Industry Intel

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Ransomware Exploits Safari Bug

Apple fixed a flaw earlier this week that allowed scammers to exploit a pop-up redirecting porn viewers to a fake law enforcement page. Once there, further access was blocked, and a demand for an iTunes gift card as ransom was made. While many unsuspecting users fell victim to the scam, Apple was able to promptly issue a patch that resolved the vulnerability. Apple has also recommended that anyone affected by the scam should clear their browser cache, to remove any possibility of relaunching the malicious sites.

Microsoft’s Docs.com Sharing Documents Publicly

Researchers have discovered that a vast majority of the documents posted to Docs.com are fully searchable and indexed into several search engines. This wouldn’t be such an issue if the many users posting content to the site were aware of the public availability of the possibly-sensitive documents they had unwittingly sent through their organizations and out into the public domain. While Microsoft has since removed the search bar from the main site page, anything uploaded prior is still available through multiple search engines.

Hong Kong Voter Records Leaked

As the Hong Kong elections took place over the weekend, two laptops containing sensitive information for Hong Kong’s nearly 3.7 million voters were stolen from a backup location for the elections. While the data on the laptops was encrypted, it could only be a matter of time until it is broken and that data is exposed. If released, it would be the largest data breach to ever come out of Hong Kong.

Crusader Adware Replaces Tech Support Search Results

A new browser extension has been discovered that can modify a user’s search results, launch additional ads, and even display pop-ups for other scams. Usually installed with a bundle of other software, the extension known as Crusader is able to monitor all Internet traffic and rewrite tech support numbers to continue the cycle by having the victim contact yet another tech support scammer for “assistance.”

WoW Users Targeted with Phishing Attack

Many avid World of Warcraft players have received emails offering an in-game pet that was “gifted” to them by a fellow gamer. Unfortunately for the recipients, the link directing them towards the Battle.net site to claim their gift actually sent them to a phishing site set up to capture all of their login information. While the scam site is already blocked by Google’s Safe Browsing, users are still urged to proceed with caution, should they receive any suspicious emails.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Hackers Threaten to Lock 200M+ iCloud Accounts

Hackers are threatening to remotely lock down over 200 million iCloud accounts. Webroot Senior Threat Research Analyst, Tyler Moffitt told SC Media that this may be a bluff. We’ll wait and see on this one since all we have to go off of is the hackers’ word and a few screenshots. We’ll know more as the ransom deadline of April 7th approaches.

American Farmers are Hacking Their Tractors

This isn’t our usual data leak or ransomware attack, it’s black market tractor hacking. Farmers are taking things into their own hands in an effort to thwart manufacturer blocks on their farming equipment.  These blocks are an attempt to prevent farmers from going to cheaper, “unauthorized” repair shops to maintain their vehicles. Farmers are starting to hack their equipment with Ukrainian Firmware so they can fix their tractors when they need to and at an affordable price.

ISPs Now Allowed to Sell User Browsing History to Advertisers

It just wouldn’t be the Cyber News Rundown without a new government data leak or citizen privacy battle. The US Senate has voted to eliminate broadband privacy rules that require ISPs to obtain customer consent before selling any sensitive information with advertisers. The vote was split equally down the party lines, and now only a House vote or Presidential veto could stop the roll-back of the privacy rules. The data in question is extremely valuable as major corporations could use it to pattern out an individual’s entire day, based on their Internet usage, purchases made, and places visited.

UK Mobile Data Breach Leaves Customers Stunned

Customers at Three UK found a surprise when signing into their accounts, a breach of privacy where they’d see a stranger’s personal information and call history. The cause of the breach hasn’t been announced but this is their second data exposure within a few months. Although the Three UK breach only affected a small percentage of their 9 million customers, I’m guessing back-to-back data leaks are not helping their retention rates.

McDonald’s Delivery App Vulnerabilities

The McDonald’s India-exclusive app service, McDelivery, is currently under fire for an API leak that has exposed millions of users. The vulnerability was originally reported to McDonald’s in early February and is still unpatched. While reporting these types of breaches isn’t mandatory in India, you’d think the sheer number of users who could be negatively impacted would motivate McDonald’s to release an update. I guess I wouldn’t mind people knowing how often I order off the dollar menu either — but having access to my phone number and address is another story.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

USAF Leaks Highly Sensitive Data

Our government is back at it again. Researchers discovered the exposure of an unsecured backup drive containing names, addresses, ranks, and Social Security numbers of over 4,000 United States Air Force officers and top security clearance information of other high-ranking officials. Personal records for several celebrities who had undergone security clearance checks prior to visiting foreign military bases were also exposed. It sounds like this breach could prove to be disastrous if the information gets into the hands of enemies to the United States.

Ohio County Facing Massive Ransom

In recent weeks, Ohio County officials have been recovering from a cyber-attack that forced the county to shut down over 1,000 computers to prevent the infection from spreading. The ransom for the return of their files was 28 bitcoins, roughly $35,000 at the time of writing, which the county correctly chose to ignore and instead restored their systems from backups. While the whole process cost the county nearly $50,000, the situation could have been worse if they paid and received nothing in return for paying the ransom.

Instagram Credentials at Risk

Researchers discovered 13 seemingly harmless apps on the Google Play Store that function as data collectors for your personal information. The apps themselves claim to increase your Instagram follower numbers by simply having users log into their accounts, only to be greeted with an error message. Fortunately, Google has already been made aware of the Turkish-based apps and has removed them.

PetrWrap Circumvents Ransomware Authors’ Cut of Ransom

As ransomware continues to evolve, some malware authors have begun acting against their peers, who wish to piggyback off the creations. By exploiting a bug found in the Petya ransomware variant, a new collection of cybercriminals have created a workaround to insert their own encryption keys over the Petya authors’ and collect the ransom themselves. This workaround comes months after Petya creators implemented methods to stop this very exploitation of their software.

New Updates on Phishing Tactics

People have been on the watch for tax-related phishing scams, as they appear around this time every year. The latest trend, however, appears to be PDF files that do not contain malicious code and use social engineering to direct victims towards compromised websites to input sensitive information. Additionally, there has been a recent influx of phishing attacks due to fake friend requests through email, as users are exceedingly likely to click on these types of links and attempt to “log in” to view the request.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Microsoft Services Go Offline

Was I the only one who wasn’t able to access my Xbox Live account earlier this week? Once again, Microsoft services were rendered inaccessible to users due to an issue with their authentication servers. The service interruption affected Outlook, Skype, and even Xbox Live not recognizing correct credentials, as we would attempt to log into the services. Fortunately for us, most services were promptly restored to working order and we were able to game-on.

Satan Ransomware Offers New Service

We all know that ransomware isn’t a new topic (nor one that is going by the wayside), but as new variants are created, the attacks are becoming more sophisticated. With the Satan variant, malicious actors are employing new tactics. I was surprised to learn that the latest evolution introduced a service signup sheet to begin running your own ransomware campaign. Scary, right? Now we have entrepreneur malware authors refining their skills and creating ransomware. The malware authors providing this service gain revenue by taking 30% of the earnings from everyone that uses the tool to distribute ransomware.

Anonymous Decreases Dark Web Activity by 20%

Did you think Anonymous was on vacation? Well, they’re rested and back to playing Robin Hood. Anonymous took down over 11,000 Dark Web sites and the majority of sites in question were distributors of child pornography or offered access to illicit drugs. Their targets were also responsible for the leak of over 380,000 user records.

Smart Utility Readers Failing to Read Anything

Our society is becoming more connected and ‘smart’ every day but sometimes things go wrong.  Over the last four months, EDF customers were paying next to nothing for their energy bills. As it turns out, the smart meters weren’t so smart and were failing to report energy usage data. Customers will receive updated bills as they’re charged for the energy usage that failed to send.

WikiLeaks Releases Immense CIA Data Vault

Don’t you love hearing about new ways our government is spying on us? If so, you’ll love what’s next. WikiLeaks has released an enormous trove of information regarding tools and methods used by the CIA to spy on us through our devices (again). By copying tactics used by large-scale malware samples, the CIA has created various tools to bypass secure messaging encryption or even turn IoT devices into spies! Creepy, right? And thanks to the selfie, we have two cameras that they can use.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Boeing Informs Workers of Data Breach

Am I surprised there’s another data breach in the news this week? Not at all, and you won’t be either after reading on. However, I am surprised to hear it happened with Boeing. It reported that one of their employees sent sensitive data outside of the company’s network. I have so many questions. “Do they have a security training program for employees?” “Was this an accident?” But before I offer up more of my thoughts, read DefenseNews’ account of the incident and let me know yours.

Russian Hacker Offers Access to University Databases

And the trends keep coming. Did you read the Daily Bruin’s article on a Russian-speaking hacker selling unauthorized access to databases for more than 60 universities and government agencies in the US and United Kingdom? I’m not pointing a finger at anyone, but I mean, another alleged Russian involved attack?! The takeaway for most is simple–SQLi attacks are definitely preventable. Organizations should take the extra effort and be more vigilant (read: do the research) when choosing pre-packaged software bundles.

Toy Maker Ignores Warning of Security Flaw

Instead of droning on about yet another data breach, I’m going to let you hear reactions from a few security experts on this one. But before taking you there, I’m have to ask, “Who hacks children toys?” (Rhetorical!) If you want to read more on the breach itself, feel free. Who am I to deprive you of the details?

Robots across Industries Share Vulnerabilities

I, for one, am glad the security of robotics is becoming more of a concern. We live in 2017 and should act accordingly when it comes to security in a connected world. Many devices lack user authorization, have default passwords that are unchangeable or left as the default, or are using insecure communication methods, all of which leave these machines vulnerable to an outside attack.

Amazon Web Services Go Offline

You all noticed the pretty big internet outage this week, right? If not, you’re either living under a rock or just arrived on planet earth. There’s no way you missed so many sites having issues. Not to mention, the social webs were buzzing. The outage was due to a problem that originated from an Amazon data center in Virginia. I think it’s safe to say interested parties were glad to hear Amazon officials state the issue has since been resolved. Amazon is likely to publish a full report on the cause and resolution to the issue in the coming days.

Emergency Services Lines DDoS’d in Texas

Officials have sentenced a cybercriminal who manipulated a bug via the Twitter app to continuously dial 911, which spread to several hundred individuals across multiple states. By tweeting out a malicious link to his followers, anyone who clicked on it was subjected to an endless loop of dialing the local emergency services lines, until the phone carriers were able to shut down the calls.

Magento Database Flaw Exposes User Data

A flaw was discovered that can trigger code to be executed in an online shop’s database that intercepts a customer’s credit card information and resends it to the attacker’s server. This is likely the first time such an attack has been written in SQL and in addition, the code trigger responds to every new customer order by reinserting itself into the site’s source code, if it’s unable to detect the malware in any portion of the page.

IDF Phones Flooded With Malware

Researchers identified a significant number of IDF-related phones were infected with a piece of malware known as ViperRAT, which is capable of extracting and sending any sensitive data on the device. The most common method of infection stems from malicious messaging apps that request administrative permissions for the device, to then gather data and send it to a C&C server.

East Idaho Counties Victims of Ransomware

Two Idaho counties were targets of cyberattacks that left one county still struggling to regain its main systems. Teton County was fortunate to have only their main website defaced, which was promptly restored to normal. Meanwhile, Bingham County was less fortunate to have found ransomware on several computers that then infected their backup servers, bringing all current operations to a halt. The attack was likely initiated from a malicious email attachment that launched an executable file.

Zerocoin Source Code Typo Leads to Breach

Zerocoin made it known that they suffered a breach that allowed an attacker to steal over $500,000 worth of the cryptocurrency. The vulnerability was simply one additional character that caused a bug that, when exploited, allowed the attacker to make one transaction but receive the money repeatedly. The attacker apparently created multiple accounts to hide the influx of the multiple transactions, and had cashed out the majority of the stolen coins by the time the Zerocoin team noticed the variations.

Chatting with David Dufour, senior director of engineering, Webroot, is always interesting. Quite frankly, so is pinning him down for a short Q+A  about his experience at RSA 2017. One thing I could be sure of, though, was David having an opinion and being a straight shooter. As a first time attendee, I was curious to know what trends a veteran like David noticed and what were some highlights for him.

Webroot: You’ve been attending RSA for a number of years now. What were your expectations going into RSA 2017?

David Dufour: In my experience, RSA would never be confused with a pure play security conference like Black Hat simply because of all the hype and marketing spin, and this year did not disappoint. Going into the conference, it was apparent that Artificial Intelligence was going to be the big buzzword, with all exhibitors talking about how advanced their AI implementations were. The fun always starts when you pin many of these vendors down on exactly what AI means in their environment- how they’ve implemented it and what struggles they’ve had going to market with AI based solutions. This typically results in a glazed stares that leads to an eye twitch indicating they are finding a way to get rid of me.

“There continues to be significant advances in technology that help prevent malware both at the endpoint and in the network.”

What did you experience on the show floor?

Webroot had a prominent spot in the South Hall this year where the atmosphere seems more cutting edge than the North hall that usually hosts traditional security providers. I prefer to cut through the buzzwords and noise to get to the significant trends in the industry. Malware prevention, detection and remediation continues to be the least sexy, yet most critical tool in a security team’s bag. Although many companies purport its demise, there continues to be significant advances in technology that help prevent malware both at the endpoint and in the network. Many organizations still seem to be struggling with automation, knowing that they need to strike a more automated posture, but not yet comfortable allowing automation to run independent of human review.

What was the best part of RSA 2017?

For me, the best part of any event is typically the meetings I’m able to have with new vendors who can dive deep into the theories and implementations behind their solutions. I had several great meetings, both scheduled and impromptu, that showed promise in terms of new ideas for isolating and preventing threats. I’m hopeful some of these new companies will partner with Webroot in the near future to deliver some truly innovative ways of protecting our customers.

Outerwear Online Retailer Hit with Cyber Attack

Columbia Sportswear announced that they were in the midst of investigating a cyberattack on one of its subsidiary retail sites, prAna, a brand that was acquired by Columbia in 2014. While officials still haven’t confirmed the type of attack, they have stated that it shouldn’t affect any of Columbia’s other affiliated sites.

University Targeted by Fishy Hack

An American university’s computer network was slowed to a crawl by nearly 5,000 infected devices from around the campus, all repeatedly performing searches for seafood. The IT staff noticed the dramatic increase in network traffic caused by the attack, though were initially unable to remedy the situation due to the sheer number of IoT devices sending the commands.

Mandatory Data Breach Reporting Implemented in Australia

In the past several years, thousands of companies and organizations have been victims of some form of data breach, though the number actually being reported is significantly less. While some companies choose to hide the breach from the public for fear of financial loss, this now will change in Australia as they have finally passed legislation for mandatory reporting to the Privacy Commissioner and any affected customers. This reporting must come immediately after a breach has been confirmed and could lead to hefty fines if they go unreported.

Politicians Quick to Adopt New Messaging App

A large number of politicians have been turning to an end-to-end encrypting message app that automatically deletes the conversation after a pre-determined amount of time. Similar to SnapChat, where the picture only lasts for a few seconds, the message app Confide only allows the reading of the message as a finger or cursor passes over the writing. This step dissuades any attempts to save the message’s contents, thereby keeping them from unauthorized eyes.

Ransomware Attack on Water Supply

A security researcher from Georgia created an experiment to simulate a ransomware attack on a water supply system. By using programmable logic controllers that are used in real systems, he was able to show how easily they were to exploit. Many were poorly-secured and even fully accessible online. By using one of these vulnerabilities, an attacker could easily disable several critical systems and damage the actual infrastructure.

Successful companies stand on the shoulders of great customer service. At Webroot, we aim to consistently be the best, and to do so, we rely heavily on our highly skilled, globally-based technical support team to delight our customers at every turn.

At Webroot, we utilize a follow-the-sun approach with customer service support staff in Australia, the United Kingdom, and North America. – Amy Wiley, vice president of engineering service

Because of this, we were honored to win the 2017 SC Award for Best Customer Service at this week’s RSA Conference 2017 during the SC Awards Dinner and Presentation in San Francisco. The SC Awards acknowledge the achievements of companies and information security professionals that focus on protecting businesses and customer data.

The Webroot Family

We support an active and collaborative online community where customers can get involved in discussions about our products, ask IT security concerns, and even submit feature requests. Although our product is cloud-based and customers do not typically require on-site assistance, we do accommodate our customers at no additional cost when needed. Providing exceptional customer service solutions is in Webroot’s DNA and crucial to protecting our customers against the many threats launched by today’s savvy cybercriminals.

Thank you to SC Magazine the honor, and thank you to our customers for being a part of the Webroot family.

The City of San Diego is the 8th largest city in the US and has over 12,000 employees, numerous vendor partnerships, as well as a vast array of diverse systems and devices to protect.

In addition to more traditional endpoints and data centers, the City must protect each new piece of smart technology it implements. These include smart street lighting where adaptive controllers and LEDs work to reduce energy consumption based on foot and street traffic analysis; smart parking, in which networked sensors ease congestion with driver communications and dynamic pricing; smart grid, where data collected from smart meters and phasor measurement units increase grid reliability; smart water utilities for fresh and wastewater management; the list goes on.

You can imagine, then, that the network would be a significant asset—both due to cost and the fact that it’s the connective tissue between all business processes, city services, critical infrastructure, and various devices. Because of the diverse and widespread nature of City devices, the network that connects them is constantly exposed to attacks from all entry points of the perimeter, VPN, WiFi, and from internal people using infected devices.

Some Attacks Are Too Sophisticated For Legacy Security Tools

While legacy security tools can catch up to 95% of the attacks from known threat vectors, the most sophisticated attackers use new forms of polymorphic malware and take advantage of the new attack vectors presented as more devices are added to the network. The remaining 5% of attacks that are too dynamic to be detected by legacy solutions now comprise a serious security gap.

FlowScape Analytics technology allows us to determine risk of system-wide user behavior and flag anomalies for remediation. – Gary Hayslip, CISO, City of San Diego

To address the 5%, the City of San Diego has adopted Webroot FlowScape® Network Behavioral Analytics. FlowScape Analytics accelerates network threat detection by automating network monitoring and leveraging supervised and unsupervised machine learning algorithms to protect the City’s core asset: its network. The software can find both known and unknown threat activity by first studying normal network traffic to establish a baseline, next identifying any unusual behaviors and then using advanced heuristics to do a risk assessment.

Here’s How FlowScape® Analytics Enhances Smart City Networks

What makes FlowScape Analytics special is the additional insight it provides. Most network protection solutions only look at direct traffic between endpoint devices and the internet, i.e. North/South traffic. But what about communications between internal devices within the network (East/West traffic)? FlowScape Threat Detection is tightly integrated with the Webroot BrightCloud® Threat Intelligence Platform to connect the dots between North/South communication and East/West communication. It monitors, maps, and learns both IT and IoT/SCADA/PLC communications. It also detects insider staff and vendor behaviors, which greatly increase risk through policy violations. FlowScape Analytics keeps a real-time asset inventory of anything that talks on the network, and the ports they normally communicate over. The end value is the added visibility across the entire threat landscape of a smart city network.

With a daily count of approximately 500,000 cyberattacks against the city of San Diego networks, Webroot FlowScape Analytics gives us the network visibility we need to protect critical infrastructure and services.  – Gary Hayslip, CISO, City of San Diego

San Diego Improves Critical Infrastructure with FlowScape® Analytics

Since staff is limited, automating security tools has been a critical requirement for the City. Think of FlowScape Analytics like putting a security analyst in Ripley’s power loader from Aliens. Security analysts don’t have the time or resources to deal with the constant barrage of alerts, so the security framework needs to be able to do some serious heavy lifting on massive amounts of data to determine which network activity is threat related. By implementing FlowScape Analytics to protect their infrastructure, that’s exactly what the City of San Diego has done.

For more information about FlowScape Analytics, download our datasheet.

Macros Turn Focus Towards MacOS

Researchers have discovered a trend of malicious Microsoft Word documents for MacOS that behave similar to Windows macro infections. The culprits download and execute a malicious payload to a user’s computer. While not particularly sophisticated, the macro-based infections focus on exploiting the users of the computer, rather than a software vulnerability, as macros can also be used for legitimate applications.

Phishing and Tax Season Go Hand in Hand

It’s tax season and criminals are working on new and clever ways to gain access to sensitive documents, and other available assets. This year brings the usual spear phishing campaigns that spoof an executive requesting tax forms, but arrive with a follow-up email requesting a wire transfer to a listed account. The best defense against these types of attacks is caution on the recipient of any suspicious emails, and using two-factor authentication where available.

Android Malware Triada Takes Top Spot

The reigning Android malware family has changed from Hummingbad, a rootkit downloader that remains persistent on devices and downloads fraudulent apps for ad revenue, to Triada, a malicious backdoor that grants super-user privileges to the malicious payloads that are downloaded according to a recent announcement. This switch comes after nearly a year as the most widespread infection for Android devices.

Teen Hacks 150,000 IoT Devices Overnight

It’s been revealed that a teenager from the UK, in the span of an evening, successfully hacked over 150,000 printers across the world. He created a simple program that sent printer protocol requests to various IoT devices and was able to get responses from and send jobs to different printers. The teen claims he did so to bring attention to the major lack in security for IoT devices that are connected to an insecure network.

Unpatched WordPress Sites Defaced

Thousands of WordPress sites have been defaced by hackers exploiting a bug patched nearly two weeks ago. Sites that haven’t been updated to the latest version were susceptible to a vulnerability in the REST API allowing unauthorized changes to be made to the title and any visible content. Due to the defacements, Google has begun categorizing affected sites by the hacker group’s names.