Industry Intel

Emergency Services Lines DDoS’d in Texas

Officials have sentenced a cybercriminal who manipulated a bug via the Twitter app to continuously dial 911, which spread to several hundred individuals across multiple states. By tweeting out a malicious link to his followers, anyone who clicked on it was subjected to an endless loop of dialing the local emergency services lines, until the phone carriers were able to shut down the calls.

Magento Database Flaw Exposes User Data

A flaw was discovered that can trigger code to be executed in an online shop’s database that intercepts a customer’s credit card information and resends it to the attacker’s server. This is likely the first time such an attack has been written in SQL and in addition, the code trigger responds to every new customer order by reinserting itself into the site’s source code, if it’s unable to detect the malware in any portion of the page.

IDF Phones Flooded With Malware

Researchers identified a significant number of IDF-related phones were infected with a piece of malware known as ViperRAT, which is capable of extracting and sending any sensitive data on the device. The most common method of infection stems from malicious messaging apps that request administrative permissions for the device, to then gather data and send it to a C&C server.

East Idaho Counties Victims of Ransomware

Two Idaho counties were targets of cyberattacks that left one county still struggling to regain its main systems. Teton County was fortunate to have only their main website defaced, which was promptly restored to normal. Meanwhile, Bingham County was less fortunate to have found ransomware on several computers that then infected their backup servers, bringing all current operations to a halt. The attack was likely initiated from a malicious email attachment that launched an executable file.

Zerocoin Source Code Typo Leads to Breach

Zerocoin made it known that they suffered a breach that allowed an attacker to steal over $500,000 worth of the cryptocurrency. The vulnerability was simply one additional character that caused a bug that, when exploited, allowed the attacker to make one transaction but receive the money repeatedly. The attacker apparently created multiple accounts to hide the influx of the multiple transactions, and had cashed out the majority of the stolen coins by the time the Zerocoin team noticed the variations.

Chatting with David Dufour, senior director of engineering, Webroot, is always interesting. Quite frankly, so is pinning him down for a short Q+A  about his experience at RSA 2017. One thing I could be sure of, though, was David having an opinion and being a straight shooter. As a first time attendee, I was curious to know what trends a veteran like David noticed and what were some highlights for him.

Webroot: You’ve been attending RSA for a number of years now. What were your expectations going into RSA 2017?

David Dufour: In my experience, RSA would never be confused with a pure play security conference like Black Hat simply because of all the hype and marketing spin, and this year did not disappoint. Going into the conference, it was apparent that Artificial Intelligence was going to be the big buzzword, with all exhibitors talking about how advanced their AI implementations were. The fun always starts when you pin many of these vendors down on exactly what AI means in their environment- how they’ve implemented it and what struggles they’ve had going to market with AI based solutions. This typically results in a glazed stares that leads to an eye twitch indicating they are finding a way to get rid of me.

“There continues to be significant advances in technology that help prevent malware both at the endpoint and in the network.”

What did you experience on the show floor?

Webroot had a prominent spot in the South Hall this year where the atmosphere seems more cutting edge than the North hall that usually hosts traditional security providers. I prefer to cut through the buzzwords and noise to get to the significant trends in the industry. Malware prevention, detection and remediation continues to be the least sexy, yet most critical tool in a security team’s bag. Although many companies purport its demise, there continues to be significant advances in technology that help prevent malware both at the endpoint and in the network. Many organizations still seem to be struggling with automation, knowing that they need to strike a more automated posture, but not yet comfortable allowing automation to run independent of human review.

What was the best part of RSA 2017?

For me, the best part of any event is typically the meetings I’m able to have with new vendors who can dive deep into the theories and implementations behind their solutions. I had several great meetings, both scheduled and impromptu, that showed promise in terms of new ideas for isolating and preventing threats. I’m hopeful some of these new companies will partner with Webroot in the near future to deliver some truly innovative ways of protecting our customers.

Outerwear Online Retailer Hit with Cyber Attack

Columbia Sportswear announced that they were in the midst of investigating a cyberattack on one of its subsidiary retail sites, prAna, a brand that was acquired by Columbia in 2014. While officials still haven’t confirmed the type of attack, they have stated that it shouldn’t affect any of Columbia’s other affiliated sites.

University Targeted by Fishy Hack

An American university’s computer network was slowed to a crawl by nearly 5,000 infected devices from around the campus, all repeatedly performing searches for seafood. The IT staff noticed the dramatic increase in network traffic caused by the attack, though were initially unable to remedy the situation due to the sheer number of IoT devices sending the commands.

Mandatory Data Breach Reporting Implemented in Australia

In the past several years, thousands of companies and organizations have been victims of some form of data breach, though the number actually being reported is significantly less. While some companies choose to hide the breach from the public for fear of financial loss, this now will change in Australia as they have finally passed legislation for mandatory reporting to the Privacy Commissioner and any affected customers. This reporting must come immediately after a breach has been confirmed and could lead to hefty fines if they go unreported.

Politicians Quick to Adopt New Messaging App

A large number of politicians have been turning to an end-to-end encrypting message app that automatically deletes the conversation after a pre-determined amount of time. Similar to SnapChat, where the picture only lasts for a few seconds, the message app Confide only allows the reading of the message as a finger or cursor passes over the writing. This step dissuades any attempts to save the message’s contents, thereby keeping them from unauthorized eyes.

Ransomware Attack on Water Supply

A security researcher from Georgia created an experiment to simulate a ransomware attack on a water supply system. By using programmable logic controllers that are used in real systems, he was able to show how easily they were to exploit. Many were poorly-secured and even fully accessible online. By using one of these vulnerabilities, an attacker could easily disable several critical systems and damage the actual infrastructure.

Successful companies stand on the shoulders of great customer service. At Webroot, we aim to consistently be the best, and to do so, we rely heavily on our highly skilled, globally-based technical support team to delight our customers at every turn.

At Webroot, we utilize a follow-the-sun approach with customer service support staff in Australia, the United Kingdom, and North America. – Amy Wiley, vice president of engineering service

Because of this, we were honored to win the 2017 SC Award for Best Customer Service at this week’s RSA Conference 2017 during the SC Awards Dinner and Presentation in San Francisco. The SC Awards acknowledge the achievements of companies and information security professionals that focus on protecting businesses and customer data.

The Webroot Family

We support an active and collaborative online community where customers can get involved in discussions about our products, ask IT security concerns, and even submit feature requests. Although our product is cloud-based and customers do not typically require on-site assistance, we do accommodate our customers at no additional cost when needed. Providing exceptional customer service solutions is in Webroot’s DNA and crucial to protecting our customers against the many threats launched by today’s savvy cybercriminals.

Thank you to SC Magazine the honor, and thank you to our customers for being a part of the Webroot family.

The City of San Diego is the 8th largest city in the US and has over 12,000 employees, numerous vendor partnerships, as well as a vast array of diverse systems and devices to protect.

In addition to more traditional endpoints and data centers, the City must protect each new piece of smart technology it implements. These include smart street lighting where adaptive controllers and LEDs work to reduce energy consumption based on foot and street traffic analysis; smart parking, in which networked sensors ease congestion with driver communications and dynamic pricing; smart grid, where data collected from smart meters and phasor measurement units increase grid reliability; smart water utilities for fresh and wastewater management; the list goes on.

You can imagine, then, that the network would be a significant asset—both due to cost and the fact that it’s the connective tissue between all business processes, city services, critical infrastructure, and various devices. Because of the diverse and widespread nature of City devices, the network that connects them is constantly exposed to attacks from all entry points of the perimeter, VPN, WiFi, and from internal people using infected devices.

Some Attacks Are Too Sophisticated For Legacy Security Tools

While legacy security tools can catch up to 95% of the attacks from known threat vectors, the most sophisticated attackers use new forms of polymorphic malware and take advantage of the new attack vectors presented as more devices are added to the network. The remaining 5% of attacks that are too dynamic to be detected by legacy solutions now comprise a serious security gap.

FlowScape Analytics technology allows us to determine risk of system-wide user behavior and flag anomalies for remediation. – Gary Hayslip, CISO, City of San Diego

To address the 5%, the City of San Diego has adopted Webroot FlowScape® Network Behavioral Analytics. FlowScape Analytics accelerates network threat detection by automating network monitoring and leveraging supervised and unsupervised machine learning algorithms to protect the City’s core asset: its network. The software can find both known and unknown threat activity by first studying normal network traffic to establish a baseline, next identifying any unusual behaviors and then using advanced heuristics to do a risk assessment.

Here’s How FlowScape® Analytics Enhances Smart City Networks

What makes FlowScape Analytics special is the additional insight it provides. Most network protection solutions only look at direct traffic between endpoint devices and the internet, i.e. North/South traffic. But what about communications between internal devices within the network (East/West traffic)? FlowScape Threat Detection is tightly integrated with the Webroot BrightCloud® Threat Intelligence Platform to connect the dots between North/South communication and East/West communication. It monitors, maps, and learns both IT and IoT/SCADA/PLC communications. It also detects insider staff and vendor behaviors, which greatly increase risk through policy violations. FlowScape Analytics keeps a real-time asset inventory of anything that talks on the network, and the ports they normally communicate over. The end value is the added visibility across the entire threat landscape of a smart city network.

With a daily count of approximately 500,000 cyberattacks against the city of San Diego networks, Webroot FlowScape Analytics gives us the network visibility we need to protect critical infrastructure and services.  – Gary Hayslip, CISO, City of San Diego

San Diego Improves Critical Infrastructure with FlowScape® Analytics

Since staff is limited, automating security tools has been a critical requirement for the City. Think of FlowScape Analytics like putting a security analyst in Ripley’s power loader from Aliens. Security analysts don’t have the time or resources to deal with the constant barrage of alerts, so the security framework needs to be able to do some serious heavy lifting on massive amounts of data to determine which network activity is threat related. By implementing FlowScape Analytics to protect their infrastructure, that’s exactly what the City of San Diego has done.

For more information about FlowScape Analytics, download our datasheet.

Macros Turn Focus Towards MacOS

Researchers have discovered a trend of malicious Microsoft Word documents for MacOS that behave similar to Windows macro infections. The culprits download and execute a malicious payload to a user’s computer. While not particularly sophisticated, the macro-based infections focus on exploiting the users of the computer, rather than a software vulnerability, as macros can also be used for legitimate applications.

Phishing and Tax Season Go Hand in Hand

It’s tax season and criminals are working on new and clever ways to gain access to sensitive documents, and other available assets. This year brings the usual spear phishing campaigns that spoof an executive requesting tax forms, but arrive with a follow-up email requesting a wire transfer to a listed account. The best defense against these types of attacks is caution on the recipient of any suspicious emails, and using two-factor authentication where available.

Android Malware Triada Takes Top Spot

The reigning Android malware family has changed from Hummingbad, a rootkit downloader that remains persistent on devices and downloads fraudulent apps for ad revenue, to Triada, a malicious backdoor that grants super-user privileges to the malicious payloads that are downloaded according to a recent announcement. This switch comes after nearly a year as the most widespread infection for Android devices.

Teen Hacks 150,000 IoT Devices Overnight

It’s been revealed that a teenager from the UK, in the span of an evening, successfully hacked over 150,000 printers across the world. He created a simple program that sent printer protocol requests to various IoT devices and was able to get responses from and send jobs to different printers. The teen claims he did so to bring attention to the major lack in security for IoT devices that are connected to an insecure network.

Unpatched WordPress Sites Defaced

Thousands of WordPress sites have been defaced by hackers exploiting a bug patched nearly two weeks ago. Sites that haven’t been updated to the latest version were susceptible to a vulnerability in the REST API allowing unauthorized changes to be made to the title and any visible content. Due to the defacements, Google has begun categorizing affected sites by the hacker group’s names.

Hotel Doors Locked By Ransomware

A prestigious hotel in Austria was the target of a ransomware attack that left their electronic door locking systems inoperable for several hours. The hack only stopped hotel personnel from activating new keycards due to system is capabilities allowing the functionality without power. Unfortunately, the hotel did pay a ransom of 2 bitcoins. They now have plans to replace the electronic lock system with traditional keys to avoid any future complications.

WordPress Quietly Fixes Critical Vulnerability

Reports have surfaced that WordPress deployed an update resolving several crucial vulnerabilities allowing unauthorized users to access and modify WordPress hosted sites. REST API is the source of the vulnerability. The API was implemented in an earlier version and set to be enabled by default. Fortunately for many WordPress users, the exploit was resolved without any signs of the issue being exploited in the wild.

Ransomware Locks up Texas Police Department

A Texas police department was forced to wipe their servers ridding ransomware encrypting documents and video evidence stored on computers. Officials have stated that the infection started from a spam email link and spread through nearly 8 years worth of data before the individual computer was taken offline.

Netflix Login Generator Creates More Than Credentials

Researchers have discovered a new ransomware variant that comes bundled inside a Netflix login generator application. When users click on the “Generate Login!” button, they are met with a dropped executable that begins encrypting any file located in the main Users directory of the computer. Currently, this variant only runs in Windows 7 and 10 and demands a smaller ransom than normal ($100 or .18 bitcoins), likely in the hope of actually receiving payment.

Office Printers Susceptible to Cyber Attack

While many believe that employees are the main point of vulnerability for a typical corporation, it should be mentioned that the quietest machine in the office can also be an attack vector: the printer. With wireless access becoming ever more prevalent, it’s no surprise that cyber criminals are looking to different areas of opportunity. With nothing more than authority to use the printer, there are several ways to bring the machine to a halt or even gather data that passes through.

Major Dark Web Marketplace Hacked

Recently, a hacker using the alias cypher0007 reached out to AtlasBay, a large dark web market, with information on two significant vulnerabilities that allowed him to access over 200,000 private messages, names, and addresses. Along with retrieving a good amount of buyer and seller information, the hacker also revealed that the site had no encryption on its private messaging feature. For users of the online marketplace, their data has been secured in addition to AlphaBay releasing patches for both vulnerabilities.

Ransomware Victims Likely to Pay for Data Retrieval

In a recent study, it was revealed that nearly half of businesses hit with ransomware were willing to pay the ransom which often reached over $10,000. Many of the respondents believed that the loss of data was actually less costly than the overall downtime for the business, loss of customers, and the investment in new security measures. More surprisingly, 17% of the victim companies did not involve a law enforcement agency for fear of additional attacks on their infrastructure.

Latest Firefox Update Flags Insecure Logins

Following in the steps of Google, Firefox has released an update that has resolved many security flaws that have been prevalent for quite some time. The main focus appears to be on flagging HTTP login pages as insecure and giving users an additional warning if they begin typing in an insecure username or password field. Also, Firefox has begun refusing to accept SHA-1 certificates from several public companies, as a sign of lost faith.

Android Ransomware Found On Google Play

In the last week, researchers discovered a new ransomware variant embedded in a seemingly innocent app on the Google Play store. The variant, named Charger, begins by prompting the user to allow administrator access to the device. Once access is given, the user is shown a ransom lock screen and the app starts downloading user contact and SMS data while asking for a mere 0.2 bitcoins, or roughly $180. Fortunately, the app was caught early and removed from the app store with a minimal number of total downloads.

Dark Web Hacker Steals Over 1 Billion User Accounts

With corporate hacking being more profitable than ever, it comes as no surprise to see dark web vendors selling data for millions of users. Recently however, one vendor has offered access to over 1 billion unique user accounts from some of China’s largest online vendors. Alongside the initial listing for the main Chinese accounts, the hacker also offers another ~46 million email accounts from varying domains.

MongoDB Hacks Spreading Fast

In the past few weeks, researchers have been monitoring the steady rise of hacked MongoDB installations, now surpassing over 28,000 individual systems. While the attacks started with ransoming back the stolen data, the attackers have now begun simply deleting the information from the database and leaving the ransom note for payment anyways. With up to 12 different attackers as well, crossover hacks have occurred on several of the databases, leaving the victim unsure of who to contact or how to retrieve their missing data.

Miami Bank Loses Millions without Notice   

Recently, a major Miami Beach bank has been under heavy scrutiny after nearly $4 million USD were stolen from their accounts without any suspicion arising. According to officials, the thefts began in the summer of 2016 and continued until December, when they were given a report showing a large number of fraudulent transactions taking place in the form of automatic billing payments that were being rerouted. Amidst the scandal, several prominent financial executives were forced to resign.

Amazon Phishing Scheme Targeting User Credentials

Users of retailing giant, Amazon, have noticed some oddly suspicious behavior when attempting to purchase items with prices that are too good to be true. Items being posted for sale the fraudulent merchant are available to purchase, until you add the item to your cart and begin checking out. Once in the cart, the item mysteriously disappears and a message stating that it is no long available appears. Users are then contacted by the vendor via email with a new link to purchase the item, though this link does not direct the user back to the legitimate Amazon site, but instead one that looks similar and wants your credentials badly.

Ukraine Power Stations Still the Focus of Cyber Attacks

It’s been almost exactly one year since the major power outages that affected nearly a quarter million Ukrainians, and once again, the hackers are up to their same tricks. In the last month, officials have been working to determine if the latest power substation failure was a legitimate failure or the results of another cyberattack. With the latter being confirmed, it is still surprising how little damage the hackers have actually done, with nothing more than overwriting the firmware used in the power stations to signal a manual reset to engineers on site. Researchers believe these attacks are merely a test of their capabilities and learning what security is in place and how to bypass it.

Spora Ransomware Offering New Encryption Process

With ransomware being the highest grossing cyber-attack vector, it’s no surprise that attackers are coming up with clever new methods for causing user devastation. By adding an additional encryption step, allowing for offline encryption, the attackers are able to create a new set of AES keys on the local machine which will stop decryptors from unlocking all of the victims with one private key. Additionally, Spora has the capability to gather information about the computer itself and determine an appropriate ransom amount, whether it’s for an individual user or a large corporate network.

FireCrypt Ransomware Builder Found in Wild

Researchers have discovered a new ransomware variant that uses “.firecrypt” as its amended extension once encryption has taken place. FireCrypt is compiled using a command line builder software that allows varying inputs and outputs to be determined by the author for a unique hash, as this allows for better disguise by enabling the author to change the icon and executable name. Along with the usual encryption, FireCrypt also connects to the Pakistan Telecom Authority website and begins downloading all of the available content, thus filling the victims hard drive with thousands of junk files.

Los Angeles College Hit with Cyberattack

While many students are preparing to return to classes after their winter break, employees at Los Angeles Valley College are working to determine the severity of a cyberattack. It is still unclear how the systems were breached or to what extent any sensitive information has been access, though officials are working with law enforcement.

Philippine Army Website Vandalized By Hackers

In the past week, the official Philippine Army website was compromised by a hacker going by the alias, Shin0bi H4x0r. The site itself displayed several messages to any visitors, boasting about the weak security and taunting the site admins. Though the site has since been taken offline, it is still undecided how the site was breached.

Experts Doubtful of Russia’s Part in Recent Hacking

With so many recent stories surrounding Russia’s involvement with the recent utility grid breach in Vermont and the implied connection to the hacks that took place during the election, many security researchers are unsure how involved Russia actually is. Flaws found in the US utility services are not a secret, and officials have been working to resolve them for quite some time. While public outcry over Russia hacking the election has been very pro-America, it stands as a bit hypocritical, as the US is assuredly involved in similar tactics all across the globe.

Malicious Super Mario Run Apps Found on Android

While Super Mario Run was released for iOS in the early part of December, it has yet to hit the official Android app store for sale. Due to the release gap, many cybercriminals have been cashing in by creating at least 9,000 known malicious versions of the app and distributing them through third-party app stores. Users are warned to avoid downloading any Super Mario Run-related apps until the official version has been released by Nintendo on the Google Play Store.