Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Building a secure IoT Gateway using Threat Intelligence

Part 1 and Part 2 of this series provided an overview of Threat Intelligence and hopefully offered some understanding as to what role it can play in helping secure an IoT infrastructure. For those familiar with cybersecurity and how to implement Threat Intelligence in traditional network appliances, the jump to securing an IoT Gateway is fairly straightforward. For those new to the space, trying to put a plan together for integrating Threat Intelligence may seem a bit daunting. This blog is intended to be a guide of questions to start the process.

The first question that should be addressed when building an IoT Gateway is, “What is your audience?” For example, if the given environment in which the gateway will be implemented is closed, meaning no interconnectivity with the Internet, then traditional IP reputation or URL Categorization won’t provide much help. These technologies are built around the expectation that a malicious actor will attack from, or ex-filtrate data to, locations on the Internet. Therefore, with no connection to the Internet these technologies provide little in the way of additional security to an appliance manufacturer. That being said, by definition an IoT Gateway should provide connectivity to the Internet, so the rest of this blog will assume that is the case.

So, what is needed to build an IoT Gateway?

Obviously, there is the interconnectivity that bridges a proprietary physical layer and converts it to TCP/IP traffic. This blog won’t help much with that aspect of the appliance as the respective vendors would know best how to achieve this part of the solution. However, once data has been converted to Internet compatible protocols, building a basic gateway with IP blocking and URL categorization requires: 1) IP packet inspection to extrapolate incoming IP addresses or outgoing URLs, 2) a Threat Intelligence module that allows for the scoring of an IP or URL, and 3) a user interface to manage the policies. Here is a breakdown of each component:

  • Deep Packet Inspection (DPI): Simply put, this is examining each data packet as it comes through the appliance, stripping out header information that contains the IP address for inbound traffic or the outbound URL. There are robust open source solutions such as nDPI from ntop that do a very good job analyzing traffic, but partnering with a provider such as Qosmos might be the right approach for those new to security. The problem isn’t in the ability to inspect packets but rather the ability to do it at line speeds. Those who aren’t experts or who are looking to go to market quickly would do well to find a partner in this space.
  • Threat Intelligence Module: There are several considerations in terms on selecting a provider, how best to implement a solution and how to implement Threat Intelligence in such a way that it becomes a differentiator rather than an “also have”. Take the time to become educated on cost to performance aspects a Threat Intelligence provider offers and understand the ramifications of the level of false positives and uncategorized lookups that a solution will have on the overall implementation of the final product.
  • Policy Management: Nearly as important as the Threat Intelligence itself is the ability for appliance administrators to configure and manage policies. Will there be a need to manage based on region, user, device type or some other granular method specific to an industry? Can the individual device management be done through a cloud-based interface allowing for quicker deployment and lower appliance resource requirements or will it need to be built into the operating system for a given appliance to be managed locally? Taking the time to ask these and other questions around the user interface is key to building a successful solution.

The intent of this post is to identify key considerations that must be addressed to successfully build a secure IoT Gateway. It is a complicated process with issues not limited to traffic management, threat identification at line speeds and the potential for complex policy and usage configurations. As daunting as this may appear, traditional appliance manufacturers have been addressing this need for Information Technology ecosystem for many years and bringing that technology to the Operational landscape is fairly straightforward. Part 4 of this series will push the edge of what is possible by walking through some theoretical configurations that bring Threat Intelligence down from the network appliance to the actual edge device.

New Ransomware PadCrypt: The first with Live Chat Support

A new ransomware has been discovered and what sets apart this variant from the rest is its implementation of a chat interface embedded into the product.

That link for “Live Chat” will prompt the window for live support. The window should look like this and will allow you to talk directly with the cyber criminal.

Currently the Command and Control servers are down so currently there is no encryption being performed and we were unable to chat with any “developer” to see what they would say. However, we presume it’s just to aid in the process of getting a bitcoin wallet address, filling it with coins, and sending the payment securely. This task can be complicated to unsavvy users so we suspect this feature was created to add a more human element to the aid of receiving the ransom.

These are the standard instructions that also are available if you click “decrypt help” and can be a daunting task for those not familiar with the process. This is why we suspect the chat feature was added. Also, for the first time that we’ve seen on any ransomware sample – it comes with a uninstaller. Located in %AppData%\PadCrypt\unistl.exe it will remove all files and registry entries associated with the infection. However, it will still leave all your files encrypted.

The rest of the drill with this ransomware is pretty standard – “.pdf.scr” extension on the encrypted files, Volume Shadow service is deleted, decryptor tool is provided to decrypt your files after paying ransom.

PadCrypt infection samples: From ZeroBin
MD5 8616f6c19a3cbf4059719c993f08b526 (C2: cloudnet.online)
MD5 aface93f4d6a193c612ea747eaa61eaa (C2: annaflowersweb.com)
Dropped files:
17822a81505e56b8b695b537a42a7583 (package.pdcr)
7d2822aedddd634900a4c009ef0791a9 (unistl.pdcr)

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

Why Webroot is Proven Next-Generation Endpoint Security

Within the last several years, online threats have continued to evolve at disturbingly high rates, and are more robust than ever before. According to the data we’ve seen across the Webroot Threat Intelligence Platform, many new attacks are targeted, adaptive (polymorphic) malware variants that appear suddenly in several points across a targeted company’s network and then may never be seen in the same way again. When so many threats are tailor-made and can even be purchased as a service in the criminal networks, traditional, reactive cybersecurity just won’t cut it.

At Webroot, we know the only way to protect businesses and individuals is by understanding our adversary and predicting their next move. That’s why we’ve continued to expand our threat intelligence and integrate it more deeply with our endpoint protection solutions so that new, unknown threats are detected and destroyed as soon as they appear within the networks of any of our customers. This unique, collective protection means that all Webroot customers protect one another. It’s a community of cybersecurity. Our cloud-based threat intelligence is derived from millions of sensors and real-world endpoints around the world to provide proven next-generation endpoint security that can predict, prevent, detect, and respond to threats in real time. With 87,000 business customers (and counting) and partnerships with 40 of the industry’s top security vendors, Webroot is the proven choice for defending against modern malware. If you would like to learn more about out Threat Intelligence Platform, see our website.

In view of the tactics modern malware writers and other cybercriminals have adopted, we invite you to join us at the 2016 RSA conference to find out how our next-generation endpoint security solutions protect businesses and individuals in a connected world. To schedule a meeting with us at RSAC, visit www.webroot.com.

What IP/URL Based Threat Intelligence Can and Can’t do for the IoT

Part one of this series provided a high-level overview of Threat Intelligence, the underlying data types common in the current security landscape and how these data are gathered, analyzed and consumed. As cyber security becomes a key focus for the IoT it may appear, on the surface, much of the existing threat intelligence and the techniques used to gather these data do not directly play a role in protecting IoT devices from malicious actors. Though there are gaps in some areas, specifically with malicious files for IoT devices and closed network threat analysis, much of the threat data can be applied to the IoT once communication with, and across, the Internet occurs.

Many consumer and industrial IoT devices do use custom protocols to communicate with one another in a closed environment which presents a challenge for existing systems to gather and collate data specific to these environments. Fortunately, by definition, devices in the IoT must communication through the Internet requiring proprietary or non-TCP/IP traffic to be converted to TCP/IP. It is at this conversion point existing threat intelligence can play a critical role in protecting IoT devices through the use of traditional malicious IP blocking and traffic management to and from malicious or off category URLs. Some specific cases for the use of these data that directly affect how IoT Gateways can be secured are:

Malicious IP Blocking: One of the most basic ways to protect IoT devices is to prevent known malicious IP addresses from communicating from the Internet to devices inside of a network. If an OT network contains devices that are directly manageable over the Internet and whitelisting is not a viable option due to dynamic addressing, then a very straightforward and extremely successful solution in IT ecosystems, is to block known malicious IP addresses.

URL Categorization and Reputation: Another common, and extremely effective, security measure that is used throughout the IT landscape in perimeter appliances is to limit what a device can communicate with. Through the use of policy and security management filters devices can, at the gateway, be denied the ability to communicate with malicious IP addresses and URLs, preventing the exfiltration of data to unknown or unauthorized entities.

The aforementioned use of IP addresses and URLs in IoT Gateways to help prevent threats from entering an ecosystem does have limitations in terms of detecting threats in closed environments. Today, threat intelligence providers have focused on identifying threats on the Internet at large due to the vast amounts of data available for analysis. Machine learning engines have been a boon for the cyber security industry in their ability to be finely tuned to detect and identify Internet-borne threats but they require vast amounts of data to accurately identify a threat and reduce false positive results. Closed ecosystems, even TCP/IP-based networks, do not have the volume of data the current state of machine learning requires to accurately and definitively detect threats unique to these environments. Building tools and applying new methodologies to these smaller datasets associated with closed ecosystems will be the challenge security architects must overcome as more and more devices make their way into the IoT.

Part three of this series will continue with the discussion around threat intelligence and how to apply it to IoT Gateways to protect OT ecosystems. It will give an overview of a basic gateway, the submodules required to extract necessary data from a data stream for analysis, how to analyze the resulting data and the process for applying policy to the overall environment. The hope will be to keep the discussion moving forward on how existing technology can help protect the IoT.

Some notes on VirusTotal

Many of you are probably familiar with VirusTotal, a service that allows you to scan a file or URL using multiple antivirus and URL scanners. VirusTotal results are often used in write-ups about new malware to show how widely a sample is detected by the AV community. We receive links to VirusTotal results via our support system and on the Webroot Community. Computer support forums will also suggest a user submit a file to VirusTotal in order to determine whether or not a file is malicious. VirusTotal can be a very useful service – if you know how the service works and how to interpret the results. A good place to start is the About page, paying special attention to the Important notes and remarks section of the page.

I’ve written before about how inconsistent the results for a file can be, and this makes a bit more sense when you understand more about how VirusTotal works. To put it simply, because of the way that VirusTotal works, files that show no detections in VirusTotal may actually be detected by the scanners used in real-world situations, and the opposite is also true. (Knowing how it works can also help understand why a next-generation cloud-based solution like Webroot SecureAnywhere is not one of the scanners used in VirusTotal.) I’ve seen many instances where a write-up on new malware shows few detections in VirusTotal, but a quick check of our database shows that we had seen and were detecting the sample prior to the date it was submitted. There have also been countless times where our own Webroot SecureAnywhere process showed as being detected by multiple scanners in VirusTotal.

As VirusTotal clearly states, “the service was not designed as a tool to perform antivirus comparative analyses” yet we see it used to gauge how widely detected a new malware sample is all the time. When looking at VirusTotal results, I tend to make two assumptions. The first is that I always assume that all of the scanners are set to their highest heuristic settings – what I like to refer to as “tin-foil hat heuristics” – which will cause a much higher number of False Positives.

The second assumption is that the scanners will be using their full Enterprise signature set which will detect various legitimate programs that administrators might not want on their networks such as administrative tools or remote access tools. Over time, you can become familiar with some of the more common detections and naming conventions used by the various scanners that can help make a more informed interpretation of the results.

As with any tool, knowing the intended use and limitations helps use it more effectively.

Threat Intelligence: An Overview

Bring Threat Intelligence to the world of IoT

Threat Intelligence has become common throughout the cyber security landscape used in traditional information technology platforms from next generation firewalls, application load balancers, SIEM and other threat monitoring and prevention tools. With the pervasive growth of IoT initiatives and concerns around how to protect operational infrastructures from malicious actors an understanding of how existing threat intelligence can play a role in protecting an organization’s technology infrastructure is needed. Additionally, the existing methods for collecting and analyzing threat data do not directly translate to meet all of the potential security issues found in the IoT space. Therefore, a deep dive into what existing security technology can and cannot do for an organization’s operational infrastructure will help determine what can be done today and what technologies need to be developed to better secure entire ecosystems.

This five-part blog will walk through each aspect of threat intelligence from a general overview to help provide a basic understanding to the future of threat intelligence as it relates to IoT. Part 1 will give a high-level overview of what threat intelligence is, how it is gathered, analyzed and consumed. Parts 2 and 3 will focus on IP and URL data, how it can be applied to IoT and an example of implementing this data in an IoT Gateway. The last two articles will discuss what the future holds in store for protecting devices and creating purpose-built protection for the IoT.

Threat Intelligence: An Overview

Traditional Threat Intelligence consists of the collection and analysis of four main data types: IP Addresses, URLs, Files and Mobile Applications. The focus of this data collection and analysis revolves around protecting workstations and servers from becoming infected with malicious software, preventing command and control servers from activating dormant code living in an organization’s network and helping to identify and prevent the exfiltration of data. This was initially done through the use of human analysts who spent time manually identifying and evaluating threats but has now evolved to a more automated process through the use of machine learning and big data analytics.

As stated above, threats in the cyber security space can be broken down into four main components. Of course, there are other vectors a malicious actor can use to attack an organization but the elements below comprise the bulk of threats a typical organization will regularly face:

  • IP Addresses: IPv4 and IPv6 addresses that are typically analyzed for threats inbound to an organization. Typical attacks include spam sources, command and control servers, and botnet servers.
  • URL: Not often thought of as a threat category as many organizations consider URLs as policy control but they are heavily used as dynamic embedded delivery endpoints for phishing and malware. It should also be noted that URLs can contain IP addresses.
  • Files: Traditional malicious files, think viruses, used to encrypt user data, listen to user activity, destroy systems and/or exfiltrate data.
  • Mobile Applications: These have been identified separately from traditional files as they require special analysis due to their specific platforms and the functionality they provide in terms of network connectivity and application performance.

There are three main steps to any threat intelligence system:

  • Data Collection and Aggregation: There are three main ways to gather data in the wild for analysis.
  • Active: This includes web crawlers and IP port scanning techniques. Since it can be controlled this method provides a robust amount of data but does not typically result in identifying the high-value zero-day threats.
  • Passive: By deploying victim machines, web app honeypots, endpoint agents and other exploitable devices on the Internet it is possible to attracted attackers and record malicious activity as it occurs. This technique results in a better set of threat data but requires patients while waiting for a malicious actor to attempt to take advantage of weakened system.
  • 3Rd Party Data: There are several international, governmental and independent bodies that collect threat data for use by security teams. This data, though valuable, must be vetted for accuracy and often times because outdated quickly as threat actors subscribe to the same data sets and change or avoid the items published in these lists.
  • Classification: Once data has been gathered and aggregated it can be fed into purpose-built machine learning engines for analysis. This involves the creation and training of engines for each of the data types identified above. Analysts move from doing deep dive identification of threats to maintaining and tuning the engines for better accuracy. This is done by continually feeding the engines more highly refined data for the engine type.
  • Analysis and Consumption: Once the data has been collected and classified it is a simple Big Data issue of provided tools such as APIs or SDK to access each of the individual data types.

A relatively new component to the threat intelligence space is the generation of contextualized data made possible through advancements in big data analytics. Contextualization involves walking through disparate data sources looking for linkages between the data in an effort to help prevent future threats before they occur or allow an analyst to better understand the effect of an identified threat may have on an organization.

Typical applications of threat intelligence range from policy management in next generation firewalls to network traffic analysis in security operation centers. Depending on the type of threat data an organization uses and their ability to apply that data to their infrastructure will directly correlate with how well they can detect, identify and resolve threats.

Next week Part Two of this series will explore what traditional URL and IP data can and cannot do for the IoT.

Webroot’s Acceleration with Advancement of IoT

As a concept, the IoT (Internet of Things) has been with us since the late 1990’s, and has evolved from simple M2M (Machine-to-Machine) connectivity into a vision for Operational Productivity enabled by Interoperability.  Innovation and investment in new IoT technology and business models are driven by the pursuit of key operational benefits such as:

  • Provisioning Assets as Services
  • Efficiency through Automation
  • Resource Utilization
  • Environmental Impact
  • Safer and more productive Critical infrastructure

Next-generation IoT devices and platforms are now being deployed in critical infrastructures such as Integrated Transportation (auto, railway, airports,…), oil & gas operations, industrial & manufacturing facilities, energy distribution, and ‘SmartCity’ systems.  Operations are becoming dependent on these efficient and high-availability IP-aware systems.

New systems are being deployed and older non-IP based systems are being modernized with IP-aware functions at a rapid rate. Supporting this movement has driven device manufacturers to deploy new classes of devices and systems that can take advantage of direct and indirect internet connectivity in order to leverage public and private IoT Cloud Services Platforms.  Theses next-generation smart systems can perform many advanced functions such as data aggregation and storage, advanced analytics, prediction, prognostication, and even limited decision-making.   What was considered advanced data processing and decision- making in a data center just two years ago is now being deployed regularly in stand-alone IP-connected devices at the internet edge.   This along with rapid developments in semiconductor and control technology is paving the way for a new wave of robotics and autonomous systems where cloud processes like machine learning are being brought down to the edge (FOG computing).

In order to deliver the vision of IoT business models, the lines between traditional enterprise IT systems (IT) and the high-availability autonomous operational infrastructures are undergoing radical evolution with new standards and vendors.  As with many new waves of technology advancement, there are those who seek to leverage weaknesses for criminal exploit, state-sponsored espionage, or simply mischief on a grand scale.  These new systems are very enticing to those who specialize in advanced exploits.  Increasingly, malicious actors who have targeted personal computing with malware, viruses and phishing exploits, are now targeting critical infrastructure elements for profit and other motives.  Modern cyber attacks on critical infrastructure take advantage of compromised IP addresses (servers, websites, etc.) to carry out DDoS, botnet and other forms of remote command and control exploits.

Webroot deployed the cyber-security industry’s first, most advanced, and most effective real-time cloud-based Threat Intelligence.  We have been providing this service exclusively to leading Security Appliance, NGFW, and Access Point OEMs for over 5 years.  These OEMs are leaders in bringing the latest cyber security approaches to corporate and public IT enterprises.  This same technology, which has armed advanced networking equipment providers with a real-time defense against Internet launched attacks, is now made available to non-telecom equipment developers for cyber protection to support the growing new classes of IoT systems, such as connected automobiles, industrial automation, process control, aviation, railway, power management, and home energy management.

As system designers look to protect new and existing IoT devices and networks, they are increasingly applying techniques formerly used by the most advanced firewall and network security appliance manufacturers.   IoT gateways are emerging as this new class of OEM appliance. They are being designed to locally integrate single and multi-vendor platforms.  Common functions are real-time data stream analytics, protocol translations, networking control, endpoint control, storage, and manageability.  However, until recently, IoT gateways were being built without sufficient security or intelligence to properly protect critical infrastructure.  What is new and very exciting now is that non-security appliance vendors are now able to bring advanced cyber-security into IoT Gateways and offer Cyber-Security-as-a-Service to critical infrastructure. IoT Gateways can now utilize cloud-based cyber-security to securely connect legacy and next-generation devices to the Internet of Things.

I am pleased and excited to be part of the efforts by Webroot and our partners to ensure that the latest techniques are leveraged across these new IoT devices, appliances, systems and platforms.  We look forward to our continued dialogue with you in advancing collective threat intelligence.

As tax season approaches, beware of tax related scams

Tax season officially began on January 19th, and with tax season comes the inevitable rise in tax-related scams. Identity thieves tend to step up their game a bit during tax season, looking to get the ultimate prize – your Social Security Number. Scammers often use the threat of jail time for unpaid tax debt to trick you into giving out sensitive personal information. As with so many scams, seniors are a major target. Telephone scams are particularly popular, but as more people file their taxes electronically, phishing emails and malicious email attachments have become more prevalent.

Now is a good time to help educate your family members about these types of scams. It is important to pay extra attention to any email that is tax related. Be aware that the IRS will not contact you via email to request any personal or financial information. Don’t click on any links or download any attachments from emails claiming to be from the IRS. If you need tax related information, go directly to the official IRS website at www.irs.gov instead of using a search engine.

For more information on taxes and security, the IRS have provided resources at: https://www.irs.gov/Individuals/Taxes-Security-Together

A look at a typical macro infection

For over a decade, one of the most common ways to infect a computer with malware has been the implementation of “macros” in Word and Excel documents. Macros are small scripts that automate a series of commands in a document; most commonly they are used to automate legitimate repetitive tasks in applications like MS Excel and MS Word. Because of the security issues inherent to macros, Microsoft added security features in Office 2003 and all subsequent Office releases in order to curb macro abuses. In particular, the use of macros is disabled by default in Microsoft Office applications, requiring the user to manually turn macros on in order to use them.

Because of this, it is less likely to be infected by a document containing a malicious macro, but it is still possible. Typically, a document containing a malicious macro these days will be accompanied by instructions that ask the user to enable macros in their Office applications. Fortunately, these types of attacks are easy to detect if you know what to look for.

The first thing to be aware of is that unless you already use macros regularly in your work, you will probably never be sent a legitimate document that contains a macro script. In the case that you do use macros regularly, they will usually be similar types of documents that come from the same sources. If you receive a document via e-mail from an unknown sender, and the document contains macros, it is probably malware and should be deleted immediately.

The most popular type of malware infection these days comes in the form of a bogus shipping e-mail, such as a UPS Shipping Notice or a USPS “failed delivery” e-mail, as shown below:

Webroot_macroinfection

In this example, we can see a few different things that would alert you to the fact that it is bogus. First, observe the “From” e-mail address. The e-mail claims to be from the USPS but the sender is from “no-reply@Postal-Reporter.com” instead of a “USPS.com” e-mail address. Secondly, because the e-mail address is an unknown or previously uncontacted sender, the fact that the message has a document attached is highly suspicious. We would recommend immediately deleting an e-mail like this and would especially advise not downloading or opening the attached document.

If this type of document is downloaded, it may not be immediately detected by security software because the document itself does not contain malware. It is only when macros are run that the malicious script is activated; usually this would trigger a download and launch of malicious software.

When this document is opened, what you will usually see in MS Word is something like this:

Webroot_macroinfection_1

The document contains no real information but is meant to trick you into believing that you will not be able to read a message without enabling macros in MS Word. You can see that MS Word displays a yellow bar with “SECURITY WARNING: Macros have been disabled.”, also giving you the option to “Enable Content”. This is your clear warning that something is not right with this document. If you have opened a suspicious document and have gotten this far, you should immediately close and delete the document before going any further with it.

Webroot_macroinfection_2

Knowing how to spot these types of attacks is the best way to avoid them, but there is one more thing you can do to ensure that a malicious macro document does not infect your computer. By default, the “Trust Center” setting for macros is “Disable all macros with notification”. This means that if macros are detected in a document, you will see that yellow “SECURITY WARNING” bar. We would recommend changing this setting to “Disable all macros without notification”, which will simply block the ability to use macros without prompting you to enable them:

Webroot_macroinfection_3

This is especially useful if you share your computer with others who are not already trained in spotting these types of malicious documents. We hope that this helps you to pre-emptively detect and avoid these types of infections in the future.

Ransom32 – A RaaS that could be used on multiple OS

Update: We now have a soundbite of the music played after infection: 

The RaaS (Ransomware as a Service) business model is still seeing growth. Here is the latest cyber criminals have to offer and it could later on be used for Mac and Linux OS

As with all other RaaS platforms you sign up to create new samples from hidden servers in the Tor Network. Just input the bitcoin wallet address you want your “revenue” to be deposited in.

Once you input a deposit bitcoin address, you’ll be presented with a very easy to use portal with customization and stats. The customization allows you to fully lock the computer – which will make the lockscreen pop-up every few seconds and not be able to be minimized. What is interesting is that it even mentions to use caution with this feature as victims will find it difficult to check that their files have even been encrypted and will have to use another machine to pay the bitcoin ransom. The stats will show you how many people you are infecting and how many people are paying the ransom.

Once you click download it will generate the malware with your customized setting and payment amount. The size of the file is 22MB which is quite large for malware in general. This is because main malware component inside the payload, “chrome.exe” is a packaged NW.js application which contains the malware code. NW.js s a framework that lets you call Node.js modules directly from the DOM and enables a way of writing applications with multiple web technologies that work on ALL operating systems. While we did see strings in the code reference commands only used on Unix operating systems, current samples only work on windows… for now. We suspect that Mac/Linux compatibility is in the works.

This is the infection lockscreen that pops up once you are infected and files are encrypted. You are also blasted with music from the video game Metal Gear Solid – which is bizarre and very obnoxious. We see that they’ve made sure to use the free decrypt tactic that was first introduced in 2014 with CoinVault – we did confirm that this feature works.

As always, these come with detailed instructions on how to purchase bitcoins with USD and then send it over to the ransom wallet.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies.

Please see our community post on best practices for securing your environment against encrypting ransomware.

Top Security Predictions for 2016

As 2015 comes to an end, we all look back at the huge list of big-name data breaches that occured, from passwords revealed to full on dating identities. It was not a pretty year for companies with lacking security protocols to say the least. And while we can sit here and delve into what happened, as a security company we must continue looking forward to what is going to happen next. Lessons were learned in 2015, but there is still going to be breaches, security problems to be solved, and as technology advances, so will the vectors for attack.

To look forward, to continue preparing, we here at Webroot have works on a list of our top 4 security predictions for 2016.

  1. People Push Back:  Tools that prevent unintentional data collection – such as cookie blockers, microphones, malicious advertisements, and camera blockers – will be increasingly adopted by consumers. Many of these tools block ads indiscriminately which will have an impact on legit sites ability to fund themselves. Consumers will also require web companies to disclose consumer data use and how it is being protected.
  1. Increased Attacks on IoT Devices: As more common items add connectivity for convenience, and thus become part of the IoT, it is expected that hackers will take advantage of poorly implemented security. Weaknesses in passwords, firmware updates and the storage of user specific data make IoT devices a prime target and attacks against these devices will increase in 2016.
  1. More Breaches: Cybercriminals will double down on phishing attacks – whether via telephone, texts, tweets, Instagram, Snapchat and other social avenues. With rapid growth on the rise in 2015, attackers will create remote sessions into PCs disguised as a trusted account vendor.  Also, reps from fraudulent sites will offer support which results in a remote connection and users’ systems getting compromised.
  1. 2016 Presidential Elections: There will be a spike in cybercriminal activity that exploits the 2016 US presidential elections and causes mass disruption. The attacks will include spam emails, campaign donation scams, fake election sites and telephone-based threats, which have been on the rise in 2015. Attacks will target social media and will increase in activity as the election night approaches. As a result, candidates will need to be more security-aware than ever before.

With these in mind, this is not the limit of what we will see but more of the avenues that we feel will have the biggest impact on the global threat landscape. What predictions fo you have for this coming year? Share your ideas in the comment box below.

Quick Tips to Protect Your New (and old) Apple Devices

Apple has projected yet another record holiday for sales, but this should come as no surprise to fellow ‘Macheads’. I myself, am a huge fan of Apple and have been for a quite some time; I still have my iBook, and it still works! My desk is home to an iMac, Macbook, and many other small Apple devices. The one thing that most people believe is that there is no need to worry about security for their beloved Apple devices, which is a bit over inflated. So here are a Full this holiday season.

Top Ten tips for OS X security

  1. Create a standard account (non-admin) for everyday use– Log into the standard account for your everyday activities, and to store your personal information. Whenever an administrator’s password is required, type the admin username, and the appropriate password. This will lead to more password requests than if you were working under an admin account. However these requests should make you think whether you should be entering your password.
  2. Set Gatekeeper to allow Mac App Store and identified developers– Gatekeeper resides under Preferences>Security & Privacy and its main function is to allow the user to control which apps can be run without further escalation and or attention. If you download an application that doesn’t meet the criteria you will not be able to run it.
  3. Stay current with OS X updates– Mac OS X has a built-in software update tool “Software Update”. It’s a good idea to run “Software Update” frequently and install updates when available.
  4. Disable automatic login– Automatic login means that anyone who can access your Mac only needs to start it up to have access to all of your files.
  5. Use the built in Firewall– The firewall can be tuned to your needs whether it be at home, work or travel.
  6. Use a password manager to help prevent phishing attacks– It’s important to create complex, unique passwords, however for most of us, the more complicated the password the easier it is for us to forget it.
  7. Use Mac FileVault for full-disk encryption– FileVault encrypts your entire hard drive using a secure encryption algorithm (XTS-AES 128). You should enable this feature on your Mac because if your hard drive isn’t encrypted, anyone who manages to steal your computer can access any data on it.
  8. Use a Mac anti-virus (WSA)– Let’s face it, Mac malware is real and only getting worse.
  9. Enable iCloud Mac locator and remote wipe– If your system is ever stolen you can log into iCloud.com or use the Find My iPhone app on an iOS device to locate your device, send it a command to lock it, have it issue a sound, or remotely wipe the device.
  10. Use “Secure Empty Trash” to remove data– By default files are simply marked for deletion and not really deleted making file recovery simple. Using Secure Empty Trash things get much more difficult to recover.

Tips to secure your iOS

  1. Enable Passcode Lock. This is one of the key security tips, The stronger the passcode the better. Apple has incorporated a fingerprint scanner in the newer iPhone models which allows users to use their fingerprints for authentication when unlocking their device and making purchases.
  2. Erase all data before selling, trading in, or sending off for repair.
  3. Update. By keeping your apps and operating system up-to-date, you will strengthen the security of your device. You can turn on the automatic downloads feature which will update apps in the background and without the need for you to do anything.
  4. Don’t Jailbreak. Sure, some of the Jailbreak tweaks are cool and can do some fun things but is the lack of security really worth it?
  5. Enable Safari security settings. These settings include blocking pop-ups, disabling autofill, fraud warnings, and the ability to clear cookies/history/cache. Alternatively, you can download Webroot’s secure web browser for iOS.
  6. Disabling Bluetooth/WiFi. There are several freeware tools designed to sniff for Bluetooth and WiFi signals then gather information from open devices. It is also best to not use public WiFi; you don’t really know what the guy sitting at the other table in Starbucks is doing on his computer.
  7. Find my iPhone. This should go without saying, this feature not only helps you find a lost or stolen phone, but it also makes wiping the phone a little harder. I had an iphone stolen and find my iPhone found it five months later… in Canada… someone sold it on ebay.
  8. Disable Siri on Lock screen. Siri is a great tool and assest but she can also talk to much, this will keep her quite until the correct person is able to unlock the device.
  9. Set up a VPN. A Virtual Private Network is a must-have and can bring extra security to anyone who uses their devices on different wireless networks. Some VPN services are free of charge, but some can cost several dollars a week which is more than a fair price for protecting your information.
  10. Turn on two-step verification for Apple ID and iCloud – a great way to prevent issues without someone knowing both the password and the 4-digit verification code.