The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

New Trojan Alters Bitcoin Addresses

A newly discovered trojan variant targets Bitcoin users and, more specifically, any Bitcoin addresses that may be copied into the device’s clipboard. The trojan “Evrial” can alter the address in the clipboard so funds are transferred elsewhere when a user performs a Bitcoin transaction.[/inlinetweet] Additionally, Evrial is capable of stealing cookies and any credentials that are being stored within web browsersto further compromise any purchases made on the device.

Paradise Ransomware is Anything But

In a recent return, new attacks have been linked to Paradise ransomware, which had been relatively quiet since its initial burst of attacks last year. Not much has changed for the variant since its previous reveal; it still requires a user to open a phony email attachment and unzip the packed infection. Unfortunately, there is no easy way to decrypt any of the affected files, and the user would need to either restore everything from a clean backup or pay the ransom, which varies based on the victim’s reply time.

Top UK Law Firms Face Massive Breach

Researchers have recently discovered several data dumps that contain over a million email credentials from several of the largest law firms in the UK. Based on the information found in the dumps, roughly 2,000 credentials belonged to each of the companies; the largest company is responsible for over 30,000 of them. Even worse, many of the dumps were released just in the last six months, though most come from third-party breaches.

Major Twitter Accounts Hacked

Several high-profile Twitter accounts were compromised over the last week and used to spread Turkish and Palestinian propaganda while attempting to phish the credentials of related accounts. Along with the credentials, it appears that private messages and other sensitive information were breached as well, leaving the compromised accounts even more vulnerable.

Business Security Moving Forward

Following a Ponemon Institute study from late last year, many were shocked at the results from the companies who responded. Over half of the 1,000 IT professionals surveyed claimed to have suffered a ransomware attack within the last year, and the majority of those reported the cause to be phishing and social engineering tactics. Even more worrisome, the average data breach involved the compromise of an average of 9,000 unique records, costing victims several million dollars to return to normal.

Earlier this month, CES attendees got a taste of the future with dazzling displays of toy robots, smart assistants, and various AI/VR/8K gadgetry. But amid all the remarkable tech innovations on the horizon, one thing is left off the menu: user privacy. As we anticipate the rocky road ahead, there are three major pitfalls that have privacy experts concerned.

Bio hazard

Biometric authentication—using traits like fingerprints, iris, and voice to unlock devices—will prove to be a significant threat to user privacy in 2018 and beyond. From a user’s perspective, this technology streamlines the authentication process. Convenience, after all, is the primary commodity exchanged for privacy.

Mainstream consumer adoption of biometric tech has grown leaps and bounds recently, with features such as fingerprint readers becoming a mainstay on modern smartphones. Last fall, Apple revealed its Face ID technology, causing some alarm among privacy experts. A key risk in biometric authentication lies in its potential as a single method for accessing multiple devices or facilities. You can’t change your fingerprints, after all. Biometric access is essentially akin to using the same password across multiple accounts.

“Imagine a scenario where an attacker gains access to a database containing biometric data,” said Webroot Sr. Advanced Threat Research Analyst Eric Klonowski. “That attacker can then potentially replay the attack against a variety of other authenticators.”

That’s not to say that biometrics are dead on arrival. Privacy enthusiasts can find solace in using biometrics in situations such as a two-factor authentication supplement. And forward-thinking efforts within the tech industry, such as partnerships forged by the FIDO Alliance, can help cement authentication standards that truly protect users. For the foreseeable future, however, this new tech has the potential to introduce privacy risks, particularly when it comes to safely storing biometric data.

Big data, big breaches

2017 was kind of a big year for data breaches. Equifax, of course, reined king by exposing the personal information (including Social Security Numbers) of some 140 million people in a spectacular display of shear incompetence. The Equifax breach was so massive that it overshadowed other big-data breaches from the likes of Whole Foods, Uber, and the Republican National Committee.

It seems no one—including the government agencies we trust to guard against the most dangerous online threats—was spared the wrath of serious data leaks. Unfortunately, there is no easy remedy in sight, and the ongoing global invasion of user privacy is forcing new regulatory oversight, such as the upcoming GDPR to protect EU citizens. The accelerated growth of technology, while connecting our world in ways never thought possible, has also completely upended traditional notions surrounding privacy.

The months ahead beg the question: What magnitude of breach will it take to trigger a sea change in our collective expectation of privacy?

Talent vacuum

The third big issue that will continue to impact privacy across the board is the current lack of young talent in the cybersecurity industry. This shortfall is a real and present danger. According to a report by Frost & Sullivan, the information security workforce will face a worldwide talent shortage of 1.5 million by 2020.

Some of this shortfall is partly to blame on HR teams that fail to fully understand what they need to look for when assessing job candidates. The reality is that the field as a whole is still relatively new and is constantly evolving. Cybersecurity leaders looking to build out diverse teams are wise to search beyond the traditional background in computer science. Webroot Vice President and CISO Gary Hayslip explained that a computer science degree is not something on his radar when recruiting top talent for his teams.

“In cyber today, it’s about having the drive to continually educate yourself on the field, technologies, threats and innovations,” said Hayslip. “It’s about being able to work in teams, manage the resources given to you, and think proactively to protect your organization and reduce the risk exposure to business operations.

Beyond shoring up recruiting practices for information security roles, organizations of all types should consider other tactics, such as providing continual education opportunities, advocating in local and online communities, and inevitably replacing some of that human talent with automation.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any questions? Just ask.

Hospital Pays Ransom to Restore Systems, Despite Having Backups

In the first cyberattack of 2018 to hit a healthcare organization, an Indiana hospital’s entire network was taken offline. Despite having full backups on-hand, the hospital paid the $55,000 Bitcoin ransom right away. Officials stated they paid the ransom to get the systems back to normal as quickly as possible, since restoring everything from their backups could have taken weeks. Fortunately for patients, no data was stolen, and the staff could continue assisting new arrivals the old-fashioned way (that’s right: pen and paper) until system functionality was restored.

Audio Attacks Used for Damaging Hard Drives

A recent collaborative study performed by two universities proved that, within a reasonable proximity, an attacker could use acoustic signals to target a hard disk drive, leading to data corruption on the device. While many people could explain why this type of attack is possible, the study determined that the attacks required not only a specific frequency based on the hard drive in question, but also a precise distance from the drive and angle of sound projection to execute a successful attack.

New Android Platform Takes Spying to New Heights

A new Android spying platform has been discovered that puts all its predecessors to shame. By implementing several new features, such as location-based audio recording, compromising WhatsApp messages, and even allowing attackers to connect the device to malicious WiFi networks, this software platform gives attackers an all-new range of methods to target victims. The platform is based around five known exploits in the Android OS, and it uses them to gain administrative access to the device.

Latest Netflix Phish Asks for User Selfie

Within the last week, a new email phishing campaign has been spotted targeting Netflix users. The email informs users that a “hold” has been placed on their account pending further information. It requests users upload a photo of themselves with an ID card and prompts them to update their billing information, before redirecting them to the real Netflix login page.

RubyMiner Found on Older Linux and Windows Servers

A new cryptocurrency miner variant has been targeting outdated system servers that run both Linux and Windows. The variant, known as RubyMiner, identifies the unsecured servers using a web server tool, then gains access via a variety of exploits to install a modified Monero miner. RubyMiner deviates from similar miners in that it focuses on machines that have likely been forgotten about, and so remain on without being regularly patched.

“How to buy Bitcoin” dominated Google how-to searches in 2017, ranking third overall. With the hype surrounding cryptocurrency at an all-time high, now is a better time than ever to cover the essentials of keeping cryptocurrencies safe.

If you are just getting into the crypto space or you’ve known what ‘HODL’ means for a while now, there are some basics everyone should know about protecting their holdings.

Need-to-know: private keys

Let’s start with the basics. First and foremost, you should know the difference between your public and private wallet addresses (aka keys). A convenient analogy here is that most cryptocurrency wallets essentially operate like a postal box.

Each wallet has a unique public address that can be given out freely to anyone, much like you would give out your P.O. box address at a post office. This public address will only allow people to send coins to the wallet.

You also have a private address that unlocks your wallet and allows you to send coins out of it, similar to how your mail key allows you to unlock your P.O. box and withdraw your mail. This key is yours and yours only. Never share your private address with anyone.

Keeping up with your wallets’ private addresses is an exercise in personal responsibility. You don’t have a physical key to save you, and instead need to carefully store your private address (which is simply a long string of characters). Above all, storing private keys insecurely on your computer is an easy target for cybercriminals who use malware capable of sniffing out and copying your private keys.

If you choose to store private wallet addresses on your devices, never keep them in plain text format, and instead store them on a password-protected, encrypted drive. For maximum security, only print paper versions of your wallet and store multiple copies in secure places, such as a home safe or a bank safety deposit box. This technique is referred to as cold-storage, as your wallet is not stored on an internet-connected device. Hardware wallets, such as those made by Trezor or Ledger, are other options for secure storage of your crypto assets.

Risky business

Buying and storing coins on an exchange such as Coinbase is inherently risky, especially the storage part as you don’t have access to your wallets’ private addresses on an exchange. The convenience factor may be great—user-friendly apps, pretty charts, and a multitude of coins to explore—but on an exchange, you do not have access to your private wallet addresses.

To be fair, that’s part of the ease-of-use exchanges provide since you don’t have to worry about copy and pasting a private address every time you want to unlock a wallet to send from. But this also means that you are not in full control of your coins and if you were to violate any terms of the exchange (knowingly or unknowingly), they could ban your account and you would lose access to your coins. The same is true if the exchange was hacked. If they were improperly storing private keys, you could lose your coins forever.

Staying in full control of your wallet also has additional perks. In the case of a ‘hard fork’ or ‘airdrop’ to holders of a certain coin, you would be able to claim those. As it currently stands, most exchanges do not give you hard fork coins or airdrops, and instead keep those assets for themselves to increase profitability.

‘All your Bitcoin are belong to us’

Perhaps only one thing is certain in the crypto-world: hackers can and WILL try to steal your cryptocurrency.

While blockchain technology is considered an incredibly reliable, real-time database that’s proven resistant to attack and manipulation, wallet- and exchange-side security have shown numerous vulnerabilities over the years. Perhaps you’ve heard of the infamous Parity wallet hack in which an attacker exploited a wallet vulnerability to steal over 150,000 ETH (today that’s $165 million USD).

Just last week, a Google researcher discovered a bug in the popular Electrum wallet that would allow websites to steal the wallet’s contents, causing the Electrum team to quickly release a patch to fix the bug. Case in point—do your homework on any desktop, browser, or mobile wallets you plan to use. Don’t trust blindly.

Phish food

Beware of tried-and-true phishing attacks. Phishing attempts to steal private keys are abundant and targeted specifically toward unwitting investors chasing the crypto rush. Below is a phishing site that visually copies a legitimate site belonging to the wallet app Bread. Notice that the malicious URL (hxxp://breadtokenapp.com/sign.php) is just barely different than the legitimate URL (hxxps://token.breadapp.com/en/).

Dead giveaway. No website should ever ask for your private address. The same is true for exchanges as they manage wallets on their side and would never need your private keys either. The only circumstance where your private address needs to be inputted is to access a wallet. It’s a good idea to bookmark wallet sites such as the popular myetherwallet.com to make sure that you are always using the correct URL and not a phishing site.

It might seem obvious, but making sure your computer is free from malware is mission critical when dealing with cryptocurrencies. A trusted antivirus solution, secure password manager, and browser security can help protect you from would-be crypto thieves.

Have questions or concerns specific to cryptocurrency wallet security? Drop me a line in the comments below.

Update 2/8/2018:

Reports have surfaced recently that Ledger Nano S hardware wallets are susceptible to potential man-in-the-middle attacks.

Man in the Middle Attack – Am I at risk? Our answers and actions to address the threat https://t.co/ms5LAnAR2O

— Ledger (@LedgerHQ) February 5, 2018

The Ledger, while safe in offline storage, must still be connected to the internet to make transactions. Ledger has confirmed that their device is vulnerable to man-in-the-middle attacks (using malware that scans for the recipient’s address and changes it to the hacker’s own address). This reiterates the importance of always double-checking the wallet address that you intend to send to, as well as ensuring your computer is free from malware.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst with a passion for all things security. Any questions? Just ask.

Exploitable Backdoor Found in Western Digital NAS Drives

Western Digital has recently released numerous patches for the vulnerabilities that were found and reported to the vendor nearly six months ago. The prominent issue revolved around a hard-coded administrative backdoor that could allow attackers to remotely execute files on the drives. Unfortunately for Western Digital, this series of vulnerabilities comes not long after the same generation of drives were found with 85 different exploits (and the company waited to push out patches until after the exploits had come to public attention.)

Welsh Restaurant Closes After Cyberattack

In the past month, the owner of a Welsh restaurant has been struggling to keep the doors open on the Seafood Shack following a cyberattack that completely cleared out the restaurant’s reservation system in the weeks before to Christmas. The restaurant is currently closed after nearly a month without patronage. The systems weren’t being monitored manually, so every diner’s booked tables were left empty. In addition to the cyberattack, the restaurant also faced licensing issues after a supervisor left their employ.

Winter Olympics Organizers Targeted by Phishing Attacks

Officials working on the Pyeongchang Winter Olympics have been under a constant stream of phishing attacks disguised as Microsoft® Word documents from a South Korean intelligence agency. The documents work like normal ones, but request that the user enable macros to launch a PowerShell script. Another version of the malware even bypassed the need for user permission, and instead waited for the user to click the .docx icon to change the language to Korean before launching the same PowerShell script.

Older Zero-Day Exploit Released on New Year’s Eve

In an unusual finish for 2017, one researcher chose to release a 15-year-old macOS® exploit into the wild. The exploit requires local access to the device, but, once active, would give any attacker full root access to the machine after the user logged out of their session. Even though all Mac® operating systems are susceptible to this vulnerability, it’s only a matter of time until Apple steps in and corrects the issue and give their massive client-base some piece of mind.

Opera Browser Implements Anti-Cryptojacking Functions

With the recent emergence of cryptojacking (i.e., exploiting an unwitting user’s CPU to mine cryptocurrency while they visit a hijacked website), Opera has taken a stand and implemented crypto-mining protection called “NoCoin” in their current ad blocking filter. NoCoin works by detecting any mining activity on a visited website and stops the mining, freeing up the system’s processor for actual user-initiated applications.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst with a passion for all things security. Any questions? Just ask.

Researchers Find Major Security Flaws in Modern Processors

Newly discovered bugs, Meltdown and Spectre, exploit critical flaws in the architecture of many modern processors to leak system memory and view information that should remain hidden at the application level. This vulnerability would allow hackers to steal secret information, such as stored passwords, although there are no known exploits currently in use. Operating system makers such as Microsoft, Apple, and Linux scrambled on Wednesday to release security updates to protect users. Experts speculate these flaws will impact the security industry for many years to come.

‘Trackmageddon’ Bugs Leave GPS Data Open to Hackers

Two security researches have uncovered several vulnerabilities that affect GPS tracking services, including those used in child and pet trackers. These vulnerabilities range from weak passwords and unsecured folders to unprotected API endpoints, according a report issued by the research team. Hackers could potentially exploit these flaws to collect private data from these location-tracking services.

Clothing Retailer Finds Malware on PoS Devices

The LA-based fashion retailer Forever 21 revealed that a recent data breach resulted in the theft of customer credit card information. Following an investigation, Forever 21 disclosed that point-of-sale devices were infected with malware following a lapse in data encryption. While it’s still unclear how many stores and customers have been affected, the retailer advises all customers to keep a close eye on their financial statements and credit reports for suspicious activity.

Cancer Care Provider Reaches Settlement over HIPAA Violations

21^st Century Oncology has reached a $2.3 million settlement agreement with the US Department of Health and Human Services following a data breach that leaked patient records and Social Security numbers of some 2 million patients. According to a press release from HHS, the breach was uncovered after an FBI informant was able to illegally obtain the company’s private patient files from a third party.

Android Malware Variant Steals Uber Data

Fakeapp malware found on Android devices spoofs Uber app to appear legitimate to users. This new malware tricks users into entering their account credentials by imitating the Uber app’s user interface. This attack underscores the need for caution when downloading apps, even from the Google Play store, as well as using a trusted a mobile security solution.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any questions? Just ask.

WordPress Backdoor Found on Over 300,000 Machines

Recently, researchers found a WordPress plugin containing a backdoor that could allow criminals to easily access any device on which the plugin is installed (at least 300,000 machines, in this case). Even more worrisome: the backdoor wasn’t discovered until the plugin’s author was cited in a copyright claim over the use of the “WordPress” brand. The WordPress security team quickly updated the plugin and began force-installing it on all compromised sites.

Billions of Credentials Found on Dark Web

In a recent data dump on the Dark Web, researchers have discovered a trove of credentials for at least 1.4 billion users, all of which was stored in plain text and was easily searchable. While some of the data had already been released in a previous data dump, it appears most of the credentials were new and verified as authentic. Unsurprisingly, the dump has also revealed that the majority of users still have incredibly weak passwords. The most common is still “123456”.

Data on Millions of Americans Left Unattended Online

Earlier this year, researchers discovered yet another AWS S3 database left misconfigured and freely available to anyone with AWS credentials. The database belongs to Alteryx, a marketing analytics company, and revealed financial information for at least 123 million Americans. Although, fortunately, the database didn’t contain full names or social security numbers, the 248 available data fields could easily be used to identify specific individuals.

Thousands of Lexmark Printers Left Unsecured

Over 1,000 internet-connected Lexmark printers have been found to have zero security measures; most lacked even a simple password. Additionally, many of these printers have been traced back to prominent companies and even government organizations. And while sensitive information isn’t directly available, hackers could cause major disruptions to the devices’ functions, and could even install malware to remotely capture any print jobs that might contain valuable data.

Android Mobile Game Silently Leaking Data

A relatively new mobile game on the Google Play Store appears to leak sensitive data from both the device’s user and the device itself almost constantly. Dune!, the app, has been downloaded at least 5 million times, and has been known to connect to up to 32 different servers to silently transmit stolen data and access a device’s geolocation data. Along with its true functionality, Dune! carries at least 11 known vulnerabilities that make it prone to additional attacks and further data leakage.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any questions? Just ask.

NC County Crippled by Ransomware Attack

Recently, a county in North Carolina was the target of a substantial ransomware attack that took many of their official systems offline, and may have affected over a million residents. Nearly 10% of the county’s servers were forced offline with a ransom demand of $23,000. County officials have stated they will not be paying, as there are no guarantees with ransomware, and will work to recover systems as quickly as possible.

Starbucks In-Store Wi-Fi Used to Mine Cryptocurrency

In the past week, a researcher discovered that the Argentinian rewards site for Starbucks was silently running a coin-mining script to generate Monero coins. Even more worrisome: more than 5,000 unique sites have been identified which are also be running some form of CoinHive code to mine cryptocurrency by sapping unsuspecting visitor’s CPU power. Fortunately for fans of free WiFi, Starbucks was quick to contact their internet service provider and resolve the issue.

Brand New HP Laptops Come with a Nasty Surprise

Keylogging software was recently discovered on over 400 models of HP laptops—preinstalled in their keyboard drivers. Even though the keylogger is disabled by default, it wouldn’t be difficult for anyone with access to the device to compromise its security by enabling it to record users’ keystrokes. Luckily for HP users, the company promptly issued a patch that removed the keylogging software from affected devices.

Spider Ransomware Focused on Balkans

Over the last few days, researchers have been monitoring a new ransomware variant called “Spider” as it works its way across the Balkan region of Europe. Surprisingly, this variant gives victims a mere 96 hours to pay the ransom. In addition to the tight deadline, the ransomware makes several attempts to ease the payment process for victims by providing an “educational” video tutorial and giving the user steady reassurance on how simple it is. As with many other ransomware variants, Spider spreads through malicious Microsoft® Office documents that request users to enable macros.

Mirai Botnet Creators Federally Charged in US

The creators of the original Mirai botnet have been federally charged for its initial creation and use as a DDoS-for-hire service. At its peak, Mirai affected over 300,000 individual IoT devices. Apparently, after the major DDoS attack earlier this year against DNS provider Dyn, one of the creators released the source code in the hope that others might use it, thereby obscuring the trail leading back to him.

It has been a turbulent year of devastating ransomware attacks (e.g. NotPetya) and gut-wrenching breaches (e.g. Equifax). Undoubtedly, the question on everyone’s mind is, “what’s in store for us in the New Year?” Webroot’s top 10 cybersecurity predictions for 2018 covers everything from ransomware and breaches to mobile, cryptocurrency, and government.We’ve grouped our predictions to help you navigate this glimpse into one possible cybersecurity future.

Malware will get smarter and threats more serious.

Malware campaigns will use AI to make secondary infection decisions based on what they’ve learned from previous campaigns. – Gary Hayslip, chief information security officer

We will see the first health-related ransomware targeting devices like pacemakers. – Eric Klonowski, sr. advanced threat research analyst

We haven’t seen the last of breaches.

I predict a minimum of 3 separate breaches of at least 100 million accounts each. I’d be willing to bet the data has already been compromised, but the affected organizations won’t learn of the breach until next year. – Tyler Moffitt, sr. advanced threat research analyst

Not even biometric security will be safe from malicious actors.

We will see the first biometric-access-based exploits using facial recognition or fingerprint access. – Eric Klonowski, sr. advanced threat research analyst

Consumers will want more from governments to keep them safe.

Consumers fighting back: 2018 will see major a major backlash from consumers (perhaps in the form of class action lawsuits), necessitating more regulations around data protection, particularly in the U.S. – David Kennerley, director of threat research

Infosec will become a C-level priority.

The CISO role will be mandatory for all organizations who do business with the Federal Government. – Gary Hayslip, CISO

Being a mobile-first society will come with greater costs.

We will see the first widespread worming mobile phone ransomware, perhaps spread by SMS or MMS. – Eric Klonowski, sr. advanced threat research analyst

Cryptocurrency will continue to rise and impending legislature is inevitable.

Malware distribution will rise and fall in conjunction with Bitcoin value. – Christopher Cain, associate malware removal engineer

GDPR will set a tone, for better or worse, and businesses should prepare on all sides.

Companies who trade with the European Union will suddenly panic over GDPR requirements and just encrypt everything in a knee-jerk response. – Jonathan Giffard, sr. product manager

The boom in the IoT space will bring stricter oversight to device manufacturers.

Data collected from IoT devices will be aggregated and used to develop an even larger, more involved picture of customers’ habits, constituting a major breach of privacy without consent. – Gary Hayslip, CISO

Do you have any cybersecurity predictions for 2018? Share your thoughts with us on Twitter with the tag #CyberIn2018.