by Steven Jurczak | Nov 12, 2020 | #LifeAtWebroot
Webroot is a dynamic team of hard-working individuals with
diverse backgrounds. One of those hard-working individuals is Ben Jackson,
Senior Manager of Software Development, Engineering. Ben started off building
pages in HTML. Now he leads high-performing teams and helps develop architectures
from his home in the UK. We sat down with Ben to find out how he got into
software and where he sees the biggest growth opportunities.
What were you doing before working at Webroot?
I worked at a Smart Meter manufacturer in the UK on their
manufacturing systems and had a short stint at a big UK retailer called Next working
on their retail website.
What brought you to Webroot?
The opportunity to work on some really cool tech, and the
people and culture really attracted me.
What is your role in the company?
I am a Senior Software Development Manager for the Sky
Services and Efficacy tools.
How did you get into software development?
I took a shine to it from an early age when I was trying to
find something to do for a career back at school. I started with the most basic
HTML web page in my spare time by copying the code from a textbook into notepad
and saving it as an html file to see it run. I have never looked back.
What are the primary coding languages you specialize in?
Microsoft .net framework technologies with languages such as
C#. I can use Visual Basic but I’m not a huge fan, and also Java.
What are the advantages of those languages and how do they manifest themselves in your work?
C# is in the core of what we do as a team. All our
applications are in the Microsoft .net framework stack, and through the use of
.net core in a lot of our new projects, we can run our code on any operating
system, making it very easy to deploy, such as in Linux or Docker containers.
What parts of your job require you to think outside of strictly writing code, for example, system architecture, use cases, etc.?
Most of my job requires me to think outside of writing code,
especially working with other engineering teams, product management, and
helping design the architecture of some of our decoupled systems.
What are your proudest accomplishments as a software engineer?
I have contributed to and led numerous software projects in
my career that I am very proud of, but my proudest achievements are in building
teams that work together to deliver something special and noteworthy in terms
of how the team collaborated together, especially my current team.
Where do you think the future of software development is headed?
It is tricky to say as direction changes all the time and
people have such differing opinions, but I feel it will certainly be the
continuation of the cloud (Amazon Web Services, Microsoft Azure and Google
Cloud) being king. The management of the infrastructure to run applications
will further be detached from the developer so that they will just be writing
the code and handing it over to the cloud to deploy, scale and manage for you
automatically. Serverless architectures will become more of the norm, I think.
War Games or The Matrix?
War Games! It was released the year before I was born, but I
have grown up with it through watching re-runs.
What else do you like to do besides coding?
I am a big football (soccer) and sports fan and try to watch
as much as I can. I used to play 11-a-side football as a goalkeeper every
Saturday for a local team until my recent retirement to spend more time with my
two children, who are my biggest focus now outside of work.
Any personal details or stories you’d like to share?
I once appeared on a Portuguese news channel while at a
friend’s stag (bachelor party). I was dressed as a pirate, doing the iconic
scene from the film Titanic at the front of a fishing boat as it came into the
harbor. For some reason, a news crew interviewed us and ran it on the early
evening news with the Titanic theme song by Celine Dion playing in the
background. I have no idea why they found us so interesting!
Want to find out about job opportunities at Webroot? Visit
our careers page.
by Kyle Fiehler | Nov 10, 2020 | Business + Partners, Managed Service Providers
A few years back, cryptojacking and cryptomining emerged as
relatively low-effort ways to profit by hijacking another’s computing
resources. Today, cloudjacking and cloud mining capitalize on similar
principles, only by targeting the near infinite resources of the cloud to
generate revenue for attackers. Understanding this growing threat is key to maintaining
cyber resilience.
Enterprise-level organizations make especially attractive
cloudjacking targets for a few reasons. As mentioned, the computing power of
cloud networks is effectively limitless for all but the most brazen
cybercriminals.
Additionally, excess electricity consumption, one of the
most common tipoffs for smaller scale cryptojacking attacks, often goes
unnoticed at the scale large corporations are used to operating. The same goes
for CPU usage.
Careful threat actors can also throttle back the amount of
resources they’re ripping off—when attacking a smaller organization, for
instance—to avoid detection. Essentially, the resources stolen at any one time in
these attacks are a drop in the Pacific Ocean to their largest targets. Over
time, though, and depending on particulars of a usage contract, the spend for
CPU used can really add up.
“Hackers have definitely transitioned away from launching
ransomware attacks indiscriminately,” says Webroot threat analyst Tyler
Moffitt. “It used to be, ‘everybody gets the same payload, everyone has the
same flat-rate ransom.’
“That’s all changed. Now, ransomware actors want to go after
businesses with large attack surfaces and more pocketbook money than, say,
grandma’s computer to pay if they’re breached. Cloud is essentially a new
market.”
High-profile cloudjacking incidents
Arguably the most famous example of cloudjacking, at least
in terms of headlines generated, was a 2018 attack on the electric car
manufacturer Tesla. In that incident, cybercriminals were discovered running
malware to leech the company’s Amazon Web Services cloud computing power to
mine cryptocurrency.
Even with an organization of Tesla’s scale, the attackers reportedly
used a throttling technique to ensure their operations weren’t uncovered.
Ultimately, they were reported by a third party that was compensated for the
discovery.
More recently, the hacking group TeamTNT developed a worm
capable of stealing AWS credentials and implanting cloudjacking malware on
systems using the cloud service. It does this by searching for improperly
configured installations of popular development tools, like Docker or
Kubernetes, running on AWS, then performing a few simple searches for
unencrypted credentials.
TeamTNT’s total haul remains unclear, since it can spread
its ‘earnings’ across multiple crypto wallets.
The fear though, now that a proven tactic for lifting AWS credentials is
out in the wild, is that misconfigured cloud accounts will become prime targets
for widespread illicit cloud mining.
SMBs make attractive targets, too
Hackers aren’t just launching cloudjacking attacks
specifically against storage systems and development tools. As with other
attack tactics, they often see MSPs and small and medium-sized businesses
(SMBs) as attractive targets as well.
“Several attacks in the first and second quarters of 2019
involved bad actors hijacking multiple managed service providers,” says
Moffitt. “We saw that with Sodinokibi and GandCrab. The same principles apply
here. Hacking a central, cloud-based property allows attackers to hit dozens
and potentially hundreds of victims all at once.”
Because smaller businesses typically share their cloud
infrastructure with other small businesses, compromising that infrastructure
can provide cybercriminals with a trove of data belonging to several different
owners.
“The cloud offers an attractive aggregation point as it
allows attackers access to a much larger concentration of victims. Gaining
access to a single Amazon web server, for instance, could allow threat actors
to steal and encrypt data belonging to dozens of companies renting space on
that server, holding it hostage,” says Moffitt.
High-value targets include confidential information like
mission-critical data, trade secrets, unencrypted tax information or customer
information that, if released, would violate privacy laws like GDPR and CCPA.
Some years ago, smaller businesses may have escaped these
cloud compromises without too much disruption. Today, the data and services
stored or run through the cloud are critical to day-to-day operations, even for SMBs.
Many businesses would be simply crippled should they lose access to public or
private cloud assets.
The pressure to pay a ransom, therefore, is significantly
higher than it was even three years ago. But ransoms aren’t the only way for
malicious actors to monetize their efforts. With cloud mining, they can get
right to work making cryptocurrency while evading notice for as long as
possible.
How to protect against cloudjacking and cloud mining
Moffitt recommends using “versioning” to guard against
cloudjacking attacks. Versioning is the practice of serializing unalterable
backups to prevent them from being deleted or manipulated.
“That means not just
having snapshot or history copies—that’s pretty standard—since with ransomware
we’ve seen actors encrypt all of those copies. So, my suggestion is
creating immutable backups. It’s called versioning, but these are essentially
snapshot copies that can never be edited or encrypted.”
Moffitt says many service providers have this capability,
but it may not be the default and may need to be switched on manually.
Two more tactics to adopt to defend against cloudjacking
are monitoring your configurations and monitoring your network traffic. As
we’ve seen, capitalizing on misconfigured AWS infrastructure is one of the more
common ways for cybercriminals to disrupt cloud services.
Security oversight of DevOps teams setting up cloud
applications is crucial. There are tools available that can automatically
discover resources as soon as they’re created, determine the applications
running on each resource and apply appropriate policies based on the resource
type.
By monitoring network traffic and correlating it with
configuration data, companies are able to spot the suspicious traffic that
compromised hosts generate as they send work or hashes to public mining pools,
which can also help identify where the mining is being directed.
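One way to put the monitoring advice above into practice, as an added example that is not Webroot's code: the script below scans constructed flow-log records for the Stratum JSON-RPC handshake that mining clients send to pools (the `mining.subscribe` and Monero-style `login` messages), scores each hit, and joins it to an asset inventory built from configuration data so that a web server talking to a pool stands out. The log format, port list, agent patterns and inventory shape are assumptions; all sample data is constructed.

```python
"""Detect Stratum-style mining-pool traffic and join it to asset inventory.

Added example, not Webroot's code. Assumptions: flow or proxy logs are
available as JSON lines with the fields src, dst, dport and payload (the first
bytes the client sent); the inventory maps source IPs to asset metadata
gathered from cloud configuration data. All sample data below is constructed.
"""
import json
import re
from typing import Dict, List, Optional

# Methods used by Stratum v1 (Bitcoin-style pools) and by the Monero/XMRig
# login variant that cloud miners most often speak.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit"}
# Ports commonly used by public pools (assumption; tune to your environment).
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14433, 14444}
# Client names that miners announce in the subscribe/login message.
MINER_AGENT_RE = re.compile(r"xmrig|cpuminer|cgminer|bfgminer|ethminer", re.I)


def parse_payload(payload: str) -> Optional[dict]:
    """Return the JSON-RPC object if the captured bytes look like one."""
    try:
        obj = json.loads(payload)
    except (TypeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def classify_flow(rec: dict) -> Optional[dict]:
    """Return an alert for a mining-looking flow, or None.

    'high' confidence needs a Stratum method or miner agent in the payload;
    a bare hit on a well-known pool port is only 'medium' (ports get reused).
    """
    reasons = []
    msg = parse_payload(rec.get("payload", ""))
    if msg:
        method = msg.get("method")
        if method in STRATUM_METHODS:
            reasons.append(f"stratum method {method}")
        params = msg.get("params")
        agent = ""
        if isinstance(params, dict):               # Monero-style login
            agent = str(params.get("agent", ""))
        elif isinstance(params, list) and params:  # Stratum v1 subscribe
            agent = str(params[0])
        if MINER_AGENT_RE.search(agent):
            reasons.append(f"miner agent {agent}")
    port_hit = rec.get("dport") in COMMON_POOL_PORTS
    if not reasons and not port_hit:
        return None
    confidence = "high" if reasons else "medium"
    if port_hit:
        reasons.append(f"pool port {rec['dport']}")
    return {"src": rec["src"], "dst": f"{rec['dst']}:{rec['dport']}",
            "confidence": confidence, "reasons": reasons}


def enrich(alert: dict, inventory: Dict[str, dict]) -> dict:
    """Correlate an alert with configuration data about the source host."""
    asset = inventory.get(alert["src"], {})
    alert["asset"] = asset.get("name", "unknown")
    alert["role"] = asset.get("role", "unknown")
    # Only a workload explicitly declared as a miner should ever talk to a pool.
    alert["unexpected"] = asset.get("role") != "miner"
    return alert


def scan(log_lines: List[str], inventory: Dict[str, dict]) -> List[dict]:
    """Run every log line through classification and enrichment."""
    alerts = []
    for line in log_lines:
        if line.strip():
            alert = classify_flow(json.loads(line))
            if alert:
                alerts.append(enrich(alert, inventory))
    return alerts


# Constructed sample flows (not real traffic). Addresses are documentation
# ranges; the wallet string is a placeholder.
_XMRIG_LOGIN = json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                           "params": {"login": "WALLET_PLACEHOLDER", "pass": "x",
                                      "agent": "XMRig/6.10.0"}})
_STRATUM_SUB = json.dumps({"id": 1, "method": "mining.subscribe",
                           "params": ["cpuminer/2.5.1"]})
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "10.0.1.10", "dst": "203.0.113.5", "dport": 3333, "payload": _XMRIG_LOGIN},
    {"src": "10.0.1.11", "dst": "198.51.100.7", "dport": 443, "payload": "GET / HTTP/1.1"},
    {"src": "10.0.2.20", "dst": "203.0.113.9", "dport": 4444, "payload": ""},
    {"src": "10.0.3.5", "dst": "203.0.113.12", "dport": 8443, "payload": _STRATUM_SUB},
)]
SAMPLE_INVENTORY = {
    "10.0.1.10": {"name": "web-01", "role": "web"},
    "10.0.1.11": {"name": "web-02", "role": "web"},
    "10.0.2.20": {"name": "batch-03", "role": "batch"},
    "10.0.3.5": {"name": "ci-runner-1", "role": "ci"},
}

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, SAMPLE_INVENTORY):
        print(json.dumps(a))
```

The port-only match is deliberately scored lower: pool ports are reused by ordinary services, so the payload handshake and the inventory role are what turn a hint into an alert worth paging on.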
There tends to be a learning curve when defending against
emerging attacks. But if businesses are aware of how cloud resources are
manipulated by threat actors, they can be on guard against cloudjacking by
taking a few simple steps, increasing their overall cyber resilience.
by Connor Madsen | Nov 6, 2020 | Industry Intel
Maze Ransomware Group Ends Operations
A press release issued this week announced the end of the Maze
ransomware group’s data theft operations. In the release, the Maze authors revealed
their motives behind one of the most successful ransomware campaigns to date,
and why they chose to finally shut down their massive project. It also stated the
Maze team was working to expose the major security holes key industries fail to
address, though their methods created many victims.
Magecart Targets International Gold Retailer
Nearly three months after a data breach caused by a Magecart
attack struck the international precious metals retailer, JM
Bullion has finally released an official statement to customers. After
identifying unauthorized activity on their systems in mid-July, the company
went on to find that their systems had been compromised since February by
Magecart payment card-skimming software. The company has yet to acknowledge why it
took so long to discover the breach or why it failed to follow GDPR regulations
by immediately contacting affected customers.
Ryuk Remains Top Player Throughout 2020
With ransomware continuing its stay at the top of the cyberthreat
throne, Ryuk
variants have been responsible for over a third of all ransomware attacks in 2020
alone, or roughly 67 million attacks. Ryuk has been around for over two years,
but found much greater success this year after being found responsible for only
5,100 attacks in 2019. Ransomware attacks grew 40 percent over last year, to
nearly 200 million as of Q3.
Cannabis Site Leaves Database Exposed
An unsecured database belonging to cannabis website GrowDiaries
and housing over 3.4 million user records was found to be accessible last month.
The data included 1.4 million user passwords that were hashed with MD5,
which is known to be easily cracked by cybercriminals. Nearly a week
after being informed of the database, GrowDiaries properly secured it from
public access, though it remains unclear how long it was accessible or who
accessed it during that time.
Mattel Reveals Ransomware Attack
Following a July ransomware attack, Mattel
has finally issued an official statement regarding the overall damage. The
company has confirmed that no data was stolen during the attack, which was
quickly identified by their security team, and many systems were taken offline to
prevent any damage or theft from occurring. The ransomware attack was likely perpetrated
by TrickBot, as it’s known for concentrating on large organizations and leaving
them exposed for some encrypting variant to follow.
by Steven Jurczak | Nov 4, 2020 | Home + Mobile
Mobile devices have become an indispensable part of our lives. By the time we’re
teenagers, we’re already tethered to technology that lives in our pockets and
connects us to a network far larger than we ever imagined possible. Because of
the way we interact with our phones, they know our likes, curiosities and
vulnerabilities, in addition to our passwords, financial data and most closely
held secrets. This seemingly infinite amount of data also makes our mobile
devices highly attractive targets for malicious actors. That’s why it’s
critical to protect phones from threats.
A successful attack on your phone could compromise your personally identifiable
information (PII), banking accounts and even your professional life or the
success of your business. Just like you lock the doors of your house when you
go away, or your storefront after business hours, you should take care to secure
the entry points that cybercriminals use to gain access to the data on your
phone.
WiFi and mobile app threats
The convenience and ubiquity of public WiFi and mobile apps are also their greatest
weakness. With unsecured public WiFi, you can never be sure if you’re
connecting directly to a secure hotspot or to a hacker, who is stealing your
information and relaying it to another malicious actor. Before you connect to
an unfamiliar public WiFi network, follow these best practices to reduce the
chances of compromising yourself:
- Use a virtual private network (VPN) instead – VPN is highly recommended for all business
communications. VPN keeps your network and Wi-Fi communications encrypted,
which makes it much harder for hackers to access.
- Disable sharing on all apps – While you may be comfortable sharing your
location with apps when you’re on a secure connection, consider disabling it in
system preferences or settings when you’re connecting to public WiFi.
- Verify all public WiFi networks – Hackers can
easily set up a public WiFi network that looks like it’s owned by the proprietor.
Before you connect to “Java House Guest WiFi,” ask someone behind the counter
the exact name of their WiFi network.
- Plug Bluetooth vulnerabilities – Hackers often
use Bluetooth connections to infect devices or steal files. This puts personal data at
risk when using Bluetooth. These attacks involve using the device for phone
calls or text messages, or using Bluetooth functionality to find deeper
vulnerabilities in the phone system or to steal data stored on the phone. Similar
exploits exist for Apple users through the AirDrop feature. The best way to
plug these vulnerabilities is to turn off Bluetooth or AirDrop when not in
use, keep your software up to date, only pair with trusted devices and use a
VPN to encrypt your data and hide your identity.
- Disable auto-join for open networks – Public
WiFi networks are ideal environments for a range of cybersecurity attacks,
including rogue networks, man-in-the-middle attacks, viruses, and snooping or
sniffing. To reduce the likelihood of these attacks, remote users should turn
off Wi-Fi auto-connect settings for public WiFi networks.
With more than 120 million Android users, Android malware continues to be a real and
increasingly common threat. Google has already pulled a large number of
malicious apps from the Play store. But the open nature of the Android
operating system makes it an easy play for hackers. The year 2020 has been a
particularly risky one for mobile app users. A few of the more dangerous mobile
threats in circulation include:
- Joker – Since 2019, Joker has been stealing
credit card information and banking credentials by simulating other legitimate
apps.
- CryCryptor – Based off the open-source ransomware
CryDroid, this mobile variant has been spotted masquerading as a COVID-19
tracing app.
- EventBot – This malicious app abuses
accessibility features to steal user data, and reads and steals SMS messages to
bypass two-factor authentication.
- Dingwe – This modified remote access tool is capable
of controlling a device remotely. Samples have been found impersonating
COVID-19 tracing apps.
Many of these malicious operators use various tricks to evade detection. Since
Android devices can come with hundreds of apps pre-installed, there’s a high
potential for security gaps that a malicious app maker could exploit.
#1 Defense Measure: Update the OS
One of the major vulnerabilities with Android devices is outdated software. More
than 40% of Android devices are using an OS version older than v9. This makes
them more vulnerable to malicious applications.
Webroot® Mobile Security can help improve your mobile defenses without
impacting your browser speed. It allows you to browse, shop, search, bank or
use social networks, all while blocking malicious websites that try to steal
your personal information. Webroot® Mobile Security includes proactive identity
protection features, which block malicious sites that try to steal your
personal info or harm your device. With Webroot® Mobile Security, you can hide
your digital footprint and your browsing history through private browsing mode.
by Connor Madsen | Oct 30, 2020 | Industry Intel
Adobe Flash Being Uninstalled on Windows Systems
Following its September announcement, Microsoft has released
an update that removes Adobe
Flash from Windows 10 systems and prevents reinstallation. It should be
noted that this update only removes the version of Adobe Flash that comes
bundled with Windows 10. Internet browser extensions and stand-alone installs
of the software will remain unaffected by this update. Should the user want to
re-install Adobe Flash on an updated system, they must either revert to a point
prior to the update or perform a fresh install of Windows 10.
Gunnebo Suffers Critical Data Breach
Officials for Gunnebo,
a Swedish security firm, have revealed that they were victims of a data breach in
August. Researchers also discovered an 18GB file confirmed to contain customer
information stolen from Gunnebo. The compromised data was uploaded to a public
server after Gunnebo refused to pay a ransom, exposing roughly 38,000 sensitive
files.
Finnish Health Center Hacked
It was recently revealed that the Finnish psychotherapy
center Vastaamo
suffered a ransomware attack that compromised highly sensitive patient data belonging
to thousands of individuals. After refusing to pay a 40 Bitcoin ransom, the
attackers began publishing the stolen data on the dark web. While officials have
yet to determine when the breach occurred, they have been contacting victims
about the stolen data since October 21.
Customer Accounts at UK Restaurant Chain Breached
Recent technology changes at restaurants and other public
establishments like touchless methods of interaction have left UK restaurants open
to major security flaws. One such flaw has been exploited at UK restaurant chain Nando’s,
with several customer accounts affected. By accessing previous account logins
and using credentials that were stolen in prior cyberattacks, hackers have been
able to create fraudulent orders. The company has since confirmed that, though
they themselves weren’t the target of the breach, they will compensate any
customers who are fraudulently charged.
Ryuk Suspected in Major Steelcase Attack
International furniture maker Steelcase
was forced to take its systems offline following a ransomware attack that began
late last week. It is believed that the attack used the highly active
ransomware variant, Ryuk, though this has yet to be confirmed by Steelcase. By
shutting down the remaining unaffected systems, Steelcase hopes it was able to
stop the spread of encryption before irreparable damage was caused.
by Kyle Fiehler | Oct 29, 2020 | #LifeAtWebroot
Nurul Mohd-Reza knows how to empathize with the customers
she serves. Her work with marginalized groups as a college student, she says,
helped prepare her for when the pandemic turned many of her customers’
businesses upside down last March.
Here she discusses what she’s learned after just 10 months
in the industry and provides some advice for those looking to dive headfirst
into something new.
Tell us a little bit about your career background. How
did you get to where you are today?
I started working at Webroot back in January, so my time
here hasn’t been long. For most of my collegiate career I worked in the
Division of Student Affairs at CU Boulder, focusing specifically on leadership
and development. I served as a student advisor to university officials and local
businesses. And so, as time went on, I became very interested in the dynamic
between people and business. From there, I knew I wanted to dive deeper into
this realm but was unsure on how to get started. So after college I began
working in healthcare operations.
I believe what got me interested in this career path was
when I attended Denver Start Up Week, which was a phenomenal experience. It
opened my eyes to the unfamiliar world of customer success. Seeing how
companies used technology and data to proactively understand their customer
persona, and on top of that, scale engagements to fit their customer’s needs was
truly insane. I thought what better way of molding my interests than being on
the front lines serving as an advocate between people and product.
And how did you land at Webroot specifically?
It’s a funny story. I had come across this position and
halfway through filling out the application I thought I might not be well-equipped
for the role, so I actually ended up not finishing the application. And then a
recruiter reached out to me and said they were interested in starting a
conversation. It was unconventional, but I’m very grateful she reached out
because it gave me an opportunity to explain my transition and why I wanted to
make that jump into tech.
From there, I ended up interviewing here at Webroot and it
was a great experience overall. Being early on in my career, I knew I wanted to
work in an environment that obviously fostered growth, professionally and
personally. After speaking with my current boss, I was very optimistic about
the trajectory of Webroot, as well as the vision for Customer Success and this
team specifically.
What are your core responsibilities as a customer
retention specialist?
I would say my time is split between two main
responsibilities. My primary role is to oversee the renewal process for a subset
of SMBC contracts projected for the quarter. On the other hand, we are a
customer facing role. So handling business customer inquiries as
they arise. This involves everything from advising customers on certain buying
decisions to providing in-product guides.
However, we are starting to shift our
focus on how to effectively connect with customers throughout their lifecycle. Previously,
we’ve concentrated on the renewal period which is 90 days before expiration.
Now, we’re starting to expand our scope and engage with customers to create
those smooth onboarding workflows, as well as push early-on adoption of the
product.
At the end of the day, it’s really about strategy—how do we
effectively educate and guide the customer to build depth behind the product in
hopes of retaining that relationship for the long haul.
What would you say has been the most significant
challenge of your career so far?
I think one of the most significant challenges was switching
to an industry I’d never worked in before. The learning curve was steep in
terms of familiarizing myself with the products we offer, our workflow with all
the various systems we use, and the dynamic relationships between our various
partners.
In Customer Success, it’s not simply about securing
renewals. The process involves having to solve roadblocks in order to help a
customer achieve their goal. We have to work with a range of departments to
solve issues the customer is facing—whether it be from a product standpoint or
a billing redundancy. So being able to learn each player’s role and then manage
those relationships was obviously a challenge to begin with. It’s exciting,
though. It keeps you on your feet and you get to meet a lot of new people from
diverse backgrounds.
Another obvious challenge was COVID-19. I had only been
working in the office for about two months when the pandemic hit. Learning how
to onboard remotely was new and something I had to juggle with most definitely.
What skills do you feel have carried over well from your
work in public affairs?
I believe Customer Success is focused on building
relationships with our customers—which to my advantage was a valuable skill I
carried over from my work in public affairs. In this role, it’s very important
to enjoy solving problems and addressing issues head-on. You have to be
incredibly flexible and create some sense of fluidity in the midst of a growing
queue of customer requests.
In my previous role, I worked with marginalized communities to
combat an array of social issues. So learning how to communicate with empathy,
while also moving with focus and intent was crucial and very much transcends
into my current role now.
Do you have a favorite part of the job after 10 months
with the company?
I’m optimistic about being able to refine the customer
journey. I believe the beauty behind Customer Success is it’s still an unknown
territory. Everywhere you look, companies have a different way and methodology
on how they interact with the customer. Not to mention, the type of technology
and automation coming into play is fascinating.
In addition to that, our team is fairly new, which gives us
a range of autonomy to create the structure and the formatting that we believe
will best deliver value to our customers throughout their lifecycle. Although
we are now part of a 15,000-person organization, it still feels like a start-up
environment. We are constantly working to strategize and envision how we want
the customer experience to evolve. To me, it’s very exciting to be at the
intersection of all these moving parts.
Any advice for someone in your same situation, looking to
cross over into the tech industry?
Well, given my experience, I’d say don’t doubt your
capabilities. No experience is wasted experience. Even if you might not be the absolute
perfect fit for a position, you have a breadth of skills you’ve developed over
the past couple of years that will help mold you into whatever new role you’re
interested in.
I believe one of the best pieces of advice I was ever given
was don’t close a door on yourself before the opportunity even presents itself.
By saying you can’t do this, or you don’t have the skills for that, you’ve
already blocked out all these great possibilities. So be open to new
experiences and don’t hold back.
To see what positions are available for
you at OpenText, visit our careers page here.
by Justine Kurtz | Oct 27, 2020 | Business + Partners, SMBs
For the third year running, we’ve examined the year’s biggest cyber threats and ranked them to determine which ones are the absolute worst. Somewhat unsurprisingly, phishing and RDP-related breaches remain the top methods we’ve seen cybercriminals using to launch their attacks. Additionally, while new examples of malware and cybercriminal tactics crop up each day, plenty of the same old players, such as ransomware, continue to get upgrades and dominate the scene.
For example, a new trend in ransomware this year is the addition of a data leak/auction website, where criminals will reveal or auction off data they’ve stolen in a ransomware attack if the victim refuses to pay. The threat of data exposure creates a further incentive for victims to pay ransoms, lest they face embarrassing damage to their personal or professional reputations, not to mention hefty fines under privacy regulations like GDPR.
But the main trend we’ll highlight here is that of modularity. Today’s malicious actors have adopted a more modular malware methodology, in which they combine attack methods and mix-and-match tactics to ensure maximum damage and/or financial success.
Here are a few of the nastiest characters and a breakdown of how they can work together.
- Emotet botnet + TrickBot Trojan + Conti/Ryuk ransomware
There’s a reason Emotet has topped our list for 3 years in a row. Even though
it’s not a ransomware payload itself, it’s the botnet that is responsible for
the most ransomware infections, making it pretty darn nasty. It’s often seen
with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil.
Here’s how an attack might start with Emotet and end with ransomware. The
botnet is used in a malicious spam campaign. An unwitting employee at a company
receives the spam email and accidentally downloads the malicious payload. With its
foot in the door, Emotet drops TrickBot, an info-stealing Trojan. TrickBot
spreads laterally through the network like a worm, infecting every machine it
encounters. It “listens” for login credentials (and steals them), aiming to get
domain-level access. From there, attackers can perform recon on the network,
disable protections, and drop Conti/Ryuk ransomware at their leisure.
- Ursnif Trojan + IcedID Trojan + Maze ransomware
Ursnif, also known as Gozi or Dreambot, is a banking Trojan that has
resurfaced after being mostly dormant for a few years. In an attack featuring
this troublesome trio, Ursnif might land on a machine via a malicious spam
email, botnet, or even TrickBot, and then drop the IcedID Trojan to improve the
attackers’ chances of getting the credentials or intel they want. (Interestingly,
IcedID has been upgraded to use steganographic payloads. Steganography in
malware refers to concealing malicious code inside another file, message, image
or video.) Let’s say the Trojans obtain the RDP credentials for the network
they’ve infected. In this scenario, the attackers can now sell those
credentials to other bad actors and/or deploy ransomware, typically Maze. (Fun
fact: Maze is believed to have “pioneered” the data leak/auction website
trend.)
- Dridex/Emotet malspam + Dridex Trojan + BitPaymer/DoppelPaymer ransomware
Like TrickBot, Dridex is another very popular
banking/info-stealing Trojan that’s been around for years. When Dridex is in
play, it is either dropped via Emotet or its authors’ own malicious spam
campaign. Also like TrickBot, Dridex spreads laterally, listens for
credentials, and typically deploys ransomware like BitPaymer/DoppelPaymer.
As you can see, there are a variety of ways these attacks can be carried out,
but the end goal is more or less the same. The diverse means just increase the
likelihood of success.
The characters
mentioned above are, by no means, the only names on our list. Here are some of
the other notable contenders for Nastiest Malware.
- Sodinokibi/REvil/GandCrab ransomware –
all iterations of the same ransomware, this ransomware as a service (RaaS)
payload is available for anyone to use, as long as the authors get a cut of any
successful ransoms.
- CrySiS/Dharma/Phobos ransomware – also RaaS
payloads, these are almost exclusively deployed using compromised RDP
credentials that are either brute-forced or easily guessed.
- Valak – a potent multi-functional malware
distribution tool. Not only does it commonly distribute nasty malware such as IcedID
and Ursnif, but it also has information stealing functionalities built directly
into the initial infection.
- QakBot – an info-stealing Trojan often
dropped by Emotet or its own malspam campaigns with links to compromised
websites. It’s similar to TrickBot and Dridex and may be paired with ProLock
ransomware.
Combine protections to combat combined attacks.
If businesses want to stay
safe, they need to implement multiple layers of protection against these types
of layered attacks. Here are some tips from our experts.
- Lock down RDP.
Security analyst Tyler Moffitt says unsecured RDP has risen over 40% since the
COVID-19 pandemic began because more businesses are enabling their workforce to
work remotely. Unfortunately, many are not doing so securely. He recommends
businesses use RDP solutions that encrypt the data and use multi-factor
authentication to increase security when remoting into other machines.
- Educate end users about
phishing. Principal product manager Phil Karcher points out that many of
the attack scenarios listed above could be prevented with stronger
phishing/spam awareness among end users. He recommends running regular security
training and phishing simulations with useful feedback. He also says it’s
critical that employees know when and how to report a suspicious message.
- Install reputable cybersecurity
software. Security intelligence director Grayson Milbourne can’t stress
enough the importance of choosing a solution that uses real-time threat
intelligence and offers multi-layered shielding to detect and prevent multiple
kinds of attacks at different attack stages.
- Set up a strong backup and
disaster recovery plan. VP of product management Jamie
Zajac says that, particularly with a mostly or entirely remote workforce,
businesses can’t afford not to have a strong backup. She strongly recommends
regular backup testing and setting alerts and regular reporting so admins can
easily see if something’s amiss.
Discover more about 2020’s Nastiest Malware on the Webroot Community.
by Steven Jurczak | Oct 21, 2020 | Home + Mobile
October 21 is Wonder Woman Day. It commemorates Wonder
Woman’s first appearance in All Star Comics
#8. With the upcoming release of Wonder Woman 1984, we took the
opportunity to talk superheroes, superpowers and protecting data with our very
own Briana Butler, Engineering Services Manager at Webroot.
Q: Wonder Woman got her powers from her divine mother, Queen Hippolyta. How did you get your data protection superpowers?
I had a reboot in life. I was previously a retail buyer, then
I went back to school for computer science and ended up switching to the business
school. I was hired at Webroot to be a bridge between engineering and business
– you have to have people that can speak both languages – and that’s exactly
what I wanted to do and what I was trying to forge with my new career.
I first began as a data analyst, which meant working on privacy
compliance, GDPR, CCPA, and data mapping, understanding where data is stored and
processed, and who has access to it. My latest role is as an Engineering Services
Manager, meaning I help engineering and product with personnel and hiring needs,
ISO certification and making sure our development teams receive the training
they need to stay up to date with the fast pace of tech.
Q: Wonder Woman had several superpowers, or super powerful gadgets, like indestructible bracelets and a lasso that forced people to tell the truth. Is cyber resilience a superpower?
Every superhero has different talents or powers. When we
think of cyber resilience, it’s sort of like our own personal toolbox of powers
that we can use against malicious actors who want to take our data and make
money off it.
Our toolbox of cyber resilience includes basic best
practices like knowing how to create a strong password, not clicking every link
that comes into your email inbox and daily behaviors of how to navigate and
defend yourself online. The goal is to live your best digital life confidently, without
disruption.
Q: What about our data? Does that give us any powers that we wouldn’t have without it?
I think it’s more about understanding the power data has if
we give it away. When we give people access to our data, that’s when it becomes
powerful. Whether it’s corporations or malicious actors, when we willingly hand
out our data, that gives it power because then, they know things about us. I
talk a lot about privacy and why everyone should be more critical and cognizant
of the data they’re sharing. We share a lot more than we realize. It’s time for
all of us to understand what we’re sharing and then decide if we, personally,
really want to share it.
Q: Wonder Woman encountered her fair share of comic strip villains, like the Duke of Deception, Doctor Psycho and Cheetah. Who are the villains in the digital world?
They’re the malicious actors and cybercriminals who would take
your data and sell it on the open market. It could even be the person trying to
get access to your Hulu account. There are also nation-state actors and the
companies you buy things from. There’s a huge spectrum of villains, and they
all want your data. There’s big money in data. So, it’s important that you’re
aware of what’s being shared.
I’ve started reading privacy policies – those long,
convoluted legal documents – to see if I can understand where I’m going to be sharing
my information and make a more conscious decision.
For one large social platform, when I went through it, I started
asking myself, am I really okay sharing this information? Do I really need this
service or platform? Is it necessary in exchange for what I’m about to share
with them? In the end, I didn’t sign up for it.
I’ve also gone through the frustrating and somewhat time-consuming
act of cleaning up all my passwords and using a password manager. Most people
say they have anywhere from 15 to 20 password-protected accounts. But when I
went through all the places I’ve shared my password, it was upwards of 100!
One of my favorite topics is password strength. We recently
did an analysis of password configurations with Maurice Schmidtler, our head
data scientist, who created a Monte Carlo simulation.
We took what you usually see when you’re told to create a password – like using
uppercase and lowercase letters or special symbols – and applied those within
the simulation. What we found was that the more constraints you put on a password,
the fewer viable options you have for a strong password, meaning it decreases the
number of good password options. Whereas if you focus on creating a strong
password, where length is more important than the various character-type
constraints, you’ll end up with a much stronger password. Length is strength
because it takes more computing power to break.
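The keyspace argument in the answer above, as an added example that is not part of the interview or of the simulation it mentions: it counts exactly (by inclusion-exclusion) how many passwords of a given length satisfy composition rules, estimates the same fraction with a small Monte Carlo run, and compares that with the gain from extra length. Character classes are assumed to be the 94 printable ASCII characters without space.

```python
"""Added example, not from the Webroot interview: compares the number of
acceptable passwords under composition rules with the number gained from
extra length, exactly and by a small Monte Carlo estimate."""
import random
import string
from itertools import combinations
from math import log2

# Assumed character classes (94 printable ASCII characters, no space).
CLASS_CHARS = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
               "digit": string.digits, "symbol": string.punctuation}
POOL = "".join(CLASS_CHARS.values())
ALPHABET = len(POOL)
ALL_RULES = ("lower", "upper", "digit", "symbol")


def count_passwords(length, required=()):
    """Exact count of length-`length` strings over the pool that contain at least
    one character from every class in `required` (inclusion-exclusion)."""
    total = 0
    for k in range(len(required) + 1):
        for omitted in combinations(required, k):
            # strings that avoid every class in `omitted`
            remaining = ALPHABET - sum(len(CLASS_CHARS[c]) for c in omitted)
            total += (-1) ** k * remaining ** length
    return total


def entropy_bits(length, required=()):
    """log2 of how many passwords a uniform generator can choose from."""
    return log2(count_passwords(length, required))


def satisfies(pw, required):
    """True if `pw` contains at least one character from each required class."""
    present = {name for name, chars in CLASS_CHARS.items() if any(c in chars for c in pw)}
    return all(r in present for r in required)


def monte_carlo_fraction(length, required, samples=20000, seed=1):
    """Estimate the fraction of uniformly random passwords that pass the rules."""
    rng = random.Random(seed)
    hits = sum(satisfies("".join(rng.choices(POOL, k=length)), required)
               for _ in range(samples))
    return hits / samples


if __name__ == "__main__":
    # Constraints remove acceptable 8-character passwords; two extra
    # characters with no rules add far more than the rules take away.
    print("8 chars, all rules :", round(entropy_bits(8, ALL_RULES), 1), "bits")
    print("8 chars, no rules  :", round(entropy_bits(8), 1), "bits")
    print("10 chars, no rules :", round(entropy_bits(10), 1), "bits")
    print("Monte Carlo pass rate, 8 chars, all rules:",
          monte_carlo_fraction(8, ALL_RULES))
```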
Q: Wonder Woman was a founding member of the Justice League. So, even she needed the help of a squad to defeat the villains. Do we need help from a squad to be more cyber resilient?
We all need assistance because as humans, we are fallible. Inevitably,
someone might click on a malicious link, or some unforeseen event might happen where
you need a backup
that’s going to allow you to recover data instead of losing it permanently.
When it comes to ransomware, or really any other attack, you
need awareness. That’s why we encourage proactive education and regular security
awareness training, so people truly understand the threat landscape and how
to identify the most prevalent types of attacks.
Q: At one point in the story, Wonder Woman surrendered her superpowers and used fighting skills instead. In what ways do we surrender our powers when it comes to cyber resilience?
Oversharing content or data about yourself, your name or address
are surefire ways to surrender power in the digital age. All these things
identify you and allow criminals to gain insight that can be used against you
through social engineering.
You’re also surrendering power when you practice poor cyber
hygiene, like repeating passwords across multiple logins. Once a cybercriminal
gains access to one login, they can discover more details about you and use it
elsewhere. For example, you may not be worried about a criminal getting access
to your Netflix account, but if you use the same password there as you do with
your bank, then the situation just became much more serious.
You also surrender power by not protecting your home network
and not using VPN when you’re on public Wi-Fi. People often think “it won’t
happen to me,” until it’s too late. And recovery can be costly and time-consuming.
That’s why implementing layers of protection up front strengthens cyber
resilience and helps keep your digital life easy, secure and free of complications.
Q: Are you going to watch the new Wonder Woman movie?
Oh sure! I will because I’ve seen all the other ones. I’m a
big fan of Guardians of the Galaxy. And, of course, I love Iron Man. And I was
a big fan of Black Panther, too. Doctor Strange is also one of my faves.
Q: If cybercriminals were villains from Wonder Woman, who would they be?
The Duke of Deception! Hackers, cybercriminals and nation-state
actors are constant antagonists, and that’s exactly who we defend our users against.
by Kyle Fiehler | Oct 19, 2020 | Business + Partners, Managed Service Providers
Fine-tuning privacy for any preference
A DNS filtering service that accommodates DNS over HTTPS (DoH) can strengthen an organization’s ability to control network traffic and turn away threats. DoH can offer businesses far greater control and flexibility over their privacy than the old system.
The most visible use of DNS is typically the browser, which
is why all the usual suspects are leading the charge in terms of DoH adoption. This
movement has considerable steam behind it and has extended beyond just
applications, as Microsoft, Apple and Google have all announced their intent to support DoH.
Encrypting DNS requests is an
indisputable win for privacy-minded consumers looking to prevent their ISPs
from snooping on and monetizing their browsing habits. Businesses, on the other
hand, should not easily surrender this visibility since managing these requests
adds value, helping to keep users from navigating to sites known to host
malware and other threats.
Here are three examples of how.
1. By enhancing DNS logging control
Businesses have varying motivations for tracking online
behavior. For persistently troublesome users—those who continuously navigate to
risky sites—it’s beneficial to exert some control over their network use or
even provide some training on what it takes to stay safe online. It can also be
useful in times of problematic productivity dips by helping to tell if users
are spending inordinate amounts of time on social media, say.
On the other hand, for CEOs and other strategic business
units, tracking online activity can be cause for privacy concerns. Too much
detail into the network traffic of a unit tasked with investigating mergers and
acquisitions may be unwanted, for example.
“If I’m the CEO of a company, I don’t want people paying attention
to where I go on the internet,” says Webroot DNS expert Jonathan Barnett. “I
don’t want people to know of potential deals I’m investigating before they
become public.”
Logging too much user information can also be problematic
from a data privacy perspective. Collecting or storing this information in
areas with stricter laws, as in the European Union, can unnecessarily burden
organizations with red tape.
“Essentially it exposes businesses to requirements
concerning how they’re going to use that data, who has access to it and how
long that data is preserved,” says Barnett.
By optionally never logging user information and backing off
DNS logging except when a request is deemed a security threat, companies
maintain both privacy and security.
2. By allowing devices to echo locally
With DoH, the local network loses visibility of DNS requests. The
cumulative DNS requests made on a network help to enhance its security, as tools
such as SIEMs and firewalls leverage these requests by controlling access as
well as correlating the requests with other logs and occurrences on the
network.
“Let’s say I’m on my network at the office and I make a DNS
request,” explains Barnett. “I may want my DNS request to be seen by
the network as well as fielded by my DNS filtering service. The network gets
value out of DNS. If I see inappropriate DNS requests I can go and address the
user or fix the device.”
Continuing to expose these DNS requests through an echo to
the local network provides this, while the actual requests are secure and
encrypted by the DNS protection agent using DoH. This option achieves the best
of both worlds by adding the security of DoH to the security of the local
network.
3. By allowing agents to fail open
DNS is instrumental to the functionality of the internet. So,
the question is, what do we do when a filtered answer is not available? By
failing over to the local network, it’s assured that the internet continues to
function. However, there are times when filtering and privacy are more
important than connectivity. Being able to choose if DNS requests can leak out
to the local network helps you stay in control by choosing which is a priority.
“Fail open
functionality essentially allows admins to make a tradeoff between the
protection offered by DNS filtering and the productivity hit that inevitably
accompanies a lack of internet access,” says Barnett.
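The three options described above, modelled as an added example that is not Webroot's code: a toy DNS protection agent whose policy decides what gets logged, what is echoed in plaintext to the local network, and what happens when the filtered (DoH) answer is unavailable. The block list, domain names and resolver availability are constructed for the demo.

```python
"""Added example, not Webroot's code: a toy DNS protection agent that models the
three options described in the post (threat-only logging, local echo, fail
open/closed). Block list and queries are constructed for the demo."""
from dataclasses import dataclass

# Constructed block list standing in for real-time threat intelligence.
THREAT_DOMAINS = {"malware-drop.example", "phish-login.example"}


@dataclass
class Policy:
    log_only_threats: bool = True   # option 1: record nothing unless it is a threat
    echo_locally: bool = False      # option 2: copy the query to the local network
    fail_open: bool = True          # option 3: use the local resolver if DoH is down


@dataclass
class Verdict:
    action: str          # "blocked", "allowed", "unfiltered-local" or "refused"
    logged: bool         # written to the filtering service's user log
    on_local_net: bool   # query name visible in plaintext on the local network


def handle_query(domain, policy, doh_available, user_log, local_net):
    """Decide what happens to one DNS query under `policy`.

    `user_log` collects what the filtering service records about the user;
    `local_net` collects query names that appear unencrypted on the LAN."""
    if not doh_available:
        # No filtered answer can be obtained: connectivity or privacy must give.
        if policy.fail_open:
            local_net.append(domain)                 # plaintext leak, internet keeps working
            return Verdict("unfiltered-local", False, True)
        return Verdict("refused", False, False)      # nothing leaks, lookup fails

    is_threat = domain in THREAT_DOMAINS
    action = "blocked" if is_threat else "allowed"

    logged = is_threat or not policy.log_only_threats
    if logged:
        user_log.append((domain, action))

    if policy.echo_locally:
        local_net.append(domain)                     # SIEM/firewall can still see the name
    return Verdict(action, logged, policy.echo_locally)


def compare_policies(domains, doh_available=True):
    """Run the same queries under a privacy-first and a visibility-first policy
    and return how much each one exposes (log entries, names on the LAN)."""
    policies = {"privacy_first": Policy(),
                "visibility_first": Policy(log_only_threats=False, echo_locally=True)}
    summary = {}
    for name, pol in policies.items():
        log, lan = [], []
        for d in domains:
            handle_query(d, pol, doh_available, log, lan)
        summary[name] = {"log_entries": len(log), "lan_exposed": len(lan)}
    return summary
```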
Privacy your way
The encryption of DoH enables options for fine-tuning
privacy preferences while preserving the security benefits of DNS filtering. Those
that must comply with the needs of privacy-centric users now have control over
what is revealed and what is logged, while maintaining the benefits of
communicating using DoH.
by Connor Madsen | Oct 16, 2020 | Industry Intel
Backdoor Found in Children’s Smartwatch
Researchers have discovered that the X4, made by Norwegian
smartwatch seller Xplora,
contains a backdoor that could allow for information to be stolen. The X4 watch
is designed specifically for children with a limited number of capabilities, mostly
for children’s security. The backdoor, however, could allow attackers to take
snapshots, view messages, call records, and access geolocational data from the
wearer. The watches are designed and built in China and it remains unclear who
has access to data created and stored on the devices.
Ransomware Strikes London Borough
The London borough of Hackney
recently fell victim to a ransomware attack, taking several of the council’s
primary services offline. While little is still known about the attack, it’s likely
that encrypted files were also stolen for auctioning to the highest bidder.
Council officials are working with law enforcement to determine the initial
attack vector and the information that may have been targeted.
Carnival Reveals Updates to Recent Cyberattack
Nearly two months after a ransomware attack compromised a third-party
vendor for the Carnival
Corporation, the company announced sensitive passenger information has indeed
been exposed. An undetermined number of customers and employees may be affected
across three Carnival cruise lines. With 150,000 employees worldwide, and
upwards of 13 million customers, this data breach could affect millions of
individuals.
Ransomware Takes Aim at International Law Firm
International law firm Seyfarth
Shaw has confirmed a ransomware attack targeted their systems over the
weekend. While the extent of the attack remains unclear, several systems were
forced offline once encryption began, to stop it spreading further. Firm
officials stated that no client information was stolen or illicitly accessed,
but they are still operating without email or a live website. Some systems were
saved from the attack, but officials have yet to confirm whether customers were
affected by the breach.
Software AG Suffers Major Data Breach
German IoT specialist Software
AG suffered a ransomware attack that was able to exfiltrate significant
amounts of data. Officials have confirmed that, while they have been able to
maintain online services throughout the attack, the malicious downloading of an
unknown amount of sensitive data did take place. The attacking group has not
yet been identified, but other attacks of similar scale have cost companies
anywhere from $20 to $70 million in ransoms for the return of their data.