Over the last month, researchers have been monitoring the
spread of a new ransomware variant, Zeppelin.
This is the latest version of the ransomware-as-a-service that started life as
VegaLocker/Buran and has differentiated itself by focusing on healthcare and IT
organizations in both the U.S. and Europe. This variant is unique in that
extensions are not appended, but rather a file marker called Zeppelin can be
found when viewing encrypted files in a hex editor.
German ISP Faces Major GDPR Fine
The German internet
service provider (ISP) 1&1 was recently fined for failing to protect
the identity of customers who were reaching out to their call centers for
support. While the incident took place in 2018, GDPR is clear about imposing
fines for organizations that haven’t met security standards, even if retroactive
changes were made. 1&1 is attempting to appeal the fines and has begun
implementing a new authentication process for confirming customers’ identities
over the phone.
Turkish Credit Card Dump
Nearly half a million payment cards belonging to Turkish
residents were found in a data dump on a known illicit card selling site.
The cards in question are both credit and debit cards and were issued by a variety
of banking institutions across Turkey. This likely means that a mediating
payment handler was the source of the leak, rather than a specific bank. Even
more worrisome, the card dump contained full details on the cardholders,
including expiration dates, CVVs, and names; everything a hacker would need to
make fraudulent purchases or commit identify theft.
Pensacola Ransomware Attack
The city of Pensacola,
Florida was a recent victim of a ransomware attack that stole, then
encrypted their entire network before demanding $1 million ransom. In an
unusual message, the authors of the Maze ransomware used explicitly stated that
they had no connection to the recent shootings at the Pensacola Naval Base, nor
were they targeting emergency services with their cyberattack.
Birth Certificate Data Leak
An unnamed organization that provides birth
certificate services to U.S. citizens was contacted earlier this week in
regard to a data leak of nearly 750,000 birth certificate applications. Within
the applications was sensitive information for both the child applicant and
their family members, which is highly sought after by scammers because it is
relatively easy to open credit accounts for children with no prior credit
history. Researchers are still waiting to hear back from the organization after
finding this data dump in an unsecured Amazon Web Services bin.
IBM researchers have been tracking the steady rise in ZeroCleare
deployments throughout the last year, culminating in a significant rise in
2019. This malware is deployed on both 32 and 64-bit systems in highly targeted
attacks, with the capability to completely wipe the system by exploiting the
EldoS RawDisk driver (which was also used in prior targeted attacks). The
malware itself appears to be spreading through TeamViewer sessions and, though
the 32-bit variant seems to crash before wiping can begin, the 64-bit variant
has the potential to cause devastating damage to the multi-national
corporations being targeted.
FTC Scam Threatens Victims with Terrorism Charges
FTC officials recently made an announcement regarding scam letters purporting to be from the commission and the numerous complaints the letters have sparked from the public. Victims of the scam are told that, due to some suspicious activity, they will be personally and financially monitored as well as face possible charges for terrorism. These types of scams are fairly common and have been in use for many years, often targeting the elderly with greater success.
Following an April 2017 complaint, the Office of Civil
Rights has issued a fine of $2.175 million after discovering that Sentara
Hospitals had distributed the private health information for 577 patients,
but only reported eight affected. Moreover, it took over a year for the
healthcare provider to take full responsibility for the breach and begin
correcting their security policies for handling sensitive information. HIPAA
violations are extremely time-sensitive and the slow response from Sentara
staff could act as a lesson for other organizations to ensure similar events don’t
reoccur.
Android Vulnerability Allows Hackers Easy Access
Researchers have identified a new Android
exploit that allows hackers access to banking applications by quickly
stealing login credentials after showing the victim a legitimate app icon,
requesting additional permissions, and then sending the user to their expected
app. Even more worrisome, this vulnerability exists within all current versions
of AndroidOS and, while not found on the Google Play Store, some illicit
downloaders were distributing it.
Smith & Wesson Hit by Magecart
In the days leading up to Black Friday, one of the largest
retail shopping days of the year, malicious skimming code was placed onto the
computer systems and, subsequently, the website of Smith
& Wesson. In a slight break from the normal Magecart tactics, they
attackers were masquerading as a security vendor to make their campaign less
visible. The card-skimming code was initially placed onto the website on November
27 and was still active through December 2.
Bullying is no longer confined to school playgrounds and neighborhood
alleys. It has long moved into the online world, thanks to the easy access to
technology. Between Twitter, SnapChat, TikTok, Instagram, WhatsApp, or even
standard SMS texts, emails and instant messages, cyberbullies have an
overwhelming number of technical avenues to exploit.
While cyberbullying can happen to anyone, studies
have shown that teens are usually more susceptible to it. The percentage of
individuals – middle and high school students from across the U.S. — who have
experienced cyberbullying at some point, has more than doubled (19% to 37%)
from 2007 to 2019, according to data
from the Cyberbullying Research Center.
Before you teach your kids how to respond to cyberbullying, it
is important to know what it entails.
Cyberbullying is bullying that takes place over digital devices like cell phones, tablets, or computers. Even smaller devices like smartwatches and iPods can facilitate cyberbullying. Today, social media platforms act like a breeding ground for cyberbullying.
Cyberbullying usually begins with teasing that turns to
harassment. From there it can evolve in many ways, such as
impersonation and catfishing, doxxing, or even blackmail through the use of
compromising photos.
Catfishing is the process of creating a fake identity online and using it to lure people into a relationship. Teens often engage in impersonation online to humiliate their targets and it is a form of cyberbullying.
Doxxing is used
as a method of attack that includes searching, collecting and publishing
personal or identifying information about someone on the internet.
Identifying the Warning Signs
When it comes to cyberbullying, just like traditional bullying, there are warning signs for parents to watch for in their child. Although the warning signs may vary, Nemours Children’s Health System has identified the most common ones as:
being upset or emotional during or after
internet or phone time
being overly protective of their digital life
and mobile devices
withdrawal from family members, friends, and
activities
missing or avoiding school
a dip in school performance
changes in mood, behavior, sleep, or appetite
suddenly avoiding the computer or cellphone
being nervous or jumpy when getting an instant
message, text, or email
avoiding conversations about their cell phone
activities
While having a child who is being cyberbullied is every
parent’s nightmare, it’s equally important to understand if your child is
cyberbullying others.
Do you believe your child is a cyberbully? That difficult
and delicate situation needs its own blog post—but don’t worry, we have you covered.
Preparing your kids for a world where cyberbullying is a
reality isn’t easy, but it is necessary. By creating a safe space for your
child to talk to you about cyberbullying, you’re setting the foundation to
squash this problem quickly if it arises.
Webroot has evolved its secure login offering from a secondary security code to a full two-factor authentication (2FA) solution for both business and home users.
Webroot’s 2FA has expanded in two areas. We have:
Implemented a time-based, one-time password (TOTP) solution that generates a passcode which is active for only a short period of time.
Given our users the option to either opt-in or opt-out, especially those that leverage Webroot for home and personal use.
Starting in December, with the new updates, users will find it easier to use industry-vetted options, including Google Authenticator, Microsoft Authenticator, LastPass Authenticator, and Authy 2-Factor Authentication.
Why Two-Factor Authentication?
First and foremost, we encourage all users to opt-in to maintain a higher level of security. Two-factor authentication adds an extra layer of security to your basic login procedure. When logging into an account, the password is a single factor of authentication, and requiring a second factor to prove you are who you say you are adds a layer of security. Each layer of security you add exponentially increases protection from unauthorized access and makes it harder for brute force and credential stuffing attacks to occur.
A Note to Businesses
Users will have the option to opt-in or opt-out of the new Webroot 2FA feature. The Admins tab within our console will show you which of your users have or have not enabled 2FA.
To learn how to enable two-factor authentication, visit the Webroot Community.
Shade Ransomware Takes Crown as Most Distributed Variant
Over the course of 2019, one ransomware variant, known as Shade, has taken over 50 percent of market share for
ransomware delivered via email. Otherwise known as Troldesh, this variant receives
regular updates to further improve it’s encrypting and methods of generating
additional revenue from both cryptomining and improving traffic to sites that
run ads. In just the first half of 2019, attacks using Troldesh dramatically
rose from 1,100 to well over 6,000 by the second calendar quarter.
PayMyTab Leaves Customer Data Exposed
For more than a year sensitive customer data belonging to
users of the mobile payment app PayMyTab
has been publicly exposed in an online database using no security protocols.
Even after being contacted multiple times regarding the data breach, the
company has yet to fully secure customer data and may have to take drastic
measures to fully secure their data storage after allowing virtually unlimited
access to anyone with an interest in personal data.
Credentials Dump for Major Service Sites
Login credentials for two highly-trafficked websites were
discovered in a data
dump earlier this week. One dump belonged to GateHub, a cryptocurrency
wallet with potentially up to 1.4 million user credentials stolen, including
not only usernames and passwords, but also wallet hashes and keys used for
two-factor authentication. The second dump contained information on 800,000
users of EpicBot, a RuneScape bot used to automate tasks in the skill-centric
MMORPG. While both dumps appeared on dark web marketplaces on the same day, it
also seems coincidental that both sites use bcrypt hashing for passwords, which
should make them exceedingly difficult to crack assuming it was set up
properly.
Louisiana Government Systems Hit with Ransomware
Multiple Louisiana state service sites were taken offline
early Monday morning following a ransomware
attack that affected mostly transportation services. All 79 of the state’s
DMV locations were forced to close until systems were returned to normal, as
they were unable to access DOT services to assist clients. While it is still
unclear what variant of ransomware was used, the state of Louisiana did have a
cybersecurity team in place to stop any further spread of the infection.
Magecart Targets Macy’s Online
Nearly a week after the initial breach, Macy’s
officials noticed some unauthorized access between their main website and an
undisclosed third-party site. The breach itself appears to have compromised
payment card data for any customers who input their credentials during the
first couple weeks of October. Macy’s has since removed the illicitly added
code from their sites as well as contacted both payment card providers and
affected customers regarding the breach.
With major advancements in communication technology, many of us are fortunate to be able to work from home. Working from home can be a huge productivity boost—saving you gas and time by not commuting, plus you get to work more on your own terms. If you’re able to work from home here are five tips to make sure you stay productive and feeling good in your home office.
Not so comfortable that you fall asleep, but we all know how miserable an uncomfortable office chair can be. By working at home, you have the opportunity to completely build your own environment. That means finding the right furniture for you.
If you’re looking for a high-quality office chair, an underrated place to look is gaming chairs, which were built for long hours of sitting. However, a high-quality chair from your local furniture store would likely also do the trick.
Or, maybe instead of sitting all day, you prefer to stand. Luckily, there is an abundance of standing desks available for your choosing, many of which are easily adjustable so you can alternate between sitting and standing.
In addition to ergonomics, you also want to think about how to decorate your home office. For example, having plants in your office can actually help reduce stress and improve productivity. If you can, try to choose a room that has lots of natural lighting, which can help you stay healthy, concentrated, and even sleep better at night.
However you want to set up your home office, it’s important that you do what’s most comfortable for you.
Limit Distractions…But Not Too Much
If you’re going to be working from home, you may have to deal with more distractions than you would in the office, especially if you have pets or family moving around the house. Because of this, it’s important you try to limit distractions, not letting your eyes wander to the television or Facebook. After all, you may be the only one keeping yourself accountable.
If you have people in the home who could be distracting, make sure you choose an office space that has a door, possibly in a more remote part of the home, rather than working in common spaces. It’s a good idea to also ask your friends and family members to respect your work hours.
At the same time, you will need breaks from time to time, so don’t be afraid to keep distractions at hand, but out of sight. If you know that you struggle with concentration without someone looking over your shoulder, there are a number of apps you could try that help promote focus and productivity.
Secure Your Devices
Now that you are in charge of your own office, you may also be in charge of making sure that it is secure. Namely, you want to make sure you have proper cybersecurity measures in place. This will help you keep peace of mind while you’re working, but also ensure you’re not derailed by cybercriminals or unexpected computer failures.
First and foremost, you want to make sure your devices and data are protected with a consumer antivirus (AV) or endpoint protection. If your company consists only of you or you are working remotely from your personal computer, a consumer AV may be right for you. However, if your company has a few employees and you need to manage multiple endpoints, a business endpoint solution is a better option.
Regardless of which solution is right for you, it’s important to remember that all security products are not created equal. The top antivirus and endpoint protection products are cloud-based, have a small digital footprint—meaning they won’t slow down your computer—are actively protecting against known and never-before-seen threats, and are able to reverse any damage that occurs if your device is compromised.
Another measure you should consider is backing up your data. While this can be done using a physical external hard drive, they can also be compromised when plugged in. The best option is using a cloud-based backup and recovery service.
We all know how cluttered a desk can get. Depending on your job, you may have papers strewn about, multiple desktops, or a pile of sticky notes in shorthand you can no longer quite decipher. But a cluttered environment can lead to a cluttered mind.
In fact, Lynne Gilberg, a professional organizer in Los Angeles, CA told WebMD, “Clutter is bad for your physical and mental health…A lot of people express that they are overwhelmed. They become nonfunctional and nonproductive.” It’s important to keep your area organized and tidy to be more productive and creative in the long run.
Plus, remember that this is still your home, and you may not want your family or guests to consider your office an eyesore. If you’re ever overwhelmed by chaos in your home office, here are some tips for helping clean up your work area.
Separate Personal and Professional
When working from home, it’s easy to blur the lines between your personal and professional lives. However, it is important that you resist this tendency to blend the two. Thinking too much about work at the dinner table can disconnect you from family and friends. And managing day-to-day family tasks while on the clock can hurt productivity.
You may want to establish strict working hours to help keep your two home lives separate. Let’s say from 8-5 you concentrate on work and then, after five p.m., you concentrate on your family, friends, and anything else that may need to get done around the home.
Looking to build a more complete, detailed schedule? The New York Timeshighlighted some tips for building a work-from-home schedule that will help you stay on task and stay productive.
Some Final Tips for Your Home Office
Consider getting exercise equipment for short breaks. Things like resistance bands, small weights, or even a treadmill can help keep your blood flowing on a long work day.
Stock up on supplies. You’ll still need pens, paper, and other work supplies in your home office. Make sure you are always stocked.
Dress for work. Just because you have the option to work in your underwear, doesn’t mean you should.
A database containing login credentials for numerous internal systems belonging to Orvis, one of America’s oldest retailers, was found to be publicly available for an unknown amount of time. Why the database was publicly accessible at all is still unclear, but the retailer has determined that many credentials were for decommissioned devices. They managed to resolve the security dilemma for the remaining devices relatively quickly.
Mexican Oil Company Hit by Ransomware Attack
A few days ago, Pemex
Oil was targeted by a ransomware attack that, according to reports,
affected 5% of their computer systems. The demanded ransom, as displayed by the
note left by the DoppelPaymer ransomware variant, was 565 bitcoins, or roughly
$4.9 million. Fortunately, Pemex had a decent security strategy in place and
was able to get their operations running normally by the following day.
Facebook Bug Turns on iPhone Cameras
The latest bug from Facebook
is one that turns on the user’s iPhone camera when they open the Facebook app.
It appears the bug only works on phones running iOS version 13.2.2, and for
users who accepted permissions to allow the app to access the camera.
Unfortunately for Facebook, many of its users are already wary of the company’s
privacy policies, and so-called “bugs” like this one only serve to increase the
level of distrust within its customer base.
PureLocker Ported to All Major Operating Systems
A new ransomware
variant, PureLocker, has been successfully ported from Windows® operating
systems to both MacOS® and Linux® systems with the typical capacity to fully
encrypt all discovered files. Researchers have found that it encrypts files on
compromised systems using .CR1 as the file extension, a tag which also appears
in the text-based ransom note. This may be tied to a particular affiliate, as
PureLocker is being distributed as Ransomware-as-a-Service.
Cyberattack on UK Labour Party
Officials for the UK
Labour Party have issued a statement regarding a cyberattack on their
computer systems, though it appears that the security they had in place was
enough to repel the attack. While they are still unsure as to the origin of the
attack, they were able to determine that it was a DDoS attack (Distributed
Denial of Service), which floods the targeted systems with an overwhelming
amount of cyber-traffic.
Why do so many businesses allow unfettered access to their networks? You’d be shocked by how often it happens. The truth is: your employees don’t need unrestricted access to all parts of our business. This is why the Principle of Least Privilege (POLP) is one of the most important, if overlooked, aspects of a data security plan.
Appropriate privilege
When we say “least privilege”, what we actually mean is “appropriate privilege”, or need-to-know. Basically, this kind of approach assigns zero access by default, and then allows entry as needed. (This is pretty much the opposite of what many of us are taught about network access.) But by embracing this principle, you ensure that network access remains strictly controlled, even as people join the company, move into new roles, leave, etc. Obviously, you want employees to be able to do their jobs; but, by limiting initial access, you can minimize the risk of an internal breach.
If you haven’t already, now is the perfect time to take a look at your network access policies. After all, it’s about protecting your business and customers—not to mention your reputation.
Navigating the difficult conversations around access control
It’s no surprise that employees enjoy taking liberties at the workplace. In fact, Microsoft reports that 67% of users utilize their own devices at work. Consequently, they may push back on POLP policies because it means giving up some freedom, like installing personal software on work computers, using their BYOD in an unauthorized fashion, or having unlimited usage of non-essential applications.
Ultimately, you need to prepare for hard conversations. For example, you’ll have to explain that the goal of Principle of Least Privilege is to provide a more secure workplace for everyone. It’s not a reflection on who your employees are or even their seniority; it’s about security. So, it’s essential for you, the MSP or IT leader, to initiate the dialogue around access control––often and early. And, at the end of the day, it’s your responsibility to implement POLP policies that protect your network.
Firewalls and antivirus aren’t enough
There’s a common misconception in cybersecurity that the firewall and/or antivirus is all you need to stop all network threats. But they don’t protect against internal threats, such as phishing or data theft. This is where access policies are necessary to fill in the gaps.
Here’s a prime example: let’s say you have an employee whose job is data entry and they only need access to a few specific databases. If malware infects that employee’s computer or they click a phishing link, the attack is limited to those database entries. However, if that employee has root access privileges, the infection can quickly spread across all your systems.
Cyberattacks like phishing, ransomware, and botnets are all designed to circumvent firewalls. By following an appropriate privilege model, you can limit the number of people who can bypass your firewall and exploit security gaps in your network.
Tips to achieve least privilege
When it comes to implementing POLP in your business, here are some tips for getting started:
Conduct a privilege audit. Check all existing accounts, processes, and programs to ensure that they have only enough permissions to do the job.
Remove open access and start all accounts with low access. Only add specific higher-level access as needed.
Create separate admin accounts that limit access.
Superuser accounts should be used for administration or specialized IT employees who need unlimited system access.
Standard user accounts, sometimes called least privilege user accounts (LUA) or non-privileged accounts, should have a limited set of privileges and should be assigned to everyone else.
Implement expiring privileges and one-time-use credentials.
Create a guest network leveraging a VPN for employees and guests.
Develop and enforce access policies for BYOD or provide your own network-protected devices whenever possible.
Regularly review updated employee access controls, permissions, and privileges.
Upgrade your firewalls and ensure they are configured correctly.
Officials for Nikkei
are working to identify the perpetrators of a recent business email compromise
(BEC) scam that took roughly $29 million from the company’s American
subsidiary. The illicit transfer took place sometime during the end of
September and, though they did make a public statement last week, the only
clues they have are the Hong Kong bank account that the funds were sent to.
While this is not the largest scam of this type to occur this year, it does serve
to underscore the prevalence and continued success of these attacks.
Canadian Province Shuts Down After Ransomware Attack
Government networks for the Nunavut
territory of Canada have been taken offline following a ransomware attack that
appears to have been executed by an unwitting employee. Fortunately, even
thought their security systems failed to block the infection, the affected
offices keep regular backups to safeguard against this type of issue. However,
even with these failsafe measures, it may still take about a week to get all of
the official systems back to full operation.
Facebook API Allows Unauthorized Access to User Accounts
Several developer apps have been found retaining user info
and photos from Groups for much longer than previously anticipated by Facebook.
This is, by no means, the first time in recent years that Facebook has fallen
under scrutiny; it comes nearly a year after the Cambridge Analytica findings, not
to mention the more recent news about the company removing thousands of apps
that had been misusing customer data. While the social media giant has made a
number of changes to stop these types of data leaks, they clearly still have a
lot more work to do to ensure their clients’ data is safe.
Indian Education Firm Data Leak
A database belonging to an Indian
tech firm may have exposed sensitive information for over 600,000 customers.
Even more alarming than the high number of victims is that this leak seems to
have begun back in July of this year, begging the question as to why it took so
long for the firm to make an official announcement. Due to the sheer volume of
exposed data, the company has already started contacting affected customers in
hopes of preventing any further misuse of their information.
MegaCortex Ransomware Demos New Tactics
The latest variant of MegaCortex
has brought with it a plethora of new features and functionality. While it does
still perform RSA encryption on nearly every file on the machine, it now also
has the ability to change the main system password, making it very difficult
for the victim to access their own system at all. In addition to the typical
ransom note that demands quick crypto-based payment, this variant also
threatens victims in lurid detail as to how their encrypted files will be
published to the masses.
An official announcement made earlier this week acknowledged
illicit access to customer data used in online accounts for Bed,
Bath, & Beyond. While the breach didn’t affect payment card
information, the retailer quickly began contacting affected customers and took
steps to safeguard against future incidents.
Johannesburg Shutdown After Cyber Attack
Three months after a cyber attack hit Johannesburg,
South Africa, the city is once again dealing with network outages. After a
ransom note was posted to several social media outlets, city officials are
still attempting to downplay the attacks by claiming they purposefully took
down the sites rather than them being ransomed by hackers. In addition to the ransom
note, hackers also posted screenshots proving their control over the city’s
network systems and their expectation of payment.
UniCredit Financial Data Leak
Officials working for UniCredit,
an Italian banking firm, announced that unauthorized access to their systems
has left the sensitive information of nearly 3 million Italian exposed. Fortunately,
the stolen information did not include any financial data, but did contain personally
identifiable information such as names and contact details. It is unclear how hackers
gained access to the data, though it appears the data may have even been taken
years earlier in prior security breaches faced by the firm.
Ransomware Shuts Down New Mexico School District
Las
Cruces Public Schools, a New Mexico school district, was forced to take
their entire system offline following a ransomware attack. While email and
other important services are still offline, students have still been attending
classes as normal, though the process of fully remediating the incident has just
begun. It is still unclear how the attack was initiated, but it’s the latest in
a long line of educational institutions that have fallen victim to ransomware
this year.
Malware Attack on Indian Power Plant
It has been confirmed that both an Indian
nuclear power plant and another piece of infrastructure have fallen victim
to a malware attack apparently tied to North Korean actors. Fortunately, the
attacks did not allow unauthorized control of the systems, though this attack
may have been only a test to determine security and response times in
preparation for a larger, future attack.
