Another week, another threat recap. And this week wasn’t without its fair share of cyber incidents. Voter registration misstep? Check. New ransomware? Check. KrebsOnSecurity attack? Check! Here are five of the major security stories happening this week.
Company Security Falls to Outdated Network Devices
With the steady rise in security breaches, one of the biggest contributors is the one companies most often overlook: actual networking hardware. In a recent study done by Cisco, nearly 75% of companies are using outdated, and often completely end-of-lifed products for their networking needs. Even though many of the companies are aware of the vulnerabilities that come with using older hardware, it simply isn’t a concern unless something is actively wrong.
Louisiana Voter Database Made Public
Recently, researchers discovered a database hosted on the darknet that contains the voter registration information for nearly all residents of Louisiana. The database has since been secured by the researcher but, according to Louisiana law, voter information is made widely available to anyone interested in purchasing it for pennies on the dollar. Alongside the voter information, the researcher also discovered an additional database containing the personal records for nearly 7 million individuals from Louisiana.
New Ransomware Claiming Royal Ransom
In the past week, researchers have discovered a new ransomware variant operating under the name, Princess Locker. While it’s not a huge leap in innovation, Princess Locker offers a language selection screen followed by a page listing detailed payment options and a free single file decryption. Unfortunately for victims of this variant, payment starts at 3 bitcoins or roughly $1,800 USD and doubles after three days.
KrebsOnSecurity Taken Offline by Largest DDoS Attack To Date
In what is being quantified as the largest DDoS attack in history, service provider Akamai was forced to take KrebsOnSecurity offline, as the direct traffic to the site hit nearly 600 Gbps and lasted for three days. A possible sign of things to come, the attack seems to have been distributed by a botnet based around compromised IoT devices, which lead to the sheer volume of traffic that was seen.
Biometrics Moving Forward As Use Increases
Following a national consumer survey, as many as 20% of British smartphone users have adopted fingerprint authentication for their devices. With new security breaches occurring at such a rapid rate, biometrics have seen a rise in use as consumers worry over the security of their saved passwords for any number of online services. Many of these users only use the authentication for unlocking their devices, but the capability is there for making online purchases and accessing sites with sensitive information.
It’s that time of week again. Our Threat Recap is bringing you the top news in cybersecurity from new OS releases to remote access of popular cars. Here are five of the major security stories happening this week.
New Ransomware Targets Disk Drives
With the current state of ransomware threatening computer systems around the world, the jump from encrypting specific file types to encyrpting the entire hard drive was inevitable. In the case of Mamba, the latest variant, it begins with replacing the Master Boot Record (MBR) and moves onto encrypting the hard drive itself. Once encryption is complete, the computer will then require a password to unlock, which just so happens to be the decryption key sitting behind the ransom’s paywall.
Remote Access: A Very Real Danger for Tesla
In a recent test, Chinese researchers were able to access several critical and non-critical components of a Tesla Model S. While it may seem benign to have your seat position changed or sunroof opened remotely, these tests have also proven the capability to control brake functionality. They’ve also shown that doors and trunks can be controlled from up to 12 miles away. Tesla has responded with updates to resolve this access, which only seems to occur when the in-dash web browser is in use.
Apple Releases New Mac OS Sierra
Apple announced the release of its latest iteration of the Mac OS, Sierra 10.12. With this update, Apple has been able to remove nearly 70 different security vulnerabilities that had been prevalent in its previous two operating systems. In addition to the OS release, Apple also pushed out Safari 10, the latest update for their web browser, which should also resolve over 20 security issues from previous versions.
Facebook Zero-Day Gives Full Access to Pages
With the continuing rise of businesses using social media to advertise their products and communicate with their customers, exploits are always being researched. Recently, a researcher was able to gain access to any Facebook page by using a bug in the way Facebook deals with its business accounts. By spoofing the Business Manager functionality, the researcher was able to view and edit all associated pages with a given business, without requiring login credentials.
MoDaCo Breach Leaks Data on 880,000 Users
In the past week, MoDaCo, a UK-based smartphone forum, announced they had fallen victim to a security breach. Users of the service have been receiving notifications to change their passwords, although officials are stating that user credentials were all hashed. Researchers have been able to identify around 70 percent of the leaked credentials were already released in previous data breaches, courtesy of Have I Been Pwnd?, a web service that will notify users if their email address has been identified in a data breach.
While ransomware has become a buzzword for some, cyber criminals have made it a lucrative business and one which they are constantly evolving. Each day, the Webroot BrightCloud® Threat Intelligence Platform monitors, classifies and scores 95% of the internet to discover 6,000 phishing sites and 80,000 variants of malware and PUAs.
According to Webroot’s latest research, more than 97% of threats are unique to a single endpoint making traditional signature-based antivirus underprepared and ineffective in protecting businesses against today’s threat landscape. In this podcast, Tyler Moffitt, Senior Threat Research Analyst for Webroot, joins Ryan Morris, contributing editor for Penton Technology, to explain the newest and most challenging forms of ransomware, such as malvertising. In addition, they dive into the latest threat trends and arm MSPs with tested and actionable suggestions to help protect themselves and their customers from becoming another statistic.
Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 1
Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 2
There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.
Patch Tuesday Changing Update Format
In one of the largest changes that Microsoft has implemented, Patch Tuesday is being replaced with monthly batch updates. With the new method of releasing updates, Microsoft is removing the capability of users to choose which updates they install by just forcing the entire update, along with any updates from the previous month that may have been missed. For Windows 10 users, they will begin seeing this new update method first, with other OS support likely to follow.
Phishing Attack Strikes Augusta University
Early this week, employees and students of Augusta University were recommended to change their login credentials, as several of the faculty members fell victim to an email phishing scam. While state authorities are investigating the breach, the University is working to protect the staff members whose information was accessed through the payroll system.
ClixSense Breach Leaves Millions of Users Vulnerable
Recently, ClixSense (the popular paid-to-click site) was compromised along with a page redirecting anyone attempting to access the site to a gay porn site. The company has since forced a password reset for all of its registered users, which number nearly 7 million. After further review, it appears the attackers were able to use an older, unused server to access the main database which held user’s passwords in plaintext, rather than being properly encrypted.
DualToy USB Trojan Enhanced to Target iOS Users
When DualToy was first discovered in the early months of 2015, it was largely focused on Android devices located in China. DualToy is used to load malicious apps when an unsuspecting device is connected to an infected computer via USB. While users across the US and Europe are now seeing a wider spread of infected devices, even iOS users are affected as iTunes is being used to allow the trojan to steal user information.
Apple Switches to HTTPS for iOS Security Updates
In a big move by Apple, the company has finally made all iOS updates available over HTTPS, to ensure users are securely receiving them. This update comes along with the release of iOS 10, in addition to six other vulnerabilities that were patched. While some users experienced issues with the iOS 10 update putting their devices into a recovery mode, Apple was quick to resolve the issue and apologized for any inconveniences.
After sitting down with Hal Lonas to get a deeper look at the inner workings of Webroot, there was no questioning why he’s uniquely qualified to serve as the company’s CTO. And with machine learning getting thrown around as the hot new buzzword, it was refreshing to hear Hal’s down-to-earth perspective on motivations, ideas, solutions and what drives Webroot to continue innovating in the world of threat intelligence.
……………………………………………………………………………………
Tell me about your background. What led you to create BrightCloud?
I have been developing software products for years and got into the security software space as Director of Development with Websense in 2000. At the time, websites were being classified manually, even though the number of sites and security breaches were already increasing exponentially. It just seemed like the wrong way to solve the problem.
A few of us saw the trends of cloud computing, machine learning advances, and threat escalation as an opportunity to do things differently. So we dropped out of Websense and started BrightCloud, which was founded and architected on the belief that automated classification using machine learning and the scalability of the cloud was the only way to go.
BrightCloud technology does a great job in combatting today’s threats; dynamic ones that appear, damage, and disappear. Was it built with polymorphism in mind?
We actually didn’t build BrightCloud tech with polymorphic or transitory malware in mind. We built it to bring incredible speed, scale, and flexibility to finding threats. So when polymorphism came to the forefront several years ago and started overwhelming traditional signature-based solutions, we were at the right place at the right time. There are many other security problems that BrightCloud technology solves based on the architecture and platform we’ve built, for example finding phishing and fraudulent sites in real time.
You also have to credit Webroot’s vision in combining cloud-based endpoint security with Webroot threat intelligence. Webroot endpoint technology was designed from the ground up to be cloud-based and globally scalable, to minimize the time from threat detection to global protection. Additionally, Webroot had the guts to transform the product and the company from a traditional antivirus offering to a platform-based service approach. That’s a key aspect to the entire ecosystem we protect.
How is your approach to threat intelligence different from most?
Well for one thing, we don’t generate white lists, black lists, or static feeds of data. You could use our data in that way, but the threat landscape is way too big and dynamic for that, and we offer so much more. As soon as you publish a list, it’s out of date. Security professionals need a service where they can ask questions and get security advice at the moment of truth, which is just before you click on a website, before your firewall accepts a connection from an unknown IP, or before you run that downloaded file or mobile app. That’s what we do with the BrightCloud system at Webroot. And that’s what gives our products and partners protection no one else can provide.
The way our technology works, everything on the internet has a reputation score somewhere between totally trustworthy—so a score of 100—down to clear and present danger scores of single digits. That allows our customers to set a risk threshold for activity they want to allow or block, and decide when to warn users. That’s a very different approach than others in the field are taking. When we say ‘actionable threat intelligence’, that’s what we mean; we inform critical decisions at the moment of truth billions of times every day.
What approaches do you think cybercriminals will be using in the future?
Ransomware has been very successful, so I think we’re going to see more of that. The bad guys are going to find areas where we are lazy in protecting ourselves and they’re going to exploit those weaknesses. We might find things like demands of payments simply not to attack us, almost like extortion for so-called protection.
Besides security, we might also find other business areas where we’ll be forced to improve, like getting rid of passwords for authentication, and making data backups easier and testing them to see if they work.
Also, as legacy operating systems from Microsoft, Apple, and Google get more secure, attacking them will become less easy and profitable. That means the bad guys are going to look at other areas to attack, like newer home and business devices connected to the internet. We describe this as the new and expanding attack surface area.
As more new products and devices get added to networks, it seems as if those products are being rushed to market and that security is an afterthought. In a lot of cases, many times not in the product at all when it’s released.
We observed in our quarterly threat brief that malware attacks have actually gone down in the past few months. Does that mean that the overall threat level is decreasing?
There may be a number of contributing factors here. Based on what we’ve observed, our impression is that even if there are fewer attacks, they’re more impactful. For example, a single organization hit by ransomware may struggle for days or weeks trying to recover or decide whether they should pay. Additionally, cybercriminals are taking time to regroup as security solutions get smarter and as more threats are stopped earlier by machine learning and automation. As the bad guys figure out their next move, we’ll see threats take off again, most likely in new areas.
Can machine learning help combat the threats that are keeping you up at night?
Absolutely. Not only can it help, but we believe it’s the only way to solve the growing threat problem, which is why our next quarterly threat brief will focus specifically on machine learning. Of course you have to be smart about it, and threat researchers and analysts are still key parts of the puzzle, but we’ve figured out how to leverage and amplify their knowledge and productivity a thousand-fold. As threats become more transitory and harder to find, humans are going to be even more overwhelmed and won’t be able to keep up without automation.
There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.
No Site is Immune to User Information Exposure
In yet another example of poor cybersecurity, Brazzers has issued a statement regarding the unauthorized access to nearly 800,000 sets of usernames, passwords, and email addresses. The data itself lacked any encryption and was viewable in plaintext. Users of the Brazzers forums are being suggested to change their passwords for the site, as well as any sites they may have reused the password on.
Dridex Adds Crypto-Currency Wallets to Attack Vector List
While Dridex, a prolific banking trojan, has been laying low for the past several months, its authors have made significant changes. The first noticeable change is the addition of several crypto-currency wallet managers to its list of keyword searches done when infecting a new computer. By capturing and analyzing data from the infected computer, the command-and-control servers are able to make decisions on how to proceed based on the criteria that is met.
Russian Instant Messaging Service Breached
It was recently announced that over 33 million user accounts from QIP.ru, a Russian instant messaging service, had been illegally accessed and posted publicly. Unfortunately for users of the service, all of their information was unencrypted, leaving it accessible to anyone. After further analysis of the stolen data, it has again been proven that users pick amazingly simple passwords that are also used by thousands of other individuals.
Google to Begin Marking HTTP Sites As Unsafe
In a push to get all website owners to use HTTPS, Google has announced that starting in January of 2017, Google Chrome will begin flagging sites that transmit passwords or credit card information over HTTP. With this effort, Google hopes to make Internet transactions safer. Already they have had a significantly positive response with many of their top 100 sites switching to HTTPS as default.
Cybersecurity Lacking for High-Demand Devices
As we expand further into internet-connected, wearable devices, one commonality has become glaringly obvious–cybersecurity has been a low priority for many companies. As they rush to push these devices to market, there is a lack of significant testing done to ensure customers’ private information is safe. Even more worrying is this security void when it comes to connected systems in homes, as physical security for clients can be breached wirelessly if the connected system is simply shut off.
There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.
European Company Loses Millions in Targeted Phishing Scam
In the last couple weeks, Leoni AG, one of the largest electrical wiring companies in Europe fell victim to a Business Email Compromise (BEC) scam involving the CFO transferring a significant sum of money to a non-verified bank account. This location was likely the main target due to it being the only one of four factories that has the authorization to transfer money, and did so by spoofing an email to the companies CFO with very specific details about their internal transfer protocol, and “sent” from one of the company’s higher ranking executives.
Hotel & Restaurant Chain Warns of Jeopardized Payment Terminals
Recently, Kimpton Hotels has issued a statement that verifies the presence of malware on payment processing devices in over 60 of their locations across the country. It is believed that credit cards used at these locations in the first half of 2016 may be compromised and should be monitored for illicit transactions taking place. While the incident is still under investigation as yet another victim in a long line of large-profile targets, Kimpton officials are still unclear on the source of the breach.
Blizzard and EA Face DDoS Attacks during Releases
With the launch of the latest World of Warcraft expansion, Legion, occurring in the same week as the online-beta release of Battlefield 1, it comes as no surprise that both companies were in a prime position for a cyberattack. Unfortunately, that’s just what happened, as both companies were hit with DDoS attacks that brought several servers down for a period, and affected latency for many gamers trying to access the games upon availability.
NHS Hospitals Hit with Ransomware, Not Paying Up
In a recent study done of nearly 60 NHS institutions in the UK, over half had been the victims of at least one ransomware attack in the last year, though none had resulted in the ransom being paid. Of the hospitals that were affected, the vast majority were able to recover their encrypted data by restoring from backups that are created and stored internally. While ransomware is continuing its spread across the globe in search of easy targets, the best defense is still to have full backups of sensitive information and be prepared for what has become an inevitability for many organizations.
Hacker Exposes Poor IT Security of Kuwait Auto Import Company
While many hackers are on the lookout for a quick payday, or simply to prove they have the capabilities, one hacker has made his mission to teach poor IT admins a lesson. By breaching the Kuwait Automotive Import Company’s main site and obtaining sensitive details on over 10,000 customers, the hacker has definitely sent a message on the importance of strong cybersecurity. After the breach took place, the entire data dump was posted to pastebin, where it remains readily available to the general public.
Windows 10 has been notorious about automatically installing updates on users’ machines and now there is a ransomware that aims to capitalize on it. The new ransomware, Fantom, is based on the EDA2 open-source ransomware project on GitHub called hidden tear that’s recently been abandoned.
Fantom behind the scenes
In an attempt to conceal malicious intention, the authors of this ransomware modified the file properties to show copyright and legal trademarks mimicking a Windows update.
Once this dropper is executed, the payload “WindowsUpdate.exe” is dropped in AppData\Local\Temp displaying the fake Windows Update screen as shown below. This screen locks you out of doing anything else on your computer, keeping in line with the scam that Windows 10 doing its normal interrupt of updates.
The percentage counter does work and will go up at about a percent per minute. However, it’s fake and doesn’t represent anything other than to communicate to you that this “Windows update” will take a while and that you shouldn’t be alarmed of CPU usage and hard drive activity. You can close this fake update overlay by ending the process “WindowsUpdate.exe” using task manager, but the encryption of your files is unaffected.
DECRYPT_YOUR_FILES.HTML ransom note
Encryption is done using AES-128 encryption and when a file is encrypted it will append “.fantom” to the extension of the file. Also in every directory that a file is encrypted, a standard ransom note “DECRYPT_YOUR_FILES.HTML” is created.
The ransom note doesn’t have an onion link as your payment portal for your files – a standard for most encrypting ransomware. Instead, you’re asked to email the cyber criminals and await response. This tactic is meant to target less savvy computer users who would be intimidated by creating a bitcoin wallet address and using a tor browser to connect to the darknet for ransom payment. To increase odds of gaining trust, two “freebie” files for decryption are allowed.
However, it’s clear that these cyber criminals have a very loose grip on the English language so we don’t anticipate much traction with their scams through email. We also reached out as a test and have yet to hear back in over 24 hours.
Employ a backup solution
Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.
This week’s Threat Recap covers everything from, ‘Fantom’, the new ransomware that disguises itself as a Windows update, to hackers using Facebook photos to trick facial-recognition logins.
Decryption Keys Released for Wildfire Ransomware
Recently, researchers have announced the public availability of decryption keys for users affected by the Wildfire ransomware variant. This particular variant did focused on mainly Dutch email domains and infected over 5,300 systems in the last month alone. Infected users were demanded a ransom of 1.5 bitcoins after opening a fake delivery form via email attachment.
Android Botnet Receiving Commands from Twitter
A new Android app called Android/Twitoor has been used as a backdoor to spread malware onto smartphones. By having the malware check several Twitter accounts periodically, the app is able to receive updates without the malware authors having a need to maintain their own command and control servers. Windows-based Twitter botnets have been in use for several years now, but Android-based version is a much newer practice, as many users rely more and more on mobile devices for everyday banking, communication, etc.
Fantom – New Ransomware Disguised as Windows Update
A new ransomware variant has been discovered in the wild called Fantom. The ransomware disguises itself as an important windows update while it begins encrypting the victim’s files. Once executed, the malware runs a file called WindowsUpdate.exe and displays a locked splash screen showing the update currently in progress. Once encryption is complete, the user is left with an ominous wallpaper and their files showing the added ‘.fantom’ extension.
iOS Vulnerabilities Used to Target Foreign Activist
It has been discovered that three previously unknown vulnerabilities in Apple’s iOS were used to spy on human rights activist, Ahmed Mansoor. It is believed Ahmed received an SMS message that contained a malicious link that was used to infect the smartphone with data-stealing software. Apple has since patched the vulnerabilities that were exploited, though it is still unknown how the attackers gained access to the vulnerabilities, as they would be highly valuable.
Hackers Use Facebook Photos to Fool Facial-Recognition Logins
Biometrics becoming a more implemented form of security, and it was only a matter of time before criminals found a workaround. Using some simple Internet searching and software that creates a 3D facial model, researchers were able to bypass 80% of facial-recognition authenticators they tested. Even more worrisome, by using the 3D rendering software, they were able to simulate movement of certain facial features, in order to pass some of the “liveness” checks that were made.
This week’s Threat Recap is filled with everything from the latest retailer succumbing to malware infection to a possible hack on the NSA. Read up on five of the latest threat happenings to stay informed and up-to-date.
Eddie Bauer Stores Compromised
It is reported that point of sale systems at several Eddie Bauer stores across North America have been compromised. Eddie Bauer states nearly all of its 350 stores may be affected. In their official statement, the company ensured customers that only in-store purchases were at risk and that those shopping through their website weren’t impacted.
Hospitals Remain a Prime Target for Ransomware
The big score for cyber criminals is usually international corporations; however, hospitals are quickly becoming the most commonly targeted organizations for ransomware attacks. Reliance on outdated security measures makes health care facilities tempting to target. The latest in these attacks are coming from email phishing campaigns that employ macro-based malware that is launched by having macros enabled in Office 2007 applications.
Possible NSA Hack Reveals Zero-day Vulnerabilities
Claims of anNSA hacksurfaced this week and several of their exploit tools have been publicly released. That’s in addition to information on several zero-day bugs found in Cisco and Juniper Networks’ software. Both companies have begun patching these vulnerabilities that may have been active for years, yet unknown to all but the NSA. This is not the first time the NSA has held onto zero-day exploits to keep them from being resolved for their own purposes. However, it does leave a question of how many more do they still have?
SMS Scam Target Empathetic Users
Many cellular users in the UK have been victims of a new SMS scam. The scam SMS pretends to be an acquaintance involved in a serious accident and needs a text reply back. Some victims claim it showed a message from their child and sternly requests a text reply to an unknown number. Those falling for the scam have been charged £20 for replying, in hopes of helping their injured friend.
Student Loan Phishing Scheme Ready for New School Year
The Student Loans Company, based in the UK, issued warnings to its customers about fake emails being sent out requesting both personal and financial information. The fake emails seem to be easy to spot, as they tend to have spelling errors and address their victims vaguely, rather than using their names.
