
Threat Recap: Week of July 11th


HSBC Sites Downed Briefly After Cyber Attack

Earlier this week, it was reported that HSBC had been the victim of a cyber attack and that both its US and UK sites had been taken offline. The messages remaining on both sites announced that an organization called OurMine had found a vulnerability and would only stop the attack once an HSBC employee contacted them. Seemingly as promised, the attack ceased and the sites were brought back online early Wednesday morning.

http://www.dailystar.co.uk/news/latest-news/529814/HSBC-suffers-major-security-breach-as-hackers-launch-cyber-attack-on-bank-s-servers

Malicious Pokemon Go Look-alike Apps On the Rise

With the recent popularity of the Pokemon Go app, it comes as no surprise that a massive influx of third-party apps claiming to be related have hit the appstore. While many of these are seemingly harmless, some offer cheats and other Pokemon-related info to attract users and then require permission to view personal information stored on the phones. With nearly 200 unofficial apps found so far, it is likely that more will replace the ones that are being removed.

http://www.csoonline.com/article/3095706/security/a-surge-of-pokemon-go-related-apps-is-out-to-steal-your-data.html

Ransomware’s Latest Scam Skips Encryption

Recently, researchers have discovered a new variant of ransomware that operates with significantly less sophistication than normally seen. Ranscam, the variant in question, lives up to its name by simply deleting the files once the ransom message is displayed, while stating the usual encryption and bitcoin payment instructions. Regardless of the victim’s payment status, the files are completely removed, leaving nothing to decrypt if/when a payment is made.

https://threatpost.com/ranscam-ransomware-deletes-victims-files-outright/119197/

Omni Hotels Face Data Breach

This week, Omni Hotels & Resorts made a statement that it had suffered a security breach over the past 6 months on its point-of-sale systems. The attack follows the long string of hotel security incidents that have occurred in the last year, as hotels make for highly profitable targets in an industry with out-of-date cyber protection. Fortunately for Omni, their recently appointed CIO has already begun implementing new solutions to protect against similar attacks in the future.

http://www.csoonline.com/article/3094997/data-breach/omni-hotels-new-cio-shores-up-cybersecurity-amid-data-breach.html

Stampado Ransomware Available On Dark Web For Low Price

In an unusual move by malware authors, the creators of the Stampado ransomware variant have released a lifetime license for a measly $39 USD. The variant itself is similar to Cryptolocker, but with the additional function of not requiring administrator privileges when launching. While it’s currently not widespread, the price point removes a major barrier for cyber criminals who may be deterred by a high upfront cost.

http://www.infosecurity-magazine.com/news/brand-new-stampado-ransomware/

The post Threat Recap: Week of July 11th appeared first on Webroot Threat Blog.


Nemucod Ransomware Analysis


Today, we’ll look at yet another variant in the massive crop of malware that takes users’ files hostage: Nemucod ransomware.

Nemucod is ransomware that changes file names to *.crypted. While it’s not a brand new variant, a lot has changed in the last few months and different methods have been used, but one constant has remained the same: it is deployed via bogus shipping invoice spam email. The Javascript initially received in the spam email downloads malware and encryption components stored on compromised websites. Because this ransomware is written in a scripting language, it’s easy to modify and re-deploy, which has let the majority of samples bypass antivirus protection and spam email protection. However, a flaw was found in the encryption routine, which allows victims to recover their files.

  • January 2016: Nemucod changes file names to “.crypted” but does not actually encrypt them
  • March 2016: Adds XOR encryption using a 255-byte key contained in a downloaded executable. This downloaded executable encrypts the first 2048 bytes of a file
  • April 2016: 7-Zip is used instead, creating a password-protected archive of the files
  • April 2016: Instead of a hardcoded key, the Javascript generates a key and passes it as an argument to the downloaded executable, which encrypts the first 1024 bytes of each targeted file
  • May 2016: A small change is added to the previous build, which encrypts 2048 bytes instead of 1024 bytes
  • June – August 2016: A PHP script is used along with a PHP interpreter to encrypt the first 1024 bytes of a file

Email Example: [screenshot of the spam email]

After opening the spam email attachment, you can see that the file located inside is a Javascript file cleverly disguised as a “.doc”. The file appears to be a .doc for users with the folder option setting “hide extensions for known file types” enabled.

Javascript Analysis:

Upon first opening the sample, it is clear that it is heavily obfuscated; this is by design to thwart AV analysis and static detection.


After de-obfuscating the script, I found that several compromised domains are used to store multiple files to be used later on in the execution routine. Of the downloaded files, we can see that two (a1.exe and a2.exe) are designed as a backdoor on the system. a1.exe is usually W32.Kovter and a2.exe is usually W32.Boaxxe. Since PHP is not installed natively on the Windows OS, the 3rd and 4th files downloaded (a.exe and php4ts.dll) are part of a portable PHP interpreter which allows the ransomware (a.php – 5th file downloaded) the ability to run.


Analysis of a.php:

We at first saw several samples of a.php written in plain text without obfuscation, but the developers changed this quickly to thwart static detection techniques. The obfuscation techniques below use chr() to encode each character as its ASCII code number, and array() to store the PHP script as a list of array values.

Examples of obfuscated ransomware variants:

chr() [screenshot of the chr()-encoded a.php]

To de-obfuscate, I converted all of the chr values to ASCII characters and finally decoded the stored base64 to get the original script.

Array() [screenshot of the array()-encoded a.php]

To de-obfuscate, I echoed the output of implode for all of the arrays (and removed eval) using the following at the end of the script:

;echo implode($f,''); ?>

De-obfuscated: [screenshot of the decoded a.php]
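Both encodings can be undone statically, without ever running the PHP. The following is an added example (not Webroot’s or the malware author’s code); the two PHP fragments in it are constructed to mimic the chr() and array()/implode() layouts and decode to a harmless placeholder:

```python
"""Static de-obfuscation of the chr() and array()/implode() encodings above.
Added example, not Webroot's code: the PHP fragments are constructed stand-ins
that decode to a harmless placeholder, not the real a.php."""
import base64
import binascii
import re

PLAIN = "set_time_limit(0); echo 'demo';"          # harmless stand-in script
_B64 = base64.b64encode(PLAIN.encode()).decode()

# Constructed sample 1: the base64 text is spelled out as a chain of chr() calls.
SAMPLE_CHR = ("<?php eval(base64_decode("
              + ".".join("chr(%d)" % ord(c) for c in _B64) + ")); ?>")
# Constructed sample 2: the script is split into array() elements and imploded.
SAMPLE_ARRAY = ("<?php $f=array('set_time_l','imit(0); ',\"echo \",'\\'demo\\';');"
                "eval(implode($f,'')); ?>")


def decode_chr(php):
    """Join every chr(N) call, in order, into one string (PHP takes N mod 256)."""
    return "".join(chr(int(n) % 256) for n in re.findall(r"chr\(\s*(\d+)\s*\)", php))


def maybe_base64(text):
    """Return the decoded text if `text` is clean base64 decoding to UTF-8, else None."""
    if len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def php_string_literals(src):
    """Yield the PHP string literals in `src` with backslash-escaped quotes and
    backslashes resolved; text outside quotes (commas, spaces) is skipped."""
    i, n = 0, len(src)
    while i < n:
        q = src[i]
        if q not in "'\"":
            i += 1
            continue
        i, buf = i + 1, []
        while i < n and src[i] != q:
            if src[i] == "\\" and i + 1 < n and src[i + 1] in (q, "\\"):
                i += 1                      # drop the escaping backslash
            buf.append(src[i])
            i += 1
        yield "".join(buf)
        i += 1                              # skip the closing quote


def array_body(php, start):
    """Return the text inside the array( ... ) that starts at `start`, tracking
    nesting and quotes so a ')' inside a string literal does not end it."""
    i, depth, in_q = start + len("array("), 1, None
    begin = i
    while i < len(php):
        c = php[i]
        if in_q:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == in_q:
                in_q = None
        elif c in "'\"":
            in_q = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return php[begin:i]
        i += 1
    raise ValueError("unterminated array()")


def decode_array(php, glue=""):
    """Implode the string elements of every array() literal: what the author's
    trailing `;echo implode($f,''); ?>` made PHP print, done without PHP."""
    return "".join(glue.join(php_string_literals(array_body(php, m.start())))
                   for m in re.finditer(r"\barray\(", php))


def deobfuscate(php):
    """chr() route first (base64-decoding the joined text when it is base64),
    otherwise the array()/implode() route."""
    joined = decode_chr(php)
    if joined:
        return maybe_base64(joined) or joined
    return decode_array(php)
```

Running deobfuscate() over a real sample prints the script without executing it, so the same approach works on a machine with no PHP interpreter.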

The PHP script first uses “set_time_limit(0);” to keep the interpreter running.

A recursive Tree function is used with preg_match to match folders:

winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache

If a match is found, the script opens the directory and checks for more directories using is_dir; if a directory is found, it runs TREE again, which continues the loop to check if the object is a folder or a file.

Once a file is found, it uses preg_match again to match its file extension:

zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso

Once a file matching the file extensions above is found, its file name and path are stored in the variable “$fp”, and a new variable, “$x”, is created by calling the function fread.

fread() reads up to length bytes from the file pointer referenced by handle.

After reading the first 1024 bytes of a file, a for loop is used with strlen and the variable $k (a base64 string) to encrypt the files.
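The reason such a routine leaves files recoverable is that it only touches the first 1024 bytes and applies the same key from offset 0 in every file. The following is an added example, not Webroot’s code; since the page does not print the loop body, it assumes the byte-wise XOR with a repeating key that the March and May 2016 builds in the timeline above used, and KEY is a constructed stand-in for $k:

```python
"""Why the a.php scheme is recoverable: it touches only the first 1024 bytes and
reuses one key from offset 0 in every file. Added example, not Webroot's code.
The page does not print the loop body, so this ASSUMES the byte-wise XOR with a
repeating key used by the March and May 2016 builds; KEY stands in for $k."""
HEAD = 1024                               # what a.php reads with fread()
KEY = b"QmFzZTY0bG9va2luZ0tleQ=="       # constructed base64-looking key


def nemucod_style_encrypt(data, key):
    """Model of the a.php loop (assumed XOR): the first HEAD bytes are XORed
    with key[i % len(key)]; everything past byte 1024 is left untouched."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:HEAD]))
    return head + data[HEAD:]


def recover_keystream(plain, crypted):
    """One original/.crypted pair yields the whole keystream, because every
    file is XORed from offset 0 with the same key (XOR of plain and cipher)."""
    n = min(HEAD, len(plain), len(crypted))
    return bytes(p ^ c for p, c in zip(plain[:n], crypted[:n]))


def shortest_period(stream):
    """Smallest p such that stream repeats every p bytes, i.e. the key length."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def decrypt_with_keystream(crypted, keystream):
    """Undo the XOR on the header; the tail was never modified."""
    n = min(HEAD, len(crypted), len(keystream))
    return bytes(c ^ keystream[i] for i, c in enumerate(crypted[:n])) + crypted[n:]


def key_prefix_from_magic(crypted, magic):
    """Without any original, a known file signature (PDF, ZIP, PNG, ...) still
    exposes the first len(magic) key bytes, enough to recognise the key."""
    return bytes(c ^ p for c, p in zip(crypted, magic))


def make_sample_files():
    """Two constructed documents longer than HEAD: a fake PDF and a fake ZIP."""
    body = bytes((i * 7 + 3) & 0xFF for i in range(3000))
    return b"%PDF-1.4\n" + body, b"PK\x03\x04" + body[::-1]


def demo():
    """Recover a second victim file using one original the victim still has."""
    pdf, zipf = make_sample_files()
    c_pdf, c_zip = nemucod_style_encrypt(pdf, KEY), nemucod_style_encrypt(zipf, KEY)
    ks = recover_keystream(pdf, c_pdf)       # 1024-byte keystream
    return {
        "key_length": shortest_period(ks),
        "zip_recovered": decrypt_with_keystream(c_zip, ks) == zipf,
        "tail_untouched": c_zip[HEAD:] == zipf[HEAD:],
        "key_prefix": key_prefix_from_magic(c_zip, b"PK\x03\x04"),
    }


if __name__ == "__main__":
    print(demo())
```

A single intact copy of any one encrypted file (from a backup, an email attachment, or a download cache) is therefore enough to recover every other file the script touched.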


If you have found yourself a victim of this ransomware, please submit a support ticket.


Threat Recap: Week of August 15th


This week’s Threat Recap is filled with everything from the latest retailer succumbing to malware infection to a possible hack on the NSA. Read up on five of the latest threat happenings to stay informed and up-to-date.

Eddie Bauer Stores Compromised

It is reported that point-of-sale systems at several Eddie Bauer stores across North America have been compromised. Eddie Bauer states nearly all of its 350 stores may be affected. In its official statement, the company assured customers that only in-store purchases were at risk and that those shopping through its website weren’t impacted.


Hospitals Remain a Prime Target for Ransomware

The big score for cyber criminals is usually international corporations; however, hospitals are quickly becoming the most commonly targeted organizations for ransomware attacks. Reliance on outdated security measures makes health care facilities tempting targets. The latest of these attacks come from email phishing campaigns that employ macro-based malware, which runs when macros are enabled in Office 2007 applications.


Possible NSA Hack Reveals Zero-day Vulnerabilities

Claims of an NSA hack surfaced this week and several of their exploit tools have been publicly released. That’s in addition to information on several zero-day bugs found in Cisco and Juniper Networks’ software. Both companies have begun patching these vulnerabilities, which may have been active for years, yet unknown to all but the NSA. This is not the first time the NSA has held onto zero-day exploits for its own purposes, keeping them from being resolved. However, it does leave the question of how many more they still have.


SMS Scam Targets Empathetic Users

Many cellular users in the UK have been victims of a new SMS scam. The scam SMS pretends to be an acquaintance involved in a serious accident and needs a text reply back. Some victims claim it showed a message from their child and sternly requests a text reply to an unknown number. Those falling for the scam have been charged £20 for replying, in hopes of helping their injured friend.


Student Loan Phishing Scheme Ready for New School Year

The Student Loans Company, based in the UK, issued warnings to its customers about fake emails being sent out requesting both personal and financial information. The fake emails seem to be easy to spot, as they tend to have spelling errors and address their victims vaguely, rather than using their names.


Threat Recap: Week of August 22nd


This week’s Threat Recap covers everything from ‘Fantom’, the new ransomware that disguises itself as a Windows update, to hackers using Facebook photos to trick facial-recognition logins.

Decryption Keys Released for Wildfire Ransomware

Recently, researchers have announced the public availability of decryption keys for users affected by the Wildfire ransomware variant. This particular variant focused mainly on Dutch email domains and infected over 5,300 systems in the last month alone. Infected users were asked to pay a ransom of 1.5 bitcoins after opening a fake delivery form sent as an email attachment.

Android Botnet Receiving Commands from Twitter

A new Android app called Android/Twitoor has been used as a backdoor to spread malware onto smartphones. By having the malware check several Twitter accounts periodically, the app is able to receive updates without the malware authors needing to maintain their own command and control servers. Windows-based Twitter botnets have been in use for several years now, but the Android-based version is a much newer practice, as many users rely more and more on mobile devices for everyday banking, communication, etc.

Fantom Ransomware Disguised as Windows Update

A new ransomware variant called Fantom has been discovered in the wild. The ransomware disguises itself as an important Windows update while it begins encrypting the victim’s files. Once executed, the malware runs a file called WindowsUpdate.exe and displays a locked splash screen showing the update currently in progress. Once encryption is complete, the user is left with an ominous wallpaper and their files showing the added ‘.fantom’ extension.

iOS Vulnerabilities Used to Target Foreign Activist

It has been discovered that three previously unknown vulnerabilities in Apple’s iOS were used to spy on human rights activist Ahmed Mansoor. It is believed Ahmed received an SMS message that contained a malicious link that was used to infect the smartphone with data-stealing software. Apple has since patched the vulnerabilities that were exploited, though it is still unknown how the attackers gained access to the vulnerabilities, as they would be highly valuable.

Hackers Use Facebook Photos to Fool Facial-Recognition Logins

Biometrics are becoming a more widely implemented form of security, and it was only a matter of time before criminals found a workaround. Using some simple Internet searching and software that creates a 3D facial model, researchers were able to bypass 80% of the facial-recognition authenticators they tested. Even more worrisome, by using the 3D rendering software, they were able to simulate movement of certain facial features in order to pass some of the “liveness” checks that were made.


Fantom ransomware impersonates Windows update


Windows 10 has been notorious for automatically installing updates on users’ machines, and now there is a ransomware that aims to capitalize on it. The new ransomware, Fantom, is based on the EDA2 open-source ransomware project on GitHub called hidden tear that’s recently been abandoned.

Fantom behind the scenes

In an attempt to conceal malicious intention, the authors of this ransomware modified the file properties to show copyright and legal trademarks mimicking a Windows update.

Once this dropper is executed, the payload “WindowsUpdate.exe” is dropped in AppData\Local\Temp and displays the fake Windows Update screen shown below. This screen locks you out of doing anything else on your computer, keeping in line with the scam that Windows 10 is doing its normal interrupt for updates.

The percentage counter does work and will go up at about a percent per minute. However, it’s fake and doesn’t represent anything; its only purpose is to communicate to you that this “Windows update” will take a while and that you shouldn’t be alarmed by the CPU usage and hard drive activity. You can close this fake update overlay by ending the process “WindowsUpdate.exe” using Task Manager, but the encryption of your files is unaffected.

DECRYPT_YOUR_FILES.HTML ransom note [screenshot]

Encryption is done using AES-128 encryption and when a file is encrypted it will append “.fantom” to the extension of the file. Also in every directory that a file is encrypted, a standard ransom note “DECRYPT_YOUR_FILES.HTML” is created.

The ransom note doesn’t have an onion link as your payment portal for your files – a standard for most encrypting ransomware. Instead, you’re asked to email the cyber criminals and await response. This tactic is meant to target less savvy computer users who would be intimidated by creating a bitcoin wallet address and using a tor browser to connect to the darknet for ransom payment. To increase odds of gaining trust, two “freebie” files for decryption are allowed.

However, it’s clear that these cyber criminals have a very loose grip on the English language so we don’t anticipate much traction with their scams through email. We also reached out as a test and have yet to hear back in over 24 hours.

[screenshot of the ransom message]

Employ a backup solution

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 Analyzed: 7D80230DF68CCBA871815D68F016C282

Additional MD5s seen:
4AC83757EBF7ACD787F732AA398E6D53
65E9E1566DEC1586358BEC5DE9905065
60DBBC069931FB82C7F8818E08C85164
86313D2C01DC48D617D52BC2C388957F


Threat Recap: Week of August 29th



European Company Loses Millions in Targeted Phishing Scam

In the last couple of weeks, Leoni AG, one of the largest electrical wiring companies in Europe, fell victim to a Business Email Compromise (BEC) scam in which the CFO transferred a significant sum of money to an unverified bank account. This location was likely the main target because it is the only one of four factories authorized to transfer money. The attackers spoofed an email to the company’s CFO, “sent” from one of the company’s higher-ranking executives and containing very specific details about the internal transfer protocol.

Hotel & Restaurant Chain Warns of Jeopardized Payment Terminals

Recently, Kimpton Hotels has issued a statement that verifies the presence of malware on payment processing devices in over 60 of their locations across the country. It is believed that credit cards used at these locations in the first half of 2016 may be compromised and should be monitored for illicit transactions taking place. While the incident is still under investigation as yet another victim in a long line of large-profile targets, Kimpton officials are still unclear on the source of the breach.

Blizzard and EA Face DDoS Attacks during Releases

With the launch of the latest World of Warcraft expansion, Legion, occurring in the same week as the online-beta release of Battlefield 1, it comes as no surprise that both companies were in a prime position for a cyberattack. Unfortunately, that’s just what happened, as both companies were hit with DDoS attacks that brought several servers down for a period, and affected latency for many gamers trying to access the games upon availability.

NHS Hospitals Hit with Ransomware, Not Paying Up

In a recent study done of nearly 60 NHS institutions in the UK, over half had been the victims of at least one ransomware attack in the last year, though none had resulted in the ransom being paid. Of the hospitals that were affected, the vast majority were able to recover their encrypted data by restoring from backups that are created and stored internally. While ransomware is continuing its spread across the globe in search of easy targets, the best defense is still to have full backups of sensitive information and be prepared for what has become an inevitability for many organizations.

Hacker Exposes Poor IT Security of Kuwait Auto Import Company

While many hackers are on the lookout for a quick payday, or simply want to prove they have the capabilities, one hacker has made it his mission to teach poor IT admins a lesson. By breaching the Kuwait Automotive Import Company’s main site and obtaining sensitive details on over 10,000 customers, the hacker has definitely sent a message about the importance of strong cybersecurity. After the breach took place, the entire data dump was posted to pastebin, where it remains readily available to the general public.


Threat Recap: Week of September 5th


There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.


No Site is Immune to User Information Exposure

In yet another example of poor cybersecurity, Brazzers has issued a statement regarding the unauthorized access to nearly 800,000 sets of usernames, passwords, and email addresses. The data itself lacked any encryption and was viewable in plaintext. Users of the Brazzers forums are advised to change their passwords for the site, as well as for any sites on which they may have reused the password.

Dridex Adds Crypto-Currency Wallets to Attack Vector List

While Dridex, a prolific banking trojan, has been laying low for the past several months, its authors have made significant changes. The first noticeable change is the addition of several crypto-currency wallet managers to its list of keyword searches done when infecting a new computer. By capturing and analyzing data from the infected computer, the command-and-control servers are able to make decisions on how to proceed based on the criteria that is met.

Russian Instant Messaging Service Breached

It was recently announced that over 33 million user accounts from QIP.ru, a Russian instant messaging service, had been illegally accessed and posted publicly. Unfortunately for users of the service, all of their information was unencrypted, leaving it accessible to anyone. After further analysis of the stolen data, it has again been proven that users pick amazingly simple passwords that are also used by thousands of other individuals.

Google to Begin Marking HTTP Sites As Unsafe

In a push to get all website owners to use HTTPS, Google has announced that starting in January of 2017, Google Chrome will begin flagging sites that transmit passwords or credit card information over HTTP. With this effort, Google hopes to make Internet transactions safer. Already they have had a significantly positive response with many of their top 100 sites switching to HTTPS as default.

Cybersecurity Lacking for High-Demand Devices

As we expand further into internet-connected, wearable devices, one commonality has become glaringly obvious–cybersecurity has been a low priority for many companies. As they rush to push these devices to market, there is a lack of significant testing done to ensure customers’ private information is safe. Even more worrying is this security void when it comes to connected systems in homes, as physical security for clients can be breached wirelessly if the connected system is simply shut off.


A Conversation with Hal Lonas about Threat Intelligence and Machine Learning


After sitting down with Hal Lonas to get a deeper look at the inner workings of Webroot, there was no questioning why he’s uniquely qualified to serve as the company’s CTO. And with machine learning getting thrown around as the hot new buzzword, it was refreshing to hear Hal’s down-to-earth perspective on motivations, ideas, solutions and what drives Webroot to continue innovating in the world of threat intelligence.

……………………………………………………………………………………


Tell me about your background. What led you to create BrightCloud?

I have been developing software products for years and got into the security software space as Director of Development with Websense in 2000. At the time, websites were being classified manually, even though the number of sites and security breaches were already increasing exponentially. It just seemed like the wrong way to solve the problem.

A few of us saw the trends of cloud computing, machine learning advances, and threat escalation as an opportunity to do things differently. So we dropped out of Websense and started BrightCloud, which was founded and architected on the belief that automated classification using machine learning and the scalability of the cloud was the only way to go.


BrightCloud technology does a great job in combatting today’s threats: dynamic ones that appear, damage, and disappear. Was it built with polymorphism in mind?

We actually didn’t build BrightCloud tech with polymorphic or transitory malware in mind. We built it to bring incredible speed, scale, and flexibility to finding threats. So when polymorphism came to the forefront several years ago and started overwhelming traditional signature-based solutions, we were at the right place at the right time. There are many other security problems that BrightCloud technology solves based on the architecture and platform we’ve built, for example finding phishing and fraudulent sites in real time.

You also have to credit Webroot’s vision in combining cloud-based endpoint security with BrightCloud intelligence. Webroot endpoint technology was designed from the ground up to be cloud-based and globally scalable, to minimize the time from threat detection to global protection. Additionally, Webroot had the guts to transform the product and the company from a traditional antivirus offering to a platform-based service approach. That’s a key aspect to the entire ecosystem we protect.


How is your approach to threat intelligence different from most?

Well for one thing, we don’t generate white lists, black lists, or static feeds of data. You could use our data in that way, but the threat landscape is way too big and dynamic for that, and we offer so much more. As soon as you publish a list, it’s out of date. Security professionals need a service where they can ask questions and get security advice at the moment of truth, which is just before you click on a website, before your firewall accepts a connection from an unknown IP, or before you run that downloaded file or mobile app. That’s what we do with the BrightCloud system at Webroot. And that’s what gives our products and partners protection no one else can provide.

The way our technology works, everything on the internet has a reputation score somewhere between totally trustworthy—so a score of 100—down to clear and present danger scores of single digits. That allows our customers to set a risk threshold for activity they want to allow or block, and decide when to warn users. That’s a very different approach than others in the field are taking. When we say ‘actionable threat intelligence’, that’s what we mean; we inform critical decisions at the moment of truth billions of times every day.


What approaches do you think cybercriminals will be using in the future?

Ransomware has been very successful, so I think we’re going to see more of that. The bad guys are going to find areas where we are lazy in protecting ourselves and they’re going to exploit those weaknesses. We might find things like demands of payments simply not to attack us, almost like extortion for so-called protection.

Besides security, we might also find other business areas where we’ll be forced to improve, like getting rid of passwords for authentication, and making data backups easier and testing them to see if they work.

Also, as legacy operating systems from Microsoft, Apple, and Google get more secure, attacking them will become less easy and profitable. That means the bad guys are going to look at other areas to attack, like newer home and business devices connected to the internet. We describe this as the new and expanding attack surface area.

As more new products and devices get added to networks, it seems as if those products are being rushed to market and that security is an afterthought. In a lot of cases, many times not in the product at all when it’s released.


We observed in our quarterly threat brief that malware attacks have actually gone down in the past few months. Does that mean that the overall threat level is decreasing?

There may be a number of contributing factors here. Based on what we’ve observed, our impression is that even if there are fewer attacks, they’re more impactful. For example, a single organization hit by ransomware may struggle for days or weeks trying to recover or decide whether they should pay. Additionally, cybercriminals are taking time to regroup as security solutions get smarter and as more threats are stopped earlier by machine learning and automation. As the bad guys figure out their next move, we’ll see threats take off again, most likely in new areas.


Can machine learning help combat the threats that are keeping you up at night?

Absolutely. Not only can it help, but we believe it’s the only way to solve the growing threat problem, which is why our next quarterly threat brief will focus specifically on machine learning. Of course you have to be smart about it, and threat researchers and analysts are still key parts of the puzzle, but we’ve figured out how to leverage and amplify their knowledge and productivity a thousand-fold. As threats become more transitory and harder to find, humans are going to be even more overwhelmed and won’t be able to keep up without automation.



Threat Recap: Week of September 12th


There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Patch Tuesday Changing Update Format

In one of the largest changes that Microsoft has implemented, Patch Tuesday is being replaced with monthly batch updates. With the new method of releasing updates, Microsoft is removing the capability of users to choose which updates they install by just forcing the entire update, along with any updates from the previous month that may have been missed. For Windows 10 users, they will begin seeing this new update method first, with other OS support likely to follow.

Phishing Attack Strikes Augusta University

Early this week, employees and students of Augusta University were recommended to change their login credentials, as several of the faculty members fell victim to an email phishing scam. While state authorities are investigating the breach, the University is working to protect the staff members whose information was accessed through the payroll system.

ClixSense Breach Leaves Millions of Users Vulnerable

Recently, ClixSense (the popular paid-to-click site) was compromised, along with a page redirecting anyone attempting to access the site to a gay porn site. The company has since forced a password reset for all of its registered users, who number nearly 7 million. After further review, it appears the attackers were able to use an older, unused server to access the main database, which held users’ passwords in plaintext rather than properly encrypted.

DualToy USB Trojan Enhanced to Target iOS Users

When DualToy was first discovered in the early months of 2015, it was largely focused on Android devices located in China. DualToy is used to load malicious apps when an unsuspecting device is connected to an infected computer via USB. While users across the US and Europe are now seeing a wider spread of infected devices, even iOS users are affected as iTunes is being used to allow the trojan to steal user information.

Apple Switches to HTTPS for iOS Security Updates

In a big move by Apple, the company has finally made all iOS updates available over HTTPS, to ensure users are securely receiving them. This update comes along with the release of iOS 10, in addition to six other vulnerabilities that were patched. While some users experienced issues with the iOS 10 update putting their devices into a recovery mode, Apple was quick to resolve the issue and apologized for any inconveniences.

The post Threat Recap: Week of September 12th appeared first on Webroot Threat Blog.

Protecting Against Emerging Ransomware

While ransomware has become a buzzword for some, cyber criminals have made it a lucrative business and one which they are constantly evolving. Each day, the Webroot BrightCloud® Threat Intelligence Platform monitors, classifies and scores 95% of the internet to discover 6,000 phishing sites and 80,000 variants of malware and PUAs.

According to Webroot’s latest research, more than 97% of threats are unique to a single endpoint making traditional signature-based antivirus underprepared and ineffective in protecting businesses against today’s threat landscape. In this podcast, Tyler Moffitt, Senior Threat Research Analyst for Webroot, joins Ryan Morris, contributing editor for Penton Technology, to explain the newest and most challenging forms of ransomware, such as malvertising. In addition, they dive into the latest threat trends and arm MSPs with tested and actionable suggestions to help protect themselves and their customers from becoming another statistic.

Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 1

Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 2

Threat Recap: Week of September 19th

It’s that time of week again. Our Threat Recap is bringing you the top news in cybersecurity from new OS releases to remote access of popular cars. Here are five of the major security stories happening this week.


New Ransomware Targets Disk Drives

With the current state of ransomware threatening computer systems around the world, the jump from encrypting specific file types to encrypting the entire hard drive was inevitable. In the case of Mamba, the latest variant, the infection begins by replacing the Master Boot Record (MBR) and then moves on to encrypting the hard drive itself. Once encryption is complete, the computer requires a password to unlock, which happens to be the decryption key sitting behind the ransom's paywall.

Remote Access: A Very Real Danger for Tesla

In a recent test, Chinese researchers were able to access several critical and non-critical components of a Tesla Model S. While it may seem benign to have your seat position changed or sunroof opened remotely, these tests have also proven the capability to control brake functionality. They’ve also shown that doors and trunks can be controlled from up to 12 miles away. Tesla has responded with updates to resolve this access, which only seems to occur when the in-dash web browser is in use.

Apple Releases New Mac OS Sierra

Apple announced the release of its latest iteration of the Mac OS, Sierra 10.12. With this update, Apple has been able to remove nearly 70 different security vulnerabilities that had been prevalent in its previous two operating systems. In addition to the OS release, Apple also pushed out Safari 10, the latest update for their web browser, which should also resolve over 20 security issues from previous versions.

Facebook Zero-Day Gives Full Access to Pages

With the continuing rise of businesses using social media to advertise their products and communicate with their customers, exploits are always being researched. Recently, a researcher was able to gain access to any Facebook page by using a bug in the way Facebook deals with its business accounts. By spoofing the Business Manager functionality, the researcher was able to view and edit all associated pages with a given business, without requiring login credentials.

MoDaCo Breach Leaks Data on 880,000 Users

In the past week, MoDaCo, a UK-based smartphone forum, announced they had fallen victim to a security breach. Users of the service have been receiving notifications to change their passwords, although officials state that user credentials were all hashed. Researchers have identified that around 70 percent of the leaked credentials had already been released in previous data breaches, courtesy of Have I Been Pwned?, a web service that notifies users if their email address has been identified in a data breach.

Threat Recap: Week of September 26th

Another week, another threat recap. And this week wasn’t without its fair share of cyber incidents. Voter registration misstep? Check. New ransomware? Check. KrebsOnSecurity attack? Check! Here are five of the major security stories happening this week.


Company Security Falls to Outdated Network Devices

With the steady rise in security breaches, one of the biggest contributors is the one companies most often overlook: the networking hardware itself. In a recent study by Cisco, nearly 75% of companies are using outdated, and often completely end-of-life, products for their networking needs. Even though many of these companies are aware of the vulnerabilities that come with using older hardware, it simply isn't a concern unless something is actively wrong.

Louisiana Voter Database Made Public

Recently, researchers discovered a database hosted on the darknet that contains the voter registration information for nearly all residents of Louisiana. The database has since been secured by the researcher but, according to Louisiana law, voter information is made widely available to anyone interested in purchasing it for pennies on the dollar. Alongside the voter information, the researcher also discovered an additional database containing the personal records for nearly 7 million individuals from Louisiana.

New Ransomware Claiming Royal Ransom

In the past week, researchers have discovered a new ransomware variant operating under the name Princess Locker. While it's not a huge leap in innovation, Princess Locker offers a language selection screen followed by a page listing detailed payment options and a free single-file decryption. Unfortunately for victims of this variant, payment starts at 3 bitcoins, or roughly $1,800 USD, and doubles after three days.

KrebsOnSecurity Taken Offline by Largest DDoS Attack To Date

In what is being quantified as the largest DDoS attack in history, service provider Akamai was forced to take KrebsOnSecurity offline, as the direct traffic to the site hit nearly 600 Gbps and lasted for three days. A possible sign of things to come, the attack seems to have been distributed by a botnet built from compromised IoT devices, which led to the sheer volume of traffic that was seen.

Biometrics Moving Forward As Use Increases

Following a national consumer survey, as many as 20% of British smartphone users have adopted fingerprint authentication for their devices. With new security breaches occurring at such a rapid rate, biometrics have seen a rise in use as consumers worry over the security of their saved passwords for any number of online services. Many of these users only use the authentication for unlocking their devices, but the capability is there for making online purchases and accessing sites with sensitive information.

Get Cyberaware during National Cyber Security Awareness Month

As the world continues to become more connected, it’s more important than ever to be “cyberaware.” But what does cyberawareness look like? Being cyberaware means being able to interact safely within cyberspace without falling victim to cybercrimes like identity theft, transaction fraud, hacking, and others you’ve probably heard about in the news.

You might think cybercrime isn’t something that would happen to you. After all, it happens to celebrities and big corporations—headline worthy names that will get people’s attention—but not to ordinary home users or small businesses. But that’s the kind of thinking modern cybercriminals use to their advantage. That’s why we strongly encourage you to educate yourself about internet risks, and learn how you can stay ahead.

October is National Cyber Security Awareness Month, making it the perfect time to discover tools and resources to keep yourself, your family, and your devices safe. Sponsored by The National Cyber Security Alliance (NCSA) and Department of Homeland Security, National Cyber Security Awareness Month exists to encourage vigilance and protection by all computer and device users.

There’s nothing more worthy of protection than your identity and data, and the Webroot team is standing by to help you do just that. In addition to our Webroot Cyberaware Campaign, we’ve compiled a list of other resources for you to access. Be smart. Be safe. Be cyberaware.

Resources

  1. Department of Homeland Security
  2. StaySafeOnline.org
  3. THINK. CONNECT.

Threat Recap: Week of October 3rd

Alright, everyone, this week has been a whopper. I didn’t foresee Facebook Messenger adopting full user encryption, but it’s definitely time. And Apple’s move to auto-updating macOS? We can only wait and see how users react. Catch up on those stories and more in this week’s edition of the Threat Recap. Here are five of the major security stories happening this week.

Facebook Messenger Adopts Full User Encryption

Facebook has been rolling out end-to-end encryption for all of its nearly 1 billion Messenger users. This type of encryption allows users to maintain completely private conversations and even lets users have messages "expire" after a predetermined amount of time. While encryption is still an opt-in feature, it is definitely a step in the right direction for keeping users' sensitive information private.

Apple Moving Towards Updating macOS Automatically

Following the path of Microsoft, Apple has announced that it will begin pre-downloading new macOS updates automatically, without any indication to users. While Microsoft's attempts to auto-upgrade users to Windows 10 weren't as successful as anticipated, Apple hopes that users will be more inclined to follow through with the upgrade since it has already been silently downloaded.

Hutton Hotel Warns Customers of Payment Breach

In a year filled with payment processing breaches, yet another hotel has been forced to announce that their systems had been compromised. The Hutton Hotel in Nashville has warned customers from the past year to be vigilant of any fraudulent charges made using their credit cards and has offered free credit monitoring to all patrons who made purchases on-site in the last several years. While the investigation is underway, officials are still unclear as to how the breach occurred or how long ago it may have taken place.

New Iteration of WildFire Ransomware, Dubbed Hades Locker

When WildFire Locker’s servers were taken offline in August, many hoped it would lead to a decline in user ransoms. Unfortunately, the developers were not apprehended and have released Hades Locker, a new ransomware variant that is largely based around WildFire. Once executed, Hades Locker will begin encrypting all files on any mapped drives and appending file extensions to include “.~HL”, while also removing any shadow volume copies to prevent local file recovery.

DressCode Android Malware Found on Google Play Store

Recently, researchers have discovered dozens of popular apps currently on the Google Play store that are infected with DressCode malware. Once the app is installed, DressCode is able to connect the device to a botnet that is being used to drive click fraud. Additionally, DressCode can be harmful if connected to home and work networks, as it has the capability to download sensitive information it finds, along with accessing other devices that are on the network.

Source Code for Mirai IoT Malware Released

Recently, source code for the Internet of Things (IoT) botnet malware, Mirai, was released on hack forums. This type of malware was used last month in an historic distributed-denial-of-service (DDoS) attack against KrebsOnSecurity, which was estimated to have sent 650 gigabits per second of traffic from unsecured routers, IP cameras, DVRs and more to shut down the domain. Thanks to DDoS prevention measures by engineers at Akamai, the company protecting Krebs, the attack was unsuccessful; however, they report that this attack was nearly double the size of the largest one they’d previously seen.

Now that this malware has been released publicly, we can expect to see more DDoS attacks coming from botnets built out of unsecured routers and other IoT devices. For those wondering who would leave the default firmware username and password on their devices, the answer is "millions of people." In fact, using Telnet alone (a TCP/IP protocol for remote access), Mirai's author, Anna-senpai, reported "I usually pull max 380k bots." It's worth noting that many are saying Mirai wasn't the only malware variant involved in the attack. Level 3 Communications reported that the Bashlight botnet may have played a part as well.

How the Mirai attack worked

Mirai continuously scans the internet for IoT devices and logs into them using the factory default or hard-coded usernames and passwords.

Once infected, the devices connect to command and control servers to gather details of the attack and target. They then produce large amounts of network traffic—spoofed to look legitimate—at the target servers. With hundreds of thousands of these running in tandem, it’s not hard to shut down most sites. These devices-turned-botnet will still function correctly for the unsuspecting owner, apart from the occasional sluggish bandwidth, and their botnet behavior may go unnoticed indefinitely.

Infected systems can be cleaned by rebooting them, but since scanning for these devices happens at a constant rate, it’s possible for them to be reinfected within minutes of a reboot. This means users have to change the default password immediately after rebooting, or prevent the device from accessing the internet until they can reset the firmware and change the password locally. If you’re taking these steps, make sure to no longer use Telnet, FTP, or HTTP, and instead use their encrypted counterparts SSH, SFTP, and HTTPS.

The underlying problem is that IoT manufacturers are only designing the devices for functionality and aren’t investing in proper security testing. Right now, it’s up to the consumer to scrutinize the security on any devices they use. In the future, some kind of vendor regulation may be necessary.
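The two things a device owner can actually act on from the description above are the login activity the device itself records and the cleartext services it leaves enabled. The following script is an added example, not code from the Webroot post or from Mirai: it triages a small, constructed syslog excerpt from a hypothetical router (the log format, the placeholder list of factory-default credential pairs and the service names are all assumptions) to flag successful logins with default credentials, count how many distinct sources are hammering Telnet, and measure how quickly a default-credential login follows a reboot, which is the reinfection window the post warns about. It also maps each enabled cleartext service to the encrypted counterpart the post recommends.

```python
"""Defender-side triage of an IoT device's syslog for Mirai-style activity.

Added example (not from the Webroot post). The log format, the service list
and the default-credential list below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed syslog excerpt in the shape a small router or DVR might emit.
SAMPLE_LOG = """\
2016-10-01T08:00:00 kernel: boot complete
2016-10-01T08:00:41 telnetd: login failed user=root pass=toor from=198.51.100.7
2016-10-01T08:00:42 telnetd: login failed user=admin pass=1111 from=198.51.100.7
2016-10-01T08:00:44 telnetd: login ok user=admin pass=admin from=198.51.100.7
2016-10-01T08:01:10 telnetd: login failed user=root pass=letmein from=203.0.113.9
2016-10-01T08:01:12 telnetd: login ok user=admin pass=admin from=203.0.113.9
2016-10-01T09:15:00 sshd: login ok user=operator from=192.0.2.50
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+): login (?P<result>ok|failed) "
    r"user=(?P<user>\S+)(?: pass=(?P<pw>\S+))? from=(?P<ip>\S+)$"
)
BOOT_RE = re.compile(r"^(?P<ts>\S+) kernel: boot complete$")

# Placeholder factory-default pairs; a real deployment loads the vendor's own
# defaults here. This is NOT Mirai's dictionary.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}

# Cleartext services the post says to stop using, and their encrypted replacements.
CLEARTEXT_TO_ENCRYPTED = {"telnetd": "sshd", "ftpd": "sftp", "httpd": "https"}


def parse_log(text):
    """Return (boot_time, events); events are dicts keyed by LOG_RE group names."""
    boot_time, events = None, []
    for line in text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            boot_time = datetime.fromisoformat(m.group("ts"))
            continue
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return boot_time, events


def triage(text, reinfection_window_s=300):
    """Summarise default-credential logins, Telnet pressure and time-since-boot."""
    boot_time, events = parse_log(text)
    findings = {
        "cleartext_logins": Counter(),     # service -> number of login attempts
        "default_cred_logins": [],         # (ip, user) for successful default logins
        "telnet_sources": set(),           # distinct IPs trying Telnet
        "seconds_to_first_default_login": None,
        "reinfection_suspected": False,
    }
    for ev in events:
        if ev["svc"] in CLEARTEXT_TO_ENCRYPTED:
            findings["cleartext_logins"][ev["svc"]] += 1
        if ev["svc"] == "telnetd":
            findings["telnet_sources"].add(ev["ip"])
        if ev["result"] == "ok" and (ev["user"], ev["pw"]) in DEFAULT_CREDS:
            findings["default_cred_logins"].append((ev["ip"], ev["user"]))
            if boot_time and findings["seconds_to_first_default_login"] is None:
                delta = (ev["ts"] - boot_time).total_seconds()
                findings["seconds_to_first_default_login"] = delta
                # A default-credential login within minutes of a reboot is the
                # "reinfected before the password was changed" case from the post.
                findings["reinfection_suspected"] = delta <= reinfection_window_s
    return findings


def hardening_plan(enabled_services):
    """Map each enabled cleartext service to the encrypted one that should replace it."""
    return {svc: CLEARTEXT_TO_ENCRYPTED[svc]
            for svc in enabled_services if svc in CLEARTEXT_TO_ENCRYPTED}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Default-credential logins:", result["default_cred_logins"])
    print("Distinct Telnet sources:", sorted(result["telnet_sources"]))
    print("Seconds from boot to first default login:",
          result["seconds_to_first_default_login"])
    print("Reinfection suspected:", result["reinfection_suspected"])
    print("Replace services:", hardening_plan(["telnetd", "httpd", "sshd"]))
```

On the constructed excerpt the device is logged into with admin/admin 44 seconds after boot, from two different sources within a minute and a half, which is exactly the pattern that makes "reboot, then change the password" a race the owner loses unless the device is kept off the internet until the password is reset locally.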

Hack forums have removed the published code, but it’s still available here.

Threat Recap: Week of October 10

French TV Network Brought Down By Hacker Group

Earlier this year, it was reported that TV5Monde fell victim to a cyberattack that nearly caused the demise of the network. Rather than gain access to retrieve sensitive information, the attack was aimed at simply destroying any and all network systems. While the reasoning behind the attack is still unknown, it has allowed TV5 to greatly improve its employee security measures and methods for operating safely.

Card Breach at Vera Bradley Retail Stores

Recently, Vera Bradley issued a statement regarding a card-processing breach that occurred over the past several months. The company has since resolved the breach but is still urging customers to monitor their credit card accounts for any fraudulent charges. Currently, only three stores located around Detroit seem to have been affected.

Amazon Pushes out Password Resets for Millions

In the past week, Amazon has started forcing password resets to customers that may have reused their credentials on possibly compromised sites. Along with changing passwords, users are also encouraged to enable two-step authentication to further protect their accounts. While the data leaks aren’t directly related to Amazon’s customers, researchers from Amazon have determined that credentials may have been used for multiple sites.

Ransomware Now Displaying Legal Notice for Victims

In the last month, the new ransomware variant DXXD has been hitting a large number of users. DXXD differs in that it displays the ransom note and a legal notification before users log into their Windows machine. The legal note explains that the user's information has been compromised and gives multiple ways to contact the attackers to resolve the encryption.

UK Police Websites Susceptible to Attacks

Nearly 25% of UK police-related sites have no form of secure connection, according to a recent study. Even more troublesome, the majority of these sites ask for user information to identify case information without ensuring a properly secured network connection or encryption when transferring sensitive data. While many municipalities have improved their online security measures, it's surprising to see so many still lacking, with new data breaches occurring almost weekly.

Cyber News Rundown: Edition 10/21/2016

DDoS Attack on Dyn Crippled the Internet

A portion of the internet went down after suffering a crippling blow from a series of global attacks on a cloud-based Internet Performance Management (IPM) company called Dyn. Major websites including Twitter, Reddit, Spotify and even game servers for Battlefield 1 have been affected.

Malware Using Trump’s Name to Entice Users

With the election swiftly approaching, have you started to see an influx in Donald Trump-themed articles and email spam lately? Beware! Malware authors are in full swing creating threats aimed solely to infect users. They are counting on the polarized emotions to leave users disarmed. Take caution this election season and stay safe online.

School District Has Data Breach via Third-Party Vendor

The value of data remains higher than ever, and compulsory schools are finding out the hard way. Recently, a third-party data management vendor used by Katy ISD in Katy, TX, was exposed. The vendor in question, SunGard K-12, considers the incident low risk. Fortunately for the students and their families, the data breach was quickly noticed.

Axis Bank Discovers Unknown Login on Internal Servers

In yet another announcement of a bank becoming a victim of cybercrime, Axis Bank in India has made an official claim to the Royal Bank of India that its servers were compromised. Since the discovery, Axis has launched a full investigation, which has reported no unauthorized monetary transfers or signs of customer data loss.

Android Malware Still Affecting Non-Updated Users

In the past few weeks, the Android Trojan known as Ghost Push has continued to spread across older versions of the Android OS. By rooting the device, the trojan becomes exceedingly difficult to remove, as even a factory reset will prove unhelpful. By displaying a steady stream of ads, the creators are able to profit from the clicks generated. There is a solution: upgrading your device to either Android 6.0 or 7.0 will stop the malware from propagating, as it is unable to root either of these operating systems.

CryPy Ransomware Using Python-Based Encryption

Ransomware authors have taken to new methods of targeting users and improving their profit odds. A new variant called CryPy ransomware, written in Python, is being used to retrieve multiple RSA key tokens and encrypt a variety of files while allowing some "free" unlocks to the user. I wouldn't say this is particularly useful, but being able to unlock specific files gives the victim a feeling of hope to recover the remaining and may increase the chances of the ransom being paid.

DDoS attack on Dyn cripples the internet

A portion of the internet went down after suffering a crippling blow from a series of global attacks on a cloud-based Internet Performance Management (IPM) company called Dyn. Major websites including Twitter, Reddit, Spotify and even game servers for Battlefield 1 have been affected.

This was all made possible by an unknown group of malicious actors that targeted Dyn with a DDoS attack. Dyn provides an internet DNS service, which allows users to connect to websites by mapping a human-readable internet address to its corresponding IP address. For example, http://webroot.com becomes 66.35.53.194.

Dyn was being overloaded by requests from tens of millions of IP addresses all at once, causing their service to go down. Imagine a one-lane highway designed to handle the traffic flow of about 100 cars per hour. Then imagine that the same highway was suddenly riddled with over 10,000 cars. This would cause a bottleneck so severe, that the traffic would just stop. That’s essentially what happened Friday morning with Dyn.

The internet is a superhighway with destinations to a number of IP addresses rather than the actual domains of the websites. The issue is that there has to be a record of what websites and domains translate to what IP addresses. A Top Level Domain (TLD) provides that service, and they are the answer to the question of which name belongs to each IP address.
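To make the name-to-address step above concrete, and to show why a flood against one DNS provider takes sites offline for some users sooner than others, here is an added example that is not code from the Webroot post. It models a hosted authoritative server (a stand-in for Dyn) and a caching resolver in front of it, then cuts the authoritative server off as the flood begins. It goes one step beyond the post by including resolver caching with TTLs: the zone data, the TTL values and the "provider down" switch are constructed, and the only value taken from the post is the webroot.com address it quotes.

```python
"""Toy resolver showing how an authoritative-DNS outage (the Dyn case) plays out.

Added example, not from the Webroot post. Zone records, TTLs and the outage
switch are constructed; 66.35.53.194 is the address the post itself quotes.
"""


class AuthoritativeServer:
    """Stand-in for a hosted DNS provider such as Dyn (constructed records)."""

    def __init__(self, records):
        self.records = records    # name -> (ip, ttl_seconds)
        self.reachable = True     # flipped to False to model a DDoS outage

    def query(self, name):
        if not self.reachable:
            # During the flood, legitimate queries never get an answer.
            raise TimeoutError(f"no answer from authoritative server for {name}")
        return self.records[name]


class CachingResolver:
    """The resolver an ISP or browser talks to; answers from cache while TTLs last."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}           # name -> (ip, expires_at_seconds)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0], "cache"
        ip, ttl = self.upstream.query(name)   # raises TimeoutError during the outage
        self.cache[name] = (ip, now + ttl)
        return ip, "authoritative"


def try_resolve(resolver, name, now):
    """Resolve, reporting a failed lookup instead of raising."""
    try:
        return resolver.resolve(name, now)
    except TimeoutError:
        return None, "failed"


def simulate_outage():
    """Walk through the Dyn scenario: names keep resolving from cache until TTLs expire."""
    provider = AuthoritativeServer({
        "webroot.com": ("66.35.53.194", 300),   # constructed 5-minute TTL
        "example.net": ("192.0.2.10", 60),      # never looked up before the flood
    })
    resolver = CachingResolver(provider)
    outcome = {}
    outcome["before_outage"] = resolver.resolve("webroot.com", now=0)
    provider.reachable = False                  # the flood begins
    outcome["cached_during_outage"] = try_resolve(resolver, "webroot.com", now=10)
    outcome["uncached_during_outage"] = try_resolve(resolver, "example.net", now=20)
    outcome["after_ttl_expiry"] = try_resolve(resolver, "webroot.com", now=400)
    return outcome


if __name__ == "__main__":
    for stage, (ip, source) in simulate_outage().items():
        print(f"{stage:24s} -> {ip} ({source})")
```

The walk-through reproduces what users saw on the day: a site whose record a resolver had cached stayed reachable for a few more minutes, a site nobody nearby had looked up recently failed immediately, and once cached records aged out everything behind the attacked provider went dark. A resolver that is willing to serve an expired record when the authoritative server is unreachable would soften the last step, which is one of the defensive options this model makes easy to reason about.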

In this case, it’s been confirmed that an Internet of Things botnet, called Mirai, has been identified as a participant in the well planned and sophisticated attacks. The motive for this attack is only being speculated, given that the actual actors for the attacks have not yet surfaced or explained their intent.

Dyn has released an update on the DDoS event here, and you can subscribe for real-time updates on the status of the attack.

Cyber News Rundown: Edition 10/28/2016

Fake BSOD Lock Screens Popping Up Again

In a nod to screen-locking malware from past years, a new variant has arrived that now requests a simple call to support for assistance. Rather than demand a ransom to remove the fake screen, it provides a number to a fake tech support line and suggests calling them. Fortunately for many users of Windows 8.1 or higher, the malware is disguised as Microsoft Security Essentials, a security software bundle that was removed and replaced by Windows Defender after Windows 7, which would be suspicious to see on any newer OS.

Surprising Value of Personal Records

The value placed on compromised data has a varied range with cyberattacks becoming the norm in many highly lucrative industries. Due to the high return on investment of financial records, they draw some of the highest price tags—$14 to $25 per record. However, data that may take more effort or time to analyze, such as medical records, can demand only a fraction of that for the sensitive information contained within. Because the medical industry is so low-tech in terms of securing patient information, they are a prime target for attacks, as we have seen in recent months.

Adobe Pushes Emergency Patch after Flaw Exploited

Recently, Adobe Systems was forced to issue an emergency patch to stop a flaw that could allow unauthorized code execution through Flash Player. The move came after reports of the vulnerability being exploited were announced. For most users, simply ensuring they are on the latest versions of any Adobe products in use will protect them from this vulnerability. Additionally, many users who have Flash Player through their browser will have the update installed automatically.

Ontario Schools Hit with DDoS Attack

In the same week as the major DDoS attack that affected the East Coast of the US, students preparing for their Grade 10 literacy test were unable to write the exam as the district’s computer systems were targeted with a similar attack. With this year’s exam being the pilot for future online testing, it was a major setback for officials looking to determine its viability, but also a disappointment for students who had been working hard in preparation for the test.

Russian Cybercriminals Taking Bank Attacks Worldwide

After spending the last couple of years attacking local banks, Russian criminals are now expanding their successful attack techniques to other countries. The largest factor contributing to this expansion is likely the value of the Ruble against other international currencies, as local attacks net a lower profit than foreign attacks on countries with a stronger currency. While the group behind the attacks is still unknown, it is likely they are spread across various countries to avoid detection.

Cyber Threat Halloween Prank

Happy Halloween! To commemorate this annual night of fright, our team wanted to accentuate the unpredictability of cyber threats. What they came up with was not only funny and entertaining, but also serves as a reminder to stay vigilant when online.

This Halloween and beyond, remember these sage words of advice. Files that used to be benign can turn malicious over time. An email from your closest friend could be phishing in the end. This Halloween, use common sense. Defend yourself with confidence. Before you go to trick or treat, get protection that can’t be beat.
