Ransomware as a Service (RaaS) has been growing steadily since it made its debut in 2015 with Tox. With the new Satan service, it’s easier than ever. The idea is to use this web portal to contract threat actors to create new ransomware samples for distribution via the desired attack vector. This allows any potential cybercriminal, regardless of their skill or coding knowledge, to upgrade to an encrypting ransomware business model.

Those who join the program have a number of viewing options in the portal. The Account panel shows various stats, including how much money has been made, infection count, current share percentage, etc.

All a criminal needs to do is enter a few simple pieces of information to generate brand new malware that’s ready to infect victims. Note that the portal author specifically requests downloaded samples not be shared with VirusTotal, decreasing the likelihood that security vendors will have encountered the variant.

Since the darknet web portal creator takes a 30% cut of all ransoms, it’s in his best interests to make sure as many victims are infected as possible. He provides a guide with step-by-steps instructions on how to deploy malware using obfuscation techniques to avoid detection.

The author also advertises his web portal on underground forums, and explains the payload and the payout scheme. After all, affiliates’ success means he gets a bigger cut.

Although Webroot will catch this specific variant of ransomware as a service in real time before any encryption takes place, don’t forget that the best protection in your anti-ransomware arsenal is a good backup solution. You can use a cloud service or offline external storage, but keeping it up to date is crucial for business continuity.

For best practices for securing your environment against encrypting ransomware, see our community post.

The post Satan: A new ransomware-as-a-service appeared first on Webroot Threat Blog.

MongoDB Hacks Spreading Fast

In the past few weeks, researchers have been monitoring the steady rise of hacked MongoDB installations, now surpassing over 28,000 individual systems. While the attacks started with ransoming back the stolen data, the attackers have now begun simply deleting the information from the database and leaving the ransom note for payment anyways. With up to 12 different attackers as well, crossover hacks have occurred on several of the databases, leaving the victim unsure of who to contact or how to retrieve their missing data.

Miami Bank Loses Millions without Notice   

Recently, a major Miami Beach bank has been under heavy scrutiny after nearly $4 million USD were stolen from their accounts without any suspicion arising. According to officials, the thefts began in the summer of 2016 and continued until December, when they were given a report showing a large number of fraudulent transactions taking place in the form of automatic billing payments that were being rerouted. Amidst the scandal, several prominent financial executives were forced to resign.

Amazon Phishing Scheme Targeting User Credentials

Users of retailing giant, Amazon, have noticed some oddly suspicious behavior when attempting to purchase items with prices that are too good to be true. Items being posted for sale the fraudulent merchant are available to purchase, until you add the item to your cart and begin checking out. Once in the cart, the item mysteriously disappears and a message stating that it is no long available appears. Users are then contacted by the vendor via email with a new link to purchase the item, though this link does not direct the user back to the legitimate Amazon site, but instead one that looks similar and wants your credentials badly.

Ukraine Power Stations Still the Focus of Cyber Attacks

It’s been almost exactly one year since the major power outages that affected nearly a quarter million Ukrainians, and once again, the hackers are up to their same tricks. In the last month, officials have been working to determine if the latest power substation failure was a legitimate failure or the results of another cyberattack. With the latter being confirmed, it is still surprising how little damage the hackers have actually done, with nothing more than overwriting the firmware used in the power stations to signal a manual reset to engineers on site. Researchers believe these attacks are merely a test of their capabilities and learning what security is in place and how to bypass it.

Spora Ransomware Offering New Encryption Process

With ransomware being the highest grossing cyber-attack vector, it’s no surprise that attackers are coming up with clever new methods for causing user devastation. By adding an additional encryption step, allowing for offline encryption, the attackers are able to create a new set of AES keys on the local machine which will stop decryptors from unlocking all of the victims with one private key. Additionally, Spora has the capability to gather information about the computer itself and determine an appropriate ransom amount, whether it’s for an individual user or a large corporate network.

The post Cyber News Rundown: Edition 1/19/17 appeared first on Webroot Threat Blog.

To address the need for application security in the digital transformation era, F5 is releasing a new host of products and services.

“The digital transformation has really changed security as a whole,” says Preston Hogue, Director of Security Marketing and Competitive Intelligence. What he means is that everything—EVERYTHING—is moving to the cloud. Think about the companies from years ago, such as Blockbuster, versus their modern counterparts, like Netflix or Hulu. Think about the fact that most of today’s twenty-somethings have never set foot in a physical bank branch, but use online banking daily. Now think about the fact that every service I’ve mentioned so far has an application, which is the primary method of interaction for users.

The application is the new perimeter and identity is the key to that perimeter. Over 70% of all data breaches occur by accessing applications. At F5, we are focused on securing our customers’ applications; both by securing access to the apps, and by securing the apps themselves where they reside.

We spoke with Preston about the newest security products F5 is launching, and how they’re using Webroot BrightCloud® IP Reputation intelligence to help power their solutions.

Webroot: Tell us a little bit about the security launch. What should we expect to see?

Preston Hogue: First, we are launching a family of dedicated security products called Herculon. The first two components of the Herculon product family are the Herculon SSL Orchestrator and the Herculon DDoS Hybrid Defender. These products are dedicated to solving the challenges of SSL/TLS encrypted traffic and ensuring application availability.

Second, we’re announcing a new service called Silverline WAF Express, which will give customers easy, self-service access to our cutting-edge web application firewall. We’ve been deploying web application firewalls on premises for some time and also offer a fully managed service. Since some customers don’t have the time or resources to install and maintain the software, or maintain the racks and stack and everything within their environment, we’re giving them a simpler self-service experience.

Our focus on securing applications means our overall threat research is geared toward application threat intelligence—really trying to get to the root cause of the 70+% of data breaches I mentioned previously—so we’re also announcing increased investment in our F5 Labs threat intelligence team.

Last but not least, we’re also announcing that the services of our security incident response team (SIRT), a dedicated team of highly trained individuals within the support organization, are now available to all F5 customers around the world. This team will be the highest level of escalation for security and service response.

Since threat intelligence is such a huge component of your offerings, what should your target customers consider when choosing threat intelligence sources for themselves?

There are a lot of companies that offer threat intelligence, but it’s challenging because they all claim a kind of broad, generic expertise. We advise that customers look for specificity; for targeted, actionable information that pertains to what they’re trying to do. Looking at a company like Webroot, you’ve taken on very specific aspects of threat intelligence and you’ve been able to master those particular areas—like the Webroot IP reputation intelligence that we integrate.

We see a lot of organizations trying to take on too much. That’s why we’re very definitive about the scope of what we’re trying to accomplish, and why we focus on leveraging our application security expertise around threats and ensuring we can provide very specific, clear, actionable threat intelligence with F5 Labs.

What do you hope your customers will gain by implementing your solutions with Webroot BrightCloud IP Reputation intelligence?

We know we have the expertise when it comes to understanding the overall threat to an application. We partner with companies like Webroot for insight into a particular aspect of threats; in Webroot’s case, it’s insight into IP addresses and additional threat information around user agents and anonymous proxies. We’re very specific in our threat intelligence, and we know we’re not always able to show the entire picture on our own. So we are able to fill in other areas of the overall threat landscape through our partnerships to ensure that we can give our customers the full picture they need.

How do you see the F5 security launch changing the security industry?

F5 has been in application security for over 20 years. From what we’ve seen, digital transformation is changing security as a whole. It has driven applications out of the data center and into the cloud. That means there are 3.2 billion users on the internet, who all potentially have access to these applications, which makes them a big target for breaches. Because of our expertise within the field, F5 is in the perfect position to provide visibility into this threat landscape, and also the control our customers need to achieve a secure application experience.

In his closing comments, Hogue had the following to say, “To secure access to applications and to secure the apps where they reside, you need a complete picture of the threats that target apps. You need a team like F5, with an ecosystem of intelligence partners like Webroot to provide that picture. And that’s how, ultimately, we can help our customers solve today’s security challenges and keep users safe.”

Learn more about Webroot BrightCloud IP Reputation intelligence. Or, for more information about F5’s security launch, read the press release.

The post How F5 is Changing the Application Security Game appeared first on Webroot Threat Blog.

Major Dark Web Marketplace Hacked

Recently, a hacker using the alias cypher0007 reached out to AtlasBay, a large dark web market, with information on two significant vulnerabilities that allowed him to access over 200,000 private messages, names, and addresses. Along with retrieving a good amount of buyer and seller information, the hacker also revealed that the site had no encryption on its private messaging feature. For users of the online marketplace, their data has been secured in addition to AlphaBay releasing patches for both vulnerabilities.

Ransomware Victims Likely to Pay for Data Retrieval

In a recent study, it was revealed that nearly half of businesses hit with ransomware were willing to pay the ransom which often reached over $10,000. Many of the respondents believed that the loss of data was actually less costly than the overall downtime for the business, loss of customers, and the investment in new security measures. More surprisingly, 17% of the victim companies did not involve a law enforcement agency for fear of additional attacks on their infrastructure.

Latest Firefox Update Flags Insecure Logins

Following in the steps of Google, Firefox has released an update that has resolved many security flaws that have been prevalent for quite some time. The main focus appears to be on flagging HTTP login pages as insecure and giving users an additional warning if they begin typing in an insecure username or password field. Also, Firefox has begun refusing to accept SHA-1 certificates from several public companies, as a sign of lost faith.

Android Ransomware Found On Google Play

In the last week, researchers discovered a new ransomware variant embedded in a seemingly innocent app on the Google Play store. The variant, named Charger, begins by prompting the user to allow administrator access to the device. Once access is given, the user is shown a ransom lock screen and the app starts downloading user contact and SMS data while asking for a mere 0.2 bitcoins, or roughly $180. Fortunately, the app was caught early and removed from the app store with a minimal number of total downloads.

Dark Web Hacker Steals Over 1 Billion User Accounts

With corporate hacking being more profitable than ever, it comes as no surprise to see dark web vendors selling data for millions of users. Recently however, one vendor has offered access to over 1 billion unique user accounts from some of China’s largest online vendors. Alongside the initial listing for the main Chinese accounts, the hacker also offers another ~46 million email accounts from varying domains.

The post Cyber News Rundown: Edition 1/27/17 appeared first on Webroot Threat Blog.

Twitter is buzzing with chatter about the RSA Conference 2017 (RSAC). Attendees, vendors, and speakers alike are anxiously awaiting the opportunity to discuss information security and the latest technology at the largest security conference in the world. Attending RSAC? Here’s what you should know about Webroot.

What’s new with Webroot in 2017

Today, we announced the expansion of our platform with 3 new products; Webroot FlowScape® Analytics, Webroot BrightCloud® Streaming Malware Detection, and Webroot SecureAnywhere® DNS Protection leverage the security industry’s most sophisticated artificial intelligence engine to give customers greater protection against today’s most dangerous known and unknown cyber threats.

By providing deeper insight into behaviors in the web and network layers, our new products offer better protection against today’s most advanced threats—both known and unknown—no matter where users are or what devices are connected. – Chad Bacher, SVP of product strategy and technology alliances, Webroot

During RSAC, be sure to visit us in the South Expo at booth #S1307 to experience Webroot threat intelligence and security products in action.

The Webroot Briefing Center Presentation at RSAC

Identifying threats within the barrage of everyday network traffic can be difficult. During our Briefing Center Presentation Securing the Internet of Everything: How Webroot Keeps a Smart City Safe, Chad Bacher will be discussing this how smart cities and other organizations can use advanced inspection modeling, and analytics inside the network to avoid security risks.

In-Booth Presentations

We is hosting multiple in-booth presentations throughout the conference.  Presentation topics will include our insights into the most recent threat trends, stopping polymorphic malware, using machine learning to detect zero-day threats, and more. Be sure to set a private meeting with Webroot security experts, also.

Join leading security pros and innovators, including the Webroot team, at RSAC 2017 to learn about the current state of cybersecurity. Get our thoughts on what the future holds.

The post Webroot Attends RSAC 2017 appeared first on Webroot Threat Blog.

Hotel Doors Locked By Ransomware

A prestigious hotel in Austria was the target of a ransomware attack that left their electronic door locking systems inoperable for several hours. The hack only stopped hotel personnel from activating new keycards due to system is capabilities allowing the functionality without power. Unfortunately, the hotel did pay a ransom of 2 bitcoins. They now have plans to replace the electronic lock system with traditional keys to avoid any future complications.

WordPress Quietly Fixes Critical Vulnerability

Reports have surfaced that WordPress deployed an update resolving several crucial vulnerabilities allowing unauthorized users to access and modify WordPress hosted sites. REST API is the source of the vulnerability. The API was implemented in an earlier version and set to be enabled by default. Fortunately for many WordPress users, the exploit was resolved without any signs of the issue being exploited in the wild.

Ransomware Locks up Texas Police Department

A Texas police department was forced to wipe their servers ridding ransomware encrypting documents and video evidence stored on computers. Officials have stated that the infection started from a spam email link and spread through nearly 8 years worth of data before the individual computer was taken offline.

Netflix Login Generator Creates More Than Credentials

Researchers have discovered a new ransomware variant that comes bundled inside a Netflix login generator application. When users click on the “Generate Login!” button, they are met with a dropped executable that begins encrypting any file located in the main Users directory of the computer. Currently, this variant only runs in Windows 7 and 10 and demands a smaller ransom than normal ($100 or .18 bitcoins), likely in the hope of actually receiving payment.

Office Printers Susceptible to Cyber Attack

While many believe that employees are the main point of vulnerability for a typical corporation, it should be mentioned that the quietest machine in the office can also be an attack vector: the printer. With wireless access becoming ever more prevalent, it’s no surprise that cyber criminals are looking to different areas of opportunity. With nothing more than authority to use the printer, there are several ways to bring the machine to a halt or even gather data that passes through.

The post Cyber News Rundown: Edition 2/3/17 appeared first on Webroot Threat Blog.

The benefits of adopting the managed service provider (MSP) business model are compelling. After all, predictable, recurring revenue; deeper engagement with clients; and a trusted advisor relationship that generates further business opportunities all sound like everything a successful services business could want. However, for some, it still means braving uncharted territory.

Important Considerations

IT solutions providers interested in switching to the MSP model face a number of decisions. Before you do anything else, you have to define your service offerings. There are so many companies who offer products in the primary MSP categories, so it’s important to take your time in performing a detailed analysis of the pros and cons of various products.

• Automation
  Plain and simple, you need automation tools. These include professional services automation (PSA) and remote monitoring and management (RMM) software, which are the backbone of every MSP’s business. Pay close attention not to just features, but the pricing structure and integrations with the other tools you plan to use.
• Timing
  Another challenge can be finding the right timing to migrate existing customers. The process of transitioning current customers can be a minefield of logistical issues, particularly if those customers purchased different products on a staggered schedule. In those cases, you must consider not just what your full managed services offering will look like, but how to get existing customers onto a monthly bundle.

Differentiating Your Business

Remote monitoring is a standard part of the traditional MSP portfolio. Disaster recovery, such as a secure backup system, is also a leading service to pitch to customers, since disasters of all types can hit an organization at any time, and have the potential to cripple their business operations. So what’s going to make you stand out? You might not think so, but many MSPs are leading with another equally important service: endpoint security.

Computers, mobile devices, and servers will always need protection, but modern businesses face a variety of new challenges. Cybercriminals have only increased their efforts at causing mischief, launching new and creative ransomware with startling frequency at companies around the globe. Additionally, many organizations in the healthcare, financial, and retail segments have compliance mandates for handling sensitive data, which typically include endpoint security. In short, the time is right for starting a conversation about security.

Selecting Cybersecurity

The MSP model is about efficiency gains, so choose a provider that helps reduce your TCO. Look for a security offering that doesn’t need a local server, offers flexible monthly billing, and consider a solution that’s cloud-based so it won’t impact system performance. The security application you choose should be effective, lightweight, and have no noticeable impact when running.

Should disaster strike, it’s also very important to have a solution that can remediate systems automatically, reducing the burden on your IT staff. On the topic reducing burdens, the solution should also include PSA or RMM integration, or a management console that can automate routine tasks and give you the granular visibility you need to oversee all your customers in one place.

Making the Switch to the MSP Model

While adding managed services might seem daunting, it’s a powerful way for resellers to add new revenue streams to the business while transitioning into a hybrid or full MSP model. Keeping costs down on monthly contracts gives MSPs a big advantage today, and if the managed services model didn’t work for both customers and IT solution providers, it wouldn’t have seen the adoption and success it has experienced in recent years. Although the transition isn’t easy, it holds a lot of promise. IT solution providers in transition can rest assured that their best and most profitable years are ahead.

Read this case study to find out how SLPowers, an MSP managing 76 different companies with over 2,000 endpoints, got its start in the reseller realm, moved to managed services, and leveraged next-generation endpoint protection to improve customer satisfaction, lower costs, and increase profitability

Or, take a free, no-risk, no-conflict 30-day trial of Webroot SecureAnywhere Business Endpoint Protection with the Global Site Manager to see the solution SLPowers chose in action.

The post Increasing Profits by Moving to the MSP Model appeared first on Webroot Threat Blog.

Throughout 2016, many of the attacks and risks in the world of cybercrime followed “analog” crime: holding something for ransom/extortion, propaganda, theft, and identity scams. You might expect a cybersecurity vendor to see these trends as good for business, but in fact it’s the opposite. The modern world relies heavily on the internet and web applications for all types of transactions. For these technologies to continue advancing, users have to feel safe when they conduct those transactions online. That means those of us in the cybersecurity field are dealing with trust as our most valuable commodity. Erode the trust too deeply and many internet users will either take their business elsewhere, or try to avoid online transactions altogether.

Maintaining customers’ trust should always be the core of any cybersecurity provider’s strategy. In 2017, we plan to continue coming up with new ways to use our threat intelligence and cloud-based security platform to do just that. Here’s a look at what’s in store.

Webroot SecureAnywhere^® DNS Protection

To kick off the year, we’ve introduced our new Webroot SecureAnywhere^® DNS Protection service. By redirecting users’ internet traffic through the Webroot DNS cloud, businesses now get enhanced visibility, control, and peace of mind. Web requests are checked in real time to ensure they are not malware connecting to a Command and Control server, or requests to visit high risk sites. SecureAnywhere DNS Protection also lets businesses fine-tune web access policies by IP address or IP range, and limit access to websites based on their category—with 82 URL categories to choose from. This simple, domain layer security improves productivity, provides great visibility, and is a smart and cost-effective way to dramatically reduce web risks.

Webroot FlowScape^®

The second new offering is a state-of-the-art approach to early threat detection that works by analyzing all the traffic taking place within your network; not just communications to and from the internet, but also those that occur between network-connected devices. Using supervised and unsupervised machine learning and behavioral analytics, the Webroot FlowScape^® solution cuts through everyday network noise to reveal network anomalies and threats that other security technologies miss, and does so early enough for security administrators to prevent those threats from compromising the network. The FlowScape solution is designed for MSSPs and other IT security professionals who need to identify all the adversarial anomalies and risks within their networks.

Webroot BrightCloud^® Streaming Malware Detection

Last, but not least, we are releasing Webroot BrightCloud^® Streaming Malware Detection for polymorphic malware protection. This technology detects malicious files as they stream through the network perimeter in real time, without having to download the entire file, and without causing undue network latency. Streaming Malware Detection is designed to be integrated into network security devices to help identify and eliminate malicious files before they enter the network.

2017 will bring many new security challenges, but with these new solutions in place and other innovations on the Webroot drawing board, we plan to keep building our customers’ safety, security and trust.

The post What’s new from Webroot in early 2017? appeared first on Webroot Threat Blog.

Macros Turn Focus Towards MacOS

Researchers have discovered a trend of malicious Microsoft Word documents for MacOS that behave similar to Windows macro infections. The culprits download and execute a malicious payload to a user’s computer. While not particularly sophisticated, the macro-based infections focus on exploiting the users of the computer, rather than a software vulnerability, as macros can also be used for legitimate applications.

Phishing and Tax Season Go Hand in Hand

It’s tax season and criminals are working on new and clever ways to gain access to sensitive documents, and other available assets. This year brings the usual spear phishing campaigns that spoof an executive requesting tax forms, but arrive with a follow-up email requesting a wire transfer to a listed account. The best defense against these types of attacks is caution on the recipient of any suspicious emails, and using two-factor authentication where available.

Android Malware Triada Takes Top Spot

The reigning Android malware family has changed from Hummingbad, a rootkit downloader that remains persistent on devices and downloads fraudulent apps for ad revenue, to Triada, a malicious backdoor that grants super-user privileges to the malicious payloads that are downloaded according to a recent announcement. This switch comes after nearly a year as the most widespread infection for Android devices.

Teen Hacks 150,000 IoT Devices Overnight

It’s been revealed that a teenager from the UK, in the span of an evening, successfully hacked over 150,000 printers across the world. He created a simple program that sent printer protocol requests to various IoT devices and was able to get responses from and send jobs to different printers. The teen claims he did so to bring attention to the major lack in security for IoT devices that are connected to an insecure network.

Unpatched WordPress Sites Defaced

Thousands of WordPress sites have been defaced by hackers exploiting a bug patched nearly two weeks ago. Sites that haven’t been updated to the latest version were susceptible to a vulnerability in the REST API allowing unauthorized changes to be made to the title and any visible content. Due to the defacements, Google has begun categorizing affected sites by the hacker group’s names.

The post Cyber News Rundown: Edition 2/10/17 appeared first on Webroot Threat Blog.

We’re not telling you anything new when we say that malware continues to pose a major challenge for businesses of all sizes. Polymorphism, in particular, is especially dangerous. Polymorphic executables constantly mutate without changing their original algorithm, meaning the code can change itself each time it replicates, even though its function never changes at all. That’s why it’s so problematic; organizations that rely on traditional endpoint protection methods have little hope of detecting and blocking all the variants that might hit their network, even if they combine their antivirus technologies with network sandboxing.

How BrightCloud® Streaming Malware Detection Works

With all this in mind, we’ve developed Webroot BrightCloud Streaming Malware Detection. This brand new, innovative technology detects malicious files in transit, in real time, at the network perimeter. It can be integrated into perimeter network security devices to complement existing functionality by identifying and eliminating malicious files before they enter the network or have the chance to spread or mutate internally.

In most cases, Streaming Malware Detection can make determinations without requiring the entire file to be downloaded. It scans files in real time to make determinations after only a small portion of the file has streamed through a network perimeter device. Streaming Malware Detection determines quickly whether files are benign or malicious, enabling the device itself to block, drop, or route the file for further investigation, depending on how the technology partner or end customer chooses has configured the appliance.

For partners, Streaming Malware Detection…

• Adds malware detection functionality to your network device and enhances your ability to detect and block known and never-before-seen malware
• Makes determinations on a high percentage of previously unknown, zero-day, and malicious files at the network level
• Processes files at a rate of 5,700 files/min (over 500 times faster than a typical sandbox at 11 files/min)
• Continuously improves its own capabilities via self-learning
• Provides the flexibility to tune and adjust thresholds to minimize false positive rate
• Integrates quickly and efficiently in network edge security devices via precompiled SDK
• Provides an incremental revenue opportunity

How To Get Streaming Malware Detection

We’re currently planning to make this extra layer of protection against polymorphic malware, and targeted malware in general, available for GA in the second calendar quarter of 2017. For the time being, we’re pleased to invite existing and prospective Webroot technology partners to join our beta program. Contact your Webroot account representative to participate.

For more info about Streaming Malware Detection and other new Webroot services, read our press release.

The post Introducing Webroot BrightCloud® Streaming Malware Detection appeared first on Webroot Threat Blog.

The City of San Diego is the 8th largest city in the US and has over 12,000 employees, numerous vendor partnerships, as well as a vast array of diverse systems and devices to protect.

In addition to more traditional endpoints and data centers, the City must protect each new piece of smart technology it implements. These include smart street lighting where adaptive controllers and LEDs work to reduce energy consumption based on foot and street traffic analysis; smart parking, in which networked sensors ease congestion with driver communications and dynamic pricing; smart grid, where data collected from smart meters and phasor measurement units increase grid reliability; smart water utilities for fresh and wastewater management; the list goes on.

You can imagine, then, that the network would be a significant asset—both due to cost and the fact that it’s the connective tissue between all business processes, city services, critical infrastructure, and various devices. Because of the diverse and widespread nature of City devices, the network that connects them is constantly exposed to attacks from all entry points of the perimeter, VPN, WiFi, and from internal people using infected devices.

Some Attacks Are Too Sophisticated For Legacy Security Tools

While legacy security tools can catch up to 95% of the attacks from known threat vectors, the most sophisticated attackers use new forms of polymorphic malware and take advantage of the new attack vectors presented as more devices are added to the network. The remaining 5% of attacks that are too dynamic to be detected by legacy solutions now comprise a serious security gap.

To address the 5%, the City of San Diego has adopted Webroot FlowScape® Network Behavioral Analytics. FlowScape Analytics accelerates network threat detection by automating network monitoring and leveraging supervised and unsupervised machine learning algorithms to protect the City’s core asset: its network. The software can find both known and unknown threat activity by first studying normal network traffic to establish a baseline, next identifying any unusual behaviors and then using advanced heuristics to do a risk assessment.

FlowScape Analytics technology allows us to determine risk of system-wide user behavior and flag anomalies for remediation. – Gary Hayslip, CISO, City of San Diego

Here’s How FlowScape® Analytics Enhances Smart City Networks

What makes FlowScape Analytics special is the additional insight it provides. Most network protection solutions only look at direct traffic between endpoint devices and the internet, i.e. North/South traffic. But what about communications between internal devices within the network (East/West traffic)? FlowScape Threat Detection is tightly integrated with the Webroot BrightCloud® Threat Intelligence Platform to connect the dots between North/South communication and East/West communication. It monitors, maps, and learns both IT and IoT/SCADA/PLC communications. It also detects insider staff and vendor behaviors, which greatly increase risk through policy violations. FlowScape Analytics keeps a real-time asset inventory of anything that talks on the network, and the ports they normally communicate over. The end value is the added visibility across the entire threat landscape of a smart city network.

San Diego Improves Critical Infrastructure with FlowScape® Analytics

Since staff is limited, automating security tools has been a critical requirement for the City. Think of FlowScape Analytics like putting a security analyst in Ripley’s power loader from Aliens. Security analysts don’t have the time or resources to deal with the constant barrage of alerts, so the security framework needs to be able to do some serious heavy lifting on massive amounts of data to determine which network activity is threat related. By implementing FlowScape Analytics to protect their infrastructure, that’s exactly what the City of San Diego has done.

With a daily count of approximately 500,000 cyberattacks against the city of San Diego networks, Webroot FlowScape Analytics gives us the network visibility we need to protect critical infrastructure and services.  – Gary Hayslip, CISO, City of San Diego.

For more information about FlowScape Analytics, download our datasheet.

The post How a Smart City Stays Safe appeared first on Webroot Threat Blog.

Successful companies stand on the shoulders of great customer service. At Webroot, we aim to consistently be the best, and to do so, we rely heavily on our highly skilled, globally-based technical support team to delight our customers at every turn.

At Webroot, we utilize a follow-the-sun approach with customer service support staff in Australia, the United Kingdom, and North America. – Amy Wiley, vice president of engineering service

Because of this, we were honored to win the 2017 SC Award for Best Customer Service at this week’s RSA Conference 2017 during the SC Awards Dinner and Presentation in San Francisco. The SC Awards acknowledge the achievements of companies and information security professionals that focus on protecting businesses and customer data.

The Webroot Family

We support an active and collaborative online community where customers can get involved in discussions about our products, ask IT security concerns, and even submit feature requests. Although our product is cloud-based and customers do not typically require on-site assistance, we do accommodate our customers at no additional cost when needed. Providing exceptional customer service solutions is in Webroot’s DNA and crucial to protecting our customers against the many threats launched by today’s savvy cybercriminals.

Thank you to SC Magazine the honor, and thank you to our customers for being a part of the Webroot family.

The post Webroot wins SC Award for Best Customer Service appeared first on Webroot Threat Blog.

Outerwear Online Retailer Hit with Cyber Attack

Columbia Sportswear announced that they were in the midst of investigating a cyberattack on one of its subsidiary retail sites, prAna, a brand that was acquired by Columbia in 2014. While officials still haven’t confirmed the type of attack, they have stated that it shouldn’t affect any of Columbia’s other affiliated sites.

University Targeted by Fishy Hack

An American university’s computer network was slowed to a crawl by nearly 5,000 infected devices from around the campus, all repeatedly performing searches for seafood. The IT staff noticed the dramatic increase in network traffic caused by the attack, though were initially unable to remedy the situation due to the sheer number of IoT devices sending the commands.

Mandatory Data Breach Reporting Implemented in Australia

In the past several years, thousands of companies and organizations have been victims of some form of data breach, though the number actually being reported is significantly less. While some companies choose to hide the breach from the public for fear of financial loss, this now will change in Australia as they have finally passed legislation for mandatory reporting to the Privacy Commissioner and any affected customers. This reporting must come immediately after a breach has been confirmed and could lead to hefty fines if they go unreported.

Politicians Quick to Adopt New Messaging App

A large number of politicians have been turning to an end-to-end encrypting message app that automatically deletes the conversation after a pre-determined amount of time. Similar to SnapChat, where the picture only lasts for a few seconds, the message app Confide only allows the reading of the message as a finger or cursor passes over the writing. This step dissuades any attempts to save the message’s contents, thereby keeping them from unauthorized eyes.

Ransomware Attack on Water Supply

A security researcher from Georgia created an experiment to simulate a ransomware attack on a water supply system. By using programmable logic controllers that are used in real systems, he was able to show how easily they were to exploit. Many were poorly-secured and even fully accessible online. By using one of these vulnerabilities, an attacker could easily disable several critical systems and damage the actual infrastructure.

The post Cyber News Rundown: Edition 2/17/2017 appeared first on Webroot Threat Blog.

Emergency Services Lines DDoS’d in Texas

Officials have sentenced a cybercriminal who manipulated a bug via the Twitter app to continuously dial 911, which spread to several hundred individuals across multiple states. By tweeting out a malicious link to his followers, anyone who clicked on it was subjected to an endless loop of dialing the local emergency services lines, until the phone carriers were able to shut down the calls.

Magento Database Flaw Exposes User Data

A flaw was discovered that can trigger code to be executed in an online shop’s database that intercepts a customer’s credit card information and resends it to the attacker’s server. This is likely the first time such an attack has been written in SQL and in addition, the code trigger responds to every new customer order by reinserting itself into the site’s source code, if it’s unable to detect the malware in any portion of the page.

IDF Phones Flooded With Malware

Researchers identified a significant number of IDF-related phones were infected with a piece of malware known as ViperRAT, which is capable of extracting and sending any sensitive data on the device. The most common method of infection stems from malicious messaging apps that request administrative permissions for the device, to then gather data and send it to a C&C server.

East Idaho Counties Victims of Ransomware

Two Idaho counties were targets of cyberattacks that left one county still struggling to regain its main systems. Teton County was fortunate to have only their main website defaced, which was promptly restored to normal. Meanwhile, Bingham County was less fortunate to have found ransomware on several computers that then infected their backup servers, bringing all current operations to a halt. The attack was likely initiated from a malicious email attachment that launched an executable file.

Zerocoin Source Code Typo Leads to Breach

Zerocoin made it known that they suffered a breach that allowed an attacker to steal over $500,000 worth of the cryptocurrency. The vulnerability was simply one additional character that caused a bug that, when exploited, allowed the attacker to make one transaction but receive the money repeatedly. The attacker apparently created multiple accounts to hide the influx of the multiple transactions, and had cashed out the majority of the stolen coins by the time the Zerocoin team noticed the variations.

The post Cyber News Rundown: Edition 2/24/2017 appeared first on Webroot Threat Blog.

Chatting with David Dufour, senior director of engineering, Webroot, is always interesting. Quite frankly, so is pinning him down for a short Q+A  about his experience at RSA 2017. One thing I could be sure of, though, was David having an opinion and being a straight shooter. As a first time attendee, I was curious to know what trends a veteran like David noticed and what were some highlights for him.

Webroot: You’ve been attending RSA for a number of years now. What were your expectations going into RSA 2017?

David Dufour: In my experience, RSA would never be confused with a pure play security conference like Black Hat simply because of all the hype and marketing spin, and this year did not disappoint. Going into the conference, it was apparent that Artificial Intelligence was going to be the big buzzword, with all exhibitors talking about how advanced their AI implementations were. The fun always starts when you pin many of these vendors down on exactly what AI means in their environment- how they’ve implemented it and what struggles they’ve had going to market with AI based solutions. This typically results in a glazed stares that leads to an eye twitch indicating they are finding a way to get rid of me.

“There continues to be significant advances in technology that help prevent malware both at the endpoint and in the network.”

What did you experience on the show floor?

Webroot had a prominent spot in the South Hall this year where the atmosphere seems more cutting edge than the North hall that usually hosts traditional security providers. I prefer to cut through the buzzwords and noise to get to the significant trends in the industry. Malware prevention, detection and remediation continues to be the least sexy, yet most critical tool in a security team’s bag. Although many companies purport its demise, there continues to be significant advances in technology that help prevent malware both at the endpoint and in the network. Many organizations still seem to be struggling with automation, knowing that they need to strike a more automated posture, but not yet comfortable allowing automation to run independent of human review.

What was the best part of RSA 2017?

For me, the best part of any event is typically the meetings I’m able to have with new vendors who can dive deep into the theories and implementations behind their solutions. I had several great meetings, both scheduled and impromptu, that showed promise in terms of new ideas for isolating and preventing threats. I’m hopeful some of these new companies will partner with Webroot in the near future to deliver some truly innovative ways of protecting our customers.

The post David Dufour talks about the hype and reality at RSA 2017 appeared first on Webroot Threat Blog.

During tax season most of us are probably still dreading the moment we have to quit procrastinating, buckle down, and file our income taxes. Coincidentally, it’s also a time that cybercriminals are working overtime to scam home users into giving over their financial data, and even their tax returns. The frequency of attacks only increases as the IRS tax deadline (April 18^th this year) looms ever closer.

Don’t Let Tax Season Scammers Steal Your Refund!

According to the IRS, thousands of people have lost millions of dollars and their personal information to tax scams and fake IRS communication in the past few years. In fact, a recent phone scam has been aggressively targeting taxpayers, often members of immigrant populations, in which callers claim to be IRS employees. They use false names and credentials and even spoof their caller ID information to appear more legitimate. The scammers tell their victims they owe money to the IRS and demand it be paid right away through a pre-loaded debit card or a wire transfer. If any victims refuse or sound too skeptical, the scammers threaten them with arrest, deportation, or any number of other downright terrifying legal scenarios.

According to data collected in the 2016 tax season, the IRS saw an approximate 400% surge in phishing and malware incidents, and our own data suggests this number won’t be going down any time soon.

A number of alerts have been issued by the IRS about the fraudulent use of their name or logo by scammers who hope to steal taxpayers’ assets and identity. Regular mail, telephone, fax, emails—scammers are using every phishing tool at their disposal to trick unsuspecting victims, and the proof is in the numbers. According to data collected in the 2016 tax season, the IRS saw an approximate 400% surge in phishing and malware incidents, and our own data suggests this number won’t be going down any time soon.

BOLO (Be on the Lookout)

While the IRS provides a list they call their tax season “Dirty Dozen” scams, here are the top 5 we think you should really watch out for.

Phishing: Taxpayers need to be on guard against fake emails or websites looking to steal personal information. The IRS will never initiate contact with taxpayers via email about a bill or refund. Don’t click on one claiming to be from the IRS. Be wary of emails and websites that may be nothing more than scams to steal personal information.

Phone scams: Phone calls from criminals impersonating IRS agents remain an ongoing threat to taxpayers. The IRS has seen a surge of these phone scams in recent years as con artists threaten taxpayers with police arrest, deportation and license revocation, among other things.

Identity theft: Taxpayers need to watch out for identity theft especially around tax time. The IRS continues to aggressively pursue the criminals that file fraudulent returns using someone else’s Social Security number. Though the agency is making progress on this front, taxpayers still need to be extremely cautious and do everything they can to avoid being victimized.

Return preparer fraud: Be on the lookout for unscrupulous return preparers. The vast majority of tax professionals provide honest high-quality service. There are some dishonest preparers who set up shop each filing season to perpetrate refund fraud, identity theft and other scams that hurt taxpayers.

Fake charities: Be on guard against groups masquerading as charitable organizations to attract donations from unsuspecting contributors. Be wary of charities with names similar to familiar or nationally known organizations. Contributors should take a few extra minutes to ensure their hard-earned money goes to legitimate and currently eligible charities. IRS.gov has the tools taxpayers need to check out the status of charitable organizations.

Preventative Measures

To stay safe during tax season, you need to first understand what is and isn’t normal. When faced with officials or people with perceived authority, we tend to get nervous and want to do anything they say to avoid getting in trouble. (Think about how you probably tense up when you see a cop pull up behind you, even though you know you weren’t speeding.)

The IRS will never:

• Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail you a bill if you owe any taxes.
• Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.
• Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
• Ask for credit or debit card numbers over the phone.

Additionally, it’s important that you pay close attention to email addresses, and never share financial information through email. It is normal that online tax preparation services, such as TurboTax, will require several steps of authentication via a secure connection, and may ask for personal information. Because many modern phishing scams can look almost exactly like the real deal, be sure to go directly to your tax prep service’s website in your browser, rather than clicking the links in any emails. If you’re a Webroot user, we also highly recommend you enable the Webroot Filtering Extension to ensure you know which sites are safe to visit.

Know Your Rights

You have the right to be informed, and also the right to appeal any IRS decisions in an independent forum. Have other questions about your rights as a taxpayer? Visit www.irs.gov/taxpayer-bill-of-rights.

The post Top 5 Tax Season Scams appeared first on Webroot Threat Blog.

Locky (.osiris)

O Locky, Locky! Wherefore art thou, Locky?

Alas, could Locky be no more? At the beginning of 2017, data from the field suggested potential Locky infections had decreased dramatically, so we were hoping it was on its way out. Unfortunately, Locky returned with a vengeance, though it had changed its methods somewhat. Upon further investigation, we located a number of binaries in %temp%, “a1.exe” and “a2.exe “, instantly seeing a connection to Nemucod; a name given to a family of Javascript droppers.

After additional research and decompiling several scripts, we’ve come to the conclusion that the same scripts used in previous months to distribute the .crypted “Nemucod” ransomware were suddenly downloading Locky and Kovter instead. Why the change?

Various online reports suggest that Necurs—a set of rootkit/botnet control servers—had gone offline. These were the same servers that sent out massive amounts of spam containing Locky droppers. Based on the information available, we think the bad guys changed their delivery method when these servers fell out of commission. (Incidentally, blocking the %temp% files blocks the infection, so we’re in a good position here!)

Nemucod

The Nemucod script developer used a simple script that runs another script which is then hosted on a compromised website. Those websites then randomize the contents of the script every few minutes. This means that security solutions that still use static signatures are often laughably ineffective at stopping these threats. The randomized website script is not part of the initial script, and is only readable via attachment to the WSCRIPT.exe process.

Initial script received via email:

As you can see, the script above uses “GET” to grab the response text from 1 of 5 compromised websites (var x) and evals that response text.

Sample response text from a compromised site:

When de-obfuscating scripts, I find it simpler to reverse the function used to evaluate the obfuscated content. I de-obfuscated this response script by using the initial script above with the previous function for the variable z2, which is actually eval, as follows:

was modified to

Here’s the final script, which downloads and runs the files (a1.exe and a2.exe).

Below is an example of the network traffic from this script, where the &r parameter is the downloaded payload.

CRYSIS

This ransomware is still only being distributed via compromised user accounts on RDP enabled machines. The most recently used extension is “.wallet” and it’s very common to see the ransom note email as *@india.com.

Below is a ransom note example:

Samples:

https://www.virustotal.com/en/file/31fc83f5e70515777fb4919cf249e3d2208895b96060f68a270f97377944b362/analysis/
https://virustotal.com/en/file/79b08105bbe4b7b407be42656f43c1533c725f951bc4f73c3aa9f3e68d2b3a15/analysis/

Spora

We discovered Spora last month, but data from the field suggests it isn’t too prevalent. The most common infection vector for Spora is Google Installer messages, which are displayed from third party advertisers while browsing the web. The total cost of all services is $120, which is significantly less costly than other ransomware variants, many of which demand at least 2 Bitcoins.

The image below illustrates the different prices for various services.

It also attempts to clear shadow copies via vssadmin.

SAMAS

This ransomware is distributed via compromised JBOSS servers and usually propagates to every system on a network. The most recently used extension is an ironic “.weareyourfriends”. It usually installs in %System32%, since it is typically runs with administrative rights.

Ransomware Staging Tool

Script kiddies looking to make some money need look no further. This ransomware staging tool is exactly what it sounds like: a utility where you just enter your information, browse the folders you want to encrypt, and wait for the money to roll in! We’ve seen a number of variants similar to the binary below. This is so new that it doesn’t yet have its own name, but all variants have been found on compromised RDP systems.

Statistics

Over the last couple of months, the data we’ve seen underscores how important it is for system admins to secure RDP. Unsecured RDP essentially leaves the front door open for cybercriminals. And since modern criminals can just encrypt your data, instead of having to go through the trouble of stealing it, we shouldn’t make it any easier for them to get what they want.

The post Behind the Scenes with Ransomware appeared first on Webroot Threat Blog.

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Boeing Informs Workers of Data Breach

Am I surprised there’s another data breach in the news this week? Not at all, and you won’t be either after reading on. However, I am surprised to hear it happened with Boeing. It reported that one of their employees sent sensitive data outside of the company’s network. I have so many questions. “Do they have security training program for employees?” “Was this an accident?” But before I offer up more of my thoughts, read DefenseNews’ account of the incident and let me know yours.

Russian Hacker Offers Access to University Databases

And the trends keep coming. Did you read the Daily Bruin’s article on a Russian-speaking hacker selling unauthorized access to databases for more than 60 universities and government agencies in the US and United Kingdom? I’m not pointing a finger at anyone, but I mean, another alleged Russian involved attack?! The takeaway for most is simple–SQLi attacks are definitely preventable. Organizations should take the extra effort and be more vigilant (read: do the research) when choosing pre-packaged software bundles.

Toy Maker Ignores Warning of Security Flaw

Instead of droning on about yet another data breach, I’m going to let you hear reactions from a few security experts on this one. But before taking you there, I’m have to ask, “Who hacks children toys?” (Rhetorical!) If you want to read more on the breach itself, feel free. Who am I to deprive you of the details?

Robots across Industries Share Vulnerabilities

I, for one, am glad the security of robotics is becoming more of a concern. We live in 2017 and should act accordingly when it comes to security in a connected world. Many devices lack user authorization, have default passwords that are unchangeable or left as the default, or are using insecure communication methods, all of which leave these machines vulnerable to an outside attack.

Amazon Web Services Go Offline

You all noticed the pretty big internet outage this week, right? If not, you’re either living under a rock or just arrived on planet earth. There’s no way you missed so many sites having issues. Not to mention, the social webs were buzzing. The outage was due to a problem that originated from an Amazon data center in Virginia. I think it’s safe to say interested parties were glad to hear Amazon officials state the issue has since been resolved. Amazon is likely to publish a full report on the cause and resolution to the issue in the coming days.

The post Cyber News Rundown: Edition 3/3/17 appeared first on Webroot Threat Blog.

Talks of integration are often met with audible sighs of displeasure. It’s a lot of work. You have to combine various platforms, software, and the list goes on. At Webroot, we decided to take some of the pain out of this process by partnering with Kaseya to deliver a fully integrated endpoint security solution for its customers.

Kaseya, a provider of complete IT management solutions for managed service providers (MSPs) and mid-sized businesses, was looking for ways to reduce complexity and steer its customers in the right security direction.

Charlie Tomeo, vice president of worldwide business sales at Webroot, sat down to answer a few questions about why we chose to integrate.

Webroot: Integration is practically a buzzword today. I think I just ‘integrated’ my winter and spring wardrobes. What does integration mean for Kaseya customers?

Charlie Tomeo: Integrating Webroot status and monitoring into VSA reduces management complexity by presenting this new information into the familiar tools they already use today. This gives technicians a single pane of glass and makes it easier to follow security best practice standards, which increases protection and security for their customers.

That makes sense. I’ve heard complexity is a “hackers best friend,” so any streamlining is good in my book. What can users expect in the module?

The Webroot SecureAnywhere® endpoint product is the easiest solution to deploy and maintain on the market, but our Kaseya module makes it even easier for VSA users through an intuitive, straightforward GUI-driven install/uninstall. Deployment hierarchy can mirror your Kaseya groups with Webroot groups or sites. Once deployed, the combined deployment and status dashboard gives you that single pane of glass view to manage Webroot protection within the VSA dashboard.

Day-to-day management suddenly gets easy with customized alerts that flow directly into Kaseya, creating tickets and executive dashboard reports quickly summarize infection history and endpoints under protection.

What if I’m reading this and thinking, I don’t need that, my customers are too small to have to worry about security threats. What advice would you provide?

Study after study shows that small customers are just as at-risk as any other organization. But providing enterprise level security protection to small customers is expensive without an MSP that uses a system of streamlined processes. These partners provide an affordable solution to their customers without compromising security or margins. Using the Webroot integration inside the Kaseya VSA allows the MSP to manage their Webroot agents and streamline numerous management tasks, like alerting, reporting, deployment, and updates.

That’s a wrap. To learn more or start a free trial of the Webroot Kaseya Module, visit http://wbrt.io/WebrootKaseya .

The post Integration Holds the Keys to the Castle appeared first on Webroot Threat Blog.

As if the job market isn’t hard enough to break into, rising seniors and recent college graduates are employment scam targets. In January, the FBI issued a warning that employment scams targeting college students are still alive and well.

Employment Scams – A Public Service Announcement

According to the FBI, scammers advertise phony job opportunities on college employment websites soliciting college students for administrative positions. Then the student employee receives counterfeit checks and is told to deposit them into their personal account. Shortly thereafter, the scammer directs the student to withdraw the funds and send a portion, via wire transfer, to another individual. Often, the transfer of funds is to a “vendor”, allegedly for materials necessary for the job. By the time the bank has confirmed that the original checks were fraudulent, the victim’s own money is long gone

Dashed employment hopes and lost wages aren’t the only concern for victims of recent employment scams. Possible consequences of participating in this scam include:

• The student’s bank account may be closed due to fraudulent activity and a report could be filed by the bank with a credit bureau or law enforcement agency.
• The student is responsible for reimbursing the bank the amount of the counterfeit checks.
• The scamming incident could adversely affect the student’s credit record.
• The scammers often obtain personal information from the student while posing as their employer, leaving them vulnerable to identity theft.
• Scammers seeking to acquire funds through fraudulent methods could potentially utilize the money to fund illicit criminal or terrorist activity.

Staying Safe

Remember, if it sounds too good to be true, it probably is.

Guaranteed income with no experience needed. Work from home and control your own schedule. Apply today to start earning thousands!

Phone introductions are a fine way to start the conversation, but be wary of opportunities that don’t lead to a face-to-face interview. Although some companies and government agencies may require it, you should be very cautious when sharing your Social Security Number online or over the phone. Tell the employer you’ll only provide that information once you’ve received a formal offer and are filling out W-2 or 1099 paperwork.

Be sure to do your research as well. Look into the company to find out about their market, what they sell, and look for reviews and evaluations from their employees. (Hint: you should be doing this anyway, not just when you suspect a scam.)

You can also take advantage of the Better Business Bureau and the BBB Scam Tracker℠ to research the types of scams that have been reported in your area.

Have you been scammed?

Help others avoid becoming a victim of employment scams by reporting the incident to the Better Business Bureau, the Internet Crime Complaint Center (IC3), and the Federal Trade Commission.

The post Employment scams target recent college grads appeared first on Webroot Threat Blog.