
Cyber News Rundown: Botnet Targets Brazil’s Banks

Brazilian Bank Traffic Rerouted by Massive Botnet A botnet containing more than 100,000 routers and other devices was recently spotted hijacking traffic destined for several Brazilian banks. The hijacking victims are then sent to one of at least 50 confirmed phishing...

Unsecure RDP Connections are a Widespread Security Failure

While ransomware, last year’s dominant threat, has taken a backseat to cryptomining attacks in 2018, it has by no means disappeared. Instead, ransomware has become a more targeted business model for cybercriminals, with unsecured remote desktop protocol (RDP)...

EICAR – The Most Common False Positive in the World

If you saw a file called eicar.com on your computer, you might think it was malware. But, you would be wrong. Readers, if you haven’t yet met the EICAR test file, allow me to introduce you to it. If you have used the EICAR test file, let’s get a bit cozier with it. If...

Crime and Crypto: An Evolution in Cyber Threats

Cybercriminals are constantly experimenting with new ways to take money from their victims. Their tactics evolve quickly to maximize returns and minimize risk. The emergence of cryptocurrency has opened up new opportunities to do just that. To better understand...

3 Cyber Threats IT Providers Should Protect Against

With cybercrime damages set to cost the world $6 trillion annually by 2021, a new bar has been set for cybersecurity teams across industries to defend their assets. This rings especially true for IT service providers, who are entrusted to keep their clients’ systems...

Responding to Risk in an Evolving Threat Landscape

Reading Time: ~3 min.

There’s a reason major industry players have been discussing cybersecurity more and more: the stakes are at an all-time high for virtually every business today. Cybersecurity is not a matter businesses can afford to push off or misunderstand—especially small and medium-sized businesses (SMBs), which have emerged as prime targets for cyberattacks. The risk level for this group in particular has increased exponentially, with 57% of SMBs reporting an increase in attack volume over the past 12 months, and the current reality—while serious—is actually quite straightforward for managed service providers (MSPs):

  • Your SMB clients will be attacked.
  • Basic security will not stop an attack.
  • The MSP will be held accountable.

While MSPs may have historically set up clients with “effective” security measures, the threat landscape is changing and the evolution of risk needs to be properly, and immediately, addressed. This means redefining how your clients think about risk and encouraging them to respond to the significant increase in attack volume with security measures that will actually prove effective in today’s threat environment.

Even if the security tools you’ve been leveraging are 99.99% effective, risk has evolved from minimal to material due simply to the fact that there are far more security events per year than ever before.

Again, the state of cybersecurity today is pretty straightforward: with advanced threats like rapidly evolving and hyper-targeted malware, ransomware, and user-enabled breaches, foundational security tools aren’t enough to keep SMB clients secure. Their data is valuable, and there is real risk of a breach if they remain vulnerable. Additional layers of security need to be added to the equation to provide holistic protection. Otherwise, your opportunity to fulfill the role as your clients’ managed security services provider will be missed, and your SMB clients could be exposed to existential risk.

Steps for Responding to Heightened Risk as an MSP

Step 1: Understand Risk

Start by discussing “acceptable risk.” Your client should understand that there will always be some level of risk in today’s cyber landscape. Working together to define a business’s acceptable risk, and to determine what it will take to maintain an acceptable risk level, will solidify your partnership. Keep in mind that security needs to be both proactive and reactive in its capabilities for risk levels to remain in check.

Step 2: Establish Your Security Strategy

Once you’ve identified where the gaps in your client’s protection lie, map them to the type of security services that will keep those risks constantly managed. Providing regular visibility into security gaps, offering cybersecurity training, and leveraging more advanced and comprehensive security tools will ultimately get the client to their desired state of protection—and that should be clearly communicated upfront.

Step 3: Prepare for the Worst

At this point, it’s not a question of if SMBs will experience a cyberattack, but when. That’s why it’s important to establish ongoing, communicative relationships with all clients. Assure clients that your security services will improve their risk level over time, and that you will maintain acceptable risk levels by consistently identifying, prioritizing, and mitigating gaps in coverage. This essentially justifies additional costs and opens you to upsell opportunities over the course of your relationship.

Step 4: Live up to Your Promises Through People, Processes, and Technology

Keeping your security solutions well-defined and client communication clear will help validate your offering. Through a combination of advanced software and services, you can build a framework that maps to your clients’ specific security needs so you’re providing the technologies that are now essential for securing their business from modern attacks.

Once you understand how to effectively respond to new and shifting risks, you’ll be in the best possible position to keep your clients secure and avoid potentially debilitating breaches.

Webroot WiFi Security: Expanding Our Commitment to Security & Privacy

Reading Time: ~3 min.

For the past 20 years, Webroot’s technology has been driven by our dedication to protecting users from malware, viruses, and other online threats. The release of Webroot® WiFi Security—a new virtual private network (VPN) app for phones, computers, and tablets—is the next step in fulfilling our commitment to protect everyone’s right to be secure in a connected world.

“Launching Webroot WiFi Security is a valuable and exciting progression in our mission,” said Webroot Director of Consumer Product Andy Mallinger. “Antivirus solutions protect your devices from malware and other cyber threats, and a VPN protects your data as it’s sent and received over networks—especially public networks. This combination allows us to extend our protection of personal data beyond the device to the network.”

Shifting tides

Webroot WiFi Security arrives at a time when the fragile state of our online privacy is becoming more apparent and better understood by internet users around the world. Recent revelations of government surveillance via the Snowden leaks, social media data collection like that in the Facebook/Cambridge Analytica scandal, and data breaches including the Equifax hack have fueled a palpable rise in data privacy concerns.

Over half of internet users from around the world say they are “more concerned about their online privacy than they were a year ago,” according to a 2018 CIGI-Ipsos Global Survey on Internet Security and Trust.

Another key factor with grave implications for data privacy in the United States specifically was the 2017 repeal of privacy regulations for Internet Service Providers (ISPs), which aimed to ensure broadband customers had choice, greater transparency, and strong security protections for their personal info collected by ISPs.

“ISPs are facing less regulation today, and so can continue to share, sell, and profit by passing on user information to third parties— browser history, location, communications content, financial details, etc.—without the user’s knowledge or consent,” said Webroot Sr. VP of Product Strategy & Technology Alliances Chad Bacher.

Taking control of privacy

Now more than ever, individual users must take steps to regain control over their online privacy and security. Along with keeping trusted antivirus software installed on mobile and home devices, users should actively protect their data in transit over networks with a VPN.

But it’s important to note that all VPN applications are not created equal. Many users looking for a privacy solution find themselves wondering if they can trust that their VPN provider has their interests at heart. Consumer wariness concerning the privacy of VPN products is justified—some VPN apps, especially free ones, are guilty of sharing or selling their user data to third parties, limiting bandwidth, or serving ads. Facebook’s VPN app was recently removed from the Apple App Store® following concerns over the app’s misuse of user data.

Webroot WiFi Security provides one of the most powerful forms of encryption available, AES 256-bit encryption, and protects user data from cybercriminals and ISPs alike. Webroot WiFi Security does not collect your browsing activity, the sites you visit, downloaded data (or shared or viewed), DNS queries, or IP addresses. The full Webroot WiFi Security Privacy Statement can be found here.

Privacy plus the protection of Web Filtering

In addition to the privacy safeguards of Webroot WiFi Security that protect users while they work, share, bank, and browse online, users also benefit from the integration of Webroot BrightCloud® Threat Intelligence.* The app’s Web Filtering feature provides an extra layer of protection to keep your financial information, passwords, and personal files from being exploited. Webroot WiFi Security is powered by the same threat intelligence platform the world’s leading IT security vendors trust.

“Not only is Webroot protecting user privacy, it’s also shielding users from phishing sites and websites associated with malware,” said Mallinger.

Webroot WiFi Security is compatible with devices running iOS®, Android, macOS® and Windows® operating systems, and is now available to download on the Apple App Store, Google Play store, and Webroot.com.

*Only available on Windows, Mac and Android systems

Cyber News Rundown: Windows 10 Update Deletes Files

Reading Time: ~2 min.

Latest Windows 10 Update Removes User Files

Microsoft recently pulled its latest update, version 1809, after several users complained about personal files being deleted. While some users were able to use third-party software to retrieve deleted files, users whose files went missing from the Documents folder are having a much trickier time without restoring from backups. Since hearing of the issue, Microsoft has paused the automatic update until they can find a resolution.

Magecart Campaign Continues Its Spread

Following the attacks on British Airways and Ticketmaster, Magecart skimmer techniques have been discovered on Shopper Approved, a collective of several online stores. Fortunately, the company was able to identify the altered JavaScript code and contact affected vendors. The malicious code itself was targeted at the checkout pages for the affected stores with specific URL keywords, leaving the remainder of the thousands of online retailers unaware anything had occurred.

Vulnerabilities Found in Millions of Chinese Electronics

A new wave of vulnerabilities has been spotted in nearly 9 million devices made by China-based Xiongmai, leaving them susceptible to attack. Serious issues include default admin passwords without a prompt to immediately change them, no encryption when connecting to their cloud servers, and a lack of authorization checks when searching for updates. Many of these devices were known to be compromised during the Mirai botnet attacks, though the access points used for that have since been patched.

FCC To Block Illegal Spam Calls

Most people have received at least one unwelcome call on their mobile phone from a robotic auto-dialer. Now the attorneys general from 35 states are coming together in hopes the FCC can do something about those annoying calls. These types of spam calls seem to have increased in volume in recent years, even after the 2017 Call Blocking Order aimed at stopping them, forcing customers to block calls themselves. With an estimated 40 billion robocalls this year alone, it’s no surprise so many states are interested in putting a stop to this nuisance.

Google+ Goes Out on Low Note

After constantly struggling with low adoption, Google’s response to more popular social media platforms like Facebook has officially reached the end of its life. Several months ago an API bug was spotted that allowed unauthorized access to thousands of Google+ user accounts. The bug was patched but remained undisclosed until recently. With new GDPR regulations on breach disclosure, even the possibility of low volumes of affected clients could still be trouble for Google.

Cyber News Rundown: Botnet Targets Brazil’s Banks

Reading Time: ~2 min.

Brazilian Bank Traffic Rerouted by Massive Botnet

A botnet containing more than 100,000 routers and other devices was recently spotted hijacking traffic destined for several Brazilian banks. The hijacking victims are then sent to one of at least 50 confirmed phishing sites that will attempt to steal any information the user will provide. Backing this ever-growing botnet is a small collection of tools used to brute-force weak passwords and continue to search for other devices with poor security.

Cyber Attack Shuts Down Canadian Restaurants

A major Canadian restaurant chain announced several of their restaurant brands had suffered a ransomware attack that affected nearly 1,400 stores in recent days. While many of the IT systems were quickly taken offline to prevent further spread of the infection, customers were met with non-functioning payment systems or just closed doors. Fortunately, the company keeps regular backups and was able to restore their systems without paying a ransom.

High-Profile Instagram Accounts Being Hacked

Several high-profile Instagram accounts were hacked and held hostage recently, with some accounts being deleted even after a payment was sent. Though many victims have contacted Instagram multiple times regarding access to their accounts, some were sent automated responses while others regained control of their accounts without hearing from the company.

Google Chrome Cracks Down on Extensions

With dozens of new extensions being added to Google’s Chrome Web Store every day, it has become increasingly difficult for Google to police for malicious apps. That’s why, accompanying the release of Chrome 70, will be the ability for users to restrict browser extensions to a single site and limit the amount of permissions the extension has over the pages viewed. Additionally, Chrome has implemented 2-step verification for all developer accounts to curb the volume of hacked apps made available.

Port of San Diego Hit by Ransomware

It was revealed last week that the Port of San Diego, which controls over 34 miles of coastline, suffered a ransomware attack that temporarily knocked out their computer systems. Fortunately, most routine port operations remained able to function normally while systems were offline. There is still no information on whether the ransom has been paid or how the infection occurred.

Cyber News Rundown: Firefox Vulnerable to DoS Attack

Reading Time: ~2 min.

Firefox Vulnerability Leads to Crash

A new denial-of-service (DoS) attack has been created with the ability to cause desktop versions of the browser Firefox to freeze or crash. Upon visiting sites where the malicious script is present, the user’s browser forces download requests for a massive junk file that can cause the IPC channel for the browser to crash. Luckily, the researcher who created the attack method has contacted Mozilla about the issue, and there’s hope for a swift resolution.

Kodi Media Player Used to Spread Malware

Nearly 5,000 computers were recently compromised with cryptomining malware that was silently distributed either through malicious builds of the Kodi media player or from third-party add-ons used to enhance the player. Most of the infected computers were found to be mining for Monero and have already mined around $6,700 since the beginning of the campaign. When obtaining these types of add-ons, it’s best to visit official repositories rather than third parties, as they tend to be more discerning of content they are hosting.

Online Fashion Retailer Breached

SHEIN has revealed a data breach from June that they themselves only discovered within the last month. Nearly 6.5 million customers could be affected, as the systems storing login credentials were compromised in the attack, the company stated in a recent press release. Fortunately for those customers, the company says they do not store payment data so a simple password change should be sufficient to protect their clients.

Scottish Brewery Hit by Ransomware

After publishing a job opening to their own site, Arran Brewery was able to successfully fill the needed position. Unfortunately for the Scottish brewery, attackers posted that listing on several international recruiting sites and received dozens of applications including documents embedded with ransomware, resulting in the company being locked out of crucial systems and a ransom demand of two Bitcoins. Arran Brewery opted to restore their systems from offsite backups rather than pay the ransom, but lost up to three months of data due to outdated backups.

DoorDash Customers Complain About Hacked Accounts

Several dozen people have contacted DoorDash regarding fraudulent orders placed on their accounts. DoorDash was confident they were not to blame for the breach, instead blaming “credential stuffing,” a tactic where attackers try using previous breach data from other sites hoping the same password was used multiple times. The company says it has no plans to implement further security measures such as two-factor authentication.

Unsecure RDP Connections are a Widespread Security Failure

Reading Time: ~3 min.

While ransomware, last year’s dominant threat, has taken a backseat to cryptomining attacks in 2018, it has by no means disappeared. Instead, ransomware has become a more targeted business model for cybercriminals, with unsecured remote desktop protocol (RDP) connections becoming the favorite port of entry for ransomware campaigns.

RDP connections first gained popularity as attack vectors back in 2016, and early success has translated into further adoption by cybercriminals. The SamSam ransomware group has made millions of dollars by exploiting the RDP attack vector, earning the group headlines when they shut down government sectors of Atlanta and Colorado, along with the medical testing giant LabCorp this year.

Think of unsecure RDP like the thermal exhaust port on the Death Star—an unfortunate security gap that can quickly lead to catastrophe if properly exploited. Organizations are inadequately setting up remote desktop solutions, leaving their environment wide open for criminals to penetrate with brute force tools. Cybercriminals can easily find and target these organizations by scanning for open RDP connections using engines like Shodan. Even lesser-skilled criminals can simply buy RDP access to already-hacked machines on the dark web.

Once a criminal has desktop access to a corporate computer or server, it’s essentially game over from a security standpoint. An attacker with access can then easily disable endpoint protection or leverage exploits to verify their malicious payloads will execute. There are a variety of payload options available to the criminal for extracting profit from the victim as well.

Common RDP-enabled threats

Ransomware is the most obvious choice, since its business model is proven and allows the perpetrator to “case the joint” by browsing all data on system or shared drives to determine how valuable it is and, by extension, how large a ransom can be requested.

Cryptominers are another, more recently emerging payload option that criminals deliver via the RDP attack vector. When criminals breach a system, they can see all hardware installed and, if substantial CPU and GPU hardware are available, they can use it to mine cryptocurrencies such as Monero. This often leads to instant profitability that doesn’t require any payment action from the victim, and can therefore go undetected indefinitely.


Solving the RDP Problem

The underlying problem that opens up RDP to exploitation is poor education. If more IT professionals were aware of this attack vector (and the severity of damage it could lead to), the proper precautions could be followed to secure the gap. Beyond the tips mentioned in my tweet above, one of the best solutions we recommend is simply restricting RDP to a whitelisted IP range.

However, the reality is that too many IT departments are leaving default ports open, maintaining lax password policies, or not training their employees on how to avoid phishing attacks that could compromise their system’s credentials. Security awareness education should be paramount as employees are often the weakest link, but can also be a powerful defense in preventing your organization from compromise.

You can learn more about the benefits of security awareness training in IT security here.

Cyber News Rundown: Big Data Mismanagement

Reading Time: ~2 min.

Massive Customer Database Left Exposed by Data Management Firm

A security researcher recently found a database containing customer information for nearly half a billion users of Veeam software on an unsecured AWS server. Most of the data was contact information spanning from 2013 to 2017 and was likely used by the Veeam marketing team’s automated customer contact functions. Fortunately, the database was taken offline within a week of the researcher contacting Veeam about the server.

Hacker Group Breaches British Airways

After last week’s reveal of the data breach affecting nearly 380,000 of the airline’s customers, it was discovered that the injection methods used were the work of known hacker group MageCart. By compromising third-party actors, the group can access hundreds of sites and begin passing any customer payment information back to their own systems. Even more troublesome, this particular attack appeared to be tailored for the British Airways systems specifically, but could very likely be readjusted for other applications.

Chinese Hackers Using Digitally Signed Drivers for Attacks

A long-active hacker group likely based in China has expanded their tactics to include a seemingly innocent network filtering driver (NDISProxy) to start their latest malware campaign. The driver itself has a signed digital certificate from a Chinese-based security software company, which was likely unaware their certificate was being misused. By injecting itself silently across the infected network, the fully functioning remote access Trojan can be used to execute malicious tasks with ease.

Scam Calls Causing Mobile Traffic Jam

The number of scam calls recorded by the call management firm First Orion rose nearly 1000% over the past year, from 3.7% of total calls last year to 29% so far in 2018. Projections for the coming year put that number at half of all mobile calls received in the U.S. Unfortunately, service providers have few options for slowing down the bombardment of phony calls facing their customers.

Latest MongoDB Attacks are Ransoming Empty Databases

While MongoDB attacks are nothing new, Mongo Lock has stepped up the game by identifying unprotected databases, exporting the data to their servers, wiping them clean, and leaving behind a ransom note instructing the victim to reach out via email rather than sending a Bitcoin payment directly to a crypto-wallet. Mongo Lock appears to operate via an automation script, though it has been known to fail, leaving the victim with both the ransom note and their original data.

Cyber News Rundown: Banking Trojans in Google Play

Reading Time: ~2 min.

Banking Trojans Still Appearing in Google Play Store

Multiple security researchers recently discovered a handful of banking trojans that have still managed to make their way into the Google Play app store, despite Google having increased its security to detect such apps. Many of the apps are disguised as astrology/horoscope software, but instead of reading the future, they steal SMS and call logs from the device, install unauthorized apps, and even seek out banking credentials based on other installed applications. Some of these apps had been installed by up to 1,000 individuals, many of whom are likely under the assumption that the app removed itself, after showing a fake error message claiming incompatibility with the device.

Obama-themed Ransomware Forges Dangerous Path

A new ransomware variant bearing the face of the former US president, Barack Obama, has been spotted in the wild performing some unusual encryption tactics. Rather than encrypting personal word documents and pictures, this variant focuses on encrypting executable files across the system, which could lead to the system crashing and other devastating results. It is still unclear if this methodology is the intent, or just an oversight by the ransomware’s authors, but this type of damage is unlikely to pay off if it renders the system nonfunctional.

Thousands of Online Stores Compromised

Due to security loopholes in eCommerce sites that use Magento as a host, nearly 8,000 sites have been confirmed to be hosting card-skimming malware, with up to 60 more being compromised every day. The breaches led to malicious scripts being added to the pages to record and upload any customer inputs in real time, rather than following a more complicated path to obtain the same data after the transaction is complete. Unfortunately, it is difficult to determine whether a site is safe without checking the entire codebase for any unauthorized entries.

Fake Tech Support Ads Now Indistinguishable from Real Counterparts

In the run-up to Google’s release of a verification program for third-party vendors to display ads, the company has been inundated with countless fake tech support advertisements that are nearly impossible to distinguish from a real vendor’s ads. The creators of these fake ads will go to almost any lengths to avoid detection, including creating entire companies to continue their illicit activities.

Unsecured Sites Leaving .git Repositories Easily Accessible

Nearly 400,000 websites have been found with exposed .git directories that could lead to major information exposure, if improperly accessed. These repositories contain everything from passwords and API keys for the site, to forgotten data stored on the sites. Fortunately for the website owners, the researcher who discovered the breach was not acting maliciously, and quickly began contacting them with information on how he found the leak and what they could do to resolve it.

EICAR – The Most Common False Positive in the World

Reading Time: ~4 min.

If you saw a file called eicar.com on your computer, you might think it was malware. But, you would be wrong. Readers, if you haven’t yet met the EICAR test file, allow me to introduce you to it. If you have used the EICAR test file, let’s get a bit cozier with it.

If you ran this file through VirusTotal, 61 out of 62 antimalware scanners currently would detect the EICAR test file as if it were malicious. That’s because the EICAR file is actually a tool that was designed to help users verify their antimalware scanner is functioning properly. The EICAR test file is a harmless piece of code that most vendors have agreed to flag as if it was malicious. Essentially, it’s a false positive—by design—for your benefit. Some scanners detect it, some do not; neither outcome indicates that any scanner is better or worse than another.

If you have heard of EICAR, you may have seen it referred to as a “test virus,” but that’s inaccurate. Think of it more like the test button on a smoke detector in your home. The test button doesn’t simulate fire or smoke; it simply lets you know that the smoke detector is functional. The test button certainly doesn’t tell you anything about the quality of the smoke detector. Similarly, the EICAR test file does not simulate malware, it just causes a scanner to demonstrate how it would handle a threat it detected (assuming the vendor has chosen to recognize the file as malicious, that is.)

Using the EICAR Test File

Now that you know more about EICAR, let’s talk about why, how, and when you might want to use it.

  1. Curiosity. The first time I used the test file, it was purely out of curiosity. What if I zipped the file up or changed its extension from .com to .xyz, and so on. Because the file itself is harmless, I could simulate any number of scenarios without risk to my computer or my data.
  2. Smoke test. The intended purpose of the test file was always to verify that your scanner was properly installed and that the scan engine was functional. Any time you install a new antimalware product, you can give it a quick test with the EICAR file to make sure it is functioning as designed (if the vendor supports the file, that is).
  3. Forensics. Malware writers often try to disable a scanner as soon as their malicious code gains a foothold on a given computer. If you periodically test your scanner and, one day, it fails to detect the test file, that could indicate an infection. Keep in mind, it could also indicate that another layer of security blocked the file before it got to your scanner. The test itself is not conclusive and should only be considered as part of a bigger picture.
  4. Behavioral information. Between 1997 and 2004, I worked at Microsoft, ensuring none of their software releases were infected. I used 11 different virus scanners on each of my test machines (don’t try this at home). The testing was not about the quality of the scanners, but rather how they’d react in different situations to help me make decisions and gain greater knowledge. For example, antivirus scanners have default configurations that I needed to test and potentially modify. Back then, not all scanners scanned all extension types by default. A directory with EICAR test files that each had different extensions would allow me to determine if my scanner’s default configuration for file types needed to be adjusted. Once I made modifications, I had to test those as well. There were a variety of tests I could run involving filenames with punctuation or foreign language characters, too. Basically, I could test virus handling without needing an actual virus.

Note: At the Virus Bulletin conference in 1999 I presented the paper, “Giving the EICAR Test File Some Teeth.” If you’re interested in the breadth of test scenarios I explored, you can read the paper on the Virus Bulletin website.

Where to Find EICAR

You’d think the easiest way to get your hands on this file would be to download it straight from www.eicar.org, except that your antimalware scanner might block the download. To get around that, you’d likely have to temporarily disable your web protection—WHICH I DO NOT RECOMMEND. Instead, I’ll show you how to create the file yourself.

Here are the step by step instructions.

  1. Open Notepad.
  2. Copy the following string and paste it into Notepad:
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
  3. Save the file and cross your fingers that your scanner doesn’t detect it on close.

Note: You could create the file in Microsoft® Word, but you’d have to save it as plain text. The test file must begin with the test string, and Word includes additional information in .doc and .docx files.

The file eicar.com will run on older operating systems, but not on a 64-bit OS. When you run it on a compatible OS, the file will display this text.

[Image: eicar1]

You can change the display message to anything you like. In the following example, I’ve replaced the word EICAR with my name.

[Image: eicar2]

However, if you change it as I did above, it will no longer be a valid test file and should not be detected by your antimalware program.
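An added example (not from the original article): a Python sketch of the two checks described above, the extension-coverage test with a directory of test files and the rule that an altered file is no longer a valid test file. The names `probe.<ext>`, `write_test_set` and `check_test_set` are made up for illustration, and the 128-byte limit and allowed trailing whitespace come from EICAR's published definition of the file rather than from this page.

```python
import tempfile
from pathlib import Path

# The 68-byte test string exactly as printed in the article.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Trailing bytes EICAR's published definition allows: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TAIL = b" \t\n\r\x1a"

def is_valid_test_file(data: bytes) -> bool:
    """Must start with the string, be <= 128 bytes, and end in whitespace only."""
    if not data.startswith(EICAR) or len(data) > 128:
        return False
    return all(b in ALLOWED_TAIL for b in data[len(EICAR):])

def write_test_set(directory, extensions, payload=EICAR):
    """Write one probe file per extension; record writes the scanner blocks."""
    results = {}
    for ext in extensions:
        path = Path(directory) / f"probe.{ext}"  # hypothetical file name
        try:
            path.write_bytes(payload)
            results[ext] = "written"
        except OSError:
            results[ext] = "blocked on write"
    return results

def check_test_set(directory, results, payload=EICAR):
    """After the scanner has had time to react, see which probes survived."""
    report = dict(results)
    for ext, state in results.items():
        if state != "written":
            continue
        path = Path(directory) / f"probe.{ext}"
        try:
            intact = path.read_bytes() == payload
        except OSError:  # deleted, quarantined, or locked by the scanner
            intact = False
        report[ext] = "NOT DETECTED" if intact else "detected"
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        state = write_test_set(tmp, ["com", "txt", "exe", "doc", "js"])
        input(f"Run an on-demand scan of {tmp}, then press Enter...")
        for ext, verdict in check_test_set(tmp, state).items():
            print(f".{ext:<4} {verdict}")
```

An extension reported as `NOT DETECTED` is one the scanner's current file-type configuration did not act on, which is the adjustment the extension test is meant to surface.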

At the 1999 Virus Bulletin conference, I asked researchers for EICAR-like test files to test script and macro detection. Although we still don’t have that, the Anti-Malware Testing Standards Organization (AMTSO) provides a set of security feature checks at www.amtso.org/security-features-check. Just be sure to remember that the security feature checks, like the EICAR test file, don’t indicate the quality of the product, but they can be used to ensure that certain features are functioning.

Questions? Comments? Let’s talk on the Webroot community forum.

Cyber News Rundown: Texas Voter Data Leaked

Reading Time: ~2 min.

Texas Voters’ Data Leaked

A security researcher just discovered a publicly-available file containing sensitive voting information for nearly 99% of all registered voters in the state of Texas. The file was compiled by a data firm that was trying to gauge political opinion for the 2016 elections, as well as more localized campaigns. With all the attention the presidential campaigns brought to election security, mistakes like this one could lead to more serious outcomes if companies who handle such information don’t take the necessary precautions.

Chinese Hotel Breach Exposes 130 Million Guests’ Data

Huazhu Hotels Group has come under fire after several of their customer databases were uploaded to GitHub by their own development team. The databases were found for sale on the Dark Web and contained over 240 million unique records, with information ranging from names and addresses to card numbers and travel itineraries, a portion of which has been verified by a local security firm. The data appears to come from nearly all the hotel group’s brands, and is not localized to a specific region or name.

Instagram Unveils Support for Third-Party 2FA

Nearly a year after Instagram announced their addition of SMS-based 2FA, the company has stated that they now allow support for third-party 2FA applications. In doing so, they give users the option to either set up an SMS verification path or receive a code through another app when attempting to log in to their account. This announcement comes just weeks after a string of high-profile accounts were hacked, leaving users with no options to regain access to the hijacked pages.

Bank of Spain Hit by DDoS Attack

Over the weekend, the Central Bank of Spain fell victim to a DDoS attack that continued through Tuesday afternoon, leaving users with spotty access to the bank’s website. Fortunately, the bank itself remained fully operational through the attack, as it is a central bank rather than a commercial one. Additionally, all communications with other central banks around Europe were unaffected, with no signs of other malicious activity.

HTTPS Now Standard on over Half of Top Sites

With the push to enforce full encryption on the internet, over half of the top million sites are now using HTTPS, with millions of domains switching over every day. This is likely due to Google’s efforts in the last couple of months to warn Chrome users who attempt to access an unsecured site, in hopes of encouraging users to take their own security more seriously.

Cyber News Rundown: Dark Tequila Malware

Reading Time: ~2 min.

Dark Tequila Targets Mexican Financial Organizations

Over the past 5 years, one malware campaign has been plaguing the financial industries of Mexico: Dark Tequila. While many researchers have been monitoring samples for most of that time, only recently has the entire campaign come into focus, with over 30,000 unique targets in 2018 alone. Using mostly spear-phishing tactics, the malware is able to spread quickly and steal a significant amount of information with relative ease. For its finale, a USB infector is copied to any removable drive, enabling it to spread across offline channels.

Babysitting App’s Database Breached

Over 93,000 users of the popular child-sitting app Sitter are being notified after the MongoDB database the app uses was compromised. Most information on the app is considered highly sensitive, including names, home addresses, and even full address book contacts for thousands of users. It remains unclear how long the database remained unprotected and Sitter is now contacting all affected users.

Ryuk Ransomware Uses Highly Targeted Attacks

The authors behind the ransomware variant Ryuk have taken significant strides towards ensuring large ransom payouts by focusing exclusively on large corporations and demanding Bitcoin ransoms that only those organizations could even fathom paying. They have already received two ransoms ranging from 15 to 35 Bitcoins, or roughly $225,000, with a daily ransom increase of half a Bitcoin for each day unpaid.

American Healthcare Organization Hit by Phishing Attack

Recently, Augusta University Health announced that, in September 2017, they experienced a data breach that could possibly affect over 400,000 patients. With the exposed data ranging from home addresses to Social Security numbers and other forms of ID, this breach could easily set up future phishing attacks on individuals. Officials are still working to determine how such a breach could have occurred (and remained undetected for nearly 10 months). Because of a lack of encryption, the breach was far more damaging than it otherwise would have been.

Cardio-Imaging Devices Vulnerable to Exploits

Several versions of Philips’ cardiovascular imaging devices have been found to contain multiple vulnerabilities that would easily allow an attacker to perform unauthorized code execution and cause the devices to malfunction. Fortunately, these devices are not remotely accessible, and the company has already begun putting new safeguards in place with their next major patch.

Cyber News Rundown: Instagram Hack Baffles Users

Reading Time: ~2 min.

Instagram Hack Baffles Users

Hundreds of Instagram users have found themselves locked out of their accounts over the past week, with all methods of retrieving them having been removed as well. The episode began with many users noticing their accounts had been logged out and contact information changed, including email addresses with a .ru domain. Even though some users have been able to follow Instagram’s prescribed process to regain control of their accounts, many others hit roadblocks, frustration, and days of failed attempts.

Adobe Suite Receives Multiple Patches

Following Patch Tuesday, Adobe users found themselves on the receiving end of 11 total patches for Flash Player, Acrobat, and several other key programs. Most of the patches were related to remote code execution caused by improperly escalated access privileges. The company said it remains confident none of the flaws addressed were exploited before they were patched.

Millions Vanish in Indian Bank Hack

One of India’s largest banks announced that its systems had been hacked this week, with at least $14 million remaining unaccounted for. The largest chunk of funds was stolen in a cyberattack on the bank’s ATM servers that allowed hackers to simultaneously withdraw funds from ATMs in 28 different countries before transferring another couple of million dollars to a company based in Hong Kong. While officials are working closely with law enforcement to determine the attackers’ identities, it is very unlikely that the investigation will turn up anything of worth, judging by investigations of similar hacks in the past.

Finnish DDoS Attack Shuts Down Government Sites

On Sunday, a handful of Finnish government sites became unavailable after a DDoS attack prevented users from logging into Suomi.fi, which handles identity verification for ministry-related sites. While some ministry sites don’t require the Suomi site for verification, this attack has prompted an increase in security measures used for sites that provide critical functions. Fortunately, the attack subsided after several hours and all affected sites were returned to normal by Sunday evening.

Fortnite Cheats Lead to Nothing but Infections

With Fortnite more popular than ever amongst the younger generation, a new wave of malicious “cheats” has been making its way around the internet, enticing young gamers with the hope of gaining an advantage. Many of the available cheat tools offer free in-game currency, movement improvements, and even third-party downloaders for the game itself, all of which result in a malicious payload being installed on the computer while the user remains oblivious.
