Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Cyber News Rundown: Edition 10/21/2016

DDoS Attack on Dyn Crippled the Internet

A portion of the internet went down after suffering a crippling blow from a series of global attacks on a cloud-based Internet Performance Management (IPM) company called Dyn. Major websites including Twitter, Reddit, Spotify and even game servers for Battlefield 1 have been affected.

Malware Using Trump’s Name to Entice Users

With the election swiftly approaching, have you started to see an influx in Donald Trump-themed articles and email spam lately? Beware! Malware authors are in full swing creating threats aimed solely to infect users. They are counting on the polarized emotions to leave users disarmed. Take caution this election season and stay safe online.

School District Has Data Breach via Third-Party Vendor

The value of data remains higher than ever, and compulsory schools are finding out the hard way. Recently, a third-party data management vendor used by Katy ISD in Katy, TX, was exposed. The vendor in question, SunGard K-12, considers the incident low risk. Fortunately for the students and their families, the data breach was quickly noticed.

Axis Bank Discovers Unknown Login on Internal Servers

In yet another announcement of a bank becoming a victim of cybercrime, Axis Bank in India has made an official claim to the Royal Bank of India that its servers were compromised. Since the discovery, Axis has launched a full investigation, which has reported no unauthorized monetary transfers or signs of customer data loss.

Android Malware Still Affecting Non-Updated Users

In the past few weeks, the Android Trojan known as Ghost Push has continued to spread across older versions of the Android OS. By rooting itself to a device, the trojan is exceedingly difficult to remove, as even a factory reset will prove unhelpful. By displaying a steady stream of ads, the creators are able to profit from the clicks generated. There is a solution–upgrading your device to either Android 6.0 or 7.0 will stop the malware from propagating, as it is unable to root either of these operating systems.

CryPy Ransomware Using Python-Based Encryption

Ransomware authors have taken to new methods of targeting users and improving their profit odds. A new variant called CryPy ransomware—written using Python—is being used to retrieve multiple RSA key tokens and encrypt a variety of files while allowing some “free” unlocks to the user. I wouldn’t say this is particularly useful, but being able to unlock specific files gives the victim a feeling of hope to recover the remaining files and may increase the chances of the ransom being paid.

Threat Recap: Week of October 10th

French TV Network Brought Down By Hacker Group

Earlier this year, it was reported that TV5Monde fell victim to a cyberattack that nearly caused the demise of the network. Rather than gain access to retrieve sensitive information, the attack was aimed at simply destroying any and all network systems. While the reasoning behind the attack is still unknown, it has allowed TV5 to greatly improve its employee security measures and methods for operating safely.

Card Breach at Vera Bradley Retail Stores

Recently, Vera Bradley issued a statement regarding a card-processing breach that occurred over the past several months. The company has since resolved the breach but is still urging customers to monitor their credit card accounts for any fraudulent charges. Currently, only three stores located around Detroit seem to have been affected.

Amazon Pushes out Password Resets for Millions

In the past week, Amazon has started forcing password resets to customers that may have reused their credentials on possibly compromised sites. Along with changing passwords, users are also encouraged to enable two-step authentication to further protect their accounts. While the data leaks aren’t directly related to Amazon’s customers, researchers from Amazon have determined that credentials may have been used for multiple sites.

Ransomware Now Displaying Legal Notice for Victims

In the last month, the new ransomware variant DXXD has been hitting a large number of users. DXXD has made a change in that it displays the ransom note and a legal notification prior to users logging into their Windows machine. The legal note explains that the user’s information has been compromised and gives multiple ways to contact the attackers to resolve the encryption.

UK Police Websites Susceptible to Attacks

Nearly 25% of UK police-related sites have no form of secure connection, according to a recent study. Even more troublesome, the majority of these sites ask for user information to identify case information without ensuring a properly secured network connection or encryption when transferring sensitive data. While many municipalities have improved their online security measures, it’s surprising to see so many still lacking, with new data breaches occurring almost weekly.

Source Code for Mirai IoT Malware Released

Recently, source code for the Internet of Things (IoT) botnet malware, Mirai, was released on hack forums. This type of malware was used last month in an historic distributed-denial-of-service (DDoS) attack against KrebsOnSecurity, which was estimated to have sent 650 gigabits per second of traffic from unsecured routers, IP cameras, DVRs and more to shut down the domain. Thanks to DDoS prevention measures by engineers at Akamai, the company protecting Krebs, the attack was unsuccessful; however, they report that this attack was nearly double the size of the largest one they’d previously seen.

Now that this malware has been released publicly, we can expect to see more DDoS attacks coming from botnets of unsecured routers and other IoT devices. For those wondering who would leave the default firmware username and password on their devices, the answer is “millions of people.” In fact, using Telnet alone (a TCP/IP protocol for remote access), Mirai’s author, Anna-senpai, reported “I usually pull max 380k bots.” It’s worth noting that many are saying Mirai wasn’t the only malware variant involved in the attack. Level 3 Communications reported that the Bashlight botnet may have played a part, as well.

How the Mirai attack worked

Mirai continuously scans the internet for IoT devices and logs into them using the factory default or hard-coded usernames and passwords.

Once infected, the devices connect to command and control servers to gather details of the attack and target. They then produce large amounts of network traffic—spoofed to look legitimate—at the target servers. With hundreds of thousands of these running in tandem, it’s not hard to shut down most sites. These devices-turned-botnet will still function correctly for the unsuspecting owner, apart from the occasional sluggish bandwidth, and their botnet behavior may go unnoticed indefinitely.


Infected systems can be cleaned by rebooting them, but since scanning for these devices happens at a constant rate, it’s possible for them to be reinfected within minutes of a reboot. This means users have to change the default password immediately after rebooting, or prevent the device from accessing the internet until they can reset the firmware and change the password locally. If you’re taking these steps, make sure to no longer use Telnet, FTP, or HTTP, and instead use their encrypted counterparts SSH, SFTP, and HTTPS.

The underlying problem is that IoT manufacturers are only designing the devices for functionality and aren’t investing in proper security testing. Right now, it’s up to the consumer to scrutinize the security on any devices they use. In the future, some kind of vendor regulation may be necessary.

Hack forums have removed the published code, but it’s still available here.

Threat Recap: Week of October 3rd

Alright, everyone, this week has been a whopper. I didn’t foresee Facebook Messenger adopting full user encryption, but it’s definitely time. And Apple’s move to auto-updating macOS? We can only wait and see how users react. Catch up on those stories and more in this week’s edition of the Threat Recap. Here are five of the major security stories happening this week.

Facebook Messenger Adopts Full User Encryption

Facebook has been rolling out end-to-end encryption for all of its nearly 1 billion Messenger users. This type of encryption allows users to maintain completely private conversations and even enables users to have messages “expire” after a predetermined amount of time. While encryption is still an opt-in feature, it is definitely a step in the right direction for keeping users’ sensitive information private.

Apple Moving Towards Updating macOS Automatically

Following the path of Microsoft, Apple has announced that they will begin pre-downloading new macOS updates automatically, without any indication to users. While Microsoft’s attempts to auto-upgrade users to Windows 10 weren’t as successful as anticipated, Apple hopes that users will be more inclined to follow through with the upgrade since it’s already been silently installed.

Hutton Hotel Warns Customers of Payment Breach

In a year filled with payment processing breaches, yet another hotel has been forced to announce that their systems had been compromised. The Hutton Hotel in Nashville has warned customers from the past year to be vigilant of any fraudulent charges made using their credit cards and has offered free credit monitoring to all patrons who made purchases on-site in the last several years. While the investigation is underway, officials are still unclear as to how the breach occurred or how long ago it may have taken place.

New Iteration of WildFire Ransomware, Dubbed Hades Locker

When WildFire Locker’s servers were taken offline in August, many hoped it would lead to a decline in user ransoms. Unfortunately, the developers were not apprehended and have released Hades Locker, a new ransomware variant that is largely based around WildFire. Once executed, Hades Locker will begin encrypting all files on any mapped drives and appending file extensions to include “.~HL”, while also removing any shadow volume copies to prevent local file recovery.

DressCode Android Malware Found on Google Play Store

Recently, researchers have discovered dozens of popular apps currently on the Google Play store that are infected with DressCode malware. Once the app is installed, DressCode is able to connect the device to a botnet that is being used to drive click fraud. Additionally, DressCode can be harmful if connected to home and work networks, as it has the capability to download sensitive information it finds, along with accessing other devices that are on the network.

Threat Recap: Week of September 26th

Another week, another threat recap. And this week wasn’t without its fair share of cyber incidents. Voter registration misstep? Check. New ransomware? Check. KrebsOnSecurity attack? Check! Here are five of the major security stories happening this week.


Company Security Falls to Outdated Network Devices

With the steady rise in security breaches, one of the biggest contributors is the one companies most often overlook: actual networking hardware. According to a recent study by Cisco, nearly 75% of companies are using outdated, and often completely end-of-life, products for their networking needs. Even though many of the companies are aware of the vulnerabilities that come with using older hardware, it simply isn’t a concern unless something is actively wrong.

Louisiana Voter Database Made Public

Recently, researchers discovered a database hosted on the darknet that contains the voter registration information for nearly all residents of Louisiana. The database has since been secured by the researcher but, according to Louisiana law, voter information is made widely available to anyone interested in purchasing it for pennies on the dollar. Alongside the voter information, the researcher also discovered an additional database containing the personal records for nearly 7 million individuals from Louisiana.

New Ransomware Claiming Royal Ransom

In the past week, researchers have discovered a new ransomware variant operating under the name, Princess Locker. While it’s not a huge leap in innovation, Princess Locker offers a language selection screen followed by a page listing detailed payment options and a free single file decryption. Unfortunately for victims of this variant, payment starts at 3 bitcoins or roughly $1,800 USD and doubles after three days.

KrebsOnSecurity Taken Offline by Largest DDoS Attack To Date

In what is being quantified as the largest DDoS attack in history, service provider Akamai was forced to take KrebsOnSecurity offline, as the direct traffic to the site hit nearly 600 Gbps and lasted for three days. A possible sign of things to come, the attack seems to have been distributed by a botnet based around compromised IoT devices, which led to the sheer volume of traffic that was seen.

Biometrics Moving Forward As Use Increases

Following a national consumer survey, as many as 20% of British smartphone users have adopted fingerprint authentication for their devices. With new security breaches occurring at such a rapid rate, biometrics have seen a rise in use as consumers worry over the security of their saved passwords for any number of online services. Many of these users only use the authentication for unlocking their devices, but the capability is there for making online purchases and accessing sites with sensitive information.

Threat Recap: Week of September 19th

It’s that time of week again. Our Threat Recap is bringing you the top news in cybersecurity from new OS releases to remote access of popular cars. Here are five of the major security stories happening this week.


New Ransomware Targets Disk Drives

With the current state of ransomware threatening computer systems around the world, the jump from encrypting specific file types to encrypting the entire hard drive was inevitable. In the case of Mamba, the latest variant, it begins with replacing the Master Boot Record (MBR) and moves on to encrypting the hard drive itself. Once encryption is complete, the computer will then require a password to unlock, which just so happens to be the decryption key sitting behind the ransom’s paywall.

Remote Access: A Very Real Danger for Tesla

In a recent test, Chinese researchers were able to access several critical and non-critical components of a Tesla Model S. While it may seem benign to have your seat position changed or sunroof opened remotely, these tests have also proven the capability to control brake functionality. They’ve also shown that doors and trunks can be controlled from up to 12 miles away. Tesla has responded with updates to resolve this access, which only seems to occur when the in-dash web browser is in use.

Apple Releases New Mac OS Sierra

Apple announced the release of its latest iteration of the Mac OS, Sierra 10.12. With this update, Apple has been able to remove nearly 70 different security vulnerabilities that had been prevalent in its previous two operating systems. In addition to the OS release, Apple also pushed out Safari 10, the latest update for their web browser, which should also resolve over 20 security issues from previous versions.

Facebook Zero-Day Gives Full Access to Pages

With the continuing rise of businesses using social media to advertise their products and communicate with their customers, exploits are always being researched. Recently, a researcher was able to gain access to any Facebook page by using a bug in the way Facebook deals with its business accounts. By spoofing the Business Manager functionality, the researcher was able to view and edit all associated pages with a given business, without requiring login credentials.

MoDaCo Breach Leaks Data on 880,000 Users

In the past week, MoDaCo, a UK-based smartphone forum, announced they had fallen victim to a security breach. Users of the service have been receiving notifications to change their passwords, although officials are stating that user credentials were all hashed. Researchers have been able to identify that around 70 percent of the leaked credentials were already released in previous data breaches, courtesy of Have I Been Pwned?, a web service that will notify users if their email address has been identified in a data breach.

Protecting Against Emerging Ransomware

While ransomware has become a buzzword for some, cyber criminals have made it a lucrative business and one which they are constantly evolving. Each day, the Webroot BrightCloud® Threat Intelligence Platform monitors, classifies and scores 95% of the internet to discover 6,000 phishing sites and 80,000 variants of malware and PUAs.

According to Webroot’s latest research, more than 97% of threats are unique to a single endpoint, making traditional signature-based antivirus underprepared and ineffective in protecting businesses against today’s threat landscape. In this podcast, Tyler Moffitt, Senior Threat Research Analyst for Webroot, joins Ryan Morris, contributing editor for Penton Technology, to explain the newest and most challenging forms of ransomware, such as malvertising. In addition, they dive into the latest threat trends and arm MSPs with tested and actionable suggestions to help protect themselves and their customers from becoming another statistic.

Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 1

Penton Technology Podcast with Tyler Moffitt – Ransomware – Part 2

Threat Recap: Week of September 12th

There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.

Patch Tuesday Changing Update Format

In one of the largest changes that Microsoft has implemented, Patch Tuesday is being replaced with monthly batch updates. With the new method of releasing updates, Microsoft is removing the capability of users to choose which updates they install by just forcing the entire update, along with any updates from the previous month that may have been missed. Windows 10 users will begin seeing this new update method first, with other OS support likely to follow.

Phishing Attack Strikes Augusta University

Early this week, employees and students of Augusta University were recommended to change their login credentials, as several of the faculty members fell victim to an email phishing scam. While state authorities are investigating the breach, the University is working to protect the staff members whose information was accessed through the payroll system.

ClixSense Breach Leaves Millions of Users Vulnerable

Recently, ClixSense (the popular paid-to-click site) was compromised along with a page redirecting anyone attempting to access the site to a gay porn site. The company has since forced a password reset for all of its registered users, which number nearly 7 million. After further review, it appears the attackers were able to use an older, unused server to access the main database which held users’ passwords in plaintext, rather than being properly encrypted.

DualToy USB Trojan Enhanced to Target iOS Users

When DualToy was first discovered in the early months of 2015, it was largely focused on Android devices located in China. DualToy is used to load malicious apps when an unsuspecting device is connected to an infected computer via USB. While users across the US and Europe are now seeing a wider spread of infected devices, even iOS users are affected as iTunes is being used to allow the trojan to steal user information.

Apple Switches to HTTPS for iOS Security Updates

In a big move by Apple, the company has finally made all iOS updates available over HTTPS, to ensure users are securely receiving them. This update comes along with the release of iOS 10, in addition to six other vulnerabilities that were patched. While some users experienced issues with the iOS 10 update putting their devices into a recovery mode, Apple was quick to resolve the issue and apologized for any inconveniences.

A Conversation with Hal Lonas about Threat Intelligence and Machine Learning

After sitting down with Hal Lonas to get a deeper look at the inner workings of Webroot, there was no questioning why he’s uniquely qualified to serve as the company’s CTO. And with machine learning getting thrown around as the hot new buzzword, it was refreshing to hear Hal’s down-to-earth perspective on motivations, ideas, solutions and what drives Webroot to continue innovating in the world of threat intelligence.



Tell me about your background. What led you to create BrightCloud?

I have been developing software products for years and got into the security software space as Director of Development with Websense in 2000. At the time, websites were being classified manually, even though the number of sites and security breaches were already increasing exponentially. It just seemed like the wrong way to solve the problem.

A few of us saw the trends of cloud computing, machine learning advances, and threat escalation as an opportunity to do things differently. So we dropped out of Websense and started BrightCloud, which was founded and architected on the belief that automated classification using machine learning and the scalability of the cloud was the only way to go.


BrightCloud technology does a great job in combatting today’s threats; dynamic ones that appear, damage, and disappear. Was it built with polymorphism in mind?

We actually didn’t build BrightCloud tech with polymorphic or transitory malware in mind. We built it to bring incredible speed, scale, and flexibility to finding threats. So when polymorphism came to the forefront several years ago and started overwhelming traditional signature-based solutions, we were at the right place at the right time. There are many other security problems that BrightCloud technology solves based on the architecture and platform we’ve built, for example finding phishing and fraudulent sites in real time.

You also have to credit Webroot’s vision in combining cloud-based endpoint security with Webroot threat intelligence. Webroot endpoint technology was designed from the ground up to be cloud-based and globally scalable, to minimize the time from threat detection to global protection. Additionally, Webroot had the guts to transform the product and the company from a traditional antivirus offering to a platform-based service approach. That’s a key aspect to the entire ecosystem we protect.


How is your approach to threat intelligence different from most?

Well for one thing, we don’t generate white lists, black lists, or static feeds of data. You could use our data in that way, but the threat landscape is way too big and dynamic for that, and we offer so much more. As soon as you publish a list, it’s out of date. Security professionals need a service where they can ask questions and get security advice at the moment of truth, which is just before you click on a website, before your firewall accepts a connection from an unknown IP, or before you run that downloaded file or mobile app. That’s what we do with the BrightCloud system at Webroot. And that’s what gives our products and partners protection no one else can provide.

The way our technology works, everything on the internet has a reputation score somewhere between totally trustworthy—so a score of 100—down to clear and present danger scores of single digits. That allows our customers to set a risk threshold for activity they want to allow or block, and decide when to warn users. That’s a very different approach than others in the field are taking. When we say ‘actionable threat intelligence’, that’s what we mean; we inform critical decisions at the moment of truth billions of times every day.


What approaches do you think cybercriminals will be using in the future?

Ransomware has been very successful, so I think we’re going to see more of that. The bad guys are going to find areas where we are lazy in protecting ourselves and they’re going to exploit those weaknesses. We might find things like demands of payments simply not to attack us, almost like extortion for so-called protection.

Besides security, we might also find other business areas where we’ll be forced to improve, like getting rid of passwords for authentication, and making data backups easier and testing them to see if they work.

Also, as legacy operating systems from Microsoft, Apple, and Google get more secure, attacking them will become less easy and profitable. That means the bad guys are going to look at other areas to attack, like newer home and business devices connected to the internet. We describe this as the new and expanding attack surface area.

As more new products and devices get added to networks, it seems as if those products are being rushed to market and that security is an afterthought. In a lot of cases, many times not in the product at all when it’s released.


We observed in our quarterly threat brief that malware attacks have actually gone down in the past few months. Does that mean that the overall threat level is decreasing?

There may be a number of contributing factors here. Based on what we’ve observed, our impression is that even if there are fewer attacks, they’re more impactful. For example, a single organization hit by ransomware may struggle for days or weeks trying to recover or decide whether they should pay. Additionally, cybercriminals are taking time to regroup as security solutions get smarter and as more threats are stopped earlier by machine learning and automation. As the bad guys figure out their next move, we’ll see threats take off again, most likely in new areas.


Can machine learning help combat the threats that are keeping you up at night?

Absolutely. Not only can it help, but we believe it’s the only way to solve the growing threat problem, which is why our next quarterly threat brief will focus specifically on machine learning. Of course you have to be smart about it, and threat researchers and analysts are still key parts of the puzzle, but we’ve figured out how to leverage and amplify their knowledge and productivity a thousand-fold. As threats become more transitory and harder to find, humans are going to be even more overwhelmed and won’t be able to keep up without automation.

Threat Recap: Week of September 5th

There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.


No Site is Immune to User Information Exposure

In yet another example of poor cybersecurity, Brazzers has issued a statement regarding the unauthorized access to nearly 800,000 sets of usernames, passwords, and email addresses. The data itself lacked any encryption and was viewable in plaintext. Users of the Brazzers forums are being advised to change their passwords for the site, as well as for any sites on which they may have reused the password.

Dridex Adds Crypto-Currency Wallets to Attack Vector List

While Dridex, a prolific banking trojan, has been laying low for the past several months, its authors have made significant changes. The first noticeable change is the addition of several crypto-currency wallet managers to its list of keyword searches done when infecting a new computer. By capturing and analyzing data from the infected computer, the command-and-control servers are able to make decisions on how to proceed based on the criteria that are met.

Russian Instant Messaging Service Breached

It was recently announced that over 33 million user accounts from QIP.ru, a Russian instant messaging service, had been illegally accessed and posted publicly. Unfortunately for users of the service, all of their information was unencrypted, leaving it accessible to anyone. After further analysis of the stolen data, it has again been proven that users pick amazingly simple passwords that are also used by thousands of other individuals.

Google to Begin Marking HTTP Sites As Unsafe

In a push to get all website owners to use HTTPS, Google has announced that starting in January of 2017, Google Chrome will begin flagging sites that transmit passwords or credit card information over HTTP. With this effort, Google hopes to make Internet transactions safer. Already they have had a significantly positive response with many of their top 100 sites switching to HTTPS as default.

Cybersecurity Lacking for High-Demand Devices

As we expand further into internet-connected, wearable devices, one commonality has become glaringly obvious–cybersecurity has been a low priority for many companies. As they rush to push these devices to market, there is a lack of significant testing done to ensure customers’ private information is safe. Even more worrying is this security void when it comes to connected systems in homes, as physical security for clients can be breached wirelessly if the connected system is simply shut off.

Threat Recap: Week of August 29th

There’s a lot that happens in the cybersecurity world, with many stories getting lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot Threat Recap, highlighting 5 major security news stories of the week.


European Company Loses Millions in Targeted Phishing Scam

In the last couple of weeks, Leoni AG, one of the largest electrical wiring companies in Europe, fell victim to a Business Email Compromise (BEC) scam in which the CFO transferred a significant sum of money to a non-verified bank account. The targeted location was likely chosen because it is the only one of four factories that has the authorization to transfer money. The attackers spoofed an email to the company’s CFO that contained very specific details about the internal transfer protocol and was “sent” from one of the company’s higher-ranking executives.

Hotel & Restaurant Chain Warns of Jeopardized Payment Terminals

Kimpton Hotels recently issued a statement that verifies the presence of malware on payment processing devices in over 60 of their locations across the country. It is believed that credit cards used at these locations in the first half of 2016 may be compromised and should be monitored for illicit transactions. The incident, which makes Kimpton yet another victim in a long line of high-profile targets, is still under investigation, and Kimpton officials are still unclear on the source of the breach.

Blizzard and EA Face DDoS Attacks during Releases

With the launch of the latest World of Warcraft expansion, Legion, occurring in the same week as the online-beta release of Battlefield 1, it comes as no surprise that both companies were in a prime position for a cyberattack. Unfortunately, that’s just what happened, as both companies were hit with DDoS attacks that brought several servers down for a period, and affected latency for many gamers trying to access the games upon availability.

NHS Hospitals Hit with Ransomware, Not Paying Up

In a recent study of nearly 60 NHS institutions in the UK, over half had been the victims of at least one ransomware attack in the last year, though none had resulted in the ransom being paid. Of the hospitals that were affected, the vast majority were able to recover their encrypted data by restoring from backups that are created and stored internally. While ransomware is continuing its spread across the globe in search of easy targets, the best defense is still to have full backups of sensitive information and be prepared for what has become an inevitability for many organizations.

Hacker Exposes Poor IT Security of Kuwait Auto Import Company

While many hackers are on the lookout for a quick payday, or simply want to prove they have the capabilities, one hacker has made it his mission to teach poor IT admins a lesson. By breaching the Kuwait Automotive Import Company’s main site and obtaining sensitive details on over 10,000 customers, the hacker has definitely sent a message on the importance of strong cybersecurity. After the breach took place, the entire data dump was posted to pastebin, where it remains readily available to the general public.

Fantom ransomware impersonates Windows update

Windows 10 has been notorious for automatically installing updates on users’ machines, and now there is a ransomware that aims to capitalize on it. The new ransomware, Fantom, is based on the EDA2 open-source ransomware project on GitHub called hidden tear that’s recently been abandoned.

Fantom behind the scenes

In an attempt to conceal malicious intention, the authors of this ransomware modified the file properties to show copyright and legal trademarks mimicking a Windows update.

Once this dropper is executed, the payload “WindowsUpdate.exe” is dropped in AppData\Local\Temp and displays the fake Windows Update screen as shown below. This screen locks you out of doing anything else on your computer, in keeping with the pretense that Windows 10 is doing its normal interrupt for updates.

The percentage counter does work and will go up at about a percent per minute. However, it’s fake and serves only to tell you that this “Windows update” will take a while and that you shouldn’t be alarmed by CPU usage and hard drive activity. You can close this fake update overlay by ending the process “WindowsUpdate.exe” using Task Manager, but the encryption of your files is unaffected.

DECRYPT_YOUR_FILES.HTML ransom note

Files are encrypted using AES-128, and when a file is encrypted, “.fantom” is appended to its extension. Also, in every directory where a file is encrypted, a standard ransom note “DECRYPT_YOUR_FILES.HTML” is created.
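The indicators described above (the “WindowsUpdate.exe” payload in AppData\Local\Temp, the “.fantom” suffix and the DECRYPT_YOUR_FILES.HTML note) can be checked against a file listing during triage. The following Python is an added example, not Webroot's code: the function names and the sample listing are constructed, and it assumes the suffix is appended to the full original file name.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the article text.
ENC_SUFFIX = ".fantom"
NOTE_NAME = "decrypt_your_files.html"
PAYLOAD_NAME = "windowsupdate.exe"
TEMP_TAIL = ("appdata", "local", "temp")


def triage(listing):
    """Group Fantom indicators found in an iterable of Windows file paths."""
    dirs = defaultdict(lambda: {"encrypted": [], "note": False})
    payloads = []
    for raw in listing:
        path = PureWindowsPath(raw.strip())
        name = path.name.lower()
        folder = str(path.parent)
        if name.endswith(ENC_SUFFIX):
            # Assumption: the suffix is appended to the full name, so removing
            # it gives the name to look for in a backup.
            dirs[folder]["encrypted"].append(path.name[: -len(ENC_SUFFIX)])
        elif name == NOTE_NAME:
            dirs[folder]["note"] = True
        elif name == PAYLOAD_NAME:
            # Only flag the payload name when it sits directly in ...\AppData\Local\Temp.
            tail = tuple(p.lower() for p in path.parent.parts[-3:])
            if tail == TEMP_TAIL:
                payloads.append(str(path))
    return {"payloads": payloads, "dirs": dict(dirs)}


def restore_list(report):
    """Original file names per directory, for directories that also hold a note."""
    return {d: sorted(info["encrypted"]) for d, info in report["dirs"].items()
            if info["note"] and info["encrypted"]}


# Constructed sample listing (e.g. saved from `dir /s /b`), not real victim data.
SAMPLE = [
    r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe",
    r"C:\Users\alice\Documents\budget.xlsx.fantom",
    r"C:\Users\alice\Documents\notes.txt.fantom",
    r"C:\Users\alice\Documents\DECRYPT_YOUR_FILES.HTML",
    r"C:\Users\alice\Pictures\cat.jpg",
    r"C:\Tools\WindowsUpdate.exe",
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("payload:", report["payloads"])
    for folder, names in restore_list(report).items():
        print(folder, "->", names)
```

The per-directory output of `restore_list` is the set of file names to pull from backup; paths are parsed with `PureWindowsPath`, so a listing exported from an affected machine can be analyzed on any operating system.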

The ransom note doesn’t have an onion link as the payment portal for your files, which is standard for most encrypting ransomware. Instead, you’re asked to email the cyber criminals and await a response. This tactic is meant to target less savvy computer users who would be intimidated by creating a bitcoin wallet address and using a Tor browser to connect to the darknet for ransom payment. To increase the odds of gaining trust, two “freebie” files for decryption are allowed.

However, it’s clear that these cyber criminals have a very loose grip on the English language, so we don’t anticipate much traction with their scams through email. We also reached out as a test and have yet to hear back in over 24 hours.

Employ a backup solution

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 Analyzed: 7D80230DF68CCBA871815D68F016C282

Additional MD5 seen: 4AC83757EBF7ACD787F732AA398E6D53
65E9E1566DEC1586358BEC5DE9905065
60DBBC069931FB82C7F8818E08C85164
86313D2C01DC48D617D52BC2C388957F