When WannaCry ransomware spread throughout the world last year by exploiting vulnerabilities for which there were patches, we security “pundits” stepped up the call to patch, as we always do. In a post on LinkedIn Greg Thompson, Vice President of Global Operational Risk & Governance at Scotiabank expressed his frustration with the status quo.
Greg isn’t wrong. Deploying patches in an enterprise department requires extensive testing prior to roll out. However, most of us can patch pretty quickly after an announced patch is made available. And we should do it!
There is a much larger issue here, though. A vulnerability can be known to attackers but not to the general public. Managing and controlling vulnerabilities means that we need to prevent the successful exploitation of a vulnerability from doing serious harm. We also need to prevent exploits from arriving at a victim’s machine as a layer of defense. We need a layered approach that does not include a single point of failure–patching.
A Layered Approach
First off, implementing a security awareness training program can help prevent successful phishing attacks from occurring in the first place. The 2017 Verizon Data Breach Investigations Report indicated that 66% of data breaches started with a malicious attachment in an email—i.e. phishing. Properly trained employees are far less likely to open attachments or click on links from phishing email. I like to say that the most effective antimalware product is the one used by the best educated employees.
In order to help prevent malware from getting to the users to begin with, we use reputation systems. If almost everything coming from http://www.yyy.zzz is malicious, we can block the entire domain. If much of everything coming from an IP address in a legitimate domain is bad, then we can block the IP address. URLs can be blocked based upon a number of attributes, including the actual structure of the URL. Some malware will make it past any reputation system, and past users. This is where controlling and managing vulnerabilities comes into play.
The vulnerability itself does no damage. The exploit does no damage. It is the payload that causes all of the harm. If we can contain the effects of the payload then we are rethinking how we control and manage vulnerabilities. We no longer have to allow patches (still essential) to be a single point of failure.
Outside of offering detection and blocking of malicious files, it is important to stop execution of malware at runtime by monitoring what it’s trying to do. We also log each action the malware performs. When a piece of malware does get past runtime blocking, we can roll back all of the systems changes. This is important. Simply removing malware can result in system instability. Precision rollback can be the difference between business continuity and costly downtime.
Some malware will nevertheless make it onto a system and successfully execute. It’s at this point we observe what the payload is about to do. For example, malware that tries to steal usernames and passwords is identified by the Webroot ID shield. There are behaviors that virtually all keyloggers use, and Webroot ID Shield is able to intercept the request for credentials and returns no data at all. Webroot needn’t have seen the file previously to be able to protect against it. Even when the user is tricked into entering their credentials, the trojan will not receive them.
There is one essential final step. You need to have offline data backups. The damage ransomware does is no different than the damage done by a hard drive crash. Typically, cloud storage is the easiest way to automate and maintain secure backups of your data.
Greg is right. We can no longer allow patches to be a single point of failure. But patching is still a critical part of your defensive strategy. New technology augments patching, it does not replace it and will not for the foreseeable future.
What do you think about patch and pray? Join our discussion in the Webroot Community or in the comments below!
The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.
City of Atlanta Faces Ransomware Roadblock
In the past week, the city of Atlanta has been dealing with the aftermath of a ransomware attack that effectively halted the police department’s Special Operations Section, which monitors non-emergency city functions. In a surprising twist, however, the ransomware author’s contact portal was leaked through several media outlets, prompting the author to remove the portal entirely and leaving the city with no means of paying the ransom. While the city was able to quickly return to normal operations for most employees, the recovery process will likely be ongoing for some time.
Facebook’s Data Collection Larger Than First Thought
Over the past week or so, researchers have been taking a deeper look into the data being collected by Facebook, with or without users’ permission. It was revealed that, due to lax API permissions for the Facebook installation on older versions of Android, Facebook was allowed to gather both call and SMS logs without user opt-ins. For some, extensive details of calls made by users were meticulously stored for up to several years. Details included call duration, recipient, and the date and time of the call. While Facebook claims any stored data is deleted if the user chooses to revoke permissions, users have been able to download their own data after removing the app, as the opt-in feature is the default setting when installing Facebook for the first time.
UK Anti-Doping Agency Hit By Cyber Attack
Recently, the UK’s anti-doping agency was targeted by an attack attempting to access drug testing and medical records for athletes. A Russian hacking group is believed to be responsible, as the attack comes not long after a doping scandal that affected several Russian athletes. Fortunately, the anti-doping agency has confirmed that no data was compromised in the attack and a simple reboot of their servers was all the remediation necessary.
Facebook Boosting Bounty Hunter Program After Data Handling Debacle
Following the latest scandal regarding the misuse of user data by third-party apps, Facebook has begun a complete overhaul of their bug bounty hunter program. In addition, they are reworking the company’s app review system to better determine permissions needed by apps that request access to a user’s friends list. Finally, any apps running on the Facebook platform that have been found to misuse customer data will be permanently blocked from accessing the development platform.
Sanny Malware Receives Multi-Step Delivery System
While Sanny has been well known and documented for several years, a new update has completely changed the delivery method of the malware. By portioning out the steps in the attack, rather than deploying everything in one drop, Sanny is capable of bypassing any UAC prompts and making multiple checks for the operating system version. Once the malicious macro is launched from within the email attachment, it checks for the specific OS and begins downloading additional files to bypass any OS security checks and executes its final payload.
The brazen theft of cryptocurrency has been an ongoing issue for years now, mostly affecting exchanges and users who fail to store their private keys securely. But what about scams purporting to be giving free cryptocurrency away? It seems a little ridiculous, but there is a serious problem with this new incarnation of the classic “Nigerian letter” scam.
How crypto scams work
The scam is very simple. It asks victims to send fairly small amounts of cryptocurrency in return for a larger amount to be sent back later. The scammers often target influential Twitter accounts that likely have followers interested in cryptocurrency. After a popular account tweets—Elon Musk, for example—the scammer immediately replies to that tweet from an account imitating the influencer. So, @eloonmusk is impersonating @elonmusk, and @officialmacafee is impersonating @officialmcafee.
The biggest red flag here is that tweets pretending to be giving away crypto are not from verified accounts. They don’t have the blue checkmark badge next to their account name, which means they are NOT who they say they are. Usually, these imposter tweets will be supported by an entire botnet of fake accounts working in cahoots to increase the perceived legitimacy of the scam tweets. The tactics these bots use include liking and following each other’s posts and making fraudulent replies to these posts saying they received their Ethereum or Bitcoin successfully. They will even host scam websites that show “proof” this scheme is legitimate.
In an attempt to thwart such scammers, leaders in the crypto community have gone as far as to change their Twitter account names to include explicit warnings that they are not giving away cryptocurrency. Ethereum founder Vitalik Buterin is an example of this method, as well as one of the users most commonly targeted by the scam.
Excellent work, etherchain!https://t.co/doAqk8HbAq
(Anyone replying to this claiming to be giving away ETH is a scammer, as usual)
— Vitalik “Not giving away ETH” Buterin (@VitalikButerin) March 13, 2018
Despite the bold disclaimer, scammers refuse to be shaken and continue to adapt their profiles and language to deceive victims.
What can be done to combat crypto scams?
Recently, Twitter attempted to remedy crypto scams by shadow banning the spammer accounts, but several cryptocurrency influencers were caught amid the ban and experienced temporary issues with their accounts.
“People just started DMing me that they couldn’t see my tweets in threads,” Twitter user @cryptomom told CoinDesk. “It would say ‘tweet unavailable.’ Others said they aren’t getting notifications when I tweet. But no word from Twitter. There is some really weird shit going on for crypto Twitter people right now. A rash of permanent bans and suspensions.”
Adding to confusion, Twitter mistakenly verified an account posing as Tron founder Justin Sun.
Cryto scams could prove to be a hurdle for Twitter and its users who’re active in the crypto space. It’s important for people to understand that these scams will NEVER pay you. These fake accounts will do their best to prove their legitimacy, but they are just preying on the greed of victims.
Twitter will need to introduce new methods for combatting this type of spam. Twitter CEO Jack Dorsey recently announced a new verification process is coming that will make it easier for all users to obtain verification, according to the Chicago Tribune. This change will help the numerous crypto organizations and influencers on Twitter establish a verified presence. It is important for users to be protected from predatory scammers, while also protecting the integrity of a platform that has become a major hub for cryptocurrency discussion and information sharing.
What do you think can be done to stop cryptocurrency scams on Twitter? Join me in the Webroot Community or drop me a line in the comments below!
The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.
Zenis Ransomware Makes Resolution Problematic for Victims
Researchers recently discovered a new ransomware variant named Zenis that encrypts in the usual way, but, in a new twist, also deletes all available backups and event logs, and even disables startup repair. In a further departure from the norm, the ransom note doesn’t mention a specific price. Instead, the author requests that victims send the ransom note and another small file to various email addresses to verify that the ransomware author can decrypt them. The author then sends a final price, likely based on the types and quantity of files that will need to be encrypted. It’s still unclear how the variant is being distributed—possibly through RDP or spam emails.
Orbitz Suffers Major Data Breach
Travel site Orbitz has admitted to being the latest victim in a continuing trend of data breaches that affect hundreds of thousands of customers. In this case, the data for nearly 800,000 Orbitz customers was compromised, and the breach lasted from January 2016 until December of 2017. While officials are still working to determine the initial access point, they have discovered that the lost data included full payment info, as well as complete personal data for the company’s customers.
Fake Amazon Ad Achieves Top Position in Google Search Results
In the last several days, researchers found that the top search result for Amazon.com was actually fake and was redirecting anyone who clicked it to a fake tech support page that tried to scare the visitor into contacting Windows Support. Fortunately, Google worked quickly to remove the malicious link from its search results, and GoDaddy took down the domain within an hour of being notified.
Facebook Faces Backlash After Misuse of Sensitive Data
Facebook has announced that the personal data for nearly 50 million users had been illicitly obtained by a third-party analytics firm, which carefully maneuvered through Facebook’s Terms of Service to get data on more than just consenting users. While the data collection app was knowingly downloaded by 270,000 users, the app itself collected not only their data, but the personal data of their entire network of friends. Though Facebook removed the app in 2015 and demanded that the data be destroyed, the app’s creator ignored the request and continued using it for profit.
Celebrity Picture Contains Hidden Crypto-miner
Hackers have recently taken to using image files to distribute malware and other malicious content, as they are simple to reconfigure and difficult to detect. In the latest case, a picture of Scarlett Johansson contained functionality that executed shell commands on a user’s machine and mined Monero cryptocurrency. It had already acquired ~$90,000 worth of Monero by the time of discovery.
Since inception in late 2016, the TrickBot banking trojan has continually undergone updates and changes in attempts to stay one step ahead of defenders and internet security providers. While TrickBot has not always been the stealthiest trojan, its authors have remained consistent in the use of new distribution vectors and development of new features for their product. On March 15, 2018, Webroot observed a module (tabDll32 / tabDll64) being downloaded by TrickBot that has not been seen in the wild before this time.
It appears that the TrickBot authors are still attempting to leverage MS17-010 and other lateral movement methods coupled with this module in an attempt to create a new monetization scheme for the group.
You can teach an old bot older tricks
- 0058430e00d2ea329b98cbe208bc1dad – main sample (packed)
- 0069430e00d2ea329b99cbe209bc1dad – bot 32 bit
- 711287e1bd88deacda048424128bdfaf – systeminfo32.dll
- 58615f97d28c0848c140d5e78ffb2add – injectDll32.dll
- 30fc6b88d781e52f543edbe36f1ad03b – wormDll32.dll
- 5be0737a49d54345643c8bd0d5b0a79f – shareDll32.dll
- 88384ba81a89f8000a124189ed69af5c – importDll32.dll
- 3def0db658d9a0ab5b98bb3c5617afa3 – mailsearcher32.dll
- 311fdc24ce8dd700f951a628b805b5e5 – tabDll32.dll
Upon execution, this iteration of TrickBot will install itself into the %APPDATA%\TeamViewer\ directory. If the bot has not been executed from its installation directory, it will restart itself from this directory and continue operation. Once running from its installation directory, TrickBot will write to the usual group_tag and client_id files along with creating a “Modules” folder used to store the encrypted plug and play modules and configuration files for the bot.
Image 1: TrickBot’s plug and play modules used to extend the bots functionality
Many of the modules shown above have been previously documented. The systeminfo and injectDll module have been coupled with the bot since its inception. The mailsearcher module was added in December 2016 and the worm module was discovered in late July 2017. The module of interest here is tabDll32 as this module has been previously undocumented. Internally, the module is named spreader_x86.dll and exports four functions similar to the other TrickBot modules.
Image 2a: Peering inside tabDll.dll
Image 2b: Abnormally large .rdata section
The file has an abnormally large rdata section which proves to be quite interesting because it contains two additional files intended to be used by spreader_x86.dll. The spreader module contains an additional executable SsExecutor_x86.exe and an additional module screenLocker_x86.dll. Each module will be described in more detail in its respective section below.
When loading the new TrickBot module in IDA, you are presented with the option of loading the debug symbol filename.
Image 3: Debug symbol filename of the downloaded module tabDll.dll
This gives us a preview of how the TrickBot developers structure new modules that are currently under development. When digging deeper into the module, it becomes evident that this module is used to spread laterally through an infected network making use of MS17-010.
Image 4: String references to EternalRomance exploit used for lateral movement
This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module as parts of the modules reflective dll injection mechanism are stolen from GitHub.
Image 5: Copied code from ImprovedReflectiveDLLInjection
Image 6: Printf statements from the copied project on GitHub
The second phase of the new module comes in the form of an executable meant to run after post exploitation. Again, it was very nice of the TrickBot authors to give us a look at the debug symbols file path.
Image 7: Debug symbol filename of the embedded PE file.
When run, this executable will iterate over the use profiles in registry and goes to each profile to add a link to the copied binary to the start up path. This occurs after lateral movement takes place.
Image 8: Iterate over user profiles and create
Image 9: Execution of the copied binary
Similarly, to the other TrickBot modules, this module was written in Delphi. This is the first time TrickBot has shown any attempt at “locking” the victims machine.
Image 10: Peering inside screenLocker_x86.dll
This Module exports two functions, “MyFunction” and a reflective DLL loading function. “MyFunction” appears to be the work in progress:
Image 11: Peering inside “MyFunction”
Image 12: Creation of the Locker Window
If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model. Locking a victim’s computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetization scheme.
It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to the locking of potentially hundreds of machines.
The TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in an attempt to successfully laterally move throughout a victim’s network. This is being coupled with an unfinished “screenLocker” module in a new possible attempt to extort money from victims. The TrickBot banking trojan remains under continual development and testing in a constant effort by its developers to stay one step ahead of cybersecurity professionals.
In light of the publicity, panic, and lingering despair around Spectre and Meltdown, I thought this might be a good time to clear up the differences between vulnerabilities, exploits, and malware. Neither Spectre nor Meltdown are exploits or malware. They are vulnerabilities. Vulnerabilities don’t hurt people, exploits and malware do. To understand this distinction, witness the CLIMB exploit:
The CLIMB Exploit
Frequently, when a vulnerability is exploited, the payload is malware. But the payload can be benign, or there may be no payload delivered at all. I once discovered a windows vulnerability, exploited the vulnerability, and was then able to deliver the payload. Here’s how that story goes:
It’s kind of embarrassing to admit, but one evening my wife and I went out to dinner, and upon returning, realized we had a problem. It wasn’t food poisoning. We were locked out of our house. The solution was to find a vulnerability, exploit it, and get into the house. The vulnerability I found was an insecure window on the ground floor.
With care I was able to push the window inward and sideways to open it. From the outside, I was able to bypass the clasp that should have held the window closed. Of course, the window was vulnerable for years, but nothing bad came of it. As long as nobody used (exploited) the vulnerability to gain unauthorized access to my home, there was no harm done. The vulnerability itself was not stealing things from my home. It was just there, inert. It’s not the vulnerability itself that hurts you. It’s the payload. Granted, the vulnerability is the enabler.
The window was vulnerable for years, but nothing bad happened. Nobody attacked me, and while the potential for attack was present, an attack (exploit) is not a vulnerability. The same can be true of vulnerabilities in software. Opening the window is where the exploit comes in.
My actual exploit occurred in two stages. First, there was proof of concept (POC). After multiple attempts, I was able to prove that the vulnerable window could be opened, even when a security device was present. Next, I needed to execute the Covert Lift Intrusion Motivated Breach (CLIMB) exploit. Yeah, that means I climbed into the open window, a neat little exploit with no coding required. I suppose I could have broken the window, but I really didn’t want to brick my own house (another vulnerability?).
Now we come to the payload. In this case, the payload was opening the door for my wife. You see, not all payloads are malicious. If a burglar had used the CLIMB exploit, they could have delivered a much more harmful payload. They could have washed the dishes (they wouldn’t, unless they were Sheldon Cooper), they could have stolen electronic items, or they could have planted incriminating evidence. The roof is the limit.
Not all vulnerabilities are as easy to exploit as others. All of my second-floor windows had the same vulnerability, but exploiting them would have been more difficult. I am sure happy that I found the vulnerability before a criminal did. Because I was forgetful that fateful night, I’m also happy the vulnerability was there when I found it. As I said, I really didn’t want to break my own window. By the way, I “patched” my windows vulnerability by placing a wooden dowel between the window and the wall.
There you have it. Vulnerabilities, exploits, and payloads explained through the lens of the classic CLIMB exploit.
The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.
Global Gas Station Software Found Unsecured
Researchers have recently discovered a vulnerability that would allow anyone to remotely access thousands of gas stations from around the world. The vulnerability stems from having these stations be connected to the Internet and can give the potential attacker control of gas prices, access to customer payment information, and even control over surveillance cameras. Unfortunately, due to the average age of the pumps in question and the preinstalled software also being outdated, it is unlikely that many of the machines will, or even can, be updated to protect against these vulnerabilities.
NHS Staff Ignoring Security Policies in Favor of Usability
In a recent survey of NHS professionals, it was found that nearly half are using non-approved messaging apps on a regular basis, rather than more secure channels, as they as quicker and easier to use. Even more alarming, a similar number were either completely unaware of their organization’s policies for safely transferring data or had not received any training on the subject. With data security becoming ever more necessary, the organizations that hold our most sensitive data should be held to an even higher standard, as typical consumers have little choice but to trust that they will keep it safe.
Fortnite Mobile Invite Scams Flood Market Prior to Launch
In the days preceding the launch of Fortnite’s Mobile iOS functionality, hundreds of users have taken to posting fake “invites” for sale, throughout various social media sites. While the actual launch is still several days away, these invites have been offered for a variety of prices in hopes of finding someone eager enough to pay to play early.
AMD Chips Contain Critical Vulnerabilities
Over the last week or so, several critical flaws have been found within AMD processor chips that could be harmful, if exploited. While it would already require some administrative access to even begin using the vulnerabilities for harm, the exploit does allow unsigned, and possibly malicious, code to be uploaded to AMD’s Secure Processing Platform without performing any security checks. As these vulnerabilities are still being researched, the extent of their severity has yet to be fully decided.
Florida Virtual School Hit by Data Breach
Within the last few weeks, officials have been working to contact students, parents, and staff that may have been affected by a data breach that occurred sometime in the last year. While it is still unclear on what sensitive data may have been compromised, identity and credit monitoring services are being provided to anyone who has been in the database over the two-year period when it was illicitly accessed.
We live in the future. Not one with teleportation, time travel, or flying cars, but one where talking to inanimate objects is the “normal,” even “cool” thing to do.
According to The Smart Audio Report from NPR and Edison Research, 39 million people now own an interactive, voice-activated smart speaker and, in just a few short years, the smart speaker has been joined by countless other smart gadgets, forming a network of connected devices known as the internet of things (IoT). These connected household devices have evolved from assisting with simple tasks like having Alexa play music, to having the ability to control nearly every part of the home, from the ambient temperature to the food that’s purchased for your refrigerator.
It’s pretty amazing, as long you remain in the captain’s chair. But what happens when you’re no longer the one in control?
They see you when you’re sleeping, know when you’re awake
Imagine coming home on a hot day to find your thermostat set to Phoenix-in-August-like temperatures and realizing you can’t change it. Or discovering your internet-connected appliances have been hijacked to do the bidding of cybercriminals in a DDoS attack by a massive IoT botnet. And what could be worse than finding out hackers have the ability to peek into the feed from the nursery webcam? These examples may sound like fear-mongering or idle, worst-case-scenario musings. But they’ve all already happened.
The more consumers buy and use internet-connected home devices, the more opportunities are created for hackers to break in, both digitally and physically. Since IoT products include everything from to fitness bands and home security cameras, to lights, doors, and cars, we run the risk of painting a detailed, time-stamped digital portrait of our daily lives for any hacker with the know-how to access these devices. All they need to access your entire network is one weak link.
Hacked by default
Why are IoT products so vulnerable? According to Webroot senior threat researcher Tyler Moffitt, “the underlining problem with all these emerging IoT devices is that the vendors are only focused on functionality, and have little to no budget for security vetting. Minimum viable product for maximum profit.”
The result? More vulnerabilities leading to more opportunities for attackers to hack your home. The proliferation and widespread adoption of IoT devices presents hackers with billions more targets than previously available, and their success rate need not be high. A single security oversight on a mass-produced device can be devastating.
For example, many smart home devices like Nest Learning Thermostat devices come with a default username and password that most consumers don’t think to change. In some cases, that’s simply not an option, as passwords are sometimes hardcoded into the firmware. Oftentimes, hackers can easily find default login information online and sneak onto your device. Then, with the help of a little malware, they can gain control of your entire fleet of smart-home devices. And hundreds of other people’s.
Patches and updates are another gaping door left open to hackers. Many IoT devices either simply can’t be patched to protect against the latest threats, or their manufacturers don’t have the budget or resolution to release prompt updates. In an up-and-coming market segment filled with startups, there isn’t even a guarantee your device manufacturer will be around to release a much-needed security update when an emergent threat comes knocking.
Secure is the new smart
Before you run home and to rip your Nest or other IoT connected device off the wall, read on. There are ways to keep your home smart and secure.
“Smart homes are still a new space as far as security goes,” says Moffit. “Down the road, we expect security to be protecting internet connected devices. But for now, we recommend a layered approach and taking all the proper precautions. Similar to antivirus, pay for the well-reviewed, vetted products.”
Here are a few more tips for being a smart IoT consumer:
Update login info
Update your usernames and passwords (the stronger the better). Do this for every device you have, and avoid using the same password twice. While you’re at it, change the passwords on your other accounts, too — especially if you’ve had the same one since you opened your first email account in 1998.
Secure wireless networks
Set up two different networks to help reduce the risk of hacking across devices — one for smartphones, computers, and tablets, and another for your smart home products. Add a strong password and give your home network a random name having nothing to do with your username, password, or address. Also, make sure your home network is protected by the Wi-Fi Protected Access II (WPA2) protocol, disable guest access, and most importantly, disable remote access.
Update software and firmware
Updating helps ensure the latest security measures are being implemented by your device. Many smart home devices don’t update automatically, so check for them about once a month.
Install security software and malware protection
Because there is no singular solution for protecting your smart home products themselves, it’s important to use a layered approach for your security measures. Safeguarding your network, for example. Adding security apps and software to your computer and smartphone can protect against attackers accessing information via a malicious site or app.
Invest in proven solutions
Since so many companies are trying to get on the smart home train and many aren’t keeping security top-of-mind, it’s important to invest in proven solutions and stick to well-known brands that have a reputation for being secure. This helps guard against the aforementioned problem of timely updates not being available, too.
Oh, and you know those home gadgets that come with a hard-coded password? Don’t buy them.
MoviePass Subscription Service Tracks More Than Your Viewing Habits
The CEO of MoviePass recently revealed the full extent of its tracking functionality, which was originally thought to use your location to find a nearby theater. The application can track any user from their home to the theater, and then onward through the rest of their journey, keeping notes on businesses and restaurants the user may visit. While this data is said to only be used to help enhance the user’s evening, it does seem to be a massive breach of privacy given that there is nothing in the terms of service that mentions the full extent of the tracking.
Latest Crypto-Miner Introduces Kill List for Competitive Processes
A new cryptocurrency miner has recently been discovered that seems to have an edge over its competition: the ability to terminate conflicting processes to maintain control over the device’s processing power. While the use of a ‘kill list’ isn’t new to malware in general, this does seem to be the first program that uses it for mining purposes, rather than continuing to propagate.
MacOS Users Getting Browsing Security Update
Within the last week, Google has announced it will begin rolling out a new security feature for MacOS that will give Chrome users additional warnings when attempting to access malicious or compromised websites. While these features have been functional for Windows users for quite some time, it will begin implementing them for MacOS in April of this year. As Mac malware continues to proliferate, the necessity of these features grows right alongside it.
ComboJack Malware Targets Multiple Cryptocurrencies
Recently, researchers have spotted a new email spam campaign that downloads ComboJack, malware that seeks out several types of cryptocurrency wallet addresses currently stored on the device’s clipboard. By running endless checks on the clipboard for any cryptocurrency wallet address information, ComboJack will immediately replace any found address with one belonging to the attacker, while it continues to check for others.
School Employee W-2 Info Stolen in Phishing Scam
Officials have recently been contacting employees of an Alabama school district after a successful phishing attempt led to tax information being sent to a fake email address supposedly belonging to the superintendent of the district. The phishing scam affected at least 30 employees and has forced them to file their taxes manually, rather than electronically, as some returns had already been illicitly filed by the attacker.
First thing’s first—I’d like to introduce myself. I’m senior security analyst Randy Abrams, and I’m delighted to be part of the Webroot team and our online community.
Prior to joining the team, I was a research director responsible for analyzing and reporting the test results of antimalware products. I also helped create test methodologies and looked for anomalies in the testing process. Before that, I worked as a director of technical education, where my role was very similar to my mission here at Webroot: to help all users stay more secure on the internet. Everything else I do is the means to meet these ends.
Earlier in my career, I spent 12 years at Microsoft working closely with researchers from major antimalware companies, as well as from several smaller antivirus companies, to ensure we did not release infected software. As a result, I bring a unique perspective to my role here at Webroot. I am a consumer (I use Webroot on my laptop). In the past, I have been an enterprise customer, worked at a test lab, and served on the vendor side of the industry.
Testers are Human. They Do Not Always Get it Right.
One of the most contentious parts of working in the security industry is antimalware testing. I used to joke that the reason antimalware testers are so arrogant is because antimalware researchers created them in their own image. Relationships between the testers and vendors have improved quite a bit in the past few years, but there still is a lot of friction. Scoring poorly on a test not only affects sales, but when the reason for the poor score was due to mistakes in testing, users do not get the quality of information they need to properly compare products.
Unfortunately, antimalware testing is really, really hard to get right. And it is not because of incompetence. You will never hear me say, or even imply, that testers are incompetent. The reason that testing is so hard to get right is because antimalware products have become so complex. There are interdependencies on cloud-based protections, reputation systems, whitelisting and blacklisting, scanning and remediation, and in some cases, like ours, system rollback. Additionally, sample acquisition and selection are problematic.
In the past, I have seen some serious mistakes resulting in products offering high-quality protection appear mediocre or worse. For vendors, a deeper problem arises when trying to dispute the test results. The public tends to think that testers always get it right and that vendors are just whining because they didn’t receive the score they thought their product deserved. No vendor was ever acquitted of a bad test in the court of public opinion.
In coming blogs, I will discuss some of the challenges testers face, and the impact these have on accurately presenting the information needed to make informed choices when selecting security software. As a former research director for a test lab, I dealt with issues, like the selection of samples, that could seriously impact reported results. Sample selection and acquisition is much more difficult than it would seem. When you see vendors score 100 percent, then the sample selection was too small.
When measuring performance, the ratio of file types (exe, .bmp, .mp3, .docx, etc.), as well as compression methods used in the file set, make a huge difference in real-world performance results. Even the files selected for false positive testing can affect the perceived quality of a product. Which is more important, detection of a file we see attacking tens of thousands of users, or the file we saw three times six months ago and never again? Given equal protection scores, would you rather have a product with one false positive or one with three false positives? These are a few of the issues that affect the quality of testing and understanding of what was actually tested. Believe it or not, one of the biggest problems with testing is not the results, it is the lack of meaningful analysis.
Have any questions or comments? I look forward to continuing the discussion on the Webroot Community.
Thanatos Ransomware Causing Major Damage for Victims
A new ransomware variant has recently appeared and is proving to be more troublesome than most that came before it. By using individual encryption keys for each file, which it does not save, decryption is nearly impossible, even after paying the relatively small ransom of $200. Thanatos is also the first ransomware to accept Bitcoin Cash as a payment method.
Cryptojacking Found on LA Times Site
Researchers have stumbled onto yet another unsecured Amazon AWS server running a cryptominer. This time, the LA Times’ Homicide Report is at fault. Initially, the researchers found that the widely-accessible server had public write access turned on, which they reported to the server’s owner. Unfortunately, the researchers weren’t the first to find the server, which is how the Monero miner was placed on a single, moderately trafficked site within the LA Times network.
UK School CCTV Feeds Popping Up on US Websites
Recently, surveillance videos from several UK schools made their way onto a US-based website that hosts unsecured camera footage from around the world. While the footage was mainly from the exterior of the schools, it still causes concern over the safety and privacy of the students the cameras are meant to protect. While the breach can be traced back to the camera manufacturers, who did not implement strong device security, responsibility also falls on the staff who set up the cameras in the first place. This news serves as a reminder to always take cybersecurity precautions and change manufacturer default settings.
Cryptocurrency Miner Packed with Annoying Adware
A new cryptocurrency miner named UpdateChecker has been making the rounds over the last few days. The program is distributed as a fake Flash Player update and comes with the bonus of ads that run at hour-long intervals. The malware itself is downloaded from fake Adobe update websites and will immediately begin optimizing itself for the local machine and checking for updates to its own files. Unfortunately for victims of UpdateChecker, it is rather troublesome to remove, as it will relaunch itself if you kill the process, and can restart the miner anytime you shut it off.
Apple Repair Center Generating Excessive Emergency Calls
Since late last year, emergency dispatchers and police departments in Sacramento County, California have received over 1,600 calls originating from a local Apple repair facility. The calls are likely from one of two devices Apple manufactures that can make emergency calls without a SIM card or service provider. While this isn’t the first case of Apple devices triggering hundreds of emergency calls, the company is working with local law enforcement agencies to find a resolution.
In the past, security awareness training for user education—i.e. empowering users to make more savvy IT decisions in their daily routines—was considered a “nice to have,” not a necessity. The decision to adopt user education was typically passed over because of budget, lack of in-house expertise, and the general lack of availability of high-quality, low-cost, computer-based training. In particular, small- to medium-sized businesses (SMBs) have suffered from these types of constraints, compared to larger, more resource rich organizations.
Today, it’s clear that end user education isn’t just “nice to have,” and SMBs know it. As recently as August of 2017, a Better Business Bureau study on the State of Cybersecurity revealed that almost half of SMBs with 50 employees and under regard security awareness training among their top 3 security expenditures, alongside firewalls and endpoint protection.
The increase in interest and budget allocation for end user education is understandable. On average, SMBs face $80,000 in annual losses following a ransomware or data loss breach. Users are on the front lines of your business, and even the most advanced security can’t stop them from willingly, if unwittingly, handing over sensitive access credentials. If you’re not educating your users, then you are putting your organization at an unnecessary and costly risk.
Getting your end user education program started
Introduce to Stakeholders
Like any new program, building a foundation for success begins when you engage your stakeholders and management teams. Send an email explaining the value of security awareness to management, share details and reports around your first phishing and training campaigns, and loop in IT. Not sure how to craft that first email? Check out Webroot’s Security Awareness Training for help and templates to get you started.
Start out with a Phishing Campaign
Consider starting your security awareness program with a simulated phishing campaign. The results of the simulation can also be used to demonstrate value to any more skeptical or reluctant IT decision-makers. Use the first phishing campaign as your baseline to gauge the level of awareness your end users already have. Webroot Security Awareness Training comes with a variety of template options to help you get started. We recommend using a template that mimics an internal communication from HR or the IT department to get the most eyes on the email. For early campaigns, it’s also a good idea to use Webroot’s “404 Page Note Found” template so users who fall for the phishing lure are unaware. This will help keep water cooler talk at a minimum, giving you a more accurate baseline. After that, be sure to link your phishing campaigns to training pages and courses to maximize the training opportunity.
Share results with End Users
Use feedback to inspire smarter habits. A key objective for security awareness training is to engage end users and raise the level of cyber awareness throughout the organization. For instance, sharing results of a simulated phishing campaign can help employees understand the impact of poor online habits and motivate them to practice better behaviors.
Webroot Security Awareness Training lets admins see who clicked what in a phishing simulation. Bear in mind: the point of sharing results is not to shame the unwitting marks who fell for the scam. Instead, try capitalizing on everyone’s engagement by sharing an overall statistical report, so users can recognize whether they clicked or avoided the phishing lure, without fear of embarrassment. More importantly, such a report would show the statistics around the organization as a whole, opening the door for further training programs to fill security gaps and provide a continuous learning experience.
Continuous Training: Set up your phishing and training program
Once end users are engaged and understand the value, the next step is setting up a training program. There is no one-size-fits-all program, but we recommend running at least one to two phishing campaigns per month and a minimum of one to two training courses per quarter. Depending on the needs of each organization, you may want to increase the frequency and adjust intervals throughout the year. Webroot Security Awareness Training includes numerous pre-built phishing templates you can use, including real-world phishing scenarios (defanged from the wild.) It also offers professionally developed and engaging topical training courses, which you can be proud to share with your company. Courses range from cybersecurity best practices and 5-minute micro-learning courses to in-depth compliance courses on PCI, HIPAA, GDPR, SEC/FINRA, and more.
When you start seeing the significant impact that relevant, high-quality, and proven security awareness education has on your employees, you’ll wonder how your business ever managed without it.