Latest Windows 10 Update Removes User Files
Microsoft recently pulled its latest update, version 1809, after several users complained about personal files being deleted. While some users were able to use third-party software to retrieve deleted files, users whose files went missing from the Documents folder are having a much trickier time without restoring from backups. Since hearing of the issue, Microsoft has paused the automatic update until it can find a resolution.
Magecart Campaign Continues Its Spread
Vulnerabilities Found in Millions of Chinese Electronics
A new wave of vulnerabilities has been spotted in nearly 9 million devices made by Chinese-based Xiongmai, leaving them susceptible to attack. Serious issues include default admin passwords without a prompt to immediately change it, no encryption when connecting to their cloud servers, and a lack of authorization checks when searching for updates. Many of these devices were known to be compromised during the Mirai botnet attacks, though the access points used for that have since been patched.
FCC To Block Illegal Spam Calls
Most people have received at least one unwelcome call on their mobile phone from a robotic auto-dialer. Now the attorneys general from 35 states are coming together in hopes the FCC can do something about those annoying calls. These types of spam calls seem to have increased in volume in recent years, even after the 2017 Call Blocking Order aimed at stopping them, forcing customers to block calls themselves. With an estimated 40 billion robocalls this year alone, it’s no surprise so many states are interested in putting a stop to this nuisance.
Google+ Goes Out on Low Note
After constantly struggling with low adoption, Google’s response to more popular social media platforms like Facebook has officially reached the end of its life. Several months ago an API bug was spotted that allowed unauthorized access to thousands of Google+ user accounts. The bug was patched but remained undisclosed until recently. With new GDPR regulations on breach disclosure, even the possibility of low volumes of affected clients could still be trouble for Google.
Brazilian Bank Traffic Rerouted by Massive Botnet
A botnet containing more than 100,000 routers and other devices was recently spotted hijacking traffic destined for several Brazilian banks. The hijacking victims are then sent to one of at least 50 confirmed phishing sites that will attempt to steal any information the user will provide. Backing this ever-growing botnet are a small collection of tools used to brute-force weak passwords and continue to search for other devices with poor security.
Cyber Attack Shuts Down Canadian Restaurants
A major Canadian restaurant chain announced several of their restaurant brands had suffered a ransomware attack that affected nearly 1,400 stores in recent days. While many of the IT systems were quickly taken offline to prevent further spread of the infection, customers were met with non-functioning payment systems or just closed doors. Fortunately, the company keeps regular backups and was able to restore their systems without paying a ransom.
High-Profile Instagram Accounts Being Hacked
Several high-profile Instagram accounts were hacked and held hostage recently, with some accounts being deleted even after a payment was sent. Though many victims have contacted Instagram multiple times regarding access to their accounts, some were sent automated responses while others regained control of their accounts without hearing from the company.
Google Chrome Cracks Down on Extensions
With dozens of new extensions being added to Google’s Chrome Web Store every day, it has become increasingly difficult for Google to police for malicious apps. That’s why the release of Chrome 70 will include the ability for users to restrict browser extensions to a single site and to limit the permissions an extension has over the pages viewed. Additionally, Chrome has implemented 2-step verification for all developer accounts to curb the volume of hacked apps made available.
Port of San Diego Hit by Ransomware
It was revealed last week that the Port of San Diego, which controls over 34 miles of coastline, suffered a ransomware attack that temporarily knocked out their computer systems. Fortunately, most routine port operations remained able to function normally while systems were offline. There is still no information on whether the ransom has been paid or how the infection occurred.
Firefox Vulnerability Leads to Crash
A new denial-of-service (DoS) attack has been created with the ability to cause desktop versions of the browser Firefox to freeze or crash. Upon visiting sites where the malicious script is present, the user’s browser forces download requests for a massive junk file that can cause the IPC channel for the browser to crash. Luckily, the researcher who created the attack method has contacted Mozilla about the issue, and there’s hope for a swift resolution.
Kodi Media Player Used to Spread Malware
Nearly 5,000 computers were recently compromised with cryptomining malware that was silently distributed either through malicious builds of the Kodi media player or through third-party add-ons used to enhance the player. Most of the infected computers were found to be mining for Monero and have already mined around $6,700 since the beginning of the campaign. When obtaining these types of add-ons, it’s best to visit official repositories rather than third parties, as they tend to be more discerning about the content they host.
Online Fashion Retailer Breached
SHEIN has revealed a data breach from June that they themselves only discovered within the last month. Nearly 6.5 million customers could be affected, as the systems storing login credentials were compromised in the attack, the company stated in a recent press release. Fortunately for those customers, the company says they do not store payment data so a simple password change should be sufficient to protect their clients.
Scottish Brewery Hit by Ransomware
After publishing a job opening to their own site, Arran Brewery was able to successfully fill the needed position. Unfortunately for the Scottish brewery, attackers posted that listing on several international recruiting sites and received dozens of applications including documents embedded with ransomware, resulting in the company being locked out of crucial systems and a ransom demand of two Bitcoins. Arran Brewery opted to restore their systems from offsite backups rather than pay the ransom, but lost up to three months of data due to outdated backups.
DoorDash Customers Complain About Hacked Accounts
Several dozen people have contacted DoorDash regarding fraudulent orders placed on their accounts. DoorDash was confident it was not to blame for the breach, instead blaming “credential stuffing,” a tactic where attackers try using previous breach data from other sites hoping the same password was used multiple times. The company says it has no plans to implement further security measures such as two-factor authentication.
While ransomware, last year’s dominant threat, has taken a backseat to cryptomining attacks in 2018, it has by no means disappeared. Instead, ransomware has become a more targeted business model for cybercriminals, with unsecured remote desktop protocol (RDP) connections becoming the favorite port of entry for ransomware campaigns.
RDP connections first gained popularity as attack vectors back in 2016, and early success has translated into further adoption by cybercriminals. The SamSam ransomware group has made millions of dollars by exploiting the RDP attack vector, earning the group headlines when they shut down government sectors of Atlanta and Colorado, along with the medical testing giant LabCorp this year.
Tips to avoid compromised RDP as seen in the Atlanta #ransomware attack:
- Don't use common TCP ports (still not foolproof)
- Set max number of attempts for lockout
- Set a very secure UN and PW
- If you use paid encryption like VNC, TeamViewer, LogMeIn, that takes care of everything
Think of unsecured RDP like the thermal exhaust port on the Death Star—an unfortunate security gap that can quickly lead to catastrophe if properly exploited. Organizations are inadequately setting up remote desktop solutions, leaving their environment wide open for criminals to penetrate with brute-force tools. Cybercriminals can easily find and target these organizations by scanning for open RDP connections using engines like Shodan. Even lesser-skilled criminals can simply buy RDP access to already-hacked machines on the dark web.
Once a criminal has desktop access to a corporate computer or server, it’s essentially game over from a security standpoint. An attacker with access can then easily disable endpoint protection or leverage exploits to verify their malicious payloads will execute. There are a variety of payload options available to the criminal for extracting profit from the victim as well.
Common RDP-enabled threats
Ransomware is the most obvious choice, since its business model is proven and allows the perpetrator to “case the joint” by browsing all data on system or shared drives to determine how valuable it is and, by extension, how large a ransom can be requested.
Cryptominers are another, more recently emerging payload option that criminals deliver via the RDP attack vector. Once criminals breach a system, they can see all installed hardware and, if substantial CPU and GPU capacity is available, use it to mine cryptocurrencies such as Monero. This often leads to instant profitability that requires no payment action from the victim, and can therefore go undetected indefinitely.
The underlying problem that opens up RDP to exploitation is poor education. If more IT professionals were aware of this attack vector (and the severity of damage it could lead to), the proper precautions could be followed to secure the gap. Beyond the tips mentioned in my tweet above, one of the best solutions we recommend is simply restricting RDP to a whitelisted IP range.
However, the reality is that too many IT departments are leaving default ports open, maintaining lax password policies, or not training their employees on how to avoid phishing attacks that could compromise their system’s credentials. Security awareness education should be paramount as employees are often the weakest link, but can also be a powerful defense in preventing your organization from compromise.
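As an added example (not code from the original post or from Webroot), the following PowerShell script audits a Windows host for the RDP weaknesses discussed above (RDP exposed to any address, no Network Level Authentication, the default port, no lockout threshold) and, with -Apply, restricts the built-in Remote Desktop firewall rules to an allow-listed IP range. The allow-list range is a constructed placeholder, and the script assumes it is run elevated on Windows 10 / Server 2016 or later where the NetSecurity module is available.

```powershell
# Added example (not from the original post): audit the RDP settings the tips
# above call out and optionally restrict RDP to an allow-listed IP range.
# Assumptions: run elevated on Windows 10 / Server 2016+; the default
# allow-list below is a constructed placeholder, not a real management range.

param(
    [string[]]$AllowedRemoteAddresses = @('10.0.0.0/24'),  # placeholder; replace with your management range
    [switch]$Apply                                         # without -Apply the script only reports
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means remote desktop is off.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
# 2. Network Level Authentication requires credentials before a session is
#    created, which removes the cheap pre-authentication attack surface.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
# 3. Listening port; 3389 is the default that internet scanners look for first.
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# 4. Account lockout threshold from local policy ("Never" means brute forcing is unthrottled).
$lockoutLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
$lockout = if ($lockoutLine -match '(\d+)') { [int]$Matches[1] } else { 0 }

# 5. Which remote addresses may reach the inbound Remote Desktop firewall rules?
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
$scopes = foreach ($r in $rules) {
    $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{ Rule = $r.DisplayName; RemoteAddress = ($addr -join ',') }
}

[pscustomobject]@{
    RdpEnabled       = ($denyTs -eq 0)
    NlaRequired      = ($nla -eq 1)
    ListenPort       = $port
    LockoutThreshold = $lockout
} | Format-List
$scopes | Format-Table -AutoSize

# Findings, mapped to the tips above.
if ($denyTs -eq 0 -and $nla -ne 1) { Write-Warning 'RDP is enabled without Network Level Authentication.' }
if ($port -eq 3389)                 { Write-Warning 'RDP listens on the default port 3389 (obscurity only, but trivially scanned).' }
if ($lockout -eq 0)                 { Write-Warning 'No account lockout threshold: password guessing is unthrottled.' }
if ($scopes | Where-Object { $_.RemoteAddress -eq 'Any' }) {
    Write-Warning 'Remote Desktop firewall rules accept connections from any address.'
}

if ($Apply) {
    # Limit the inbound Remote Desktop rules to the allow-listed range and
    # require NLA. Changing the port is left manual because it also requires
    # updating the firewall rule and every client that connects.
    $rules | Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddresses
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    if ($lockout -eq 0) { net accounts /lockoutthreshold:5 | Out-Null }
    Write-Output "Applied: RDP limited to $($AllowedRemoteAddresses -join ', '), NLA required, lockout after 5 attempts."
}
```

Run it without -Apply first and review the reported scopes; an allow-list that omits your own management network will lock administrators out along with the attackers.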
Massive Customer Database Left Exposed by Data Management Firm
A security researcher recently found a database containing customer information for nearly half a billion users of Veeam software on an unsecured AWS server. Most of the data was contact information spanning from 2013 to 2017 and was likely used by the Veeam marketing team’s automated customer contact functions. Fortunately, the database was taken offline within a week of the researcher contacting Veeam about the server.
Hacker Group Breaches British Airways
After last week’s reveal of the data breach affecting nearly 380,000 of the airline’s customers, it was discovered that the injection methods used were the work of known hacker group MageCart. By compromising third-party actors, the group can access hundreds of sites and begin passing any customer payment information back to their own systems. Even more troublesome, this particular attack appeared to be tailored for the British Airways systems specifically, but could very likely be readjusted for other applications.
Chinese Hackers Using Digitally Signed Drivers for Attacks
A long-active hacker group likely based in China has expanded their tactics to include a seemingly innocent network filtering driver (NDISProxy) to start their latest malware campaign. The driver itself has a signed digital certificate from a Chinese-based security software company, which was likely unaware their certificate was being misused. By injecting itself silently across the infected network, the fully functioning remote access Trojan can be used to execute malicious tasks with ease.
Scam Calls Causing Mobile Traffic Jam
The number of scam calls recorded by the call management firm First Orion rose nearly 1000% over the past year, from 3.7% of total calls last year to 29% so far in 2018. Projections for the coming year put that number at half of all mobile calls received in the U.S. Unfortunately, service providers have few options for slowing down the bombardment of phony calls facing their customers.
Latest MongoDB Attacks are Ransoming Empty Databases
While MongoDB attacks are nothing new, Mongo Lock has stepped up the game by identifying unprotected databases, exporting the data to their servers, wiping them clean, and leaving behind a ransom note instructing the victim to reach out via email rather than sending a Bitcoin payment directly to a crypto-wallet. Mongo Lock appears to operate via an automation script, though it has been known to fail, leaving the victim with both the ransom note and their original data.
Banking Trojans Still Appearing in Google Play Store
Multiple security researchers recently discovered a handful of banking trojans that have still managed to make their way into the Google Play app store, despite Google having increased its security to detect such apps. Many of the apps are disguised as astrology/horoscope software, but instead of reading the future, they steal SMS and call logs from the device, install unauthorized apps, and even seek out banking credentials based on other installed applications. Some of these apps had been installed by up to 1,000 individuals, many of whom are likely under the assumption that the app removed itself, after showing a fake error message claiming incompatibility with the device.
Obama-themed Ransomware Forges Dangerous Path
A new ransomware variant bearing the face of the former US president, Barack Obama, has been spotted in the wild performing some unusual encryption tactics. Rather than encrypting personal word documents and pictures, this variant focuses on encrypting executable files across the system, which could lead to the system crashing and other devastating results. It is still unclear if this methodology is the intent, or just an oversight by the ransomware’s authors, but this type of damage is unlikely to pay off if it renders the system nonfunctional.
Thousands of Online Stores Compromised
Due to security loopholes in eCommerce sites that use Magento as a host, nearly 8,000 sites have been confirmed to be hosting card-skimming malware, with up to 60 more being compromised every day. The breaches led to malicious scripts being added to the pages to record and upload any customer inputs in real time, rather than following a more complicated path to obtain the same data after the transaction is complete. Unfortunately, it is difficult to determine whether a site is safe without checking the entire codebase for any unauthorized entries.
Fake Tech Support Ads Now Indistinguishable from Real Counterparts
In the run-up to Google’s release of a verification program for third-party vendors to display ads, the company has been inundated with countless fake tech support advertisements that are nearly impossible to identify over a real vendor’s ads. The creators of these fake ads will go to almost any lengths to avoid detection, including creating entire companies to continue their illicit activities.
Nearly 400,000 websites have been found with exposed .git directories that could lead to major information exposure, if improperly accessed. These repositories contain everything from passwords and API keys for the site, to forgotten data stored on the sites. Fortunately for the website owners, the researcher who discovered the breach was not acting maliciously, and quickly began contacting them with information on how he found the leak and what they could do to resolve it.
A security researcher just discovered a publicly available file containing sensitive voting information for nearly 99% of all registered voters in the state of Texas. The file was compiled by a data firm that was trying to gauge political opinion for the 2016 elections, as well as more localized campaigns. With all the attention the presidential campaigns brought to election security, mistakes like this one could lead to more serious outcomes if companies who handle such information don’t take the necessary precautions.
Chinese Hotel Breach Exposes 130 Million Guests’ Data
Huazhu Hotels Group has come under fire after several of their customer databases were uploaded to GitHub by their own development team. The databases were found for sale on the Dark Web and contained over 240 million unique records, with information ranging from names and addresses to card numbers and travel itineraries, a portion of which has been verified by a local security firm. The data appears to come from nearly all the hotel group’s brands, and is not localized to a specific region or name.
Instagram Unveils Support for Third-Party 2FA
Nearly a year after Instagram announced their addition of SMS-based 2FA, the company has stated that they now allow support for third-party 2FA applications. In doing so, they give users the option to either set up an SMS verification path or receive a code through another app when attempting to log in to their account. This announcement comes just weeks after a string of high-profile accounts were hacked, leaving users with no options to regain access to the hijacked pages.
Bank of Spain Hit by DDoS Attack
Over the weekend, the Central Bank of Spain fell victim to a DDoS attack that continued through Tuesday afternoon, leaving users with spotty access to the bank’s website. Fortunately, the bank itself remained fully operational through the attack, as it is a central bank rather than a commercial one. Additionally, all communications with other central banks around Europe were unaffected, with no signs of other malicious activity.
HTTPS Now Standard on over Half of Top Sites
With the push to enforce full encryption on the internet, over half of the top million sites are now using HTTPS, with millions of domains switching over every day. This is likely due to Google’s efforts in the last couple of months to warn Chrome users who attempt to access an unsecured site, in hopes of encouraging users to take their own security more seriously.
Over the past 5 years, one malware campaign has been plaguing the financial industries of Mexico: Dark Tequila. While many researchers have been monitoring samples for most of that time, only recently has the entire campaign come into focus, with over 30,000 unique targets in 2018 alone. Using mostly spear-phishing tactics, the malware is able to spread quickly and steal a significant amount of information with relative ease and, for its finale, a USB infector is copied to any removable drive enabling it to spread across offline channels.
Babysitting App’s Database Breached
Over 93,000 users of the popular child-sitting app Sitter are being notified after the MongoDB database the app uses was compromised. Most information on the app is considered highly sensitive, including names, home addresses, and even full address book contacts for thousands of users. It remains unclear how long the database remained unprotected and Sitter is now contacting all affected users.
Ryuk Ransomware Uses Highly Targeted Attacks
The authors behind the ransomware variant Ryuk have taken significant strides towards ensuring large ransom payouts by focusing exclusively on large corporations and demanding Bitcoin ransoms that only those organizations could even fathom paying. They have already received two ransoms ranging from 15 to 35 Bitcoins, or roughly $225,000, with a daily ransom increase of half a Bitcoin for each day unpaid.
American Healthcare Organization Hit by Phishing Attack
Recently, Augusta University Health announced that, in September 2017, they experienced a data breach that could possibly affect over 400,000 patients. Listing sensitive data from home addresses to social security numbers and other forms of ID, this breach could easily set up future phishing attacks on individuals. Officials are still working to determine how such a breach could have occurred (and remained undetected for nearly 10 months). Because of a lack of encryption, the breach was far more damaging than it otherwise would have been.
Cardio-Imaging Devices Vulnerable to Exploits
Several versions of Philips’ cardiovascular imaging devices have been found to contain multiple exploits that would easily allow an attacker to perform unauthorized code execution and cause the devices to malfunction. Fortunately, these devices are not remotely accessible, and the company has already begun putting new safeguards in place with their next major patch.