PC PORTAL

Experienced. Trusted. Solutions.

IT Security

By

Cyber News Rundown: Newegg Breached

Reading Time: ~2 min.

Newegg Breach Lasts Nearly a Month

Newegg finally addressed a recent breach after unknowingly hosting malicious code within a payment page for the last month. While the company is still unclear about how many customers were affected, the injected code does appear to have targeted both desktop and mobile visitors to the Newegg site. This breach is extremely similar to a previous attack on British Airlines, leading officials to believe the same group may have been responsible for both attacks.

EternalBlue Exploit Still Remains a Major Threat

More than a year after the WannaCry attacks brought NSA exploits to light, the cryptomining variant WannaMine is still consistently being spotted in the wild, harming businesses as it spreads. Microsoft was prompt to release multiple patches for the various exploits, but many companies are still falling victim to these attacks due to poor security practices. By operating through several PowerShell scripts, the attack is nearly fileless, making it much more difficult to track through traditional methods.

Ransomware Targets Bristol Airport

Nearly all of the information screens at Bristol Airport have been shut down for the last several days following a ransomware attack on airport systems. Officials were quick to take the systems offline to mitigate further damage and have since returned the airport to normal operations. Luckily, no actual flights were affected by this attack and most passengers noticed only minor delays in services.

Email Breach Hits State Department Staff

A breach of the State Department’s email systems exposed personal information belonging to hundreds of staff members. The security for this department has long been under scrutiny for failing to meet industry standards, including a lack of two-factor authentication for main email systems. The breach is thought to be the result of a phishing attack on a cloud-hosted email server, but the exact cause is still unknown.

Un-owned MongoDB Server Left Exposed

An independent researcher recently found an unsecured database with personal contact information for nearly 11 million individuals, but was unable to find an owner for the server. Though much of the data appeared to be linked to the coupon website SaverSpy, affiliate company Quotient Technology claims they neither own the data, nor suffered a breach. Fortunately, due to the nature of the coupon sites, no payment information was included with the records.

The post Cyber News Rundown: Newegg Breached appeared first on Webroot Blog.

By

Cyber News Rundown: Big Data Mismanagement

Reading Time: ~2 min.

Massive Customer Database Left Exposed by Data Management Firm

A security researcher recently found a database containing customer information for nearly half a billion users of Veeam software on an unsecured AWS server. Most of the data was contact information spanning from 2013 to 2017 and was likely used by the Veeam marketing team’s automated customer contact functions. Fortunately, the database was taken offline within a week of the researcher contacting Veeam about the server.

Hacker Group Breaches British Airways

After last week’s reveal of the data breach affecting nearly 380,000 of the airline’s customers, it was discovered that the injection methods used were the work of known hacker group MageCart. By compromising third-party actors, the group can access hundreds of sites and begin passing any customer payment information back to their own systems. Even more toublesome, this particular attack appeared to be tailored for the British Airways systems specifically, but could very likely be readjusted for other applications.

Chinese Hackers Using Digitally Signed Drivers for Attacks

A long-active hacker group likely based in China has expanded their tactics to include a seemingly innocent network filtering driver (NDISProxy) to start their latest malware campaign. The driver itself has a signed digital certificate from a Chinese-based security software company, which was likely unaware their certificate was being misused. By injecting itself silently across the infected network, the fully functioning remote access Trojan can be used to execute malicious tasks with ease.

Scam Calls Causing Mobile Traffic Jam

The number of scam calls recoreded by the call management firm First Orion rose nearly 1000% over the past year, from 3.7% of total calls last year to 29% so far in 2018. The projections for the coming year project that number to rise to half of all mobile calls received in the U.S. Unfortunately, service providers have few options for slowing down the bombardment of phony calls facing their customers.

Latest MongoDB Attacks are Ransoming Empty Databases

While MongoDB attacks are nothing new, Mongo Lock has stepped up the game by identifying unprotected databases, exporting the data to their servers, wiping them clean, and leaving behind a ransom note instructing the victim to reach out via email rather than sending a Bitcoin payment directly to a crypto-wallet. Mongo Lock appears to operate via an automation script, though it has been known to fail, leaving the victim with both the ransom note and their original data.

The post Cyber News Rundown: Big Data Mismanagement appeared first on Webroot Blog.

By

Cyber News Rundown: Banking Trojans in Google Play

Reading Time: ~2 min.

Banking Trojans Still Appearing in Google Play Store

Multiple security researchers recently discovered a handful of banking trojans that have still managed to make their way into the Google Play app store, despite Google having increased its security to detect such apps. Many of the apps are disguised as astrology/horoscope software, but instead of reading the future, they steal SMS and call logs from the device, install unauthorized apps, and even seek out banking credentials based on other installed applications. Some of these apps had been installed by up to 1,000 individuals, many of whom are likely under the assumption that the app removed itself, after showing a fake error message claiming incompatibility with the device.

Obama-themed Ransomware Forges Dangerous Path

A new ransomware variant bearing the face of the former US president, Barack Obama, has been spotted in the wild performing some unusual encryption tactics. Rather than encrypting personal word documents and pictures, this variant focuses on encrypting executable files across the system, which could lead to the system crashing and other devastating results. It is still unclear if this methodology is the intent, or just an oversight by the ransomware’s authors, but this type of damage is unlikely to pay off if it renders the system nonfunctional.

Thousands of Online Stores Compromised

Due to security loopholes in eCommerce sites that use Magento as a host, nearly 8,000 sites have been confirmed to be hosting card-skimming malware, with up to 60 more being compromised every day. The breaches led to malicious scripts being added to the pages to record and upload any customer inputs in real time, rather than following a more complicated path to obtain the same data after the transaction is complete. Unfortunately, it is difficult to determine whether a site is safe without checking the entire codebase for any unauthorized entries.

Fake Tech Support Ads Now Indistinguishable from Real Counterparts

In the run-up to Google’s release of a verification program for third-party vendors to display ads, the company has been inundated with countless fake tech support advertisements that are nearly impossible to identify over a real vendor’s ads. The creators of these fake ads will go to almost any lengths to avoid detection, including creating entire companies to continue their illicit activities.

Unsecured Sites Leaving .git Repositories Easily Accessible

Nearly 400,000 websites have been found with exposed .git directories that could lead to major information exposure, if improperly accessed. These repositories contain everything from passwords and API keys for the site, to forgotten data stored on the sites. Fortunately for the website owners, the researcher who discovered the breach was not acting maliciously, and quickly began contacting them with information on how he found the leak and what they could do to resolve it.

The post Cyber News Rundown: Banking Trojans in Google Play appeared first on Webroot Blog.

By

Red player one: learning the right security lessons from a red team exercise

A red team exercise can be a valuable way of testing how effective your security controls are. Having your internal security team, or an external consultant, simulate an attacker trying to breach your defences can reveal plenty. Their success or otherwise can show where you need to improve from a security perspective, or what you’re doing right.

I asked Neha Thethi, senior cybersecurity analyst at BH Consulting, to explain how a red team exercise works, how it can be useful, and how to interpret the results.

Are you ready to play?

Firstly, she said that they’re best suited to companies with advanced security already in place. Part of the aim is to check how the organisation reacts when it discovers a breach or attack in progress. For anyone still understanding their risk exposure, a more general vulnerability assessment is more useful than a red team.

Prepare for attack

Whereas pen testing usually involves testing a specific server for technical flaws, a red team exercise has a much wider brief. That could involve finding a weakness in the company’s online application or dropping USB keys near its offices to see if someone will try it on their machine and unwittingly infect the network with malware. In some cases, it’s about using social engineering to gain physical entry to a target’s building or to learn information by a phone call.

“The very nature of red team is to check how you can infiltrate an organisation through whatever means possible, so it could be anything and everything,” Neha explains.

Easy intelligence gathering

A red team generally starts by carrying out reconnaissance of its target, just like any good attacker would. This stage involves gathering open source intelligence, also called OSINT. In practice, Neha describes this as “Google the hell out of them and gather email addresses of key employees from places like LinkedIn.” This can reap big returns for attackers, as it’s a great chance to size up a target’s weak spots.

With a red team exercise, nothing is out of scope unless the client specifically asks for it. Neha says it’s worth agreeing in advance what systems or processes if any are included in the scope of the project.

Set the time

Allocating the right time to a red team exercise is a matter of balancing budgets and priorities. Some red team exercises can go on for months. When the brief is simply to “try and break in”, the “attacker” has the element of surprise on their side. Other times, the goal is to see what progress a supposed attacker could make within a defined period. This might be as little as a week. So, the attacker might find vulnerabilities in a victim’s application but may not get to exploit them in time. Even such cases yield valuable intelligence for the organisation. It identifies potential threats they might not have known about, and they can assess the risk to decide if they need to invest in making it more secure.

Learning the lessons

So what benefit does an organisation get from asking a red team to probe and poke at its security? “The most value the organisation gets is getting the assurance about the areas that they’re good in. it’s very important not just to know what they were weak at, but to report on the things they do well,” Neha says.

The outcome of a red team exercise is a report highlighting any negative aspects of security that the “attacker” uncovers. The document should make recommendations about ways to make those weak points more secure. Equally, it’s just as important to highlight areas where the organisation is doing things right. Many real-world attacks start with phishing. So if a red team’s attempt was unsuccessful because the organisation had trained its employees to spot suspicious emails, that’s a valid finding to include. “One of the most important things in a report is to assure the customer that the measures they have are effective,” Neha says.

With a red team report, context is everything. Some security people tend to focus only on weaknesses. While they have their place, it’s important to take the red team’s findings in context. There will usually be room for improvement, but it’s always encouraging to know what you’re doing right.

The post Red player one: learning the right security lessons from a red team exercise appeared first on BH Consulting.

By

EICAR – The Most Common False Positive in the World

Reading Time: ~4 min.

If you saw a file called eicar.com on your computer, you might think it was malware. But, you would be wrong. Readers, if you haven’t yet met the EICAR test file, allow me to introduce you to it. If you have used the EICAR test file, let’s get a bit cozier with it.

If you ran this file through VirusTotal, 61 out of 62 antimalware scanners currently would detect the EICAR test file as if it were malicious. That’s because the EICAR file is actually a tool that was designed to help users verify their antimalware scanner is functioning properly. The EICAR test file is a harmless piece of code that most vendors have agreed to flag as if it was malicious. Essentially, it’s a false positive—by design—for your benefit. Some scanners detect it, some do not; neither outcome indicates that any scanner is better or worse than another.

If you have heard of EICAR, you may have seen it referred to as a “test virus,” but that’s inaccurate. Think of it more like the test button on a smoke detector in your home. The test button doesn’t simulate fire or smoke; it simply lets you know that the smoke detector is functional. The test button certainly doesn’t tell you anything about the quality of the smoke detector. Similarly, the EICAR test file does not simulate malware, it just causes a scanner to demonstrate how it would handle a threat it detected (assuming the vendor has chosen to recognize the file as malicious, that is.)

Using the EICAR Test File

Now that you know more about EICAR, let’s talk about why, how, and when you might want to use it.

  1. Curiosity. The first time I used the test file, it was purely out of curiosity. What if I zipped the file up or changed its extension from .com to .xyz, and so on. Because the file itself is harmless, I could simulate any number of scenarios without risk to my computer or my data.
  2. Smoke test.The intended purpose of the test file was always to verify that your scanner was properly installed and that the scan engine was functional. Any time you install a new antimalware product, you can give it a quick test with the EICAR file to make sure it is functioning as designed (if the vendor support the file, that is.)
  3. Forensics. Malware writers often try to disable a scanner as soon as their malicious code gains a foothold on a given computer. If you periodically test your scanner and, one day, it fails to detect the test file, that couldindicate of an infection. Keep in mind, it could also indicate that another layer of security blocked the file before it got to your scanner. The test itself is not conclusive and should only be considered as part of a bigger picture.
  4. Behavioral information.Between 1997 and 2004, I ensured that none of their software releases were infected. I used 11 different virus scanners on each of my test machines (don’t try this at home). The testing was not about the quality of the scanners, but rather how they’d react in different situations to help me make decisions and gain greater knowledge. For example, antivirus scanners have default configurations that I needed to test and potentially modify. Back then, not all scanners scanned all extension types by default. A directory with EICAR test files that each had different extensions would allow me to determine if my scanner’s default configuration for file types needed to be adjusted. Once I made modifications, I had to test those as well. There were a variety of tests I could run involving filenames with punctuation or foreign language characters, too. Basically, I could test virus handling without needing am actual virus.

Note: At the Virus Bulletin conference in 1999 I presented the paper, “Giving the EICAR Test File Some Teeth.” If you’re interested in the breadth of test scenarios I explored, you can read the paper on the Virus Bulletin website.

Where to Find EICAR

You’d think the easiest way to get your hands on this file would be to download it straight from www.eicar.org, except that your antimalware scanner might block the download. To get around that, you’d likely have to temporarily disable your web protection—WHICH I DO NOT RECOMMEND. Instead, I’ll show you how to create the file yourself.

Here are the step by step instructions.

  1. Open Notepad.
  2. Copy the following string and paste it into Notepad:
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
  3. Save the file and cross your fingers that your scanner doesn’t detect it on close.

Note: You could create the file in Microsoft® Word, but you’d have to save it as plain text. The test file must begin with the test string, and Word includes additional information in .doc and .docx files.

The file eicar.com, will run on older operating systems, but not on a 64-bit OS. When you run it on a compatible OS, the file will display this text.

eicar1

You can change the display message to anything you like. In the following example, I’ve replaced the word EICAR with my name.

eicar2

However, if you change it as I did above, it will no longer be a valid test file and should not be detected by your antimalware program.

At the 1999 Virus Bulletin conference, I asked researchers for EICAR-like test files to test script and macro detection. Although we still don’t have that, the Anti-Malware Testing Standards Organization (AMTSO) provides a set of security feature checks at www.amtso.org/security-features-check. Just be sure to remember that the security feature checks, like the EICAR test file, don’t indicate the quality of the product, but they can be used to ensure that certain features are functioning.

Questions? Comments? Let’s talk on the Webroot community forum.

The post EICAR – The Most Common False Positive in the World appeared first on Webroot Blog.