PC PORTAL

Experienced. Trusted. Solutions.

Malware

By

Cyber News Rundown: Trickbot Spreads Via Subway Emails

Trickbot spreading through Subway company emails

Customers of Subway U.K. have been receiving confirmation emails for recent orders that instead contain malicious links for initiating Trickbot malware downloads. Subway has since disclosed that it discovered unauthorized access to several of its servers, which then launched the campaign. Users who do click on the malicious link initiate a process in Task Manager that can be stopped to prevent additional illicit activities typical of Trickbot infections.

Scores of municipal websites attacked in Lithuania

At least 22 websites belonging to various municipalities in Lithuania were compromised after a sophisticated cyberattack allowed intruders to take control. After gaining access to the sites, the attackers began delivering misinformation emails under the auspices of Lithuanian government and military ministries. Much of the misinformation being spread revolved around military enlistment and the suspicion of corruption at an airport housing a NATO facility.

Researchers discover millions of medical records online

Researchers at CybelAngel have uncovered over 45 million healthcare records on unprotected servers. Amongst the sensitive data was personal health information and other personally identifiable data, all left on servers with a login page that allowed access without credentials. It’s likely this data was left unsecured because of the number of medical professionals needing to access, though the security lapse is inexcusable. With healthcare facilities prime targets for ransomware attacks, communications between organizations should entail strict security to protect the valuable data.

Ransomware strikes city of Independence, Missouri

Officials for the city of Independence, Missouri, have been working for weeks to recover from a ransomware attack that forced them to take several essential services offline. Fortunately, recent file backups were available to restore some of the encrypted systems to normal. At this point, officials remain uncertain if customer or employee data was stolen during the attack, and no ransomware group has come forward to take credit for the attack or post the stolen data for sale.

Data Breach Compromises Patient Data at California Hospital

California’s Sonoma Valley Hospital recently delivered letters to roughly 67,000 patients regarding a data breach back in October that may have compromised personally identifiable information and other healthcare records. While the hospital was able to shut down some of their systems to prevent the breach from spreading, the attackers are believed to have gained access to and stole sensitive data.

The post Cyber News Rundown: Trickbot Spreads Via Subway Emails appeared first on Webroot Blog.

By

Cyber News Rundown: Biological Worries Over Malware Attacks

Biological Worries Over Malware Attacks

Researchers have recently unveiled the latest potential victim for malware authors: biological laboratories. By illicitly accessing these facilities, hackers may be able to digitally replace sections of DNA strings, causing unexpected results when biologists go to create or experiment with these compounds. While it is fortunate that this specific targeted attack was simulated in a closed environment, it brought to light the extreme focus that a cyber-attack may be capable of implementing, and the lengths some attackers may go to accomplish their goal.

SMS App Exposes Messages of Millions

Despite the weeks of effort from the developer, GO SMS Pro an instant messaging app with over 100 million users is still suffering from messages being leaked. What originated as a bug has left the messaging app critically flawed for upwards of three months, with no clear signs of resolution, as even new versions of the app have been unable to rectify the problem. The researchers who discovered the flaw were able to view video and picture messages, along with other private messages, due to the URL shortening that occurs when the messages are sent to contacts that don’t have the app installed.

Colorado Health Service Provider Suffers Patient Data Breach

Sometime during the middle of September, the Colorado-based health service provider AspenPointe suffered a data breach that may have compromised the sensitive health information of nearly 300,000 patients. The facility noticed the unauthorized access over a two-week period, but only began notifying patients of the breach in the third week of November. Officials have also confirmed that everything from names to medical history, and other highly sensitive personal information was stolen, though no reports of misuse have yet arisen.

Ransomware Shuts Down Alabama School District

The Huntsville City school district, one of the largest in Alabama, has been forced to close all operations following a ransomware attack that took place as students and staff were returning from Thanksgiving break. District officials worked quickly to take all devices offline, be them computers or smart phones, to stop the spread of the attack. Students were also sent home early, with no firm statement on when classes would resume, as the attack could take them days or weeks to recover from.

Five Arrested in Louisiana Child Crime Sweep

At least 5 individuals have been arrested by the Louisiana Cyber Crime Unit, following an investigation into the online exploitation of children. By tracing IP addresses and even simply viewing social media profiles of all 5 individuals, law enforcement agents have been able to confirm charges of possession or creation of child pornography, thus removing another group of child predators from the general population.

The post Cyber News Rundown: Biological Worries Over Malware Attacks appeared first on Webroot Blog.

By

The Nastiest Malware of 2020

Reading Time: ~ 4 min.

For the third year running, we’ve examined the year’s biggest cyber threats and ranked them to determine which ones are the absolute worst. Somewhat unsurprisingly, phishing and RDP-related breaches remain the top methods we’ve seen cybercriminals using to launch their attacks. Additionally, while new examples of malware and cybercriminal tactics crop up each day, plenty of the same old players, such as ransomware, continue to get upgrades and dominate the scene.

For example, a new trend in ransomware this year is the addition of a data leak/auction website, where criminals will reveal or auction off data they’ve stolen in a ransomware attack if the victim refuses to pay. The threat of data exposure creates a further incentive for victims to pay ransoms, lest they face embarrassing damage to their personal or professional reputations, not to mention hefty fines from privacy-related regulatory bodies like GDPR.

But the main trend we’ll highlight here is that of modularity. Today’s malicious actors have adopted a more modular malware methodology, in which they combine attack methods and mix-and-match tactics to ensure maximum damage and/or financial success.

Here are a few of nastiest characters and a breakdown of how they can work together.

  • Emotet botnet + TrickBot Trojan + Conti/Ryuk ransomware
    There’s a reason Emotet has topped our list for 3 years in a row. Even though it’s not a ransomware payload itself, it’s the botnet that is responsible for the most ransomware infections, making it pretty darn nasty. It’s often seen with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil.

    Here’s how an attack might start with Emotet and end with ransomware. The botnet is used in a malicious spam campaign. An unwitting employee at a company receives the spam email, accidentally downloads the malicious payload. With its foot in the door, Emotet drops TrickBot, an info-stealing Trojan. TrickBot spreads laterally through the network like a worm, infecting every machine it encounters. It “listens” for login credentials (and steals them), aiming to get domain-level access. From there, attackers can perform recon on the network, disable protections, and drop Conti/Ryuk ransomware at their leisure.
  • Ursnif Trojan + IcedID Trojan + Maze ransomware
    Ursnif, also known as Gozi or Dreambot, is a banking Trojan that has resurfaced after being mostly dormant for a few years. In an attack featuring this troublesome trio, Ursnif might land on a machine via a malicious spam email, botnet, or even TrickBot, and then drop the IcedID Trojan to improve the attackers’ chances of getting the credentials or intel they want. (Interestingly, IcedID has been upgraded to use steganographic payloads. Steganography in malware refers to concealing malicious code inside another file, message, image or video.) Let’s say the Trojans obtain the RDP credentials for the network they’ve infected. In this scenario, the attackers can now sell those credentials to other bad actors and/or deploy ransomware, typically Maze. (Fun fact: Maze is believed to have “pioneered” the data leak/auction website trend.)
  • Dridex/Emotet malspam + Dridex Trojan + BitPaymer/DoppelPaymer ransomware

Like TrickBot, Dridex is another very popular banking/info-stealing Trojan that’s been around for years. When Dridex is in play, it is either dropped via Emotet or its authors’ own malicious spam campaign. Also like TrickBot, Dridex spreads laterally, listens for credentials, and typically deploys ransomware like BitPaymer/DoppelPaymer.

As you can see, there are a variety of ways the attacks can be carried out, but the end goal is the more or less the same. The diverse means just help ensure the likelihood of success.

The characters mentioned above are, by no means, the only names on our list. Here are some of the other notable contenders for Nastiest Malware.

  • Sodinokibi/REvil/GandCrab ransomware – all iterations of the same ransomware, this ransomware as a service (RaaS) payload is available for anyone to use, as long as the authors get a cut of any successful ransoms.
  • CrySiS/Dharma/Phobos ransomware – also RaaS payloads, these are almost exclusively deployed using compromised RDP credentials that are either brute-forced or easily guessed.
  • Valak – a potent multi-functional malware distribution tool. Not only does it commonly distribute nasty malware such as IcedID and Ursnif, but it also has information stealing functionalities built directly into the initial infection.
  • QakBot – an info-stealing Trojan often dropped by Emotet or its own malspam campaigns with links to compromised websites. It’s similar to TrickBot and Dridex and may be paired with ProLock ransomware.

Combine protections to combat combined attacks.

If businesses want to stay safe, they need to implement multiple layers of protection against these types of layered attacks. Here are some tips from our experts.

  • Lock down RDP. Security analyst Tyler Moffitt says unsecured RDP has risen over 40% since the COVID-19 pandemic began because more businesses are enabling their workforce to work remotely. Unfortunately, many are not doing so securely. He recommends businesses use RDP solutions that encrypt the data and use multi-factor authentication to increase security when remoting into other machines.
  • Educate end users about phishing. Principal product manager Phil Karcher points out that many of the attack scenarios listed above could be prevented with stronger phishing/spam awareness among end users. He recommends running regular security training and phishing simulations with useful feedback. He also says it’s critical that employees know when and how to report a suspicious message.
  • Install reputable cybersecurity software. Security intelligence director Grayson Milbourne can’t stress enough the importance of choosing a solution that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple kinds of attacks at different attack stages.
  • Set up a strong backup and disaster recovery plan. VP of product management Jamie Zajac says that, particularly with a mostly or entirely remote workforce, businesses can’t afford not to have a strong backup. She strongly recommends regular backup testing and setting alerts and regular reporting so admins can easily see if something’s amiss.

Discover more about the 2020’s Nastiest Malware on the Webroot Community.

The post The Nastiest Malware of 2020 appeared first on Webroot Blog.

By

Cybersecurity Tips for a Happy National Video Games Day

Reading Time: ~ 3 min.

This year more than others, for many of us, it’s gaming that’s gotten us through. Lockdowns, uncertainty, and some pretty darn good releases have kept our computers and consoles switched on in 2020. GamesIndustry.biz, a website tracking the gaming sector, reported a record number of concurrent users on the gaming platform Steam for several weeks as the lockdown went into effect.

According to NationalToday.com, the authority for such days, video games are an $18 billion industry that trace their origins to the halls of prestigious educational institutions like Oxford University and MIT. Not surprisingly given, the nature of our work, they’ve captured the hearts and imaginations of a good number of here at Webroot. But again, due to the nature our work, we’re well attuned to video game-related hacks and scams.

This March, 66 malicious gaming apps were discovered to have evaded reviewers and found their way into the Google Play store. In April, just as coronavirus was beginning to keep most of us indoors, Nintendo was breached and the accounts of more than 300,000 gamers were compromised. Phishing attacks posing as gaming platforms have risen significantly during this time period.

But too often we hear from gamers that they don’t use an antivirus. With all the time gamers spend online, especially PC gamers, this is a big risk. Many of the reasons we hear for not using an antivirus, in fact, are based on misconceptions.

So, to clear up some of those misconceptions, and to provide some tips for spending National Video Games Safely, we sat down with cybersecurity expert and resident gamer Tyler Moffitt to get his advice.

What kinds of security threats do gamers face?

Not running any security is the main one. It’s a big problem within the gaming community. There are also tailored phishing attempts for online games where accounts can be worth over $100. The happen on platforms including Blizzard, Steam, Epic, Riot and others.

Why do cybercriminals target gamers?

They can be a niche target when big things happen like major game releases. Halo, World of Warcraft, Grand Theft Auto, and Call of Duty have all been targets for scams. But PC gamers not running any antivirus solution other than built-in or free protection are asking for trouble.

Either by game or gaming type, what tends to be the biggest target for hackers?

The way most players are infected with actual malware and not just giving up account info is by downloading game hacks. These are usually aim bots or other ways to cheat at the game. In addition to making games less fun for other players, they endanger the cybersecurity of the individuals doing the cheating. Also, trying to download games for free on torrent sites is just asking for trouble…or a trojan

Any misconceptions about gaming security?

I’d the biggest one is that all antiviruses today will cause problems with gameplay. Many players imagine they’ll have issues with latency, or their frame rate will drop off significantly, and that’s just not true. While years ago this may have been the case with heavy installation suites and large daily definition updates, many anti-viruses has changed throughout the years to do all the heavy lifting in the cloud while still being lightning fast and accurate with threats. The amount of CPU, RAM and bandwidth usage of AVs while idle and during a scan are significantly lighter than they used to be.

What can gamers do to improve online security?

As I mentioned, running an antivirus is essential. There are lightweight options available that won’t impact gameplay. Also, I recommend enabling two-factor authentication on all accounts for online games whenever possible to reduce the risk of falling victim to a malicious hacker.

As a gamer yourself, anything else to consider or personal best practice to share?

Trying to cheat or download premium games for free, especially when prompted to by clickbait-type ads, will almost always lead to a scam or malware. There’s no such thing as a free lunch.

See how Webroot compares to competitors in terms of installation size, scan time, and resource use in in third-party performance testing here.

The post Cybersecurity Tips for a Happy National Video Games Day appeared first on Webroot Blog.

By

Cyber News Rundown: Android Giveaway Fraud

Reading Time: ~ 2 min.

Thousands of Android Users fall Victim to Giveaway Fraud

Upwards of 65,000 Android users were potentially compromised after installing a malicious app promising free giveaways. Over the year the scam was in effect, roughly 5,000 apps were spoofed to lure victims into downloading in exchange for a phony giveaway. In reality, the infection pushes silent background ads which generate ad revenue for the scammers and decrease device performance.

North American Real Estate Firm Hit by Ransomware

A new ransomware variant known as DarkSide claimed its first victim, Brookfield Residential,  after operating for nearly two weeks. The North American real estate developer recently noticed unauthorized access to several systems and was left a ransom note stating that over 200GB of data had been stolen. The data has since been published to DarkSide’s leak site, which has prompted many to speculate the ransom was not paid by Brookfield Residential.

Cryptominers Caught Using AI

Researchers have been at work creating an AI algorithm to detect malicious cryptocurrency miners while avoiding legitimate ones. The detection method compares currently running miners to graphs of both legitimate and illegitimate miners and monitors changes between the processes being used and the scheduling of mining activity. This type of detection may be put to use to decrease the overall use of malicious code that can often tax the system’s CPU usage to max capacity.

Los Angeles School District Suffers Cyber Attack

Just weeks after the FBI issued a warning about the threat of cyberattacks against school districts, the Rialto School District in California has fallen victim to just such an attack. These setbacks have made the return to online schooling particularly difficult. The extent of the attack remains unclear and officials are still working to determine the effects on the 25,000 enrolled students.

Maze Ransomware Cartel Adds New Variant Team

The authors of the lesser-known ransomware variant SunCrypt have recently joined forces with the Maze ransomware cartel. It’s believed the new cartel members were brought in to assist with the high volume of attacks that the Maze Group is handling and are being paid with a portion of its profits. In addition to new revenue streams from its partnership with the organization, cartel members also benefit from access to the Maze Group’s resources including obfuscation techniques and posting cartel member’s stolen data to their dedicated leak site.

The post Cyber News Rundown: Android Giveaway Fraud appeared first on Webroot Blog.