PC PORTAL

Experienced. Trusted. Solutions.

Malware

By

The Nastiest Malware of 2020

Reading Time: ~ 4 min.

For the third year running, we’ve examined the year’s biggest cyber threats and ranked them to determine which ones are the absolute worst. Somewhat unsurprisingly, phishing and RDP-related breaches remain the top methods we’ve seen cybercriminals using to launch their attacks. Additionally, while new examples of malware and cybercriminal tactics crop up each day, plenty of the same old players, such as ransomware, continue to get upgrades and dominate the scene.

For example, a new trend in ransomware this year is the addition of a data leak/auction website, where criminals will reveal or auction off data they’ve stolen in a ransomware attack if the victim refuses to pay. The threat of data exposure creates a further incentive for victims to pay ransoms, lest they face embarrassing damage to their personal or professional reputations, not to mention hefty fines from privacy-related regulatory bodies like GDPR.

But the main trend we’ll highlight here is that of modularity. Today’s malicious actors have adopted a more modular malware methodology, in which they combine attack methods and mix-and-match tactics to ensure maximum damage and/or financial success.

Here are a few of nastiest characters and a breakdown of how they can work together.

  • Emotet botnet + TrickBot Trojan + Conti/Ryuk ransomware
    There’s a reason Emotet has topped our list for 3 years in a row. Even though it’s not a ransomware payload itself, it’s the botnet that is responsible for the most ransomware infections, making it pretty darn nasty. It’s often seen with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil.

    Here’s how an attack might start with Emotet and end with ransomware. The botnet is used in a malicious spam campaign. An unwitting employee at a company receives the spam email, accidentally downloads the malicious payload. With its foot in the door, Emotet drops TrickBot, an info-stealing Trojan. TrickBot spreads laterally through the network like a worm, infecting every machine it encounters. It “listens” for login credentials (and steals them), aiming to get domain-level access. From there, attackers can perform recon on the network, disable protections, and drop Conti/Ryuk ransomware at their leisure.
  • Ursnif Trojan + IcedID Trojan + Maze ransomware
    Ursnif, also known as Gozi or Dreambot, is a banking Trojan that has resurfaced after being mostly dormant for a few years. In an attack featuring this troublesome trio, Ursnif might land on a machine via a malicious spam email, botnet, or even TrickBot, and then drop the IcedID Trojan to improve the attackers’ chances of getting the credentials or intel they want. (Interestingly, IcedID has been upgraded to use steganographic payloads. Steganography in malware refers to concealing malicious code inside another file, message, image or video.) Let’s say the Trojans obtain the RDP credentials for the network they’ve infected. In this scenario, the attackers can now sell those credentials to other bad actors and/or deploy ransomware, typically Maze. (Fun fact: Maze is believed to have “pioneered” the data leak/auction website trend.)
  • Dridex/Emotet malspam + Dridex Trojan + BitPaymer/DoppelPaymer ransomware

Like TrickBot, Dridex is another very popular banking/info-stealing Trojan that’s been around for years. When Dridex is in play, it is either dropped via Emotet or its authors’ own malicious spam campaign. Also like TrickBot, Dridex spreads laterally, listens for credentials, and typically deploys ransomware like BitPaymer/DoppelPaymer.

As you can see, there are a variety of ways the attacks can be carried out, but the end goal is the more or less the same. The diverse means just help ensure the likelihood of success.

The characters mentioned above are, by no means, the only names on our list. Here are some of the other notable contenders for Nastiest Malware.

  • Sodinokibi/REvil/GandCrab ransomware – all iterations of the same ransomware, this ransomware as a service (RaaS) payload is available for anyone to use, as long as the authors get a cut of any successful ransoms.
  • CrySiS/Dharma/Phobos ransomware – also RaaS payloads, these are almost exclusively deployed using compromised RDP credentials that are either brute-forced or easily guessed.
  • Valak – a potent multi-functional malware distribution tool. Not only does it commonly distribute nasty malware such as IcedID and Ursnif, but it also has information stealing functionalities built directly into the initial infection.
  • QakBot – an info-stealing Trojan often dropped by Emotet or its own malspam campaigns with links to compromised websites. It’s similar to TrickBot and Dridex and may be paired with ProLock ransomware.

Combine protections to combat combined attacks.

If businesses want to stay safe, they need to implement multiple layers of protection against these types of layered attacks. Here are some tips from our experts.

  • Lock down RDP. Security analyst Tyler Moffitt says unsecured RDP has risen over 40% since the COVID-19 pandemic began because more businesses are enabling their workforce to work remotely. Unfortunately, many are not doing so securely. He recommends businesses use RDP solutions that encrypt the data and use multi-factor authentication to increase security when remoting into other machines.
  • Educate end users about phishing. Principal product manager Phil Karcher points out that many of the attack scenarios listed above could be prevented with stronger phishing/spam awareness among end users. He recommends running regular security training and phishing simulations with useful feedback. He also says it’s critical that employees know when and how to report a suspicious message.
  • Install reputable cybersecurity software. Security intelligence director Grayson Milbourne can’t stress enough the importance of choosing a solution that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple kinds of attacks at different attack stages.
  • Set up a strong backup and disaster recovery plan. VP of product management Jamie Zajac says that, particularly with a mostly or entirely remote workforce, businesses can’t afford not to have a strong backup. She strongly recommends regular backup testing and setting alerts and regular reporting so admins can easily see if something’s amiss.

Discover more about the 2020’s Nastiest Malware on the Webroot Community.

The post The Nastiest Malware of 2020 appeared first on Webroot Blog.

By

Cybersecurity Tips for a Happy National Video Games Day

Reading Time: ~ 3 min.

This year more than others, for many of us, it’s gaming that’s gotten us through. Lockdowns, uncertainty, and some pretty darn good releases have kept our computers and consoles switched on in 2020. GamesIndustry.biz, a website tracking the gaming sector, reported a record number of concurrent users on the gaming platform Steam for several weeks as the lockdown went into effect.

According to NationalToday.com, the authority for such days, video games are an $18 billion industry that trace their origins to the halls of prestigious educational institutions like Oxford University and MIT. Not surprisingly given, the nature of our work, they’ve captured the hearts and imaginations of a good number of here at Webroot. But again, due to the nature our work, we’re well attuned to video game-related hacks and scams.

This March, 66 malicious gaming apps were discovered to have evaded reviewers and found their way into the Google Play store. In April, just as coronavirus was beginning to keep most of us indoors, Nintendo was breached and the accounts of more than 300,000 gamers were compromised. Phishing attacks posing as gaming platforms have risen significantly during this time period.

But too often we hear from gamers that they don’t use an antivirus. With all the time gamers spend online, especially PC gamers, this is a big risk. Many of the reasons we hear for not using an antivirus, in fact, are based on misconceptions.

So, to clear up some of those misconceptions, and to provide some tips for spending National Video Games Safely, we sat down with cybersecurity expert and resident gamer Tyler Moffitt to get his advice.

What kinds of security threats do gamers face?

Not running any security is the main one. It’s a big problem within the gaming community. There are also tailored phishing attempts for online games where accounts can be worth over $100. The happen on platforms including Blizzard, Steam, Epic, Riot and others.

Why do cybercriminals target gamers?

They can be a niche target when big things happen like major game releases. Halo, World of Warcraft, Grand Theft Auto, and Call of Duty have all been targets for scams. But PC gamers not running any antivirus solution other than built-in or free protection are asking for trouble.

Either by game or gaming type, what tends to be the biggest target for hackers?

The way most players are infected with actual malware and not just giving up account info is by downloading game hacks. These are usually aim bots or other ways to cheat at the game. In addition to making games less fun for other players, they endanger the cybersecurity of the individuals doing the cheating. Also, trying to download games for free on torrent sites is just asking for trouble…or a trojan

Any misconceptions about gaming security?

I’d the biggest one is that all antiviruses today will cause problems with gameplay. Many players imagine they’ll have issues with latency, or their frame rate will drop off significantly, and that’s just not true. While years ago this may have been the case with heavy installation suites and large daily definition updates, many anti-viruses has changed throughout the years to do all the heavy lifting in the cloud while still being lightning fast and accurate with threats. The amount of CPU, RAM and bandwidth usage of AVs while idle and during a scan are significantly lighter than they used to be.

What can gamers do to improve online security?

As I mentioned, running an antivirus is essential. There are lightweight options available that won’t impact gameplay. Also, I recommend enabling two-factor authentication on all accounts for online games whenever possible to reduce the risk of falling victim to a malicious hacker.

As a gamer yourself, anything else to consider or personal best practice to share?

Trying to cheat or download premium games for free, especially when prompted to by clickbait-type ads, will almost always lead to a scam or malware. There’s no such thing as a free lunch.

See how Webroot compares to competitors in terms of installation size, scan time, and resource use in in third-party performance testing here.

The post Cybersecurity Tips for a Happy National Video Games Day appeared first on Webroot Blog.

By

Cyber News Rundown: Android Giveaway Fraud

Reading Time: ~ 2 min.

Thousands of Android Users fall Victim to Giveaway Fraud

Upwards of 65,000 Android users were potentially compromised after installing a malicious app promising free giveaways. Over the year the scam was in effect, roughly 5,000 apps were spoofed to lure victims into downloading in exchange for a phony giveaway. In reality, the infection pushes silent background ads which generate ad revenue for the scammers and decrease device performance.

North American Real Estate Firm Hit by Ransomware

A new ransomware variant known as DarkSide claimed its first victim, Brookfield Residential,  after operating for nearly two weeks. The North American real estate developer recently noticed unauthorized access to several systems and was left a ransom note stating that over 200GB of data had been stolen. The data has since been published to DarkSide’s leak site, which has prompted many to speculate the ransom was not paid by Brookfield Residential.

Cryptominers Caught Using AI

Researchers have been at work creating an AI algorithm to detect malicious cryptocurrency miners while avoiding legitimate ones. The detection method compares currently running miners to graphs of both legitimate and illegitimate miners and monitors changes between the processes being used and the scheduling of mining activity. This type of detection may be put to use to decrease the overall use of malicious code that can often tax the system’s CPU usage to max capacity.

Los Angeles School District Suffers Cyber Attack

Just weeks after the FBI issued a warning about the threat of cyberattacks against school districts, the Rialto School District in California has fallen victim to just such an attack. These setbacks have made the return to online schooling particularly difficult. The extent of the attack remains unclear and officials are still working to determine the effects on the 25,000 enrolled students.

Maze Ransomware Cartel Adds New Variant Team

The authors of the lesser-known ransomware variant SunCrypt have recently joined forces with the Maze ransomware cartel. It’s believed the new cartel members were brought in to assist with the high volume of attacks that the Maze Group is handling and are being paid with a portion of its profits. In addition to new revenue streams from its partnership with the organization, cartel members also benefit from access to the Maze Group’s resources including obfuscation techniques and posting cartel member’s stolen data to their dedicated leak site.

The post Cyber News Rundown: Android Giveaway Fraud appeared first on Webroot Blog.

By

Cyber News Rundown: GoldenSpy

Reading Time: ~ 2 min.

Malware Discovered in Chinese Tax Software

As part of an official Chinese tax initiative, researchers have found multiple backdoors into mandatory tax software installed on all Chinese business systems. The new malware is called GoldenHelper, in a nod to the command-and-control domain tax-helper.ltd, and has been in active development and use since 2018. The latest campaign, dubbed GoldenSpy, is adept at avoiding detection and began within months of the old command-and-control servers going offline.

Texas Collections Company Suffers Data Breach

The Texas billing and collection company Benefits Recovery Specialists Inc. has announced that a breach containing data on over 250,000 customers occurred in April. The breach leaked personally identifiable information including Social Security Numbers, birthdates and physical addresses, that could all be used to launch additional attacks. Affected clients began receiving notifications about the breach in June, though the company has still not shared what malware was installed by the perpetrators.

Microsoft Fixes 17-Year-Old DNS Flaw

After nearly 17 years of being active and exploitable, Microsoft has finally identified and resolved a major vulnerability involving a worm-like transmission that requires no human interaction. With the help of a third-party security firm Microsoft was able to patch the vulnerability before it caused significant damage, though the time was certainly there for malicious actors to use the flaw to execute any number of malicious executables onto an endless string of compromised machines.

UK Ticket Provider Leaves 4.8 Million Logins Unsecured

A collection of roughly 4.8 million login credentials have been found in a leaked database belonging to a major UK ticker provider serving customers around the world. Among the credentials were domains belonging to several government agencies along with millions of consumer webmail users. The site has also been targeted in the past by attackers looking to deface the website and has been called vulnerable to SQL injection should attackers pursue that method.

Wattpad Database Compromises Millions of Users

Officials have been working over the past week to remediate a data breach that could affect over 200 million users of Wattpad. The compromised database was listed for $100,000 on a Dark Web sale site, but was later re-listed with no price. Its owners claim to hold records for over 271 million users. Wattpad has stated that, though personally identifiable information was revealed in the breach, no financial information was accessible since Wattpad doesn’t store it directly on its servers.

The post Cyber News Rundown: GoldenSpy appeared first on Webroot Blog.

By

Cyber News Rundown: Malicious COVID-19 Websites Surge

Reading Time: ~ 2 min.

Malicious COVID-19 Websites Surge

In recent months, more than 136 thousand new domains have been registered that reference the current COVID-19 outbreak, many of which have yet to be flagged. A large portion of these sites are distributing phishing campaigns with fake bank login forms and inaccurate URLs, including any number of pandemic buzz words. Hopefully, some of the domain registrars will implement stricter detection for these sites to avoid the preying on of people seeking information during the outbreak.

NASA Employees Face Spike in Cyberattacks

NASA and many other federal departments are among those moving to telework and they are seeing an alarming rise in cyberattacks. These attacks include several variations of phishing campaigns designed to seek sensitive data or login credentials through requests for tax forms or disinformation about the current pandemic. NASA employees are especially seeing these types of attacks targeting mobile devices directly, since they often have fewer active security measures in place when compared to other devices.

Fingerprint Security Still Not Foolproof

A group of researchers that recently spent time studying various mobile devices’ fingerprint security measures found a shockingly high success rate from fake prints. By testing a variety of mobile devices, they learned that creating a continuously-successful print mold, while requiring a significant amount of time, could easily unlock a device before wiping features would be triggered. Advancements in fingerprint technology and better biosecurity implementations are clearly necessary.

Medical Testing Company Suffers Data Breach

After a ransomware attack by Maze authors, a major medical testing firm has had a large portion of stolen data published on the Maze “news” site. The data was leaked nearly a week after the initial attack, which the company refused to pay ransom for. While the stolen data only included victims with surnames beginning with D, G, I, and J, the testing company recommends all clients monitor their financials for any signs of fraud. This attack comes during a time where several ransomware authors pledged to avoid attacking healthcare or medical establishments, though they claim this campaign was started prior to the current outbreak.

Philippines Law Enforcement Arrests Fake News Distributors

At least 32 individuals were arrested in the Philippines for spreading fake COVID-19 information across several social media platforms. Some of the accused were reported to have instigated raids of food storage facilities after making false claims of regional shortages. The country, with over 3,000 confirmed cases of COVID-19, will maintain lockdown procedures to limit the spread of the disease until the end of April.

The post Cyber News Rundown: Malicious COVID-19 Websites Surge appeared first on Webroot Blog.