Author Archives: David Bisson

Malicious Windows EXE Files Infect macOS Users With Infostealers and Adware

Security researchers discovered several Microsoft Windows EXE files using malicious payloads to infect macOS users with infostealers and adware.

Trend Micro found one adware-bearing sample hiding within an installer for the Windows and Mac firewall app Little Snitch, which is available for download from various torrent websites. The sample was able to bypass Mac’s Gatekeeper, since this built-in protection mechanism doesn’t conduct code signature checks for or otherwise verify EXE files on machines running macOS.

Contained within the ZIP file downloaded from the torrent websites is a DMG file that hosts the Little Snitch installer. This installer hides an EXE file that loads an infostealer. The malware then gathers basic system information, such as Memory, BootROMVersion and SMCVersion, and scans the /Application directory for installed apps, such as App Store, FaceTime and Mail. After completing these steps, the malware sends all its findings to its command-and-control (C&C) server.

Additionally, the executable is capable of downloading several files from the internet. These files, in turn, download adware and other potentially unwanted applications.

Bridging Windows and macOS With Malware

These files don’t constitute the only instance of a digital threat crossing between Windows and macOS. In May 2017, for instance, Fox-IT identified a Mac OS X version of Snake malware, which traditionally targets the Windows platform. Less than a year later, security researcher Patrick Wardle of Objective-See uncovered CrossRat, a versatile threat capable of targeting Windows, macOS and Linux machines.

In a few cases, researchers have even observed attack campaigns distributing separate threats that target Windows and Mac computers. Security researchers at Microsoft came across one such instance in 2011 containing both the Mac-based Olyx backdoor and other Windows malware.

How to Defend Against Malicious EXE Files

Security professionals can help protect against adware-laden EXE files by creating security policies that limit the types of websites from which employees can download applications. They can frame this policy within the context of a larger app approval framework through which security teams follow a logical sequence to upload/review apps and ensure vendor integration. At the same time, security professionals should apply user activity analytics to a long-term data repository to sufficiently protect corporate data against digital threats like infostealers.

The post Malicious Windows EXE Files Infect macOS Users With Infostealers and Adware appeared first on Security Intelligence.

DataCamp Implements Partial Password Reset After Data Security Incident

Online data science learning platform DataCamp implemented a password reset for some of its users potentially affected by a data security incident. According to a statement published on its website, DataCamp discovered on 11 February 2019 that a third party had gained unauthorized access to its systems. In the process, the intruders might have exposed […]… Read More

The post DataCamp Implements Partial Password Reset After Data Security Incident appeared first on The State of Security.

Report: Banking Trojans Accounted for More Than Half of All Malicious Payloads in Q4 2018

A new report found that banking Trojans accounted for more than half of all malicious payloads observed in the fourth quarter of 2018.

According to the “Proofpoint Quarterly Threat Report,” this threat dominated the cyber landscape at the end of 2018, constituting 56 percent of all malicious payloads Proofpoint researchers detected.

Several new families helped banking Trojans beat out other categories of malware, including downloaders, credential stealers and remote-access Trojans (RATs), which made up 17 percent, 17 percent and 8 percent of total threats, respectively. Ransomware was barely present in Q4 2018 after spiking and quickly declining in the previous two quarters.

That being said, it’s clear that threat actors preferred to use well-known banking malware over newcomers. For example, Emotet and its botnet-like capabilities accounted for 76 percent of banking Trojan activity in the quarter; taken together, Emotet, Ursnif and Panda Banker (aka Zeus Panda) made up 97 percent of banking Trojan detections for Q4 2018.

More Active and More Sophisticated

Proofpoint’s findings help illustrate how threat actors iterated their banking Trojan use in 2018. Check Point found evidence of this trend when it observed banking Trojans increase their global impact by 50 percent between February and June of last year. In fact, the Dorkbot and Ramnit families made it onto the security firm’s “Top 10 Most Wanted Malware” list for June 2018.

Banking Trojans have also grown in sophistication more generally over the past few years. In April 2017, for instance, Proofpoint observed a large email campaign exploiting a new zero-day vulnerability to deliver the Dridex banking Trojan.

Other banking malware, including QakBot, has added wormlike features that enable it to self-propagate through shared drives and removable media. All the while, many banking Trojans increasingly conduct fileless attacks as a way of evading detection. Cisco Talos observed one such fileless campaign involving Ursnif in January 2019.

How Security Professionals Can Defend Against Banking Trojans

Security professionals can help defend their organizations against banking Trojans by using artificial intelligence technologies to move beyond rule-based security. Organizations should also consider using a unified endpoint management solution that can monitor endpoints for suspicious behavior indicative of malware and automatically uninstall any infected applications.

The post Report: Banking Trojans Accounted for More Than Half of All Malicious Payloads in Q4 2018 appeared first on Security Intelligence.

Dunkin’ Says Credential Stuffing Attacks Targeted DD Perks Accounts

Dunkin’ Brands Inc. (“Dunkin'”) said that bad actors recently used credential stuffing attacks to target some DD Perks accounts. Kari McHugh, senior director of customer relations at Dunkin’, wrote in a sample letter sent to the Office of the Vermont Attorney General that the company detected a wave of credential stuffing attacks near the beginning […]… Read More

The post Dunkin’ Says Credential Stuffing Attacks Targeted DD Perks Accounts appeared first on The State of Security.

New Linux Crypto-Mining Malware Kills Other Malicious Miners Upon Installation

Security analysts identified a sample of Linux crypto-mining malware that kills any other malicious miners upon installation.

Trend Micro researchers discovered the malware while doing a routine log check after spotting a script within one of their honeypots that began downloading a binary connected to a domain. This binary turned out to be a modified version of the cryptocurrency miner XMR-Stak.

The script didn’t stop at downloading this sample of Linux malware, which Trend Micro detected as Coinminer.Linux.MALXMR.UWEIU. It removed other crypto-mining malware and related services affecting the machine at the time of infection. The malware also created new directories and files and stopped processes that shared connections with known IP addresses.

A Likeness to Other Threats

In their analysis of Coinminer.Linux.MALXMR.UWEIU, Trend Micro found that the malware’s script shares certain attributes with other threats it previously detected. Specifically, researchers observed similarities between this malicious coin miner and Xbash, a malware family discovered by Trend Micro in September 2018 that combines ransomware, cryptocurrency mining, worm and scanner capabilities in its attacks against Linux and Windows servers.

Researchers also noted that the threat’s code is nearly identical to that of KORKERDS, crypto-mining malware Trend Micro uncovered back in November 2018. There are a few differences, however.

The new script simplified the routine by which KORKERDS downloads and executes files and loads the Linux coin malware sample. It also didn’t uninstall security solutions from or install a rootkit on the infected machine. In fact, the script’s kill list targeted both KORKERDS and its rootkit component. This move suggests that those who coded the script are attempting to maximize their profits while competing with the authors of KORKERDS.

Strengthen Your Crypto-Mining Malware Defenses

Security professionals can help defend against Linux crypto-mining malware by using an endpoint management and security platform capable of monitoring endpoints for suspicious behavior. Organizations should also leverage security information and event management (SIEM) tools that can notify security teams of high central processing unit (CPU) and graphics processing unit (GPU) usage — key indicators of cryptocurrency mining activities — during nonbusiness hours.

The post New Linux Crypto-Mining Malware Kills Other Malicious Miners Upon Installation appeared first on Security Intelligence.

Clipper Malware Found Masquerading as Legitimate Service on Google Play Store

Security researchers discovered a sample of clipper malware that targeted Android users by lurking in the Google Play store.

ESET first came across Android/Clipper.C masquerading as MetaMask, a service that allows users to access Ethereum-enabled distributed applications, in February 2019. This new threat is capable of stealing users’ credentials and private keys to gain access to their Ethereum funds. But Android/Clipper.C is a bit more sophisticated: It’s also a form of clipper malware in that it can replace a bitcoin or Ethereum wallet address copied from the clipboard with one under the attacker’s control.

ESET researchers discovered the malicious app on the Google Play store shortly after it became available for download on Feb. 1. They reported their findings to Google’s security team, which subsequently removed the app from the app marketplace.

Android/Clipper.C is not the only malware sample that’s impersonated MetaMask. Other programs used the MetaMask disguise to phish for sensitive data and steal access to users’ cryptocurrency funds.

The Growing Problem of Clipper Malware

Android/Clipper.C is just the latest instance of clipper malware to prey on users. In March 2018, ESET learned about one sample of this threat category targeting Monero users by masquerading as a Win32 Disk Imager application on download.com.

A few months later, Bleeping Computer discovered another cryptocurrency clipboard hijacker that was monitoring 2.3 million cryptocurrency addresses at the time of discovery. Dr.Web also uncovered an Android clipper in summer 2018, though this threat was not available for download on the Google Play store at that time.

How to Defend Against Disguised Malware Threats

Security professionals can help defend against threats like Android/Clipper.C by investing in a unified endpoint management (UEM) solution that can alert users when malware is detected and automatically uninstall infected apps. They should also leverage artificial intelligence (AI) to spot malicious behaviors and stop malware like Android/Clipper.C in its tracks.

The post Clipper Malware Found Masquerading as Legitimate Service on Google Play Store appeared first on Security Intelligence.

U.S. Senators Concerned by Government Employees’ Use of Foreign VPNs

Two U.S. Senators expressed their concern that federal government employees could be undermining the United States’ national security by using VPNs made by foreign companies. In a letter dated 7 February 2019, U.S. Senators Marco Rubio (R-FL) and Ron Wyden (D-OR) brought up the issue of VPN usage in the federal government to Christopher Krebs, […]… Read More

The post U.S. Senators Concerned by Government Employees’ Use of Foreign VPNs appeared first on The State of Security.

Australia Investigating Digital Attack Attempt against Federal Parliament

Australia’s security agencies have launched an investigation into a digital attack attempt against the country’s Federal Parliament. Sources told the Australian Broadcasting Company that security personnel caught digital attackers in the early stages of breaking into the Federal Parliament’s computer network. It’s unclear whether bad actors stole any information. As a precaution, authorities reset lawmakers’ […]… Read More

The post Australia Investigating Digital Attack Attempt against Federal Parliament appeared first on The State of Security.

Phishers Leveraging Google Translate to Target Google and Facebook Users

Phishers are leveraging Google Translate in their attempts to steal the login credentials for users’ Google and Facebook accounts. Larry Cashdollar, a member of Akamai’s Security Intelligence Response Team (SIRT), received an email in early 2019 informing him that someone had accessed his Google account from a new Windows device. On his phone, the email […]… Read More

The post Phishers Leveraging Google Translate to Target Google and Facebook Users appeared first on The State of Security.

Geodo Botnets Using New Spam Campaign to Deliver Qakbot Malware

Researchers discovered Geodo botnets using a new spam campaign to deliver samples of Qakbot malware.

Cofense observed the botnets delivering non-Geodo malware since at least Jan. 28 via increasingly targeted phishing efforts. The attack begins when a user receives a phishing email containing a weaponized Microsoft Office document. That file contains malicious embedded macros that, when enabled, directly deliver Qakbot malware to the victim’s device. Researchers also witnessed the campaign leveraging IcedID, another banking Trojan, as its final payload.

In both cases, the campaign ends by replacing the binary content with that of calc.exe. This tactic is designed to help the campaign hide in plain sight, which signals Geodo’s evolution as a digital threat. Cofense found additional evidence of this evolution in Geodo’s use of targeted addressing, internal signatures and previous threads to prey on state-level government departments in the U.S. as part of a related malware campaign.

A Surge in Banking Trojans

This attack campaign comes amid a rise in activity for banking Trojans such as Qakbot and IcedID. Check Point observed a 50 percent increase in banking Trojan activity in the first half of 2018, with Dorkbot and Ramnit earning spots on the company’s “Most Wanted Malware” list for June of that year. Two months later, Ramnit placed even higher on Check Point’s monthly malware index.

Other security companies have also observed this trend among banking Trojans. For example, Kaspersky Lab detected 61,000 installation packages for mobile banking malware in Q2 2018 — more than a threefold growth over the previous quarter.

How to Defend Against Threats Like Qakbot Malware

Security professionals can help defend against digital threats like Qakbot malware by using tools such as VBA editor to analyze Office documents for malicious macros. Organizations should also lead by example and implement two-factor authentication (2FA) to prevent digital attackers from accessing and weaponizing their business email accounts.

The post Geodo Botnets Using New Spam Campaign to Deliver Qakbot Malware appeared first on Security Intelligence.

Software Vulnerabilities Used by 200 VT Towns Left Employees’ SSNs Exposed

Vulnerabilities in software used by 200 Vermont municipalities left town employees’ Social Security Numbers and other information exposed. Brett Johnson, owner of IT company simpleroute, discovered the flaws after two Vermont towns hired him to do some work for them back in 2017. According to a report in which he wrote about the weaknesses, Johnson […]… Read More

The post Software Vulnerabilities Used by 200 VT Towns Left Employees’ SSNs Exposed appeared first on The State of Security.

14 Essential Bug Bounty Programs of 2019

In 2017, The State of Security published its most recent list of essential bug bounty frameworks. Numerous organizations and government entities have launched their own vulnerability reward programs (VRPs) since then. With that in mind, I think it’s time for an updated list. Here are 14 essential bug bounty programs for 2019. Apple Website: Invite-only […]… Read More

The post 14 Essential Bug Bounty Programs of 2019 appeared first on The State of Security.

Why Security Is Needed to Keep the CI/CD Pipeline Flowing Smoothly

Technology has advanced to a state where clients now expect a constant stream of updates for their software and applications. To fulfill this demand, developers commonly turn to what’s known as a CI/CD pipeline. As noted by Synopsys, this practice embraces two important software development concepts of today’s streamlined world: Continuous Integration (CI): The effort […]… Read More

The post Why Security Is Needed to Keep the CI/CD Pipeline Flowing Smoothly appeared first on The State of Security.

Attack Campaign Targets Linux Servers to Install New SpeakUp Trojan

Security researchers observed an attack campaign that is targeting Linux servers to install samples of SpeakUp, a new backdoor Trojan.

According to Check Point Research, the campaign is currently targeting servers in East Asia and Latin America. The attack begins with the exploitation of CVE-2018-20062, a reported vulnerability affecting ThinkPHP. The campaign then uses command injection techniques to upload a PHP shell, which is responsible for delivering and executing the SpeakUp Trojan as a Perl backdoor.

Upon execution, SpeakUp continuously communicates with its command and control (C&C) server to receive a variety of instructions. It can use the newtask command to execute arbitrary code or execute a file from a remote server, for example. This ability enables SpeakUp to deliver additional backdoors, each of which comes equipped with a Python script designed to scan and infect more Linux servers within its internal and external subnets.

Furthermore, the Trojan can leverage the newconfig command to update the configuration file for XMRig, a cryptocurrency miner that it serves to listening infected servers.

Linux Servers Under Attack

SpeakUp isn’t the only malware targeting Linux servers. On the contrary, these IT assets are under attack from a range of malicious software.

In December 2018, Slovakian security firm ESET identified 21 Linux malware families that serve as OpenSSH backdoors. Around the same time, Anomali Labs unveiled its discovery of Linux Rabbit and Rabbot, two malware families served by a campaign targeting Linux servers in Russia, South Korea, the U.K. and the U.S. that are both capable of installing crypto-miners.

Also in December, Bleeping Computer learned of a new campaign that had leveraged unsecured Intelligent Platform Management Interface (IPMI) cards to infect Linux servers with JungleSec ransomware.

How to Defend Against the SpeakUp Trojan

Security professionals can help defend against malware like SpeakUp by utilizing a unified endpoint management (UEM) tool to monitor assets such as Linux servers for malicious activity. Experts also recommend practicing timely patch management to defend endpoints against cryptocurrency miners, and investing in education and role-based training to help cultivate a security-aware workforce.

The post Attack Campaign Targets Linux Servers to Install New SpeakUp Trojan appeared first on Security Intelligence.

Scammers Threatening YouTube Content Creators with Channel Suspension

Scammers are now using the threat of channel suspension to coerce YouTube content creators into meeting their demands and sending over money. These digital attackers are specifically targeting YouTube’s policy infringement system through which users can report a video that they feel violates the video-sharing website’s policies for acceptable content. When it receives such a […]… Read More

The post Scammers Threatening YouTube Content Creators with Channel Suspension appeared first on The State of Security.

Houzz Says Security Incident Might Have Exposed User Data

Home design website and community Houzz revealed that a security incident might have exposed some users’ personal and account data. On 1 February, Houzz published a security update explaining that it detected the security event in late December 2018. The company didn’t provide exact details about how it learned of the incident. It simply stated […]… Read More

The post Houzz Says Security Incident Might Have Exposed User Data appeared first on The State of Security.

Airbus Reveals It Suffered a Digital Security Incident

European aerospace corporation Airbus SE has revealed that a digital security incident recently affected some of its computer systems. In a press release published on 30 January, Airbus confirmed that its “Commercial Aircraft business” information systems suffered a security incident. The corporation said that the event did not affect Airbus’ commercial operations. But it clarified […]… Read More

The post Airbus Reveals It Suffered a Digital Security Incident appeared first on The State of Security.

Judge Denies Approval of $50M Settlement to Yahoo Data Breach Lawsuit

A federal judge has denied the approval of a proposed $50 million settlement to a class action lawsuit over a data breach at Yahoo. On 28 January, Judge Lucy Koh rejected the settlement in a order submitted to the San Jose division of the U.S. District Court in the Northern District of California. The settlement, […]… Read More

The post Judge Denies Approval of $50M Settlement to Yahoo Data Breach Lawsuit appeared first on The State of Security.

Untold Number of Discover Card Account Holders Notified of Data Breach

An undisclosed number of Discover card account holders have learned of a data breach that might have compromised their account information. According to Bleeping Computer, Discover Financial Services first learned of the security incident on 13 August 2018. The American financial services company subsequently filed data breach notices with the California Attorney General’s office on […]… Read More

The post Untold Number of Discover Card Account Holders Notified of Data Breach appeared first on The State of Security.

Razy Trojan Installs Malicious Browser Extensions to Steal Cryptocurrency

Security researchers observed the Razy Trojan installing malicious extensions across multiple web browsers to steal cryptocurrency.

In 2018, Kaspersky Lab noticed that the Trojan was being distributed via advertising blocks on websites and free file hosting services disguised as legitimate software. The malware uses different infection processes for Google Chrome, Mozilla Firefox and Yandex Browser, disabling automatic updates and integrity checks for installed extensions.

Razy then uses its main.js script to steal cryptocurrency by searching websites for the addresses of digital wallets. If it finds what it’s looking for, the Trojan replaces the wallet addresses with those controlled by the malware’s operators.

Razy can also spoof images of QR codes that point to cryptocurrency wallets, modify digital currency exchanges’ webpages by displaying messages that lure users with the promise of new features, and alter Google or Yandex search results to trick victims into visiting infected websites.

Not the First Cryptocurrency Stealer — And Likely Not the Last

The Razy Trojan isn’t the first malware known for stealing users’ cryptocurrency. In July 2018, for example, Fortinet came across a malware sample that modified victims’ clipboard content to replace a copied bitcoin address with one belonging to threat actors. Just a few months later, researchers at enSilo discovered DarkGate, malware that is capable of crypto-mining and ransomware-like behavior in addition to stealing virtual currency from victims’ wallets.

These malware samples played a part in the rise of cryptocurrency theft last year. In just the first six months of 2018, Carbon Black observed that digital currency theft reached $1.1 billion. One of the incidents that took place within that time period involved the theft of $530 million, as reported by CNN.

How to Defend Against Malware Like Razy

Security professionals can help defend against threats like Razy by incorporating artificial intelligence (AI) into their organizations’ malware defense strategies, including the use of AI in detectors and cyber deception to misdirect and deactivate AI-powered attacks. Experts also recommend using blockchain and other advanced technologies to protect against cryptocurrency threats.

The post Razy Trojan Installs Malicious Browser Extensions to Steal Cryptocurrency appeared first on Security Intelligence.

Video-Sharing Platform Targeted by Credential Stuffing Attacks

Bad actors have targeted a video-sharing technology platform with credential stuffing attacks in order to hijack users’ accounts. On 25 January, Dailymotion published a statement on its website in which it announced that it had been the subject of “a large-scale computer attack.” After discovering the digital offensive, Dailymotion’s technical teams implemented various security measures […]… Read More

The post Video-Sharing Platform Targeted by Credential Stuffing Attacks appeared first on The State of Security.

Malspam Campaign Targeting Russian Speakers with Redaman Malware

An ongoing malicious spam campaign is currently targeting Russian-speaking users with samples of the Redaman banking malware. Since at least September 2018, the malspam campaign has been sending out malicious spam emails written in Russian to users who mostly have email addresses ending in “.ru.” The emails use various subject lines, message content and attachment […]… Read More

The post Malspam Campaign Targeting Russian Speakers with Redaman Malware appeared first on The State of Security.

Malvertising Campaign Used Steganography to Distribute Shlayer Trojan

A short-lived malvertising campaign leveraged a steganography-based payload to target Mac users with the Shlayer trojan. Named for its use of veryield-malyst[dot]com as one of its ad-serving domains, the “VeryMal” threat actor conducted its malvertising campaign between 11 January 2019 and 13 January 2019. That’s not a long time period to remain active. But the […]… Read More

The post Malvertising Campaign Used Steganography to Distribute Shlayer Trojan appeared first on The State of Security.

DHS Issues Emergency Directive on DNS Infrastructure Tampering

The Department of Homeland Security (DHS) has issued an emergency directive that requires federal agencies to mitigate the threat of Domain Name System (DNS) infrastructure tampering. In “Emergency Directive 19-01,” DHS explains that it’s been working with the Cybersecurity and Infrastructure Security Agency (CISA) to track a campaign of DNS infrastructure tampering. A hijack in […]… Read More

The post DHS Issues Emergency Directive on DNS Infrastructure Tampering appeared first on The State of Security.

Adware Installers Disguised as Cracks Installing STOP Ransomware

STOP ransomware is using adware installers disguised as cracks as a new method of distributing itself to unsuspecting users. According to Bleeping Computer creator and owner Lawrence Abrams, websites known for distributing software cracks, or software which has been modified to remove or disable certain features, commonly use adware bundles to generate revenue. These bundles […]… Read More

The post Adware Installers Disguised as Cracks Installing STOP Ransomware appeared first on The State of Security.

How the Federal Shutdown Could Do Long-Term Digital Security Damage

Most people have at least heard of the partial shutdown plaguing the U.S. federal government. Now over three weeks old, the stoppage owes its existence to a conflict over border security funding. President Donald Trump wants $5.7 billion to build a new wall along the U.S. Mexican border, while Democrats say they will not fulfill […]… Read More

The post How the Federal Shutdown Could Do Long-Term Digital Security Damage appeared first on The State of Security.

New Phobos Ransomware Using Same Ransom Note as Dharma

A new strain of ransomware known as “Phobos” is using the same ransom note employed by Dharma to demand payment from its victims. Ransomware incident response provider Coveware found that Phobos’ ransom message differs from Dharma’s only in the branding used for its header and footer. Otherwise, the notes are exactly the same. Both crypto-malware […]… Read More

The post New Phobos Ransomware Using Same Ransom Note as Dharma appeared first on The State of Security.

Microsoft Announces Azure DevOps Bug Bounty Program

The Microsoft Security Response Center (MSRC) has announced the creation of a bug bounty program for Azure DevOps services. On 17 January, MSRC said it would begin awarding bounties of up to $20,000 for reports on eligible vulnerabilities affecting Azure DevOps, a cloud service which helps developers collaborate on code across the entire development lifecycle. […]… Read More

The post Microsoft Announces Azure DevOps Bug Bounty Program appeared first on The State of Security.

Nearly 800 Million Email Addresses Exposed in “Collection #1” Data Breach

A data breach known as “Collection #1” exposed approximately 800 million email addresses as well as tens of millions of passwords. In the beginning of January, multiple people reached out to Australian web security expert Troy Hunt about a sizable collection of files hosted on cloud service MEGA. This collection, which is no longer available […]… Read More

The post Nearly 800 Million Email Addresses Exposed in “Collection #1” Data Breach appeared first on The State of Security.

Two Ukrainians Charged with Plot to Hack into SEC and Commit Fraud

The U.S. Department of Justice (DOJ) has charged two Ukrainians with participating in a plot to hack into computers systems at the U.S. Securities and Exchange Commission (SEC) and use the information they stole to commit fraud. On 15 January, the U.S. Attorney’s Office for the District of New Jersey announced a 16-count indictment charging […]… Read More

The post Two Ukrainians Charged with Plot to Hack into SEC and Commit Fraud appeared first on The State of Security.

Del Rio City Hall Disables Internet Connection for All Departments after Ransomware Attack

Officials in the City of Del Rio have disabled the internet connection for all departments at City Hall following a ransomware attack. The City of Del Rio, which is located 152 miles west of San Antonio in Val Verde County, Texas, posted a statement to its website disclosing the attack. Its statement mainly offers insight […]… Read More

The post Del Rio City Hall Disables Internet Connection for All Departments after Ransomware Attack appeared first on The State of Security.

Mozilla Announces It Will Disable Support for Flash Plugin in Firefox 69

Mozilla has announced that it will disable support for the Adobe Flash Player plugin by default in version 69 of its Firefox web browser. On 11 January, Mozilla senior software engineer Jim Mathies opened a Bugzilla ticket announcing his employer’s plan to “disable Flash by default in Nightly 69 and let that roll out.” That’s […]… Read More

The post Mozilla Announces It Will Disable Support for Flash Plugin in Firefox 69 appeared first on The State of Security.

Free Decryption Tool Created for PyLocky Ransomware Family

A researcher has created a free decryption tool which victims of the PyLocky ransomware family can use to recover their affected files. Mike Bautista, a security researcher at the Cisco Talos Intelligence Group, is responsible for developing the tool. Cisco Talos has made this utility freely available for download on GitHub. First reported on by […]… Read More

The post Free Decryption Tool Created for PyLocky Ransomware Family appeared first on The State of Security.

The Top 5 Vendor-Neutral Cloud Security Certifications of 2019

Many organizations migrate to the cloud because of increased efficiency, data space, scalability, speed and other benefits. But cloud computing comes with its own security threats. To address these challenges, companies should create a hybrid cloud environment, confirm that their cloud security solution offers 24/7 monitoring and multi-layered defenses as well as implement security measures […]… Read More

The post The Top 5 Vendor-Neutral Cloud Security Certifications of 2019 appeared first on The State of Security.

Neiman Marcus to Pay $1.5 Million under Data Breach Settlement

Neiman Marcus Group, Inc. has agreed to pay $1.5 million as part of a settlement for an earlier data breach that exposed customers’ information. Ken Paxton, Attorney General of Texas, announced on 8 January that he and his fellow Attorneys General from 42 other states will enter into the $1.5 million settlement with Neiman Marcus. […]… Read More

The post Neiman Marcus to Pay $1.5 Million under Data Breach Settlement appeared first on The State of Security.

Phishing Kit Uses Custom Web Font to Impersonate Major US Bank

A new phishing kit uses a custom web font to implement a substitution cipher in its efforts to target customers of a major U.S. bank.

Researchers at Proofpoint first came across the unnamed phishing kit in May 2018. The landing page leverages stolen branding to steal users’ credentials for a major retail bank, and the source code includes encoded display text.

Digging further, the researchers determined that the base64-encoded woff and woff2 files were the only loaded fonts in the template. They then observed that the kit uses a custom web font file to render the ciphertext as plaintext, which helps it evade detection and conceals its activity from victims.

A Busy Year for Phishing Kits

Phishing kits were a prominent threat in 2018. Check Point came across a new phishing kit on the dark web in April 2018. The template provided would-be criminals with a backend interface for creating convincing fake retail product pages and managing their entire campaign. A few months later, Akamai analyzed a zip file containing phishing kits. One of the five directories analyzed by Akamai had code to target a bank located in the Southern and Midwestern states.

Several new malicious document builders have also emerged over the past two years. In October 2017, Proofpoint discovered ThreadKit, a Microsoft Office document exploit builder kit used for distributing Formbook, Loki Bot and other malware. Just a few months later, the security firm came across LCG Kit, another weaponized document builder service.

How to Defend Against Phishing Attacks

Security professionals can help defend their organizations against phishing attacks by proactively running phishing simulations to test their employees’ security awareness. They should also conduct penetration tests to analyze other aspects of their organizations’ email security.

The post Phishing Kit Uses Custom Web Font to Impersonate Major US Bank appeared first on Security Intelligence.

Humana Informs Customers of Third-Party Security Incident

Humana has notified customers of a third-party security incident that might have exposed some of their personal information. According to a breach notification letter obtained by DataBreaches.net, the for-profit American health insurance company learned on 25 October 2018 that bad actors had gained access to the system credentials of some employees at Bankers Life, one […]… Read More

The post Humana Informs Customers of Third-Party Security Incident appeared first on The State of Security.

Malvertising Campaign Delivers Vidar Information Stealer and GandCrab Ransomware

Researchers have spotted a malvertising campaign that is delivering two payloads to victims: the Vidar information stealer and GandCrab ransomware.

Near the end of 2018, Malwarebytes Labs began tracking a malvertising campaign delivering a variety of payloads. Researchers analyzed the infection chain and traced it to the Fallout exploit kit. They observed this package downloading what they thought was the Arkei stealer, but a closer look revealed the malware to be Vidar, a customizable stealer of passwords, credit card details and digital wallet credentials.

At that point, Malwarebytes analysts looked into Vidar’s command-and-control (C&C) server, discovering that the attacks were retrieving GandCrab ransomware from that location. This sequence of events enables threat actors to first steal victims’ personal and financial information before extorting them for the return of their encrypted data.

A Busy Few Months for the Fallout Exploit Kit

The Fallout exploit kit has been busy over the past few months. In September 2018, FireEye observed the exploit kit targeting users in Japan, Korea, the Middle East, Southern Europe and other countries in the Asia-Pacific region. In that campaign, Fallout infected victims with GandCrab ransomware.

This package of exploits didn’t waste time in diversifying its payloads. Researchers at McAfee observed Fallout exposing users to Kraken ransomware in October 2018. That same month, Palo Alto Networks detected a campaign in which the exploit kit delivered Azorult malware, another threat capable of stealing important information.

How to Block GandCrab and Other Malvertising Payloads

As it continues to evolve, the Fallout exploit kit will likely begin delivering even more payloads. Security professionals should therefore help protect their organizations by consistently leveraging the four steps of vulnerability assessment to keep software up-to-date. Organizations should also help defend against ransomware like GandCrab by using an endpoint management solution to monitor their IT assets for suspicious activity.

The post Malvertising Campaign Delivers Vidar Information Stealer and GandCrab Ransomware appeared first on Security Intelligence.

Kitchen Utensil Manufacturer Discloses Data Breach of E-commerce Site

A manufacturer of kitchen utensils, office supplies and housewares disclosed a data breach of customer information submitted to its e-commerce website. OXO International Ltd confirmed on 17 December 2018 that digital attackers might have compromised the data submitted by customers to its e-commerce website. The manufacturer believes that those responsible for the security incident might […]… Read More

The post Kitchen Utensil Manufacturer Discloses Data Breach of E-commerce Site appeared first on The State of Security.

Phone-Based Phishing Scam Reveals the Growing Sophistication of Attacks Against Apple Users

A new phone-based phishing scam reveals how fraudsters are devising more sophisticated schemes to prey on Apple device users.

According to KrebsOnSecurity, the phishing scam began for Global Cyber Risk LLC CEO Jody Westby when she received an automated call that displayed Apple’s logo, physical address, company domain and customer support phone number. The call warned Westby that unknown attackers had compromised multiple servers containing users’ Apple IDs. It then urged her to ring a 1-866 number immediately.

Suspicious of the call, Westby contacted Apple’s support number directly and requested a callback from a support representative. The agent who called back reassured Westby that Apple had not placed the original call. But when she looked at her phone, Westby observed that her iPhone had lumped together both the scam call and the official callback under Apple’s contact profile on her device. Not surprisingly, this failure of Apple’s own devices to spot a spoof call could potentially fool many users.

The Prevalence of Phishing Attacks Targeting Apple Users

This phony call scam stands out for its extensive use of Apple branding. But by no means is it the only phone-related phishing scam targeting Apple users in recent history. For example, in July 2018, Ars Technica identified an India-based tech support scam using a fake Apple website that popped up a system dialog box with a prompt to call the fraudsters.

These phishing instances come after enterprise mobile security and data management provider Wandera found in 2017 that nearly two-thirds of mobile phishing attacks occur on iOS devices. This rate means that Apple users are twice as likely to experience phishing on their devices than Android users.

Help Your Employees Defend Against Phishing Scams

Security professionals can help employees defend against phishing scams by creating a security awareness training program that uses clear, concise policies based around business requirements. Organizations should also take a layered approach to email security — requiring a mix of both technology and education — to better defend against email-borne phishing campaigns.

The post Phone-Based Phishing Scam Reveals the Growing Sophistication of Attacks Against Apple Users appeared first on Security Intelligence.

Pre-Installed Malware Targets Critical System Apps on Mobile Devices

Several new types of pre-installed malware are targeting critical system apps on mobile devices, making them difficult to remove.

Researchers at Malwarebytes came across two instances of pre-installed malware targeting applications in /system/priv-app/, where critical apps such as settings and system UI reside. The first infection occurred on a THL T9 Pro device. The malware repeatedly installed variants of Android/Trojan.HiddenAds, which is known for displaying lock screen advertisements that take up the device’s entire screen. In this particular case, the infection wrapped itself up in the critical system Android app System UI.

The second infection occurred on a UTOK Q55. In that case, the threat came hardcoded in the device’s Settings app. It fit the “monitor” category of potentially unwanted programs (PUP), which are capable of collecting and reporting users’ information.

The Pre-Installed Malware Problem Persists

These two instances of pre-installed malware aren’t the first detected by Malwarebytes. In March 2017, researchers at the security software provider observed mobile devices manufactured by BLU being shipped out with Android/Adware.YeMobi. Then in December of that year, the researchers found an auto-installer known as FWUpgradeProvider pre-installed on devices bought from legitimate phone carriers in the U.K. and elsewhere.

Other security firms have detected pre-installed malware more recently. For instance, Check Point discovered RottenSys disguised as a system Wi-Fi service; the threat targeted nearly 5 million users for fraudulent ad revenues as of March 2018. A few months later, Avast Threat Labs found adware known as Cosiloon pre-installed on hundreds of Android device models.

How to Protect Mobile Devices From Pre-Installed Malware

Security professionals can protect mobile devices from pre-installed malware and other threats by using a unified endpoint management (UEM) solution to monitor how these devices report to the corporate IT environment. They should also use behavioral analysis to help defend mobile devices against zero-day threats.

The post Pre-Installed Malware Targets Critical System Apps on Mobile Devices appeared first on Security Intelligence.

HHS Publishes Voluntary Healthcare Cybersecurity Practices for Medical Organizations

The U.S. Department of Health and Human Services (HHS) released voluntary healthcare cybersecurity practices to help medical organizations strengthen their security posture.

On December 28, HHS released “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” in response to a mandate to develop healthcare cybersecurity standards laid out by the Cybersecurity Act of 2015. More than 150 cybersecurity and healthcare experts from the private and public sectors worked together for two years to fulfill this directive.

The publication is broken down into three sections. The first examines cybersecurity threats confronting the healthcare industry. The second portion identifies weaknesses that render healthcare organizations vulnerable to threats, and the third and final segment outlines strategies that medical entities can use to defend against digital threats.

Healthcare Data Breaches on the Rise

Healthcare data breaches are on the rise. In a study published by the JAMA Network, researchers analyzed all the data security incidents reported to the Office of Civil Rights at HHS between January 2010 and December 2017. They found a total of 2,149 breaches affecting 176.4 million patient records. The annual number of data breaches increased each year during the analyzed time period except 2015, starting with 199 in 2010 and growing to 344 in 2017.

Of the incidents that exposed patients’ personal health information (PHI), 53 percent originated inside the organization. That’s consistent with the Office of the Australian Information Commissioner’s (OAIC) quarterly statistics for Q3 2018. OAIC received 45 data breach notifications from healthcare organizations during the quarter, 56 percent of which resulted from human error.

Healthcare Cybersecurity Best Practices

Security professionals can begin enforcing healthcare cybersecurity best practices by producing creative employee awareness content that specifically appeals to the company’s workforce. Healthcare organizations should also adopt a security immune system strategy that, among other things, uses artificial intelligence (AI) and automation to mitigate risk across the network.

The post HHS Publishes Voluntary Healthcare Cybersecurity Practices for Medical Organizations appeared first on Security Intelligence.

Alert Service Compromised to Send Out Spam Message

An unknown individual compromised an alert service and abused their access to send out a spam message to some of the service’s customers. The Australian Early Warning Network (EWN) alert service disclosed first in a Facebook post and later on its website that the compromise took place near the beginning of the year: At around […]… Read More

The post Alert Service Compromised to Send Out Spam Message appeared first on The State of Security.