Antivirus News

Attackers Demand $2.5 Million Ransom After Coordinated Ransomware Attacks on Texas Government Entities

  • Two of the impacted municipalities, the City of Borger and the City of Keene, have publicly disclosed that they were hit by the coordinated ransomware attack.
  • Keene Mayor Gary Heinrich said that the threat actor infiltrated the city’s IT software, which is managed by a managed service provider (MSP).

The attacker who hit over 22 local government entities in Texas with a coordinated ransomware attack has demanded a collective ransom payment of $2.5 million.

Update on the attack

  • An update from the Department of Information Resources (DIR) reveals that the number of impacted entities has come down to 22.
  • Nearly 25% of the impacted entities have moved from the response and assessment stage to the remediation and recovery stage.
  • A number of impacted entities have restored their operations to normal.
  • However, the identities of the impacted entities remain undisclosed for security reasons.

Meanwhile, two of the impacted municipalities have publicly disclosed that they were hit by the ransomware attack.

City of Borger

  • The City of Borger in Texas has issued a press release stating that the attack has impacted the City’s business and financial operations.
  • However, the City assured that it continues to provide phone services and other basic emergency services such as Police, Fire, 9-1-1, Animal Control, Water, Wastewater and Solid Waste Collection.
  • The City confirmed that it is currently working with responders to bring its computer systems back online.

“State and Federal agencies continue investigating the origins of this attack; however response and recovery are the City’s priority at this time. Based on the current state of the forensic investigation, it appears that no customer credit card or other personal information on the City of Borger’s systems have been compromised in this attack,” read the press release.

City of Keene

The City of Keene in Texas acknowledged in a Facebook post that the attack has impacted the City’s ability to process credit card payments.

“Keene is working with law enforcement to resolve a cyber incident that impacted servers state-wide. Because this is an investigation, we can’t share much.
Here’s what you need to know:
• No credit card payments or utility disconnections for now
• Our drinking water is safe
• Check back here for updates,” read the Facebook post.

Keene Mayor Gary Heinrich told National Public Radio that the threat actor infiltrated the city’s IT software, which is managed by an outsourced company that also supports many of the other affected municipalities. Heinrich added that the threat actor demanded a collective ransom of $2.5 million.

“They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house,” said Heinrich.


Georgia Department of Public Safety hit with ransomware attack

  • The incident impacted three Georgia police departments including Georgia State Patrol, Georgia Capitol Police, and Georgia Motor Carrier Compliance Division.
  • The attack infected the entire DPS network forcing the department to shut down all its IT systems including email servers, public website, and backend servers.

Attackers infected the Georgia Department of Public Safety (DPS) with ransomware. The ransomware infection crippled all the laptops installed in police cars across the state.

What happened?

According to a report from Fox 5 News, the ransomware was first spotted by an officer on a field laptop on July 26, 2019. The officer became aware of the ransomware when he noticed an abnormal message on the laptop screen.

The ransomware didn’t infect the police car laptops directly; it infected the DPS backend, causing laptops installed in police cars across some departments to lose connectivity and access to data.

What is the impact?

  • The attack infected the entire DPS network forcing the department to shut down all its IT systems including email servers, public website, and backend servers.
  • The incident impacted three Georgia police departments including Georgia State Patrol, Georgia Capitol Police, and Georgia Motor Carrier Compliance Division.
  • The ransomware infection also left the department unable to access the police car laptops that contained the agency’s data.
  • This has forced officers to use car radios or work phones instead of laptops to request the information they need.

“The way that it works is if an agency has a crash that they need us to respond to, they would send that information electronically, and then we would dispatch it from there. The difference is now they are just having to make a phone call into our communication centers to give us that information, you know, just via a phone call,” Stallings explained, a local media outlet reported.

What was the response?

  • Upon learning of the incident, the department notified the Georgia Technology Authority.
  • Lt. Stephanie Stallings, public information director for the Georgia State Patrol, said that officials are investigating the ransomware attack and conducting a forensic analysis of the DPS system.

Credential stuffing attack: What is it and how to stay protected?

  • A credential stuffing attack is a type of cyber attack in which attackers use username-password combinations leaked from other sites to gain unauthorized access to user accounts.
  • Attackers try the stolen credentials against multiple websites in order to compromise and take full control of user accounts.

What is it – A credential stuffing attack is a type of cyber attack in which attackers use username-password combinations leaked from other sites to gain unauthorized access to user accounts.

  • Attackers take credentials that were leaked from other sites or sold on underground forums and replay them against many other sites in an attempt to gain unauthorized access to user accounts.
  • Attackers use the breached credentials against multiple websites in order to compromise and take full control of user accounts.
  • To do this at scale, attackers use bots, computer programs, toolkits, or software to automatically test the list of breached credentials.
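The automated, many-accounts-from-one-source pattern described above is also what makes credential stuffing detectable in authentication logs. The following Python is an added example, not code from the article or any vendor it names: it parses a constructed authentication log (the line format, IP addresses and user names are made up for the example) and flags any source IP that, within a sliding time window, tries many distinct accounts with a low success rate, which is the signature of a replayed credential list rather than a user mistyping a password.

```python
"""Credential-stuffing detector over authentication log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one normal user mistyping a password twice, and one
# source IP cycling through many different accounts with a single success
# (the account whose owner reused a leaked password).
SAMPLE_LOG = """\
2019-02-01T10:00:01Z ip=203.0.113.5 user=bob result=FAIL
2019-02-01T10:00:09Z ip=203.0.113.5 user=bob result=FAIL
2019-02-01T10:00:15Z ip=203.0.113.5 user=bob result=OK
2019-02-01T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2019-02-01T10:01:01Z ip=198.51.100.7 user=carol result=FAIL
2019-02-01T10:01:02Z ip=198.51.100.7 user=dave result=FAIL
2019-02-01T10:01:03Z ip=198.51.100.7 user=erin result=OK
2019-02-01T10:01:04Z ip=198.51.100.7 user=frank result=FAIL
2019-02-01T10:01:05Z ip=198.51.100.7 user=grace result=FAIL
2019-02-01T10:01:06Z ip=198.51.100.7 user=heidi result=FAIL
2019-02-01T10:01:07Z ip=198.51.100.7 user=ivan result=FAIL
2019-02-01T10:30:00Z ip=192.0.2.44 user=judy result=OK
"""

# Assumed (constructed) log line format: "<ISO timestamp> ip=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=10), min_attempts=5,
                    min_distinct_ratio=0.8, max_success_rate=0.5):
    """Flag source IPs whose login attempts inside any `window` look like a
    replayed credential list: at least `min_attempts` tries, almost every try
    against a different account, and mostly failures."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort()  # chronological; timestamp is the first tuple element
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            attempts = len(win)
            if attempts < min_attempts:
                continue
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if (len(users) / attempts >= min_distinct_ratio
                    and successes / attempts <= max_success_rate):
                alerts[ip] = {
                    "attempts": attempts,
                    "distinct_users": len(users),
                    "successes": successes,
                    # Accounts that accepted a replayed password: force a reset.
                    "compromised": sorted(u for _, u, ok in win if ok),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"credential stuffing suspected from {ip}: {info}")
```

The thresholds are deliberately conservative: a legitimate user who fails a few times against one account never reaches the distinct-account ratio, while a bot working through a leaked list trips it within seconds. In production the same check should be run per IP range and per user agent as well, because stuffing tools usually spread attempts across many proxies.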

Examples of Credential stuffing attacks

Example 1 – Intuit, a victim of credential stuffing attack

In February 2019, the financial software company Intuit learned that TurboTax account users’ tax return information was compromised in a credential stuffing attack. The financial company disclosed that an unauthorized party accessed TurboTax accounts by using the username-password combination obtained from a non-Intuit source.

The unauthorized party who gained illegal access to TurboTax user accounts obtained information contained in the previous year’s tax return or current tax return in progress.

  • The exposed information included users’ names, Social Security numbers, addresses, dates of birth, driver’s license numbers.
  • The compromised information also included users’ financial information such as salary and deductions.

Example 2 – Dunkin’ Donuts suffered a credential stuffing attack

On January 10, 2019, Dunkin’ Donuts suffered a credential stuffing attack which led to attackers gaining unauthorized access to some of its customers’ accounts. Attackers used user credentials leaked at other sites to gain access to DD Perks rewards accounts.

DD Perks account includes information such as users’ first and last names, email addresses (also used as usernames), 16-digit DD Perks account number and DD Perks QR codes.

Once attackers gained access to customers’ Dunkin’ Donuts accounts via credential stuffing, they put the breached accounts up for sale. The accounts were then bought by other people, who used the reward points at Dunkin’ Donuts shops to receive free beverages and other discounts.

It is to be noted that this is the second credential stuffing attack that Dunkin’ Donuts has experienced in the last three months. The first credential stuffing attack occurred on October 31, 2018.

How to stay protected?

  • To stay protected from credential stuffing attacks, never reuse the same password across multiple sites.
  • It is always recommended to use a unique password for each account and to rotate passwords periodically.
  • It is further recommended to use strong, complex, and unique passwords that are difficult to crack.

It is also best to use two-factor authentication when logging in, and to log out once the session is complete.

Windows 7 and Office 2010 Support Ending Soon: Security Suites Continue to Provide Protection!

January 14, 2020 is the day: Microsoft will retire Windows 7 and Office 2010 without fail. That is also the day when extended support will end. At least for consumer users, it will be the end of the road. Corporate users can still buy a reprieve.

January 2020 will see the end of Windows 7 support. Already in January 2015, Microsoft sounded the initial warning bell, as that month marked the end of regular support for Windows 7. In just one year from now, January 14, 2020, the large final gong will sound, ending even so-called extended support. After that date, there will be no more updates for bug fixes, for more security, or for internal Microsoft applications. For private users, the installed security suite will be required to take over the entire protection task from that point on. Corporate users will have it a bit easier, as they will be able to purchase another 3-year support package. Microsoft is offering the so-called Extended Security Updates (ESU) until January 2023. There are no official prices on this.

Office 2010 is also at the end of its life cycle

Incidentally, Microsoft is also sending Office 2010 into retirement. There will be no further updates after October 2020 for that application either. That doesn’t sound terrible at first, but it is, because in the past there have always been critical vulnerabilities in Office products which hackers have exploited. The Office 2013 version is expected to be supported until 2023. The follow-up or update version, Office 2016, is currently being actively promoted at low prices. Switching over to Office 2016 or even to the new 2019 version is not quite as dramatic as changing an operating system.

Internet security suites will provide protection even after 2020

Most manufacturers of security packages will still support their version even after 2020. However, the security packages on an old Windows 7 system will be required to monitor for more and more security gaps over time. Those who wish to or have no choice but to keep using Windows 7 ought to refrain from using certain applications, because Internet Explorer, for example, will no longer be receiving any updates.

Especially an outdated Internet Explorer or a vulnerable Outlook will significantly increase the risk of a malware infection. Microsoft will probably discontinue support for Security Essentials in 2020 as well. At least, that was the procedure when support of Windows XP was ended.

That is why users ought to look closely at whether their PC is still suitable for Internet use after 2020. Sometimes an old Windows operating system is only needed because special hardware needs to be controlled or industry software will not continue to run otherwise. However, Internet access is usually not absolutely necessary in that case.

So how much time do the users have left?

Naturally, manufacturers of security software will not support the outdated Windows 7 forever. The procedure is expected to be similar to the discontinuation of Windows XP. The normal versions for consumer users were supported by most providers for at least 12 months. Some even offered additional updates for 24 months. For enterprise products, the phase is usually longer, as they often include special extended support.

Those who are unsure can always inquire with the manufacturer of their security solution.

Private users ought to consider switching to another operating system. Windows 8.1 is not recommended, however, as regular support for that system already ended in January 2018. The extended support also only continues until 2023. That is why consumer users need to accept the possibility of upgrading to Windows 10 where possible.

Update and support for Windows 10

Looking at the Windows lifecycle fact sheet on Microsoft’s website and reading the item concerning the editions of Windows 10, it is confusing at first, because Microsoft does not provide a specific end date for support. After each major update for the Home and Pro versions, which are always expected to be released in March and September, support will continue for another 18 months. The support period for the Enterprise and Education versions even runs a bit longer. If Microsoft adheres to its deadlines, then after the October 2018 update (version 1809), the new March or April 2019 update will be almost around the corner.

Thus: only those who always participate in the major updates, such as the Creators Update, will also remain in the support agreement. Those who don’t install the updates will no longer receive support at some point.

Continuously new vulnerabilities

On the large February 2019 Patch Tuesday – for all operating systems and Windows applications – there were notices concerning more than 70 new security vulnerabilities. Microsoft classified 20 of them as critical. These gaps are still being closed. As of January 14, 2020, the messages about Windows 7 and its internal tools will still keep piling up, but the gaps will no longer be closed. That will be the beginning of many attacks. The Hasso Plattner Institute’s Database for Vulnerability Analysis, for example, identifies in 2018 alone more than 150 vulnerabilities for Windows 7.

Enterprise Cloud Infrastructure a Big Target for Cryptomining Attacks

Despite the declining values of cryptocurrencies, criminals continue to hammer away at container management platforms, cloud APIs, and control panels.

The cloud-based infrastructures that enterprise organizations are increasingly using to run their business applications have become a major target for illicit cryptomining operations.

According to new research from AT&T Cybersecurity, cryptomining has become the primary reason for most cloud infrastructure attacks these days. There’s no sign the attacks will let up soon, either, despite the drop in values of major cryptocurrencies, the vendor said in a report Wednesday.

Cryptojacking — or attacks where an organization’s (or an individual’s) computers are surreptitiously used to mine for Monero and other cryptocurrencies — has emerged as a major problem over the last 18 months or so.

Cybercriminals have been extensively planting mining tools such as Coinhive on hacked websites and quietly using the systems of people visiting the sites to mine for cryptocurrencies. They have also been deploying mining software on larger, more powerful enterprise servers and on cloud infrastructure for the same purpose.

“Hijacking servers to mine currency really picked up in 2017, at the height of the cryptocurrency boom when prices were at the highest and the potential rewards were very significant,” says Chris Dorman, security researcher at AT&T Cybersecurity. “Even though bitcoin prices have dropped 80% since their peak, the prevalence of server cryptojacking continues.”

AT&T Cybersecurity’s researchers examined cryptomining attacks against a range of cloud infrastructure targets. Container management platforms are one of them. The security vendor says its researchers have observed attackers using unauthenticated management interfaces and open APIs to compromise container management platforms and use them for cryptomining.

As one example, the researchers pointed to an attack that security vendor RedLock first reported last year, where a threat actor compromised an AWS-hosted Kubernetes server belonging to electric carmaker Tesla and then used it to mine for Monero. AT&T Cybersecurity said it has investigated other similar incidents involving malware served from the same domain that was used in the Tesla attack.

Attackers have also been frequently targeting the control panels of web hosting services, as well. In April 2018, for instance, an adversary took advantage of a previously unknown vulnerability in the open source Vesta hosting control panel (VestaCP) to install a Monero miner on web hosts running the vulnerable software.

Container management systems and control panels are not the only cloud infrastructure targets. API keys are another favorite. AT&T Cybersecurity says many attackers are running automatic scans of the web and of sites such as GitHub for openly accessible API keys, which they then use to compromise the associated accounts.

The trend requires due diligence on multiple fronts. Almost all server-side exploits in the cloud, for instance, stem from exploits in software such as Apache Struts and Drupal, Dorman says. “Typically, we see the attackers start scanning the Internet for machines to compromise within two or three days of an exploit becoming available,” he notes. So, keeping machines patched fairly quickly is key.

Similarly, ensuring complex password use and enforcing account lockouts is critical to preventing attackers from simply brute-forcing passwords to cloud servers, he says.

In terms of cloud accounts being compromised — when an attacker steals the root AWS key, for instance — there are free tools available to check all public source code and to verify if any credentials have been accidentally published, Dorman notes.
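The check Dorman refers to, scanning source code for credentials before (or after) it is published, is simple to implement for AWS keys because their formats are fixed. The following Python is an added example, not a tool from AT&T Cybersecurity or the article: it scans text or a directory tree for AWS access key IDs (the `AKIA`/`ASIA` prefix plus 16 upper-case alphanumerics) and for 40-character secret keys on lines that mention "secret". The sample `.env` content is constructed for the example and uses the placeholder key values from AWS’s own documentation.

```python
"""Scan text or a directory tree for accidentally committed AWS credentials (added example)."""
import os
import re

# Constructed sample file, as might be committed to a public repo by mistake.
# The key values are the well-known placeholder examples from AWS documentation.
SAMPLE_FILE = """\
# constructed sample .env
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
API_BASE=https://api.example.com/v1
"""

# Heuristics: access key IDs are AKIA (long-term) or ASIA (temporary) followed
# by 16 upper-case alphanumerics; secret keys are 40 base64-like characters and
# are only reported on lines that contain the word "secret" to limit noise.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
SECRET_CONTEXT_RE = re.compile(r"secret", re.IGNORECASE)


def redact(value):
    """Keep enough of a match to identify the key without reprinting it."""
    return value[:4] + "..." + value[-2:]


def scan_text(text, source="<text>"):
    """Return a list of findings (dicts) for credential-looking strings in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": redact(m.group(0))})
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_KEY_RE.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "kind": "aws_secret_access_key", "value": redact(m.group(0))})
    return findings


def scan_paths(root, skip_dirs=(".git", "node_modules", "vendor")):
    """Walk a directory tree and scan every readable file as text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prune in place
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE, "sample.env"):
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['value']}")
```

Run `scan_paths(".")` as a pre-commit hook or in CI so a key never reaches a public repository; a hit on an already-pushed commit means the key must be rotated, not just deleted, because Git history and third-party scanners will already have it.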

Malicious Docker images are yet another avenue of attack. Cybercriminals are hiding cryptominers in prebuilt Docker images and uploading them to Docker Hub, AT&T Cybersecurity said. Prebuilt images are popular among administrators because they can help reduce the time required to set up and configure a container app. However, if the image is malicious, organizations can end up running a cryptominer as well. So far, though, only a relatively small number of organizations have reported downloading and running malicious containers, AT&T Cybersecurity said.

For enterprises, cryptomining attacks in the cloud are a little trickier to address than attacks on on-premises systems. Deploying network detection tools, for instance, typically tends to be more difficult in the cloud. “You may have to rely upon your cloud provider letting you know if they see malicious traffic,” Dorman says.

It’s also important to centralize all logs provided by your cloud provider and to ensure that alerts are generated off of suspicious events. “For example, if you see someone log in to your root AWS account, and that isn’t normal for your environment, you should investigate immediately.”
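The root-login alert Dorman describes is a good first detection to build on centralized CloudTrail logs. The following Python is an added example, not code from the article or from AT&T Cybersecurity: it reads records in the CloudTrail log-file layout (a `Records` array; field names `eventName`, `userIdentity.type`, `responseElements.ConsoleLogin` and `additionalEventData.MFAUsed` are real CloudTrail fields), and raises an alert for every console login by the root user, escalating when the login succeeded without MFA or from outside an assumed trusted address range. The records, account ID and IP addresses are constructed for the example.

```python
"""Alert on root-account console logins in CloudTrail records (added example)."""
import json

# Constructed CloudTrail-style records. Field names follow the CloudTrail
# schema; the account ID, IPs and timestamps are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-02-20T03:12:44Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.23",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-02-20T09:00:02Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2019-02-20T09:05:10Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2019-02-20T22:41:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.23",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]})

# Assumed corporate egress range (constructed); logins from elsewhere are escalated.
TRUSTED_PREFIXES = ("203.0.113.",)


def root_login_alerts(records, trusted_prefixes=TRUSTED_PREFIXES):
    """Return one alert dict per root ConsoleLogin event, with a severity."""
    alerts = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("userIdentity", {}).get("type") != "Root":
            continue
        outcome = rec.get("responseElements", {}).get("ConsoleLogin", "Unknown")
        mfa = rec.get("additionalEventData", {}).get("MFAUsed", "Unknown")
        src = rec.get("sourceIPAddress", "")
        trusted = src.startswith(trusted_prefixes)
        if outcome == "Success":
            # Any root login is worth a page; no MFA or an unknown source is worse.
            severity = "critical" if (mfa != "Yes" or not trusted) else "high"
        else:
            # Failed root logins still indicate someone probing the account.
            severity = "medium"
        alerts.append({
            "time": rec.get("eventTime"),
            "source_ip": src,
            "outcome": outcome,
            "mfa_used": mfa,
            "trusted_source": trusted,
            "severity": severity,
        })
    return alerts


def alerts_from_trail_json(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) and evaluate it."""
    return root_login_alerts(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for a in alerts_from_trail_json(SAMPLE_TRAIL):
        print(f"[{a['severity']}] root console login {a['outcome']} from "
              f"{a['source_ip']} at {a['time']} (MFA: {a['mfa_used']})")
```

The same shape of rule covers the other case in the article, a stolen root access key used from the API rather than the console: replace the `eventName` filter with a check that `userIdentity.type` is `Root` for any event whose source IP is outside the trusted range.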


WatchGuard Expands Secure Wi-Fi Portfolio with 802.11ac Wave 2 Access Point for Midsize Enterprises

Complete with WatchGuard Wi-Fi Cloud, new access point offers fast, reliable, secure Wi-Fi and location analytics for restaurants, medical offices, retail branches and distributed enterprise offices.

WatchGuard® Technologies, a global leader in network security, secure Wi-Fi and network intelligence, today unveiled a new secure, 802.11ac Wave 2 access point (AP), the latest in its family of secure Wi-Fi products. The AP125 offers major performance improvements over Wave 1 APs, giving midmarket and distributed enterprise organizations secure, enterprise-grade wireless network performance without the high cost associated with most Wave 2 APs. When APs are managed with WatchGuard Wi-Fi Cloud, businesses gain access to the industry’s most sophisticated and reliable Wireless Intrusion Prevention System (WIPS) technology. It also offers a powerful location-based analytics engine equipped with customizable reports for automated inbox delivery, guest engagement tools with social authentication, intelligent network visibility and troubleshooting, and a highly-scalable cloud-based management system.

“Simply put, Wave 1 APs can’t provide the level of security, network resource distribution or scalability and management that organizations need today, and most competing Wave 2 APs can’t automatically detect and prevent the six known Wi-Fi threat categories,” said Ryan Orsi, director of product management for Wi-Fi at WatchGuard. “This is extremely problematic for low-traffic environments like restaurants, medical offices, small K-12 schools that still require secure, high-performing Wi-Fi access to function. Our new indoor AP is designed specifically to meet these needs, offering industry-leading security through our patented WIPS technology, performance and scalability that can’t be beat, all at a price that’s accessible for organizations of any size.”

“When customers ask for Wi-Fi, they want to make an investment into a future-proof infrastructure with the best technology available,” said Jean-Pierre Schwickerath, head of IT, HILOTEC AG. “With the 2×2 Wave 2 AP125, we found the perfect match for these SMB requirements: it has a small footprint, a most attractive price, and easy installation, configuration and management of the whole network out of WatchGuard’s Wi-Fi Cloud. With this powerful little beast, we can deliver and guarantee a high quality Wi-Fi network, protected by WIPS, which will make the customer happy for many years to come.”

AP125 Product Details:

  • Designed for lower client density environments and equipped with 2×2 802.11ac Wave 2 Multi-User MIMO (MU-MIMO), the AP125 can now stream data to multiple devices simultaneously utilizing the network more effectively.
  • Outfitted with dual concurrent 5 GHz and 2.4 GHz band radios supporting 802.11a/n/ac Wave 2, 802.11b/g/n, 2 spatial streams, and data rates of up to 867 Mbps and 300 Mbps, respectively.
  • The AP125 can be managed using the Firebox Gateway Wireless Controller or via WatchGuard Wi-Fi Cloud.


AP125 and Trusted Wireless Environments:

WatchGuard is proud to deliver secure Wi-Fi products that organizations can use to build Trusted Wireless Environments. In doing so, companies can rest assured that they are protected by verified, comprehensive security that automatically detects and prevents the six known Wi-Fi threat categories, while enjoying the benefits of Wi-Fi networks with market-leading performance and scalable management.

What’s more, WatchGuard’s secure Wi-Fi products are compatible with most other Wi-Fi solutions, so companies can leverage them to deploy a WIPS overlay without ripping out and replacing every existing AP in their network. For more information about managing the AP125 as a dedicated WIPS sensor, and about how to build a Trusted Wireless Environment, click here.

To join the Trusted Wireless Environment movement and advocate for a global security standard for Wi-Fi, click here.


Additional Wi-Fi Cloud Features:

Unlock the rest of the power of the Wi-Fi Cloud and gain easy-to-customize, engaging captive portals with authentication options including Facebook, Twitter, SMS, email, and a powerful location-based analytics engine equipped with customizable reports for automated delivery to your inbox. With intelligent network visibility and troubleshooting features, IT professionals can now have the answer to one of their most challenging and frequently-asked questions: “Why is the Wi-Fi not working?”

The AP125 is available for purchase now through WatchGuard channel partners and resellers. List pricing for the AP125 ranges between $340 and $690 USD, based on the Wi-Fi package and number of years selected.

The teams at Norton, Symantec and LifeLock are fighting online crime 24x7x365

Norton teams up with Symantec’s Security Technology and Response (STAR) division, which is a global team of security engineers, virus hunters, threat analysts, malware analysts, and researchers that provide the underlying security technology, content, and support for all Symantec corporate and consumer security products. Our team of global threat analysts operates a follow-the-sun model to provide 24×7 coverage to Symantec customers to track the latest developments on the threat landscape. Analysts continuously monitor a worldwide network of Symantec protected machines as well as a large-scale, global network of honeypots (machines designed to lure attackers). The group is Symantec’s and Norton’s eyes and ears when it comes to surveying and keeping a finger on the pulse of the Internet security threat landscape. With this partnership, we are able to provide you the latest, breaking news about all threats on the Internet landscape. Not only do we notify you of the latest outbreaks to be aware of, we also want to educate you about how to stay safe against these threats.

Some years ago, traditional antivirus was all that was needed to protect a computer from malware. However, with the huge shift in the threat landscape over the last few years, antivirus alone is just not enough to stay protected today. To address this, Norton has developed a collaborative partnership with the STAR team in order to alert readers as soon as a malware outbreak, data breach, fake app outbreak or other security incident happens.

New exploit lets attackers take control of Windows IoT Core devices

Speaking at a conference today, a security researcher has revealed a new exploit impacting the Windows IoT Core operating system that gives threat actors full control over vulnerable devices.

The vulnerability, discovered by Dor Azouri, a security researcher for SafeBreach, impacts the Sirep/WPCon communications protocol included with Windows IoT operating system.

Azouri said the vulnerability only impacts Windows IoT Core, the Windows IoT OS version for devices meant to run one single application, such as smart devices, control boards, hobbyist devices, and others.

The vulnerability does not impact Windows IoT Enterprise, the more advanced version of the Windows IoT operating system, the one that comes with support for a desktop functionality, and the one most likely to be found deployed in industrial robots, production lines, and other industrial environments.

The researcher said the security issue he discovered allows an attacker to run commands with SYSTEM privileges on Windows IoT Core devices.

“This exploit works on cable-connected Windows IoT Core devices, running Microsoft’s official stock image,” Azouri said in a research paper shared with ZDNet.

“The method described in this paper exploits the Sirep Test Service that’s built-in and running on the official images offered at Microsoft’s site,” the researcher said. “This service is the client part of the HLK setup one may build in order to perform driver/hardware tests on IoT devices. It serves the Sirep/WPCon protocol.”

Using the vulnerability in this testing service he discovered, the SafeBreach researcher said he was able to expose a remote command interface that attackers can weaponize to take control over smart devices running Microsoft’s Windows IoT Core OS.

During his tests, Azouri built such a tool, a remote access trojan (RAT) that he named SirepRAT, which he plans to open-source on GitHub.

The upside to Azouri’s SirepRAT is that it doesn’t work wirelessly, as the testing interface is only available via an Ethernet connection. This implies that the attacker needs to be physically present near a target, or to compromise another device on the company’s internal network and use it as a relay point for attacks on vulnerable devices.

ZDNet has reached out for comment to Microsoft, but we did not receive a response before this article’s publication.

Azouri has presented his research today at the WOPR Summit security conference in Atlantic City, NJ, USA. We’ll update this article in the coming days to include links to the SirepRAT GitHub repo and Azouri’s whitepaper.

The Windows IoT operating system is a free successor of the Windows Embedded project. According to SafeBreach, the OS has the second largest market share in the IoT devices market, with a 22.9 percent stake, behind Linux, which has a 71.8 percent market share.

Updated on March 4: A Microsoft spokesperson contradicted the researcher’s claims and said that the testing interface is not enabled by default in retail images of Windows 10 IoT Core.

4G and 5G protocols prone to privacy attacks, new study reveals

  • The issue existed in the cellular paging (broadcast) protocol in the latest generation of mobile communications.
  • An exploit called ToRPEDO was revealed by the researchers to target 4G and 5G-enabled devices.

A new research study has uncovered serious privacy risks associated with 4G as well as the latest 5G protocols. The researchers discovered that attackers could break into devices running on these protocols to conduct denial-of-service attacks.

The study, which was done by scholars from Purdue University and the University of Iowa, analyzed cellular paging in 4G and 5G devices.

Worth Noting

  • The paging protocol balances the device’s energy consumption across the different processes (for example, phone calls) running on the device.
  • Attackers can inject malicious paging messages into this protocol to perpetrate denial-of-service attacks.
  • Information such as device location, phone number, Twitter handles etc., could be compromised in 4G and 5G devices.
  • ToRPEDO, short for Tracking via Paging Message Distribution, is the method proposed by the researchers to compromise user privacy.
  • IMSI-Cracking and PIERCER were the other two methods devised in the study.

Why does it matter?

  • The development of 5G — the soon-to-be norm for mobile network protocols — will vastly be affected by this privacy issue.
  • Identities of 4G and 5G phone users could be exposed.
  • Sensitive information such as payment data of users could also be at risk.

The bottom line – Though the paper details loopholes in the telecommunication protocols, it also delineates the limitations associated with their attack methods.

“For ToRPEDO to be successful, an attacker needs to have a sniffer in the same cellular area as the victim. If the number of possible locations that the victim can be in is large, the expense of installing sniffers (i.e., $200 each) could be an impediment to carrying out a successful attack.”

Similarly, PIERCER would require a separate base station for the attack to be successful. The IMSI-Cracking attack only works when the victim does not realize that notifications are deactivated as part of the attack. In fact, this method was checked for 4G devices only and is not validated on 5G Networks.

Computers vulnerable to attack through USB ports, report

University of Cambridge and Rice University researchers have created a platform that allows cyberattacks to be conducted through a variety of computer peripherals through their USB-C port.

Thunderclap is an open-source platform created to study the security of computer peripherals and their interactions with operating systems in computers with Thunderbolt ports, Scientific Daily reported. Computers running Windows, macOS, Linux and FreeBSD were all found vulnerable through their USB-C port.

The specific vulnerability derives from the fact that peripherals have direct memory access (DMA) to the machine they are connected to, which allows them to bypass the operating system’s security policies. While such attacks are not new, and systems feature input-output memory management units (IOMMUs) to protect against them, these are often turned off and can be bypassed, Scientific Daily reported.

In addition, Thunderbolt 3, which combines power input, video output and peripheral device DMA over the same port, has greatly increased the threat from malicious devices. The researchers believe vendors need to do more to fix these issues, and consumers also have to do their part by ensuring their devices are fully patched.
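Since the report’s central point is that IOMMUs are "often turned off", the practical first step on a Linux host is to check whether they are. The following Python is an added example and not part of the Thunderclap research: it evaluates the kernel command line (`/proc/cmdline`), the presence of IOMMU groups under `/sys/kernel/iommu_groups`, and the Thunderbolt security level exposed at `/sys/bus/thunderbolt/devices/<domain>/security` (the sysfs paths and the `intel_iommu`, `amd_iommu`, `iommu=pt` parameters are real Linux interfaces; the sample inputs are constructed). The `collect_live()` helper reads the real files when run on a host; the assessment function itself is pure so it can be tested offline.

```python
"""Assess a Linux host's protection against peripheral DMA attacks (added example)."""
import os

# Thunderbolt security levels as exposed by the Linux thunderbolt driver.
# "none" attaches any PCIe device without authorization; "dponly" and "usbonly"
# do not tunnel PCIe at all, so DMA from the port is not possible.
TB_LEVEL_RISK = {
    "none": "high", "user": None, "secure": None, "dponly": None, "usbonly": None,
}


def assess_dma_protection(cmdline, iommu_groups, thunderbolt_security):
    """Return a list of findings (dicts with severity, id, detail).

    cmdline: contents of /proc/cmdline
    iommu_groups: directory entries of /sys/kernel/iommu_groups (empty if absent)
    thunderbolt_security: {domain_name: level} read from sysfs
    """
    findings = []
    params = set(cmdline.split())

    if "intel_iommu=off" in params or "amd_iommu=off" in params:
        findings.append({"severity": "high", "id": "iommu-disabled-by-cmdline",
                         "detail": "IOMMU explicitly disabled on the kernel command line"})
    if not iommu_groups:
        findings.append({"severity": "high", "id": "no-iommu-groups",
                         "detail": "no IOMMU groups present: peripheral DMA is not "
                                   "translated, so a device can read/write any RAM"})
    if "iommu=pt" in params:
        findings.append({"severity": "medium", "id": "iommu-passthrough",
                         "detail": "iommu=pt identity-maps host-owned devices, "
                                   "weakening isolation for those devices"})
    for domain, level in sorted(thunderbolt_security.items()):
        risk = TB_LEVEL_RISK.get(level, "unknown")
        if risk == "high":
            findings.append({"severity": "high", "id": f"thunderbolt-security-{level}",
                             "detail": f"{domain}: PCIe devices attach without user "
                                       f"authorization"})
        elif risk == "unknown":
            findings.append({"severity": "low", "id": f"thunderbolt-security-{level}",
                             "detail": f"{domain}: unrecognised security level"})
    return findings


def collect_live():
    """Read the real inputs from this host; missing files yield safe defaults."""
    try:
        with open("/proc/cmdline") as fh:
            cmdline = fh.read()
    except OSError:
        cmdline = ""
    try:
        groups = os.listdir("/sys/kernel/iommu_groups")
    except OSError:
        groups = []
    tb = {}
    tb_root = "/sys/bus/thunderbolt/devices"
    try:
        for name in os.listdir(tb_root):
            if name.startswith("domain"):
                with open(os.path.join(tb_root, name, "security")) as fh:
                    tb[name] = fh.read().strip()
    except OSError:
        pass
    return cmdline, groups, tb


if __name__ == "__main__":
    for f in assess_dma_protection(*collect_live()):
        print(f"[{f['severity']}] {f['id']}: {f['detail']}")
```

An empty result does not mean the machine is immune: the Thunderclap authors' point is that even an enabled IOMMU can be bypassed by devices that abuse how operating systems set up mappings, so the check is a baseline, and "no IOMMU groups" on a laptop with a Thunderbolt port is the configuration to fix first.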