The Webroot Weekly Community Digest: 2/9/18

  • 9 February 2018
  • 4 replies
  • 32 views

Userlevel 7
Badge +48
Welcome to the Weekly Webroot Digest! 
 
This is a weekly series to highlight the best articles and news stories going on in the Community. 

 
What was your favorite story? What topics would you like to see? Sound off in the comments! 
 


 
Cyber News Rundown: Scarab Ransomware Strikes Back
 
With a few interesting changes to the original Scarab ransomware, Scarabey is quickly targeting Russian-speaking users with brute force attacks on unsecured RDP connections, rather than with the spam email campaigns used by its predecessor. Additionally, Scarabey takes the ransom a bit further by deleting 24 files from the encrypted machine for every 24 hours that the ransom remains unpaid.
 
Security Glue Between the Silos of Endpoint, Server, Cloud and Network Security Gets More Critical
 
Endpoint and Host security techniques have diverged. There used to be considerable similarity between the techniques and tools used to secure desktops, servers, and even networks. Desktops evolved to become Endpoints, as mobile devices proliferated and they were assembled into a collective of being in the category of not-a-server.
 
Zero-day vulnerability discovered affecting every version of Adobe’s Flash Player on all platforms
 
Lets attackers persuade users to open Microsoft Office documents, web pages, and spam e-mails. The South Korean Computer Emergency Response Team (KR-CERT) has issued a security alert warning of a zero-day vulnerability affecting Adobe’s Flash Player.
 
OpenWall unveils kernel protection project
 
The folk at OpenWall have called for assistance to create a security module to watch Linux kernels for suspicious activity.
 
 

4 replies

Userlevel 6
Badge +20
Hey freydrew,

Thanks for sharing. I also just came across this article where the PowerShell command/tool, Invoke-PSImage, can be used to extract malicious scripts from images and execute them in memory; more info here - https://blog.knowbe4.com/2018-winter-olympics-malware-campaign-hides-malicious-powershell-script-in-image

Fileless attacks are not new, but I was wondering if Webroot had any protection built in currently to address this besides disabling and restricting PowerShell.

Sorry, I couldn't find a good place to post this, so I thought it might be OK to post it here. If there's a better place to post this, please let me know. I don't know how to start a new post, where to do it, and even if I'm allowed to. I usually just reply to other people's posts 🙂
Userlevel 7
Badge +48
Hey Webgroot, 
 
This is yet another innovative evolution to the word document macro script game. Users should always educated themselves and never enable any macro scripts when prompted. Historically, it has been used to deliver ransomware. Our Ransomware Prevention Guides have always recommended to disable macro scripts in the Microsoft office suite applications. You can do this in the trust center under settings. 
 
If you want to start a new post you can do so in a few different spots. 
 
Product Related topics
Product Help topics
News and Announcements
 
Curious to hear if you think we dont' have enough boards or what else you're looking for! 
 
Thanks!
Userlevel 6
Badge +20
Yes, agreed. We do provide our users with security awareness training and have covered macros in Office documents, however this doesn't really answer the question of whether Webroot can protect against these kind of attacks 🙂 In the future, instead of macros there may be a more clever way to extract a malicious script from an image into memory. How would Webroot protect against that then? Ideally you wouldn't want to even get to that point, but as malicious actors become more crafty, we need to consider this possibility and find new ways to combat it.
Userlevel 7
Badge +35
Hello,
 
We would not currently protect against this type of attack. This is really still a macro/script attack and having macros in Office documents covered would have stopped the payload in this highly targeted attack. The clever use of steganography to deliver the second powershell script still required the email attachment to be downloaded and the macro executed in this case. Macro and script protection is actively being worked on. 
 
-Dan
 
 

Reply