The attachment is a booby-trapped Word file carrying a ransomware payload. When the unlucky end-user opens it, the ransomware encrypts their files, and any mapped network drives it can reach as well.
I suggest you send this Scam Of The Week to all your friends, family and employees with something like the following message (feel free to copy/paste/edit):
"Cyber criminals are preying on American taxpayers who have met the April 15th deadline and are now waiting to hear about their refund. There is a massive phishing scam going on right now that tries to trick you into opening a Microsoft Word attachment. If you do, all your files will get hijacked and encrypted, and you only get them back after paying a ransom of around $500. Remember: think before you click, and do not open any attachments you did not ask for!"
Stepping employees through effective security awareness training is how to stay safe out there on the Wild, Wild Web. Here is what the email looks like:
New TeslaCrypt Ransomware Uses More Exploit Kits As Infection Vector
The new Internet Security Threat Report from Symantec shows that the number of file-encrypting ransomware attacks grew from 8,274 in 2013 to 373,342 in 2014, 45 times more crypto-ransomware in the threat landscape within a single year.
Combine that with the new Verizon Data Breach Investigations Report from last week, which showed that you have one minute and 22 seconds to save your files from being encrypted, and you see the problem. Verizon calculated 82 seconds as the median time it takes for an employee to open a phishing email once it lands on the company's network and in their inbox.
TeslaCrypt is one of the latest copycat ransomware strains that has ripped off the CryptoLocker brand, and it is now infecting users' workstations through multiple exploit kits.
Apart from the laundry list of file types that ransomware normally encrypts, TeslaCrypt also tries to cash in on the $81 billion game market and encrypts over 40 file types associated with popular computer video games, like Call of Duty, Minecraft and World of Warcraft, as well as files related to iTunes. In other words: "all your files are belong to us".
Instead of phishing attacks with attachments, the TeslaCrypt strain uses multiple exploit kits. An exploit kit (EK) is crimeware sold on the dark web; a cyber gang plants it on a compromised legitimate website (or redirects visitors to it), and it probes each visiting browser for unpatched software. The workstation of the employee who clicks through to or visits that infected website gets exploited when it is not updated with the latest patches.
TeslaCrypt started out with the Angler EK, but has recently also been delivered by the Sweet Orange and Nuclear EKs. The Nuclear kit is being used in a campaign right now: employees who click on a link in a phishing email are redirected to compromised WordPress sites that have this EK installed.
Brad Duncan, security researcher at Rackspace, observed on April 16th that in one case the kit successfully exploited a vulnerability in an out-of-date version of Flash Player (18.104.22.168).
Once the workstation is infected, the delivered ransomware still uses the CryptoLocker branding. However, when the victim visits the payment site that instructs them on how to pay the ransom, it becomes obvious that you are dealing with TeslaCrypt. The screenshot is in our blog post, which also has the links to the reports mentioned above:
The payment process is run through a website on the Tor network. Each instance of the ransomware has its own Bitcoin (BTC) payment address. The files are encrypted with the AES cipher, and encrypted files gain the .ecc extension.
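As an added example (not part of the original newsletter, and not TeslaCrypt's own code), here is a small Python triage helper an incident responder could run over a file share to find files that look ransomware-encrypted. It flags the .ecc extension the article names and, for strains that encrypt in place without renaming, flags files whose header magic no longer matches their extension while their content has ciphertext-like entropy. The sample files, the 7.5 bits/byte entropy threshold and the magic-byte table are constructed assumptions for the demo, not data from the article.

```python
import hashlib
import math
import os
from collections import Counter

# Extension TeslaCrypt appends to encrypted files, per the article.
RANSOM_EXTENSIONS = {".ecc"}

# Per-byte Shannon entropy at or above this looks like ciphertext (or already-compressed data).
# 7.5 bits is an assumed threshold; tune it against your own file population.
ENTROPY_THRESHOLD = 7.5

# Header magic for a few common formats (assumed table, extend as needed).
# AES output has no structure, so a .docx encrypted in place loses its "PK" header.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Per-byte Shannon entropy in bits: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(files, threshold=ENTROPY_THRESHOLD):
    """Return [(name, reason)] for files that look ransomware-encrypted.

    `files` is an iterable of (name, content_bytes) pairs so the check runs on
    in-memory samples; a real sweep would walk the share and read each file.
    """
    findings = []
    for name, data in files:
        ext = os.path.splitext(name)[1].lower()
        if ext in RANSOM_EXTENSIONS:
            findings.append((name, "ransomware extension %s" % ext))
            continue
        magic = MAGIC.get(ext)
        if magic is not None and not data.startswith(magic):
            entropy = shannon_entropy(data)
            if entropy >= threshold:
                findings.append((name, "%s header missing and entropy %.2f bits/byte" % (ext, entropy)))
    return findings


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler standing in for AES ciphertext (constructed sample data)."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample share: two encrypted files (one renamed, one in place) and three clean ones.
SAMPLE_FILES = [
    ("budget.xlsx.ecc", pseudo_random_bytes(b"budget", 4096)),                   # renamed by TeslaCrypt
    ("notes.docx", pseudo_random_bytes(b"notes", 4096)),                         # encrypted in place, header gone
    ("report.pdf", b"%PDF-1.5\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + pseudo_random_bytes(b"photo", 4092)),   # high entropy, header intact
    ("memo.txt", b"Quarterly memo: please review the attached budget.\n" * 50),
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_FILES):
        print("%-20s %s" % (name, reason))
```

Running it flags budget.xlsx.ecc (extension) and notes.docx (header gone, high entropy) and leaves the PDF, the JPEG and the memo alone; the JPEG case is why the entropy test is paired with a magic check, since legitimate compressed formats are high-entropy too.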
What To Do About It
- The rule "Patch Early, Patch Often" still applies, but these days it is better to "Patch Now": patch all workstations for both OS fixes and the popular third-party apps that are part of the standard image rolled out to end-users. A product like Secunia can scan for unpatched third-party apps.
- Make sure your backup/restore procedures are in place. Regularly TEST, TEST, TEST whether your restore function actually works. The latter is often overlooked.
- The TeslaCrypt strain uses social engineering to make a user click on a link in a phishing email (it does not use email attachments). This type of ransomware can also use malicious ads on legitimate websites to infect workstations. End users need to be stepped through effective security awareness training so that they are on their toes, with security top of mind, when they go through their email or browse the web.
Find out how affordable this is for your organization today. You will be pleasantly surprised.
A Serious Legal Liability: Bad or No Security Awareness Training
If you have trouble getting budget for employee security education, please read this article and then forward it to the head of your legal department and/or the person in your organization who is responsible for compliance.
The Department of Health and Human Services has stated that bad or no security awareness training is a main cause of compliance failures. This is true not only for health care, but for all kinds of industries like banking, finance, manufacturing and, surprisingly, high-tech.
It does not stop with mere compliance failures causing regulatory fines. Trend Micro reported that 91% of successful data breaches started with a spear-phishing attack. The problem is that to be "letter of the law" compliant, you only need to herd your users once a year into the break room, keep them awake with coffee and donuts, and give them a "death by PowerPoint" awareness update. However, ineffective security awareness training could turn out to be a serious legal liability.
Why? Cybercrime goes after the low-hanging fruit: your users. Why spend time exploiting complicated software vulnerabilities when you can easily social engineer an end-user into clicking on a link? So an end-user who did not get effective awareness training falls for the hacker's trick. Their workstation gets infected with a keylogger, the hacker now knows their login and password, and with that penetrates your network.
Simply put: if it's the Eastern European cyber-mafia, their focus is to transfer out money from your operating account over a long weekend. If it's the Chinese, they will steal your intellectual property. If it's independent hackers, your customer database and credit card transactions are exfiltrated and sold on dark web criminal sites.
In all three cases you run the risk of a lawsuit:
- You might sue the bank for negligence, and they might sue you back. Massive legal fees are inevitable. If it is found out the attackers came in by social engineering a user, your case is significantly weakened. Go to Brian Krebs' site and search for Patco Construction, a nightmare scenario. Here it is:
- If the Chinese steal your intellectual property and you are exposed to a shareholder lawsuit, there will be a lengthy and costly discovery period. If it is found out the attackers came in by social engineering a user, your case is significantly weakened.
- If hackers get into your network, and an investigative journalist like Brian Krebs discovers a website that has all your customer records and credit card transactions, a class action lawsuit is not far away. (This is the legal profession's biggest growth industry). If it is found out the attackers came in by social engineering a user, your case is significantly weakened.
See the trend here? Not scaling your training to a level that effectively mitigates the risk you are exposed to is a severe legal liability. We have a whitepaper called "Legal Compliance Through Security Awareness Training" written by KnowBe4 and Michael R. Overly, Esq., CISA, CISSP, CIPP, ISSMP, CRISC. He explains the concept of acting "Reasonably" or taking "Appropriate" or "Necessary" measures.
Reading this whitepaper will help you avoid violating compliance laws or regulations. It includes examples from the Massachusetts Data Security Law and HIPAA to explain what is required. I strongly recommend you download this whitepaper if you have not already:
Quotes of the Week:
"There are none so blind as those who will not see." - John Heywood, ca. 1546
"If you light a lamp for someone else it will also brighten your path." - Buddha (563 - 483 BC)
"As my friend said to me, and I say to others, 'There are two types of people in the world: those who have had a major disk failure and those who are about to...'" - John Harper
Thanks for reading CyberheistNews!
Please forward to your friends. But if you want to unsubscribe, you can do that right here.
Compliance In Half The Time At Half The Cost
I'm sure you will agree, compliance has become a major headache. It is a HUGE burden on already limited IT resources. Yearly audits have become major projects. They are expensive in both dollars and your IT staff time.
Imagine an environment in which your organization is completely compliant 24/7/365. We have a new product, KnowBe4 Compliance Manager (KCM), that can help you to achieve that state. It is an IT compliance workflow automation tool that allows you to:
- Manage all of your specific regulatory requirements in one location (PCI-DSS, HIPAA, GLBA, SOX, etc...).
- Eliminate duplication of effort.
- Assign the Directly Responsible Individual (DRI) for a control.
- Direct your auditors to one location for evidence of compliance controls being in place and up to date.
- NEW: Auditor role; your auditor can log in remotely and save you billable hours.
Go to this link for more info and to request a web demo:
Example Of Whaling: Super Sophisticated Social Engineering
My staff tried to social engineer me the other day, trying to catch me as a prank. It was a 2-stage attack, trying to get me to reveal my credentials.
They spoofed our Director of HR, and sent me the email below. This is an example of very high operational sophistication, typical of top-tier "whaling" attacks, those cases when an individual is subjected to spearphishing attempts because they hold valuable information or wield influence within an organization. They had done their homework and knew I was active on the SpiceWorks forum for IT admins.
I noticed that a user named securitybull72 (claiming to be an employee) in a security forum posted some negative comments about the company in general (executive compensation mainly) and you specifically (overpaid and incompetent). He gave detailed instances of his disagreements and, in doing so, may have unwittingly divulged confidential company information regarding pending transactions.
The post generated quite a few replies, most of them agreeing with negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through appropriate channels before making this post. The link to the post is located here (it is the second one in the thread):
Could you please talk to him?
Nine out of ten would fall for something like this. The only thing that saved me was the fact that when I hovered over the link I saw that the domain was one I had created myself for simulated phishing attacks. But it was a close call! One more second and I would have been pwned. Yikes.
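The hover check that caught the prank can be automated at the mail gateway or in a triage script. As an added example, not part of the original newsletter, the Python below pulls every anchor out of an HTML mail body and flags links whose destination host is outside the claimed sender's domain, and links whose visible text is itself a URL or hostname pointing somewhere other than the href (the classic lure). The message body, the sender domain and the example.com/.net/.org hosts are constructed for the demo; the two-label registered-domain helper is a simplification that mishandles suffixes like co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: wrong for suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def displayed_host(text: str):
    """If the visible link text looks like a URL or hostname, return its host, else None."""
    if " " in text or "." not in text:
        return None
    url = text if "://" in text else "http://" + text
    return urlparse(url).hostname


def suspicious_links(html: str, sender_domain: str):
    """Return [(href, visible_text, [reasons])] for links a user should not click."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and the like are out of scope here
        host = parsed.hostname or ""
        reasons = []
        if registered_domain(host) != registered_domain(sender_domain):
            reasons.append("destination %s is outside sender domain %s" % (host, sender_domain))
        shown = displayed_host(text)
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append("text shows %s but link goes to %s" % (shown, host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed stand-in for the spoofed HR mail: the sender claims example.com, and the
# "forum post" link is dressed up as forum.example.org but lands on a different host.
SENDER_DOMAIN = "example.com"
SAMPLE_BODY = """
<p>The link to the post is located here (it is the second one in the thread):
<a href="http://portal.example.net/login?next=thread">forum.example.org/topic/4711</a></p>
<p>Could you please talk to him?</p>
<p><a href="https://intranet.example.com/policies">HR policies</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_BODY, SENDER_DOMAIN):
        print(href, "|", text)
        for reason in reasons:
            print("   -", reason)
```

On the sample body only the forum link is reported, with both reasons; the intranet link stays under the sender's domain and its text is plain words, so it passes. A gateway that rewrites or quarantines on these two signals catches exactly the trick that a hover reveals by eye.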
The Wall Street Journal has woken up to the threats of spear phishing and ransomware and has a good video about this that I suggest you send to your management levels. This will be real and understandable to them:
90% Of Security Incidents Trace Back To PEBKAC and ID10T Errors
Don't have time to read through the massive Verizon report mentioned in the Editor's Corner? Here is a great summary: 90% of security incidents are still caused by PEBKAC and ID10T errors, according to Verizon's 2015 Data Breach Investigations Report. Phishing attacks are a prime example of how the Problem Exists Between Keyboard And Chair, as the DBIR says it takes a mere one minute and 22 seconds after a phishing email is sent before the first victim clicks on the tainted link. At ComputerWorld:
Top 10 Tips To Involve Employees In Cyber Security
IT might be accountable for cyber security, but every employee needs to be responsible for protecting the organization's computing resources. While technology is good, and quite necessary, it can't work in a vacuum. People are still the weakest link in the security chain. For this reason, Kaspersky Lab has published a short e-booklet with Top 10 Tips for Educating Employees about Cybersecurity. Utilizing these tips along with good security technology will go a long way toward helping protect your business from security events. Read the complete story at NetworkWorld:
Cyberheist 'FAVE' LINKS:
This Week's Links We Like. Tips, Hints And Fun Stuff.
While you were offline, this droid stole the Internet. BB-8 on the stage at Star Wars Celebration 2015. This is one heck of a new cool droid, check it out!
SpaceX just delivered an espresso machine to the International Space Station, including a Zero Gravity Coffee Cup. NASA shows the science of it. Cool!
Astronaut's Daughter Sends Message To Her Father With The Help Of 11 Cars:
Why We Don't Have Teleportation Yet. Hint: It's all Volkswagen's fault!
What is the ability of the human body combined with fantasy? Wheelman will demonstrate extraordinary things with a smile on his face:
Phone out of juice again? Never again with IKEA's Wireless Charging collection of furniture, which has built-in Qi-enabled wireless chargers:
Wendy the 'talking, meowing and singing dog' and her human, Marc Métral, amazed the audience and judges of Britain's Got Talent 2015:
Learn how to quickly and easily peel an orange - it only involves three cuts of a knife:
A couple takes off in an inflatable 'flyfish' banana boat somewhere in Brazil:
Goalkeeper cat is the best goalie ever!:
Out of the archives: The first car ever that can drive on land, on water and underwater. I still want one!
And one last classic Charlie Chaplin - The Lion's Cage. For these scenes with the lion, Chaplin made some 200 takes, in many of which he was actually inside the lion's cage!: