CyberheistNews Vol 4, # 17 WARNING Third Ransomware Strain


Editor's Corner


WARNING Third Ransomware Strain Called CryptorBit Attacks

Welcome to the new world of Malware.

There is a third criminal ransomware gang ramping up its attacks. The malware, called CryptorBit (also known as HowDecrypt), follows an attack process very similar to CryptoLocker and CryptoDefense, but it corrupts the first 512 or 1024 bytes of -any- data file it finds, regardless of extension. It also seems to be able to bypass Group Policy settings that were put in place to defend against this type of ransomware infection.

Infections with this recent CryptorBit strain are on the rise, and once a user's files are encrypted, a ransom of up to $500 in bitcoin is demanded to decrypt them. The malware was initially released in December 2013, and now that the gang has debugged its criminal infrastructure, attacks are increasing.

To add insult to injury, the cybercrims are also installing so-called cryptocoin miner software, which uses the victim's computer to mine digital coins such as Bitcoin that get deposited in the malware developer's digital wallet, making them even more money. The cyber gang uses social engineering to get the end-user to install the ransomware, either as a fake Flash update or as a rogue antivirus product.

When the workstation is infected, the bad guys want you to install the Tor Browser, enter their address, and follow the instructions on their website on how to pay. They leave a friendly reminder that the sooner you pay, the more chance you have to "recover the files". Once you pay, you supposedly get their CryptorBit Decryptor program. Based on the payments sent to known CryptorBit Bitcoin addresses, quite a few people appear to have paid the ransom.

   How To Recover Files

First wipe the infected machine(s), rebuild from the ground up, and restore the files from the most recent backup. If there are no backups, try to restore the files from Shadow Volume Copies. If those are not available either, you can try a utility called DecrypterFixer written by Nathan Scott. (The link goes to a very good page on the bleepingcomputer forum about this topic.)

You can check the owner of the encrypted files, which shows you where the infection started, i.e. which end-user opened the malicious attachment.
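As an added example (not code from this newsletter, from CryptorBit's authors, or from any vendor named here), the following Python triage script applies the two observations above during cleanup: a file whose first bytes no longer match the magic number its extension implies has very likely been hit, and the owner of such a file points at the account the infection ran under. The MAGIC table is a small constructed subset of common formats, and the fixture file names and contents are constructed for the demo.

```python
"""Triage helper for the header corruption described above: CryptorBit
overwrites the first 512 or 1024 bytes of a data file regardless of
extension, so a file whose leading bytes contradict its extension is a
strong indicator.  Added example; not the malware, not a vendor tool, and
the MAGIC table is a constructed subset of common formats."""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed subset: extension -> expected leading bytes (magic number).
MAGIC: Dict[str, bytes] = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",  # Office Open XML documents are zip containers
    ".xlsx": b"PK\x03\x04",
}


def header_intact(head: bytes, suffix: str) -> Optional[bool]:
    """True if `head` starts with the magic expected for `suffix`, False if
    it does not, None if the suffix is not in the table (no verdict)."""
    expected = MAGIC.get(suffix.lower())
    if expected is None:
        return None
    return head[: len(expected)] == expected


def owner_of(path: Path) -> str:
    """File owner, used to trace which user account the infection ran as;
    'unknown' where the platform or account database cannot answer."""
    try:
        return path.owner()
    except (NotImplementedError, KeyError, OSError):
        return "unknown"


def scan(root: Path, head_len: int = 1024) -> List[Dict[str, str]]:
    """Walk `root` and report every file whose leading bytes contradict its
    extension.  Only the first head_len bytes are read, which covers the
    512/1024-byte region the described corruption touches."""
    findings: List[Dict[str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(head_len)
        if header_intact(head, path.suffix) is False:
            findings.append({"path": str(path), "owner": owner_of(path)})
    return findings


def build_fixture(root: Path) -> None:
    """Constructed sample tree: an intact PDF and PNG, a PDF whose first
    512 bytes are zeroed (what a hit file looks like), and a file with an
    extension the table does not know."""
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n" + b"x" * 2000)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 100)
    (root / "invoice.pdf").write_bytes(b"\x00" * 512 + b"remainder of the original file" + b"x" * 1500)
    (root / "notes.xyz").write_bytes(b"no magic number known for this extension")


def demo() -> List[str]:
    """Build the fixture in a temporary directory, scan it, and return the
    basenames that were flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return [Path(f["path"]).name for f in scan(root)]


if __name__ == "__main__":
    for name in demo():
        print("header mismatch:", name)
```

Run it against a restored share or a mounted image of the infected machine rather than the live box; extend MAGIC with the formats your organisation actually stores, and treat a None verdict as "not checked" rather than "clean".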

   How To Prevent This Infection

First, backup, backup, backup, and test your restore procedure on a very regular basis. Next, you cannot just rely on your antivirus; AV signatures normally run 6 hours behind attacks like this, which is enough for the bad guys to get their "work" done and vanish. It takes a while for the AV vendor to become aware of the attack, find out what the malware looks like, and create a definition for it that then needs to be downloaded to the workstation. So reactive defenses are not effective. Some AV products also have proactive defenses that block whole classes of files, but those also fail on a regular basis. See the Virus Bulletin tests here:

Cyber criminals are using known social engineering tactics to trick users into opening the attachments. That means your defense-in-depth needs to start with stepping your users through effective education like Kevin Mitnick Security Awareness Training. Once they have done that training they will think twice before they open a possibly infected attachment. And you get to schedule (set-it-and-forget-it) a whole year of regular simulated phishing attacks on your users, which keeps them on their toes with security top of mind. Finally, being able to -show- management who the repeat offenders are is kind of fun too.

With malware like this out there, security education and behavior management is a must for any organization where users have access to email and the web. Find out how affordable this is for your own organization. Get a quote now:

New 0-Day In All IE Versions

A new nasty has shown up that allows remote code execution, which is the holy grail for hackers. Redmond states that the flaw is being used for limited, targeted attacks against finance and defense organizations.

The US Department of Homeland Security recommends avoiding IE until this is fixed. The attack leverages a previously unknown "use after free" vulnerability -- a memory-safety flaw in which the program keeps using a block of memory after it has been freed -- and bypasses both Windows DEP (data execution prevention) and ASLR (address space layout randomization) protections.

I'd recommend using Chrome if you are able to until this is resolved.

Verizon's New 2014 Data Breach Report: Summary

In IT, we are subject to help desk tickets and putting out fires. The problem with this is that most of these are short-term fixes. It is usually about last week's downtime, today's malware infection and next week's new app coming online.

In their new Data Breach Investigations Report (DBIR), Verizon shows that this short-term focus has a few drawbacks. If, apart from your day-to-day coping with issues, you are also able to spend some time organizing your environment with a long-term perspective, that can pay off handsomely.

Verizon took the long-term view in their 2014 DBIR with some surprising results. They wanted to produce "actionable" information you could really do something with, so they looked over a longer period to see if there were patterns. Lo and behold, there were.

There are just nine attack patterns, and only three stand out as the main culprits. The main surprise though is a comprehensive matrix of incident classifications and industries they have affected. There is an enormous difference in the kinds of attacks that different industry sectors are being subjected to. If you know how you are targeted, that makes it easier to defend yourself, so check out Figure 19 on page 15 of the PDF.

One thing to note when you look at all the statistics is that they seem somewhat skewed. This is caused by the requirement that all incidents in the public sector -have- to be reported, whereas the private sector often stonewalls any data breach.

However, the main message of the new DBIR is unfortunately illustrated in a very simple graphic that compares, over 10 years, the time it has taken an attacker to compromise an asset versus the time it takes a defender to discover the breach. The graph shows, year by year, how often compromise took days or less (the red line) versus how often discovery took days or less (the blue line). In other words, most assets were breached in a few days, while the time to discovery was much longer. The gap is widening. Yikes.

Quotes of the Week

"Genius always finds itself a century too early" - Ralph Waldo Emerson

"When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him." - Jonathan Swift

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman

Exactly -Which- Employees Are The "Weak Link" In Your IT Security?

Today, your employees are exposed to Advanced Persistent Threats. Trend Micro reported that 91% of successful data breaches started with a spear phishing attack. IT security specialists call it your 'phishing attack surface': the more email addresses that are exposed, the bigger your attack footprint is, and the higher the risk. Let's find out. How?

ONE: We run the (free) Email Exposure Check for you. That gives you all the email addresses from your own domain that are available out there on the Internet. It's often surprising how many addresses can be found, and whose.

TWO: You create (again free) an account on our website, upload the addresses found in step ONE, and 5 minutes later they receive a simulated phishing attack! You will immediately know your phishing attack surface, your Phish-prone percentage and your highest risk employees. Fabulous ammo to get more security budget, fun to do and it takes less than 10 minutes. Let's Find Out!


Phishers Divert Home Loan Earnest Money

Brian Krebs wrote: It looks like it's time to update my "Value of a Hacked Email Account" graphic: Real estate and title agencies are being warned about a new fraud scheme in which email bandits target consumers who are in the process of purchasing a home.

In this scheme, the attackers intercept emails from title agencies providing wire transfer information for borrowers to transmit earnest money for an upcoming transaction. The scammers then substitute the title company’s bank account information with their own, and the unsuspecting would-be homeowner wires their down payment directly to the fraudsters. More at:


Why Your Employees Are the Single Biggest Threat to Your Company's Data

INC Magazine has a great article that you can send to higher-ups which explains in non-technical terms what we have been saying here for years:

"When the Heartbleed security bug was revealed last week, IT departments across almost every industry scurried to secure their infrastructure. Frighteningly, the bug, which potentially exposed customer data for more than two years, is undetectable.

Heartbleed and cyberattacks like Target have made businesses more aware of the necessity of having sufficient defenses in place to protect trade secrets, customer information, and financial data. Still, says Heather Bearfield, a cybersecurity and risk management consultant at professional services firm Marcum, companies still have a long way to go.

"When we speak with CEOs, CFOs, and CIOs, we see a huge investment, tens of thousands of dollars, to make sure their financial statements are in place. But with IT, they think they aren't a target, their infrastructure is sufficient, and they don't need to invest in security," Bearfield says. "Those are the organizations that will get hit hard. As we've seen, a breach can bring a company to its knees. You're going to see a huge shift as companies realize how important it is to support their IT department."

Below, read Bearfield's tips to prevent a data breach and save your company a lot of money in the long term.

   Educate your employees.

Believe it or not, your employees are the weakest link in your digital defenses. "Human error is the highest risk to your company. Clicking bad links, stolen laptops, lost thumb drives and company phones--there are so many ways company data can be breached," Bearfield says. "Just raising employee awareness can do a lot to better protect your company."

During company consultations, Bearfield will simulate phishing attacks to show how easily your network can be compromised. A recent Verizon report finds there's a 100 percent chance that at least one out of 10 people who are sent a malicious email will click a link in it (a phenomenon it calls the "inevitable click"). She also warns that hackers are leveraging current events to entice clicks--everything from the Olympics this past winter to the Malaysian airlines search. Make sure your employees know the danger one click can cause.

   Don't be stubborn about passwords.

Bearfield says many companies refuse what should be a simple security tactic to implement. "We still see so much pushback from the C-suite and sales teams on the necessity to change all passwords every 90 days. They feel like they can't remember new passwords, can't come up with a new secure one with frequency, and think the process will trip them up in their workflow," she says. "It sounds so easy, but this is actually a big issue--password security is the first layer of defense but people feel like it's impossible for them. We also suggest case-sensitive, special characters, and lockout after a certain number of attempts."

   Encrypt before you ship.

Encrypting your email messages is another easy way to shore up sensitive information. "For some reason, people often see this as a negative thing [that implies their network isn't secure]. To encrypt an email, all you need to do is enter a username and password, which is maybe five to 10 seconds of your time," she says. "We have automatic encryption software that will encrypt a message if you write a string of numbers [in the body], write the word 'secure,' or other keywords." During one consultation, Bearfield says she showed a CEO how easy it was to access his email by asking him how his daughter enjoyed life after getting her braces off. "All it takes is one message before you realize how important encryption is," she says.

   Dedicate more resources to IT.

IT spending is one of the most forward-thinking investments you can make in your business. "Many organizations do not dedicate resources to their IT departments. Without proper investment, these IT departments are constantly putting out fires and don't have the time or ability to address other important concerns," Bearfield says. "They can't keep up with patching, which can leave vulnerabilities exposed for weeks, or months, if not longer."


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

New World Record Base Jump From The World's Tallest Building:

Chuck Aaron is one of the few pilots in the World who is able to perform loops, barrel rolls, and other aerobatic maneuvers with a helicopter:

When I was a kid, there are two things I wanted badly and never got... A real dog and a Kenner AT-AT Walker:

McLaren needed someone to drive a P1 back from Belgium to the UK - it didn't take long to find some willing volunteers...

Looking for a badass camper? Check this one out - 100% Carbon Fiber:

Nissan develops first 'self-cleaning' car prototype. Sweet!:

The struggle of several vessels with large waves. Interesting footage:

An epic love story between a guy and the girl of his dreams through the ages:
