CyberheistNews Vol 11 #18 [Heads Up] End-User Attempt to Pirate Software Leads to Ryuk Ransomware Attack

Bleeping Computer recently reported that an end user in a research institute (a student, in this case) attempted to pirate expensive data visualization software, which resulted in a Ryuk ransomware attack.

We've seen ransomware distributed in the past through cryptocurrency miners but this type of 'crack site' attack takes ransomware attacks to a whole other level.

The student had searched for data visualization software that they wanted to install at home. Instead of buying a legit license, the student proceeded to search for a cracked version and downloaded it. The illegal download resulted in an infection with an information-stealing trojan that stole the credentials needed by Ryuk cybercriminals to log into the institute and wreak havoc.

The attack cost the institute a week's worth of research data and caused a week-long network outage while servers were rebuilt from scratch and data was restored from backups.

Ryuk ransomware is not to be messed with. A few months ago we covered a story about a Ryuk strain with a worm-like feature that spreads to Windows devices on your LAN, and the ransomware-as-a-service gang has only gotten more devious in its schemes.

Unfortunately, this will not be the last time a user tries to obtain cracked software from a warez site. Continued user education is essential to ensure phishing and ransomware attacks do not infect your organization in the future.

New-school security awareness training can ensure your users are up-to-date on the latest attack types.

Blog post with links to details:
https://blog.knowbe4.com/students-attempt-to-pirate-software-leads-to-ryuk-ransomware-attack

A Master Class on IT Security: Roger Grimes Teaches You Phishing Mitigation

Phishing attacks have come a long way from the spray-and-pray emails of just a few decades ago. Now they’re more targeted, more cunning and more dangerous. And this enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more.

Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, as he shares a comprehensive strategy for phishing mitigation. With 30+ years’ experience as a computer security consultant, instructor, and award-winning author, Roger has dedicated his life to making sure you’re prepared to defend against ever-present IT security threats like phishing.

In this webinar you’ll learn:
  • How to develop a comprehensive defense-in-depth plan for phishing mitigation
  • Ideas for security policies you can implement now
  • Technical controls all organizations should consider
  • Gotchas to watch out for with cybersecurity insurance
  • Why it’s critical to develop your organization’s human firewall

Get the details you need to know now to protect your organization from phishing and social engineering attacks. And earn CPE credit for attending.

Date/Time: THIS WEEK, Wednesday, May 12 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3151816/E12A84D42EF20BA0D051048AD863ACEB?partnerref=CHN2

W-2 Form Office 365 Credential Scam Creatively Uses Typeform Service to Bypass Your Security Layers

By creating phishing site pages using an online service for building surveys and forms, scammers figured out an original way to trick users out of their Office 365 credentials.

With the new U.S. May 15th deadline for submitting your tax returns quickly approaching, the bad guys are using tax-season theming to steal Office 365 credentials. According to security researchers at Armorblox, this latest scam starts with a phishing email informing the potential victim that their 2020 W-2 form is available for download from OneDrive – complete with a “Learn about messages protected by Office 365” link to add some credibility to the email.

The malicious link takes the victim to a webpage showing a blurred tax form, gated by Typeform. The assumption is that because the user was told it’s a OneDrive link, they will enter their Office 365 credentials, even though the page is obviously hosted on a completely different platform.

Any credentials provided are met with an invalid password error – thought to be a smoke screen to allow the scammers to collect as many credentials as possible.

The obvious errors that should warn the recipient include the mismatch between the link purporting to be a OneDrive link and it actually taking the user to Typeform’s website. At least in the example provided by Armorblox, the sender’s email address is a Hotmail account.

Users with proper new-school security awareness training will identify these issues a mile away and spot the email for what it really is – a scam. I highly suggest getting started on implementing this before your organization’s Office 365 credentials are stolen and used by the bad guys for even more criminal exploits.

Full story at Knowbe4 blog:
https://blog.knowbe4.com/w-2-form-office-365-credential-scam-creatively-uses-typeform-service-to-bypass-security-checks

[PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase in this email traffic can present a new problem!

PhishRIP, part of the PhishER platform, is a new email quarantine feature that integrates with Microsoft 365 and G Suite to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, the key ingredient of an essential security workstream. PhishER allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, May 19 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • NEW! Use Security Roles to Create a Multi-Tiered Incident Response System in PhishER
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam, or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, May 19 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3110189/C3639F74026BD1E842AE0EF87CD46B6C?partnerref=CHN

[EYE OPENER] Brand New Malware Families Found in Phishing Campaign

Researchers from FireEye's security team found new malware families in a financial phishing campaign. The malware strains have been dubbed Doubledrag, Doubledrop, and Doubleback.

So far, this campaign has targeted the US, EMEA, Asia, and Australia. The attack has been rolled out in two phases, with the bad guys posing as account executives representing various industries.

The phishing emails contained a PDF attachment alongside a [dot]js file. Because the PDF file appeared to be 'unreadable', victims double-clicked the [dot]js file instead. Unfortunately, that resulted in the Doubledrag downloader being executed.

Doubledrag then downloads a dropper (the Doubledrop malware strain) to kick off the second phase of the attack. Doubledrop then proceeds to completely own the infected machine by loading a backdoor (the Doubleback strain) into memory.

The researchers from FireEye said in a statement, "Although Mandiant has no evidence about the objectives of this threat actor, their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups."

While the analysis of the strains is ongoing, these phishing attacks are not going to stop anytime soon. Measures such as frequent phishing tests prepare your users for the event that they receive a malicious email.

Blog Post with details:
https://blog.knowbe4.com/heads-up-new-malware-families-found-in-phishing-campaign
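Both of the stories above come down to warning signs that a mail-triage step can check mechanically: a link whose text claims OneDrive or Office 365 but whose destination is another service, a "corporate" notice sent from a consumer webmail address, and a script file (a [dot]js) riding alongside a PDF that the user cannot open. The Python script below is an added example written for this newsletter issue; it is not code from KnowBe4, Armorblox or FireEye. The brand allow-list, the webmail list and the extension list are assumptions for the example, and the message it parses is constructed here, with a reserved `.example` hostname standing in for the form-builder domain.

```python
import email
import email.policy
import email.utils
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registered domains legitimately hosting each brand a link's text may name.
# Assumed allow-list for this example, not an authoritative inventory.
BRAND_DOMAINS = {
    "onedrive": {"live.com", "1drv.ms", "sharepoint.com", "microsoft.com"},
    "office 365": {"office.com", "microsoft.com", "microsoftonline.com", "live.com"},
}
# Consumer webmail domains: a corporate payroll notice from one is a red flag.
FREE_WEBMAIL = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}
# Extensions Windows hands to the script host or shell on double-click; matched
# on the final extension only, so a double extension like "W2.PDF.js" is caught.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
                     ".bat", ".cmd", ".exe", ".scr"}


class _LinkCollector(HTMLParser):
    """Collect (display text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Last two DNS labels; crude but sufficient for the allow-list above."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_brand_mismatches(html_body):
    """Links whose text names a brand but whose href leaves that brand's domains."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        host = urlparse(href or "").hostname
        if not host:
            continue
        domain = registered_domain(host)
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in text.lower() and domain not in allowed:
                findings.append((brand, domain))
    return findings


def free_webmail_sender(from_header):
    """True when the From address is on a consumer webmail domain."""
    addr = email.utils.parseaddr(str(from_header))[1]
    return addr.rsplit("@", 1)[-1].lower() in FREE_WEBMAIL


def script_attachments(msg):
    """Filenames of attachments whose final extension is executable."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        match = re.search(r"(\.[a-z0-9]+)\s*$", name.lower())
        if match and match.group(1) in SCRIPT_EXTENSIONS:
            found.append(name)
    return found


def triage(raw_message):
    """Run all three checks over a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    body = msg.get_body(preferencelist=("html",))
    html_body = body.get_content() if body else ""
    return {"brand_link_mismatch": link_brand_mismatches(html_body),
            "free_webmail_sender": free_webmail_sender(msg["From"]),
            "script_attachments": script_attachments(msg)}


def build_sample_message():
    """Constructed sample combining both lures above; every value is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "Payroll Team <payroll.notice@hotmail.com>"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Your 2020 W-2 form is ready"
    msg.set_content("Your 2020 W-2 form is available for download.")
    msg.add_alternative('<p>Your 2020 W-2 form is available for download from '
                        '<a href="https://forms.typeform.example/to/placeholder">OneDrive</a>.'
                        ' <a href="https://www.microsoft.com/">Learn about messages '
                        'protected by Office 365</a></p>', subtype="html")
    msg.add_attachment(b"%PDF-1.4 placeholder, not a real form",
                       maintype="application", subtype="pdf", filename="W2_2020.pdf")
    msg.add_attachment(b"// inert placeholder", maintype="application",
                       subtype="javascript", filename="W2_2020.PDF.js")
    return msg.as_string()
```

Running `triage(build_sample_message())` reports all three indicators on the constructed message: the "OneDrive" link resolving to `typeform.example`, the Hotmail sender, and the `W2_2020.PDF.js` attachment. The "Learn about messages protected by Office 365" link is not flagged because it stays on an allowed Microsoft domain, which is the point of checking link text against destination rather than simply blocking every link. In a real triage pipeline the allow-lists would be maintained as data, and a hit on any one indicator is a reason to quarantine the message for review, not a conviction on its own.
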

Re-Check Your Email Attack Surface Now. (We are always adding new breaches)

Your users are your largest attack surface. Data breaches are getting larger and more frequent. Bad guys are getting smarter every year. Add it all up and your organization's risk skyrockets with the amount of your users' credentials that are exposed.

It's time to re-check your email attack surface.

Find out your current email attack surface now with KnowBe4’s Email Exposure Check Pro. EEC Pro identifies your at-risk users by crawling business social media information and now also thousands of breach databases.

EEC Pro now leverages one of the largest and most up-to-date breach data sources to help you find even more of your users’ compromised accounts that have been exposed in the most recent data breaches - fast.

DO THIS COMPLIMENTARY TEST NOW

Get your EEC Pro Report in less than 5 minutes. It’s often an eye-opening discovery. You are probably not going to like the results...

Get Your Report:
https://info.knowbe4.com/email-exposure-check-pro-chnsa-w-video

Ever Scratched Your Head: "How Come the Bad Guys Get Through My Email Filters"?

I have been saying this for the last 10 years, and here is another recent example. They own the latest revisions of your security tools and use them for testing until they find a way through.

Recorded Future's Insikt Group has found procurement documents indicating that a PLA Unit has sought to purchase foreign antivirus programs. The Insikt Group thinks it likely that the intention is to use them for exploitation, either to use them as test environments for PLA-developed attack tools or to identify vulnerabilities that could be exploited for initial intrusion in zero-day attacks.

The tools for which PLA Unit 61419 sought subscriptions included some well-known names: Kaspersky, Avira, McAfee Total Protection, Dr. Web, Nod32 ESET, Norton, Symantec, Trend Micro, Sophos and Bitdefender.

Here is the article with full details at Recorded Future:
https://www.recordedfuture.com/china-pla-unit-purchasing-antivirus-exploitation/

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: The Greatest Security Software Company Eye Chart Ever At Optiv:
https://www.optiv.com/sites/default/files/images/Cybersecurity-Technology-Map-Web-min.png

PPS: [NEW FEATURE] AI-Driven Phishing Helps You Deliver a Personalized Simulated Phishing Experience to Each User:
https://blog.knowbe4.com/new-feature-ai-driven-phishing-helps-admins-deliver-a-personalized-simulated-phishing-experience-to-each-user

Quotes of the Week

"It is during our darkest moments that we must focus to see the light."
- Aristotle - Philosopher (384 - 322 BC)

"He who lives in harmony with himself lives in harmony with the universe."
- Marcus Aurelius - Roman Emperor (121 - 180 AD)


Thanks for reading CyberheistNews

Security News
Kaspersky Report: Phishing Trends in Q1 2021

Researchers at Kaspersky have released their observations on the phishing landscape in the first quarter of 2021. The most impersonated brands have remained the same as last year, with online retailers topping the list.

“The Top 10 organizations used by phishers as bait remained practically unchanged in Q1 relative to 2020,” the researchers write. “Online stores (15.77%) still lead the way, followed by global internet portals (15.50%) and banks (10.04%).

Fraudsters’ continued targeting of users of electronic trading platforms is explained by the pandemic-related restrictions that remained in force in many countries this quarter.”

Kaspersky also notes that some phishing campaigns have been requesting very small amounts of money to trick users into entering their payment card details.

“Since the end of last year, we have observed fraudulent emails and fake pages urging users to pay a small sum for certain services,” the researchers write. “The payment indicated in the fake email was often so tiny that the potential victim could ignore the risks. For example, in one of the emails below, the cybercriminals ask for just 1.99 rubles (US$0.027).

The calculation was simple: users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site.”

Kaspersky has the story:
https://securelist.com/spam-and-phishing-in-q1-2021/102018/

Attackers Increasingly Attempt to Bypass Multifactor Authentication

Researchers at Symantec note that threat actors are increasingly working to overcome multifactor authentication (MFA). The researchers point to a series of recent, sophisticated attacks that all incorporated measures to bypass MFA.

“For attackers, stealing credentials or brute forcing passwords is no longer enough—if they don’t have access to victims’ multi-factor access token or code they will still not be able to access their accounts. The increasing use of MFA means that attackers have had to endeavor to find ways to bypass it, or avoid carrying out attacks that may be stalled by it.

When we look at recent high-profile attacks, such as SolarWinds, the Microsoft Exchange Server ProxyLogon attacks, and the vulnerabilities found in Pulse Secure VPN recently, all these attacks help attackers avoid the hurdle of needing to overcome MFA.”

Symantec has the story:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks

A Snapshot of the Ransomware Landscape

Organizations need to take steps to disrupt the ransomware industry by making these attacks more expensive to carry out, according to Jen Miller-Osborn from Palo Alto Networks' Unit 42. On the CyberWire’s Research Saturday podcast, Miller-Osborn discussed trends in ransomware targeting and tactics.

“Unfortunately, healthcare has been hit quite heavily, which is one thing that we really don't like to see,” she said. “But that's definitely been an area that's been a focus. What we've seen by far is manufacturing quite a bit.

And then, you know, we're seeing kind of legal services, construction, high tech – it kind of runs the gamut from there. But if you look at this chart from a perspective of potential amount of money that could be made by ransoming these various organizations, you can see a lot of the focus is on organizations that potentially have larger resources and maybe more difficulty in recovering if they lose their data.”

Miller-Osborn added that even if a victim does pay the ransom, the recovery will still be very costly. “A lot of times, the incident response can be just as expensive, if not more so, than the ransom was, which is another reason that organizations really need to pay attention that this is a legitimate problem and that you could potentially be out a lot of money one way or the other,” Miller-Osborn said. “So, you really want to get ahead of that scenario and try and keep this from happening.”

The CyberWire has the story:
https://thecyberwire.com/podcasts/research-saturday/181/notes

What KnowBe4 Customers Say

"We are loving the content and services you are providing us with. Thank you so much for reaching out, we are having great responses to our new changes and your site has made it so much easier to help our users. Service has been exceptional and I appreciate your staff working so hard so we can reach our goals!"
- W.A., Junior Cyber Security Analyst



"Hello there Stu. Yes. I’ve been happy with KnowBe4. It’s a great system and I know we’re only using about 50% of its offerings. I especially like the new “Library” function for end-users. I wanted to have a place where people can go to get follow-up materials without the “pressure” of a required course. I’ve received a few requests from users asking if there are more materials that they can use with their family."
- P.F., CISSP, Information Security Officer



[NEW FEATURE] AI-Driven Phishing Helps You Deliver a Personalized Simulated Phishing Experience to Each User

We are excited to announce the availability of KnowBe4’s new AI-Driven Phishing feature. The KnowBe4 phishing platform now leverages machine learning to recommend and deliver informed and personalized phishing campaigns based on your users’ training and phishing history.

Using data from KnowBe4’s AIDA, our Artificial Intelligence Driven Agent, a new recommendation engine enables you to automate the dynamic selection of unique phishing security test templates for your users.

Think of it as your own AI phishing assistant that automatically chooses the best phishing test for each user, at that moment. When you use AI-Driven Phishing, you essentially create a unique phishing campaign for each of your users to make sure every user receives simulated phishing tests personalized to their individual level.

It analyzes user data such as the number of failed phishing security tests, the types of attack vectors in those failures, how often suspicious emails are reported through the Phish Alert Button, the frequency and recency of training completions, and more.

Details:
https://blog.knowbe4.com/new-feature-ai-driven-phishing-helps-admins-deliver-a-personalized-simulated-phishing-experience-to-each-user

The 10 Interesting News Items This Week
    1. 'Phishing' Sites Buying Workplace Login Details Linked to Well-Funded Startup:
      https://www.vice.com/en/article/7kvvbb/argyle-payroll-login-phishing

    2. UNICC and Group-IB Take Down 134 Fake Websites Impersonating WHO:
      https://cisomag.eccouncil.org/websites-impersonating-who-taken-down/

    3. SC Mag Best IT Security-related Training Program: KnowBe4:
      https://www.scmagazine.com/scawards/excellence-awards/best-it-security-related-training-program-knowbe4/

    4. Then a Hacker Began Posting Patients’ Deepest Secrets Online:
      https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/

    5. The UNC2529 Triple Double: A Trifecta Phishing Campaign:
      https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html

    6. How Cost Cutting on Cybersecurity Presents an Opportunity for Hackers:
      https://gbhackers.com/cost-cutting-on-cybersecurity/

    7. CISA Publishes Analysis on New 'FiveHands' Ransomware:
      https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a

    8. The Biden administration will prioritize cybersecurity in the distribution of $1 billion in federal IT funding:
      https://www.washingtonpost.com/politics/2021/05/04/cybersecurity-202-biden-administration-will-prioritize-cybersecurity-distribution-1-billion-federal-it-funding/

    9. Cuba Ransomware partners with Hancitor for spam-fueled attacks:
      https://www.bleepingcomputer.com/news/security/cuba-ransomware-partners-with-hancitor-for-spam-fueled-attacks/

    10. How Rising Cryptocurrency Prices Effect Cybersecurity:
      https://www.secplicity.org/2021/05/06/understanding-how-rising-cryptocurrency-prices-effect-cybersecurity/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.