CyberheistNews Vol 11 #47 [Heads Up] New Dangerous and Persistent "Metamorphic" Malware Strain Called Tardigrade

Michael Kan at PCMag reported on this new strain of Windows malware. It can constantly adapt to avoid detection and was first found targeting the biotech industry, including the infrastructure behind vaccine manufacturing, according to security researchers.

The warning comes from a non-profit called BIO-ISAC, which focuses on information sharing to protect the biotech industry from cybersecurity threats.

The threat is setting off alarm bells because it goes beyond typical polymorphic malware, which will only rewrite part of its computer code to evade detection. Instead, the uncovered malware goes even further by completely recompiling its code during each infection when it first connects to the internet.

This “metamorphic” ability prevents the malware from leaving a consistent signature behind, making it harder for antivirus programs to spot. According to Wired, one security researcher tested the malware almost 100 times and “every time it built itself in a different way and communicated differently.”

As a result, BIO-ISAC has dubbed the malware Tardigrade, the microorganism that can survive extremely hot and cold conditions, including the vacuum of outer space. But unlike a real tardigrade, the malware can secretly hijack a computer system to steal and modify files.

Contains the sneaky ability to spread both via phishing emails and USB devices

The nonprofit first uncovered the malware this past spring when one of its member companies, Biobright, investigated a ransomware attack on a large, unnamed biomanufacturing facility. The security researchers obtained the ransomware along with the loader program that delivered the malicious code, which turned out to be unusually complex.

BIO-ISAC has since uncovered the Tardigrade malware attacking a second facility. This prompted the group to issue Monday’s warning to the biotech industry, saying it believes Tardigrade is “actively spreading in the bioeconomy.”

In addition, it contains the sneaky ability to spread both via phishing emails and USB devices. Definitely a reason to step your users through new-school security awareness training and send them frequent social engineering tests.

Blog post with links to the full article at PCMag:
https://blog.knowbe4.com/new-dangerous-and-persistent-metamorphic-malware-strain-called-tardigrade
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, December 1 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, December 1 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3458567/AF80CEB2B3F0DC9990B8C517FF96E937?partnerref=CHN2
Avoid Donating to Charity Scammers During Today's Giving Tuesday 2021

Giving Tuesday is a great way for organizations and people to give back. However, this gives cybercriminals opportunities to take advantage of you with charity scams.

The Federal Trade Commission provided some helpful tips to help you and your users to donate safely this holiday season and all year round:
  • Do some research online - Start by searching for causes you care about along with phrases like "best charity" or "top rated charity." When you consider giving to a specific charity, search its name plus “complaint,” “review,” “rating,” or “scam.” You can use resources such as Charity Navigator or CharityWatch to verify your search.
  • Be careful how you pay - If someone wants donations in cash, by gift card, or by wiring money, don’t do it. That’s a trap for scammers to take your money. Be on the safe side and pay by credit card or check, and keep records of your donations. Before you click on a donation link, check out this FTC article to help you make sure your money is going where you think it is https://www.consumer.ftc.gov/articles/before-giving-to-charity.
  • Keep scammers’ tricks in mind - Some cybercriminals try to trick you into paying them by thanking you for a donation that you never made, or use a local area code when making a call. Make sure to watch out for red flags such as guaranteeing sweepstakes winnings in exchange for a donation (it's illegal) or claims that your donation is tax-deductible when it's not. If you're feeling rushed or pressured to make a donation, that should also be a red flag that something isn't quite right.
Every year cybercriminals prove there is no social engineering scheme too low for them to use in their attacks. New-school security awareness training can train your users on how to spot and report any malicious activity.

Please forward this link to the blog post to anyone who might benefit:
https://blog.knowbe4.com/avoid-donating-to-charity-scammers-during-giving-tuesday-2021
See How You Can Get Audits Done In Half The Time, Half The Cost And Half The Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, December 1 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!

  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18 and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due
Date/Time: TOMORROW, Wednesday, December 1 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3458496/42F79CC73B0CCD4BE3562B17E18D017C?partnerref=CHN2
Phishing Campaign Targets TikTok Influencers

Phishing emails are targeting large TikTok accounts with phony copyright warnings or offers for account verification, according to researchers at Abnormal Security.

“An email campaign sent in two rounds on October 2, 2021, and November 1, 2021 to more than 125 individuals and businesses appeared to target large-volume TikTok accounts of all kinds and across disparate locales,” the researchers write.

“Among the typical talent agencies and brand-consultant firms we would expect to see, this actor sent messages to social media production studios, influencer management firms, and content producers of all types.... From well-known digital media channels to individual actors, models, and magicians, the campaign reached out to content creators worldwide.

Several emails were sent to the wrong company of the same name in the same country, and many of the email addresses used appear to have been lifted directly from social media.”

The researchers add that the attackers set a time constraint to ensure that the victim acts quickly, then send a link to trick the user into entering their credentials.

“This campaign indicates that attackers have linked TikTok with the social media giants, including Facebook and Twitter, in the impersonation game,” the researchers write. “In the original phishing email, designed to appear like a copyright violation notice from TikTok, the victim was instructed to respond to the message, lest their account be deleted in 48 hours.”

Abnormal notes that hackers sometimes demand a ransom to return the account to its owner. “While we were unable to identify the end goal of the campaign, past targeting of social media accounts on other platforms offers several options,” the researchers write.

“Social media accounts have become increasingly valuable in recent years, creating the incentive to ransom them back to the original owners for a hefty fee. An underground economy has evolved to offer ban-as-a-service, manipulating abuse reporting mechanisms to harass and censor other users, primarily on Instagram.

Sadly, victim accounts in this scenario often end up deleted, especially for those on TikTok.” New-school security awareness training can enable your employees to recognize social engineering tactics so they can avoid falling for these attacks.

Abnormal Security has the story:
https://abnormalsecurity.com/blog/tiktok-credential-phishing
Kevin Mitnick presents When Cybercriminals Hide in Plain Sight: Hacking Platforms You Know and Trust

Today’s hackers are concealing their attacks in places you wouldn’t expect… utilizing tools your users know and trust to deliver their malicious payloads. From hijacked single sign-on apps, to weaponized calendar invites, and even malicious office printers, you’ll learn why trusted tools just aren’t as trustworthy as your end users believe.

In this exclusive webinar Kevin Mitnick, KnowBe4’s Chief Hacking Officer and The World’s Most Famous Hacker, and Perry Carpenter, KnowBe4’s Chief Evangelist & Strategy Officer, show you why your users should think twice before trusting even the most established platforms.

In this webinar they’ll share:
  • Why you shouldn’t always trust legitimate providers like Microsoft Teams
  • How something as innocuous as an office printer can be weaponized
  • Why pre-texting bots may be your organization’s biggest threat
  • Kevin’s top three tips for preventing cyber attacks
  • Eye-opening hacking demos you won't want to miss
See the dangers lurking behind these seemingly innocent actions for yourself. And earn CPE credit for attending!

Date/Time: Wednesday, December 8 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3545187/26BE4D26544A2C533782A5B93E452ED3?partnerref=CHN


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: "KnowBe4 Launches Holiday Cybersecurity Resource Kit to Protect Against Dangerous Holiday Scams."
https://www.globenewswire.com/news-release/2021/11/22/2339173/0/en/KnowBe4-Launches-Holiday-Cybersecurity-Resource-Kit-to-Protect-Against-Dangerous-Holiday-Scams.html

Quotes of the Week
"The person who says it cannot be done should not interrupt the person who is doing it."
- Chinese Proverb


"Why do you stay in prison when the door is so wide open?"
- Rumi, Poet (1207 - 1273)


Thanks for reading CyberheistNews

Security News
FBI: Cyber Attacks Target Organizations Involved in Mergers and Acquisitions

A new notification from the FBI warns organizations of attacks timed for the moment when they are spending money, new people are being introduced, and operations are in flux.

Threat actors like nothing more than a dash of chaos when it comes to timing their attacks. If they can get the social engineering theming just right, that chaos – when added to a sense of urgency – causes individuals to rush and not think actions through properly. This allows cyber attacks to succeed far more often than they should.

According to the FBI notification, the threat actors responsible are very aware of who they are targeting: “During the initial reconnaissance phase, cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands. Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.”

Judging from the warning put out by the FBI’s Internet Complaint Center (IC3) earlier this month, cybercriminal gangs are using these major financial events as the perfect juncture for ransomware attacks involving extortion.

Think about it – let’s take a fictitious public company being bought by a private investment firm. The entire cost of the deal revolves around the stock price. Now, if a ransomware attacker can succeed in stealing data from and encrypting the systems of the public company, having the public find out could cause the stock price to diminish – thus lowering the value of the company and its purchase price.

If your organization is going through a merger or acquisition (or planning to in the future), it’s imperative that you put up the strongest possible defense against ransomware – which includes the use of security awareness training to include users in defending against such attacks where malicious email content finds its way past security solutions and into the user’s inbox.

Blog post with links:
https://blog.knowbe4.com/fbi-cyber-attacks-target-organizations-involved-in-mergers-and-acquisitions
Unisys Survey Reports Significant Security Knowledge Gap

A new survey from Unisys has found that approximately 80% of remote workers are unfamiliar with cybersecurity threats, Digital Information World reports.

The survey found that most employees are unaware of social engineering attacks associated with mobile devices. “The survey identified a widespread lack of consumer awareness on avoiding and addressing online threats,” Unisys says. “Two out of five (39%) people report not being wary of clicking on suspicious links, despite phishing attacks accounting for more than 80% of reported security incidents.

Just 21% are aware of more sophisticated scams like SIM jacking, which is when a scammer gets your phone number transferred to a phone they control, and only a quarter (24%) know where to report these types of scams.” The survey also found that nearly half of employees install programs on work devices that haven’t been approved by their company.

“[A]lmost half (45%) in the U.S., Australia, and New Zealand have downloaded or installed software not approved by the IT department, typically because these other apps are ones that they use in their personal life (42%) or because they are perceived to be better than those provided by their company (42%),” the report says.

Unisys also found that many employees believe their employer is responsible for protecting their data while they’re working remotely.

“Most employees (62%) consider it their own responsibility to keep their personal data safe and secure while working from home, though a significant proportion – nearly two out of five (38%) – say that they consider it to be the responsibility of their employer,” Unisys says.

Mat Newfield, Chief Security and Infrastructure Officer, said that ongoing cybersecurity training is an essential measure in preventing cyberattacks.

“Doing cybersecurity training once a year is useless,” Newfield said. “It’s got to be ongoing. You test that the employees are learning, then you test again. Constantly test without fear of reprisal and make it personal. CISOs need to stop training people to protect the corporation. It’s not employees’ responsibility to protect the company, it’s the CISO’s.

So what organizations need to do is change their approach to make it about the employee and his or her family. It’s not [the employee’s] responsibility to make all of the CISO’s policies personal. It’s the CISO’s responsibility to make their policies personal to [the employee].”

New-school security awareness training can enable your employees to recognize and thwart social engineering attacks.

Digital Information World has the story:
https://www.digitalinformationworld.com/2021/11/around-8-in-10-of-remote-workers-are.html
John Scimone, SVP and Chief Security Officer at Dell Technologies, says “security is everyone's job.”

Organizations need to build a culture of security in order to defend themselves against cyberattacks, according to John Scimone, Senior Vice President and Chief Security Officer at Dell Technologies.

In an interview on MIT Technology Review’s Business Lab podcast, Scimone explained that cybercriminals take advantage of confusion and fear in order to trick employees into falling for phishing attacks.

“[A]s we think about how criminals operate, criminals feed on uncertainty and fear, regardless of whether it's cybercrime or physical world crime, uncertainty and fear creates a ripe environment [for] crime of all sorts,” Scimone said. “Unfortunately, both uncertainty and fear have been plentiful over the last 18 months.

And we've seen that cyber criminals have capitalized on it, taking advantage of companies’ lack of preparedness, considering the speed of disruption and the proliferation of data that was taking place. It was an opportune environment for cybercrime to run rampant.

In our own research, we saw that 44% of businesses surveyed have experienced more cyberattacks and data loss during this past year or so.”

Scimone stated that all employees need to be trained to recognize phishing attacks. “It's not just my own corporate security team or the security teams within our product and offering groups,” Scimone said. “It touches every employee and every employee fulfilling their responsibility to help protect our company and protect our customers.

We've been building over many years a culture of security where we arm our employees with the right knowledge and training so that they can make the right decisions, helping us thwart some of these criminal activities that we see, like all companies.

One particular training program that's been very successful has been our phishing training program. In this, we are continuously testing and training our employees by sending them simulated phishing emails, getting them more familiar with what to look for and how to spot phishing emails. Even just in this last quarter, we saw more employees spot and report the phishing simulation test than ever before.”

MIT Technology Review has the whole story and the full 25-minute interview. Great for a break, warmly recommended.

Blog post with links:
https://blog.knowbe4.com/john-scimone-svp-and-chief-security-officer-at-dell-technologies-says-security-is-everyones-job
What KnowBe4 Customers Say

"Hi Stu, thank you for taking the time out to enquire about our status with KnowBe4. Well, what can I say? I am in awe of the features of the training subscription that we purchased. We have an issue here at work with users' behaviour with regards to clicking on these phishing email attacks.

Even though we have Kaspersky running on our O365 back-end we still get socially engineered emails passing through. Remember all it takes is just one email and one click and it's game over.

I especially love the content in the ModStore. I love how you also incorporate humour into the training material. I found our users actually read the ones with humour in them much more than the serious stiff three paragraphs of information emails.

I am definitely a happy customer, and we will be renewing our subscription when it is due. What makes your product different from others is that our users are having FUN while changing their behaviour. Keep up the great work!"
A.R., ICT Manager
The 11 Interesting News Items This Week
    1. New Dangerous and Persistent 'Metamorphic' Malware Family Called Tardigrade:
      https://blog.knowbe4.com/new-dangerous-and-persistent-metamorphic-malware-family-called-tardigrade

    2. Almost 50% Of Surveyed Companies Are Not Confident They Can Fend Off A Ransomware Attack:
      https://www.forbes.com/sites/edwardsegal/2021/11/23/almost-50-of-surveyed-companies-are-not-confident-they-can-fend-off-a-ransomware-attack/

    3. New Windows Event Tracking Attacks Can Allow Hackers to 'Blind' Security Products:
      https://www.securityweek.com/new-etw-attacks-can-allow-hackers-blind-security-products/

    4. Brokers Report Cyber Insurers Requiring Security Steps Along With Higher Premiums:
      https://www.insurancejournal.com/news/national/2021/11/23/643279.htm

    5. Arrest in ‘Ransom Your Employer’ Email Scheme:
      https://krebsonsecurity.com/2021/11/arrest-in-ransom-your-employer-email-scheme/

    6. US SEC warns investors of ongoing govt impersonation attacks:
      https://www.bleepingcomputer.com/news/security/us-sec-warns-investors-of-ongoing-govt-impersonation-attacks/

    7. FBI warns of phishing targeting high-profile brands' customers:
      https://www.bleepingcomputer.com/news/security/fbi-warns-of-phishing-targeting-high-profile-brands-customers/

    8. GoDaddy says data breach exposed over a million user accounts:
      https://techcrunch.com/2021/11/22/godaddy-breach-million-accounts/

    9. The CISA Infrastructure Dependency Primer:
      https://www.cisa.gov/idp

    10. The BABADEDA Crypter - an Emerging Crypter targeting the Crypto, NFT, and DeFi communities:
      https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities

    11. BONUS. Hit by ransomware? Make sure you don't make this first obvious mistake:
      https://www.zdnet.com/article/hit-by-ransomware-make-sure-you-dont-make-this-first-obvious-mistake/
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.