CyberheistNews Vol 12 #43 [Heads Up] This New Strain of Fake Ransomware Is Sloppy but Dangerous




CyberheistNews Vol 12 #43  |   October 25th, 2022

[Heads Up] This New Strain of Fake Ransomware Is Sloppy but Dangerous

By Stu Sjouwerman, SACP

Conventional ransomware encrypts the victims' files and holds them hostage, unavailable to their owners, promising to provide a decryptor once the victims pay the ransom. In some cases being tracked by security firm Cyble, however, the criminals offer nothing in return. The files are in fact deleted.

One such group working with "fake ransomware" is trolling for victims on malicious adult websites (more malicious than the usual run). The phishbait that lures the victims to bite is a specially crafted website with enticing URLs. The phish hook is an executable with a name that would get this email trapped by your filters. :-D

The unknown criminals behind the phishing campaign are, of course, hoping that the marks won't notice. And in any case the victims' systems may hide file extensions by default, so the victims may not even see "[dot] exe" in the first place.

Cyble explained in their research report:

"Fake ransomware acts as a usual ransomware but does not encrypt the files. The fake ransomware shows false information that the files are encrypted and threatens the user to pay ransom for decryption. There is a possibility that victims can pay ransom to recover the files as they are renamed and unusable.

"We are not sure about the authenticity of the decryptor if the ransom is paid. Even if the decryptor is provided, renaming files to their original file name is not possible as the malware is not storing them anywhere during the infection."

[CONTINUED] at the KnowBe4 blog with links:
https://blog.knowbe4.com/sloppy-but-dangerous-fake-ransomware

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, November 2 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! KnowBe4 Mobile Learner App - Your Users Can Now Train Anytime, Anywhere!
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, November 2 @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/kmsat-demo-november-2022?partnerref=CHN

New Phishing Campaign Uses Office Docs to Install Cobalt Strike Beacon

Under the guise of determining applicant eligibility for a U.S. federal government job, this latest phishing attack plants the seed for a future attack on the victim organization.

We've covered plenty of cyberattacks here that leverage a leaked version of Cobalt Strike Beacon to execute PowerShell scripts, log keystrokes, take screenshots, download files and spawn other payloads. But normally, the use of Cobalt Strike Beacon has been covered in conjunction with a completed (and successful) attack on an organization.

But security researchers at Cisco Talos have identified an attack where the goal is simply to deliver Cobalt Strike Beacon – likely to be used by another threat actor who has purchased the access on the Dark Web. Targeting U.S. and New Zealand victims, the campaigns pose as government agencies or trade unions offering the victim assistance in obtaining a job.

In one variant of the attack, the malicious Word documents pull a first stage VB dropper from bitbucket[.]com which decodes part of its contents to a second VB dropper, which – in turn – decodes its contents to PowerShell script (this happens twice, similar to the VB droppers), when – finally – the Cobalt Strike Beacon is downloaded from bitbucket.

The obfuscation and evasion techniques used, in the form of repeatedly encoding content and using two different scripting languages, demonstrate the lengths attackers will go to in order to avoid detection. And the Beacon payload makes this attack even more dangerous, as the victim organizations are now susceptible to further attack.

The infection point in this attack lies with the victim user, who is most definitely not thinking about whether the assistance email (and its Word doc attachment) are malicious in nature or not. But with proper security awareness training, users can be taught to see through documents that "require" macros be turned on, etc., for what they really are: the beginnings of a cyber attack.

Blog post with links:
https://blog.knowbe4.com/new-phishing-campaign-uses-office-docs-to-install-cobalt-strike-beacon

[New Feature] See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, November 2 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at brand new Jira integration features we've added to make managing your compliance projects even easier!

  • NEW! Jira integration enables you to sync risk and compliance data between Jira and KCM - no more copying and pasting tasks!
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due

Date/Time: Wednesday, November 2 @ 1:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/kcm-demo-november-2022?partnerref=CHN

How to Stop Job Scams

By Roger A. Grimes.

I am reading and hearing about a ton of job scams these days. So many, I wondered how anyone could get a real job or employee, especially in these days of often full-time, work-from-home (WFH) environments.

There are many different types of job scams, targeting both prospective employees and employers. I wrote about many of these job scams a few months ago, but I have one more large defensive recommendation to make in this blog that I think will make it hard for the scammers to be successful.

Fake Job Scam Summary

There are two main scam victims: job candidates seeking employment and employers seeking employees. Both appear to be equally likely to be scammed these days.

Fake job scams include the following types (I am sure I am missing some):

  • Fraudulent organization steals employee candidate's money by learning the candidate's financial information
  • Fraudulent organization tricks employee candidates into paying for something unneeded (e.g., background check, new laptop, etc.)
  • Fraudulent organization wants to steal candidates' private information or money by placing a trojan horse program on their computer
  • Fraudulent organization wants to get access to the candidate's current employer by placing a trojan horse program on the employee's work computer to steal money, place malware or steal information from the current employer
  • Employee is offered a plausible job that is actually illegal (e.g., money mule, etc.)
  • A real candidate applies for a real job with a real organization through a fraudulent "headhunter", who then switches out the real candidate for a fraudulent, less skilled person (or a fake, non-existent person) after the prospective employer has offered the job to the real, intended candidate
  • Fraudulent employee gets hired to spy on the organization
  • Fraudulent employee gets hired by a legitimate organization but does nothing but collect paychecks until they are fired
  • Real employees working for a real organization, but splitting their time "on the clock" among two or more organizations, at least one of which does not know about the other

Note: Equifax just found at least 24 employees working two or more full-time jobs and there are people bragging about working three or more full-time jobs, none of which they are qualified for, on Reddit.

[CONTINUED] with the DEFENSES at the KnowBe4 blog with links:
https://blog.knowbe4.com/how-to-stop-job-scams

Implement DMARC the Right Way to Keep Phishing Attacks Out of Your Inbox

DMARC, SPF and DKIM are global anti-domain-spoofing standards, which can significantly cut down on phishing attacks. Implemented correctly, they allow you to monitor email traffic, quarantine suspicious emails, and reject unauthorized emails. But less than 30% of organizations are actually using them. And even fewer are using them correctly.

In this on-demand webinar, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, will teach you how to enable DMARC, SPF and DKIM the right way. You'll also discover six reasons why phishing still might get through to your users' inbox and what you can do to maximize your defenses.

You'll learn:

  • How to enable DMARC, SPF and DKIM
  • How to best configure DMARC and other defenses to prevent phishing attacks
  • What common configuration mistakes organizations make
  • Why a strong human firewall is your best last line of defense

Get the details you need to know now to protect your organization from phishing and social engineering attacks.

Watch the Webinar Now!
https://info.knowbe4.com/implementing-dmarc-chn

New Phishing Attack Attempts to Steal Social Security Numbers

A phishing campaign is impersonating the U.S. Social Security Administration (SSA) in an attempt to steal Social Security numbers, according to researchers at INKY.

"While the display address on the emails reads 'Social_Security_Administration,' further inspection reveals the sender's true origin to be a random Gmail address," the researchers write. "If there is one place a hacker puts his best foot forward, it's with the subject line.

"After all, phishing emails don't do much good unless they are opened, and some type of action is taken. In this case, the subject lines include case and docket numbers to make the phishing threat seem more official."

The emails contain a PDF attachment that instructs users to call a phone number, which will connect them with a scammer.

"All of the SSA brand impersonation phishing emails INKY caught contained a PDF attachment that opened in the form of a letter with SSA-branded elements," the researchers write. "[T]he letter starts with one of SSA's widely used logos alongside a short tagline. It's an image that looks sharp and is readily available online.

"In the body of the letter, the sender claims that illegal & fraudulent activities have been associated with the recipient's SSN and, as a result, their SSN will be suspended in 24 hours. A phone number is given to resolve this issue."

Once the victim calls, the scammer asks them to provide their Social Security number in order to confirm their identity. "Encouraging readers to call a phone number adds vishing to the mix," INKY says. "Vishing is a type of cybercrime that uses the telephone to steal confidential information.

"In this instance, the phone number provided in the letter does not belong to the SSA. When called, phishers answering ask their victims to confirm their SSN so it can be unsuspended. In some instances, they will even claim that a new one has been issued for a fee."

You wish that these scammers would use their considerable talents for more productive ends. In the meantime, train your users to recognize scams like this.

Blog post with links:
https://blog.knowbe4.com/phishing-attempts-to-steal-social-security-numbers


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [INFOGRAPHIC] 10 Tips for Running a Successful Compliance Training Program:
https://blog.knowbe4.com/successful-compliance-training-program-tips-infographic

PPS: [BUDGET AMMO] WSJ: "Cybersecurity Tops the CIO Agenda as Threats Continue to Escalate":
https://blog.knowbe4.com/wsj-cybersecurity-tops-the-cio-agenda-as-threats-continue-to-escalate

Quotes of the Week  
"Peace cannot be kept by force; it can only be achieved by understanding."
- Albert Einstein - Physicist (1879 - 1955)

"There has never been a good war or a bad peace."
- Benjamin Franklin - United States Founding Father (1706 - 1790)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-43-heads-up-this-new-strain-of-fake-ransomware-is-sloppy-but-dangerous

Security News

[VIDEO] Scary Metaverse - Cybersecurity Risk Implications

The Metaverse, while still mostly a concept at the moment, consists of the possibilities that arise when you combine the advances and affordability in extended reality (XR) space with the decentralized nature and composability of Web3, crypto assets, decentralized finance (DeFi) and its underlying blockchain technology.

It is designed to transform human engagement and interactions and push the boundaries of commercialization. It's also a whole new world with security risks, vulnerabilities, and legitimate user concerns. For as much as these innovations can push the boundaries of human interaction, they also present new opportunities for fraud, cybercrime and scams.

We're not sure where Metaverse, Web3, and NFTs will lead, or whether blockchain will remain a viable infrastructure technology, but what can be seen now is that these environments need better approaches to security. A lot of money is being invested in this area, and a lot of money is being stolen. For example, blockchain analytics firm Elliptic reported that DeFi platforms have lost $12 billion to date.

And the security problems that exist today - scams, impersonation, credential theft, social engineering, vulnerabilities, misinformation, the list goes on - will come with us into the metaverse and may have an even more damaging impact. Think, for example, about how phishing attacks in the metaverse could use deepfake technology to impersonate trusted institutions or your friends' avatars.

People currently interested in the metaverse are already being duped by phishing scams peddling fraudulent NFTs, metaverse land-sales and other dubious Web3 projects via social media, Discord channels, email and comments on popular YouTube videos.

Another security issue in the metaverse is trolling and sexual and racial harassment. These are problems we already face on most digital platforms, but the immersiveness of VR can have a more devastating effect on their victims' mental well-being.

The risks for children are especially high, as they are more likely to explore the metaverse before their parents do, exposing them to inappropriate content without us, the parents or caregivers, being aware of it.

Most existing VR worlds already offer a number of tools to combat this, such as personal spaces and muting, blocking and reporting bad behavior.

So as parents, it's important that we educate ourselves, as well as vulnerable groups such as our children, on the risks and on how to use these tools to protect ourselves and our families in this brave new world.

Stay up to date on the rest of this evangelist series to help keep you and your users safe during Cybersecurity Awareness Month and beyond!

Blog post with VIDEO featuring Anna Collard, Evangelist of KnowBe4:
https://blog.knowbe4.com/scary-metaverse

Cyber-Zombie Apocalypse: Ransomware Gangs Continue to Come Back from the Dead

With ransomware gangs making so much money and then dropping off the face of the earth, what's the motivation to come back to life and potentially risk getting caught?

We saw REvil come back from the shadows and hit a Fortune 500 company last month. Similarly, we saw BlackByte do the same thing brandishing a new extortion strategy. And then there are the ransomware-as-a-service groups like Conti who have been shut down, leaving us wondering if (and, more likely, when) they will spring up as a new ransomware variant.

If they're making so much money – as the total ransomware take is estimated by Cybersecurity Ventures to be over $20 billion last year – why shut down and, more importantly, why bother coming back?

There are a few reasons why ransomware gangs continue to come back from the dead:

  • They want to change their stripes – we saw the government specifically crack down on REvil last year, even offering a reward for information leading to their capture. This kind of pressure from authorities is enough for a gang to want to run and hide… that is, until they recode their wares and rebrand themselves as a new gang.
  • They join a cartel or change their business model – some of the recent ransomware cartels have formed to share techniques, code and infrastructure. Others switch from a business model where the gang themselves develops the ransomware code and performs the attacks to an affiliate model to offset the risk of being the threat actors specifically targeted by authorities.
  • There's plenty of money in it – in addition to Cybersecurity Ventures predicting 2021 ransomware costs, they also project that ransomware will cost $265 billion by 2031. So, if you're really good at ransomware, you may not want to stop, as there may be more money left on the proverbial ransomware table to be taken.

No matter the reason, unless the gang members are arrested and put behind bars, we should assume that, like experienced and skilled operators in any other industry, those responsible for ransomware will continue to spawn new versions, make as much money as they can before they have to hide, and then do it again.

Blog post with links:
https://blog.knowbe4.com/cyber-zombie-apocalypse-ransomware-gangs-continue-to-come-back-from-the-dead

What KnowBe4 Customers Say

"Hello Stu, thank you very much for reaching out and seeing how our experience has been so far! I can say that with certainty we have been thrilled with KnowBe4. The platform is by far the best that we have used or seen on the market.

"It has made our existing functions far simpler and more effective and has also enabled us to do things we did not previously know were possible. From a company user perspective as well as an IT team perspective, KnowBe4 has been a fantastic addition to our security infrastructure."

- G.N., Cybersecurity Analyst


"Stu - I have been working with your team - and thus far - am super impressed. I know I always like to hear about how my team is perceived in the market by others, so I thought I would share my feedback with you. So far, nothing but positive things to say; and I am pretty excited about how we will integrate with you guys. So thanks."

- C.M., Founder & CEO

The 10 Interesting News Items This Week
  1. [SABOTAGE?] Internet connectivity worldwide impacted by severed EU subsea cables:
    https://www.bleepingcomputer.com/news/technology/internet-connectivity-worldwide-impacted-by-severed-eu-subsea-cables/

  2. NSA urges enterprises to watch China, Taiwan tensions:
    https://www.theregister.com/2022/10/18/as_chinataiwan_tensions_mount_hows/

  3. [IRONY] 'Fully undetectable' Windows backdoor gets detected:
    https://www.theregister.com/2022/10/18/fully_undetectable_windows_powershell_backdoor/

  4. Jen Easterly, Director, CISA: "Next Level MFA: Fido Authentication":
    https://www.cisa.gov/blog/2022/10/18/next-level-mfa-fido-authentication

  5. New ransomware targets transportation sectors in Ukraine, Poland:
    https://www.scmagazine.com/analysis/ransomware/new-ransomware-targets-transportation-sectors-in-ukraine-poland

  6. Brazil arrests suspect believed to be a Lapsus$ gang member:
    https://www.bleepingcomputer.com/news/security/brazil-arrests-suspect-believed-to-be-a-lapsus-gang-member/

  7. New Chinese Cyberespionage Group WIP19 Targets Telcos, IT Service Providers:
    https://www.securityweek.com/new-chinese-cyberespionage-group-wip19-targets-telcos-it-service-providers

  8. China's attack motivations, tactics, and how CISOs can mitigate threats:
    https://www.csoonline.com/article/3676075/china-s-attack-motivations-tactics-and-how-cisos-can-mitigate-threats.html

  9. CISA to focus on hospital, school, and water cybersecurity over the next year:
    https://therecord.media/cisa-to-focus-on-hospital-school-and-water-cybersecurity-over-the-next-year/

  10. The Hunt for Wikipedia's Disinformation Moles:
    https://www.wired.com/story/wikipedia-state-sponsored-disinformation/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
