CyberheistNews Vol 5 #18 May 12, 2015 How New Phishing Malware Rombertik Kills Your Hard Drives


How New Phishing Malware Rombertik Kills Your Hard Drives

InfoSec researchers at Cisco's TALOS group discovered a strain of malware that spreads through phishing. Attackers use social engineering tactics to entice users to download, unzip, and open the attachments that ultimately result in the machine's compromise.

The strain, dubbed Rombertik, monitors everything that happens inside an infected machine's browser and exfiltrates it to a server controlled by the attacker, similar to Dyre. However, when it detects that it is being analyzed, it takes extreme evasive action: it wipes the Master Boot Record (MBR) or the home directories, trapping the machine in an infinite boot loop. Here is an example phishing screenshot, courtesy of Cisco, at our blog:

The MBR is the first sector of a computer's hard drive, which the machine reads before loading the operating system. Recovering from a deleted or destroyed MBR involves re-installing the operating system, which almost always means data is lost. In what is likely a bit of sick humor from the criminals, if it cannot get access to the MBR, Rombertik works just like ransomware and starts encrypting all files in the user's home folder (e.g. C:\Documents and Settings\Administrator).

The malware chooses a random 256-byte encryption key for each file, but none of the keys are saved anywhere, so you end up with what is effectively random, shredded bits instead of your files. After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted. Only files with the extensions .EXE, .DLL, .VXD and .DRV will survive.

The upshot: Rombertik begins to behave like a wiper malware sample, trashing the user's computer if it detects it is being analyzed. While the Cisco TALOS team has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer's data if it detects certain attributes associated with malware analysis.

What To Do About It:

Ultimately, you need to practice defense-in-depth, which protects your entire attack surface, but here are two tips that will mitigate attacks like this with the best bang for your IT security budget:


  • Have multiple layers (and different AV engines) of malware scanning in place: the firewall, your mail server/email gateway, and the desktop. That means a different vendor, using a different AV engine, for your firewall, your mail server/email gateway and your endpoint AV.

Then filter out almost all email attachment types except a few essential ones. Check which AV engines your vendors use, because there is a lot of OEM-ing going on in the AV space, which might result in you using the same engine under a different label. Not good.

  • Step your users through effective security awareness training and follow up with regular simulated phishing attacks, which will keep them on their toes with security top of mind. Find out how affordable Kevin Mitnick Security Awareness Training is for your own organization. Get a quote now and be pleasantly surprised:
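As an added illustration of the attachment-filtering tip above (example code written for this page, not anything from Cisco or KnowBe4), here is a small gateway-style allowlist check in Python. The policy sets, the rejection reasons and the in-memory sample archive are all constructed assumptions; the point is that a ZIP is only admitted after its contents are inspected, so the "download, unzip, open" lure described earlier is stopped at the mail gateway rather than on the desktop.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Hypothetical gateway policy: the few "essential" attachment types allowed in.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt", ".zip"}
# Executable types rejected whether they arrive bare or wrapped in an archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".vxd", ".drv", ".bat", ".cmd", ".js", ".vbs"}


def _last_suffix(name):
    # Judge by the final suffix, so "invoice.pdf.exe" is treated as ".exe".
    suffixes = PurePosixPath(name).suffixes
    return suffixes[-1].lower() if suffixes else ""


def _check_zip(data):
    """Inspect an archive: reject executable, nested or encrypted members."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # encrypted member: cannot be scanned
                    return False, f"encrypted member {info.filename}"
                inner = _last_suffix(info.filename)
                if inner in EXECUTABLE_EXTENSIONS:
                    return False, f"archive contains executable {info.filename}"
                if inner == ".zip":  # nested archive: not inspected here, so reject
                    return False, f"nested archive {info.filename}"
    except zipfile.BadZipFile:
        return False, "data is not a valid zip archive"
    return True, "ok"


def check_attachment(filename, data):
    """Return (accepted, reason) for one attachment under the policy above."""
    ext = _last_suffix(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        return False, f"executable attachment {ext}"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not on allowlist"
    if ext == ".zip":
        return _check_zip(data)
    return True, "ok"


def build_sample_zip(members):
    """Constructed test helper: build an in-memory zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"sample")
    return buf.getvalue()
```

A real gateway would add content-type sniffing on top of the name check, since the extension alone is attacker-controlled.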

Get Real About User Security Training

Do you despair that users will never learn to avoid stupid security mistakes that compromise your organization? Maybe you're not spending enough time and effort on training. Roger Grimes at InfoWorld wrote an excellent article on how to deploy great security awareness training, in which he reviews KnowBe4's platform. You should check out this article!


Mitnick's Tips To Combat Social Engineering

Leon Spencer at ZDNet interviewed Kevin Mitnick. A quick summary: Social engineering helped renowned former hacker Kevin Mitnick break into so many computer systems that he ended up on the FBI's most wanted list. Now, the information security expert shares his tips on how to protect against some of the most effective techniques.

"According to Mitnick, social engineering could be as simple as an attacker strategically targeting a specific operative in a company with a phishing email. Or it could be what he calls the "long con": An intensive, weeks- or months-long manipulation of one or several significant employees within an organization.

"In either case, social engineering plays the first part of a two-step attack, where the first part is the "con", getting the target to comply with a request, and the second part is the exploit resulting from the vulnerability thrown up by the con, such as a vulnerability in the software that resides on the victim's desktop.

"Social engineering is a particularly effective method for breaching a secure network, because any weakness that emerges generally comes down to human error." Full article with Tips at ZDNet:

Last weekend Kevin was a member of a panel at a very intriguing event in Chicago. He started off the event with 20 minutes of hacks and then was part of a 3-person keynote panel with Sir John Sawers, former Chief of the Secret Intelligence Service (MI6), and General Keith B. Alexander, former Commander, U.S. Cyber Command and Director, NSA. More at:

Quotes Of The Week


"Love is a game that two can play and both win."
- Eva Gabor, Actress

"Find a place inside where there's joy, and the joy will burn out the pain."
- Joseph Campbell, Author

Thanks for reading CyberheistNews!

But if you want to unsubscribe, you can do that right here.

Warm Regards, Stu Sjouwerman  |   Email me:



Security News


What Our Customers Are Saying About Our Security Awareness Training

"I wanted to give you an update on our security awareness training. When we did the baseline phishing campaign for 85 employees, we had a click rate of 42%. After that data was captured, HR sent out a mandatory training notice that all employees had to take the Kevin Mitnick Security Awareness Training 2015 training video and that it had to be completed by a certain date.

"At that date, all but 2 had completed the training. We also require all new employees to take that training as well. As the end of the training period neared, I set up scheduled phishing campaigns using random templates, mostly financial and social, for 4 groups, each group starting a different week and day. I ran the reports for April, and we had a click rate of 2%, basically 2 people out of 86 people clicked.

"A very significant reduction in click rates, and more importantly reducing the possibility of getting hacked from a malicious email. Considering the costs of recovering from a ransomware attack, the training is well worth the cost.

"The phishing campaigns will continue each month and be monitored, we are sending out a security tips email each month, and we will be opening up the additional training modules to all employees soon.

Thanks for your great support and great products!"
- D.H., Senior Network/Desktop Engineer

Find out how affordable Kevin Mitnick Security Awareness Training is for your own organization. Get a quote now and be pleasantly surprised:

This Week's Five Most Popular HackBusters Posts

What are IT security people talking about? Here are this week's five most popular HackBusters posts:


  1. So, the NSA Has an Actual Skynet Program:
  2. USBKill — Code That Kills Computers Before They Examine USBs for Secrets:
  3. US Court Rules NSA Phone surveillance Program is illegal:
  4. London Railway System Passwords Exposed During TV Documentary:
  5. The FBI's Secret Air Force Watched The Streets Of Baltimore:


SANS Releases May OUCH!

SANS said: "We are excited to announce the May issue of OUCH! This month, led by Guest Editor Brian Honan, we focus on securing the cyber generation gap. Many of us have family members that may not be technically savvy and are intimidated by security. This newsletter explains how you can help those family members and any children that may be visiting them. We encourage you to share OUCH! with anyone you want, including family, friends or as part of your security awareness program. All we request is you do not modify or sell the newsletters." English Version (PDF)

More Evidence That Employee Negligence Is Security Risk No. 1

A new survey shows that "companies cannot eradicate security risk solely through the use of better technology," the report authors said. Technical security solutions do not stop employees from being phished, nor prevent IT staff from failing to review logs or improperly configuring servers.

Thirty-six percent of data security incidents handled last year by the BakerHostetler law firm were due to employee negligence, making it the leading cause of security incidents. According to the firm's newly released report, other causes were outsider and insider theft, malware and phishing attacks.

Take away: "Our analysis shows that best-in-class cyber risk management starts with awareness that breaches cannot be prevented entirely, so emphasis is increasingly on defense-in-depth, segmentation, rapid detection and containment, coupled with ongoing effort to monitor threat intelligence and adapt to changing risks," said BakerHostetler's Craig Hoffman. Article at:

Run SAP? Almost 95% Of You Are Vulnerable To Hackers

Not many of you run SAP, but why am I talking about this? The lesson learned is applicable to all of us. Keep on reading.

More than 95 percent of enterprise SAP installations are exposed to high-severity vulnerabilities that could allow attackers to hijack a company's business data and processes, new research claims.

According to a new assessment released by SAP (short for Systems, Applications & Products) solutions provider Onapsis, the majority of cyber attacks against SAP applications in the enterprise are:

  • Pivots - Pivoting from low- to high-integrity systems in order to execute remote function modules.
  • Database Warehousing - Exploiting flaws in the SAP RFC Gateway to execute admin-privilege commands in order to obtain or modify information in SAP databases.
  • Portal Attacks - Creating J2EE backdoor accounts by exploiting vulnerabilities to gain access to SAP portals and other internal systems.

More than 250,000 SAP business customers worldwide, including 98 percent of the 100 most valued brands, are vulnerable for an average period of 18 months from when the vulnerabilities surfaced.

"The big surprise is that SAP cyber security is falling through the cracks at most companies due to a responsibility gap between the SAP operations team and the IT security team," Onapsis chief executive Mariano Nunez says. "The truth is that most patches applied are not security-related, are late or introduce further operational risk."

Lesson learned: You may have your own mission-critical apps running, and your organization may have the same "responsibility gap" that you need to watch out for. More at:

6 Ways to Combat Internal Threats to Data Security

Good article by Mary Chaput in CFO Mag about how companies can cut down on the number of data breaches attributable to employee error or fraudulent behavior.

The majority of health data breaches that are categorized as "IT Incidents/Hackers" are the result of employees clicking on phishing messages or succumbing to social engineering.

There are several reasons why these things occur, some of which are unintentional — and some that are very intentional and malicious. On the unintended side, lack of specific training and security awareness is a primary contributor. Here are the 6 bullet points, and I recommend reading the (short) article at CFO Mag:

  1. Develop specific policies and procedures regarding the handling of proprietary or sensitive information.
  2. Improve training.
  3. Ensure only the minimum necessary access to the information.
  4. Communicate and apply consistent sanctions for information privacy or security violations.
  5. Monitor employee activity.
  6. Ensure adequate oversight or governance of information security programs.

Ninety percent of an organization's data breaches are due to "friendly fire" – the mistakes and transgressions of the business's own employees and business associates. By taking the actions outlined above, a company can greatly reduce the likelihood of these internal breaches – both the careless mistakes and the malicious acts. Article at:

Cyberheist 'FAVE' LINKS:


The amazing costumes from this year's Chicago Comic and Entertainment Expo (C2E2) at McCormick Place Convention Center are a feast for your eyes. You can easily watch this three times and see something new every time!:

A millionaire builds a human slingshot at his home in Utah. Friends come over for their best ride ever. Also a great way to throw out your back for weeks!:

I love watching Jayson Street. He's a great social engineer, and this is 80 minutes of super instructive video to protect your network. Entertaining and enlightening!:

An amazing, realistic 3D drawing of a glass of water that will blow your mind:

25 Most Dangerous Selfies Ever! Don't do this at home, kids. Also, don't always believe what you see:

Don't you just love it when things just work? No matter how many takes it took, this is a cool video! (No CGI was used.)

You see all these amazing parkour videos with people doing crazy things? Here is what you did not see - all the times things went wrong. However, NSFW! Several F-bombs from the people in spectacular wipe-outs:

Can a Tesla Model S drift? In Japan they can!

Hamsters can drift too! Check out these two racing each other. Hilarious:

Out of the archives. Juggling comedian Michael Davis performs at the historic Ford's Theater for former President and Mrs. Ronald Reagan. This would NEVER happen today; those cleavers are real:

Two guys. One builds custom home interiors. The other builds websites. Throw in a 1968 Camaro Z/28 and watch as they learn the hard way, tearing apart this classic muscle car and then putting it all back together:


Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is: 601 Cleveland St. Suite 930, Clearwater, Florida, 33760 
