CyberheistNews Vol 6 #17 Scary New CryptXXX Ransomware Also Steals Your Bitcoins




Stu Sjouwerman

Now here's a new hybrid nasty that does a multitude of nefarious things. A few months ago the 800-pound Dridex cyber gang moved into ransomware with Locky, and now their competitor Reveton has followed suit and is trying to muscle into the ransomware racket with an even worse criminal malware multitool.

At the moment, CryptXXX spreads through the Angler Exploit Kit, which infects the machine with the Bedep Trojan, which in turn drops information stealers on the machine and now adds professional-grade encryption that appends a .crypt extension to the filename. More at the KnowBe4 blog:
https://blog.knowbe4.com/scary-new-cryptxxx-ransomware-also-steals-your-bitcoins

Scam Of The Week: Secure Document Phishing Attacks Trap Employees

There is a new wave of phishing scams. In the industry this is called the "secure doc" theme. It's getting very popular with the bad guys. We are seeing a spike of malicious ones coming in at the moment.

There are active phishing campaigns using fake DocuSign, EchoSign and Secure Adobe PDF attachments trying to trap employees into opening them up. One user reported receiving one of these, with the "from" address spoofed as coming from their own attorney. That's a nasty form of spear phishing.

It is also interesting to see that "secure doc" emails are one of the most misflagged categories of real emails that we see. Users have trouble figuring out whether a "secure doc" email is real or a phish -- even when dealing with secure document delivery services that are used/contracted by their own employers.

I suggest you send your users something like the following. You're welcome to copy/paste/edit, and add a line or two about how your own organization uses secure documents:

"I'm warning you about a recent wave of phishing attacks that try to trick you into opening "secure documents." You receive an email that looks like it is a DocuSign, EchoSign or Secure Adobe PDF notification with an important document attached that needs to be looked at.

The bad guys try to trick you into opening the attachments and clicking "enable macros" or "enable editing," but when you do, your workstation gets infected with malware or ransomware.

When you receive this type of document, which you did not ask for, and it's from someone you do not know, be very cautious and if you want to be sure, delete the email. If it looks like it comes from someone you do know, pick up the phone, use a phone number you know is valid (not a phone number from the suspicious email itself), and verify if this was actually sent by them and what the purpose was."


Learn more at this blog post about the three different ways the bad guys attack with examples and screen shots:
https://blog.knowbe4.com/scam-of-the-week-secure-document-phishing-attacks-trap-employees

A Short History & Evolution Of Ransomware

Ransomware attacks cause downtime, data loss, possible intellectual property theft, and in certain industries a ransomware attack is now looked at as a possible data breach.

September 2013 is when ransomware went pro, with CryptoLocker being released in the wild. However, there is more to it both before and after that fateful date. Many more ransomware strains are expected. This is only the early days, and as we said, it's a very successful criminal business model with many copycats. Cybercrime is furiously innovating in both the technical and social engineering areas.

Check out "A Short History & Evolution of Ransomware". It's a bit longish but "Know Your Enemy." Read it over a lunch break!
https://www.knowbe4.com/what-is-cryptolocker-ransomware/

These CISOs Explain Why They Got Fired

Great article by Doug Drinkwater at CSO. Some people learn by reading a book, some learn by trial and error, and some need to pee on the electrified fence to get the message. Don't be that guy. If you are (willy-nilly) wearing the CISO hat in your organization, here is his very instructive story:

"Chief Information Security Officer (CISO) leads an increasingly precarious life. Since the emergence of the job title in the late 1990s, the CISO job has become more complex - and demanding - by the day.

"Whereas once this was a technical job focused largely on fixing firewalls and patching vulnerabilities, today’s security chiefs are expected to do this and a whole lot more. They’re charged with juggling the day-to-day operations of their security team with meeting board expectations while also staying abreast of an ever-evolving threat landscape and regular regulatory changes.

"As a result, it could be argued that the CISO job is a poisoned chalice: the job is well-paid, respected and increasingly available to people of all backgrounds (thanks to the well-publicized InfoSec skills shortage), and yet the average job can last 18 months or less. A CISO could be dismissed for any number of things, from a breach or missed vulnerability to failing to align security operations with the board’s business goals.

"One former head of InfoSec spoke of the challenge facing security heads in thriving - and even surviving - in their job. 'CISOs have an incredibly difficult job in that they are responsible for something they can never provide 100 percent assurance on, i.e. securing the enterprise. All it takes is one missed vulnerability, one insider or one accidental "insecure" process.' So, how do CISOs avoid getting the chop? Here are three tips:
http://www.csoonline.com/article/3057243/security/these-cisos-explain-why-they-got-fired.html

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"If you're going through hell, keep going." - Winston Churchill

"If you find yourself in a hole, stop digging." - Will Rogers


Thanks for reading CyberheistNews


Security News
NEW: This Week's Most Popular HackBusters Posts

There is an enormous amount of noise in the security space, so how do you know what people really talk about and think is the most important topic? Well, we created the Hackbusters site for that. Hackbusters grabs feeds from hundreds of security sites, blogs and other sources. We track which topics are most liked, shared, retweeted and favored, and we built an algorithm that bubbles up the -real- hot topics. We tweet when a #1 hot security topic bubbles up.

Here is a link to this week's most popular hackbusters posts:
http://www.hackbusters.com/news/popular/week

Microsoft CyberTrust Blog: Ransomware--Understanding The Risk

It's interesting to see what Redmond has to say about ransomware, since they have been relatively quiet about it. Tim Rains is Director, Security at Microsoft and reports on their telemetry, which covers hundreds of millions of systems. There is good news and bad news, depending on how you look at it. This is a long, technical article but it has good stuff in it:
http://blogs.microsoft.com/cybertrust/2016/04/22/ransomware-understanding-the-risk/

A Lesson On Patching: The Rise Of SAMSAM Crypto-Ransomware

It's not only phishing that causes ransomware infections. Drive-by-downloads and unpatched machines are also infection vectors. Trend Micro has a very good example of this!

"The critical role of patch management comes into play when vulnerabilities are used by attackers as entry points to infiltrate their target systems and networks or when security flaws are abused to spread any threats. The case of the infamous SAMSAM crypto-ransomware supports this.

The said threat deviated from other crypto-ransomware families. Instead of arriving via malicious URLs or spam emails, it leverages security flaws in unpatched servers. Last March 2016, SAMSAM hit the Kentucky hospital by encrypting all its files, including those found in the network.

From the healthcare industry, SAMSAM moves to target the education sector. In a recent attack, a significant number of servers and systems were exposed to SAMSAM and other malware via JBoss server vulnerabilities. JBoss is an open source application server that runs on Java. Systems or servers with ‘Destiny’ software were also affected. According to a report by CISCO, this software is typically used by K-12 schools worldwide.

Follett has already released a patch to protect users of Destiny software." More:
http://blog.trendmicro.com/trendlabs-security-intelligence/lesson-patching-rise-samsam-crypto-ransomware/

Law Enforcement, Government Agencies See Phishing As Main Cyber Risk

In a meeting held in New York, representatives of law enforcement and governments from the US and the UK met to agree on a joint plan to tackle cyber threats, and their top priority for the foreseeable future will be phishing attacks.

Read on Softpedia News how the Strategic Advisory Committee (SAC) of the newly founded Global Cyber Alliance (GCA) agreed at its meeting that phishing is the main cyber security risk today:
http://news.softpedia.com/news/law-enforcement-government-agencies-see-phishing-as-main-cyber-risk-503272.shtml

Cybercrime Swaps Targets From Banks To Healthcare

The Register had a really interesting article based on a new IBM X-Force report. It covers how healthcare has bumped up to the #1 spot for attacks, with banks moving from #1 to #3.

Interesting to see that the article mentions how employee education and security policies are helping reduce the effectiveness of spear phishing.

"The improvement in areas such as workers becoming unwitting conduits for attack is a sign that employee education and security policies are helping to reduce the effectiveness of spear phishing and similar hacking tactics. Or, put another way, workers are more wary of baited emails that actually come packed with malicious code." Here is a link to the article and full IBM report:
http://www.theregister.co.uk/2016/04/20/cybercrooks_switching_targets/


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • A bridge needs to be built, so time to bust out the cranes, right? Not so fast, a Chinese company has built a monster machine that has a creative way to do that:
      https://youtu.be/PbaD2-2Ktwc



