CyberheistNews Vol 6 #21 [ALERT] This New Ransomware Strain Adds DDoS Bot Causing More Damage



CyberHeist News CyberheistNews Vol 6 #21
[ALERT] This New Ransomware Strain Adds DDoS Bot Causing More Damage
Stu Sjouwerman

Excuse my French, but Holy S#!+, some ransomware developers have created a new evil way to monetize their operations by adding a DDoS component to their malicious payloads. Security researchers from Invincea reported this a few days ago on a new malware sample they found.

Instead of "just" encrypting data files on the workstation (plus any network drive it can find) and locking the machine, this variant of the Cerber ransomware also started adding a DDoS bot that can quietly blast spoofed network traffic at various IPs. This is the first time DDoS malware has been bundled within a ransomware infection.

Invincea said: "The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive."

This means that while the victim is unable to access their endpoint, that same endpoint is being used to deny service to another victim. Two attacks for the price of one. Yikes.

The Knowbe4 blog lists 8 things you can do about it, also please share on social media and forward to your peers. This plague gets nastier by the month!:
https://blog.knowbe4.com/alert-this-new-ransomware-strain-adds-ddos-bot-causing-more-damage

Scam Of The Week: LinkedIn Email "Change Your Password".

You probably remember the 2012 LinkedIn data breach. It was a big deal because something like 6.5 million user account passwords were posted online, but LinkedIn never confirmed the final number of people that were impacted.

Well, it turns out that really 117 million records were stolen which have both emails and passwords that were easily decrypted. And this new number is all over the news because that database is now being sold on the dark net. It is not unusual for such stolen material to turn up for sale long after the initial data breach.

LinkedIn is invalidating the compromised passwords and currently sending out emails to users, asking them to change their passwords in response to this report (though the email LinkedIn is sending is vague about the actual nature of the threat).

And of course the bad guys have jumped on this too. It's prime time for them to exploit user fear and confusion and send out their own fake versions of that email, and other LinkedIn-themed phishing attacks.

This means you need to inoculate your users before they fall for these new scams. I have some copy you can send employees. You're welcome to copy/paste/edit:

"The original LinkedIn 2012 databreach turns out to have been much larger than the estimated 6.5 million username and passwords that were stolen. There are really more than 100 million records compromised and LinkedIn is sending emails to these users that they need to change their password.

The bad guys however, are jumping on this as well and are sending phishing emails with a fake LinkedIn login page. If you fall for this scam and log in on their fake page, your credential will be stolen, your LinkedIn account compromised and/or your computer infected with all kinds of malware.

If you receive an email that seems to come from LinkedIn, hover over the links and make sure they are legit before you click. Even better, do not click on anything and just go to LinkedIn using your browser and change your password. If you have used your LinkedIn password at other sites, it's time to change those as well!"

Go to www.LinkedIn.com, click Help, (bottom right) and choose Changing Your Password. In case you want to get another layer of password protection, LinkedIn also offers dual factor authentication by which you can have a one time numerical code sent to your smartphone each time you need to access your LinkedIn account.


For KnowBe4 customers, we have added a new template in the Current Events section. It is very close to the original LinkedIn email, so it has a 4-star difficulty rating. The subject is "Reset your LinkedIn Password".

PS: If you are not a KnowBe4 customer yet, send a (no-charge) Phishing Security Test to your users and find out the Phish-prone percentage of your employees. The results are often shocking but a good way to get budget. Start here:

https://www.knowbe4.com/phishing-security-test-offer

How To Stop Your Ex-Girlfriend Sending Nude Photos To A Fake Facebook Profile

In a case of sophisticated social engineering, a fraudster created a fake profile of actor Vincent Gallo. The bad guy then proceeded to engage in a 2-month long scam, flirting online and sending the ex-girlfriend nude pictures of "himself", until she sent pics of herself and decided to fly in and meet him.

Gallo is suing Facebook over the fake profile, allegedly used to friend Gallo’s friends and acquaintances, for online sex chats, and to lure Los Angeles women to meet in person.

The bogus account had some 3,000 friends, including some of the real Gallo’s real friends and acquaintances. More about this case at the KnowBe4 blog:
https://blog.knowbe4.com/how-to-stop-your-ex-girlfriend-sending-nude-photos-to-a-fake-facebook-profile

TeslaCrypt Gives Up And Releases Master Decryption Key

Larry Abrams from the Bleepingcomputer site noted: "In a surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key. Over the past few weeks, an analyst for ESET had noticed that the developers of TeslaCrypt have been slowly closing their doors, while their previous distributors have been switching over to distributing the CryptXXX ransomware.

"When the ESET researcher realized what was happening, he took a shot in the dark and used the support chat on the Tesla payment site to ask if they would release the master TeslaCrypt decryption key. To his surprise and pleasure, they agreed to do so and posted it on their now defunct payment site. More:
https://blog.knowbe4.com/teslacrypt-gives-up-and-releases-master-decryption-key

Tech Support Scammers Start Locking Windows PCs

Tech support scammers have come up with a new way to trick users: screen lockers showing fake Windows alerts telling users that their Windows copy has expired or has been corrupted: This scheme actually prevents users from using their computers until they call the provided toll-free “tech support” phone number and provide their payment info.

According to Malwarebytes researcher Jérôme Segura, the Windows locker is delivered to unsuspecting users bundled with other (potentially unwanted) software or posing as an update for a legitimate, popular application. More at their blog:
https://blog.malwarebytes.org/cybercrime/social-engineering-cybercrime/2016/05/tech-support-scammers-get-serious-with-screen-lockers/

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Don’t let the past steal your present."- Cherralea Morgen

"You must be the change you wish to see in the world."- Mahatma Gandhi

"If you like nerds, raise your hand. If you don't, raise your standards."
- Violet Haberdasher


Thanks for reading CyberheistNews


Security News
As The Phish, We All Need To Recognize The
Baited Hook

A real security manager going by the pseudonym "J.F.Rice", observed:

"In the past, we taught our employees to watch out for spelling errors, poor formatting, grammatical mistakes, janky graphics and other obvious clues to spot a fake. These days, phishing scams are not only slick and professional- looking, but also well thought out and tailored to their audience. They are much harder for the average user to immediately recognize as malicious...

"I’ve focused my attention on alerting our employees and teaching them how to detect the signs of phishing in this new threat landscape. Much of the old advice is no longer very helpful. What is still true, though, is that harmful messages usually carry a sense of urgency (open NOW!) and a threat of consequences (or you’ll be FINED!), and they come from an unexpected sender.

"But I’m also teaching my employees about relevance (are you the appropriate person to receive the email?) and situational awareness (does the email make sense, is it expected, is it appropriate?). These are more abstract concepts, and harder to teach. I believe it is paying off, however, and I believe it is part of the reason we’ve been able to go 90 days without an incident." Here is the whole article:
http://www.csoonline.com/article/3071710/security/as-the-phish-we-all-need-to-recognize-the-baited-hook.html

Compromised Web Server Tells You To Pay For Damage To ISP Servers

A reader alerted me with: "And this just in, some compromised web sites utilize a "Pop Under", that includes your ISP data, instructing you to call the number on the web page, or be charged for damage to the ISP servers."

This pop-under appears when the users closes the browser and at that point the users needs to know this is another type of scam.

HHS Office For Civil Rights To Release Guidance For Dealing With Ransomware Attacks

The U.S. Department of Health and Human Services Office for Civil Rights is working on official guidance to help healthcare organizations formulate plans to bolster against ransomware attacks and to figure out effective ways to react to such attacks, according to the Bloomberg Bureau of National Affairs.

Deven McGraw, deputy director for health information privacy at OCR, first discussed the ransomware guidance at a recent cybersecurity panel event held by Politico. According to a new report from the Ponemon Institute, ransomware, denial-of-service attacks and malware are the top threats facing healthcare organizations today.

The OCR guidance additionally will look to shed light on when a ransomware attack is considered a breach, thus requiring healthcare organizations to inform the OCR and patients, according to Bloomberg BNA. To date, healthcare organizations have not been reporting ransomware attacks as breaches. More:
http://www.healthcareitnews.com/news/hhs-office-civil-rights-release-guidance-dealing-ransomware-attacks

KnowBe4 has just released a 7-minute training module called Ransomware for Hospitals which trains hospital workers on the red flags seen with those attacks.
https://www.knowbe4.com/knowbe4-training-modules-overview/

New KnowBe4 CEO Fraud Training Module

In this 10-minute module, employees are quickly brought up to speed to inoculate them against what the FBI calls "Business Email Compromise" and what is commonly known as CEO Fraud. Concepts like social engineering, email spoofing, and the two ways that CEO Fraud is being perpetrated are covered. There is a short video with a live demo of an infected Excel file, and a short quiz to test understanding at the end. Downloadable PDF Resources: Social Engineering Red Flags, and Security Awareness: Best Practices. The course was added to the accounts of all gold and platinum customers at no charge.

What does a "Human Firewall" look like, anyway?

So you've subscribed to security awareness training that includes training modules as well as simulated phishing campaigns for your organization. You may have gotten to the point where you're rolling out the training modules to your employees and setting up your very first phishing campaign to establish a baseline Phish Prone Percentage.

But you're now wondering: what can your organization expect? Does this stuff really work? Are you going to see any kind of actual payoff from this training? More:
https://blog.knowbe4.com/what-does-a-human-firewall-look-like-anyway


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • Here is a Virtual Reality view of the future and it's scary as hell. Think glasses or contact lenses that project all this straight into your eyes, and then need a reboot...:
      https://vimeo.com/166807261



Subscribe To Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews