CyberheistNews Vol 6 #32 Scary Stuff And Hot Security Products At Black Hat And DEF CON

CyberHeist News CyberheistNews Vol 6 #32
Scary Stuff And Hot Security Products At Black Hat And DEF CON
Stu Sjouwerman

I have been in Las Vegas all week with lots of interesting stuff to report!

The Black Hat USA 2016 Conference is over and I was there to check out everything that was hot and scary, also making a stop at DEF CON. BlackHat was first held nearly 20 years ago, and gives InfoSec pros a place to gather and learn about the latest risks and trends from the top people in the field.

Again, this year there were topics about critical infrastructure security; enterprise systems and datacenter technologies; vulnerabilities targeting nearly every platform, operating system and device imaginable; and the latest in vulnerability research and information security development.

If you could not make it to the show (and meet Kevin Mitnick and yours truly), Dark Reading did their homework and created a slide show with 10 Hottest Briefings -- two for each of these five categories:

  • Overall: Vehicle Networks & FIDO
  • Application Security
  • Microsoft
  • Mobility
  • Internet of Things

Check them out here:

Hot Security Products At Black Hat 2016

There was a ton of news about BlackHat, and it would take days to sift through all of it. Luckily some of the NetworkWorld reporters did much of that and I selected two slide shows that will get you a quick update on the main issues. The first is the Hot Products slide show, the second is an overview of the Hot Issues that are relevant at the moment. Here is the first one:

This second set of slides is interesting, specifically slide 12 which shows a video of CSO's Steve Ragan who sat down with a hacker named Munin to chat about a prototype of a tool that could help administrators defend their networks from phishing attacks and other threats.

Sounds interesting, right? Well not so much when you see the clip. It's a great example of (bone-headed) old-school thinking about awareness training and only relying on the next shiny technical control to block something.

Looking at the average short lifespan of phishing domains, Munin proposes to simply block *any* new domain name that enters your network for 24 hours. Can you imagine the help desk tickets that would generate? Sheesh. Check it out:

Social Engineering CTF Was A Lot Of Fun

Chris Hadnagy's Team ran a fun Capture the Flag contest this year. Here is a synopsis of the SECTF from their website: "This truly unique event will challenge you and test your abilities to use social engineering skills to gather small amounts of data from unsuspecting companies over the phone. Each contestant will be assigned a target company. Each contestant will be provided with flags, a sample report and their call time."

Large companies were attacked live over the phone, with sometimes surprising results. For legal reasons no pictures could be taken, no names given, and no audio recordings made. This was for strict entertainment and instruction of the people there learning about social engineering. The room was packed!

Also, the Security Innovation services team held their CMD+CTRL Hackathon as an official DEF CON Contest.

These are interactive learning events where development and IT teams come together to put their security skills to the test. Players learn offensive and defensive tactics in real-world environment where they compete to find vulnerabilities in web applications and defend IT infrastructure. At DEF CON, the contest was based on Security Innovation’s Web Application CMD+CTRL Hackathon.

“Every year our security engineers attend DEF CON to share their knowledge and stay on top of the latest threat and vulnerability trends,”said Security Innovation CTO, Jason Taylor. “This year, Security Innovation was honored to be chosen to present not only 2 speaking topics, but also showcase our CMD+CTRL Hackathon as an official event contest. I’m proud of the team for this recognition and we are all excited to share our knowledge and experiences from the past year of security projects.”

Much more at the official DEF CON website:

Scam Of The Week: Real Email From Paypal. And, Yes, It's Really Malicious.

Score another one for the bad guys, who have yet again demonstrated their seemingly inexhaustible ability to concoct new methods to exploit legitimate services in order to bypass existing anti-malware defenses and spam traps.

Proofpoint researchers report in a special security advisory that malicious actors are delivering the Chthonic banking trojan (itself a variant of the infamous Zeus trojan) through the Paypal "money request" feature.

Using legitimate (and undoubtedly compromised) Paypal accounts, the bad guys are sending potential victims bogus phishing requests for money through Paypal. In addition to losing a few hundred bucks to imposters, potential victims may also fall victim to the Chthonic banking trojan if they click the embedded link in the email.

So, how did it come to this? Paypal allows users of the "money request" feature/service to include a personalized message. And that enables the bad guys to push malicious links that lead to Chthonic on unsuspecting users. In the example offered by Proofpoint, the malicious link takes the form of a shortener link, which then redirects to a malicious domain controlled by the bad guys.

If there is any good news to be had from this situation, it's that this malware campaign still appears to be low volume. In other words, the bad guys haven't yet figured out how to automate this campaign. Also, the embedded malicious link is not being hidden behind a Paypal redirect URL, which would make the bait appear even more legitimate than it already does.

Nonetheless, I recommend sending this to your employees, friends and family. You're welcome to copy/paste/edit:

"Bad guys are sending people phishing emails and take over their PayPal accounts. Once they have control, they send people bogus money requests through PayPal. However, to make things worse, they include a personal message which leads to a Trojan that could steal your banking information. So, remember to always Think Before You Click, even if the email gives every appearance of coming from legitimate, trusted sources."

The Wicked Way Ransomware Can Get You in Regulatory Hot Water

About a year ago I wrote here that there would be an increase in enforcement activity against organizations with allegedly defective cybersecurity practices that fail to protect consumer data against hackers.

My prediction was based on a federal appeals court decision upholding the Federal Trade Commission’s authority to pursue regulatory enforcement action against a victim of a major cyber-attack. I was not the only one who saw that one coming, and Douglas Brent at Stoll Steenon Ogden wrote: "Fast forward to July 2016, when an alarming enforcement threat was included in guidance from the Health & Human Services’ Office for Civil Rights, which enforces the HIPAA Security rule." You can bet your boots that other regulators will follow soon, meaning PCI, GLBA, FFIEC and others so this is advanced warning.

Here is the upshot. Even if you have already encrypted your data, it may still be treated as a breach. How's that? After all, when it comes to protecting personal information, encryption is good, right?

No. So how is it a breach?

HHS/OCR says whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination, noting a breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted which . . . compromises the security or privacy of the PHI.”

The guidance says OCR will presume a breach of PHI because the action of the ransomware itself is necessarily an unauthorized “possession or control” of the information and is thus a “disclosure” not permitted under the HIPAA Privacy Rule.

Brent suggests: "If you are not yet a ransomware victim, make sure your encryption practices related to PHI will assure a low probability of “compromise” in the event of unwelcome encryption by criminals. Unless you are intimately familiar with encryption standards for data at rest, you may need assistance from your IT expert and your lawyer.

"And, if attacked by a ransomware-wielding criminal, engage counsel immediately because your thorough, good faith and reasonable forensic examination ought to be done by IT experts working with your counsel and protected by attorney client privilege.

If your experts determine there has not been a reportable breach, you may have to justify that determination to regulators at HHS/OCR. This could be especially true if the attack on your business has drawn media attention."

Here Are 8 Things to Prevent Ransomware Infections (apart from having weapons-grade backup)

    1. From here on out with any ransomware infection, wipe the machine and re-image from bare metal.

    2. If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it's tuned correctly.

    3. Make sure your endpoints are patched religiously, OS and 3rd Party Apps.

    4. Make sure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers.

    5. Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA).

    6. Review your internal security policies and procedures, specifically related to financial transactions to prevent CEO Fraud.

    7. Check your firewall configuration and make sure no criminal network traffic is allowed out.

    8. Deploy new-school security awareness training, which includes social engineering via multiple channels, not just email.

Since phishing is the #1 ransomware infection vector, and attacks are getting through your filters too often, getting your users effective security awareness training which includes frequent simulated phishing attacks is a must.

KnowBe4's integrated training and phishing platform allows you to send attachments with Word Docs with macros in them, so you can see which users open attachments, then enable macros, which in turn cause a ransomware infection.

See it for yourself and get a live, one-on-one demo.

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Having once decided to achieve a certain task, achieve it at all costs of tedium and distaste. The gain in self confidence of having accomplished a tiresome labor is immense."- Arthur Helps - Historian (1813 - 1875)

Thanks for reading CyberheistNews

Security News
Spiceworks Question: "Have We Been Hacked?"

Q: "I received my weekly KnowBe4 report this morning, telling me that only one member of staff has clicked on their test phish this week (Yay!).

OK, so I clicked through to see which staff member it was, so I could check if they'd done their training yet (some still haven't) and have a quiet word with them. Anyway, I see it's one of the partners, and possibly the single least technical person in the office. He sees computers as confusing magical boxes that need to be tamed by wizards.

OK, no surpises there. But then I see the link was clicked through from WinXP (what?!), using IE 8 (hello?!) and I think, he hasn't seriously still got an XP machine at home running IE 8 has he?!

And then I see that the IP address he clicked from was based in Denver Colorado.

And I think that's strange... was he on holiday in the States? I check with a member of his team, and no, he was still in London on that day... (of course he's abroad now, conveniently).

So here's the question. Has his corporate e-mail been hacked? Has our network been breached? Almost certainly, if his e-mail was being accessed on XP, it would have been via OWA, as we haven't had any office machines or laptops running XP in a long time.

So, the next thing to do would be to check the Exchange IIS logs and see if that IP is logged as accessing our OWA server. But seriously, how worried should I be?"

Answers are here, very good advice!

The Latest From Black Hat 2016: Ransomware By The Numbers

The annual Black Hat security conference always produces a wealth of interesting papers, presentations, talks, live demos, and security news. Among the more eye-opening presentations so far was a multi-country study sponsored by our friends at Malwarebytes on the "state of ransomware."

The Numbers

As you might have suspected, the numbers are pretty bad and largely confirm the results of our own study, which revealed that ransomware infections have doubled in the last two years. Fully 40 percent of businesses and organizations participating in the survey reported experiencing ransomware attacks in the past year. More shocking, however, were the reported impact of these attacks, almost half of which were launched through malicious emails (aka, phishing or malspam).

Just over one-third (34 percent) of the surveyed organizations reported financial losses as a result of ransomware attacks. Worse, 20 percent had to halt business operations completely following a ransomware attack.

The growth in ransomware attacks has been explosive recently, with malware researchers seeing a 259 percent rise in ransomware delivered via exploit kits just in the past five months. In the first quarter of 2016 alone there were at least 32 new ransomware strains discovered. That kind of growth is driven by pure greed: almost 60 percent of ransomware victims pay the ransom, which is getting ever more expensive -- 20 percent of ransom amounts now exceed 10,000 dollars.

Costly Recovery Time

The effects of successful ransomware attacks on business operations were found to be especially severe. The average time to recover and return to normal operations was nine hours. A large number of organizations (63 percent), however, reported that the process of rebooting systems, fixing vulnerabilities, and patching endpoints required more than a full business day.

Healthcare and financial organizations have been particularly hard hit, with 3.5 percent of affected organizations reporting that "lives were at stake" when their core operations were impacted by ransomware attacks.

Defending Against Ransomware: Take the First Step

All too often ransomware attacks succeed because organizations fail to take basic steps to protect, educate, and train their employees. One of the first steps you can take to harden your organization against ransomware is to assess just how exposed it is to email-borne malware attacks. In other words, just how big of an email attack surface is your company presenting to the outside world?

The Email Exposure Check is a one-time complimentary service that can help answer that question. We will email you back a report containing the list of exposed addresses and where we found them within 2 business days, or sooner! This shows you your phishing attack surface which the bad guys will use to try to social engineer your users into opening an attachment infected with ransomware.

This Week's Five Most Popular HackBusters Posts
    1. On This Day 25-years Ago, The World's First Website Went Online:

    2. Over two weeks after the shutdown of Kickass Torrents and arrest of its admin in Poland, the world's biggest BitTorrent meta-search engine has apparently shut down its operation:

    3. The ABC of Cybersecurity: T is for Trojan:

    4. Hack Apple & Get Paid up to 200,000 dollars Bug Bounty Reward:

    5. Pokémon GO Creator's Twitter Account Hacked:

Subscribe To Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews