CyberheistNews Vol 6 #35 Heads-Up! Voice Message Notification Email Warning Could Be Ransomware



Stu Sjouwerman

Don't play voice mail messages from suspicious sources. Xavier Mertens at the SANS Internet Storm Center had a great item that we have been warning against for a while now.

He started out with: "Bad guys need to constantly find new ways to lure their victims. If billing notifications were very common for a while, not all people in a company are working with such kind of documents. Which types of notification do they have in common? All of them have a phone number and with modern communication channels... everybody can receive a mail with a voice mail notification. Even residential systems can deliver voice message notifications."

One of the currently most prevalent ransomware strains, Cerber, has even experimented with text-to-speech synthesizers to pressure victims into paying the ransom.

This new voice mail attack email arrives with an attachment that supposedly contains a voice message as a .wav file compressed in a .zip archive. The archive actually contains malicious code that installs ransomware and renames the encrypted files to [original file name].crypted.

The delivery mechanism may be exploiting the fact that missed call notification emails are enabled by default in Microsoft Outlook.

Consumers appear to be the first target of this ransomware campaign according to Mertens. The initial phishing attack campaign contained a voice message regarding a modem from Vigor, a UK distributor of ADSL modems for the residential market.

As we all know, the bad guys use the UK as a beta test for their attacks, and debug the whole campaign before they unleash it on the U.S. So use this as a heads-up and alert your users that they need to watch out.

I recommend you send your employees, friends and family something like this, you're welcome to copy/paste/edit:

"Bad guys have found a new way to trick people into infecting their PC with ransomware. This time it looks like a Microsoft email that tells you about a voice mail that was left for you, and wants you to play the voice mail.

The email has a .zip attachment that supposedly holds the voice mail message as a .wav file. However, if you unzip the file and open what is inside, the ransomware will encrypt all the files on your computer, and possibly all the files on the network that you have access to. You only get your files back if you pay around 500 dollars.

Do not click on links in "voice mail" emails from someone you do not know, and certainly do not open any attachments!

Remember, Think Before You Click!"


Here is the blog post with a screenshot, showing how this looks:
https://blog.knowbe4.com/heads-up-voice-message-notification-email-warning-could-be-ransomware

The 10 Fastest Growing Cybersecurity Companies Right Now

CRN observed an interesting development in growth of cyber security:

"Cybersecurity is one of the fastest growing, if not the fastest growing, area of IT right now. With that comes an incredible opportunity for growth for vendor startups and solution providers alike. This year's INC 5000 list recognized the companies that are making the most of that opportunity, with growth rates up to 7,613 percent over the past three years.

What's exciting for the channel is that nearly half of the top ten fastest growing companies in the market were solution providers, showing the opportunity is ripe for partners to capitalize on cybersecurity."

Take a look at who made the list. It goes from 10 to 1 and you will find yours truly at #2:
http://www.crn.com/slide-shows/security/300081779/the-10-fastest-growing-cybersecurity-companies-right-now.htm

5 Security Practices That Hackers Say Make Their Lives Harder

Hackers believe no password is safe from a determined attacker, but they agree that five key security measures can make it a lot harder to penetrate enterprise networks.

At the Black Hat USA 2016 conference in Las Vegas earlier this month, Thycotic, a specialist in privileged account management (PAM) solutions, surveyed more than 250 attendees who self-identified as hackers (respondents remained anonymous). Here are the measures:

  1. Limit admin access to systems
  2. Protect privileged account passwords
  3. Extend IT security awareness training
  4. Limit unknown applications
  5. Protect user passwords with security best practices

Full article with detailed explanation for each point at CIO Magazine:
http://www.cio.com/article/3112740/security/5-security-practices-hackers-say-make-their-lives-harder.html

Here Is A Real DDoS Plus Ransomware Extortion Attack

One of our customers received a clear extortion attempt threatening to carry out a combined DDoS and Cerber ransomware attack against them. These bad guys claim to be the Armada Collective, but the original gang was arrested and is no longer in the running.

However, there are copycats that have taken the Armada approach and are sending this type of extortion email to people. The KnowBe4 blog has the details. You have to start asking yourself whether you would pay or not, and whether to start buying Bitcoin just in case:
https://blog.knowbe4.com/here-is-a-real-ddos-plus-ransomware-extortion-attack

New Locky Ransomware Version Out In The Wild

A new version of Locky ransomware has been spotted, featuring an improved delivery mechanism and better obfuscation which, combined, make it more difficult for anti-malware products to spot.

Maharlito Aquino, a researcher with Cyren, said these changes to Locky, first detected on August 23, are just the latest in a string discovered so far this summer, indicating that the cybergang developing Locky is not resting on its laurels.

Like earlier versions of Locky, this one uses emails socially engineered to appeal to those working in the financial sector, carrying a zip attachment that contains the attack.

Aquino stated that recent Locky versions drop DLL files on infected computers, instead of EXE files. The rest of the infection chain remains as we know it.

Locky sends phishing emails to your employees that have a ZIP file attached to the email body. If a user unzips the attachment, it drops a JavaScript file, which when executed downloads the DLL file.

Next, the DLL is injected into a process and its malicious code is executed, which in turn starts the file encryption operation. Another new feature is that this DLL file uses a custom packer to prevent anti-malware scanners from detecting it.

This strain locks files and appends the .zepto extension at the end, meaning this is a version of the Zepto ransomware, which is just a Locky OEM.
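Both the "voice message" lure in the first item (a .zip whose supposed .wav is really malicious code) and the Locky chain above (a .zip that drops a JavaScript downloader) can be caught at the mail gateway before a user ever unzips anything. The following is an added example, not code from the newsletter, from Cyren, or from the SANS ISC post; the extension lists, the sample archive and its placeholder contents are constructed for illustration. It opens a ZIP attachment in memory, flags script or executable entries, flags double extensions such as ".wav.js", and checks that anything named .wav actually carries a RIFF/WAVE header.

```python
"""Triage of e-mail ZIP attachments for the lures described in this issue:
a "voice message" .wav that is not audio, and a ZIP that drops a script."""
import io
import zipfile

# Entry extensions that have no business inside a "voice mail" or "invoice" ZIP.
# Constructed list for this example; extend to taste.
SCRIPT_OR_EXEC_EXTS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
    ".exe", ".dll", ".scr", ".cmd", ".bat", ".ps1",
}

# Benign-looking extensions used as the middle part of a double
# extension such as "message.wav.js".
LURE_EXTS = {".wav", ".mp3", ".pdf", ".doc", ".docx", ".txt"}


def looks_like_wav(data: bytes) -> bool:
    """A real WAV file starts with 'RIFF', four size bytes, then 'WAVE'."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"


def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Return (entry_name, reason) findings for one ZIP attachment.

    Three checks, each matching a trick described in the newsletter:
    - an entry whose extension is a script or executable (the Locky dropper)
    - a double extension hiding a script behind an audio or document name
    - a ".wav" entry whose bytes are not a WAV file at all
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid zip archive")]
    with zf:
        for info in zf.infolist():
            name = info.filename
            basename = name.lower().rsplit("/", 1)[-1]
            parts = basename.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_OR_EXEC_EXTS:
                findings.append((name, f"script or executable entry ({ext})"))
            if len(parts) > 2 and "." + parts[-2] in LURE_EXTS:
                findings.append((name, "double extension hides the real file type"))
            if ext == ".wav" and not looks_like_wav(zf.read(info)):
                findings.append((name, "named .wav but lacks RIFF/WAVE header"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample ZIP shaped like the lures above (placeholder content, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Script hiding behind an audio name, as in the Locky chain.
        zf.writestr("VoiceMessage_0423.wav.js", "// placeholder script text\n")
        # Named .wav, but the bytes are not audio.
        zf.writestr("VoiceMessage.wav", b"<placeholder, not audio>")
        # A minimal genuine WAV header; should produce no finding.
        zf.writestr("greeting.wav", b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_zip_attachment(build_sample_attachment()):
        print(f"{entry}: {reason}")
```

Run against the constructed sample, the script and double-extension checks both fire on the ".wav.js" entry and the header check fires on the fake .wav, while the genuine WAV passes. In a gateway, any finding is reason enough to quarantine the message rather than deliver it.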

Also, in the last two weeks, three new open source ransomware strains have emerged, which are based on Hidden Tear and EDA2. These new ransomware families specifically look for files related to web servers and databases, which suggests they are specifically targeting businesses.

Both Hidden Tear and EDA2 are considered the first open source ransomware created for educational purposes. However, they were quickly abused by cybercriminals.

And then there is the Bleepingcomputer roundup this week, with 10 stories, 6 new ransomware strains, a decryptor and much more:
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-26-2016-cows-wildfire-locker-locky-and-more/

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Be not afraid of life. Believe that life is worth living, and your belief will help create the fact." - William James

"Life shrinks or expands in proportion to one's courage." - Anais Nin


Thanks for reading CyberheistNews


Security News
Teach An Employee To Phish And He Will Protect You For A Lifetime

C Plummer wrote an excellent blog post in which he said the following before going on to review the KnowBe4 platform:

"It's abundantly clear that even with next-level compensating controls, you cannot stay ahead with technology alone. Bad actors get it. They know you probably spent a heap of money on a firewall that can hear a pin drop.

They're not going anywhere near it, because it's noisy and it's too much work. Why go through the trouble, when I can simply email everyone in your finance department a fake Amazon order receipt for a Bob Ross painting and hope someone clicks.

It’s not to say that perimeter and endpoint defense is useless, but this is about defense in depth. It has to go all the way down.

Everything we can do with technology:

  • https everywhere
  • filter malware domains at the firewall
  • leverage anti-malware DNS
  • make our mail server attachment handling hypersensitive
  • tune group policy to neutralize the execution of risky file extensions
  • filter malware domains at the client
  • whitelist executables at the client
  • enforce the principle of least privilege
  • use separate accounts for administrative functions
  • we can pilot next-gen AV

is subverted the moment a user replies to a phishing email with their password. We need a mandate to educate. When we train our users, when we empower them to protect each other – and to protect the continuity of their very careers – we build a culture of impassioned, sustainable security that transcends technology."

Here is the KnowBe4 review:
https://603security.com/2016/08/25/teach-an-employee-to-phish-and-he-will-protect-you-for-a-lifetime/

And if you are interested in a shortlist of the leading security awareness training companies, Gartner has a brand new review site which you could call "Yelp for IT". It's called PeerInsights and it is very useful:
https://www.gartner.com/reviews/market/security-awareness-computer-based-training

Software Exploits Overrated - It's The Humans You Need To Be Watching

John Leyden at The Register had an interesting perspective on how the bad guys actually get into your network, based on a new study by US InfoSec firm Praetorian:

The study, based on 100 penetration tests and 450 real-world attacks, found that stolen credentials offer the best way into enterprise networks.

Software vulnerabilities fail to make it into Praetorian's top five:

  1. Weak domain user passwords (a root cause of compromise in 66 per cent of cases).
  2. Broadcast name resolution poisoning (aka WPAD – 64 per cent).
  3. Local administrator attacks (aka Pass the Hash – 61 per cent).
  4. Cleartext passwords stored in memory (aka Mimikatz – 59 per cent).
  5. Insufficient network access controls (52 per cent).

Ninety-seven percent of organizations have more than one root cause of compromise. The practical upshot of the report is that there should be more focus on guarding against stolen credentials and on network segmentation as defenses, rather than playing "whack-a-mole" with software vulnerabilities.

"Social engineering will always be successful to achieve initial access to an organization," Joshua Abraham, practice manager at Praetorian, told The Register: "One percent of employees will always be susceptible to social engineering attacks."

That is true. But most organizations start with 10-20% of their people being Phish-prone. New-school security awareness training is extremely effective in getting that percentage down to just 1%. More:
http://www.theregister.co.uk/2016/08/22/hacker_playbook/

KnowBe4's Field Guide To Macro Warning Screens

Earlier this week we assisted several companies that were hit by ransomware.

Although companies and organizations hit by ransomware can usually pinpoint the source or employee responsible for a ransomware infestation, they often cannot identify the precise attack vector used to compromise the victim's PC. In the two cases we just handled, however, the attack vector used by the bad guys was identified: macro-laden Word documents delivered through phishing emails.

Malicious Macros

Malicious Word documents are depressingly common and are one of the more frequently used vehicles for delivering ransomware to the desktops of unwitting victims. Massive phishing campaigns pushing Locky, Cerber, and Zepto through macro-laden Word docs have become persistent features of the threat landscape.

Despite that fact, we continue to see these malicious Word documents sailing past anti-virus programs on a daily basis. Even more maddening, though, are the regular reminders that users often enough take the bait and click all the way through these ransomware traps. And there's just no excuse for this to be happening, given the number of hurdles that users must surmount before finally unleashing the ransomware on their companies' PCs and networks.

After opening the malicious emails and attached Word documents, users are warned by Word itself in a yellow bar under the main menu bar that the document contains macros (plain text scripts or programs) that have been disabled by default to protect users against the risk of malicious macros.

A Rogues' Gallery

In the interests of teaching users what to look for, we have assembled a small gallery of the most common macro warning screens we've seen used by the bad guys over the past few months. We encourage you to share this gallery with your employees so that they can become more familiar with this common form of social engineering and, most importantly, recognize it when they see it.
https://blog.knowbe4.com/knowbe4s-field-guide-to-macro-warning-screens

Hackers Go And Short A Stock To Force Medical Provider To Fix Critical Bugs

Bloomberg reported that the stock of medical device maker St. Jude dropped 5% on Thursday after a report called for investors to short the company’s stock. Why? Serious security vulnerabilities in the company’s implantable cardiac devices.

Hackers found the flaws and decided to send the company a message that could not be ignored: hit them in the pocketbook. A report from Muddy Waters Research set off a steep sell-off in St. Jude Medical's stock, helping to push down medical stocks overall.

The report cites the “strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years” as a result of “product safety” issues stemming from remotely exploitable vulnerabilities.

Better get ready, the IoT winter is coming:
http://www.bloomberg.com/news/articles/2016-08-25/carson-block-takes-on-st-jude-medical-with-claim-of-hack-risk

Ransomware: The Evolution Of Cybercrime, A Roundtable

"The threat from ransomware continues to grow and the situation will only get darker before mitigation efforts prove reliable and the miscreants move on to another attack vector.

"This was just one of the points made by a panel of four noted cybersecurity experts gathered in midtown Manhattan on Wednesday morning for the Dell Data Security Ransomware Roundtable."

Beyond technological tools, another piece of the defense-in-depth strategy is user education, the panelists agreed. "Cybersecurity has to be considered for all businesses," Hansen said. Helping people become cognizant of making silly errors is key.

"We're seeing more and more companies offering user education," Kaiser said. "It's important."

But, there are caveats. Hansen admitted that even though there is a lot of user education, the vast majority of employees believe that cybersecurity is not their responsibility. "If end-users continue to be the weak link, attackers will continue to exploit the vulnerability and maintain their assaults," he said. More:
http://www.scmagazine.com/ransomware-the-evolution-of-cybercrime-a-roundtable/article/518236/

