CyberheistNews Vol 6 #43 Who Is Learning How To Take Down The Internet?



CyberHeist News CyberheistNews Vol 6 #43
Who Is Learning How To Take Down The Internet?
Stu Sjouwerman

It was all over the news. A sustained DDoS attack that caused outages for a large number of web sites Friday was launched with the help of hacked “Internet of Things” (IoT) devices. Jeff Jarmoc tweeted: "In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters." True words, that.

Early Friday morning someone trained their DDoS attack on Dyn, an Internet infrastructure company that provides critical DNS technology services to major websites. The attack immediately created problems for internet users of Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.

This outage was similar to the recent record 620 Gbps (!) DDoS attack on IT security reporter Brian Krebs' site, caused by the Mirai botnet which consists of hacked IoT devices — mainly compromised digital video recorders and IP cameras made by a Chinese hi-tech company called XiongMai Technologies.

The components that XiongMai makes are sold downstream to vendors who then use it in their own products. All credentials are hardcoded in the firmware and cannot be changed. This is a very dangerous practice and we need laws against this ASAP.

Who Is Learning How to Take Down the Internet?

Last month, IT security Guru Bruce Schneier caused waves when he wrote that someone -- probably a country -- was learning how to take down the internet:

"Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.

These attacks are not new: hackers do this to sites they don't like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it's a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins."

It's either a large country, or these two other scenarios:

1) Someone tried to extort DYN and when they did not cough up the dough, they decided to show them what they could unleash.

2) Anonymous and/or other hacktivists decided to flex their virtual muscle and show netizens they are still a force to be reckoned with. Either way is disconcerting.

Hmmm. What can you do about this?

Well, not much. But don't put any of your own critical command & control infrastructure like managing chemical plants, water treatment or power plants in a position where they require the internet to function.

However, and this is something all of us can do, set up redundant DNS providers so that when one is under attack you can shut it down and let other DNS services take over.

Know This Secret Of The Net: One Big Buggy Beta

Guys, I have been saying this for years now:
https://blog.knowbe4.com/bid/252437/the-secret-of-the-net-one-big-buggy-beta

Most people look at me surprised when I tell them the internet is still in beta, but it's true.

Vint Cerf, the father of the Internet said so himself. He was quoted in the book Fatal System Error: "My thought at the time, thirty-five years ago, was not to build an ultra-secure system, because I could not tell if even the basic ideas would work. We never got to do the production engineering."

If you know software development jargon, that means it remained in beta... and -has- been up to now. The protocols they built at the time focused on fault tolerance, they simply were not built for security and the net is one big buggy beta. Unfortunately, the bad guys know this full well, and are exploiting it to the limit.

What this all means is that Web security is fundamentally broken.

You need defense in depth. All six layers need to be in force and controlled within an inch of their lives, starting with your users as your first line of defense, because the bad guys are going after your users first. Keeping them on their toes with security top of mind is a must these days.

The bad guys most often use social engineering to get into a target network. New-school security awareness training is a must to create a human firewall which is your first line of defense, on top of all existing security software layers.

Get a quote and be pleasantly surprised how affordable this is for your organization. Let us know how many users you have and we'll get you a quote:
https://info.knowbe4.com/kmsat_get_a_quote_now-chn

The New Poster Boy Of CyberInsecurity: John Podesta Fell For Social Engineering Attack

Motherboard has a great article explaining just how Podesta, Chairman of the 2016 Hillary Clinton presidential campaign got hacked. (Podesta previously served as Chief of Staff to President Bill Clinton and Counselor to President Barack Obama.)

The man fell for social engineering: a Google credentials phish -- one of the most common phishes that we see in the Phish Alert Button emails that customers send us. The article includes some great screenshots of emails used to hack several other public figures.

In Podesta's case the bad guys used a bit.ly link -- something else we see all the time. And the landing page for the credentials phish probably looked something like this example (see blog).

It is a textbook example of how John Podesta became a Cyber-Insecurity poster child:

  • Using a terrible password to begin with
  • Re-using that password for multiple sites/accounts
  • Sharing the password with assistants
  • Asking an assistant to email him his password when he forgot it
  • Not turning on two-factor authentication
  • Not changing passwords after one account was known to be compromised

Don't be that guy and train your users within an inch of their lives to not be "that guy" either! Blog post with links and screenshots:
https://blog.knowbe4.com/the-new-posterboy-of-cyberinsecurity-john-podesta-fell-for-social-engineering-attack

The New KnowBe4 Ransomware Simulator Is A Smash Hit: Thousands Downloaded

KnowBe4 has been working hard on something brand new, and it's a smash hit. Just this last week alone, thousands of IT pros downloaded it and tested their defenses.

Bad guys are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 5 ransomware infection scenarios and show you if a workstation is vulnerable to infection. RanSim is complimentary; there are no costs.

This will take you 5 minutes at best, and may give you some insight you never expected!

Download RanSim here, and tell your IT Pro friends. This is a cool new tool:
https://info.knowbe4.com/ransomware-simulator-tool-1chn

Want to know more before you download? Here is the "How It Works" technical background and FAQ in our Zendesk tech support section:
https://knowbe4.zendesk.com/hc/en-us/articles/229040167

If you find that your AV is not blocking any of the 5 scenarios, you can discuss the possible consequences with your peers at KnowBe4's Hackbusters forum in the Ransomware topic. We look forward to seeing you on KnowBe4's exciting new online community. Join us at:
https://discuss.hackbusters.com

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Before all else, be armed."- Niccolò Machiavelli

"Si vis pacem, para bellum". Translated: "If you want peace, prepare for war."
- a Latin adage


Thanks for reading CyberheistNews


Security News
A Slick Phish With A Hidden Surprise

Yesterday one of our customers was hit with a highly targeted phishing attack -- one of the slicker attacks we've seen in a while. Once we started digging into it, though, what we found was even more surprising.

The Phish Email

This customer, which happens to be in the banking industry, received several identical phishing emails that appeared to be specially crafted to fool employees into thinking they were being directed by the bank's own IT staff to install an official security update from Microsoft.

Notice that the email purports to originate from a member of the bank's IT department, who is forwarding to employees a copy of an email he received from Microsoft. This use of framing is a clever ploy to lend legitimacy to what is, in fact, a fake Microsoft email. In other words, employees are being asked to take the word of a member of the bank's IT staff that the fake Microsoft email is actually legitimate and trustworthy.

Read the whole blog post with screenshots and the reveal who was behind it:
https://blog.knowbe4.com/a-slick-phish-with-an-hidden-surprise

A Worrisome Milestone In The Evolution Of Ransomware

Michael Gillespie tweeted: "Whew! ID #Ransomware can now identify 200 ransomware families. :) Sad such a milestone was hit so quickly..." He added a list from the MalwareHunterTeam site, that gets added to dynamically.

Well, if you look at other malware statistics, this is still not even a drop in the bucket. There are millions of virus strains out there so just give it (a little bit of) time to reach the 1,000 ransomware strain count. Unfortunately this is going to be an exponential graph because more and more it will be fully automated, enterprise strength criminal malware creating more strains in an effort to evade detection.

Competing cybercrime mafias show the increasing commoditization of crypto-locking malware and the need for black hat developers to differentiate their wares in what is now an increasingly crowded marketplace.

Kaspersky Labs estimates that between April 2015 and March 2016, there were more than 715,000 ransomware victims worldwide, or an increase of 5.5 times over the preceding 12-month period.

BankInfoSecurity reported that efforts to block the bad guys are ramping up but are still in their infancy. The new European public-private "No More Ransom" project, launched July 2016, reports this week that at least 2,500 ransomware victims were able to download the portal's no-charge decryptor tools.

That was mainly for minor strains like CoinVault, WildFire and Shade, avoiding paying around one 1 million in ransoms, happy project organizers say. However, that's just 0.35 percent of the total number of ransomware victims seen from April 2015 to March of this year.

No More Ransom launched as a joint venture between the Dutch National Police and Europol, as well as security firms Kaspersky Lab and Intel Security, a.k.a. McAfee.

Since then, law enforcement agencies from these 13 countries have also signed up: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.

Would be nice to see a similar initiative in North America as well!

But for now, every organization is going to be exposed to this type of cyber harassment that is part of a simmering internet cold war between the US, Russia and China.

Tech Support: Story About How We Got Hit

A reader sent us this real story: "We were hacked and hit about 2 weeks ago. Someone in Accounting used her network workstation to browse for a bank to setup a Health Savings Account. She made a mistake by using the wrong PC as she has a wireless non-network unit at her desk that she was supposed to use for e-mail and internet web browsing.

She also typed the domain name incorrectly, which that took her to a domain squatting "Bear Trap" web site designed to look as a web login page for the real bank she was looking for.

She apparently used her e-mail address as her login name. Once she made a connection a nefarious browser screen appeared telling her that if she touched any key, her computer would be erased. She was also instructed to call a telephone number for repairs.

She followed company policy and immediately disconnected the computer from the network, then I was called. I examined her Chrome browsing history and checked on the sites with a Whois lookup. That site resides in the PRC Central Hacking Agency in Guangdong, China.

These are the same people that hacked the US Govt. OPM records and took the complete data on government and active duty military employees. When I arrived on site I was able to do a system restore on her Win10Pro workstation. No further damage seemed apparent at the time, but the original hack was just a prelude of what was to come out of China.

Since our bookkeeper used her e-mail address, The PRC knew that our domain was ---.net and that they had a financial account to attack. The next day we were notified by our web host service provider that the GPU usage was off the charts. They attacked our website, invaded an older copy of WordPress.

They made various changes to our site that forced us to take the whole site off line. The GPU usage in our web host server rose to over 32,000,000 hits and rising. We are still without a web page as this denial of service attack continues.

I am thankful that at least the damage is confined to our Web site. Our web site is just a Yellow Pages dump of static information. It could have been a more damaging ransomware attack. This damage is ongoing."

-- Name withheld to protect the innocent.

This is the kind of problem that can be avoided by new-school security awareness training.

Preventing And Responding To A Healthcare Ransomware Infection

The healthcare industry is a major target for ransomware infections. Expert Ernie Hayden explains how organizations can take steps to prevent and respond to these attacks.

Healthcare organizations are no stranger to cyberattacks, as private health information has become a valuable commodity for hackers. But the threat of a ransomware infection can go beyond a conventional data breach and cause a hospital's operations, for example, to grind to a complete halt.

The first article in this series described the threat of ransomware attacks and explained what it means for healthcare organizations. This article offers advice to those organizations on how to prevent and respond to ransomware infections. Good write-up at TechTarget (registration required):
http://searchsecurity.techtarget.com/tip/Preventing-and-responding-to-a-healthcare-ransomware-infection#.WAj8V1W-8Es.email

Flipping Security Awareness Training

DARKReading has a great article about how you can turn around awareness training into a great tool to better reduce risk for the organization.

"With threats on the rise from both inside and outside organizations, security has become a high priority for the C-suite and the board. Those at the top recognize they need certain types of security technologies to protect the business.

But the IT teams who actually buy and implement those products (and the rest of the employees who are required to use them) might not be aware of the broader security needs of the business. To better reduce risk for the company, the organization as a whole must look at the full picture to identify what problem needs to be fixed, establish a baseline, execute a solution, and measure success and progress.

Today, everyone is a target, which makes it crucial for every employee, regardless of team or job function, to be responsible for understanding security business objectives and staying current on security best practices. These company-wide security awareness tips will help do that."

Great article to add to a budget request for new-school awareness training:
http://www.darkreading.com/endpoint/flipping-security-awareness-training/a/d-id/1327250


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff




Subscribe To Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews