CyberheistNews Vol 7 #11 [ALERT] New Ransomware Phishing Scheme Lets Wannabe Cybercrims In For Nothing...

CyberheistNews | KnowBe4

CyberheistNews Vol 7 #11
[ALERT] New Ransomware Phishing Scheme Lets Wannabe Cybercrims In For Nothing...

ZDNet reported on a new scheme for aspiring cyber criminals that lets them into the ransomware racket at no cost at all, but at a steep 50/50 split with the people that provide them with the malicious code.

We think that this will not be a major hurdle and that this strain that uses phishing with malicious attachments will take off in the very near future.

This new ransomware operation is providing malicious software to affiliates for nothing in exchange for a big slice of any successful scores. The move represents another evolution in ransomware which could make it an even more dangerous threat, because criminals may be tempted to download it and launch a ransomware campaign as they don't need to part with their cash to do so."

Victims are infected with the Dot ransomware using malicious phishing attachments, which will encrypt their files when they run and open a ReadMe HTML, informing them they need to pay a Bitcoin ransom in order to regain access to their data.

"The simplistic and straight-forward design of Dot ransomware enables just about anyone to conduct cybercrime," warn Fortinet researchers, who predict Dot will soon become a big threat to businesses.

"Although we haven't seen this ransomware in the wild, with the advertisements being made accessible on hacking forums, it's only a matter of time until people start taking the bait."

The scheme reared its ugly head in mid-February and all the user needs to get started is access to the download via the Tor browser and register a Bitcoin address.

Once this is done, the Dot criminal coders allow a download with a getting started guide, including help on which file types to use to distribute ransomware, and hints about the level of ransoms to charge in which countries. They provide a dashboard to keep track of the number and status of infections and the code is designed like normal modern software.

Today, new-school security awareness training is a required step to keep your network secure. If you want to have a quick look at the week in ransomware, check out the March 10 issue at Bleepingcomputer:
SEC Phishing Emails Target Execs for Inside Info

A sophisticated phishing attack is trying to get confidential corporate information. Bad guys are sending spoofed emails claiming to be from the Security and Exchange Commission, and target lawyers, compliance managers, and the very company officials who file documents with the SEC.

Late February 2017, FireEye identified this spear phishing campaign based on multiple similar tools, tactics, and procedures, and have high confidence that this campaign is associated with the financially motivated threat group tracked by FireEye as FIN7.

Spear Phishing Campaign

All of the observed intended recipients of the spear phishing campaign appeared to be involved with SEC filings for their respective organizations. Many of the recipients were even listed in their company’s SEC filings. The sender email address was spoofed as EDGAR <>, the attachment is named “Important_Changes_to_Form10_K.doc”.

First International Cybermafia

John Miller, a director of threat intelligence at FireEye, described the attackers as among "the most sophisticated financial actors" and said their methods were similar to hackers who targeted ATM machines and other parts of the banking system. He also warned the hacking tools they sought to install were particularly insidious.

“It's the Swiss army knife of malware. It lets you do whatever you want to with the compromised system," Miller said. Fin7 is the first international cybermafia, a group of cybercriminals from Russia, Ukraine and other parts of Europe and China. More about which industries are targeted at the KnowBe4 Blog:
KnowBe4's Email Exposure Check Discovers Data Breach

Has your database escaped the building?

You may be aware of the one-time Email Exposure Check (EEC) we can run for you. We find all the email addresses of your domain that are out there and available on the internet. But if *we* can find them, so can the bad guys!

Here's a scary example: An EEC we ran for a customer discovered several of their email addresses listed on a website ending with the file extension '.sql', which led to the discovery of a complete dump of that company's customer's database.

To add insult to injury, it was even indexed by Google. This information was publicly available and had been exposed to the internet for several months. Ouch.

This is the kind of thing that the Email Exposure Check might uncover for you. Apart from the email addresses of your employees and on which (hacker) sites we found these addresses, this constitutes your phishing attack surface.

This is so important that we have a special offer for you. Even if you already ran your one-time no charge EEC, you are eligible for another one! And if you haven't done so already, request your complimentary one-time Email Exposure Check. Find out what your phishing attack surface is. There is no charge. Do it now and we will email you the PDF.

Send Me My Email Exposure Check:

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"You have power over your mind - not outside events. Realize this, and you will find strength."
- Marcus Aurelius - Roman Emperor (121 -180 AD)

"Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment."
- Buddha

"Age is an issue of mind over matter. If you don't mind, it doesn't matter." - Mark Twain

Thanks for reading CyberheistNews
Security News
Verizon: "Most Breaches Trace to Phishing, Social Engineering"

BankInfoSecurity wrote: "Ninety percent of data breaches seen by Verizon's data breach investigation team have a phishing or social engineering component to them. Not coincidentally, one of the hottest commodities on underground or dark web marketplaces are credentials, which attackers can use to log into enterprises and make it appear that they're legitimate users."

"Because organizations don't have multifactor [authentication] rolled out, it makes it trivial to get in," says Chris Novak, director of global investigative response for Verizon, in a discussion about the company's latest Data Breach Digest, a companion report to the company's annual Data Breach Investigations report

In an audio interview with Information Security Media Group at the recent RSA Conference 2017, Novak discusses:

Nitty-gritty details of what organizations go through when they suffer a breach; Organizations' ongoing inability to know where their top assets are and on which systems that data gets stored, especially after merger and acquisition activity; The move by even non-European organizations to comply with the EU's General Data Protection Regulation.

Novak is a co-founder and the director of the Verizon Investigative Response Unit - a division of the Verizon RISK Team. He's also worked as a principal for Cybertrust and a senior security consultant for Ubizen." We recommend you listen to the 10-minute interview here. It's worth it and good ammo:
Phishing: Draining the Corporate Bottom Line

ComputerWorld had a good Op-Ed about the cost of phishing.

"If someone acted on a link or attachment, the time spent can rise exponentially. This usually involves a full incident response process, focused on cleaning up any damage, restoring corrupted files, and investigating the possibility of a data breach. Given that HIPAA requires any such attack be considered a breach until proven otherwise, these organizations must approach the investigation process even more completely.

"Phishing is also a drain on overall organizational workload. Many larger organizations now require annual phishing training. Employees must read outside messages with greater care, and must learn to contact IT when they have a suspected message. The hours all employees of an organization spend on activities related to phishing can add up fast.

"To further complicate the impact on the organization as a whole, there is a constant fear of being a victim of a phishing attack that can slow down normal operations. This fear often leads to employees being reluctant to act on a message that is legitimate. I encountered one such situation this week, by employees who received a message confirming their access to a new system they requested. Multiple users thought it might be phishing. This delayed their accessing the system they needed, and required the operational security team to investigate to confirm its legitimacy.

"According to a study by the Ponemon Institute, the average yearly cost to a 10,000 person company for phishing-related activities is a staggering 3.7 million dollars. This includes an average of 4.16 hours per year wasted by each individual employee dealing with phishing. In my experience, that number is low.""

The article lists a series of best practices that I recommend:

One of these is install a Phish Alert Button for your employees that they can click if they see something suspicious. We have a no-charge download for you here, that works for Outlook, Gmail and Notes:
New Malware Hides in Memory, Uses DNS to Communicate, Spreads Through Phishing

Cisco has a separate threat research group called Talos. They just published a report on a scary new form of malware that’s hard to detect.

They called it DNSMessenger, and the malicious code uses Microsoft PowerShell scripts to hide itself in memory and connect directly with a command & control server using the compromised machine's Domain Name Service port.

It’s distributed through a phishing campaign with a Microsoft Word document attached, trying to look like a known or reputable source. Once the user opens the file, it pretends to be a protected document secured by McAfee Security and asks the user to once again click to view the content that was supposedly in the original file.

As you guessed, the file has no content and the second click instead executes the malicious script hidden in the file, leading to the workstation being compromised.

Here is the new angle that makes it hard to detect. The malicious code does everything in memory, and the second stage is stored in the Alternate Data Stream with the NTFS (standard Windows) file system or directly inside the registry, while a third-stage PowerShell script establishes communications with a command-and-control server via DNS that is used to pass text messages.

Normally, HTTP and HTTPS gateways are monitored by security software, but that's not always the case for DNS, and the hackers know it.

Talos could not yet immediately see what commands are going back and forth: “We were unable to get the C2 (command and control) infrastructure to issue us commands during our testing,” the Talos team said in a blog post Thursday. “Given the targeted nature of this attack, it is likely that the attackers would only issue active C2 commands to their intended target.”

“This malware sample is a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting,” the Talos team added. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.”
Are 60% of SMB Cyberattack Victims out of Business in Six Months?

Adam Janofsky wrote in the Wall Street Journal that U.S. legislators met Wednesday to discuss the direction the federal government should take to help small businesses defend themselves against cyberthreats.

Cybersecurity has become a leading issue for the committee in recent years as small businesses find themselves increasingly under siege from threats such as ransomware and data breaches.

Small companies typically lack the resources to protect themselves against such attacks, and are often seen as easy targets for extortion. A common statistic cited at the Wednesday hearing was that 60% of small businesses that fall victim to a cyberattack go out of business within six months.

A key issue for the House Small Business Committee’s cybersecurity hearing, which included representatives from the Federal Trade Commission and the National Institute of Standards and Technology, was whether there should be a single government entity to oversee cybersecurity resources.

So far, Congress and the White House have taken a piecemeal approach to helping companies defend against cyberthreats, with a number of agencies now playing slight roles.

Charles Rowe, president of America’s Small Business Development Centers, part of the U.S. Small Business Administration, argued that new legislation would quickly grow out of date due to the constantly-evolving nature of cyberthreats.

“I think we’ve got a lot of resources here and I think the biggest problem we have is that they’re not coordinated,” said Mr. Rowe, who suggested there should be a new Cybersecurity Coordinating Committee between agencies like NIST and the FTC. Here is the link to the full article at WSJ:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | Google | YouTube
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Ransomware Has Gone Nuclear Webinar

Get the latest about social engineering

Subscribe to CyberheistNews