CyberheistNews Vol 7 #12
A Single Spear Phishing Click Caused the Yahoo Data Breach
A single click was all it took to launch one of the biggest data breaches ever.
One mistaken click. That's all it took for a Canadian hacker aligned with rogue Russian FSB spies to gain access to Yahoo's network and potentially the email messages and private information of as many as 1.5 billion people.
The U.S. Federal Bureau of Investigation has been investigating the intrusion for two years, but it was only in late 2016 that the full scale of the hack became apparent. On Wednesday, the FBI indicted four people for the attack, two of whom are rogue FSB spies who work for the division that is supposed to cooperate with America’s FBI on cybercrime investigations. (The FSB is the successor of the KGB).
Kremlin Intelligence Services Overlap With Russian Cybercrime Underworld
One of these two rogues, Dmitry Dokuchaev, was himself recently arrested on what the Moscow press calls “treason” charges for passing information to the CIA. In reality, Dokuchaev started out as a criminal hacker who moved to the FSB but never stopped his old tricks. He was just one of the many criminals working inside Russia’s intelligence bureaucracy, and for personal profit he sold information to intermediaries that ultimately found its way to the CIA.
The investigation exposed rivalries inside the Kremlin intelligence establishment as well as inside the Russian cybercrime underworld with which it overlaps. Dokuchaev was part of the Shaltai-Boltai, a hacker group that exploits stolen data to embarrass and blackmail Russian politicians and business officials.
Here's how the FBI says they did it:
The hack began with a spear phishing email sent in early 2014 to a Yahoo company employee. It's unclear how many employees were targeted and how many emails were sent, but it only takes one person to click on a link, and it happened.
Unimaginable that Yahoo did not sufficiently step employees through new-school security awareness training to prevent disasters like this.
It was all over the press, but CSO had the best story about it, with more detail, background and even video:
http://www.csoonline.com/article/3180762/data-breach/inside-the-russian-hack-of-yahoo-how-they-did-it.html
Petya MFT Ransomware Returns, Wrapped in Extra Nastiness
Kaspersky researchers discovered a new variant of last year's Petya Master File Table (MFT) ransomware, with "new and improved" crypto and ransomware models. Remember, MFT ransomware only encrypts the table where access to all files is kept, and does not encrypt the files themselves. It's a very effective way to lock a machine and demand ransom in a few seconds.
Kaspersky's Ivanov and Sinitsyn called the new version “PetrWrap” (because it wraps Petya), which uses the PsExec tool to install ransomware on every workstation and server it can access.
Instead of using the original Petya code, which was cracked last April, “the group behind PetrWrap created a special module that patches the original Petya ransomware 'on the fly'”, the Kaspersky post states. This on-the-fly patching was created to hide the fact that Petya is handling the infection, and PetrWrap uses its own crypto routines.
If the PetrWrap malware coders had stuck with Petya's ransomware-as-a-service model, they would need a Petya private key to decrypt victims' data, but with this new version they can use their own keys.
Once the workstation or server is infected, the victim ends up with the file system's master file table encrypted with a better scheme than the old Petya used. The PetrWrap coders used a tried-and-true, debugged version of Petya's low-level bootloader, ensuring they had "production-quality" criminal software to make sure their infections would be successful.
Scam of the Week: New FBI and IRS Alerts Against W-2 Phishing
(In case you missed our NewsFlash yesterday...)
There is a wave of W-2 phishing attacks going on. We see these coming in through thousands of reported scam attempts via our Phish Alert Button. The FBI and the IRS have repeatedly posted warnings that these attacks have started early and that the volume has gone up significantly this year.
Remember those Nigerian prince emails? They are also called 'Nigerian 419' scams because the first wave of them came from Nigeria. The '419' part of the name comes from the section of Nigeria's Criminal Code which outlaws the practice. Well, those gangs have all "growed up" and they are now behind many of today's W-2 scams. It is surprisingly easy to do a little bit of research and send a spoofed email that looks like it is from the CEO.
These W-2 scams are hitting everywhere, even a cybersecurity contractor was hit with one of these. On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company fell for a W-2 spear phishing attack. Ouch.
Here is a link to the KnowBe4 blog with cut&paste ready copy you can send to your users:
https://blog.knowbe4.com/scam-of-the-week-new-fbi-and-irs-alerts-against-w-2-phishing
Warm Regards,
Stu Sjouwerman
Quotes of the Week
"No act of kindness, no matter how small, is ever wasted." - Aesop - Author (620 - 560 BC)
"Kindness is the language which the deaf can hear and the blind can see." - Mark Twain
Thanks for reading CyberheistNews
Security News
KnowBe4 Live Webinar: Strains of CEO Fraud - Urgent Request for W-2s
Recently, the news has been packed with W-2 phishing and CEO fraud, also known as "Business Email Compromise" attacks, costing companies over 3.4 billion dollars. Per a new “urgent alert” issued by the U.S. Internal Revenue Service, internet criminals have now combined both schemes and at the same time are targeting a much wider range of organizations than ever before.
Join Erich Kron CISSP, Technical Evangelist at KnowBe4, for a live webinar, “Strains Of CEO Fraud: Urgent Request for W-2s”, today, March 21, 2017, at 2:00 PM EDT.
We will look at scary features of the new blended and current threats of W-2 phishing and CEO fraud, give actionable info that you need to prevent infections, and what to do when you are hit.
Erich will cover these topics:
- Latest attack vectors
- Who’s at risk?
- Real world examples of W-2 fraud attacks
- Proven methods of protecting your organization
- How to create a “human firewall”
Mandiant M-Trends 2017: "Cybercrime Skills Now on Par With Nation States"
There was some good news reported in Mandiant's M-Trends 2017 report, but this was heavily outweighed by a lot of very bad news.
Mandiant, which is a FireEye company, found that in 2016 companies are becoming a little better at identifying breaches with the average number of days between being compromised and discovery now at 99 days, down from 146 days in 2015.
However more than 3 months is an eternity on the internet, and cybercrime bad guys can make off with the crown jewels in just a few days. At the same time some cybercriminals have increased their skillset to being comparable to that of a state-level actor. Guess why that is. You got it, they are the very same people. Read the story below about the Yahoo hack and shiver.
In 2016 cybercriminals not only became better at their job, but continued to alter the style of their attacks, becoming more subtle. Mandiant said that in 2013 most attacks against financial institutions were all about getting in and out as quickly as possible with little regard given to whether or not they were discovered.
This began to change in 2014 with a more mature style of attack taking place. By 2016 attackers stepped up to using custom backdoors and further increased the resilience of their command and control infrastructure so as to maintain a presence and counter forensic techniques.
The bad guys in 2016 became not only more sophisticated and aggressive, but also went old school, calling their victims on the phone as part of the social engineering aspect of their scam.
“Perhaps the most unexpected trend we observed in 2016 is attackers calling targets on the telephone to help them enable macros in a phishing document or obtain the personal email address of an employee to circumvent controls protecting corporate email accounts,” the report stated.
“Based on our observations of trends from the past several years, organizations must adopt a posture of continuous cyber security, risk evaluation and defensive adaptation or they risk significant gaps in both fundamental security controls and – more critically – visibility and detection of targeted attacks,” the report recommended.
Part and parcel of that is inoculating employees against social engineering attacks with new-school security awareness training which includes frequent simulated phishing attacks to keep them on their toes with security top of mind.
Download the Mandiant report here:
https://www2.fireeye.com/OFFER-RPT-M-Trends-2017.html
MIT Launches Online Cybersecurity Course for Business Professionals
A growing trend in the cybersecurity industry is rooted in educating everyone about the risks of a cyber attack.
Universities around the world are developing undergrad and graduate degree programs, professional mentors are engaging with high school students, girls are coding. Everyone's getting in on cybersecurity awareness, particularly as it relates to business risk.
That's why MIT is launching a new online course for business professionals titled, Cybersecurity: Technology, Application and Policy. MIT Professor Howard Shrobe, director of cybersecurity and a principal research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), said, "We created this course to tackle the ever-important issue of cybersecurity. Cyber-attacks continue to occur and we are basically stuck in what I often refer to as “cyber hell”, paying this reactive game of catch-up in which bad actors always seem to have the advantage."
The six-week course offers a holistic, comprehensive view of key technologies, techniques and systems. The goal, said Shrobe, is for participants to walk away with a broad understanding of hardware, software, cryptography, and policy to make better, safer long-term security decisions. More:
http://www.csoonline.com/article/3179483/leadership-management/online-cybersecurity-course-targets-business-professionals.html?
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- An Amtrak train pulls into Rhinecliff station in New York, sending a wave of snow onto passengers standing on the platform:
http://www.flixxy.com/amtrak-train-showers-commuters-with-snow.htm?utm_source=4
- You can now watch these declassified nuclear test movies on YouTube:
http://www.theverge.com/2017/3/15/14937904/declassified-nuclear-test-movies-youtube
- Brazilian pilot Fabio Borges impresses the spectators with a skillful demonstration of his delta-wing jet plane:
http://www.flixxy.com/delta-wing-jet-dancing-on-its-tail.htm?utm_source=4
- French-German street-artist Youri Cansell, aka Mantra, paints a superb portrait on a wall using only a spray-can:
http://www.flixxy.com/street-art-a-superb-female-portrait-painted-on-a-wall.htm?utm_source=4
- Talk about a physical security risk. Dang:
http://www.zdnet.com/article/this-weaponized-usb-stick-gets-even-more-dangerous/
- Genki Sudo and his group 'World Order' travel to Nagoya and meet up with female Japanese idol group SKE48 for the 'Singularity' music video:
http://www.flixxy.com/genki-sudo-world-order-singularity.htm?utm_source=4
- Jimmy Fallon's Interview With J.J. Abrams Goes Horribly, Hilariously Wrong -- Watch!:
http://www.msn.com/en-us/tv/news/jimmy-fallons-interview-with-jj-abrams-goes-horribly-hilariously-wrong-watch/ar-BByetW7?li=BBmkt5R&ocid=spartandhp
- Watch Dale Earnhardt Jr. take Mark Zuckerberg for the ride of his life. Starts at 11:20:
https://www.cnet.com/roadshow/news/watch-dale-earnhardt-jr-take-mark-zuckerberg-for-the-ride-of-his-life/
- This one's for the IT Heroes. Great Sophos ad!:
https://www.youtube.com/watch?v=E3gb1x64wzI&t=3s
- For the kids: 'Mischief' the white-necked raven has an amazing talent to mimic any sound he hears. Ravens are considered to be some of the smartest of all animals:
http://www.flixxy.com/raven-talks-like-a-human.htm?utm_source=4
- From the archives: A group of horses laugh uncontrollably at a man's inability to park in this hilarious Volkswagen ad from Germany. Super funny:
http://www.flixxy.com/horses-laugh-hysterically-at-bad-driver-in-funny-vw-commercial.htm?utm_source=4