CyberheistNews Vol 7 #18 May 1st Northrop Grumman Can Make a Stealth Bomber – but Falls for W-2 Phishing Attack





US military contractor Northrop Grumman notified their employees that hackers managed to gain access to their W-2 tax records.

As The Register just reported, the makers of America’s stealth bomber acknowledged in a letter sent to employees and the California Attorney General’s office that hackers infiltrated its online portal at various times over the course of almost a year, gaining access to workers’ W-2 paperwork for the 2016 tax year.

"The personal information that may have been accessed includes your name, address, work email address, work phone number, Social Security number, employer identification number, and wage and tax information, as well as any personal phone number, personal email address, or answers to customized security questions that you may have entered on the W-2 online portal."

During tax season, internet criminals race to submit tax refund requests using the stolen W-2 data, tricking the IRS into issuing a fraudulent refund in the name of the victim whose tax data was stolen.

Hackers Used Stolen Credentials

Many larger organizations outsource W-2 management to third party firms, and Equifax Workforce Solutions which ran the tax portal on behalf of Northrop Grumman, says that it does not believe that hackers got into its systems by exploiting a vulnerability, but instead used a legitimate user’s stolen login details.

Bad Guys Could Fly Under the Radar for More Than a Year

Meaning... the bad guys targeted a high-risk employee, sent them a spear phishing attack, obtained their credentials and could fly under the radar for more than a year. Epic Fail.

In response to the attack, Northrop Grumman says it has disabled access to the W-2 portal, except from its own network. The company says it is also working with law enforcement agencies as they continue to investigate a spate of similar attacks targeting W-2 data.

Dozens of well-known organizations have fallen for CEO Fraud attacks targeting their staff’s W-2 data. Some employee groups filed class-action lawsuits against their own company when their W-2 information was stolen.

You have got to have systems in place to protect employee personal data. Don’t be that guy, and put protective measures such as multi-factor authentication in place to reduce the chances of an attacker compromising important online accounts.
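
As an added example (not from the newsletter, Northrop Grumman or Equifax), here is the kind of check a defender can run over W-2 portal access logs to catch the pattern described above: a stolen but valid login used from outside the company network and pulling many employees' records. The log format, IP ranges, account names and threshold are all constructed assumptions.

```python
"""Detection logic for a W-2 self-service portal, run over constructed
access-log lines (assumed format; not any real company's logs). Flags two
patterns consistent with a stolen login: access from outside the corporate
network, and one account viewing many different employees' W-2 records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Corporate egress ranges (assumed); anything else is unexpected once the
# portal is restricted to the company network.
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
# One account viewing more distinct employees' W-2s than this is flagged
# (threshold is a policy choice, not a published value).
MAX_DISTINCT_W2_PER_ACCOUNT = 3

# Constructed log lines: timestamp account source_ip action employee_id
SAMPLE_LOG = """\
2017-02-01T09:12:03Z jdoe 10.4.2.17 VIEW_W2 emp-1001
2017-02-01T09:14:41Z jdoe 10.4.2.17 VIEW_W2 emp-1001
2017-02-03T22:05:09Z hrtemp 198.51.100.23 LOGIN -
2017-02-03T22:06:30Z hrtemp 198.51.100.23 VIEW_W2 emp-1001
2017-02-03T22:06:52Z hrtemp 198.51.100.23 VIEW_W2 emp-1002
2017-02-03T22:07:15Z hrtemp 198.51.100.23 VIEW_W2 emp-1003
2017-02-03T22:07:40Z hrtemp 198.51.100.23 VIEW_W2 emp-1004
2017-02-04T08:30:00Z asmith 203.0.113.9 VIEW_W2 emp-2200
"""

def parse_log(text):
    """Yield (timestamp, account, ip, action, employee) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield tuple(line.split())

def is_corporate(ip):
    return any(ip_address(ip) in net for net in CORP_NETWORKS)

def analyze(log_text):
    """Return (sorted external (account, ip) pairs, {account: employee ids})."""
    external = set()
    viewed = defaultdict(set)
    for _ts, account, ip, action, employee in parse_log(log_text):
        if not is_corporate(ip):
            external.add((account, ip))
        if action == "VIEW_W2":
            viewed[account].add(employee)
    bulk = {a: sorted(e) for a, e in viewed.items()
            if len(e) > MAX_DISTINCT_W2_PER_ACCOUNT}
    return sorted(external), bulk

if __name__ == "__main__":
    external, bulk = analyze(SAMPLE_LOG)
    for account, ip in external:
        print(f"external access: {account} from {ip}")
    for account, emps in bulk.items():
        print(f"bulk W-2 viewing: {account} viewed {len(emps)} records")
```

Either signal alone is worth an alert; both together on one account, as in the constructed data, is the year-long quiet access the article describes.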

America Ponies Up: Ransomware Payments Rise to 1,077 Dollars Per Infection

America was the victim of 34 percent of global ransomware infections in 2016, while only being 4.4 percent of the world's population.

The "why" is clear; a whopping 64 percent of Americans are willing to pay to get their files back, as opposed to only 34 percent of victims worldwide, per Symantec's 2017 Internet Security Threat Report.

Surprisingly, Symantec's results show that paying the ransom is no guarantee: just 47 percent of global victims who paid up in 2016 reported getting their files back. That is in direct contradiction with our own experience, where we helped dozens of victims with a 95% successful return of all their files.

Note, these were organizations at their wit's end who found us on the internet and needed help to get their files back after an employee opened an infected attachment, not existing KnowBe4 customers calling us about our Ransomware Guarantee.

Newly discovered ransomware families jumped last year from 30 in 2015 to 101 in 2016. The number of new variants of existing ransomware code, however, dipped. “It suggests that more attackers are opting to start with a clean slate by creating a new family of ransomware rather than tweaking existing families by creating new variants,” the report said.

Infections of consumers at home accounted for 69 percent, but Symantec found that some attackers are executing more sophisticated attacks against businesses, where they silently penetrate the network, move laterally and then encrypt all machines at the same time.

The ransoms themselves also skyrocketed, climbing 266 percent last year, from an average of 294 dollars in 2015 to 1,077 dollars in 2016, helped by a Bitcoin price of over 1,300 dollars at the time of this writing. The report also showed that attackers have begun customizing individual ransom demands based on the type of data and the volume of files that were encrypted.

Symantec Report Confirmed by Verizon, SANS and NTT

Verizon's vendor-neutral 2017 Data Breach Investigations Report (in which KnowBe4 participated as a data source) found that ransomware levels in 2016 were up 50 percent over 2015 figures. Verizon also found that the types of attacks targeting organizations vary from sector to sector. For instance, manufacturing has the lowest median DDoS level, but the highest level of espionage-related breaches.

The SANS 2016 Threat Landscape survey reported: "Phishing and spearphishing were among the top ways threats enter organizations, which set up a perfect storm for ransomware to blossom. 75% of threats entered via email attachment, 46% malicious link. User education alone is not sufficient. At a corporate level, perimeter protections, including email screening and next-gen firewalls can reduce the volume of malware that can trip up an end user. From there, the endpoint needs every advantage to remain secure - behavior based malware detection, whitelisting, access control and appropriate network segmentation."

The growing threat was further confirmed by more research, NTT Security's 2017 Global Threat Intelligence Report, which found that 22 percent of all global incident engagements were related to ransomware, more than any other category of attack.

Of the ransomware attacks observed via NTT Security's intelligence network, 77 percent were concentrated among four industries – business and professional services (28 percent), government (19 percent), health care (15 percent), and retail (15 percent).

Half of all incidents affecting health care organizations involved ransomware. “This may indicate that attackers have identified health care institutions as a vulnerable target more willing to pay ransom than other sectors,” their report noted.

We strongly recommend phishing your own users to prevent these types of very expensive snafus. If you're wondering how many people in your organization are susceptible to phishing, here is a complimentary phishing security test (PST):
https://info.knowbe4.com/phishing-security-test-chn

The KnowBe4 blog has graphs and links to PDF's of the mentioned reports:
https://blog.knowbe4.com/america-ponies-up-ransomware-payments-rise-to-1077-per-infection

Facebook and Google Were Victims of 100 Million-Dollar Phishing Scam

We have been reporting on this massive Cyberheist for a while now, but Fortune Magazine decided to unleash their investigative reporters and find out exactly who those two mysterious high-tech companies were that got snookered for a whopping 100 million dollars.

It is excellent ammo to send to C-level executives to illustrate the urgent need to train employees so they can recognize red flags related to spear phishing.

Here is how the Fortune story starts:

"When the Justice Department announced the arrest last month of a man who allegedly swindled more than 100 million dollars from two U.S. tech giants, the news came wrapped in a mystery. The agency didn’t say who was robbed, and nor did it identify the Asian supplier the crook impersonated to pull off the scheme.

The mystery is now unraveled. A Fortune investigation, which involved interviews with sources close to law enforcement and other figures, has unearthed the identities of the three unnamed companies plus other details of the case.

The criminal case shows how scams involving email phishing and fake suppliers can victimize even the most sophisticated, tech-savvy corporations. But the crime also raises questions about why the companies have so far kept silent and whether—as a former head of the Securities and Exchange Commission observes—it triggers an obligation to tell investors about what happened.

The Massive Phishing Heist

In 2013, a 40-something Lithuanian named Evaldas Rimasauskas allegedly hatched an elaborate scheme to defraud U.S. tech companies. According to the Justice Department, he forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business. The point was to trick companies into paying for computer supplies.

The scheme worked. Over a two-year span, the corporate impostor convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over 100 million dollars in payments, which he promptly stashed in bank accounts across Eastern Europe."

Read the whole story here:
http://fortune.com/2017/04/27/facebook-google-rimasauskas/

TV Coverage here:
http://www.cnbc.com/2017/04/27/facebook-and-google-were-victims-of-a-100-million-dollar-phishing-scam-fortune.html

Don’t Miss The May Live Demo: Simulated Phishing and Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, May 10, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
    • NEW Social Engineering Indicators patent-pending technology turns every simulated phishing email into a tool IT can use to instantly train employees.
    • NEW Access to the world's largest library of awareness training content through our innovative Module Store.
    • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
    • Active Directory Integration allows you to easily upload, sync and manage users, set-it-and-forget-it.
    • Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how 9,000+ organizations have mobilized their end-users as their last line of defense.

Register Now: https://attendee.gotowebinar.com/register/2522614307877554691

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"It is easy to hate and it is difficult to love. This is how the whole scheme of things works. All good things are difficult to achieve; and bad things are very easy to get." - Confucius, Philosopher (551 - 479 BC)

"Hatred paralyzes life; love releases it. Hatred confuses life; love harmonizes it. Hatred darkens life; love illuminates it." - Martin Luther King Jr.



Thanks for reading CyberheistNews

Security News
How Your Company Needs to Train Workers in Cybersecurity

Survey finds workers still violate security policies to remain productive. This is a great article that shows instituting a new-school security awareness program significantly drives down the percentage of incidents.

"With workplace cyberattacks on the rise, industry experts are pressing businesses to train their workers to be more vigilant than ever to protect passwords and sensitive data and to recognize threats.

“It is imperative for organizations of all sizes to instill among employees the critical role they play in keeping their workplace safe and secure,” said Michael Kaiser, executive director of the National Cyber Security Alliance, a group that promotes education on the safe and secure use of the internet. The group's members include such major technology companies as Cisco, Facebook, Google, Intel and Microsoft."

Here is the full story:
http://www.computerworld.com/article/3192346/security/how-your-company-needs-to-train-workers-in-cybersecurity.html

And here are the First Quarter top-clicked non-social media phishing tests put into a nice graphic by SC Media. You could send this in an email to your employees:
https://media.scmagazine.com/documents/295/phishingtest1_73667.pdf

US Dept of HHS Hits CardioNet with 2.5M HIPAA Settlement Fine

DarkReading wrote: "The US Department of Health and Human Services penalized CardioNet with a 2.5 million dollar settlement fee, after a data breach exposed health data on 3,610 CardioNet clients, according to a resolution agreement reached between the parties this month.

An arm of HHS launched a federal investigation, which found indications that CardioNet failed to set security procedures in place to prevent, detect, contain, and correct security violations, as well as conduct risk analysis to determine potential vulnerabilities and risks. The company also appeared to have lacked security policies and procedures to move electronic media and hardware in and out of its facilities, such as ensuring media was encrypted, according to the agreement."

This is a good story which shows how a data breach caused huge fines because CardioNet failed to meet, and to demonstrate that it met, the mandatory requirements of HIPAA. It boils down to this: they miserably failed to put the required controls in, had a data breach because of it, and got hit hard.

But How Do You Keep Track of These Hundreds of HIPAA Controls?

Here is a great way to get through audits in half the time and at half the cost. The KnowBe4 Compliance Manager (KCM) simplifies the complexity of getting compliant and eases your burden of staying compliant year round:
    • Quick Implementation with Compliance Templates - Pre-built requirements templates for the most widely used regulations like HIPAA.
    • Enable Users to Get the Job Done - You can assign responsibility for controls to the users who are responsible for maintaining them.
    • Dashboards with Automated Reminders - Quickly see what tasks have been completed, not met, and past due. With automated email reminders, your users can stay ahead of any gaps in compliance.

25K Per Year for KCM or 2.5Mil in Fines?

See for yourself how you can minimize the busy work associated with audits and HIPAA compliance, and how easy this becomes using KCM. Request a demo:
https://www.knowbe4.com/demo_kcm

Full story at DarkReading:
http://www.darkreading.com/endpoint/hhs-hits-cardionet-with-$25m-hipaa-settlement-fee/d/d-id/1328742?

Are Ransomware Infections a Data Breach?

While we are discussing healthcare and compliance, there is regulatory movement towards determining that ransomware infections are in fact a data breach. Knowing that ransomware accounted for 72% of healthcare malware attacks in 2016, we strongly suggest you take action. Here are the numbers:
http://www.healthcareitnews.com/news/ransomware-accounted-72-healthcare-malware-attacks-2016

Report: We’ll Know Antivirus Is Dead When It Goes Quiet

The Security Ledger wrote: "In-brief: antivirus software may go out with neither a bang nor a whimper – but utter silence. That’s if the trend towards cyber criminal actors using file-less malware continues, according to a new report.

Successful attacks on endpoints that resulted from malicious executable files declined between November and August 2016 by 9% (55% to 46%) while so-called “in memory” attacks that do not place files on the infected system more than doubled, from 7% of attacks to 16%, SentinelOne reported in the company’s Enterprise Risk Index report. The data represent a trend towards more ephemeral attacks that are also harder to detect, the company said."

Full Story:
https://securityledger.com/2017/04/report-well-know-antivirus-is-dead-when-it-goes-quiet

Other Interesting News Items This Week

We often run into articles that may be good ammo to support budget requests, but we cannot cover them all. Here are this week's possibly useful articles:

Nearly Three-Quarters of UK Universities Are Phishing Victims:
https://www.infosecurity-magazine.com/news/nearly-three-quarters-of-uk-unis/

Analysis of 85K Remote Desktop Hacks Finds Education, Healthcare Top Targets:
https://securityledger.com/2017/04/analysis-of-85k-rdp-hacks-finds-education-healthcare-top-targets/

Blind Trust in Email Could Cost You Your Home:
https://krebsonsecurity.com/2017/04/blind-trust-in-email-could-cost-you-your-home/

FIN7 Hackers Change Phishing Techniques:
http://www.securityweek.com/fin7-hackers-change-phishing-techniques
Note: .lnk files are essentially a pointer to an executable (.exe) file.

New MacOS Malware, Signed With Legit Apple ID, Found Spying On HTTPS Traffic:
http://thehackernews.com/2017/04/apple-mac-malware.html

NoTrove threat actor delivering millions of scam ads:
https://www.helpnetsecurity.com/2017/04/26/notrove-scam-ads/

BrickerBot, the permanent denial-of-service botnet, is back with a vengeance:
https://arstechnica.com/security/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.