CyberheistNews Vol 7 #25 [ALERT] New Fileless, Code-Injecting Ransomware Bypasses Antivirus




CyberheistNews Vol 7 #25
[ALERT] New Fileless, Code-Injecting Ransomware Bypasses Antivirus

Security researchers have discovered a new fileless ransomware in the wild, which injects malicious code into a legitimate system process (svchost.exe) on a targeted system and then self-destructs itself in order to evade detection by antivirus.

The nasty has been called SOREBRECT and unlike more generic "spray-and-pray" ransomware, it has been designed to specifically target enterprise systems in various industries.

SOREBRECT also takes pains to delete the infected system’s event logs and other artifacts that can provide forensic information such as files executed on the system, including their timestamps. These deletions deter analysis and prevent SOREBRECT’s activities from being traced.

This malicious code, after it has taken control of the machine, uses Microsoft’s Sysinternals PsExec command-line utility to encrypt files. I am sure that Mark Russinovich is not happy about this!

Why PsExec?

“PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive login session, or manually transferring the malware into a remote machine, like in RDPs,” Trend Micro says.

SOREBRECT Also Encrypts Network Shares

SOREBRECT also scans the local network for other connected computers with open shares and locks files available on them as well. “If the share has been set up such that anyone connected to it has read-and-write access to it, the share will also be encrypted,” researchers say.

In addition, SOREBRECT uses the Tor network protocol in an attempt to anonymize its communication with its command-and-control (C&C) server, just like almost every other malware.

SOREBRECT Ransomware Spreads Worldwide

According to Trend Micro, SOREBRECT was initially targeting Middle Eastern countries like Kuwait and Lebanon, but from last month, this threat has started infecting people in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S.

This is not the first time when researchers have come across Fileless malware. Two months ago, Cisco's Talos researchers discovered a DNSMessenger attack that was completely fileless and used DNS TXT messaging capabilities to compromise systems.

In February, Kaspersky researchers also discovered fileless malware that resided solely in the memory of the compromised computers, which was found targeting banks, telecommunication companies, and government organizations in 40 countries.

Fileless malware is much harder to detect by antivirus than malware that first lies down a file on disk, and then does its dirty work. Kaspersky said: ""Unfortunately the use of common tools combined with different tricks makes detection very hard. In fact, detection of this attack would be possible in RAM, network and registry only."

What to Do About It

Below the best practices for securing your systems and network against SOREBRECT suggested by TrendMicro.
  • Restrict user write permissions
  • Limit privilege for PsExec
  • Back up files
  • Keep the system and network updated
  • Deploy multi-layered security mechanisms
  • Foster a cybersecurity-aware workforce.
Trend Micro advised: "User education and awareness helps improve everyone’s security posture. Like other malware, ransomware’s points of entry is typically through email and malicious downloads or domains. Organizations should conduct regular training to ensure that employees have a solid understanding of company security policy, procedure, and best practices."

We could not agree more. You need defense-in-depth and a human firewall as your last line of defense. Here is a free job-aid for your employees. It's a single page with the 22 Social Engineering Red Flags. They can print it and pin it to their wall. This is a link to a PDF that is hosted at HubSpot, where our website lives:
https://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf?
Did WannaCry Ransomware Escape North Korean Containment?

Mike Mimoso at Kaspersky's Threatpost blog raised the theory that the ransomware wasn’t contained properly and spread before it was meant to be unleashed.

Malware expert Jake Williams, @MalwareJake on Twitter and founder of Rendition InfoSec, said there are “mind-blowing mistakes” in the ransomware code after an analysis of both the malware and the leaked NSA EternalBlue exploit used to spread the attack.

For starters, the developers used only three Bitcoin addresses for remittance which is by itself amateur hour. However, it's not amateurs behind the WannaCry attack. North Korea is unique among APTs in that the hackers fund themselves and their country through network exploitation and theft.

A Washington Post report cites an internal NSA assessment that connects, with “moderate confidence,” the North Korean government’s Reconnaissance General Bureau to WannaCry.

Williams contends that the developers behind WannaCry failed to properly contain it and the EternalBlue exploit before it was ready to be fully deployed. “The killswitch domain by itself—having a way to turn this off—I totally understand.

It makes perfect sense to want to have that there,” Williams said. “But if you’re going to do that, the killswitch wouldn’t simply accept a 200 status code, basically a success that yes we connected to the domain. This is version 0.0 and never intended to be in the wild. I’m 100 percent sure of that.”

So it’s likely this escaped a test environment hopping from an unpatched test machine to the public internet, and eventually more than 200,000 computers and servers in 150-plus countries.

“They failed to contain it,” Williams said. “When you build something like this, it’s like carrying around Ebola. Pushing Ebola out isn’t hard, it’s harder to keep something like that contained. Full blog post here:
https://blog.knowbe4.com/did-wannacry-ransomware-escape-north-korean-containment
CIA Director Brennan: "Russia's Cyber Capability Increasingly Sophisticated and Not Bound by Law"

I was at the Gartner Security & Risk Management Summit at National Harbor, in DC this week. One of the keynotes was by CIA Director George Brennan, who was sworn in as director of the Central Intelligence Agency on March 8, 2013. As director, he managed intelligence collection, analysis, covert action, counterintelligence and liaison relationships with foreign intelligence services.

Before becoming director, Brennan served at the White House for four years as assistant to the President for Homeland Security and Counterterrorism and helped coordinate the U.S. government’s approach to homeland security, including its policies for responding to terrorism, cyberattacks, natural disasters and pandemics.

Brennan discussed the role of private-public partnerships and the evolving nature of cyber threats and options for protecting mission-critical capabilities as well as our privacy, national security and future prosperity. The presentation covered a lot of ground, and I wanted to highlight just a few items.

"Russia's Intelligence Agencies Not Bound by Law"

First, he explained the cyber threats coming out of Russia, China, Iran and North Korea: "It's a constant barrage of these spear phishing attacks. I think you have all heard about Russia's capabilities over the past year or so, increasingly sophisticated, increasingly capable, and also their intelligence security services are not really bound by law and limits of the law that US agencies are rightly limited by."

"It’s going to take a 9/11 in the cyber realm"

Brennan is urging Americans to encourage federal lawmakers to push forward cybersecurity-focused legislation, regulations and other rules so that the U.S. is better prepared in cyberspace. “You all need to continue to put the pressure on your elected representatives in Congress to take this matter seriously,” Brennan said.

“People frequently say it’s going to take a 9/11 in the cyber realm in order for us as a country to be able to come to terms and deal more effectively with cyber challenges. A lot of work needs to be done in the halls of Congress, as well as in the executive branch, in order to allow the government to deal with the challenges of the 21st century,” he said.

“The next Pearl Harbor will be cyber,”

An example of this is Sen. Angus King (I-Maine) who is sponsoring federal legislation that would require utilities to have manual-control capabilities. “The next Pearl Harbor will be cyber,” he said. “It’s a cheap way to attack. No bombers or submarines needed.” U.S. officials say it is possible that malware, including BlackEnergy, still lurks in American utility networks. There is no federal requirement that it be rooted out. Much more needs to be done.

There is something that can be done about this now

The vast majority of these attacks start with phishing emails. KnowBe4's integrated training and phishing platform allows you to send fully simulated phishing emails so you can see which users answer the emails and/or click on links in them or open infected attachments. If you have a Platinum subscription you can even send them "vishing" attacks straight to the phone on their desk.
See a demo: https://info.knowbe4.com/kmsat-request-a-demo
See Me on Video at the NYSE Cyber Investing Summit Pitching KnowBe4

The CyberWire wrote: Pitches: Innovation from Young Companies

The Pitch Panel was the Cyber Investing Summit's fast round of innovation pitches, moderated by Allegis's Bob Ackerman and Wells Fargo's Rich Baich.

The pitches were interactive conversations as much as they were the sort of high-concept company introductions familiar from, for example, Shark Tank.

KnowBe4 and the Creation of the Human Firewall

CyberWire reported: "Stu Sjouwerman, CEO of KnowBe4, presented his company's approach to creating what he called "the human firewall," effective training to protect employees against social engineering attacks. This is the sort of approach Kevin Mitnick, KnowBe4's Chief Hacking Officer, had earlier called "inoculation."

Ackerman asked an obvious question about training. How do you make it stick? Do you shame employees with their results. Sjouwerman thought that was exactly the wrong use of training: "No--that's no way to a security culture," and training is effective if and only if it leads to the formation of a healthy security culture.

Begin by establishing a baseline graph of employee susceptibility to social engineering. If the training is effectively conducted, you see over time the success of phishing go down." More at:
https://thecyberwire.com/events/2017-cyber-investing-summit/pitches-innovation-from-young-companies.html#sthash.caJcK539.dpuf

And here is a video of yours truly at the New York Stock Exchange during the Pitch Panel:
https://info.knowbe4.com/hubfs/Q&A.mp4

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"The greater danger for most of us lies not in setting our aim too high and falling short; but in setting our aim too low, and achieving our mark." - Michelangelo - Sculptor, Painter,
Architect, Poet and Engineer (1475 - 1564)

"When it is obvious that the goals cannot be reached, don't adjust the goals, adjust the action steps."
- Confucius



Thanks for reading CyberheistNews
Security News
Southern Oregon University Lost $1.9 Million Due to CEO Fraud

Mail Tribune reported that Southern Oregon University is just the latest victim of CEO fraud (which the FBI calls Business Email Compromise or BEC) after hackers used social engineering to trick university employees into transferring money into one of the bad guys-controlled bank accounts.

University officials announced on Wednesday that in late April, they wired $1.9 million to what they thought was Andersen Construction, a contractor they had hired to construct a pavilion and student recreation center. However, the construction company reported three days later that they never received their payment.

A recent FBI Public Service Announcement about fraudsters targeting universities and their students appears to have been issued due to the SOU case.

The FBI PSA explains how many universities are frequently engaged in large construction projects that require regular and very large electronic payments. If criminals can identify which construction companies are involved (which is normally very easy), it's a matter of sending spear phishing emails that use social engineering and spoofed emails to target individuals responsible for making payments.

The FBI describes in further detail how this type of BEC happens:
  • The scammer, posing as an established vendor, sends an e-mail to the university’s accounting office with bank account changes to be used for future payments.
  • Typically, it is an individual purporting to be from a construction company with which the university has an existing business relationship.
  • The scammer often spoofs the actual e-mail address of the company with a similar domain. For example, if the actual domain is abcbuilders.com, the scammer might register and use abcbuilders.net to send the e-mail.
  • The university sends their next payment to the scammer’s bank account, and the money is often unrecoverable by the time the university realizes they have been the victim of fraud.
Southern Oregon University spokesman Joe Mosley couldn't share specifics as to exactly how SOU fell prey to the fraud. The university says there is a process in place for vendors to change their bank account numbers.

“We received a briefing by FBI that there have been 78 different attacks at institutions and some of those were universities,” said Mosley. “We’re not alone.”

That couldn't be more true. Last year, CEO fraud was a $5.3 billion business according to data reported to the FBI. No industry is immune to falling into cybercriminals' crosshairs. Firms like Leoni AG, a cable manufacturer and FACC AF, an aerospace company are among thousands of victims of the crime in 2016.

SOU is cooperating with the FBI in their ongoing investigation. Stepping high-risk employees like HR and Accounting through new-school security awareness training prevents disasters like this.
ICO Less Likely to Issue Fines for Data Breaches If They Show Staff Training

The UK's Information Commissioner's Office has said that in the event of a data breach it would be less likely to issue a monetary penalty to charities which had taken “reasonable steps” to prevent it, including staff training. This may very well also be true in America in the near future.

When asked whether the Information Commissioner would be more likely to fine organisations who could not show evidence that at least 80 per cent of its staff were trained in data protection, a spokeswoman for the ICO said it would take “full account of the facts” in any investigation.

“In deciding whether it is appropriate to impose a monetary penalty and in determining the amount of that penalty, the commissioner will take full account of the facts of the contravention and of any representations made to her,” said the ICO spokeswoman.

“That includes whether or not ‘reasonable steps’, such as staff training, were taken to prevent the contravention.”

The comment came after Civil Society News learnt that organisations in the charity sector have been briefed that the ICO would be more likely to fine an organisation in the event of a data breach if it could not show that at least 80 per cent of its staff had been given specific data protection training.

'Would make no difference for serious breaches'

Tim Turner, a data protection trainer and consultant, told Civil Society News that this has been the case for a while, even if it’s not been made public by the ICO. He said however, if the data breach in question is serious enough, the amount of trained staff “may make no difference”.

“If there is another obvious breach – like a lack of encryption, or poor or absent procedures - it may make no difference," he said. "But having trained the large bulk of staff is part of building a case that it was an unavoidable accident, where someone makes a mistake.”

Anjelica Finnegan, policy and research manager at Charity Finance Group, said the ICO has not made clear what it considers these “reasonable steps” to be, and called on the ICO to ensure that any judgement “take that charity’s individual situation into account”.

“The statement issued by the ICO makes clear that the Commissioner wants evidence that organisations are doing what they can to protect the personal data that they store. What has not been made clear is how the ICO will determine what constitutes reasonable steps, or what they consider training to be.

“It is important, that the Information Commissioner does not go into investigate a data breach with an unrealistic expectation of what they would see as sufficient training for staff.

“The ICO must ensure that any judgement on a data breach within a charity takes the charity's individual situation into account - this includes the charity's income and resources, including the number of paid staff and volunteers." Full article:
https://www.civilsociety.co.uk/news/ico-less-likely-to-issue-fines-for-data-breaches-if-organisation-s-can-evidence-staff-training.html
Top UK University Under 'Ransomware' Cyber-Attack

The university describes it as a "ransomware" attack, such as last month's cyber-attack which threatened NHS computer systems.

The attack was continuing on Thursday morning, with access to online networks being restricted. The university has warned staff and students of the risk of data loss and "very substantial disruption".

University College London (UCL) is a "centre of excellence in cyber-security research", a status awarded by the GCHQ intelligence and monitoring service.

The central London university, ranked last week in the world's top 10, says that a "widespread ransomware attack" began on Wednesday, using so-called "phishing" emails, with links that would download destructive software.
http://www.bbc.com/news/education-40288548#
Cybersecurity Spend: ROI Is the Wrong Metric

Rick Howard, CSO wrote at CSOonline: "Think about what your network defenders do throughout the day, every day, in the course of getting their jobs done. Can you describe it in one sentence? How would you characterize the thousands of tasks that the InfoSec team fields every day?

For the past few years, my role at Palo Alto Networks has included traveling around the world to talk with board members and C-level executives, and it’s been a fascinating educational experience. Our conversations mostly revolve around cybersecurity strategy, and what I’ve learned is that everybody has a different take on how to defend an organization against cyber adversaries.

One question that inevitably comes up is: “How much money should I spend on security?” In an attempt to benchmark and evaluate their own spend, some will ask, “What are other organizations like mine spending?” Others want to know how to calculate the return on investment (ROI) for their security spend.

These questions are common, but they indicate a fundamental misunderstanding about how to evaluate the efficacy of a cybersecurity program, and a misguided approach to resourcing for them. Rather than focus on ROI, I advise executives and board members to focus on network defender first principles." More:
http://www.csoonline.com/article/3200270/network-security/cybersecurity-spend-roi-is-the-wrong-metric.html
Make Cyber Security Personal for Employees, Says CISO

Howard Solomon at ITWorld Canada wrote: "With people arguably the weakest point in an organization’s cyber defenses, security awareness training is a hot topic for CISOs.

But what’s the most effective security awareness strategy: The carrot or the stick?

At TMX Group. which runs the Toronto Stock Exchange and the TSX Venture Exchange, the answer is a subtle carrot.

“My overall goal is to make security personal,” CISO Bobby Singh told the RiskSec Toronto conference this week. “The intention is to get users to understand how to protect corporate data as they protect their financial data in their personal life.”

While the organization looks for security champions outside the IT department, does phishing simulations four times a year – having one-on-one meetings with offenders who repeatedly click on bad links in the tests – and occasional ‘lunch and learn’ sessions, the focus of awareness training has shifted.

“Instead of talking to users about protecting corporate data we’re talking about how to protect their financial data – what multifactor authentication looks like, how it should be done, how do you know what your kids are talking about on SnapChat … and we’re hoping that while doing the personal stuff the transition of behavior will come into the corporate side.”

But, he admitted, “at the end of the day some of the behavior gets changed [only] when you have a risk/reward model attached to certain behaviors.”
http://www.itworldcanada.com/article/make-cyber-security-personal-for-employees-says-ciso/394046

NOTE: Phishing your employees only 4 times a year does not work. You need to send them at the very least once a month, twice is even a little better.
Other Interesting News Items This Week

Ulster University Also Suffered Ransomware Outage This Week:
https://www.infosecurity-magazine.com/news/ulster-university-also-suffered/

Jaff Ransomware Decryption Tool Released – Don't Pay, Unlock Files for Free:
http://thehackernews.com/2017/06/jaff-ransomware-decryption-tool.html

Compromised websites redirecting tech support scam hosted on numeric domains:
https://www.grahamcluley.com/compromised-websites-redirecting-tech-support-scam-hosted-on-numeric-domains/

Texas is the Top Target for Ransomware:
https://www.infosecurity-magazine.com/news/texas-is-the-top-target-for/

CIA reportedly hacked Wi-Fi routers for years:
https://www.cnet.com/news/cia-reportedly-hacked-wi-fi-routers-for-years-wikileaks/

Here are the May new training modules released, with an indication on the subscription levels which give access to these modules:
https://blog.knowbe4.com/knowbe4-may-2017-new-training-modules-released
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
FOLLOW US ON: Twitter | LinkedIn | Google | YouTube
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.



Subscribe To Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews