CyberheistNews Vol 7 #37
Ransomware Can Destroy Backups in Four Ways 
I just found a very interesting blog post by Jerome Wendt, President & Lead Analyst of DCIG, Inc., an independent storage analyst and consulting firm.
He started out with "The prevailing wisdom is that if you back up your data you can recover from a ransomware attack. While this premise generally holds true, simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack. Here are three techniques that ransomware may use to circumvent existing backups and make your “good” backups bad." I have added number 4 at the end as a bonus.
And then he described three bad guy tactics to ruin your backups:
"To counter this risk, many look to backup software as their primary means to recover from these attacks. But as ransomware takes aim at backup software, organizations need to take a fresh look at their backup software to make sure that it has the right set of features to counter these newest forms of ransomware attacks to ensure they have a verifiable path to recovery."
Excellent advice!
I just found a very interesting blog post by Jerome Wendt, President & Lead Analyst of DCIG, Inc., an independent storage analyst and consulting firm.
He started out with "The prevailing wisdom is that if you back up your data you can recover from a ransomware attack. While this premise generally holds true, simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack. Here are three techniques that ransomware may use to circumvent existing backups and make your “good” backups bad." I have added number 4 at the end as a bonus.
And then he described three bad guy tactics to ruin your backups:
- Finding and encrypting backups on network file shares. Many backup products backup data to file shares accessible over corporate networks. Further, many organizations use the default directory name created by these backup products to store these backups. The default names of these directories are readily accessible in the documentation published by backup providers. Some creators of ransomware have figured this out. As part of their malware that find and encrypt data on production servers, they also probe corporate networks for these default backup directories and encrypt the backups in these directories. In so doing, they increase the possibility that companies cannot recover from backups.
- Hacking the backup software’s APIs. A number of enterprise backup software products offer their own application programming interface (API). Using these APIs, organizations can write to them to centralize backup and recovery under their broader data center management platform. However, ransomware creators can also access these published APIs for nefarious purposes and used them to corrupt and/or encrypt existing backup.
- Plant a ransomware “time bomb.” To date, when ransomware encrypts a company’s data, the encryption generally occurs as soon as or shortly after it gets onto the corporate network. However, ransomware continues to evolve and mature and, as it does so, it grows both more patient and more insidious. Rather than encrypting data as soon as it breaches the corporate firewall, it begins to infect the data but does not immediate encrypt it. Then, only after days, weeks, or months go by and this infected data has been backed up for months does it initiate the encryption of the corporate data. In many respects, this is the worst type of ransomware attack. Not only is all of a company’s production data encrypted, the company thinks it has “good” backups and when it goes to restore the data, the restored data encrypts as well because it was infected when it was backed up. This may make it almost impossible for an organization to determine when it was initially infected and which of their backed up data they can reliably and confidently restore.
- Delete your Shadow copies. You know about this one, several major strains have been doing this for a few years now, and are constantly improving this part of their malicious code.
"To counter this risk, many look to backup software as their primary means to recover from these attacks. But as ransomware takes aim at backup software, organizations need to take a fresh look at their backup software to make sure that it has the right set of features to counter these newest forms of ransomware attacks to ensure they have a verifiable path to recovery."
Excellent advice!
Bromium: "Large Enterprises Spend Nearly 300K Per Year on SecurityAwareness Training." Really?
Security company Bromium put out a press release asking publicly: "Large Enterprises Spend Nearly 300K Per Year On Security Education, So Why Are Endpoint Attacks More Successful Than Ever?"
Oooh, I like this one! It is so full of holes I don't know where to start... :-D
Here is what they said: "Bromium®, Inc., the pioneer and leader in virtualization-based enterprise security that stops advanced malware attacks, today released new research which found the cost of security education for large enterprises is at an all-time-high of 290,033* dollars per year per organization, and that user education is rocketing up the CIO’s priority list.
"Yet despite those investments, the end user remains the greatest risk to the organization’s security from targeted zero-day and nation state threats to common ransomware and phishing attacks.
They continued with:
"The research is based on a survey of 500 CIOs from large enterprises in the US (200), UK (200) and Germany (100). Key research findings include:
https://blog.knowbe4.com/large-enterprises-spend-nearly-300k-per-year-on-security-education.-really
(You can also download this as a PPT file from the blog)
Simon Crosby, CTO for Bromium lent himself for this PR fluff and was quoted saying: “While end users are often the easiest target for hackers, the idea that they should be ‘the last line of defense’ for a business is simply ridiculous. The fact is, most employees are focused on getting their jobs done, and any training will go out the window if a deadline is looming.”
Our comment: That is exactly the attitude that has made social engineering so successful. It's the faulty fixed idea that you "cannot patch a stupid user". Well, guess what, with the right training... you can to a very large degree. More than 13,000 KnowBe4 customers demonstrate this year after year.
And then comes the most hair-raising statement of the release: “Insanity is doing the same thing over and over again and expecting different results, yet this is exactly what businesses are doing by piling time and money into education.”
With that statement, they just alienated 94% of the CIOs out there. Umm, aren't these the people you are selling to? Moreover, it implicitly assumes that training does not work. Nothing could be farther from the truth. KnowBe4 is growing so fast because our customers tell their friends in IT that it really works, is surprisingly affordable, and it's actually fun to phish your own users!
I'm not copying the whole release. You can have a good chuckle and read it here. They also explain who did the research and how they did their (faulty) math. Very entertaining.
https://globenewswire.com/news-release/2017/09/14/1121075/0/en/Large-Enterprises-Spend-Nearly-300K-Per-Year-On-Security-Education-So-Why-Are-Endpoint-Attacks-More-Successful-Than-Ever.html
Security company Bromium put out a press release asking publicly: "Large Enterprises Spend Nearly 300K Per Year On Security Education, So Why Are Endpoint Attacks More Successful Than Ever?"
Oooh, I like this one! It is so full of holes I don't know where to start... :-D
Here is what they said: "Bromium®, Inc., the pioneer and leader in virtualization-based enterprise security that stops advanced malware attacks, today released new research which found the cost of security education for large enterprises is at an all-time-high of 290,033* dollars per year per organization, and that user education is rocketing up the CIO’s priority list.
"Yet despite those investments, the end user remains the greatest risk to the organization’s security from targeted zero-day and nation state threats to common ransomware and phishing attacks.
They continued with:
"The research is based on a survey of 500 CIOs from large enterprises in the US (200), UK (200) and Germany (100). Key research findings include:
- 99 percent of CIOs see users as ‘the last line of defense’ against hackers. This means the burden of securing the enterprise has shifted to user education and often stringent policies and procedures that limit teams’ ability to get work done and puts a tremendous amount of personal responsibility on the end user.
- Based on an average of seven hours of cybersecurity training per employee, large enterprises waste 290,000 dollars per year.
- Skilled employees in HR, legal, IT and risk departments spend an additional 276 hours a year helping to arrange and deliver in-house training.
- Most businesses (90 percent) have used external consultants for over three days (27 hours) a year to review and advise on security policies and procedures.
- 94 percent of CIOs have pushed for increased investment in user education following recent headlines around phishing and ransomware.
- 99 percent of CIOs correctly see users as the "last line of defense" because all in-place security systems (all filters) have failed and the threat sits in the end-user's inbox. In all of its roughly 25 years, endpoint security (antivirus) has not been able to effectively protect workstations and is in fact getting worse. The correct thing to blame is antivirus, and Bromium should position against that, not end-user training.
- A whopping 7 hours of training? Where did that number come from? What are they doing all that time? It's totally unreal. Employees in organizations that use KnowBe4 for awareness training spends about 1-2 hours a year max, and often much less than that. They spend maybe 2 seconds to think before they click when they spot some red flags in emails, that's all.
- "Skilled employees in HR, legal, IT and risk departments spend an additional 276 hours a year helping to arrange and deliver in-house training"... Really? This type of employee costs about 80 bucks an hour, so that means 22,080 dollars in costs. You can outsource your whole 2,000-user awareness training program to KnowBe4 for less than that.
- "Most businesses (90 percent) have used external consultants for over three days (27 hours) a year to review and advise on security policies and procedures." Now you are talking about real waste, That type of advice comes free, provided by your KnowBe4 Customer Success rep who helps you with your onboarding process as part of the service.
- "94 percent of CIOs have pushed for increased investment in user education following recent headlines around phishing and ransomware." For good reason! A recent Gartner analysis shows this is the #1 thing CIOs are pushing for. Why? All existing security layers are bypassed by social engineering and no software can protect against that, despite what Bromium's PR claims.
https://blog.knowbe4.com/large-enterprises-spend-nearly-300k-per-year-on-security-education.-really
(You can also download this as a PPT file from the blog)
Simon Crosby, CTO for Bromium lent himself for this PR fluff and was quoted saying: “While end users are often the easiest target for hackers, the idea that they should be ‘the last line of defense’ for a business is simply ridiculous. The fact is, most employees are focused on getting their jobs done, and any training will go out the window if a deadline is looming.”
Our comment: That is exactly the attitude that has made social engineering so successful. It's the faulty fixed idea that you "cannot patch a stupid user". Well, guess what, with the right training... you can to a very large degree. More than 13,000 KnowBe4 customers demonstrate this year after year.
And then comes the most hair-raising statement of the release: “Insanity is doing the same thing over and over again and expecting different results, yet this is exactly what businesses are doing by piling time and money into education.”
With that statement, they just alienated 94% of the CIOs out there. Umm, aren't these the people you are selling to? Moreover, it implicitly assumes that training does not work. Nothing could be farther from the truth. KnowBe4 is growing so fast because our customers tell their friends in IT that it really works, is surprisingly affordable, and it's actually fun to phish your own users!
I'm not copying the whole release. You can have a good chuckle and read it here. They also explain who did the research and how they did their (faulty) math. Very entertaining.
https://globenewswire.com/news-release/2017/09/14/1121075/0/en/Large-Enterprises-Spend-Nearly-300K-Per-Year-On-Security-Education-So-Why-Are-Endpoint-Attacks-More-Successful-Than-Ever.html
This Week's Five Most Popular Hackbusters Posts
There is an enormous amount of noise in the security space, so how do you know what people really talk about and think is the most important topic? Well, we created the Hackbusters site for that.
Hackbusters grabs feeds from hundreds of security sites, blogs and other sources. We track which topics are most liked, shared, retweeted and favored, and we built an algorithm that bubbles up the -real- hot topics.
Here are a few of this week's most popular Hackbusters posts:
http://www.hackbusters.com/
And while you are there, check out the Hackbusters Community!
The KnowBe4 Hackbusters forum was established to facilitate online discussions in information security, industry best practices and the ever growing threat from hackers around the world. The forum boasts a vendor-neutral tech friendly atmosphere, whereby members can openly discuss hot button issues and other topics such as social engineering, ransomware and phishing, to name a few.
See what your peer are talking about! Please register or Login to join in the discussions.
https://discuss.hackbusters.com/top
There is an enormous amount of noise in the security space, so how do you know what people really talk about and think is the most important topic? Well, we created the Hackbusters site for that.
Hackbusters grabs feeds from hundreds of security sites, blogs and other sources. We track which topics are most liked, shared, retweeted and favored, and we built an algorithm that bubbles up the -real- hot topics.
Here are a few of this week's most popular Hackbusters posts:
- Beware of vulnerability found in Bluetooth
- Equifax Releases New Information About Security Breach as Top Execs Step Down
- Ransomware Can Destroy Backups in Four Ways
- Russian hacker was forcibly kept in Czech asylum
- Equifax- or the new gold standard for “how not to do Incident Response”!
http://www.hackbusters.com/
And while you are there, check out the Hackbusters Community!
The KnowBe4 Hackbusters forum was established to facilitate online discussions in information security, industry best practices and the ever growing threat from hackers around the world. The forum boasts a vendor-neutral tech friendly atmosphere, whereby members can openly discuss hot button issues and other topics such as social engineering, ransomware and phishing, to name a few.
See what your peer are talking about! Please register or Login to join in the discussions.
https://discuss.hackbusters.com/top
Live Webinar: Your Organization Through the Eyes of an Attacker
Attackers follow a number of paths as they search for entry-points into your organization. In this webinar, we'll show you easy ways to stalk and attack your organization to improve security. This will be a practical session providing a high-level overview of the theory/practices used, and then showing you how to simulate those same tactics using both free and subscription-based aspects of KnowBe4’s platform.
Join security awareness expert Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4 and former Gartner Research Analyst for this 30-minute webinar “Your Organization Through the Eyes of an Attacker” on Tuesday, September 26, 2017, at 2:00 PM EDT.
Perry will cover these topics:
https://register.gotowebinar.com/register/8084556552263745539
Attackers follow a number of paths as they search for entry-points into your organization. In this webinar, we'll show you easy ways to stalk and attack your organization to improve security. This will be a practical session providing a high-level overview of the theory/practices used, and then showing you how to simulate those same tactics using both free and subscription-based aspects of KnowBe4’s platform.
Join security awareness expert Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4 and former Gartner Research Analyst for this 30-minute webinar “Your Organization Through the Eyes of an Attacker” on Tuesday, September 26, 2017, at 2:00 PM EDT.
Perry will cover these topics:
- Understanding the attacker's workflow
- Selecting targets and entry points
- How to create your own 'Red Team' activities using KnowBe4 as part of a penetration testing initiative and/or to promote a culture of security awareness
https://register.gotowebinar.com/register/8084556552263745539
let's stay safe out there!
Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.
Quotes of the Week
"Dwell on the beauty of life. Watch the stars, and see yourself running with them." - Marcus Aurelius - Roman Emperor (121 -180 AD)
"The future belongs to those who believe in the beauty of their dreams." - Eleanor Roosevelt
Thanks for reading CyberheistNews
"The future belongs to those who believe in the beauty of their dreams." - Eleanor Roosevelt
Thanks for reading CyberheistNews
Security News
Trend Micro: CEOs Are the Most Spoofed
Trend Micro researchers reported that cybercriminals spoofed the CEO email address the most, with CFOs and finance directors being the top attack targets.
In their 2017 Midyear Security Roundup: The Cost of Compromise report, Trend Micro said cybercriminals continued to use schemes such as bogus invoices or supplier swindles, and employ keylogger malware or HTML pages in phishing emails to spoof employees.
Trend Micro revealed that CFOs were targeted the most by the 3,000-plus instances of CEO fraud aka Business Email Compromise (BEC), followed by other employees charged with handling financially sensitive information.
The United States received the majority of attempted BEC attacks, with 30.96 percent, followed by Australia, with 27.4 percent. The United Kingdom was the target for 22.46 percent of BEC, with Norway and Canada targeted substantially less, at 4.88 percent and 3.43 percent, respectively.
"Employee training on common BEC methods goes hand in hand with a holistic security solution in defending enterprises from a variety of BEC attacks," Trend Micro said. "From small businesses to large corporations, enterprises can become unwitting victims in the multibillion-dollar scam that is BEC."
Trend Micro researchers reported that cybercriminals spoofed the CEO email address the most, with CFOs and finance directors being the top attack targets.
In their 2017 Midyear Security Roundup: The Cost of Compromise report, Trend Micro said cybercriminals continued to use schemes such as bogus invoices or supplier swindles, and employ keylogger malware or HTML pages in phishing emails to spoof employees.
Trend Micro revealed that CFOs were targeted the most by the 3,000-plus instances of CEO fraud aka Business Email Compromise (BEC), followed by other employees charged with handling financially sensitive information.
The United States received the majority of attempted BEC attacks, with 30.96 percent, followed by Australia, with 27.4 percent. The United Kingdom was the target for 22.46 percent of BEC, with Norway and Canada targeted substantially less, at 4.88 percent and 3.43 percent, respectively.
"Employee training on common BEC methods goes hand in hand with a holistic security solution in defending enterprises from a variety of BEC attacks," Trend Micro said. "From small businesses to large corporations, enterprises can become unwitting victims in the multibillion-dollar scam that is BEC."
Can Your Domain Be Spoofed?
Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO fraud", penetrating your network is like taking candy from a baby.
Would you like to know if hackers can spoof your domain? KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. It's quick, easy, and often a shocking discovery.
Find out now if your email server is configured correctly, our tests over the last 2 years show that 82% of servers fail to handle spoofed emails correctly. Get your Domain Spoof Test:
https://info.knowbe4.com/domain-spoof-test-chn
Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO fraud", penetrating your network is like taking candy from a baby.
Would you like to know if hackers can spoof your domain? KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. It's quick, easy, and often a shocking discovery.
Find out now if your email server is configured correctly, our tests over the last 2 years show that 82% of servers fail to handle spoofed emails correctly. Get your Domain Spoof Test:
https://info.knowbe4.com/domain-spoof-test-chn
VEVO Data Breach Caused by LinkedIn Phishing Attack
A Vevo spokesperson told Gizmodo that the company “can confirm that Vevo experienced a data breach as a result of a phishing scam via LinkedIn. We have addressed the issue and are investigating the extent of exposure.”
The OurMine hacker squad has claimed responsibility for the breach. They also hijacked WikiLeaks’ DNS, took over HBO’s Twitter account, and last year they took over Mark Zuckerberg’s Twitter and Pinterest accounts.
Vevo is a joint venture between Universal Music Group, Sony Music Entertainment, Abu Dhabi Media, Warner Music Group, and Google’s parent company Alphabet Inc. Over 3 TB worth of internal files have been posted online, and a couple of the documents reviewed by Gizmodo appear sensitive.
OurMine typically uses social engineering to hack people because, well, it can. The group’s primary goal is demonstrating to companies that they have weak security. In this case, the hackers managed to compromise an employee account for Okta, the single sign-on workplace app.
And again, this is a textbook example of how stepping employees through new-school security awareness training can prevent horrendous cost, lost time, and class-action lawsuits. Full story at Gizmodo:
http://gizmodo.com/welp-vevo-just-got-hacked-1813390834/amp
A Vevo spokesperson told Gizmodo that the company “can confirm that Vevo experienced a data breach as a result of a phishing scam via LinkedIn. We have addressed the issue and are investigating the extent of exposure.”
The OurMine hacker squad has claimed responsibility for the breach. They also hijacked WikiLeaks’ DNS, took over HBO’s Twitter account, and last year they took over Mark Zuckerberg’s Twitter and Pinterest accounts.
Vevo is a joint venture between Universal Music Group, Sony Music Entertainment, Abu Dhabi Media, Warner Music Group, and Google’s parent company Alphabet Inc. Over 3 TB worth of internal files have been posted online, and a couple of the documents reviewed by Gizmodo appear sensitive.
OurMine typically uses social engineering to hack people because, well, it can. The group’s primary goal is demonstrating to companies that they have weak security. In this case, the hackers managed to compromise an employee account for Okta, the single sign-on workplace app.
And again, this is a textbook example of how stepping employees through new-school security awareness training can prevent horrendous cost, lost time, and class-action lawsuits. Full story at Gizmodo:
http://gizmodo.com/welp-vevo-just-got-hacked-1813390834/amp
U.S. Govt Orders Purge of Kaspersky Products From its Networks
WASHINGTON (Reuters) - The Trump administration on Wednesday told U.S. government agencies to remove Kaspersky Lab products from their networks, saying it was concerned the Moscow-based cyber security firm was vulnerable to Kremlin influence and that using its anti-virus software could jeopardize national security.
In a statement, Kaspersky Lab rejected the allegations, as it has done repeatedly in recent months, and said its critics were misinterpreting Russian data-sharing laws that only applied to communications services. The whole story is at the KnowBe4 blog, with some observations at the end:
https://blog.knowbe4.com/u.s.-govt-orders-purge-of-kaspersky-products-from-its-networks
WASHINGTON (Reuters) - The Trump administration on Wednesday told U.S. government agencies to remove Kaspersky Lab products from their networks, saying it was concerned the Moscow-based cyber security firm was vulnerable to Kremlin influence and that using its anti-virus software could jeopardize national security.
In a statement, Kaspersky Lab rejected the allegations, as it has done repeatedly in recent months, and said its critics were misinterpreting Russian data-sharing laws that only applied to communications services. The whole story is at the KnowBe4 blog, with some observations at the end:
https://blog.knowbe4.com/u.s.-govt-orders-purge-of-kaspersky-products-from-its-networks
Interesting News Items This Week
Fears of Cybersecurity Threats Increase Projected to Ignite the Market:
http://www.financialbuzz.com/fears-of-cybersecurity-threats-increase-projected-to-ignite-the-market-876782
Antivirus is particularly bad at catching ransomware, one of the biggest new threats that companies face:
https://www.csoonline.com/article/3215866/endpoint-protection/the-best-enterprise-antivirus-kaspersky-leads-in-latest-tests.html
Metacert’s Paul Walsh on ICOs, phishing, and the future of fake news:
https://techcrunch.com/2017/09/14/metacerts-paul-walsh-on-icos-phishing-and-the-future-of-fake-news/
New wave of Aussie phishing scams impersonate AFP, Telstra, ATO, Spotify and GoVia:
https://www.arnnet.com.au/article/627325/fresh-phishing-campaigns-impersonate-afp-telstra-ato-spotify-govia/
NIST Releases the Second Public Draft of Special Publication (SP) 800-125A, Security Recommendations for Hypervisor Deployment is now available for public comment:
https://beta.csrc.nist.gov/publications/detail/sp/800-125A/draft
Fears of Cybersecurity Threats Increase Projected to Ignite the Market:
http://www.financialbuzz.com/fears-of-cybersecurity-threats-increase-projected-to-ignite-the-market-876782
Antivirus is particularly bad at catching ransomware, one of the biggest new threats that companies face:
https://www.csoonline.com/article/3215866/endpoint-protection/the-best-enterprise-antivirus-kaspersky-leads-in-latest-tests.html
Metacert’s Paul Walsh on ICOs, phishing, and the future of fake news:
https://techcrunch.com/2017/09/14/metacerts-paul-walsh-on-icos-phishing-and-the-future-of-fake-news/
New wave of Aussie phishing scams impersonate AFP, Telstra, ATO, Spotify and GoVia:
https://www.arnnet.com.au/article/627325/fresh-phishing-campaigns-impersonate-afp-telstra-ato-spotify-govia/
NIST Releases the Second Public Draft of Special Publication (SP) 800-125A, Security Recommendations for Hypervisor Deployment is now available for public comment:
https://beta.csrc.nist.gov/publications/detail/sp/800-125A/draft
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- Bugatti Chiron World Record: Zero to 400 kilometers/hour to Zero in 42 Seconds. Holy $#!+, I want one! Watch it until the end, after the credits:
http://www.flixxy.com/bugatti-chiron-world-record-zero-400kmh-zero-42-seconds.htm?utm_source=4
- Awesome women and girls doing amazing gymnastics, wakesurfing, skydiving, rock climbing, juggling, soccer, bicycling, hoola-hoop, archery, skating and more:
http://www.flixxy.com/girls-are-awesome-2017.htm?utm_source=4
- Find out how The Flat 3rd Dimension, The Ames Room, Following Eyes, The Dress, Yes-No and other illusions can mess with your perception:
http://www.flixxy.com/10-mind-blowing-optical-illusions.htm?utm_source=4
- From the archives:: Amazing Optical Illusion. This optical illusion has the Internet baffled. How can these two tracks be of the same size?
http://www.flixxy.com/amazing-optical-illusion.htm?utm_source=4
- And another classic: A wooden ball plays Bach’s Cantata 147 in a forest just by rolling down a track. The sound you hear is the sound that was recorded during filming. Very crafty!:
http://www.flixxy.com/musical-wood.htm?utm_source=4 - Man's best friend makes our life more awesome! Super fun dog tricks:
http://www.flixxy.com/dogs-make-life-more-awesome.htm?utm_source=4
