CyberheistNews Vol 7 #04
[ALERT] USB Sticks Could Infect Your Network With New Spora Ransomware Worm
The new Spora ransomware strain has now been dissected by more malware researchers and the team from G Data discovered that Spora uses an "innovative" way to spread itself via USB sticks. This strain is highly sophisticated and could become the "New Locky".
Spora has well-implemented encryption procedures that do not need a Command & Control server, a user-friendly payment site, choice of different “packages” that victims can opt for including immunity from future attacks, and Ransomware-as-a-Service capability.
Infection vector is email attachment with HTA file
Spora arrives as a ZIP email attachment containing an HTA file with obfuscated VBScript code.
Once the user falls for the social engineering tactic and opens the ZIP and the HTA inside it, the HTA file writes a JScript file called close.js to disk and executes it.
The JScript file in turn is a dropper for a Word document and an .exe file, both of which are written to disk and opened by close.js. The document is opened by Word or WordPad, but an error message is shown because the file is corrupt. Meanwhile back at the ranch, the .exe that was run, which has a seemingly random name hardcoded in the dropper, contains the actual payload.
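Here is what that chain looks like to a detection rule, as an added example that is not code from the article or from G Data: one script host (for the HTA) spawning a second script host (for close.js), which then launches an executable from a user-writable directory. The process records are constructed for the demo; that .hta files execute under mshta.exe and .js files under wscript.exe or cscript.exe is this example's assumption, not something the article states, and the random-looking executable name is made up.

```python
"""Flag the HTA -> JScript -> dropped-executable chain in process-creation data.

Added example, not code from the article. Records are simplified
(pid, ppid, image) dicts as a Sysmon- or EDR-style feed would provide them.
Assumptions of this example: .hta files execute under mshta.exe and .js files
under wscript.exe or cscript.exe; anything launched from a user-writable
directory below such a chain is worth a look.
"""

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Path fragments (lower-cased, backslash-delimited) that a normal user can write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed sample: explorer -> mshta (the .hta) -> wscript (close.js) ->
# Word plus an executable with a made-up random-looking name in %TEMP%.
SAMPLE = [
    {"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe"},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\wscript.exe"},
    {"pid": 400, "ppid": 300, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"pid": 500, "ppid": 300, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\bkQ3t1.exe"},
    # Benign control: an installer run directly from Explorer, no script hosts above it.
    {"pid": 600, "ppid": 100, "image": "C:\\Users\\alice\\Downloads\\setup.exe"},
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Image basenames from the process itself up to the root, nearest first.
    Stops on an unknown parent or a cycle (pid reuse can produce one)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        record = by_pid[pid]
        chain.append(basename(record["image"]))
        pid = record["ppid"]
    return chain


def suspicious_dropper_chains(records):
    """Return [(pid, ancestor_chain)] for every process that
    (a) runs from a user-writable path, (b) is not itself a script host, and
    (c) has at least two distinct script hosts among its ancestors."""
    by_pid = {r["pid"]: r for r in records}
    hits = []
    for r in records:
        image = r["image"].lower()
        if not any(fragment in image for fragment in USER_WRITABLE):
            continue
        if basename(image) in SCRIPT_HOSTS:
            continue
        ancestors = ancestry(by_pid, r["pid"])[1:]
        hosts = {name for name in ancestors if name in SCRIPT_HOSTS}
        if len(hosts) >= 2:
            hits.append((r["pid"], ancestors))
    return hits


if __name__ == "__main__":
    for pid, chain in suspicious_dropper_chains(SAMPLE):
        print(f"pid {pid}: launched under {' <- '.join(chain)}")
```

Only the dropped executable (pid 500) is reported; the Word process, which sits under the same chain, runs from Program Files and is left alone, and the installer started straight from Explorer has no script hosts above it. Requiring two distinct script hosts keeps an ordinary logon script that starts a program from triggering the rule.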
Spora exhibits worm-like behavior using .LNK files
Ransomware that behaves like a worm has been spotted before with the ZCryptor strain, which uses the old autorun.inf, but Spora goes further than that, borrowing new technology from other malware which uses Windows shortcuts (.LNK files) instead.
Spora sets the hidden attribute on files and folders on the desktop, in the root of USB drives and in the root of the system drive. With the default folder options, these hidden files and folders are no longer visible.
Spora then creates Windows shortcuts (.LNK files) with the same name and icon as the hidden files and folders. Those .LNK files open the original file or folder, so nothing looks wrong to the user, but at the same time they execute the malware, and the worm copies itself as a hidden file alongside the .LNK files.
Simply navigating through the folders on your system or desktop by double-clicking will execute the worm. Using this strategy, it will not only spread to USB thumb drives, it will also encrypt newly created files on the system. Anyone bringing a USB stick to the office is now a possible ransomware infection vector: they may have been infected at home or on the road, or they found a USB stick and want to return it to the owner.
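The file-system side of that trick is easy to check for, because it leaves a very specific layout behind: a visible X.lnk next to a hidden X in the same directory. The following is an added example, not code from G Data or KnowBe4. The `find_shadowed_lnks()`, `scan_directory()` and `Finding` names are this example's own, the USB root listing is constructed, and the hidden executable name in it is made up; the hidden attribute is read through Python's Windows-only `st_file_attributes` field, so on other systems `scan_directory()` sees nothing hidden and reports nothing.

```python
"""Detect the .LNK "shadowing" trick: a visible shortcut X.lnk sitting next to
a hidden original X (file or folder) in the same directory.

Added example, not G Data's or KnowBe4's code. find_shadowed_lnks() works on a
plain (name, hidden) listing so it can be exercised on any OS with constructed
data; scan_directory() feeds it a real directory, reading the Windows hidden
attribute, which Python only exposes on Windows (elsewhere nothing is hidden
and the scan reports nothing).
"""
import os
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file-attribute bit for "hidden"


@dataclass(frozen=True)
class Finding:
    directory: str
    shortcut: str   # the visible .lnk the user will double-click
    shadowed: str   # the hidden original whose name and icon it borrows


def is_hidden(path):
    """True if the Windows hidden attribute is set; False where unavailable
    (non-Windows Python has no st_file_attributes) or the path is unreadable."""
    try:
        attributes = os.stat(path).st_file_attributes  # Windows-only field
    except (AttributeError, OSError):
        return False
    return bool(attributes & FILE_ATTRIBUTE_HIDDEN)


def find_shadowed_lnks(entries):
    """entries: iterable of (name, hidden) for ONE directory.

    Returns [(shortcut, shadowed)] in listing order. Matching is
    case-insensitive like NTFS. A visible X beside a visible X.lnk is an
    ordinary shortcut and is not reported, nor is a hidden X with no shortcut.
    """
    entries = list(entries)
    hidden = {name.casefold(): name for name, hid in entries if hid}
    findings = []
    for name, hid in entries:
        if hid or not name.casefold().endswith(".lnk"):
            continue
        original = hidden.get(name[:-4].casefold())
        if original is not None:
            findings.append((name, original))
    return findings


def scan_directory(directory):
    """Apply find_shadowed_lnks() to one real directory (a USB root, the desktop...)."""
    with os.scandir(directory) as it:
        listing = [(entry.name, is_hidden(entry.path)) for entry in it]
    return [Finding(directory, lnk, orig) for lnk, orig in find_shadowed_lnks(listing)]


# Constructed listing of a USB root after the worm has been at it:
# two originals hidden and shadowed by shortcuts, one ordinary shortcut,
# and a hidden executable with a made-up name standing in for the worm copy.
SAMPLE_USB_ROOT = [
    ("Reports", True),
    ("Reports.lnk", False),
    ("budget.xlsx", True),
    ("BUDGET.xlsx.lnk", False),
    ("readme.txt", False),
    ("readme.txt.lnk", False),
    ("k9Qz2f.exe", True),
]


if __name__ == "__main__":
    for lnk, orig in find_shadowed_lnks(SAMPLE_USB_ROOT):
        print(f"{lnk!r} shadows hidden {orig!r}")
```

On a Windows host the places the article names are the desktop, the root of every removable drive and the root of the system drive, so the call would be `scan_directory("E:\\")` for a freshly inserted stick (the drive letter is an assumption). The pure-listing function is what the constructed sample exercises: the two shadowed originals are reported, the ordinary readme shortcut is not, and the hidden executable on its own is deliberately not flagged here, since the shortcut-plus-hidden-twin pair is the signature, not hidden files in general.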
The G Data team noted that Spora deletes shadow volume copies and disables Windows error recovery and startup repair, but does not bypass User Account Control (UAC) yet, meaning at this point the user will be asked whether the malware is allowed to make changes. Wait for that to be fixed in a coming release. Blog post with links, heatmap and screenshots:
https://blog.knowbe4.com/alert-usb-sticks-could-infect-your-network-with-new-spora-ransomware-worm
New: Find out How Your Users Will React to Unknown USBs They Find!
Did you know? On average 45% of your users will plug in USBs... Find out now what your users' reactions are to unknown USBs, with KnowBe4's new no-charge USB Security Test.
You can download our special "beaconized" file onto any USB drive. Then label the drive with something enticing and drop the drive at an on-site high traffic area. Add some old house keys to the drive and wait and see.
If an employee picks it up, plugs it in their workstation, and opens the file, it will "call home" and report the "fail" to your KnowBe4 console. And for Office documents, if the user also enables macros (!), additional data is tracked and geomapped.
Here's how your 7-day USB Security Test works:
- Fill out the form, no need to talk to anyone
- Instantly download "beaconized" Word, Excel or PDF files
- Copy to any USB Drive, label and drop it
- Reports on opens and if macros were enabled
- Takes just a few minutes to setup
https://info.knowbe4.com/usb-security-test-chn
How Effective Is Busting up Russian Cybergangs?
There is an interesting interview in SC Mag with Trend Micro Chief Cybersecurity Officer Ed Cabrera, who served 20 years in the United States Secret Service, including a stint as its CISO.
Quick summary: Local skimming operations that physically compromise credit card and financial accounts have been overtaken and outdone by international cybercrime mafias where attacks on endpoints, networks and cloud infrastructure are done remotely to compromise critical data for resale in the Russian underground or more lucratively to be encrypted and held for ransom.
Cabrera described Russia's cybercriminal underground as being by far the most mature of all Deep Web undergrounds having a true reputation economy not unlike what we see on the surface web.
"In order to break up these groups, law enforcement needs to act like a cybercriminal, sometimes assuming the identities of already established cybercriminals in order to gain information. Like with physical crime, you need a level of penetration into the criminal organization in order to get a foothold in the org.
“Just as in traditional organized crime investigations, confidential informants and undercover agents have to gain the trust of the group by committing or rather look as though they are committing criminal activity,” Cabrera said.
Yes, some are being taken down, probably through a combination of faulty operational security and misbehaving, i.e. falling out of Putin's grace. The majority of the Russian cybercrime mafias have Kremlin air cover and are allowed to do the crimes. More:
https://www.scmagazine.com/busting-up-cybergangs/article/632983/
Live Webinar: Ransomware Hostage Rescue Guide
2016 was a “Ransomware Horror Show”. If you've been in the IT trenches over the past year, you've probably noticed that announcements of new ransomware strains are accelerating and there is no end in sight for 2017. In this webinar, we will cover the first 3 sections of the very popular KnowBe4 Ransomware Hostage Rescue Manual in depth.
Join Erich Kron CISSP, Technical Evangelist at KnowBe4 for a live webinar “Ransomware Hostage Rescue Guide”, Thursday, January 26, 2017, at 2:00 PM EST. We will look at scary features of new ransomware strains, give actionable info that you need to prevent infections, and what to do when you are hit with ransomware.
Erich will cover these topics:
- What new scary Ransomware strains are in the wild?
- Am I Infected?
- I’m Infected, Now What?
- Proven methods of protecting your organization
- How to create a “human firewall”
https://attendee.gotowebinar.com/register/8285286688435740418
Warm Regards,
Stu Sjouwerman
Quotes of the Week
"You are not a drop in the ocean. You are the entire ocean in a drop." - Jalaluddin Rumi
"Life is like a ten speed bicycle. Most of us have gears we never use." - Charles M. Schulz
Thanks for reading CyberheistNews
Security News
What Does a Plane Crash Have in Common With Ransomware?
"Unfortunately, in many industries, a conflict or disaster usually precedes change, such as a plane crash leading to tighter air traffic control policies. As ransomware and security threats increase and the fallout from such threats affects people on an increasingly deep level, we’re going to see consumers, IT pros, business leaders and legislators personally advocate for better security practices. Through data auditing and analytics, it’s possible to improve the security landscape for all involved."
These wise words were written by Paula Long, in an article that makes a point to include ransomware attacks in a structured Disaster Recovery plan. She points to four ways organization leaders, legislators, IT pros and non-technical staff members can work together to reduce ransomware threats in 2017:
- CIOs and C-suite execs need to look at solutions holistically, not just as a set of point products
- CIOs and C-suite execs should focus on security education and action plans for all employees (we could not agree more)
- Ransomware recovery is about to become part of disaster recovery (DR) planning
- Cybersecurity is getting more personal than ever, but individuals won’t give up their private data without a fight
http://virtual-strategy.com/2017/01/20/executive-viewpoint-2017-prediction-datagravity-get-ready-for-ransomware-in-2017/
P.S. I was interviewed at the CSO offices about Ransomware-as-a-Service. Here is the 5-minute video, scroll down to the end:
http://www.networkworld.com/article/3154832/security/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html
9 Things You Need to Know About Healthcare Data Breaches
A new whitepaper from Protenus reveals data breaches not only harm an organization’s public image, they also cost exorbitant amounts of money. Titled “Cost of a Breach: A Business Case for Proactive Privacy Analytics,” the whitepaper details seven potential costs of a healthcare data breach.
Here are nine things to know about from Protenus' whitepaper.
- Breaches in the U.S. healthcare field cost 6.2 billion dollars each year. The average cost of a single data breach across all industries is 4 million dollars, according to a 2016 study from IBM and Ponemon Institute.
- Approximately 90 percent of hospitals have reported a breach in the past two years, and most breaches are due to employee error.
- When a healthcare organization experiences a breach, forensics costs added up to 610,000 dollars. After a breach, organizations often have to bring in compliance personnel and auditors to detail what information was breached.
- Breach notification costs 560,000 dollars on average. Overall notification costs — including reporting information to the media, notifying HHS and setting up a toll-free number and credit monitoring services for affected patients — can reach high totals.
- Costs affiliated with lawsuits average 880,000 dollars. Whether class-action or single-patient, breach-related lawsuit costs can add up, with those in the healthcare industry being even more costly.
- For each data breach, healthcare organizations average 3.7 million dollars in lost revenue. Data breaches often result in a loss of patient trust, which can spiral into millions of dollars in lost potential revenue. A report from the Ponemon Institute estimates healthcare organizations average 3.7 million dollars in lost revenue per data breach, but a report from Accenture estimates the cost could be as high as 113 million dollars.
- Healthcare organizations average 500,000 dollars in lost brand value after a breach. An organization's reputation can be severely damaged after a breach. Some estimates reach 50 million dollars as an average amount in lost brand value, but Protenus claims the actual lost value varies from institution to institution.
- The average HIPAA settlement fine is approximately 1.1 million dollars. This average is only increasing as HHS becomes more aggressive in enforcing HIPAA regulations.
- Post-breach cleanup costs average 440,000 dollars. Though cleanup costs after a breach differ between organizations, even purchasing new technologies and hiring new staff members can add up.
http://www.beckershospitalreview.com/healthcare-information-technology/healthcare-breaches-cost-6-2b-annually.html
New State of the Phish Report Shows Positive Trends, but End-User Risk Remains
Our friends at Wombat just announced the release of their 2017 State of the Phish Report, their third-annual look at how end users are recognizing and responding to phishing attacks, and what infosec professionals are doing to mitigate the risks associated with this perennial threat.
The excellent report compiles data from three sources:
- Tens of millions of simulated phishing attacks sent through their platform over a 12-month period (October 2015 through September 2016)
- More than 500 answers to a survey of infosec professionals across more than 16 industries
- More than 2,000 answers from an independent survey of 1,000 U.S. and 1,000 UK end users
The Volume of Phishing Attacks Appears to be Decreasing
Based on year-over-year comparisons, the infosec professionals they surveyed indicated that the volume of phishing attacks seems to be on the decline. This reported trend coincides with data from the Anti-Phishing Working Group’s Phishing Trends Report, 3rd Quarter 2016, which was compiled during the same general time frame that Wombat conducted their survey.
Here is a sample of what infosec pros told Wombat they experienced in 2016:
- 76% reported their organization had been victimized by a phishing attack (down 10% from 2015).
- Fewer respondents said the rate of phishing attacks is increasing (51% in 2016 vs. 60% in 2015), and 45% said the rate of attacks is decreasing.
- Nearly 10% fewer infosec professionals said they experienced a spear phishing attack (61% in 2016 vs. 85% in 2015).
More Organizations Are Measuring Phishing Risk and Impact
Wombat said: "We’ve long extolled the values of measurement and analysis when it comes to gauging cybersecurity risks. Though there is more to managing a successful security awareness training program than tracking numbers, the ability to establish a baseline and evaluate progress over time provides clear benefits on multiple levels (strategic program planning, reporting to stakeholders, etc.).
"In this year’s survey, we were pleased to see that more and more infosec professionals are embracing the idea of tracking and managing end-user risk, as well as measuring the overall impact of phishing on their businesses:
- 72% of respondents said that they assess the risk each end user poses to their organizations — a dramatic 64% increase from their 2015 survey.
- The top way infosec professionals determine end-user risk is by evaluating security awareness and training performance (48%).
- At 38%, “disruption of employee activities” was the most commonly cited negative impact of phishing attacks.
- Infosec professionals measure the cost of phishing incidents in multiple ways, including the following:
- Business impact from lost IP (41%)
- Loss of employee productivity (35%)
- Damage to reputation (8%)"
Now More Than Ever, Manufacturing Needs to Guard Against Cybersecurity Threats
Is improving cybersecurity at the top of your New Year’s resolution list? Perhaps it should be. According to “Cyber Risks in Advanced Manufacturing,” a report from the consulting firm Deloitte and the industry association Manufacturers Alliance for Productivity and Innovation (MAPI), manufacturers are particularly vulnerable to cybersecurity threats because they are implementing new and emerging technologies.
Read more about the new report on Supply Chain Quarterly:
http://www.supplychainquarterly.com/news/20170119-now-more-than-ever-manufacturing-needs-to-guard-against-cybersecurity-threats/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- Mathieu Bich performs an amazing, original magic trick, that even professional magicians Penn and Teller can't figure out:
http://www.flixxy.com/mathieu-bich-fools-penn-and-teller.htm?utm_source=4
- From the archives: One of many great commercials John Cleese did for Compaq Computer Corp in the mid '80s. Riot:
http://www.flixxy.com/compaq-portable-computer-john-cleese.htm?utm_source=4
- Man talks to sheep and they talk back. It seems he wasn't able to pull the wool over their eyes:
http://www.flixxy.com/sheep-protest-rally-in-new-zealand.htm?utm_source=4
- Many hours of preparation, 10 tables, stairs, countless balls and clubs were used for this greatest 'Rube Goldberg' pool / billiards trickshot of all time:
http://www.flixxy.com/amazing-rube-goldberg-pool-trick-shot.htm?utm_source=4
- How malware bypasses anti-virus: cute little 2-second video. You are going to click and replay it!:
https://mobile.twitter.com/malwareunicorn/status/820452294269353984/video/1
- Cisco made a great video (4 minutes) that I honestly think everyone must see. It breaks down a complex ransomware attack. Picture this happening to your organization. Are you ready for it?:
http://bcove.me/eheqzm2v
- Cats and dogs enjoy trying to fit into small spaces. Cats love to hide and surprise you:
http://www.flixxy.com/if-it-fits-i-sits.htm?utm_source=4
- An amazing play by Mads Conrad-Petersen and Mads Pieler Kolding (Denmark) vs. Takeshi Kamura and Keigo Sonoda (Japan).
http://www.flixxy.com/amazing-badminton-play-at-the-world-superseries-2016-dubai.htm?utm_source=4
- Elon Musk: "One bit of advice: it is important to view knowledge as sort of a semantic tree -- make sure you understand the fundamental principles, ie the trunk and big branches, before you get into the leaves/details or there is nothing for them to hang on to.” Here is how he explains in 2:48 mins:
https://youtu.be/NV3sBlRgzTI
- US Army's hoverbike takes flight:
http://newatlas.com/us-army-hoverbike-flight/47446/
- Watch a snowboarder survive an avalanche with an inflatable backpack:
http://boingboing.net/2017/01/20/watch-a-snowboarder-survive-an.html