CyberheistNews Vol 7 #43 EU to Declare Cyber-Attacks “Act of War” - USA Likely to Follow

European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.

The document, developed as a deterrent to provocations by nation states like Russia and North Korea, will declare that member states may respond to online attacks with conventional weapons “in the gravest circumstances.”

This framework on a joint EU diplomatic response to malicious cyber activities would seem to raise the stakes significantly on state-sponsored attacks, especially those focused on critical infrastructure.

UK security minister Ben Wallace claimed last week that the UK government is “as sure as possible” that North Korea was behind the WannaCry ransomware attacks in May that crippled over a third of NHS England, forcing the cancellation of thousands of operations and appointments.

The problem is that definitive attribution in cyberspace is very difficult, making the framework appear largely symbolic.

It brings the EU in line with existing NATO policy, which established cyber as a legitimate military domain, meaning an online attack could theoretically trigger Article 5, the part of the NATO treaty related to collective defense, which states that an attack on one member is an attack on all 29 allies.

McAfee chief scientist, Raj Samani, claimed the move was unsurprising considering WannaCry and the likely state-backed attacks on French and German elections.

“While it is important to define cyber-attacks that are used for espionage or disruption as they would be when committed by physical actors, the greatest challenge that countries have will be in identifying and proving that the malicious actors that caused the cyber-attack have direct links to governmental organizations – something that these groups will be even more keen to conceal going forward,” he added.

I'm expecting the USA to follow with a similar statement, to function as an additional deterrent against the recent spate of Russian and North Korean incursions.

The vast majority of Russia's attacks start with social engineering and spear phishing attacks. However, current investigations show that they also have been running paid propaganda campaigns through Facebook.

Full blog post with links to sources:

2018 Is Likely to Be a Worse Year for Ransomware Than 2017

Sophos released their 2018 malware forecast this week. Their predictions would make any IT pro concerned; a link to a PDF of their report is below. Read on for your executive summary.

Ransomware Mutations Running Amok

You have seen a lot in this blog this year about the WannaCry and NotPetya ransomware strains. Both attacks exploited the EternalBlue Windows SMB vulnerability, and neither had a workable decryption mechanism for the few organizations desperate enough to try to pay the ransom.

Both incidents make one thing clear: WannaCry and NotPetya appear to be the work of military cyber warfare divisions. Their authors aren't script kiddies, but professional Dev teams using sophisticated techniques. Nation states are fighting a cold cyber war, and both commercial and non-profit organizations are the collateral damage worldwide.

RaaS Is for Newbie Cyber Crims

There is an area where amateur cyber "crims" do come in, and that's Ransomware as a Service, aka RaaS. Newbies without l33t skills simply buy the code on the dark web, complete with easy how-to videos.

Sophos says that RaaS is growing in popularity on the Dark Web, and this year's Cerber ransomware is their example of a worrisome trend. Here's some of what it says in the report that specifically pertains to RaaS:

“Ransomware is big business on the Dark Web. Its creators realized they could make more money not just by extorting currency from their victims, but by selling kits buyers could use to make and distribute their own. We’ve seen a number of different services and pricing models in the past year, and expect to see many more in 2018.

One of the biggest examples, as mentioned above, is Cerber. Other examples include Satan, malicious software that once opened in a Windows system, encrypts all the files and demands a ransom for the decryption tools, and Philadelphia. The latter was notable for its marketing technique, which included a slick YouTube video advertisement on the open web.”

New "Marketing" Techniques

Sophos reports on an additional ransomware trend they found in a malware strain called Spora. Instead of demanding one ransom to decrypt an entire encrypted drive or partition, some ransomware offers victims multiple options. The options seen in Spora are:
  • Decrypt two files for nothing
  • Decrypt a selection of files for 30.00 dollars
  • Have the ransomware itself removed for 20.00 dollars
  • Buy what they call immunity for 50.00 dollars
  • Get everything on the computer restored for 120.00 dollars

Ransomware Is Now Targeting Non-Win OSen

September 2013 was when CryptoLocker reared its ugly head as the first weapons-grade ransomware that exclusively targeted Windows, which remains Target No. 1.

But Sophos notices a trend of ransomware targeting non-Windows operating systems. I would not be surprised if in 2018 a worldwide MacOS or Linux distro ransomware pandemic broke out.

Ransomware is also growing rapidly on Android. Sophos reported that the prevalence of Android ransomware has grown almost every month in 2017; 30.4% of the Android malware researched in September 2017 by Sophos was ransomware, and they expect that 45% of all Android malware in October was ransomware.

One of the biggest Android ransomware stories broke this October: DoubleLocker. Looks like Android ransomware is going to be a bigger problem in 2018.

Healthcare Continues to Be a Target

Many cyber criminals are specifically targeting the healthcare industry. Sophos states this trend started in 2016. Healthcare is the single most targeted industry because they are the victims who are most likely to pay ransoms. The Sophos report shows that critical infrastructure, education and small businesses also are often targeted for ransomware attacks, as they're more likely to pay up as well.

Between April 1st and October 3rd, Sophos notes that the top four countries for ransomware victims are the United States (17.2%), Great Britain (11.1%), Belgium (8.6%), and Singapore (6.5%). And of course neither Ukraine nor Russia even shows up in the Top 16, because that's where these organized cyber crime gangs are, and they know that FSB (KGB) swat teams will knock down their doors if they target these countries.

ZDNet also has predictions about the nasty future of ransomware with four ways the nightmare is about to get even worse:

KnowBe4 blog post with links to resources:

Don’t Miss the November Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, November 8, 2017, at 2:00 p.m. (EST) for a 30-minute live product demonstration of KnowBe4's Security Awareness Training and Simulated Phishing Platform. See the latest features and how easy it is to train and phish your users.
  • New Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Social Engineering Indicators patent-pending technology turns every simulated phishing email into a tool IT can use to instantly train employees.
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how 13,500+ organizations have mobilized their end-users as their last line of defense.

Register Now:

Bad Rabbit Ransomware Attack Was Hiding a Spear Phishing Campaign

During the attacks in eastern Europe with the Bad Rabbit ransomware, a more insidious attack was taking place in Ukraine under its cover, Reuters reported.

Serhiy Demedyuk, head of the Ukrainian state cyber police, stated that a number of Ukrainian entities were targeted by phishing campaigns at the same time as Bad Rabbit spread. Those campaigns intended to compromise financial information and other sensitive data.

“During these attacks, we repeatedly detected more powerful, quiet attacks that were aimed at obtaining financial and confidential information,” Demedyuk told the Reuters Cyber Security Summit in Kiev earlier this week.

Full blog post:

How to Sell Cybersecurity to Your Executive Team

Scott Schlimmer wrote a great post at CSO about the constant battle between profitable business investments and “unprofitable” security investments to protect the current bottom-line.

Despite repeated major, high-profile breaches, most cybersecurity teams still struggle to get sufficient funding. “After this hack, cybersecurity budgets are bound to increase.” We’ve all thought it. But, curiously, it may not always happen.

Despite the headlines, growth-oriented executives tend to prioritize other expenses. Here is an excerpt with a link to the post at the end.

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"The truth is like a lion. You don't have to
defend it. Let it loose. It will defend itself."
- St. Augustine (354 - 430 AD)

"Most powerful is he who has himself in his own power."
- Lucius Annaeus Seneca - Philosopher, Statesman (5 BC - 65 AD)

Thanks for reading CyberheistNews

Security News
Gartner Positions KnowBe4 as a Leader in the Magic Quadrant for Security Awareness Computer-Based Training

KnowBe4 has been positioned by Gartner, Inc. in the Leaders quadrant of the Magic Quadrant for Security Awareness Computer-Based Training. Gartner's evaluation is based on completeness of vision and ability to execute.

We are very proud of this accomplishment.

We consider our positioning in the Leaders Quadrant by Gartner confirmation of our ability to innovate new technology-based paths based on real-world social engineering methods used by attackers. As the fastest-growing company within this market, our mission to train employees to make smarter security decisions within client organizations has been successful, enabling organizations with a limited budget, a chance to use world-class training and simulated phishing to improve their security posture and mitigate risk.

Perry Carpenter, KnowBe4’s Chief Evangelist & Strategy Officer stated, “We are honored to be positioned in the Leader’s Quadrant. We believe that it is a direct reflection of our strong and consistent year-over-year growth, 13,500+ client organizations, rapidly growing toolset and content library, and our proven platform and methodology for delivering measurable results to organizations around the world. We look forward to pushing-the-envelope even further in 2018.”

To get your copy of the complimentary report, go here:

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Dark Overlord Hackers Reveal Plans to Leak 'Hollywood Database Stolen From Top Studio'

Criminal hacking group The Dark Overlord is threatening to leak the internal client data of top Hollywood production studio Line 204, IBTimes UK has learned.

The seemingly international group of hackers, which recently targeted streaming giant Netflix and a London-based plastic surgeon's office, provided evidence that it had accessed the firm's customer database. It has shared information with IBTimes – including hundreds of contracts, files and client invoices.

"As with all of our friends who don't accept one of our handsome business proposals, we'll handle them appropriately by publicly releasing all their client data, documents, intellectual property, and other sensitive documentation," the group said via encrypted chat.

Based on one section of the database labeled 'CustomerFile', Line 204 clients have in the past included Apple, Netflix, Funny or Die, ABC, HBO, Hulu and many more. Another file – named "CustomerCard" – contained financial information, but it was firmly encrypted. Full post:

Shame and Confusion Lead to Employees Paying Ransoms out of Pocket

Our Doug Olenick at SC Media reported on something quite surprising. This is the first time we have heard about this!

Whether out of shame for being victimized or confusion over what to do, more than half of employees who fell victim to a ransomware attack decided to pay the ransom amount themselves, a recent survey found.

The study of 1,000 workers victimized by a ransomware attack, conducted by Intermedia, found that 59 percent paid the ransom out of pocket with 37 percent passing the cost along to their company. Intermedia is a leading cloud voice service provider, and the world's largest independent provider of Exchange email in the cloud.

Millennials were more likely to pay themselves, with 73 percent reporting that they had done so, but not far behind are company executives, with 68 percent saying they had also reached into their own pockets to meet the cybercriminals' demand.

The report cited two reasons behind the decision to absorb the cost. Shame and embarrassment certainly play a role in the person's choice to simply pay up and hopefully mitigate the damage, but lack of knowledge also plays a role as many companies do not tell their workers what to do when confronted by this situation.

“Organizations need to focus education efforts not just on what ransomware is, but what steps employees should take if they are impacted. Regular communication is especially important right now with new malware strains like BadRabbit posing as seemingly harmless Adobe Flash updates,” said Intermedia CTO Jonathan Levine.

If this is really true, IT might not even know that a workstation was infected, got decrypted and is back in production with remnants of malware all over it. It could very well be that Trojans and other remote control tools were left behind.

I suggest you create corporate policy that requires mandatory immediate reporting of ransomware infections so that IT can do their job!

Q3 2017 Witnessed 600% Rise in URL e-Mails Delivering Malware

The recently published Quarterly Threat Report by Proofpoint reports that malware-laced e-mails delivering banking Trojans and ransomware programs increased during July-September 2017. At the same time, targeted attack and social engineering techniques became more sophisticated.

The volume of malware-laced e-mails rose 85% from the second quarter. The rise was mainly driven by large-scale e-mail campaigns carrying malicious URLs that deliver malware: the volume of such messages rose 600% from Q2 (April-June) and over 2,200% from the same period last year.

The No. 1 threat category was ransomware, responsible for almost 64% of total e-mail attacks. Among ransomware strains, Locky alone accounted for nearly 55% of the entire malicious e-mail volume and over 86% of the ransomware total. More:

Britain’s Largest Airport Launches Investigation After USB Found on Street

This is a weird one. A USB drive was found on the street by a man who brought it to the Sunday Mirror. It is full of secret UK files on Heathrow. The USB appeared to contain legitimate classified information on layouts of the airport, special quarters for VIPs, etc.

However, this would also be a great way to introduce a backdoor. Typical social engineering. A double whammy if proper precautions against a malware package were not taken. The files included the following:
  • Maps indicating the exact locations of CCTV cameras along with a series of escape shafts found in the Heathrow Express rail line that links the airport with London Paddington station.
  • The types of identification that someone requires to access restricted areas.
  • The exact route used by the Queen when she uses the airport and what security measures she uses to get there.

This is disturbing; I flew through Heathrow myself at that time. More at Tripwire:

SANS Releases OUCH November 2017

They said: "We are excited to announce the Nov issue of OUCH! This month, led by Guest Editor Lenny Zeltser, we cover Shopping Online Securely. With the holidays coming up, this is the time when millions of people around the world shop online. It’s also the time when cyber criminals ramp up their game for online fraud. In this issue we cover how you can easily shop online safely and securely and make the most of all those great online deals. Share this edition with your family, friends, and coworkers." English Version (PDF)

Security Awareness Training Is a Team Effort

A security awareness program is a critical part of any security strategy. It is not enough to simply hold everyone in the organization accountable.

Chief information security officers (CISOs) must first train employees to practice proactive, conscientious security behaviors by convincing them that security affects them directly, not just the business.

Building Better Cybersecurity Instincts

While most people practice cybersecurity as a self-preservation instinct at home, they often take it for granted at work. This disconnect can be boiled down to ownership: People rigorously protect their prized possessions at home, but business assets feel like somebody else’s property and, therefore, somebody else’s problem.

Security leaders charged with training employees must demonstrate how one weak link in the company can compromise everyone’s privacy, not to mention the business’s bottom line. More at the KnowBe4 blog:

Students Angry Over Ryerson University Phishing Scam

Here is something entertaining. I had a good chuckle when I read this. Welcome to the real world.

"Students in the Faculty of Communication and Design (FCAD) are angry that the email they received regarding complimentary Adobe programs was the latest phishing scam in the school’s cyber security awareness campaign. Now, they’re calling on FCAD to provide them with the software.

A conversation about how students can fall prey to phishing emails came up between Brian Lesser, chief information officer of CCS, and another FCAD member, sparking the idea for the phishing emails. “Attackers will play on your need for things,” he said. “Students might need software.”

Lesser, who organized the cybersecurity awareness campaigns—which involve the phishing emails—said the rise in cyberattacks on Ryerson students has steadily increased in the past few years. Sending out an informational email on cybersecurity has minimal impact, according to him.

“It doesn’t garner enough attention, people don’t read past the first paragraph. You can’t just send people nice messages and make an impact.” The idea surrounding the fake emails was to provide real-world simulations of a cyber threat.

“It’s a valuable way to train people,” Lesser said. “I get that it can be frustrating, but I’d rather fool you than have you tricked by someone who’s going to upload malware onto your machine.”

However, some students still feel it triggered a contentious issue among FCAD. “I had a feeling it was spam,” said Allison Tubosa, a third-year media production student. “I’m one of those students who can’t afford Adobe so I thought that it was really mean.” Faculty do have access to Adobe suite under licensing agreement, not students."

Thirty Percent of CEO Email Passwords Compromised in Breaches: Study

SecurityWeek reported about an interesting F-Secure study showing thirty percent of CEOs from the world's largest organizations have had their company email address and password stolen from a breached service.

F-Secure researchers checked the email addresses of 200 CEOs from the world's largest organizations against a database of leaked credentials. It notes that the 30% figure increases to 63% for tech companies. Yikes.

Given the continuing tendency for users to use simple passwords and reuse the same passwords across multiple accounts, the implication is that at least some of these CEOs are at risk of losing their email accounts to cyber criminals or foreign nation state hacking groups.

The bottom line is that CEOs and their companies need to take particular care in protecting their email account passwords. F-Secure's advice is well-known good password practice.
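The check F-Secure describes (matching executive addresses against a database of leaked credentials) and the password-reuse concern above can be reproduced in a small defender-side script. The following is an added example, not F-Secure's tooling or method; the executive addresses, domains and breach records are constructed sample data, and the reuse check works on SHA-256 digests so the script never keeps plaintext passwords around once parsed.

```python
import hashlib
from collections import defaultdict

# Constructed sample: executive mailboxes an organisation wants to monitor.
# Mixed case is deliberate, to show that matching must normalise addresses.
EXECUTIVE_ADDRESSES = [
    "ceo@example-corp.test",
    "Chief.Exec@Example-Tech.test",
    "ceo@example-bank.test",
    "ceo@example-retail.test",
]

# Constructed sample of breach-dump records, one per line: breach,email,password
BREACH_RECORDS = """\
forum-breach-2015,ceo@example-corp.test,Summer2015!
social-breach-2016,CEO@EXAMPLE-CORP.TEST,Summer2015!
saas-breach-2017,chief.exec@example-tech.test,Welcome123
saas-breach-2017,someone@other.test,hunter2
"""


def normalize(email):
    """Lower-case and trim so the same mailbox matches regardless of how a dump spells it."""
    return email.strip().lower()


def parse_records(text):
    """Parse 'breach,email,password' lines into (breach, email, sha256(password)) tuples.

    Hashing at parse time means only digests are kept for the reuse comparison.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        breach, email, password = line.split(",", 2)
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        records.append((breach.strip(), normalize(email), digest))
    return records


def exposure_report(addresses, records):
    """For each watched address, list the breaches it appears in and whether the
    same password shows up in more than one dump (a reuse indicator)."""
    watched = {normalize(a) for a in addresses}
    hits = defaultdict(list)  # email -> [(breach, digest), ...]
    for breach, email, digest in records:
        if email in watched:
            hits[email].append((breach, digest))

    report = {}
    for email in sorted(watched):
        entries = hits.get(email, [])
        breaches = sorted({b for b, _ in entries})
        digests = [d for _, d in entries]
        # The same digest appearing twice means the same password leaked from two services.
        reused = len(digests) != len(set(digests))
        report[email] = {"breaches": breaches, "password_reused": reused}
    return report


def exposure_rate(report):
    """Fraction of watched addresses present in at least one breach (the study's headline figure)."""
    if not report:
        return 0.0
    exposed = sum(1 for entry in report.values() if entry["breaches"])
    return exposed / len(report)


if __name__ == "__main__":
    rep = exposure_report(EXECUTIVE_ADDRESSES, parse_records(BREACH_RECORDS))
    for addr, entry in rep.items():
        print(addr, entry)
    print("exposure rate:", exposure_rate(rep))
```

In practice the dump would come from a breach-notification feed rather than an inline string, and the output feeds a forced-reset and MFA-enrolment workflow for the flagged mailboxes; the reuse flag is the part worth acting on first, since a password seen in two dumps is the one most likely to still work somewhere.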

Here's a link to the PDF and stats per country; USA is 38%. You'll be surprised about some others. Good ammo for budget, and it has CEO password advice from a white hat hacker:

Interesting News Items This Week

Survival of the Fittest: Why Locky Ransomware Is Back:

Office 365 Missed 34,000 Phishing Emails Last Month:

Toshiba's 'breakthrough' battery can charge in six minutes:

Ever heard of a graphite bomb (also known as the "Blackout Bomb" or the "Soft Bomb") which is a non-lethal weapon used to disable electrical power systems? Yikes:

Wait, Do You Really Think That’s a YouTube URL? Spoofing Links on Facebook:

Would you let Amazon unlock your door? Not me:

Silence – a new Trojan attacking financial organizations:

UK Data Protection Bill vs EU General Data Protection Regulation:

Trump Administration to Craft New Cybersecurity Plan. Strategy will mirror President Trump's cybersecurity Executive Order:

Need some ROI on new-school security awareness training? Hilton Reaches 700,000 dollar Settlement Over Two Data Breaches:

Researchers analyze 3,200 unique phishing kits:

DDE exploit explained .. Attachments, email discussed:

Latest Sofacy Campaign Targeting Security Researchers:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.