CyberheistNews Vol 8 #1 [Heads-up] A New High Risk of Evil AI Attacking Employees With Ransomware



Cyberheist News

CyberheistNews Vol 8 #01
[Heads-up] A New High Risk of Evil AI Attacking Employees With Ransomware

Wall Street Journal reporter Kate Fazzini wrote a very useful warning in the dedicated WSJ Pro cyber security newsletter. If you need budget for 2018 security awareness training, I recommend you send this extract to your C-level execs:

"Ransomware, the threat that seemed to smash all other cybersecurity topics in 2017, is still evolving by the day, and experts said companies should expect more sophisticated attacks in the new year.

Highly targeted phishing attempts, possibly powered by artificial intelligence; greater risks to shutting down industrial operations; and an increasing regulatory burden on preventing ransomware attacks are all part of the picture companies will need to consider in 2018.

The evolution of ransomware campaigns has led to extraordinarily targeted phishing techniques that are only getting more precise, said Steve Bunnell, co-chair of the data security and privacy practice at law firm O’Melveny & Myers LLP.

Justin Fier, director of threat intelligence and analysis at cybersecurity company Darktrace Inc., said he expected an increase in targeted phishing in 2018 due to the criminal use of artificial intelligence.

“In 2018, we will start to see the emergence of sophisticated threat-actors harnessing AI,” he said. “Imagine a highly sophisticated piece of malware that leverages AI to mimic writing styles, review appointments, and send ‘directions’ for an upcoming meeting to the victim.”

In addition, Mr. Bunnell said: “The consequences of not being prepared are increasing,” including regulatory implications from the EU’s General Data Protection Regulation, which goes into effect in May.

The GDPR puts stricter requirements around how soon and under what circumstances companies will need to report breaches. Depending on the nature of a ransomware attack, companies may not know immediately whether data held for ransom is, technically, in the hands of criminals, making it more difficult for companies to know if the offense needs to be reported to regulators.

Overall, given its explosion in 2017 and low overhead for criminal groups, Mr. Fier said, simply, companies should expect they will be targeted by ransomware next year: “No company is out of scope for malicious intent, even if they think they have nothing worth stealing.”

Ransomware Gangs Are Moving From Bitcoin to Litecoin

Due to high Bitcoin transaction fees, ransomware crooks are moving to Litecoin where transactions fees are much lower. Tripwire blogged on December 26th about the future of ransomware in 2018 and the technical details driving that development. And oh, you might want to have a few Litecoin in a wallet somewhere, just in case.

Tripwire's Upshot: The ransomware attack surface is getting increasingly pervasive in 2018 and beyond and reaching into all facets of our connected life.

What to Do About It

"There is no way to completely protect yourself from this ransomware. If you are online, you are vulnerable and may at some point encounter it. Implementing a 3-pronged approach of Educate, Secure and Backup to tackling this issue head-on is the probably the optimal strategy:"

Here is what they said about education:

"Educate: If you run a business, your employees are your most vulnerable parties and those most likely to cause infection. But they are also your [last] line of defense. Education on ransomware and other viruses is not just a one-off workshop; it’s a continually reviewed and reinforced strategy that seeks to update everyone on the latest threats."

We could not agree more. And how are the bad guys going to do this?

Google's new text-to-speech AI is so good we bet you can't tell it from a real human anymore, just listen to these samples. The next frontier in highly scalable social engineering: direct phone manipulation by an AI. Yikes.
https://google.github.io/tacotron/publications/tacotron2/index.html
How Many of Your Users Are Ransomware Bait?

Did you know that many of the email addresses and identities of your organization are exposed on the internet and easy for cybercriminals to find? With that email attack surface, they can launch social engineering, spear phishing and ransomware attacks on your organization.

KnowBe4’s new Email Exposure Check Pro (EEC) identifies your at-risk users by crawling business social media information and hundreds of breach databases. This is done in two stages:
  • Does deep web searches to find any publicly available organizational data.
  • Finds any users that have had their account information exposed in any of several hundred breaches.
Get Your EEC Pro Report in Less Than 5 Minutes

We will email you back a summary report PDF of the number of exposed emails, identities and risk levels found. You will also get a link to the full detailed report of actual users found, including breach name and if a password was exposed.

Getting your EEC Pro will take less than 5 minutes and is often an eye-opening discovery.
https://info.knowbe4.com/email-exposure-check-pro-chn
Don’t Miss the January Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, January 10, 2018, at 2:00 p.m. (EST) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • NEW see our latest feature: Security Roles with granular permissions
  • NEW Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 15,000+ organizations have mobilized their end-users as their last line of defense.

Register Now:
https://attendee.gotowebinar.com/register/2337103611638023683?source=CHN
New 2018 Security Resolutions

KnowBe4 believes you can always get smarter, not just at the start of a new year, but year-round. Continuous learning and self-improvement is critical for everyone in your organization. Both IT pros and their users must stay updated on the latest security technology, exploits and social engineering tactics.

To help you with that, KnowBe4 will add a massive amount of fresh security training material in 2018, not just for users, also for IT pros.

We encourage you to set your 2018 security awareness training goals now, and use KnowBe4 to make them really happen throughout the year!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"A person who never made a mistake never tried anything new." - Albert Einstein, Physicist

"If we did all the things we are capable of, we would literally astound ourselves." - Thomas Edison, Inventor



Thanks for reading CyberheistNews
Security News
4 Years After Target, the Little Guy is the Target

Can you believe it's been 4 years since the Target data breach?

Brian Krebs says as big box retailers develop tighter payment security, hackers appear to be targeting smaller chains that may be less secure:

"Dec. 18 marked the fourth anniversary of this site breaking the news about a breach at Target involving some 40 million customer credit and debit cards.

"It has been fascinating in the years since that epic intrusion to see how organized cyber thieves have shifted from targeting big box retailers to hacking a broad swath of small to mid-sized merchants that accept credit cards."

If you aren't one of the Fortune 1000, you should read this:
https://krebsonsecurity.com/2017/12/4-years-after-target-the-little-guy-is-the-target/
InfoSec World 2018 Conference & Expo March 19-21, 2018 Orlando

InfoSec World is the “business of security” conference. To manage today’s threats, security practitioners must have the skills to be both a business partner and enabler, and have the technical expertise to prevent, detect and respond to security challenges. Head to Disney’s Contemporary Resort on March 19-21, 2018 and learn from the best. CyberheistNews readers receive 15% off the Main Conference or World Pass with discount code OS18-CHN at checkout! Disney’s Contemporary Resort | Lake Buena Vista, FL:
https://infosecworld.misti.com/
Chinese Hackers Target Think Tanks to Steal Military Strategic Info

Towards the end of 2017, Chinese cyber-spies have engaged in a hacking spree that targeted at least four US think tanks and an additional two non-governmental organizations (NGOs), researchers from US firm Crowdstrike revealed in a report published last week.

The attacks started in late October and were carried out in a similar manner, by infecting targets and deploying the Mimikatz credentials harvester and China Chopper web shell on affected servers.

Attackers collected the emails of employees, stole credentials, and deployed second-stage malware. Intruders also used malware to search and steal documents containing terms such as "china,” “cyber,” “japan,” “korea,” “chinese,” and “eager lion” (codename of a US military exercise).

Think tanks are the Holy Grail of nation-state groups.

"Think tank" is a term used predominantly in the US to describe organizations that perform research concerning topics such as social policy, political strategy, economics, military, and culture. More at Bleepingcomputer:
https://www.bleepingcomputer.com/news/security/chinese-hackers-target-think-tanks-to-steal-military-strategic-info/
Lack of IT Staff Leaving Companies Exposed to Hacker Attacks

According to a recent survey of recruitment agencies, 81% expect a rise in demand for digital security staff, but only 16% saw that the demand would be met.

“Demand is sky-high,” said Tim Holman, the chief executive of the cybersecurity consultancy 2-Sec. “The cost of dealing with cyber problems is only going to go up, insurance premiums will go up, the price of cleanups will go up.”

It is clear that this issue is going to be with us for the next several years. The problem is that you can't find InfoSec staff or if you can find them, they do not fit into your limited budget.

What you can afford though is educating your users and get fantastic ROI, and a much more secure network protected by your human firewall. Full article in The Guardian:
https://www.theguardian.com/technology/2017/dec/25/lack-of-it-staff-leaving-companies-exposed-to-hacker-attacks
Shocker: 84 Percent of U.S. Healthcare Providers Have No Cyber Security Leader

Eighty-four percent of U.S. healthcare providers don't have a cyber security officer, and only 11 percent plan to add one in 2018, according to a recent Black Book Research survey of 323 strategic decision makers at U.S. healthcare provider and payer organizations.

At healthcare payer organizations, the outlook is slightly better -- 31 percent have an established cyber security manager, and 44 percent plan to hire one in the coming year.

Just 15 percent of all responding organizations currently have a CISO in place.

"The critical role of medical facilities, combined with poor security practices and lack of resources, make them vulnerable to financially and politically motivated attacks," Black Book managing partner Doug Brown said in a statement. More:
https://www.esecurityplanet.com/network-security/84-percent-of-u.s.-healthcare-providers-have-no-cyber-security-officer.html
Ghost Users Haunt Your Organizations' Network

While most IT pros that also wear their organizations' security hat understand that they need to protect active users, inactive "ghost" users are easily overlooked. Rounding up inactive user and service accounts is an important part of digital hygiene, especially when those accounts can be compromised and used for social engineering current members of an organization's team.

It's good to make users aware of this risk. Let employees know that it's right and proper to ask questions like, "Funny, why is Joe asking me for this password?" "Didn't Francine retire six months ago?", "Odd—why are Luke and Leia all of a sudden working on Shanghai time?" See a discussion of ghosts-in-the-machine at Infosecurity Magazine:
https://www.infosecurity-magazine.com/opinions/inactive-accounts-key-sensitive/
Business Email Compromise Hits Businesses Large, Small, and International

John Kahlbetzer, founder of the Twynham Agricultural Group and one of the wealthiest men in Australia, has been the victim of a business email compromise scam. His assistant followed instructions in an email she took to be from the 87-year-old multimillionaire and transferred a million dollars to an account belonging to a British man, David Aldridge.

The problem of course is that the email was bogus.

The email's address was close to Mr. Kahlbetzer's, but no cigar: it was one character off, and unfortunately the assistant didn't spot the tell. The case has been litigated in a British court, an unspecified settlement having been reached on December 15th.

Aldridge is said to have spread the money around several different accounts, and that it's somehow wrapped up in a request from his girlfriend of four years, one Nancy Jones, who assured him it was legitimate, and that she had arranged to receive the cash so she could settle her parents' death duties, thus enabling her and Mr. Aldridge to move in together.

So Aldridge says he's a victim here, too, and was acting for the best of motives. The problem with this, according to Kahlbetzer's attorneys, is that Aldridge has apparently never met Ms Jones, and has no real reason to think Ms Jones even exists.

This story is therefore something of a twofer: it's very much about a business email compromise, and it may be about a catphishing romance scam, too.

Here is Lesson One: train people in your organization not only to be alert for impersonation scams, but also not to transfer funds on the strength of just an email.

Lesson Two: if you've never actually met the person you're in love with, you might not want to undertake complex high-dollar-value transactions on their behalf. We have no wish to rain on Cupid's parade, but please, kids, be sensible. See Bloomberg's discussion here:
https://www.bloomberg.com/news/articles/2017-12-15/how-one-of-australia-s-richest-men-lost-1-million-to-email-scam
Why Phishing Alone is Not Enough Awareness Training

Marie White Founder, CEO & President, Security Mentor makes an excellent point in an article at InfoSec Magazine:

"Over the last several years, phishing simulations have become seen as the equivalent to security awareness training. The result is many organizations are only providing phishing simulation to their employees, and not security awareness training. This trend is a dangerous one, one that may actually lead to greater insecurity.

Why? Organizations are now focusing on only the single threat vector of phishing, admittedly a very serious one, but still one of many.

Cyber-criminals aren’t oblivious to this trend either. They know that leaves the door open for many other types of attacks, or exploitation of vulnerabilities, such as posting of sensitive data to the cloud, mobile device loss or theft, vulnerabilities in IoT-connected devices, social networking over-sharing and over-trusting, and the list goes on and on.

I’ve even heard one security vendor say that you only should do phishing simulation and training on one or two other topics, because that is all employees will remember. That’s good news for cyber-criminals because it leaves other doors open to them."

We could not agree more.

You need an integrated platform that allows you to deploy training of all types, combined with frequent social engineering attacks using phishing, voice and text, and all other elements of a mature security awareness training program. More:
https://www.infosecurity-magazine.com/opinions/phishing-not-enough-awareness/

Many IT pros don’t exactly know where to start when it comes to creating a security awareness program that will work for their organization.

We’ve taken away all the guesswork with our Automated Security Awareness Program (ASAP). ASAP is a revolutionary new tool for IT professionals, which allows you to create a customized security awareness program for your organization that will show you all the steps needed to create a fully mature training program in just a few minutes. And there is no cost:
https://www.knowbe4.com/automated-security-awareness-program
Tech Support is Not Calling You

The winter holidays, from Chanukah through the Solstice, Christmas, and into the New Year, are prime time for help desk support scam calls. It's a familiar con: someone cold calls you, tells you they're with the "Microsoft" or "Windows" help desk, and that they've detected a problem with your computer.

They'll help you fix the issue if you give them your password, turn over control of your machine, etc. Of course, they're not, they haven't, and they won't. They're after your credentials, your identity, or your credit card.

This old scam has grown more sophisticated. The scam now often begins online, with a popup notifying you of a problem and voice overs that start to sound realistic and inviting you to call a number to get it resolved.

Alert your users: this too is a scam, and you'll find yourself on the phone with people who, by some reports, get more insistent and menacing by the minute. See Naked Security's sad reminder:
https://nakedsecurity.sophos.com/2017/12/18/watch-out-fake-support-scams-are-alive-and-well-this-christmas
Tricky Subscription Traps

These sometimes operate in a grey zone, neither clearly legal nor obviously illegal. The London-based consumer advocacy group Citizens Advice finds that subscription traps are becoming an increasing problem as we've grown accustomed to making purchases easily online.

Citizens Advice finds that average costs to a given consumer of inadvertent, usually hard-to-cancel subscriptions are running around £50 a month in the UK, and other countries are probably experiencing comparable losses.

You may think you're buying one thing, one time, only to find that you've committed to some recurring charge for TV services, software subscriptions, gym memberships, or the like. Often you may have signed up for a free trial, only to find that you have to opt out at the end of the period.

(And the possibility of opting out will be distinctly downplayed. Don't expect the "free-trial offeror" to blow a horn and remind you that your time's up. The conscientious and reputable ones will, but even otherwise legitimate vendors can't be relied upon to give you an honest reminder.)

Better to avoid signing up for recurring charges. The Telegraph has an overview:
http://www.telegraph.co.uk/money/consumer-affairs/subscription-traps-eveything-need-know-do-drop-unwanted-service/
What Happens to Stolen Credentials?

They may be—like the Get-Out-of-Jail-Free card in Monopoly—"kept until needed or sold." There's a thriving black market in account credentials.

KrebsOnSecurity looks at one particular criminal darknet site: Carder's Paradise, where cyber mafias wholesale their wares on a consignment basis to other criminals. It's a crook-to-crook marketplace with many of the features of a business-to-business one.

One of the more successful wholesalers in the "Seller's Paradise" section has made some $288,000 this year. There are other things for sale at Carder's Paradise besides credentials: credit information, even "fullz," that is, a dossier of all the information on someone you need to commit complete identity theft.

There are many lessons to be drawn from this look at the dark web. Here are two of them: don't reuse passwords, and use multifactor authentication. Read the whole thing here:
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/
Interesting News Items This Week

Fake Bitcoin Wallet Apps Removed from Google Play. Don't fall for that one:
http://www.securityweek.com/fake-bitcoin-wallet-apps-removed-google-play

FBI Software for Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say:
https://gizmodo.com/maybe-russia-is-hacking-the-fbi-and-stealing-our-biomet-1821588406

Webroot acquires security awareness training platform. We are always happy to see tiny players being snapped up by AV companies. It legitimizes the space. A rising tide lifts all boats, especially big ones like ours:
https://www.prosyscom.tech/webroot-acquires-security-awareness-training-platform-launches-own-service-for-msps-and-businesses-prosyscom-tech/

Russian Antivirus Tech Bad News for Everyone in the UK:
https://www.newsmax.com/sambocetta/fcc-kaspersky-uk/2017/12/28/id/834105/

Global ransomware damage costs predicted to exceed $11.5 billion annually by 2019:
https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/

Here is a list of cybersecurity industry thought leaders where "yours truly" is featured together with "shark tank" Robert Herjavec, and the infamous John McAfee. LOL:
https://cybersecurityventures.com/contributors/

Hackers leak WhatsApp screenshots and intimate photos of WWE Diva Paige. The ultimate clickbait. Don't fall for this kind of honeytrap:
http://securityaffairs.co/wordpress/65223/hacking/diva-paige-data-leak.html

That game on your phone may be tracking what you’re watching on TV. Dang!:
https://www.nytimes.com/2017/12/28/business/media/alphonso-app-tracking.html

10 things in cybersecurity that you might have missed this year, and there are some doozies:
http://www.zdnet.com/article/10-things-in-cybersecurity-that-you-might-have-missed-this-year/

Microsoft Office Docs New Vessel for Loki Malware:
https://www.darkreading.com/attacks-breaches/microsoft-office-docs-new-vessel-for-loki-malware/d/d-id/1330678

Two Romanians Charged With Hacking Police CCTV Cameras Before Trump Inauguration:
https://thehackernews.com/2017/12/police-camera-hacking.html
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | Google | YouTube
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews