CyberheistNews Vol 8 #10 Average Ransomware Attack Infects 16 Workstations, 5 Servers and 22 Users

Ian Barker at BetaNews wrote: "Security awareness training company KnowBe4 has released its 2018 Threat Impact and Endpoint Protection Report which shows organizations in manufacturing, technology and consumer-focused industries experienced the most ransomware attacks.

Mid-market organizations—those with 1,000 to 5,000 employees—have been hit the hardest with ransomware in 2017, with 29 percent experiencing a ransomware attack.

On average, 16 workstations, 5 servers and 22 users within an organization were affected in any given attack with an average downtime of 14 hours. The organizations suffering the most downtime hours were again mid-market and enterprise (5000+ employees) organizations.

The more critical the data is to an organization, the higher likelihood of the ransom being paid. 97 percent of organizations say that ransomware encryption impacted common Office-type files which included critical, sensitive and proprietary data.

While most organizations don’t pay the ransom, the ransoms ranged from $500 to $1 Million. Most bitcoin-related ransoms were 1-3 bitcoins, ranging from $600 to $11,000.

Organizations are, however, realizing the value in maintaining backup copies of their data, with 61 percent recovering server data from backups and 35 percent recovering workstation data from backups following an attack.

"While ransomware attacks are becoming more and more sophisticated, they are preventable. As the report shows, endpoint protection solutions help protect against a material percentage of malware, but don't actually put a stop to the threat," says Stu Sjouwerman, CEO of KnowBe4.

"It's only by adding continual testing and training of employees that organizations create their strongest security posture and see a significant decrease in both ransomware and external malware attacks. This shows a well-implemented security awareness training program makes an organization much less susceptible to an attack.

"As these threats continue to grow, it's imperative that organizations mobilize their last line of defense—their employees—to help protect against this threat."

What’s Truly Effective in Stopping Ransomware Attacks?

At the end of the day, the goal is to put the most effective solutions in place that will stop the most attacks. The list of solutions above reads like a “Who’s Who” of security staples. But are they successful in stopping both ransomware and other malware attacks?

As shown in the report, most of the solutions largely have a similar effectiveness rate of stopping all forms of malware. An average of 13% of organizations experienced a ransomware attack, and 25% of organizations experienced an external attack, regardless of the type of security software in place.

Adding Awareness Training Decreases Malware Infections by 37%

But it’s the addition of security awareness training and phishing testing that had the greatest impact. The organizations continually performing security awareness training, as well as periodically testing employees with phishing emails saw the lowest percentage of ransomware attacks (8%) and malware-based external attacks (14%) in the last 12 months.

In both cases, the addition of security awareness training and testing saw a 37% decrease in the success rate of malware versus those organizations simply relying on security software."

The full report along with recommendations and graphs for improving security is available from the KnowBe4 website at no cost:

New Phishing Security Test - See How You Compare to Peers in Your Industry!

We've got something really cool for you: the new Phishing Security Test v3.0.

Sending simulated phishing emails is a fun and effective cybersecurity best practice to patch your last line of defense… your users.

Find out the Phish-prone percentage™ of your organization with our updated Phishing Security Test that now includes New Industry Benchmarking. See where you stack up! Industry Benchmarking enables you to compare your organization’s Phish-prone percentage with others in your industry.

With Our Updated Phishing Security Test:
  • You can customize the phishing test based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Start phishing your users now. There is no cost.

Live Webinar: What Most Computer Security Defenses Are Doing Wrong and How to Fix It

Most companies have huge gaps in their computer security defenses, and can be compromised at will by a determined hacker. The industry even has a term for it: “Assume Breach”.

But it doesn’t have to be that way!

Join Roger A. Grimes, a 30-year computer security consultant and author of 10 books, for this live webinar where he will explore the latest research on what’s wrong with current network defenses and how they got this way. Roger will teach you what most organizations are doing wrong, why, and how to fix it. You’ll leave this webinar with a fresh perspective and an action plan to improve the efficiency and effectiveness of your current computer security defenses.

In this live webinar, Roger will teach you:
  • What most companies are doing wrong, why, and how to fix it
  • An action plan to improve the effectiveness of your computer security defenses
  • How to create your “human firewall”
Attend this webinar and never think about computer security the same way ever again.

Date/Time: Thursday, March 15th at 2:00 PM ET

Register Now:

FBI Warns of Spike in W-2 Phishing but Two Central Texas Employers Fall for the Scam

The FBI has joined the IRS in warning that W-2 tax form phishing is on the rise.

The US tax filing deadline is now less than a month-and-a-half away, and tax-themed phishing is trending up. Compromised or spoofed emails purporting to be from a company executive are received by the human resources department. Those emails request W-2 information.

That's simply the lead-in to the scam's real goals: collecting personal information on employees, fraudulent wire transfers of company funds, or both. The emails asking for W-2 information often carry the wire transfer request as well.

It follows that training against the kind of social engineering common in business email compromise (BEC) is valuable here as well. HR personnel should be unusually vigilant for phishing attempts during tax season. Here's the FBI advisory:

Two Central Texas Employers Fall for the Scam

AUSTIN (KXAN) — The W-2s of workers of two Central Texas employers were compromised in two separate phishing scams.

The Austin Diagnostic Clinic Association reported the 2017 W-2 and address information of employees were compromised on Feb. 27, thanks to an email attack. Patient information was not affected, according to Bob Presley, a compliance officer at ADCA.

“Based on the information we currently have, the only information that was compromised was that which is contained in a W-2 form and address information; there was no compromise of patient health information,” Presley said.

Separately, Rockdale Independent School District fell victim to a similar scam, in which all of its W-2s were also compromised.

Both groups reported the incidents to law enforcement and the IRS, and they are working with employees to get credit protection for those who were affected.

Last year, the IRS says more than 200 employers fell victim to the phishing scam, which translated into hundreds of thousands of employees who had their information compromised. The IRS says the Form W-2 scam has emerged as one of the most dangerous phishing emails in the tax community.

Step those high-risk users in HR and Accounting through new-school security awareness training.

How IT Admins Can Fight Mobile Number Port-Out Scams

If you are an IT admin and you use your phone for two-factor authentication on privileged accounts, have a look at this and consider whether it could be used to get into your network or critical apps. For instance, if you or your Salesforce administrator use SMS codes as the second factor for Salesforce, this is a real risk: whoever ports your number away receives those codes. Brian Krebs describes the problem and suggests a solution.

"T-Mobile, AT&T and other mobile carriers are reminding customers to take advantage of free services that can block identity thieves from easily "porting" your mobile number out to another provider, which allows crooks to intercept your calls and messages while your phone goes dark. Tips for minimizing the risk of number porting fraud are available below for customers of all four major mobile providers, including Sprint and Verizon."

Don’t Miss the March Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, March 7, 2018, at 2:00 PM (EST) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • NEW Industry Benchmarking feature enables you to compare your organization’s Phish-prone percentage™ with others in your industry.
  • Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 16,000+ organizations have mobilized their end-users as their last line of defense.

Register Now:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Constant kindness can accomplish much. As the sun makes ice melt, kindness causes misunderstanding, mistrust, and hostility to evaporate." - Albert Schweitzer, Humanitarian (1875 - 1965)

"Kindness is the language which the deaf can hear and the blind can see." - Mark Twain

Thanks for reading CyberheistNews

Security News
Apple Warning: Customers Phished with Bogus Subscription Cancellation

Apple is warning its customers of a new phishing campaign circulating in the wild. An email that appears to come from the company's App Store tells the recipient that they've got a free, one-month trial subscription to "YouTubeRed," which will automatically renew at the end of the trial period.

Since the monthly charge is high, $144.99, the recipient will probably immediately click the "Cancel subscription" link the email provides. When they do, they reach a page that asks them for the Apple ID credentials, their credit card, and other sensitive information.

All of this is a scam. Apple suggests that, if you haven't initiated the contact with them, any emails you receive that seem to be from Apple should be regarded as probably fraudulent.

And emails from Apple services will never ask you for information like your Social Security number, answers to security questions like your mother's maiden name, your full credit card number, or your card's CVV security code.

See Mac Rumors for security advice:

FS-ISAC Phished

The Financial Services Information Sharing and Analysis Center (FS-ISAC), has sustained and contained a successful phishing attack. FS-ISAC is the financial services sector's principal cyber threat sharing forum. It's long-established and has a good reputation as a sophisticated consumer of risk intelligence.

An employee's account was compromised and used to run a larger phishing campaign against the ISAC's members. This is a good news / bad news story. The good news is that most of the ISAC members who received the second round of phishing emails recognized them for what they were and quickly reported them.

This shows that awareness training works, and FS-ISAC does have a security training program in place. The bad news is that the initial approach that tricked the first victim into giving up credentials wasn't particularly sophisticated.

It appears to have been a routine bit of retail social engineering, not even particularly targeted. See KrebsOnSecurity for the story:

The Woz Gets Scammed

You needn't be a noob to fall victim to online scams. Steve Wozniak himself, cofounder of Apple, says he was the gullible mark who fell victim to a Bitcoin fraudster. He lost seven Bitcoins (which now would be worth about $70,000) to a crook who paid Wozniak for the cryptocurrency with a credit card.

Once the Bitcoins were in the crook's wallet, the crook simply got a chargeback on his credit card and Wozniak was left with nothing. Once Bitcoins are transferred, the transfer is irrevocable.

That's not the case with credit card payments, and chargebacks are done frequently, especially with card theft running at its current high rates. If you're selling Bitcoin, don't accept credit cards. See Naked Security for the sobering story:

Phishing the Unphishable Yubikey

The Yubikey is a hardware token that implements Universal 2nd Factor (U2F) authentication. It's been widely regarded as impossible to phish, and usually it is: the browser binds every U2F assertion to the origin of the page that requested it, so a signature obtained by a look-alike site is useless at the real one. But there's a problem. Chrome's WebUSB feature lets a web page talk to a USB device directly, and that can be used to bypass the browser's origin check and phish Yubikey-protected logins.

As WIRED explained, "With a sufficiently convincing phishing site ... a hacker could both trick a victim into typing in their username and password—as with all phishing schemes—and then also send a query directly from their malicious website to the victim's Yubikey, using the response it provides to unlock that person's account."

This kind of phishing is difficult to pull off. So far it has been seen only as a proof of concept; in the wild it would probably be used only by a sophisticated attacker working against a specific high-value target.

If you're concerned about this subversion of U2F, consider disabling WebUSB. Note that, again, a trained user is a better defense here than the token alone: the attack still needs a user to fall for that "sufficiently convincing phishing site." WIRED has the story here:

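To make the origin-binding point concrete, here is an added example, not code from Yubico, Google or the WIRED article, that models the three parties in a U2F login in Python: the token, the browser's U2F API, and the relying party. The "signature" is an HMAC under a secret that the relying party also holds, a stand-in for the token's per-site ECDSA key so the example runs without extra libraries; the site names and challenge are constructed. The honest flow succeeds, a phishing page that asks the browser's API for the bank's appId is refused, and the WebUSB path, where the page sends the raw request to the device itself with the bank's appParam and a relayed challenge, yields an assertion the bank accepts.

```python
import hashlib
import hmac
import json
import os
import struct

BANK = "https://bank.example"          # the real relying party (constructed name)
PHISH = "https://bank-login.example"   # the look-alike phishing origin (constructed name)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Token:
    """Stand-in for a U2F authenticator. A real key signs with a per-site ECDSA
    private key; here the "signature" is an HMAC under a secret the relying party
    also holds, which keeps the example dependency-free. The signed message uses
    the U2F authentication layout: appParam || user-presence byte || 4-byte
    counter || challengeParam."""

    def __init__(self):
        self.key = os.urandom(32)
        self.counter = 0

    def sign(self, app_param: bytes, challenge_param: bytes):
        self.counter += 1
        msg = app_param + b"\x01" + struct.pack(">I", self.counter) + challenge_param
        return self.counter, hmac.new(self.key, msg, hashlib.sha256).digest()


def client_data(origin: str, challenge: str) -> bytes:
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin},
                      sort_keys=True).encode()


def browser_u2f_sign(token: Token, page_origin: str, app_id: str, challenge: str):
    """The browser's U2F API. It fills in the origin itself and refuses an appId
    the calling page may not use (simplified here to appId == origin; real
    browsers also consult the appId's facet list). This origin binding is what
    makes U2F phishing-resistant."""
    if app_id != page_origin:
        raise PermissionError("appId %r not permitted for origin %r" % (app_id, page_origin))
    cd = client_data(page_origin, challenge)
    counter, sig = token.sign(sha256(app_id.encode()), sha256(cd))
    return cd, counter, sig


def webusb_raw_sign(token: Token, app_param: bytes, challenge_param: bytes):
    """What WebUSB permits: the page sends the raw U2F request to the device
    itself and chooses appParam freely. No browser origin check runs."""
    return token.sign(app_param, challenge_param)


def relying_party_verify(shared_key: bytes, app_id: str, challenge: str,
                         cd: bytes, counter: int, sig: bytes) -> bool:
    """Relying-party side: clientData must carry our challenge and name our
    origin, and the signature must cover our appParam and that clientData.
    The RP can only check what clientData *claims* the origin was."""
    parsed = json.loads(cd)
    if parsed.get("challenge") != challenge or parsed.get("origin") != app_id:
        return False
    msg = sha256(app_id.encode()) + b"\x01" + struct.pack(">I", counter) + sha256(cd)
    expected = hmac.new(shared_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legitimate_login(token: Token, challenge: str) -> bool:
    cd, counter, sig = browser_u2f_sign(token, BANK, BANK, challenge)
    return relying_party_verify(token.key, BANK, challenge, cd, counter, sig)


def phishing_via_browser_api(token: Token, challenge: str) -> bool:
    """The phishing page asks the browser for an assertion for the bank's appId;
    the browser refuses, so the attacker never obtains a usable signature."""
    try:
        cd, counter, sig = browser_u2f_sign(token, PHISH, BANK, challenge)
    except PermissionError:
        return False
    return relying_party_verify(token.key, BANK, challenge, cd, counter, sig)


def phishing_via_webusb(token: Token, challenge: str) -> bool:
    """The phishing page relays the bank's live challenge, forges clientData that
    claims the bank's origin, and has the token sign the bank's appParam directly."""
    forged = client_data(BANK, challenge)
    counter, sig = webusb_raw_sign(token, sha256(BANK.encode()), sha256(forged))
    return relying_party_verify(token.key, BANK, challenge, forged, counter, sig)
```

The relying party cannot tell the WebUSB case from the honest one, because everything it checks arrives from the page. The defense lives in the browser (not exposing FIDO devices to WebUSB) and in the user not entering credentials on the look-alike site in the first place.
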
Stay out of Botnets

We tend to think more about the danger botnets pose to us than about keeping our own devices from being roped into botnets that could be used against other targets. There is a large, relatively new, and unusually disruptive form of amplification attack going on in the wild. US-CERT has warned that memcached, the open-source in-memory caching system, can be abused to amplify distributed denial-of-service attacks.

The vulnerability being exploited affects memcached servers that have the User Datagram Protocol (UDP) enabled and are reachable from the Internet. US-CERT takes the problem seriously. It has updated its advisory on amplification attacks to include memcached as a vector, and notes that, in terms of Bandwidth Amplification Factor, memcached is far larger than any other vector it lists.

US-CERT explains UDP amplification as follows: "By design, UDP is a connection-less protocol that does not validate source Internet Protocol (IP) addresses. Unless the application-layer protocol uses countermeasures such as session initiation in Voice over Internet Protocol, an attacker can easily forge the IP packet datagram (a basic transfer unit associated with a packet-switched network) to include an arbitrary source IP address.

When many UDP packets have their source IP address forged to the victim IP address, the destination server (or amplifier) responds to the victim (instead of the attacker), creating a reflected denial-of-service (DoS) attack." Memcached amplification is relatively new, but Arbor Networks expects it to be offered soon as a commodity booter service.

memcached has no authentication or access controls by design, so a memcached server should never be reachable from the Internet. Cloudflare recommends disabling UDP wherever you possibly can. The SANS Internet Storm Center suggests that blocking UDP port 11211 at the network perimeter is useful as well. Cyxtera has some advice on memcached in their blog:

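Whether a server you operate answers memcached requests over UDP is easy to check, and the answer is exactly the property an attacker abuses: a server that replies to an unauthenticated "stats" datagram will reply just as readily to one whose source address has been forged to a victim's. The following is an added example, not code from US-CERT, Cloudflare or the memcached project. It builds the memcached UDP frame (an 8-byte header of request id, sequence number, datagram count and a reserved field, followed by the text-protocol command), sends "stats", and reports the bandwidth amplification factor. So that it runs offline it also starts a constructed loopback responder that mimics an exposed server with a canned reply; the loopback host, the ports and the reply contents are assumptions made for the demonstration.

```python
import socket
import struct
import threading

MEMCACHED_PORT = 11211

# Constructed stand-in for the reply an exposed server gives to "stats".
# A real memcached returns on the order of 1-2 KB here; "get" on a large key
# returns far more, which is where the very large amplification factors
# reported for this attack come from.
SAMPLE_STATS = b"".join(
    b"STAT %s %d\r\n" % (name, 1000 + 97 * i)
    for i, name in enumerate([
        b"pid", b"uptime", b"time", b"pointer_size", b"rusage_user",
        b"rusage_system", b"max_connections", b"curr_connections",
        b"total_connections", b"cmd_get", b"cmd_set", b"cmd_flush", b"get_hits",
        b"get_misses", b"delete_hits", b"delete_misses", b"bytes_read",
        b"bytes_written", b"limit_maxbytes", b"threads", b"bytes", b"curr_items",
        b"total_items", b"evictions", b"reclaimed",
    ])
) + b"END\r\n"


def build_udp_frame(command: bytes, request_id: int = 1, seq: int = 0, total: int = 1) -> bytes:
    """memcached UDP frame: request id, sequence number, total datagrams in the
    message and a reserved field (four 16-bit big-endian words), then the command."""
    return struct.pack("!HHHH", request_id, seq, total, 0) + command


def parse_udp_frame(datagram: bytes):
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = struct.unpack("!HHHH", datagram[:8])
    return request_id, seq, total, datagram[8:]


def probe(host: str, port: int = MEMCACHED_PORT, timeout: float = 2.0):
    """Send one 'stats' request over UDP and collect the reply datagrams.
    Returns (responded, bytes_sent, bytes_received). Any answer at all means
    the server will reflect traffic to a spoofed source address."""
    frame = build_udp_frame(b"stats\r\n")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    received, seen, total = 0, set(), None
    try:
        sock.sendto(frame, (host, port))
        while total is None or len(seen) < total:   # stop once every datagram arrived
            try:
                data, _peer = sock.recvfrom(65535)
            except OSError:   # timeout, or an ICMP unreachable surfaced as an error
                break
            _rid, seq, total, _payload = parse_udp_frame(data)
            seen.add(seq)
            received += len(data)
    finally:
        sock.close()
    return received > 0, len(frame), received


def amplification_factor(bytes_sent: int, bytes_received: int) -> float:
    """Bandwidth amplification factor as US-CERT uses it: reply bytes per request byte."""
    return bytes_received / bytes_sent if bytes_sent else 0.0


def start_fake_memcached(stats_reply: bytes = SAMPLE_STATS) -> int:
    """Bind a loopback UDP socket that answers one 'stats' request with the
    canned reply, so the probe can be exercised offline. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def serve():
        try:
            data, peer = srv.recvfrom(65535)
            request_id, _seq, _total, cmd = parse_udp_frame(data)
            if cmd.strip() == b"stats":
                srv.sendto(build_udp_frame(stats_reply, request_id), peer)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_loopback_port() -> int:
    """Pick a loopback UDP port with nothing listening, for the negative case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

To check a real host, call probe(host) with the default port 11211 from outside its network; any reply is a finding. On the server side, start memcached with -U 0 to disable UDP entirely, or -l 127.0.0.1 to listen on loopback only (memcached 1.5.6 and later disable UDP by default), and filter UDP port 11211 at the perimeter as SANS suggests.
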
New Single-Sign-On Vulnerability

Duo Security has found a new class of vulnerability affecting single sign-on systems that use the Security Assertion Markup Language (SAML). Exploitation could permit a user with an authenticated account to authenticate as a different user without knowing that victim's password.

This would give attackers an easy way of pivoting from one compromised user to other accounts on a network. Remediation is possible but complicated because there are so many different single-sign-on solutions in use, not all of which are equally vulnerable.

Duo observes that what you should do about the SAML vulnerability depends on your relationship with your vendor, and sensibly recommends contacting that vendor for the right patch or mitigation. Patches are available, since disclosure was coordinated with vendors. If you run a single sign-on system, check with your vendor for fixes. Duo's report is here:

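The mechanism Duo reported is worth seeing in code. The affected SAML libraries verified the assertion signature correctly but read the NameID value with a text-extraction call that stops at the first child node. An attacker holding an account named, say, attacker@corp.example.evil.example inserts an empty XML comment into the signed assertion right after attacker@corp.example: canonicalization without comments leaves the signed bytes unchanged, so the signature still verifies, while the service provider reads only attacker@corp.example and logs the attacker in as that user. The following is an added example, not code from Duo's report or from any SAML library; the assertion fragment and account names are constructed for illustration, and Python's minidom stands in for the affected parsers.

```python
from xml.dom import minidom
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion fragment. The attacker's real account at the IdP is
# "attacker@corp.example.evil.example"; after the IdP signs the assertion the
# attacker splits the NameID text with an empty comment.
SIGNED_NAME_ID = "attacker@corp.example.evil.example"
TAMPERED = (
    '<saml:Assertion xmlns:saml="%s"><saml:Subject>'
    '<saml:NameID>attacker@corp.example<!---->.evil.example</saml:NameID>'
    '</saml:Subject></saml:Assertion>' % SAML_NS
)
ORIGINAL = TAMPERED.replace("<!---->", "")


def _name_id_node(assertion_xml: str):
    return minidom.parseString(assertion_xml).getElementsByTagName("saml:NameID")[0]


def name_id_vulnerable(assertion_xml: str) -> str:
    """The exploitable pattern: take only the first text node under NameID.
    lxml's Element.text behaves the same way, stopping at the first child
    node, and a comment is such a node."""
    first = _name_id_node(assertion_xml).firstChild
    return first.data if first is not None and first.nodeType == first.TEXT_NODE else ""


def name_id_hardened(assertion_xml: str) -> str:
    """Concatenate every text node, so a comment that splits the value cannot
    hide its tail."""
    node = _name_id_node(assertion_xml)
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


def name_id_strict(assertion_xml: str) -> str:
    """Stricter still: refuse the assertion if NameID holds anything but text."""
    node = _name_id_node(assertion_xml)
    if any(c.nodeType != c.TEXT_NODE for c in node.childNodes):
        raise ValueError("NameID contains non-text nodes; rejecting assertion")
    return "".join(c.data for c in node.childNodes)


def canonical(assertion_xml: str) -> str:
    """Canonical form without comments, which is what the signature covers.
    Inserting a comment does not change it, so the signature still verifies."""
    return ET.canonicalize(assertion_xml, with_comments=False)
```

ET.canonicalize implements C14N 2.0 rather than the Exclusive C14N 1.0 most SAML deployments use, but both omit comments by default, which is the property the attack relies on. The practical fix is the library patch from your vendor; if you maintain your own assertion handling, prefer the strict variant over trying to stitch text nodes together.
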
Piper Jaffray Keeps Track: Breaches Were up 43.8% in 2017

"We conducted our analysis of breaches reported in the month of January and also have restated our 2017 analysis. There were 116 breaches in January, which was down 7.2% Y/Y. A total of 3.2 million records were exposed in the month of January, which was inclusive of one large breach (Jason's Deli). The restated results for 2017 show that breaches were up 43.8% Y/Y."

How & Why the Cybersecurity Landscape Is Changing

DarkReading wrote: "A comprehensive new report from Cisco should "scare the pants off" enterprise security leaders. Cisco recently published its 2018 annual cybersecurity report. The study is far more comprehensive than previous surveys and includes threat research from its Talos group and a number of technology partners, along with a survey of 3,600 chief security officers and security operations managers from all over the world.

Highlights of the study include four key assertions:
  • Malware is becoming self-propagating.
  • Ransomware isn't only for ransom.
  • Adversaries are stepping up their evasion capabilities.
  • The Internet of Things (IoT) is becoming a significant threat vector.
The lesson of the report is that the bad guys are getting smarter, are creating more damage, and have more tools at their disposal. But the big issue for security professionals is what to do about it. Clearly, doing what you did before isn't going to protect your business.

If the hackers and threats keep evolving, so must an organization's security strategies. Here are four "no-brainer" recommendations:

And of course, step users through new-school security awareness training...

What Our Customers Are Saying About Us

Happy Customer: "The product is great and your staff is even better! Like everything in life there are challenges in each institution – but with the tremendous support by your staff we have met all the challenges." - CC, Sr. Info Tech Consultant

Happy Customer: "The KnowBe4 platform has been a god-send and really helped us overcome a regulatory issue with Security Awareness training that came up in the last 2 months. I am getting compliments from the board of directors and our general counsel." - RM, IT Ops

Interesting News Items This Week

Now here is something fun. Researchers Warn of Extraterrestrial Hacks:

New Incident Response Study Reveals More Than Half of Attackers Use Social Engineering to Target Organizations:

Business Email Compromise; The Secret Billion Dollar Threat:

Updated Securities and Exchange Commission Statement and Guidance on Public Company Cybersecurity Disclosures. This is the official PDF; send it to Legal:

Going Phishing; Countering Fraudulent Campaigns:

Ethereum Scammers Posing as Tech Celebrities Are Running Rampant On Twitter:

Ukraine police say they've rearrested cybercrime ringleader:

Everyone is a Spear Phishing Target:

Ransomware set to become more vicious in 2018:

This website is selling your usernames and passwords on the darknet. KnowBe4 featured on ABC TV:

Prepared in cooperation with the CyberWire research team.

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Want to actually race a Tesla Semi? Subscribe to their newsletter and get entered. You can use my Tesla referral link, I drive a P100D:
    • How to Pick a Lock, example video with a transparent padlock:

FOLLOW US ON: Twitter | LinkedIn | Google | YouTube
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
