CyberheistNews Vol 8 #13   |   March 26th, 2018
City of Atlanta IT Systems Shut Down by SamSam Ransomware

It was all over the major press. The Mayor of Atlanta, Georgia has confirmed that several local government systems are currently down due to a ransomware infection.

Mayor Keisha Lance Bottoms expects city departments to open, but operate without IT support. Asked if the city plans to pay the ransom note, Mayor Bottoms said "We can't speak to that right now. We will be looking for guidance from specifically our federal partners."

According to 11Alive, a local TV station, the infection was caused by the SamSam ransomware, a strain that's been very active at the start of this year, and had previously also infected the Colorado Department of Transportation. SamSam is also notorious for deleting Veeam backups. Full story with updates at the KnowBe4 blog:
https://blog.knowbe4.com/city-of-atlanta-it-systems-shut-down-by-samsam-ransomware
Why Social Engineering Works and How to Arm Yourself Against "Human Hacking"

Let me share some observations after 7 years of building KnowBe4 from scratch into a 100 million dollar company.

We train your employees to recognize social engineering attacks and not fall for hacker tactics that attempt to manipulate them into doing something against their and your interests. In short, we enable your employees to make smarter security decisions, every day.

But what is the basic mechanism behind social engineering? Why exactly does it work? How do you arm yourself against it?

Over the last 15 years, a lot of books have been written about this, and many experts have voiced their opinions. However, here is some hard-won experience from the trenches.

We all know that the bad guys go after your users—the weak link in IT security—because hacking humans is easier and faster than hacking software or hardware. Hacking the wetware can often be done in less than a minute.

OK, so exactly WHY is it so easy to hack the wetware?

Let's have a look at people's behavior in general for a moment and paint a picture in your mind. Two extremes: fully rational on the left and fully irrational on the right. In a business environment, which ideally is driven by both reason and competition, there is of course no pure black or white; these two extremes are really a gray scale, and employees hopefully operate left of the middle.

Continue reading at the KnowBe4 blog, this is an essential 5-minute read:
https://blog.knowbe4.com/why-social-engineering-works-and-how-to-arm-yourself-against-human-hacking
US Disrupts 'Massive And Brazen' Iranian Phishing Scheme, DOJ Says

Friday morning the US Department of Justice announced that it had indicted Iran's Mabna Institute and nine of the individuals who work for it. The charges include conspiracy to commit computer intrusions, wire fraud, unauthorized access of a computer, and aggravated identity theft.

The Mabna Institute allegedly works as a contractor for Iran's Islamic Revolutionary Guard Corps. It has, Justice said in a Friday press conference, conducted a lengthy, years-long, and far-flung cyberespionage campaign against targets in some twenty-one countries, including the US. The campaign appears to have been directed toward the theft of technical information and intellectual property.

Some of the information Iran used; some of it Iran sold. The methods the Mabna Institute used in its campaign are interesting. They approached their harder targets by first compromising easier ones. The softer targets, university professors in more than three-hundred institutions around the world, were trawled with a very large phishnet.

Some hundred-thousand professors were sent spear phishing attacks, and about eight thousand of them were caught. From those compromised individuals the hackers gained access to university credentials and databases. They then used what the FBI called "low and slow password spraying attacks" to move to harder targets in industry and government. More:
https://blog.knowbe4.com/us-disrupts-massive-and-brazen-iranian-phishing-scheme-doj-says
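
The "low and slow" spraying the FBI describes is hard to catch with per-account lockout rules, because each account sees only one or two failures while one source quietly touches many accounts. The detector below is an added example, not code from the newsletter, the FBI or KnowBe4: it parses a few constructed sshd-style log lines and flags a source IP that, inside a sliding time window, fails against many distinct usernames while never exceeding a small per-user failure count. The log format, thresholds and addresses are assumptions chosen for the example.

```python
"""Flag "low and slow" password spraying in authentication logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 203.0.113.7 fails once each
# against six accounts over ~80 minutes and then logs in as "frank"; 198.51.100.9
# hammers a single account (classic brute force, not spraying); 192.0.2.44 is benign.
SAMPLE_LOG = """\
2018-03-20T01:00:05 auth sshd: Failed password for alice from 203.0.113.7
2018-03-20T01:14:10 auth sshd: Failed password for bob from 203.0.113.7
2018-03-20T01:29:42 auth sshd: Failed password for carol from 203.0.113.7
2018-03-20T01:45:03 auth sshd: Failed password for dave from 203.0.113.7
2018-03-20T02:01:19 auth sshd: Failed password for erin from 203.0.113.7
2018-03-20T02:16:55 auth sshd: Failed password for frank from 203.0.113.7
2018-03-20T02:31:07 auth sshd: Accepted password for frank from 203.0.113.7
2018-03-20T01:05:00 auth sshd: Failed password for alice from 198.51.100.9
2018-03-20T01:05:02 auth sshd: Failed password for alice from 198.51.100.9
2018-03-20T01:05:04 auth sshd: Failed password for alice from 198.51.100.9
2018-03-20T01:05:06 auth sshd: Failed password for alice from 198.51.100.9
2018-03-20T09:30:00 auth sshd: Accepted password for bob from 192.0.2.44
"""

# Assumed line shape: "<iso-timestamp> <host> sshd: Failed|Accepted password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, result, user, ip) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect_spraying(text, window=timedelta(hours=2), min_users=5, max_per_user=2):
    """Map each suspicious source IP to the usernames it sprayed and any accounts it got into.

    A source is flagged when, within any `window`, it fails against at least `min_users`
    distinct usernames and no single username sees more than `max_per_user` failures
    (the profile that keeps spraying under per-account lockout thresholds).
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...]
    accepted = defaultdict(set)    # ip -> {user, ...} that later authenticated
    for ts, result, user, ip in parse_log(text):
        if result == "Failed":
            failures[ip].append((ts, user))
        else:
            accepted[ip].add(user)

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        for i in range(len(fails)):
            start = fails[i][0]
            # Events are sorted, so this is the window that starts at event i.
            users_in_window = [u for ts, u in fails[i:] if ts - start <= window]
            counts = Counter(users_in_window)
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                findings[ip] = {
                    "users": sorted(counts),
                    "accepted": sorted(accepted.get(ip, ())),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_spraying(SAMPLE_LOG).items():
        severity = "CRITICAL (login succeeded)" if info["accepted"] else "WARNING"
        print(f"{severity}: {ip} sprayed {len(info['users'])} accounts: {', '.join(info['users'])}")
```

The single-account brute force from 198.51.100.9 is deliberately not flagged, since lockout rules already handle it; the point of the distinct-user rule is to surface the pattern that those rules miss. In a real deployment the same logic should run across all authentication sources (VPN, mail, SSO) with the window and thresholds tuned to the organisation's normal failure rate.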
Business Email Compromise Can Be a Company Killer

The FBI in 2016 called business email compromise the "$3.1 billion dollar scam." By last year that scam had grown to $5 billion. It's on its way to reaching $9 billion. The stakes are enormous. Falling victim to a business email compromise scam can be a company killer.

If an employee is led by a spoofed email to execute a large wire transfer of company funds, those funds are probably gone beyond recovery. Business email compromise attacks don't have the kind of signatures that lend themselves to detection and blocking by technical means.

The ultimate defense against social engineering of this kind is a workforce that has been educated to recognize the scams for what they are, and that is supported by sound security policies that the company's leaders endorse and follow. SecurityWeek has the story:
https://www.securityweek.com/preventing-business-email-compromise-requires-human-touch
Don’t Miss the April Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, April 4, 2018, at 2:00 PM (ET) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • NEW Industry Benchmarking feature enables you to compare your organization’s Phish-prone percentage™ with other companies in your industry.
  • Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 16,000+ organizations have mobilized their end-users as their last line of defense.

Register Now:
https://attendee.gotowebinar.com/register/7031645529849350145?source=CHN
NEW: The 2018 Threat Impact and Endpoint Protection Report

In Short: Ransomware isn't going away and it's not slowing down.

Ransomware is a multi-billion dollar business with the number of new ransomware variants continuing to grow quarter-over-quarter. Despite the many security offerings available, organizations continue to fall victim to ransomware attacks.

For this brand new report, we surveyed businesses across all industries to find out what they're doing to defend themselves. We thoroughly examined who is at risk, what the scope and cost of an attack is, how organizations are protecting themselves from ransomware, and the effectiveness of their endpoint protection.

Find out what is really the best way to combat the threat of ransomware. The results might surprise you!
https://info.knowbe4.com/threat-impact-endpoint-protection
Please Help This Poor Victim of a Bank Audit

See the below email. Sender claims they need help to wire some money because their own bank account is under an internal bank audit. And they promise they will pay you back. Because, seriously, they will...

From: Lucille Walker <lwalker@tccsmd.org>
To:
Cc:
Bcc:
Date: Tue, 20 Mar 2018 23:34:23 -0400
Subject: How Are You Doing???


Please I have a small request to make to you. I have an agent in Hong Kong to settle a payment of $6,500 USD which is due for the goods I purchased and are ready for shipment, but unfortunately I can not send payment now because my company account is currently under internal bank audit which started yesterday.

This means I cannot withdraw or send funds until next week. Could you please help me make the payment of the amount to the agent? I promise to transfer back to you by next week.

Please reply me ASAP so I can send you the account details of the agent in Hong Kong.
- Lucille

Sure hon, right away ! ;-D

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The best way out is always through." - Robert Frost - Poet (1874 – 1963)

"The best way to resolve any problem in the human world is for all sides to sit down and talk."
- Dalai Lama (born 1935)



Thanks for reading CyberheistNews
Security News
LAST CHANCE... Try our Ransomware Simulator for a chance to WIN!

Bad guys are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s free Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection.

Plus, you'll be entered to win an awesome 34-Inch Curved UltraWide LG Monitor. To make it even better, we’ll pick 3 winners!

RanSim has been downloaded thousands of times and run against dozens of AV products. The results have been an eye-opening experience for many IT pros. Get RanSim!
https://info.knowbe4.com/ransim-sweepstakes-march-2018
Phishing as a Weapon in Information Warfare

"Guccifer 2.0" represented himself as a Romanian hacktivist when he doxed the Democratic National Committee during the last US election cycle. He gained access to the DNC's emails by social engineering.

And he claimed to be a disinterested investigator out to alert people to the dangers of "the Illuminati," the favorite bugaboo of fringe conspiracy theorists. It quickly became clear that Guccifer 2.0 wasn't who he claimed to be.

Now we know, however, who in fact he was. Or rather, who they were: a team within Russia's GRU military intelligence service. Investigators were able to identify Guccifer 2.0 because Guccifer 2.0 got sloppy with their operational security.

They had been using a VPN service, VPN Elite. But on at least one occasion they forgot to start their VPN client. Their real IP address was disclosed, and that in turn revealed their physical address: a GRU facility in Moscow.

There are at least two lessons here. First, if you're using privacy-protecting services, do better with your opsec than Guccifer 2.0 did. Second, intelligence agencies use phishing as just another piece of tradecraft. They've always used social engineering to compromise and recruit. Now they do so by email. Ars Technica has the story:
https://arstechnica.com/tech-policy/2018/03/dnc-lone-hacker-guccifer-2-0-pegged-as-russian-spy-after-opsec-fail/
Business Email Equals Business Risk

Recent studies by Proofpoint and Clearswift highlighted the prevalence of email fraud. Business email compromise, as such fraud is generally known, need not carry a malicious attachment or link, or indeed any kind of attack payload at all. It relies for its success purely on misplaced trust.

The scammers impersonate the email of some trusted figure, usually an executive of the business under attack, and instruct the employee they contact to do something against the interests of the business. In the most typical and most immediately damaging cases, that will involve transferring funds to the scammers' account.

Training and, importantly, sound policies are the best ways to help employees avoid falling victim to such social engineering. See the story in Infosecurity Magazine:
https://www.infosecurity-magazine.com/news/email-fraud-is-a-top-business-risk/
Most Businesses Targeted With Email Fraud

Researchers at Proofpoint have found that fully 75% of surveyed organizations were hit at least once by email fraud over the last two years. 41% of the respondents said they'd been targeted more than once.

The people targeted were fairly well distributed across the organization: 55% said their finance department had been phished, 43% said accounts payable was the affected department, 37% reported that the C-suite had been hit, and, in 33% of the cases, the specific individuals affected had come from the general workforce. SC Magazine has the story:
https://www.scmagazineuk.com/three-quarters-of-businesses-targetted-at-least-once-by-email-fraud/article/752778/
Top Ten Ways to Recognize Phishbait and Spit the Hook

Phishing is a con game for the internet. Infosecurity Magazine talked to some industry experts including us about what you can do to recognize when you're being phished. They distilled the recommendations into ten. First, do some awareness training for your employees. Make sure it includes realistic exercises that test people's wariness with simulated phishing.

Second, understand the different approaches phishers will use. Show them to your employees. They are, after all, the targets.

Third, technical defenses have their place. They're not a cure-all, but businesses should consider moving detection tools to the mailbox.

Fourth, don't neglect behavior analysis and profiling. These can help your business recognize phishing.

Fifth, use multi-factor authentication. There's no good reason not to. And it can save you a lot of trouble.

Sixth, develop a multi-layered defense that includes behavioral analysis, mailbox profiling, automated forensics, and incident response.

Seventh, share threat intelligence.

Eighth, encourage your people to report suspicious emails.

Ninth, configure secure email and web gateways to filter URLs and block the most common malicious domains. And, finally, don't neglect the obvious: use anti-virus software and keep it up to date. Infosecurity Magazine's report may be found here:
https://www.infosecurity-magazine.com/magazine-features/top-ten-detect-phishing/
Training Customers for the May 25th GDPR Deadline

The approaching May 25th deadline for full GDPR implementation has focused the attention of business on the protection of personal data. Customer data, including credentials, paycard information, and other personally identifiable data, can be especially difficult to protect.

Those data are also valuable to cyber criminals. Holding such data is at some level inevitable, but businesses should be aware that this information puts a big target on their back. So minimize the amount of personal data you hold, and purge data that are no longer needed.

One easily overlooked risk is that businesses are increasingly being held liable for customers' own negligent practices. Password reuse is a good example. A business won't find it easy to know whether a customer has reused a password for their credentials on the business's site.

But most customers will be inclined to do so. And businesses have been held to account for losing customer data to credential stuffing attacks where the hackers simply try passwords compromised in some other breach that's completely unrelated to the business.

So it's in every business's self-interest not only to help educate their customers about such risks, but also to put policies in place that help them stay out of trouble. Requiring multifactor authentication on your site is one good step. See the story in HackRead:
https://www.hackread.com/how-to-keep-your-customers-safe-online-2018/
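
One concrete policy a site can enforce against credential stuffing is to refuse passwords that are already known from other breaches, so a customer's reused password never becomes a working credential on your system. The code below is an added example, not from the newsletter or HackRead: it models the k-anonymity range-lookup design used by Have I Been Pwned's Pwned Passwords service (client sends only the first five hex characters of the SHA-1 of the password; the server returns every stored suffix under that prefix; the client matches locally), but runs it entirely offline against a small constructed breach corpus. The corpus, its counts, and the policy thresholds are all assumptions chosen for the example.

```python
"""Breached-password check with a k-anonymity range lookup (added example)."""
import hashlib

# Constructed breach corpus: password -> number of times it was seen in breaches.
# These are made-up values for the example, not real breach data.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3645804,
    "123456": 23547453,
    "letmein": 236350,
    "Spring2018!": 1200,
}


def sha1_hex(text):
    """Upper-case hex SHA-1, the format the range protocol is keyed on."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Server-side index: full SHA-1 hex -> prevalence count.
BREACH_INDEX = {sha1_hex(pw): n for pw, n in CONSTRUCTED_BREACH_CORPUS.items()}


def range_query(prefix):
    """Server side: return every (35-char suffix, count) whose hash starts with `prefix`.

    The server never learns the full hash, only a 5-character prefix that many
    unrelated passwords share, which is what makes the lookup k-anonymous.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return sorted((h[5:], n) for h, n in BREACH_INDEX.items() if h.startswith(prefix))


def breach_count(password):
    """Client side: how many times the password appears in the corpus (0 if never).

    Only the prefix leaves the client; matching the suffix happens locally.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for stored_suffix, count in range_query(prefix):
        if stored_suffix == suffix:
            return count
    return 0


def password_policy_violations(password, min_length=12):
    """Return the list of reasons a password should be rejected at signup or reset."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    count = breach_count(password)
    if count:
        reasons.append(f"appears {count} times in known breaches")
    return reasons


if __name__ == "__main__":
    for candidate in ("letmein", "Spring2018!", "correct horse battery staple"):
        problems = password_policy_violations(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

Note that the breach check complements, rather than replaces, the multifactor requirement the story recommends: it removes the easiest credential-stuffing wins (reused passwords), while MFA limits the damage when a reused password slips through anyway. The same `breach_count` call can also be run at login time to prompt an existing user to change a password that has since shown up in a breach.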
What Our Customers Are Saying About Us

"Thank you! Keep up the fantastic work you do at KnowBe4. I haven’t had one real complaint, yet, about training. I’m happy, my team is happy. And KnowBe4 will be happy when you cash the check!

KnowBe4 is a no-brainer option for companies like us — easy to implement, easy to manage, and most importantly it’s cost-effective risk management. KnowBe4 single-handedly boosted our security posture in a big way.

I can’t wait to see subsequent phishing test results! KUDOS! I wish I could attend the KnowBe4-Con to meet some of the team, but I can’t make this time." Regards, H.R., Dir IT Operations


Stu, Just wanted to get back to you. Yes, we are happy using the Phishing tool and training modules. Our employees found the training to be fun, which was a good change for us.

The Phishing tool is a great piece of tech. Looking forward to continuing our relationship in the future. Regards, A.E., CISSP
Interesting News Items This Week

4 Ways Every Employee Can Play a Role in Their Company’s Security:
http://www.infosecisland.com/blogview/25048-4-Ways-Every-Employee-Can-Play-a-Role-in-Their-Companys-Security.html

Ukraine is a test bed for global cyberattacks that will target major infrastructure:
https://www.techrepublic.com/article/ukraine-is-a-test-bed-for-global-cyberattacks-that-will-target-major-infrastructure/

Flexera stops supporting Secunia Personal Software Inspector. This is too bad:
https://secuniaresearch.flexerasoftware.com/community/forum/thread/show/16037/psi_end_of_life

The 5 Latest Scam Emails You Should Avoid:
https://tech.co/the-5-latest-scam-emails-you-should-avoid-2018-03

Used to be there were 2 million. Now there are only 100,000 pay phones left in America, and 25% of them are in New York:
http://money.cnn.com/2018/03/19/news/companies/pay-phones/index.html

Yes, Cops Are Now Opening iPhones With Dead People's Fingerprints:
https://www.forbes.com/sites/thomasbrewster/2018/03/22/yes-cops-are-now-opening-iphones-with-dead-peoples-fingerprints/#748b90b3393e

The Digital Disconnect: 70% of UK employees not equipped with necessary tools and training:
http://www.itsecurityguru.org/2018/03/22/digital-disconnect-70-uk-employees-not-equipped-necessary-tools-training/

IRS sees 60% increase in data thefts from tax pros:
https://www.accountingtoday.com/news/irs-sees-60-increase-in-data-thefts-from-tax-pros-and-warns-of-new-client-scam

ISTR 23: Insights Into the Cyber Security Threat Landscape:
https://www.symantec.com/blogs/threat-intelligence/istr-23-cyber-security-threat-landscape

Legacy Cybersecurity Defenses Won’t Stop Ransomware and Cryptojacking Threats:
https://www.webroot.com/us/en/about/press-room/releases/ransomware-and-cryptojacking-threats

Inside credential stuffing: a quick guide for government:
https://www.themandarin.com.au/90065-government-credential-stuffing/

What new email security standards mean for federal agencies:
https://www.federaltimes.com/opinions/2018/03/19/what-new-email-security-standards-mean-for-federal-agencies/

Administrator's Password Bad Practice:
https://isc.sans.edu/forums/diary/Administrators+Password+Bad+Practice/23465/

Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.