CyberheistNews Vol 8 #2 Scam of the Week: Fake Meltdown and Spectre Patch Phishing Emails


Here are some steps you can take to protect yourself against Meltdown and Spectre. Note that the bad guys have already jumped on this bandwagon with phishing attacks, so inoculate your users now and strengthen your human firewall.

For the most part protecting your network comes down to applying the many patches vendors have been rolling out since the bugs broke into public awareness.

There are three CVEs, and technically they enable side-channel attacks: information leaks that are an unfortunate side effect of the chips having been engineered for speed by performing speculative execution, which leaves traces in the CPU cache that attacker code on the same machine can measure.

"Meltdown" (CVE-2017-5754) is a flaw that lets ordinary user-mode applications cross the boundary the chip enforces to keep the private contents of kernel memory off limits; Intel chips produced over the last decade are affected.

The other two vulnerabilities are being called "Spectre" (CVE-2017-5753, bounds check bypass, and CVE-2017-5715, branch target injection), and these are more insidious and widespread, having been found in chips from AMD and ARM as well as Intel.

Spectre could enable an attacker to bypass isolation among different applications. Some early reports began to appear at the end of the first week in January that Meltdown was being exploited in the wild.
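As an added example (not part of the newsletter), here is the check a Linux administrator would run to confirm the patches described above have actually landed on a host: since kernel 4.15 the kernel reports its mitigation status for each of the three CVEs in one-line files under /sys/devices/system/cpu/vulnerabilities/. The fallback sample directory the script builds is constructed for the example; the status strings it contains are ones real kernels print.

```python
"""Summarise a Linux kernel's Meltdown/Spectre mitigation status.

Added example, not code from the newsletter. Reads the per-vulnerability
status files the kernel exposes under
/sys/devices/system/cpu/vulnerabilities/ (present since Linux 4.15).
Each file holds one line such as "Not affected", "Vulnerable" or
"Mitigation: PTI". The base directory is a parameter so the same
function can be exercised on a constructed directory as well as a
live host.
"""
import os
import tempfile

# The three CVEs from the newsletter and the sysfs file each maps to.
CVE_FILES = {
    "CVE-2017-5754": "meltdown",
    "CVE-2017-5753": "spectre_v1",
    "CVE-2017-5715": "spectre_v2",
}

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status_line: str) -> str:
    """Map the kernel's free-text status line to one of three buckets."""
    text = status_line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable" and "Vulnerable: ..." (e.g. spectre_v2 when the
    # microcode update is missing) both land here, as does an unknown line.
    return "vulnerable"


def check_host(base_dir: str = SYSFS_DIR) -> dict:
    """Return {cve: (bucket, raw_line)} for the three CVEs.

    A missing file means the kernel predates the sysfs interface, which
    also means it predates the fixes, so it is reported as vulnerable.
    """
    results = {}
    for cve, name in CVE_FILES.items():
        path = os.path.join(base_dir, name)
        try:
            with open(path, encoding="utf-8") as fh:
                raw = fh.readline().strip()
        except OSError:
            results[cve] = ("vulnerable", "(no sysfs entry; kernel too old)")
            continue
        results[cve] = (classify(raw), raw)
    return results


def needs_patching(results: dict) -> list:
    """CVEs for which the host still needs a kernel or microcode update."""
    return sorted(cve for cve, (bucket, _) in results.items()
                  if bucket == "vulnerable")


def make_sample_dir() -> str:
    """Constructed sample: PTI is on but the Spectre v2 fix is incomplete."""
    d = tempfile.mkdtemp()
    samples = {
        "meltdown": "Mitigation: PTI\n",
        "spectre_v1": "Mitigation: __user pointer sanitization\n",
        "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
    }
    for name, line in samples.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(line)
    return d


if __name__ == "__main__":
    # Use the real sysfs directory when present, the constructed one otherwise.
    base = SYSFS_DIR if os.path.isdir(SYSFS_DIR) else make_sample_dir()
    results = check_host(base)
    for cve, (bucket, raw) in results.items():
        print(f"{cve}: {bucket:12s} {raw}")
    print("still need patching:", needs_patching(results) or "none")
```

On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which also reports whether the microcode side of the Spectre v2 fix is present; on Linux that detail only shows up through the spectre_v2 status line the script reads.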

It's also good to remember that an incident like this not only presents you with a challenge, but also with an opportunity to raise awareness and shore up your security. Five things are worth noting:
    • First, vendors are working quickly to roll out patches. Microsoft and Google did so last Thursday, and they're not alone. Patch quickly but with discretion: not all anti-virus programs are compatible with the updates. Microsoft's January Windows update, for example, is only offered once the installed anti-virus product has set a registry compatibility key (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat) confirming it no longer makes the kernel calls that caused blue screens with the update, so check your AV vendor's status before you assume the patch has landed.
    • Second, your people may notice that some of the services they're accustomed to using seem to be moving more slowly. That slowdown may not be imaginary, and it may not be evidence of a problem, but rather a sign that those services, cloud providers in particular, have deployed kernel-level mitigations that cost some performance.
    • Third, be alert for social engineering scams related to the bug announcements. These follow most major cyber incidents, and Meltdown and Spectre will be no different. Remind your employees of your patching policies and notification practices, a link with ready-to-send email to your users is below. Reinforce with your people that they're the last line of defense.
    • Fourth, now that ARM, Apple and AMD processors are known to be afflicted with Spectre at least, remember that those chips are widely used in distributed, set-it-and-forget-it, Internet-of-things devices. The risk is likely to linger there longest.

    • And fifth, the disclosure suggests a human problem. Google found the flaws last summer and vendors have been quietly working to prepare fixes since then. The news broke suddenly, and before fixes were entirely ready, because Google determined that someone, somewhere, had begun to leak the news.
Here is some text you can copy / paste and send to your users. Perhaps combine this with the copy that explains the problem to your C-level and users:

KnowBe4 customers, there are 4 templates in the Current Events section I strongly suggest you send ASAP to inoculate your users against attacks like this.

  • Spectre and Meltdown System Update
  • Google Play/Android: Patch for Spectre and Meltdown Now Available
  • Apple/iPhone: Spectre and Meltdown Patch Available for All Apple Devices
  • Intel/Spectre/Meltdown: Test your device's vulnerability
How to Explain Meltdown and Spectre to Your C-Level and Employees

Meltdown and Spectre are CPU hardware design flaws that we techies understand. In a nutshell, Meltdown breaks the isolation between a user app and the OS, so a malicious app can read kernel memory and steal whatever is in it, passwords and keys included. Spectre goes further: it breaks the isolation between apps. It's harder to exploit but also harder to mitigate.

However, how to explain this to your C-level and end-users is another story.

The first thing to understand is that attacker-controlled code has to be running on the vulnerable machine to exploit these flaws. That code does not have to be a traditional executable; Spectre has been demonstrated from JavaScript in a browser tab, which is why browser vendors shipped mitigations of their own. Still, who is most prone to let the bad guys run code on their machine to start with? Right... users.

That is another excellent reason to step them through new-school security awareness training immediately, because Meltdown and Spectre are going to be with us for a while.

So now, how to explain this to everyone in your organization? Here is a ready-to-send cut-and-paste template at the KnowBe4 blog:
Don’t Miss the January Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, January 10, 2018, at 2:00 p.m. (EST) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • NEW See our latest feature: Security Roles with granular permissions
  • NEW Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 15,000+ organizations have mobilized their end-users as their last line of defense.

Register Now:
10 Things You Shouldn't Include in Your Security Awareness Training Program

If you want to succeed with your organization's security awareness program, here are some of the top "faux-pas" you should be sure to avoid, errors we have seen over the years that you do not want to make.
    1. AVOID: Singling out employees that click on a phishing link and making a public example of them. Do not punish employees that make mistakes early on.

    2. AVOID: Sending phishing campaigns only every 90 days. Quarterly phishing tests really just take a baseline, whereas phishing users at least once a month is an effective method to groove in making smart security decisions.

    3. AVOID: Sending the same phishing template to everyone instead of randomizing templates per employee, and running campaigns at predictable times like every Monday afternoon.

    4. AVOID: After the baseline, starting out with 5-star templates that are too difficult to identify.

    5. AVOID: Sending only phishing attacks and not stepping employees through their on-demand, interactive training.

    6. AVOID: Forgetting to emphasize that this program will also help them to keep their family safe online.

    7. AVOID: Forcing the program down your employees' throats, and not getting C-level air cover for the program and as much buy-in from the get-go as possible.

    8. AVOID: Neglecting to inform key stakeholders, department managers and tech support before you send the initial baseline test.

    9. AVOID: Not reporting the positive results to the stakeholders with graphics that show improvement.

    10. AVOID: Not having a good procedure / process that allows employees to report phishing emails that they found in their inbox, and not having a Social Engineering Incident Response program.
So, How to Do It Right the First Time?

Many IT pros don't know exactly where to start when it comes to creating a security awareness program that will work for their organization. We've taken away all the guesswork with our new Automated Security Awareness Program (ASAP), and it's free:
[New] Live Webinar: Phishing Attack Landscape and Benchmarking

The most persistent security challenge you face today is bad guys social engineering your users. Phishing campaigns continue to be hackers' No. 1 preferred attack vector to get your unsuspecting users to download and install their malicious software.

Join security experts Stu Sjouwerman, CEO at KnowBe4, and Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4 and former Gartner Research Analyst, for this live webinar “Phishing Attack Landscape and Benchmarking” as they discuss brand-new research based on what your users are clicking. Find out how you are doing compared to your peers with new phishing benchmarks by industry.

Key topics covered in this webinar:
  • The current phishing attack landscape
  • Most clicked simulated phishing attacks
  • Most common “In the Wild” reported phishing emails
  • Phishing benchmark data by industry
  • Actionable tips to create your “human firewall”
Date/Time: Thursday, January 18th at 2:00 pm EST

Register Now!
Book Review: A Data-Driven Computer Security Defense

Excellent book about InfoSec that has everything you need to know and nothing you don't. A Data-Driven Computer Security Defense: THE Computer Security Defense You Should Be Using by Roger A. Grimes, available on Amazon in print and Kindle editions.

Roger is one of the IT Security Pros that I know and have admired for years. He has a no-nonsense approach to InfoSec and his years of experience are captured in this very valuable book. I strongly recommend you read it!

Here is the link to Amazon - there should be a Kindle version as well.

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Do not take life TOO seriously. You will never get out of it alive." - Elbert Hubbard

"Being spiritual does not mean being dead serious. If you allow life to happen within you exuberantly, unbridled, you will touch the spirit." - Jaggi Vasudev

Thanks for reading CyberheistNews
Security News
Microsoft Word SubDoc Feature Abused to Steal Windows Credentials

The security research team at Rhino Labs, a US-based cyber-security company, has discovered that malicious actors can use a lesser-known Microsoft Word feature called subDoc to trick Windows computers into handing over NTLM authentication hashes for the logged-in user.

At the heart of this technique is forced NTLM authentication, which has been known about for years: when Word resolves a link to a UNC path on an attacker-controlled server, Windows authenticates to that server automatically and hands over an NTLM challenge-response (a Net-NTLMv2 hash) that can be cracked offline or relayed. What's different, according to Rhino Labs, is the delivery vehicle: a Word feature called subDoc that allows Word files to load sub-documents from a master document. The practical mitigation is the same as for other forced-authentication tricks: block outbound SMB (TCP 445) at the perimeter so that a document pointing at an external UNC path cannot complete the exchange, and treat documents carrying external sub-document links as suspicious.

"As this feature has not been recognized publicly as an attack vector for malicious actions, it is not something that is recognized by anti-virus software," Rhino Labs says, highlighting that none of the antivirus engines on VirusTotal detected Word documents weaponized via the subDoc method.

"This type of hack is ideal for spear-phishing campaigns aimed at high-value targets, such as enterprises or government agencies." More tech details:
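Since the newsletter notes that anti-virus engines did not flag these documents, here is an added detection example (not Rhino Labs' tooling, and not code from the newsletter). A .docx is a zip archive: the body (word/document.xml) references a sub-document with a w:subDoc element, and the relationship file (word/_rels/document.xml.rels) maps that element's r:id to a Target; an attacker sets the Target to a path on a host they control. The scanner pairs the two files and reports every subDoc whose target is remote. The element and relationship names follow the OOXML (ECMA-376) conventions as I know them, and the sample document is constructed inline so the code runs offline.

```python
"""Flag Word documents whose subDoc links point at external hosts.

Added example, not Rhino Labs' tooling. Pairs <w:subDoc r:id=...> in
word/document.xml with the matching Relationship in
word/_rels/document.xml.rels and reports sub-document targets that name
a remote host (UNC paths, file:// with a host, http(s)/ftp URLs).
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def is_remote_target(target: str) -> bool:
    """True for UNC paths and URLs that name a host; False for local files."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True                      # \\server\share or //server/share
    parsed = urlparse(t)
    if parsed.scheme in ("http", "https", "ftp"):
        return True
    if parsed.scheme == "file":
        # file://server/share, file:////server/share and file:///\\server\share
        # all name a host; file:///C:/x.docx does not.
        return bool(parsed.netloc) or parsed.path.startswith("//") \
            or parsed.path.lstrip("/").startswith("\\\\")
    return False


def find_subdoc_links(docx_bytes: bytes) -> list:
    """Return [(rel_id, target, remote)] for every w:subDoc in the body."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names:
            return []
        body = ET.fromstring(z.read("word/document.xml"))
        rels = {}
        if "word/_rels/document.xml.rels" in names:
            for rel in ET.fromstring(z.read("word/_rels/document.xml.rels")):
                rels[rel.get("Id")] = (rel.get("Target", ""),
                                       rel.get("TargetMode", "Internal"))
    hits = []
    for node in body.iter(f"{{{W_NS}}}subDoc"):
        rid = node.get(f"{{{R_NS}}}id")
        target, mode = rels.get(rid, ("", "Internal"))
        hits.append((rid, target, mode == "External" and is_remote_target(target)))
    return hits


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx with one subDoc pointing at `target`."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>'
        '<w:p><w:r><w:t>Please review the attached policy.</w:t></w:r></w:p>'
        '<w:p><w:subDoc r:id="rId9"/></w:p>'
        '</w:body></w:document>'
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PR_NS}">'
        f'<Relationship Id="rId9" Type="{R_NS}/subDocument" '
        f'Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.'
                   'openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed address, not a real host: the kind of UNC target the attack uses.
    sample = build_sample_docx("\\\\10.0.0.5\\share\\policy.docx")
    for rid, target, remote in find_subdoc_links(sample):
        print(f"{rid}: {target!r} {'REMOTE' if remote else 'local'}")
```

Run it against a mail gateway's attachment quarantine rather than a single file; a legitimate master document normally links sub-documents by relative path on the same share, so any hit with remote set to True deserves a look.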
Security Pros Waste 10 Hours a Week Due to Inefficient Systems

Over one-third of IT decision makers say their teams spend at least three hours a day on tasks that could be handled by better software. Additionally, the majority think the average cybersecurity professional wastes as much as 10 hours a week due to inadequate software.

The study, conducted by Widmeyer, which surveyed 751 IT decision makers from the U.S., U.K. and Asia/Pacific, also found that an overwhelming majority (88 percent) of respondents view insider threats as a dangerous and growing concern in defending their organizations.

“The proliferation and innovation of business-enabling technology combined with the speed of today’s advanced hackers to adopt and adapt to the latest technology is making it increasingly difficult – if not impossible – for security teams to evolve their rapid threat detection and response capabilities as quickly as their adversaries,” said James Carder, CISO and VP of LogRhythm Labs. More:
Top New Year’s Resolutions for CISOs: Improve Security Culture

CSO has a list of New Year's resolutions for enterprise CISOs which is a good read: they need to move closer to the business, improve staff productivity and modernize their security technology infrastructure.

Their suggestion No. 1 was to lead the effort to make cybersecurity part of the organizational culture and we could not agree more.

IBM also suggested in its New Year's resolutions stepping up security awareness:

"The CISO should, with the full support of top leadership, oversee an organizationwide effort to step up security awareness activities. Training materials should be relatable, direct and relevant to enact a gradual shift toward a strong security culture with reminders, fresh ideas, games and, yes, the dreaded phishing test.

"This transition will not happen overnight, and there will be some pushback. But the days of writing passwords on sticky notes, sharing login credentials with office staff and practicing overall poor cyber hygiene, both at work and at home, need to end. CISOs should join forces with awareness evangelists to constantly remind staff members to follow security best practices."

Could not have said it any better myself!

Cloudy, With a Chance of Phishbait

Cloud documents are becoming increasingly popular vehicles for phishing attacks.

As software-as-a-service document sharing becomes more widely used, it's become a field for criminal activity. Consider Google Drive. It's an entirely legitimate service, but it can't be used naively.

Many employees, however, seem to do so, assuming that if something is staged in Google Drive or some other platform they've heard of, maybe used, it must be safe.

Unfortunately, no: Google Docs are being used by criminals to take advantage of the innocent and the unwary, and that use expands your attack surface.

Protecting an enterprise against phishing via document sharing comes down to training, and fortunately the same sort of realistic, interactive training that works with email works equally well with Google Docs. See SC Magazine's account of the problem and the ways in which an organization can own it here:
The 5 Main Motives of Ransomware

It seems obvious: the goal is extortion, getting you to pay the ransom, right?

Sure, often it is. But ransomware has other uses, too: embarrassment, degradation of business operations, revenge, even the lulz. It can also, troublingly, serve as misdirection for other, more damaging attacks, and where you see misdirection, you see social engineering.

Organizations that sustain ransomware attacks shouldn't let themselves become so focused on the ransomware that they miss the other bad things going on behind the screen. So by all means prepare your organization for a ransomware attack by such sound practices as regular, weapons-grade backup.

But also include ability to recognize misdirection in your training. You very much want, unlike the Wizard of Oz, to get your people accustomed to looking for, and paying attention to, the man behind the curtain.

Joseph Carson is a cyber security professional with more than 20 years’ experience in enterprise security & infrastructure. Currently, Carson is the Chief Security Scientist at Thycotic. He wrote:

"When 2017 began, we knew that ransomware was going to be a major topic. However, who would have foreseen the impact of both WannaCry and NotPetya?" His takeaway:

"In my experience in digital forensics, I have always been taught to follow two things when trying to understand cybercrime and that is to follow the motive or follow the money. Either or both will lead to the criminal.

In both WannaCry and NotPetya, it looks like the motive was not the financial part of the crime, or that the payload and financial portion have been constructed by two different groups or cybercriminals.

When we look at the motives of those who use ransomware, it is usually the following:
    • Destructive – This means they do not care about the financial reward it is purely to cause disruption and fear. Of course, the cybercriminals may decide to take the financial takings if it is untraceable.
    • Financial Motivation – This is to get as much financial reward as possible, and usually the ransom is a premium to get the data or access back.
    • Cryptocurrency Manipulation – Knowing that ransomware usually requires payment in the form of cryptocurrencies and that the value is derived from the number of wallets you could use ransomware to cause a significant increase in value. The best way to get away with the crime is to make money legally.
    • Disguise Real Motive – This is usually to hide the real crime. After committing a cybercrime and you need to hide your traces, what better way to do it is to cause disruption with a ransomware. While the world is racing to keep secure and reduce the impact, cybercriminals have escaped from the real crime, hiding traces of what happened. Make a disaster or catastrophe to cover tracks.

    • Misdirection – Like disguising, the real motive is similar to a trick used by magicians to get your eyes to focus on something else. I believe we have seen examples of this in the recent nation state attacks in which if you leave breadcrumbs that lead the investigators to focus time on another country when in fact it was attributed by another. This is quite common in cybercrime in the hope that time will prevent the true criminal from being found.”
I will leave you to consider what the real purposes of recent ransomware threats have been. However, remember it can also be a combination of multiple threat actors involved with different motives.

Remember: It is always important to step back and think, if this was your crime, how would you have done it. Sometimes it's crucial to be able to think and look at the world through the eyes of a hacker or cybercriminal. Post at InfoSecIsland:
Outsiders Want to Act Like Insiders

Once attackers have used social engineering to get into your network, effectively they've become a malicious insider. That's their goal.

They're not hacking, for the most part, but rather conning their way in by manipulating users to give up their credentials. The human firewall is the most important one, not only because it's the most common point of attack, but because properly trained humans are able to spot and refuse a dangerous approach.

But they can only do so if they're trained. That training should cover the approaches the criminals use: the browser, of course, but also email, text, and phone calls. The point of training is to have been there and seen it before it hits you for real. That's just sound business practice.

Corporate Counsel has a chilling piece on how phishing costs the average large company $3.7 million a year:
Iranian Politics May Be Interested in You, Yes...You

You may not be interested in international politics and conflict overseas, but the parties to those conflicts may be interested in you. Iran is currently undergoing a period of significant civil unrest, and the country's government is cracking down hard on the Internet tools dissidents have been using to organize their protests.

Here's how it could affect your organization if you have partners or offices in the Middle East.

Iran's security services have shown over the last few years a greater capacity to conduct offensive cyber operations, and they're using that capacity now against individuals they suspect of having contact with opponents of the regime.

A threat group, "Infy," generally believed to operate on behalf of the Iranian government, is different from most espionage units in that it doesn't pursue defense or aerospace companies, but rather works quietly against individuals the regime thinks might pose a political threat.

Infy is regarded as a sophisticated operation, and its preferred tool is spearphishing. Caution your people, particularly any who have an interest in, or contacts with, people in the Middle East, to be particularly on the alert for out-of-the-ordinary emails, especially the ones that seem plausible.

The conflict in Iran is domestic, but it has regional implications, and dealings with people in, say, Saudi Arabia, the United Arab Emirates, or Israel could well put someone on Infy's radar. And it might be worth tailoring some of your training to the languages other than English your people do business in.

KnowBe4 offers interactive training and has phishing templates in well over twenty languages. Read a timely warning of what Infy is up to here, in DefenseOne:
Interesting News Items This Week

A school district stripped a dozen servers down to bare metal, spent $314,000 on mitigation, and had its computers down for a month. Cause: an employee clicked on a malware-laden Microsoft Word doc in a phishing email. New-school security awareness training is considerably cheaper:

Microsoft as the largest security company in the world and its entry into ransomware prevention:

Intel Says Major Security Flaw Affects Competitors AMD and ARM Too (Fortune) But the stock market has punished its share price:

Apple: All Mac Systems and iOS Devices Are Affected by Meltdown & Spectre Flaws:

Make 2018 your year of taking password security more seriously:

10 Cybersecurity Trends: What to Expect in 2018:

60 Cybersecurity Predictions For 2018:

Software security is hopelessly broken. Interesting post with some good reminders on secure coding:

Cybersecurity systems, as sophisticated as they are, are clearly not doing the job. And maybe they never will, given that in the end the effectiveness depends on users:

Data Breach Affected More Than 240,000 Homeland Security workers, IG Confirms. The breach also affected non-DHS employees who communicated with the department’s inspector general.

These psychedelic stickers blow AI minds:

Spear phishing attacks already targeting Pyeongchang Olympic Games:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
