CyberheistNews Vol 8 #25 [Heads-Up] Massive Downtime Caused by Bad Guys Killing Bank's 9,500+ Systems to Hide Stealing 10 Million Dollars via SWIFT


A cyberattack against Banco De Chile (BDC)—that country's largest financial institution—bricked a hair-raising 9,000+ workstations and 500 servers. However, killing these machines was actually just a cover to hide illegal transactions on the SWIFT network, which banks use to transfer funds internationally.

After the dust settled, 10 million dollars was funneled off to accounts in Hong Kong.

On Sunday, BDC’s general manager Eduardo Ebensperger told Chilean media outlets that the late-May attack allowed the attackers to complete four separate fraudulent transactions before the cyberheist was discovered. The massive downtime caused by this wiper attack will be an order of magnitude more expensive than the $10 million that was stolen.

Here's the story with the root cause, scary details and suggestions to prevent this at the KnowBe4 blog:

“Peak Ransomware”: Incidents Are Declining, but Attacks Are Increasingly Disruptive

Earlier this week, researchers revealed that ransomware is no longer the most common email malware. According to a report from Proofpoint, banking Trojans took the top spot in the first quarter of 2018 for the first time in nearly two years.

But, speaking at a cyber security summit in London yesterday, Tim Jeffcoat of Datto, a business continuity solutions provider, warned that while we might have passed “peak ransomware”, the variants emerging now are more disruptive than ever before.

“We’re not seeing quite so many new variants of ransomware being developed and designed,” he told the audience of managing service providers. “But what has changed is the nature of the threats.”

Cyber criminals are going to greater lengths to ensure their attacks pay off. For example, they are increasingly posing as CIOs and CFOs in order to convince a victim to download a malicious payload, Jeffcoat explained.

“We are also seeing an increase in attacks lying dormant,” he added. “It gives criminals a backdoor into people’s IT systems where they can then understand – is this the right machine on the network that I want to encrypt?”

It’s not just the delivery method that is changing either. Jeffcoat cites the Bad Rabbit ransomware that deletes Windows backups. “We’re now also starting to see ransomware variants that are aware of external storage,” he revealed.

“What this all amounts to is it’s much harder to recover from a ransomware attack,” said Jeffcoat. Full story:

[Live Webinar] How Criminals Are Using Artificial Intelligence to Social Engineer Your Users

A new survey by Webroot shows that 86% of security professionals worry that Artificial Intelligence (AI) and Machine Learning (ML) technology could be used against them. That worry is well founded.

If we look at history, we are quickly reminded that all progress comes with unintended consequences. And, while there is a lot of societal good that can come from AI and ML, we also need to understand and prepare for the misuse and abuse of such technologies.

Join Stu Sjouwerman, KnowBe4’s Founder and CEO, and Perry Carpenter, Chief Evangelist and Strategy Officer, for "Fear the Machine: How Criminals are Using AI to Social Engineer Your Users."

We will take a fascinating dive into the shadowy world of how AI and ML are being weaponized today and what the next wave(s) of weaponization will likely look like.

This webinar will cover:
  • Cyber crimes using Artificial Intelligence and Machine Learning
  • The next wave of weaponization
  • How to protect your organization with a human firewall
Date/Time: Day after tomorrow, Wednesday, June 20th at 2:00 PM ET
You won’t want to miss this event. Save My Spot!
New Whitepaper: "How to Fortify Your Organization's Last Layer of Security"

People impact security outcomes much more often than any technology, policy or process does. Cyber security threats continue to proliferate and become more costly to businesses that suffer a data breach.

When it comes to combating these growing risks, most organizations continue to place more trust in technology-based solutions than in training their employees to be aware of the threat landscape and able to recognize the red flags of a breach attempt.

Learn more about the 5 recommended actions you can take to fortify your organization's last layer of security - your employees.

Download this new whitepaper now:
"The Top 20 Cybersecurity Experts to Follow on Social Media"

Scott Schober at Cybercrime Magazine wrote: "Cybersecurity now touches everyone. Our credit cards have been compromised, our identities stolen, and our private information on Facebook shared in secret.

"Let’s face it, nothing is 100% secure nor private. The media only tends to litter the headlines with sensational misinformation, only to correct or redact the news after readers and viewers have already lost interest.

"As a cybersecurity professional, I rely on guidance and indisputable facts and data that only top cybersecurity experts from the community can offer. While Twitter is a less than ideal platform for its security, politics and general bullying tactics, it does offer valuable, crowd-sourced opinions and insights direct from the keyboards of experts for free.

"Over the years, I have picked up so much more practical and actionable advice than I ever could share back myself. If you learn something, thank them, retweet and share what you have learned with your followers. Some of my picks are researchers, some hackers, some top influencers but all of them make for a worthy following."

I'm honored to be in this illustrious company. Follow us here:

And here are the best cybersecurity podcasts for this summer. Learn something new:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"It is not because things are difficult that we do not dare, it is because we do not dare that they are difficult." - Lucius Annaeus Seneca, Philosopher, Statesman, Dramatist (5 BC - 65 AD)

"Education is what remains after one has forgotten what one has learned in school."
- Albert Einstein, Physicist (1879 - 1955)

Thanks for reading CyberheistNews
Security News
Security: IT's the Human Element

Steven Lawton at SC Media wrote: "I was going through some old boxes recently and found a copy of the March 1996 issue of Digital News & Review, a magazine where I served as editor-in-chief.

One of my then-columnists, Rick Cook, wrote a story under the headline: How secure is Windows NT? Cook's position was that focusing on security built into hardware or software was useful, but the wrong place to start thinking about building a security strategy.

The right place was with the human component, not a technical one.

Cook's position is as valid today as it was 22 years ago. President Clinton at the time was said to have a sign in his office that said: “It's the economy, stupid.” (That's actually a busted myth. “The economy, stupid” was a campaign slogan Clinton used, but there was no sign.)

One could postulate that security staffers had a sign over their desks saying: “Data Security: It's the human element.” They would have been right then and they still would be right today. Social engineering and the human factor in the equation is still the primary source of security breaches."

We could not agree more! Full article:
Spear Phishing in Think Tanks

Phishing emails are often used by national intelligence services to install remote access Trojans or other espionage tools. One current campaign is directed against foreign policy think tanks.

The phishbait involves Chinese activities in various disputed regions and territorial waters. The emails themselves appear to be transmissions of serious policy studies by well-known think tanks like the Council on Foreign Relations or the Mercator Institute.

A close look at the email domains, however, shows that they're bogus imitations of the think tanks' genuine domains. This is a tried-and-true tactic. The slick visual look of a foreign affairs white paper is easy to simulate, and the senders are counting on the recipients' being too beguiled by the content to inspect the email address.

The content looks like a legitimate report or blog post, but behind the imagery is the QuasarRAT, a commodity remote access tool freely available on GitHub and other places. It may be a mundane tool, but it offers the attackers plenty of desirable functionality.

Volexity, the security firm tracking the campaign, lists them:
  • AES encryption of network communication
  • File management
  • Functionality to download, upload, and execute files
  • Keylogging
  • Remote desktop access
  • Remote webcam viewing
  • Reverse proxy
  • Browser and FTP client password recovery
Volexity has been tracking this particular campaign since March of this year. They attribute it to an Indian threat actor, variously called "Patchwork" or "Dropping Elephant."

The campaign is a timely reminder of two things. First, not-for-profits and academic institutions can be of considerable interest to intelligence services. Second, there are other capable cyber espionage operators out there beyond the usual Russian, Chinese, North Korean, and Iranian suspects.

This is a good case in which awareness can make the difference between compromise and security. Alert employees who've been trained to recognize the bogus approaches of social engineering can help protect an organization even from nation-state threats. Volexity has the story:
Here Is Your "Badness Index" of Top-Level Domains

Some top-level domains (TLDs) are notorious for being associated with dodgy content. With more than 1500 TLDs in use, hundreds of which were introduced only in the last few years, it stands to reason that not all of them are in fact equally up to good. Spamhaus has a list of the top ten worst: .men, .gdn, .work, .click, .loan, .top, .cf, .gq, .ml, and .ga.

Some, like .men, .work, .click, and .loan, are obvious. Others are associated with developing countries like Gabon (.ga). Symantec does twice as well, and offers a top twenty: .country, .stream, .download, .xin, .gdn, .racing, .jetzt, .win, .bid, .vip, .ren, .kim, .loan, .mom, .party, .review, .trade, .date, .wang, and .accountants.

With some of these the suggested come-on is clear enough. Who wouldn't want to party, or win, or even be treated as a V.I.P.? Or you might want to get a loan, or stream something, or perhaps trade. Maybe if you're in Germany you'll respond to the call to do something now ("jetzt").

Anyway, these aren't a bad pair of lists to use to alert your employees to domains they might consider guilty until proven innocent. Symantec gave each of its top twenty a rating of at least 97% "shady," and those are very bad odds indeed. KrebsOnSecurity has the story:
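The two list-based checks this issue describes, the "guilty until proven innocent" TLD lists above and the bogus look-alike domains from the think-tank spear phishing story, as an added example that is not part of the newsletter and not code from KnowBe4, Spamhaus, Symantec or Volexity. The sample sender addresses are constructed, the genuine-domain list (cfr.org, merics.org) and the edit-distance threshold are assumptions for the demonstration, and the Spamhaus entry printed as ".gdl" is taken to be .gdn:

```python
"""Flag inbound sender domains that use a high-abuse TLD or imitate a
genuine domain.  Added example, not code from the newsletter or from the
vendors it quotes; sample data below is constructed."""
import re

# TLDs the issue quotes from Spamhaus (top ten) and Symantec (top twenty),
# merged into one set.  ".gdl" in the Spamhaus list is taken as .gdn.
ABUSED_TLDS = {
    "men", "gdn", "work", "click", "loan", "top", "cf", "gq", "ml", "ga",
    "country", "stream", "download", "xin", "racing", "jetzt", "win", "bid",
    "vip", "ren", "kim", "mom", "party", "review", "trade", "date", "wang",
    "accountants",
}

# Assumed list of genuine domains whose branding is being imitated; in
# practice this is the organisation's own list of trusted correspondents.
GENUINE_DOMAINS = ["cfr.org", "merics.org"]

# Edit distance at or below which a registrable domain counts as a look-alike.
LOOKALIKE_DISTANCE = 2


def sender_domain(address: str) -> str:
    """Lowercase domain of an address in 'user@host' or 'Name <user@host>' form."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_domain(domain: str) -> list:
    """Reasons a sender domain deserves suspicion (empty list: no finding)."""
    domain = domain.lower()
    if domain in GENUINE_DOMAINS:
        return []
    reasons = []
    labels = domain.split(".")
    tld = labels[-1]
    if tld in ABUSED_TLDS:
        reasons.append(f"tld .{tld} is on the high-abuse list")
    # Registrable part approximated as the last two labels; a production
    # filter would consult the public suffix list instead.
    registrable = ".".join(labels[-2:])
    name_labels = labels[:-1]
    for genuine in GENUINE_DOMAINS:
        gen_name = genuine.rsplit(".", 1)[0]
        dist = levenshtein(registrable, genuine)
        if dist <= LOOKALIKE_DISTANCE:
            reasons.append(f"looks like {genuine} (edit distance {dist})")
        elif any(gen_name in lab.split("-") for lab in name_labels):
            # e.g. cfr-org.click or cfr.org.info reuse the genuine name
            reasons.append(f"reuses the name '{gen_name}' of {genuine} under another domain")
    return reasons


def triage(senders) -> dict:
    """Map each sender address to its findings."""
    return {s: assess_domain(sender_domain(s)) for s in senders}


# Constructed sample From: addresses, not taken from the campaign.
SAMPLE_SENDERS = [
    "Council on Foreign Relations <newsletter@cfr.org>",   # genuine
    "CFR Studies <studies@cfr-org.click>",                 # look-alike + abused TLD
    "MERICS <research@mercis.org>",                        # transposed letters
    "Policy Brief <brief@policy-update.loan>",             # abused TLD only
    "colleague@example.com",                               # clean
]

if __name__ == "__main__":
    for sender, findings in triage(SAMPLE_SENDERS).items():
        print(f"{sender:55} -> {findings or 'ok'}")
```

The two heuristics are deliberately loose: a hit is a reason to hold a message for a human look, not a verdict. The TLD list catches the bulk commodity senders the article describes; the name-reuse and edit-distance checks catch the targeted imitation domains that the Volexity story warns about, which will usually sit on a perfectly respectable TLD.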
25% of Employees Use the Same Password for Every Account

Employees may be a company's greatest asset, but they also remain the greatest cybersecurity risk, according to a Monday report from OpenVPN.

Despite an increased focus on security training, 25% of the 500 US employees surveyed report that they use the same password for every account, the report found. Another 23% of employees said they frequently click on links before verifying that they lead to a legitimate, safe website. OUCH. More at:
Training Employees to Think Infosec

Employers have come to recognize their staff as one of their biggest security risks. But in this case risk also represents opportunity.

First, the risk. Studies of data breaches reliably suggest that insiders cause some three-quarters of them, and a report by Veriato showed that 90% of cyber security experts felt their company was vulnerable to attack from the inside.

And it's easy to see why employees present a risk. They have access to company information, after all, which is what criminals hope to steal. Some leaders have concluded, mistakenly, that all of this is reason not to involve employees in data security.

But there are at least four compelling reasons to turn this risk into an opportunity:
  • Social engineering goes beyond security tools. Human error can be the weakest link in an otherwise strong chain. So it pays to strengthen that link.
  • Social engineering manipulates people into acting contrary to their interests and the interests of their organization. Once a hacker has socially engineered an employee into submission, the hacker can gain all that employee's access. Security awareness training helps employees avoid common scams, protecting the individual and the organization.
  • Data security is the responsibility of everyone in the company. The 2012 Dropbox breach, for example, was attributed to employee negligence. The hackers used passwords employees had reused from the earlier LinkedIn breach. Sound digital hygiene, which can be taught and learned, can help mitigate this risk.
  • Finally, awareness training for employees has become a compliance requirement under any number of local, national, and international regulatory regimes.

Effective training programs tend to have these features in common:
  • They use varied techniques to reinforce lessons. They're not confined to "Death-by-PowerPoint" in a company breakroom once a year. They can include realistic, interactive simulations, varied with other instruments like classroom sessions, videos, discussions, newsletters, even posters.
  • They schedule training on a regular basis.
  • They enable employees with diverse learning styles to succeed.
  • They address, adequately, compliance issues, but they don't confine themselves to compliance.
Data security is important. Awareness training can help any organization make its employees more resistant to phishing and other forms of social engineering, and it can help build a culture of security. Infosecurity Magazine has the story:
Multilayered Phishing Hook

This is a good news / bad news story. The good news is that general awareness of phishing has risen to the point that people are now somewhat less likely to simply click on an obvious executable file.

The bad news is that the phishers have noticed this too, and they're using more multistage exploits in attacks.

There's an interesting current case of this in Russia. The victims are businesses engaged in repairing electronic devices. They're receiving spearphishing emails that pretend to be from Samsung. The payload is carried by an apparently legitimate Microsoft Office .xlsx file.

The file contains an exploit for the CVE-2017-11882 Microsoft Equation Editor vulnerability, and the execution is a complex, three-stage process. Ultimately the attackers install a version of the Monitor remote access Trojan, whose modules affect the victims' webcams and otherwise afford an opportunity to control their machines.

The spear phishing has many of the usual marks. For one thing, the emails are poorly written. Fortinet's researchers, who have been tracking the campaign, think the emails were produced by machine translation, certainly not by native speakers of Russian.

Awareness training can help remind employees to be wary not only of poor grammar, but also of the complexities of malicious attachments that may evade technical screening tools. SecurityWeek has the story:
[On-Demand Webinar] What Most Computer Security Defenses Are Doing Wrong and How to Fix It

Roger Grimes is one of the IT Security Pros that I have admired for years. He has a no-nonsense approach to InfoSec and his decades of experience were captured in a recent, very valuable book called "A Data-Driven Computer Security Defense."

Most companies have huge gaps in their computer security defenses and can be compromised at will by a determined hacker. The industry even has a term for it: “Assume Breach”.

It doesn’t have to be that way.

Join Roger Grimes, a 30-year computer security consultant and author of 10 books, for this on-demand webinar where he will explore the latest research on what’s wrong with current network defenses and how they got this way.

Roger will teach you:
  • What most companies are doing wrong, why, and how to fix it
  • An action plan to improve the effectiveness of your computer security defenses
  • How to create your “human firewall”
You will never think about computer security the same way again. Watch Now!
What KnowBe4 Customers Say

"Yes, I am very pleased with KnowBe4. I have heard great positive feedback from our Administration as well. It has worked as a great education tool for our employees. Thank you."
- B.J. Information Systems Director
The 10 Interesting News Items This Week
  1. Engineers configure RFID tags to work as sensors:
  2. Train Your Employees to Think for Themselves in Data Security:
  3. Building a Strong, Intentional and Sustainable Security Culture:
  4. Phishing theft of $93G at clean energy agency went unreported for months:
  5. 10 Security Projects CISOs Should Consider: Gartner Analyst:
  6. Malicious Docker Containers Earn Cryptomining Criminals $90K:
  7. Microsoft reveals which Windows bugs it might decide not to fix:
  8. Exploit Kits Target Recent Flash, Internet Explorer Zero-Days:
  9. Bad guys make mistakes too. Trik spam botnet leaking over 43 million email addresses due to misconfigured server:
  10. Consider these three things when developing an insider threat program, experts say:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
FOLLOW US ON: Twitter | LinkedIn | Google | YouTube
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
