CyberheistNews Vol 8 #29




CyberheistNews Vol 8 #29
Ransomware Mid-Year Update: It’s Worse Than Ever

We’re finally getting a look at how much ransomware attacks have been seen in the wild in the first half of 2018 – and the numbers are astounding.

Ransomware is alive and well.

SonicWall recently released a mid-year update to their 2018 Cyber Threat Report. In it, they cover increases in malware attacks, encrypted attacks, and cryptojacking attacks. But one of the most prominent attacks remains a constant threat – ransomware.

It feels like ransomware is old news - with so many stories in the news, and vendors claiming to have a handle on it, it’s natural to feel like it’s no longer a really-real threat. But the truth is ransomware is alive and kicking.

The SonicWall report brings to light the reality of just how serious you need to take the threat of ransomware:
  • A 229% increase in ransomware attacks year-to-date over 2017
  • 12 new variants of ransomware (including the new king called GandCrab)
  • 181.5 MILLION attacks this year alone (that’s nearly 100K attacks daily!)
The new criminal king of the hill GandCrab Ransomware is now rapidly adapting in real-time to security solutions offered by security vendors. GandCrab is a strain which targets mainly English-speaking countries. GandCrab is distributed via the RIG and GrandSoft exploit kits, as well as phishing attacks. The malware is operated in an affiliates program, with those joining the program paying 30%-40% of the ransom revenues to the GandCrab author. In return, affiliates get a full-featured web panel and technical support.

These days, cybercriminals are savvy operators looking for ways to use their “products and services” in ways that help them generate the greatest amount of revenue. The numbers above demonstrate the business of ransomware is stepping on the proverbial gas, seeing a bright future for their upcoming revenue targets.

This news highlights the importance of ensuring your users are as vigilant as ever. Maintaining a constantly elevated culture of security is necessary to reduce the attack surface within your organization. This is accomplished through frequent and effective new-school security awareness training used to both educate the user on methods and techniques used by bad guys, but also about security-minded browsing and email habits.

Check out the year-over-year graph and shiver, with links to the evil new GandCrab strain:
https://blog.knowbe4.com/ransomware-mid-year-update-its-worse-than-ever
Samsam Ransomware Infected Thousands of LabCorp Systems Via Brute Force RDP

It's all over the news. Steve Ragan at CSO has the best "executive summary":

"LabCorp, one of the largest clinical labs in the U.S., said the Samsam ransomware attack that forced their systems offline was contained quickly and didn't result in a data breach.

However, in the brief time between detection and mitigation, the ransomware was able to encrypt thousands of systems and several hundred production servers.

The wider public first learned about the LabCorp incident on Monday, when the company disclosed it via an 8-K filing with the SEC. Since then, as recovery efforts continue, the company said they're at about 90-percent operational capacity.

According to sources familiar with the investigation, the Samsam attack at LabCorp started at midnight on July 13. The LabCorp SOC (Security Operation Center) immediately took action after that first system was encrypted, alerting IR teams and severing various links and connections.

These quick actions ultimately helped the company contain the spread of the infection and neutralize the attack within 50 minutes. However, before the attack was fully contained, 7,000 systems and 1,900 servers were impacted. Of those 1,900 servers, 350 were production servers."

Below is a link to the whole story. Don't let this happen to you. Here are five things to do about this right away:
https://blog.knowbe4.com/samsam-ransomware-infected-thousands-of-labcorp-systems-via-brute-force-rdp
Scam of the Week: *Another* New CEO Fraud Phishing Wrinkle

So, here's a new CEO fraud phish: see these fresh screen shots from emails reported to us through the free KnowBe4 Phish Alert Button. Bad guys spoof the managing partner and CPA at an accounting & consulting firm and ask an employee for the "Cash/Bank Statement Reconciliation" for June of this year.

Now, it's not immediately clear what the bad guys could do with the data from such a statement, but this may simply be a first step of a one-two punch that is meant to establish credibility. The next step would be a malicious request for salary payment records like a pay stub that allow the bad guys to change bank accounts for direct deposit salary payment to accounts they control.

Here is another variant, one where the employee seems to be willing to comply...Augh! And a brand new payroll phishing scheme using the ADP portal. I have added a blurb you can copy & paste to send to your employees:
https://blog.knowbe4.com/there-is-another-new-ceo-fraud-phishing-wrinkle
Don’t Miss the August Live Demo: Simulated Phishing and Security Awareness Training

Old-school security awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, August 1, 2018, at 2:00 p.m. (ET) for a 30-minute live product demonstration of KnowBe4's Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users.
  • NEW Upload any Policy and roll it out as a training module for compliance.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Improved Vishing (voice phishing) feature supports domestic and international dialing with 10 commonly used vishing templates.
  • Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting, with great ROI.
  • Delegated Permissions, now part of the Security Roles feature, allows you to create custom admin roles for Target Groups in your organization.
Find out how 19,000+ organizations have mobilized their end-users as their last line of defense.

Save My Spot! https://attendee.gotowebinar.com/register/5122186360735511555?source=CHN
Going to Black Hat in Las Vegas This Year? Get Your Free Book Signed by Kevin Mitnick!

Check out all the activities KnowBe4 will be doing at Black Hat:
    • Get your free book signed by Kevin Mitnick: Drop by KnowBe4’s Booth #1428, at the Kevin Mitnick Book Signing. Meet the ‘World’s Most Famous Hacker’, get a signed copy of his new book: Wednesday, August 8, 5-7pm at KnowBe4’s Booth.
    • Enter to Win a 34” LG Curved UltraWide Monitor: Join us to see a short demo of the innovative KnowBe4 Security Awareness Training Platform to train and phish your users. You’ll also get your light-up "Axe to Grind with Ransomware” swag!

    • Learn the 11 ways hackers get around your favorite 2FA solution: Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, during the session “11 Ways to Defeat Two-Factor Authentication”, on Wednesday, August 8th, 4:10pm in Oceanside F. You'll learn about the good and bad of 2FA, and become a better computer security defender in the process.
https://www.blackhat.com/us-18/sponsored-sessions/schedule/index.html#11-ways-to-defeat-two-factor-authentication-11973
What Would You Like to Ask Kevin Mitnick About Social Engineering?

Here's your chance. Late August we'll do a live webinar with Kevin, and he asked me to find out what questions you have for him regarding social engineering, so we can cover them in this new flavor of webinar which we will do once a quarter.

Here is the link to SurveyMonkey. This should take less than 1 minute!

https://www.surveymonkey.com/r/AskKevinMitnick

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one
more time."
- Thomas A. Edison

"Ambition is the path to success. Persistence is the vehicle you arrive in." - Bill Bradley



Thanks for reading CyberheistNews
Security News
Effective Social Engineering Matters More Than Zero-Days

There's an interesting criminal campaign in progress against government targets in Ukraine. Note that we usually first see them there, and then they spread out to Western Europe and the US.

It's not particularly advanced from a technical point of view. It doesn't rely on zero-days. And the actors behind the campaign don't seem to have a high level of technical skill.

However...

They've shown considerable skill in picking their targets, using commodity malware, and baiting their phish-hooks with the kinds of document titles likely to attract a bite.

ESET researchers have analyzed three remote access tools used against government agencies in Ukraine. The tools are "Quasar," "Sobaken," and "Vermin." ESET describes the campaign as "criminal espionage" using RATs to access and exfiltrate sensitive files from government systems.

Quasar is an open-source remote access tool easily found on GitHub. Sobaken is closely related to Quasar, but in its case the commodity malware has been modified to have a smaller footprint by removing some functionality to leave room for additional evasive and anti-sandboxing techniques.

Vermin is a custom backdoor that first appeared in 2016. Like Quasar and Sobaken, it's written in .Net, with its code protected to some extent against analysis through the use of commercial or open-source protectors.

None of the three RATs are particularly sophisticated, but they're effectively constructed and intelligently deployed. They're spread principally by social engineering, with the payload typically carried by a maliciously crafted document transmitted as an attachment to an email. Full story:
https://blog.knowbe4.com/effective-social-engineering-matters-more-than-zero-days
FBI Warns That Business Email Compromise (CEO Fraud) is Now a Worldwide 12 Billion Dollar Scam

The FBI is again warning of the threat posed by business email compromise (BEC, aka CEO Fraud) and email account compromise (EAC). Together, says the Bureau, these have cost businesses $12 billion between December 2016 and May 2018.

That represents a 136% increase in reported losses worldwide. The scams have been reported in all fifty US states and in some one-hundred-fifty countries around the world. Small, medium, and large businesses have all been affected.

The attempts at theft depend upon compromise of a legitimate account or device. They often involve fraudulent wire transfers, but they can also simply target personally identifiable information, payroll data, or tax information.

The real estate sector has been heavily targeted recently

The real estate sector has been heavily targeted recently. Victims include not only real estate agents, but also title companies, supporting law firms, and, of course, property buyers and sellers. Victims often tell the FBI they've received spoofed e-mails requesting changes in payment details. If they bite on the scam, their funds are directed to fraudulent domestic accounts, from where they are quickly dispersed to both domestic and international destinations. Real estate scams have increased 1,100% from 2015 to 2017 with monetary losses for the same period increasing 2,200%.

All parties in real estate transactions are potential targets. It can be difficult to tell the difference between legitimate and fraudulent emails and calls. There's a great deal of information publicly available on real estate transactions, so scammers have considerable raw material to work with that can make their approach more plausible.

Organizations would do well to make BEC and CEO fraud topics of training for their employees. This applies to the real estate sector, of course, but any organization that handles money or personally identifiable information is in principle vulnerable. This is an area in which well-crafted and well-drilled security policies can make a big difference. If you suspect fraud, contact your financial institution within 24 hours and request a clawback of funds.

And then the FBI would very much like to hear from you. They're committed to helping the victims of this kind of crime, but if the amount is less than 1M, you will not find yourself at the top of the queue.

The Internet Crime Complaint Center (IC3) has the story:
https://www.ic3.gov/media/2018/180712.aspx
250K Dollar CEO Fraud in a Municipal Finance Department

Local, state, and Federal authorities are investigating a phishing attack that victimized the city of Alamogordo, New Mexico. One of the city's procurement officers received what appeared to be a legitimate email from an agent representing the Cooperative Education Exchange (CES), a New Mexico purchasing coop.

CES and the agent are legitimate, and the city does business with both of them. The email requested that the city change CES banking information and pay outstanding invoices to the new account. The recipient was convinced—the only sign there may have been something awry was that the email used an outdated version of the CES logo.

The procurement officer forwarded the request to Alamogordo's Finance Department, which dutifully changed the information and paid the $250,000 for which the city had been invoiced. They realized they'd been scammed when they received calls from real CES representatives asking about payment. Alamogordo of course thought it had already paid.

Note the two-step process this bit of social engineering followed. First the procurement officer was scammed, and then that official unwittingly passed the CEO fraud scam on to the Finance Department. The incident has been reported to the Office of the State Auditor, local police, and the FBI. It's unlikely the funds will be recovered.

As is usual in such cases, once the transfer has been made, the money is gone. Protecting an organization against such forms of business email compromise involves a combination of sound policy and effectively designed and delivered user awareness training. New Mexico State Auditor Wayne Johnson's advice is succinct, clear, and worth repeating:

"An email seeking to alter banking information should always be a red flag. Talk to your vendors, especially when they do something out of the ordinary, like send a change in banking information. It’s important to establish personal relationships so that finance staff can talk to people already known to them. There’s no excuse for not taking that extra step to make sure to prevent the theft of a quarter of a million dollars in public money.

The city of Alamogordo may be out a quarter of a million, but there's no reason your organization needs to follow suit. Interactive, new school security awareness training can help your employees recognize this kind of social engineering and spit the hook before the phishing attack is successful. The Alamogordo Daily News has the story:
https://www.alamogordonews.com/story/news/crime/2018/07/17/alamogordo-bilked-out-250-000-email-scam/794496002/
Report: 2018 Phishing by Industry Benchmarking

As a security leader, you’re faced with a tough choice. Even as you increase your budget for sophisticated security software, your exposure to cybercrime keeps going up!

IT security seems to be a race between effective technology and clever attack methods.

However, there’s an often overlooked security layer that can significantly reduce your organization’s attack surface: New-school security awareness training.

In this report, brand-new research from KnowBe4 highlights employee Phish-prone™ percentages by industry, revealing at-risk users that are susceptible to phishing or social engineering attacks. Taking it a step further, the research also reveals radical drops in careless clicking after 90 days and 12 months of new-school security awareness training.

Do you know how your organization compares to your peers of similar size? Download this whitepaper to find out!
https://info.knowbe4.com/2018-phishing-by-industry-benchmarking-report
Microsoft Is the Brand to Spoof

Vade Secure says in its inaugural "Phishers' Favorites Top 25" that scammers are more likely to spoof a Microsoft email than an email from any other brand. Attacks on users of Office 365 via phishing emails that pretend to be from Microsoft have replaced Facebook on the leaderboard. Vade ranks the Top 25 attacks in order:
  1. Microsoft
  2. PayPal
  3. Facebook
  4. Netflix
  5. Wells Fargo
  6. Bank of America
  7. Docusign
  8. Dropbox
  9. DHL
  10. Apple
  11. Orange
  12. Adobe
  13. Google
  14. Credit Agricole
  15. Banque Populaire
  16. LinkedIn
  17. Alibaba
  18. Chase
  19. Yahoo!
  20. AT&T
  21. RBC
  22. BT
  23. Amazon
  24. USAA
  25. We Transfer
The researchers speculate that Office 365 is a lucrative target with a rapidly growing user community. New users are likely to be unfamiliar with the ways in which they might be contacted about a service. An organization that uses any of the Top 25 would do well to sensitize its employees to the risks of phishing from spoofed accounts.

Help Net Security has the story: https://www.helpnetsecurity.com/2018/07/18/phishers-impersonate-microsoft/.
Vade Secure's post may be found here: https://www.vadesecure.com/en/phishers-favorites-q2-2018/.
Real Passwords Give This Sextortion Scam Credibility

Inability to protect passwords has provided extortionists with a new opportunity for more credible scams. Recent extortion attempts have begun with an email telling a victim that the blackmailer has video showing the victim's use of an adult website.

The scammers say they have a split screen video displaying the adult site's contents alongside video of the victim. The extortionists demand payment in Bitcoin within twenty-four hours. If they're not paid, they say, they'll send the discreditable video to everyone in the victim's address book, which they claim to have compromised.

In all probability the extortionists have no video whatsoever. What they do have, and what lends credibility to the scam, is that the extortionists tell the victims, and show the victims, that they have one of the victims' passwords.

Some of the passwords may be old, but they're genuine, and the ploy may succeed in spooking people into paying. Observers think the extortion is probably generated automatically by scraping one of the many online sources of compromised credentials.

There are a few lessons any organization might advise its employees to take. Cover the lens of your device's camera when the camera's not in use. Don't reuse passwords, and change them if you have reason to believe they've been compromised. And, of course, don't open email attachments if they have not asked for them: KrebsOnSecurity has the story:
https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/
More Lessons From the Mueller Indictment

We’ve reviewed this before, but it's worth repeating: the indictment the US Department of Justice released Friday, July 13th, indicated convincingly that Russia's GRU intelligence service used spearphishing to compromise the Democratic National Committee and the Clinton campaign during the 2016 general elections.

The apparent ease with which spear phishing compromised a major political operation is a cautionary tale that any organization might take to heart. Political campaigns and parties are very much alive to the fact that they face opposition and yet found themselves open to compromise in the heat of a campaign.

Effective, new school, interactive training is invaluable in building a security culture. And, of course, it's unwise to neglect security fundamentals like two-factor authentication. Infosecurity Magazine has the story:
https://www.infosecurity-magazine.com/news/russia-indictments-up-election/

Send this to your legal eagles: 5 Tips for Legal Departments After Russian Hacker Indictment Around US Elections:
https://www.law.com/corpcounsel/2018/07/17/5-tips-for-legal-departments-after-russian-hacker-indictment-around-u-s-elections/
Have Your Users Made You an Easy Target for Spear Phishing?

Did you know that many of the email addresses and identities of your organization are exposed on the internet and easy for cybercriminals to find?

With that email attack surface, they can launch social engineering, spear phishing and ransomware attacks on your organization.

Our Email Exposure Check Pro (EEC) identifies the at-risk users in your organization by crawling business social media information and hundreds of breach databases. This is done in two stages:

First Stage Does deep web searches to find any publicly available organizational data.

Second Stage Finds any users that have had their account information exposed in any of several hundred breaches.

Your EEC Pro Reports We will email you back a summary report PDF of the number of exposed emails, identities and risk levels found. You will also get a link to the full detailed report of actual users found, including breach name and if a password was exposed.

Getting your EEC Pro will only take a few minutes and is often an eye-opening discovery. Get Your Free Report Now.
https://info.knowbe4.com/email-exposure-check-pro-chn
What KnowBe4 Customers Say

"We absolutely love the functionality of the phishing service. We are still in the beginning stages of measuring responses, looking at more individualized campaigns, and determining the best training practices for our firm, but the picture is not quite a bleak as we thought it was when we had an issue earlier this year before utilizing your service.

I just have to say thanks for really understanding what people need, and being honest and in your face about it. It’s what caught my attention. Someone actually saying what’s what instead of just trying to sell a product because “they” think it is the best, without really investing the time to truly design the best product for their audience.

I think about this constantly in the legal marketplace and the lack of truly good programs that support the firms well. It really shouldn’t be so hard should it?!?! Anyway, thanks for reaching out. Have a great day Stu!
- S.K. - Executive Director"



Today, your employees are frequently exposed to advanced phishing and ransomware attacks. Here are the Top 5 reasons why you need to deploy New-school Security Awareness Training in 2018:
  • Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately their time is money too. They are going after the human—the weakest link in IT security—and your last line of defense.
  • Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and their sophistication is increasing by the month. The downtime caused by ransomware can be massive.
  • Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. GDPR is a good example, we have compliance training ready in 24 languages.
  • Legally you are required to act "reasonably" and take "necessary" measures to cope with a threat. If you don't, you violate either compliance laws, regulations, or recent case law. Your organization must "scale security measures to reflect the threat".
  • Board members' No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breach data is being sold on the dark web.
Your users are your last line of defense. Find out how affordable creating a "human firewall" is.

Get a quote for your organization now and be pleasantly surprised!
https://info.knowbe4.com/kmsat_get_a_quote_now
The 10 Interesting News Items This Week
    1. Another Hacking Scandal? Russians could be behind 'cyber caliphate'
      https://blog.knowbe4.com/another-hacking-scandal-russians-could-be-behind-cyber-caliphate

    2. The New King of Ransomware? Yop, and a nasty king it is...
      https://www.securityweek.com/grandcrab-new-king-ransomware

    3. irtual Case Notes: How I Nearly Fell for Email Trick Russians Used Against Clinton Campaign:
      https://www.forensicmag.com/news/2018/07/virtual-case-notes-how-i-nearly-fell-email-trick-russians-used-against-clinton-campaign

    4.  Cyber Axis of Evil is Rewriting the Cyber Kill Chain:
      https://www.securityweek.com/cyber-axis-evil-rewriting-cyber-kill-chain

    5. US Orgs Overly Optimistic About Cyber-Readiness:
      https://www.infosecurity-magazine.com/news/us-orgs-more-realistic-in-judging/

    6. GDPR Fueling Rise of PII Theft, Cryptomining Plateauing:
      https://www.infosecurity-magazine.com/news/gdpr-fuelling-rise-of-pii-theft/

    7. Magniber Ransomware Expands From South Korea to Target Other Asian Countries:
      https://www.bleepingcomputer.com/news/security/magniber-ransomware-expands-from-south-korea-to-target-other-asian-countries/

    8. Cyber Attack Trends: 2018 Mid-Year Report:
      https://pages.checkpoint.com/rs/750-DQH-528/images/cyber-attach-trends-mid-year-report-2018.pdf

    9. 2018 Credential Spill Report:
      http://info.shapesecurity.com/rs/935-ZAM-778/images/Shape_Credential_Spill_Report_2018.pdf

    10. The 10 airports where your phone is most likely to get hacked:
      https://www.techrepublic.com/article/the-10-airports-where-your-phone-is-most-likely-to-get-hacked/
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
FOLLOW US ON: Twitter | LinkedIn | Google | YouTube
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog


Domain Spoof Test Contest




Get the latest about social engineering

Subscribe to CyberheistNews