CyberheistNews Vol 8 #35 New Evil PDFs Infect Machines With a Secret Backdoor and Exfiltrate Your Data Via Email


The Turla threat group, certainly Russian-speaking and widely attributed to Russian intelligence services, is back with a new and scary phishing technique. These bad guys are sending emails with a malicious PDF payload that installs a hidden backdoor on the workstation.

The backdoor is a standalone dynamic link library that's able to install itself and interact with Outlook and other email clients. It exfiltrates data through email, which means that it evades detection by many commonly used data loss prevention products. The stolen data is enclosed in a PDF container, which also looks unproblematic to many security solutions.

As the ESET researchers who've tracked this latest evolution of Turla warned, there's no command-and-control server that can be taken down - the malware can be completely controlled via email, the data exfiltration can look entirely legitimate, and the ways in which the campaign modifies standard functions make it a stealthy and tough-to-eradicate infection.

The purpose of this malware is to monitor all incoming and outgoing emails on infected systems and to gather info about the sender, recipient, subject, and attachment name (if any). That data is then organized into logs that are sent to Turla operators.

The Outlook backdoor also checks all incoming email for PDFs that might contain commands from the attackers. It will accept commands from ANY threat actor that is able to encode them in the right format in a PDF document.

If the email address to which the malware typically transmits stolen data is blocked, the hacker can recover control of the backdoor simply by sending a rogue PDF with a new C2 address.

This is really a nightmare you don't want to wake up to. Organizations should step their employees through new-school security awareness training which explains that the PDFs they're receiving may not be what they seem. Here is the infection map:
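The exfiltration pattern described above (stolen data leaving as an ordinary-looking PDF attachment, addressed to the operators rather than a C2 server) suggests a simple defender-side heuristic. The following is an added example written for this newsletter, not code from ESET or KnowBe4: it baselines which external addresses each mailbox has actually corresponded with, then flags outbound PDF attachments sent to an external recipient that mailbox has never exchanged mail with. The mail-gateway records and the domain `corp.example` are constructed for the example.

```python
from collections import defaultdict

INTERNAL_DOMAIN = "corp.example"  # assumed organization domain

# Constructed mail-gateway records (not real logs):
# (direction, sender, recipient, attachment name or None)
BASELINE = [
    ("in",  "partner@vendor.example", "alice@corp.example",     None),
    ("out", "alice@corp.example",     "partner@vendor.example", "invoice.pdf"),
    ("out", "bob@corp.example",       "hr@corp.example",        "timesheet.pdf"),
]
NEW_TRAFFIC = [
    ("out", "alice@corp.example", "partner@vendor.example", "q3-report.pdf"),  # known correspondent
    ("out", "alice@corp.example", "drop@unknown.example",   "report.pdf"),     # never corresponded
    ("out", "bob@corp.example",   "hr@corp.example",        "timesheet.pdf"),  # internal recipient
    ("out", "bob@corp.example",   "someone@other.example",  "notes.txt"),      # not a PDF
]


def is_internal(address):
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def build_correspondents(records):
    """Map each internal mailbox to every address it has exchanged mail with."""
    known = defaultdict(set)
    for direction, sender, recipient, _ in records:
        if direction == "in" and is_internal(recipient):
            known[recipient].add(sender)
        elif direction == "out" and is_internal(sender):
            known[sender].add(recipient)
    return known


def flag_unsolicited_pdfs(records, known):
    """Return outbound PDF attachments sent to external addresses the sender
    has no prior correspondence with. A backdoor mailing a PDF container to an
    operator address tends to look exactly like this; legitimate first-contact
    mail will too, so treat hits as review items, not verdicts."""
    alerts = []
    for direction, sender, recipient, attachment in records:
        if direction != "out" or attachment is None:
            continue
        if not attachment.lower().endswith(".pdf") or is_internal(recipient):
            continue
        if recipient not in known.get(sender, set()):
            alerts.append((sender, recipient, attachment))
    return alerts


if __name__ == "__main__":
    for alert in flag_unsolicited_pdfs(NEW_TRAFFIC, build_correspondents(BASELINE)):
        print("review:", alert)
```

Because the same technique accepts commands arriving as PDFs, the mirror-image check (inbound PDFs from senders the mailbox has never written to) is worth running over the same baseline.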
80% Spike in Business Email Compromise This Quarter

Business email compromise attacks (BEC) have spiked by 80% over the past quarter, according to a report by Mimecast. The security provider revealed that over the past three months it had blocked over 41,000 BEC attempts that went undetected by other vendors.

Additionally, Trend Micro released a report showing that BEC attacks—also known as CEO fraud—doubled in the second half of 2017 compared to the first half of the year.

Business email compromise takes place when employees of an organization are manipulated into transferring large sums of money from the organization to an attacker posing as the CEO or CFO. The attack usually starts with a successful spear phishing email that grants an attacker access to the organization.

Once inside, the attacker can spend months observing the internal operations and communications of the organization. After becoming familiar with the organization’s schedule and employees, the attacker spoofs an email from the CEO to one of the employees asking them to wire money to the attacker’s account.

The FBI stated that BEC has caused the loss of over $12 billion between October 2013 and May 2018. The best way to defend against BEC attacks, according to the FBI, is to use face-to-face or voice-to-voice communication. Additionally, requiring multi-factor authentication for payments can add a layer of security, particularly if one of the authentication methods is confirmation by phone call.

Finally, increasing employee awareness of email security can prevent an attacker from gaining access to the organization in the first place. Sound policies, and employees trained to follow them, can help block BEC before it starts.

Free CEO Fraud Prevention Manual Download

CEO fraud has ruined the careers of many executives and loyal employees. Don't be the next victim. This brand-new manual provides a thorough overview of how executives are compromised, how to prevent such an attack, and what to do if you become a victim:
Missed the Incredibly Popular "Social Engineering Dirty Little Secrets" Webinar?

Almost 6,000 IT pros registered for the live version, but it's now available on-demand.

Kevin Mitnick, the world's most famous hacker and KnowBe4's Chief Hacking Officer, along with Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer, share social engineering insights and experiences.

Key topics covered:
  • How social engineering has changed over time
  • Some of the cleverest social engineering techniques
  • Common ways malicious actors find information to use in spear phishing campaigns
  • Psychology of a social engineering exploit and how an organization can protect its users
See it now; it's great for a lunch break and it may count for credits:
See Ridiculously Easy Security Awareness Training and Phishing in Action

Old-school awareness training does not hack it anymore. Your email filters have an average 10-15% failure rate; you need a strong human firewall as your last line of defense.

Join us for a 30-minute live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Virtual Risk Officer shows you the Risk Score by employee, group, and your whole organization.
  • NEW Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 20,000 organizations have mobilized their end-users as their human firewall.

Date/Time: Thursday, September 6, 2018, at 2:00 p.m. (ET)
Save My Spot!
Live Webinar: The Quantum Computing Break is Coming... Will You Be Ready?

Quantum computing is a game-changer and will have a huge impact on the way we do business, safeguard data, explore space, and even predict weather events.

Yet, some experts say in the not so distant future quantum computers will break existing public key cryptography forever.

On that digital day of reckoning, every stored secret protected by traditional public key crypto will be broken forever; including TLS, digital certificates, PKI, SSH, RSA, most wireless networks, VPNs, online financial transactions, and even bitcoin and blockchain. All of it made worthless in a second…

Join Roger Grimes, KnowBe4 Data-Driven Defense Evangelist, as he explores the way bad guys will be able to use more secrets against you than ever before, especially in increasingly sophisticated spear-phishing attacks.

Attend this exclusive event to learn what you can do to prepare.
  • Why quantum computing is different from traditional binary computing
  • How close quantum computers are to breaking traditional public key cryptography
  • What defenses you can deploy after public key cryptography is broken
  • How to prepare your users - your best, last line of defense
The quantum computing break is coming. Will you be ready?

Date/Time: Wednesday, September 19th at 2:00 PM (ET)
Save My Spot!
Come See Me Speak at the Wall Street Journal Small Business Academy October 16th

Join me at the Wall Street Journal Pro’s Small Business Academy event to equip your business with the skills to manage the mounting risks of cybercrime. By attending one or both days you will connect with peers, hear from experts, learn from practitioners and begin building your cybersecurity strategy.
    • Day One: Conference, Monday, October 15. A full-day conference where industry experts and the Wall Street Journal editors discuss cybersecurity challenges facing SMBs.

    • Day Two: Training, Tuesday, October 16. Dive deeper into the lessons from day one with hands-on training from accredited cybersecurity training partners, including the FBI-affiliated InfraGard San Diego.
Venue: Monarch Beach Resort, Dana Point, CA 92629. Register here:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Formal education will make you a living; self-education will make you a fortune."
- Jim Rohn, Entrepreneur (1930 - 2009)

"It is the mark of an educated mind to be able to entertain a thought without accepting it." - Aristotle

Thanks for reading CyberheistNews
Security News
Here Is a Way to Get Audits Done in Half the Time and Half the Cost

Join us for a 30-minute live product demonstration of KnowBe4's Compliance Manager to see how you can simplify the complexity of getting compliant and ease your burden of staying compliant year-round.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Ability to build your own templates using our simple custom template feature.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Finally, an affordable and easy-to-use compliance management tool.

Save Your Spot! Choose the best date and time for you:

Wednesday, September 12th at 1:00 PM (ET)

Thursday, September 13th at 11:00 AM (ET)
Election Hackers Continue to Phish

Google has informed US Senator Pat Toomey that hackers with links to an undisclosed nation-state had sent phishing emails to accounts from the senator’s 2016 campaign. Google said the emails were likely exploratory, since they didn't contain malware or links to credential-phishing websites.

The targeted accounts had been dormant since the 2016 campaign, and Toomey isn't currently up for re-election.

Several weeks ago, Senator Claire McCaskill discovered that she had also been targeted by Russian-linked hackers in 2016. Microsoft’s seizure of suspected APT28 domain names revealed that hackers had attempted to infiltrate McCaskill’s network, as well as the networks of two other candidates.

Additionally, Microsoft revealed on Tuesday that it had discovered a new Russian-linked campaign targeting Republicans who had been critical of Russian President Vladimir Putin.

Organizations must be aware that nation-states, particularly Russia, but also North Korea, China, and Iran, are directing attacks at both political parties for the purposes of both espionage and political disruption. Civil servants, candidates, their staffs, election officials, and, of course, voters should be mindful of the reality that they may be targeted by these actors.

If you're a campaign considering security training, by all means do it in a properly coordinated way. There have been some embarrassing false alarms. New-school interactive training can help build a security culture in any organization. SecurityWeek has the story:
SEO Extortion by STD

A group is attempting to extort money from a company by threatening to destroy its online reputation. CheapAir, a flight comparison website, says it received an email in which a group calling itself “STD Company” threatened to give CheapAir thousands of negative reviews in order to manipulate the website’s position in search engine results.

The group claimed it would flood sites like TrustPilot and RipOff Report with these reviews, which would eventually drown out CheapAir’s legitimate website.

The group also said it would target the company on other forms of social media, including Twitter and Instagram. This would involve using a large network of bots on Twitter to create and retweet damaging tweets about CheapAir. STD has already started to post these tweets, some of which have been shared over 200 times by other bots.

Likewise, the group left a number of negative comments on CheapAir’s Instagram page. STD claimed that these tweets and comments were a foreshadowing of what would happen if CheapAir didn't send them 1.5 bitcoin (approximately $10,500).

CheapAir’s CEO Jeff Klee told Motherboard that his company would not pay the ransom, but he noted that the organization would have to spend a significant amount of time combating the activity.

The takeaway from this is that botnets and fake accounts can have damaging effects on third-parties, and organizations should take steps to reduce their impact. Motherboard found that many of STD’s social media accounts could be identified as fraudulent rather easily, due to a lack of profile pictures and original content.

Make your users aware of malicious SEO campaigns. Motherboard has the story:
Cyber Security, Like Healthcare, Is All About People

Health care records have great inherent long-term value, making them highly desirable targets for cyber criminals.

Proofpoint’s 2018 healthcare threat report revealed 40 million attacks in Q3 2017 against hospitals, clinics and health insurers. The report illustrates the importance of training and educating staff to understand and identify cyber threats as a best defense.

Cyberattacks on the health care industry are increasing at an alarming rate. Personal health data are being exposed and ransomware is disrupting essential health services and shutting down emergency rooms. Patients and staff are being defrauded by fraudulent emails.

Healthcare organizations learned hard lessons about ransomware because of the WannaCry attack, which touched 99 countries and over 200,000 victims. As a result, ransomware attacks increased from 4 million in 2Q 2017 to 17 million in 3Q 2017.

With just one click or malicious download, entire hospital systems can be brought down. Ransomware is particularly dangerous to healthcare systems since its effect is instantaneous, locking down systems critical to patient care.

The human factor is a weak security link. Nearly every cyberattack originates by targeting an individual. Cyber security, like healthcare, is all about people. When it comes to healthcare, an industry where cyberattacks can result in a direct threat to life, cyber security plans need to include both technology and people as part of a multi-layered defense.

Healthcare organizations should consider the ways in which interactive security awareness training can help them build a security culture. Healthcare Global has the story:
You're Invited to Participate in the Inaugural 2018 Security Awareness Training Deployment Trends and Usage Survey.

KnowBe4 is running its Inaugural 2018 Security Awareness Training Deployment Trends and Usage Survey. We’re polling IT and Security executives, admins and professionals like yourself on your firm’s experiences regarding key security issues such as training, security spending, and how your organization is responding to still-growing threats like phishing scams.

This is a multiple-choice survey with one Essay question. It should take you about 5 minutes to complete. ALL responses are confidential.

Anyone who completes the survey and includes their email address in the Essay question along with a comment is eligible to receive a complimentary copy of the Executive Summary and the accompanying PowerPoint presentation of the survey results.

The person who provides us with the best Essay comment will win a 100 dollar Amazon gift card. The results will be very interesting and will allow you to compare yourself with your peers.

Thanks in advance for participating in this survey! Here's the link:
What KnowBe4 Customers Say

"I’ve been very pleased with KnowBe4 so far. The sales team, implementation team, and CSM have all been excellent. I wish our results were a lot better, but the initial phishing campaign worked really well and I’m very happy with the training content.

It’s been very nice having follow-up to make sure we are successful; a lot of companies just sell you the product and then are done until it comes time to sell you more. I’ve already made several recommendations to some of my peers around the area. Thanks, N.D." - IT Director

"Stu, we are very happy with KnowBe4. We’ve had quite the slow start, but it was entirely due to my workload. Steve Donze has been terrific in helping me get off the ground.

I’ve had several instances in offsite meetings where the name “KnowBe4” has come up and it’s reassuring that we’re in the right hands and on the right track. Thanks so much for reaching out. Regards, M.K." - IT Supervisor

PS, If you want to see KnowBe4 compared to other products in an objective, vetted platform that makes sure the reviews are fully legit, check Gartner Peer Insights:
The 10 Interesting News Items This Week
    1. Don't Miss This One - KnowBe4 Fresh Content Update & New Features August 2018:

    2. Examining the 2018 Cost of a Data Breach, here is how to calculate yours:

    3. Updated! This is a map of KnowBe4's 20,000+ customers Worldwide:

    4. Russian Trolls 'Spread Vaccine Misinformation' Online:

    5. WhatsApp: Mobile Phishing's Newest Attack Target:

    6. 10 Most Popular Certifications Needed for Cybersecurity Careers:

    7. Federal prosecutors indicted a 20-year-old man who built the Satori botnet:

    8. New Booz Allen Hamilton report advises companies to include printers in their overall security strategy:

    9. How to improve security without treating your users like criminals:

    10. Cybercriminals Changing Tactics as Seen in First Half Report:

    11. BONUS Links:

      KnowBe4 is The ONLY simulated phishing and awareness training platform that is SOC2 Type 2 certified:

      Save The Date For KB4-CON 2019! May 8-10 in Orlando:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • What's it like to work in information security? This sums it up better than words ever could. Awesome animation!:
    • This YouTuber used a 2.5-watt laser and a bunch of custom 3D printed parts to create a working replica of Nintendo Metroid Samus Aran’s iconic weapon:

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.