CyberheistNews Vol 8 #39 [Heads-Up] Now in the Wild: New Super Evil Rootkit Survives Even "Nuke From Orbit" and HD Swap

This thing is a nightmare that escaped into daylight. Fancy Bear (the group ESET tracks as Sednit, and which the US government attributes to Russia's GRU) probably was riveted reading the WikiLeaks CIA Vault 7 docs on UEFI implants and built a UEFI rootkit of their own, which ESET has named LoJax, apparently speeding up the job by repurposing Absolute's commercial LoJack anti-theft agent.

This rootkit survives a reformat and OS reinstall, and even a hard-disk swap, because it lives in the SPI flash chip on the motherboard that holds the system firmware, not on the disk. The only way to get rid of the infection is to reflash that chip with a known-good vendor firmware image (or replace the motherboard), which is not for the faint of heart, provided you can even get hold of the right image. Imagine this monster being propagated with a self-spreading worm like WannaCry. It gives you the shivers, right on time for Halloween.

What the Heck Is UEFI?

Remember BIOS? It got replaced with UEFI, which stands for Unified Extensible Firmware Interface. UEFI is a specification for the interface between a computer's firmware and its operating system: the firmware initializes the hardware, runs pre-boot drivers and applications, and then hands control to the operating system's boot loader.

This attack compromises the machine's UEFI firmware. The rootkit is written into the firmware image in the board's SPI flash as an extra module, so it runs at every boot before any disk is touched, and that is why it survives "Nuke From Orbit" (that clip never gets old) and even hard disk swaps.

The last few years, the hardware community has introduced measures that make it hard for someone to make unauthorized changes at the firmware level. One example is Secure Boot, a mechanism that ensures only properly signed boot loaders, drivers and operating systems are allowed to run at boot. Note its limits, though: Secure Boot verifies what the firmware executes; it does not stop the firmware image itself from being rewritten. That job belongs to the chipset's SPI flash write-protection settings, and a machine where those are misconfigured or missing is exactly what this rootkit's installer needs.

Controls like Secure Boot are why InfoSec pros up to now generally considered UEFI rootkits as something more hypothetical, something only state-sponsored actors are able to develop and use.

However, now that the genie is out of the bottle, you can expect more UEFI rootkits rearing their ugly heads, possibly with advanced features like signature verification bypass.
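The advice in the paragraphs above boils down to two questions you can actually answer on a machine: can the OS write to the BIOS region of the SPI flash, and is Secure Boot really enforcing? Here is an added Python example, not code from ESET or from this newsletter, that makes those decisions. The rules mirror the checks Intel's open-source chipsec tool performs in its common.bios_wp module; the BIOS_CNTL bit positions, the PRx register layout, the efivars variable GUID and every sample register value are assumptions written out for the example rather than vendor-verified tables, so confirm them against your platform's datasheet before trusting a verdict.

```python
"""Decide whether the BIOS region of SPI flash is writable from the OS and whether
Secure Boot is enforcing. Added example modelled on chipsec's common.bios_wp checks;
register layouts and sample values are assumptions, not a vendor reference."""

# Intel PCH BIOS_CNTL bits (assumed layout): BIOSWE = bit 0, BLE = bit 1, SMM_BWP = bit 5.
BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5


def decode_protected_range(pr: int):
    """SPI PRx register (assumed layout): bits 12:0 base (4 KiB units), bits 28:16 limit
    (4 KiB units, inclusive), bit 31 write-protect enable. Returns (base, limit, wpe)."""
    base = (pr & 0x1FFF) << 12
    limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
    wpe = bool((pr >> 31) & 1)
    return base, limit, wpe


def ranges_cover(region, ranges) -> bool:
    """True when the write-protected ranges cover every byte of region=(base, limit)."""
    lo, hi = region
    cursor = lo
    for base, limit, _wpe in sorted(r for r in ranges if r[2]):
        if base > cursor:
            break                      # an unprotected gap starts at cursor
        cursor = max(cursor, limit + 1)
        if cursor > hi:
            return True
    return cursor > hi


def assess_bios_write_protection(bios_cntl: int, bios_region, prs):
    """Classify the BIOS region as protected or not, with the reasons."""
    ble, bioswe, smm_bwp = bool(bios_cntl & BLE), bool(bios_cntl & BIOSWE), bool(bios_cntl & SMM_BWP)
    findings = []
    if ble and not bioswe and smm_bwp:
        protected = True
        findings.append("BIOS_CNTL: BLE+SMM_BWP set, BIOSWE clear; flash writes restricted to SMM")
    elif ble and not bioswe:
        protected = False
        findings.append("BIOS_CNTL: BLE set but SMM_BWP clear; only the SMI handler guards BIOSWE, "
                        "which is known to be raceable on some platforms")
    else:
        protected = False
        findings.append("BIOS_CNTL: BLE clear or BIOSWE set; BIOS region is writable from the OS")
    if not protected:
        decoded = [decode_protected_range(p) for p in prs]
        if ranges_cover(bios_region, decoded):
            protected = True
            findings.append("SPI PRx: write-protected ranges cover the whole BIOS region")
        else:
            findings.append("SPI PRx: BIOS region not fully covered by write-protected ranges")
    return protected, findings


def secure_boot_enforcing(secureboot_var: bytes, setupmode_var: bytes) -> bool:
    """Parse efivarfs blobs (4-byte attribute word, then data). Enforcing only when
    SecureBoot == 1 and SetupMode == 0 (setup mode lets anyone enrol their own keys)."""
    sb = secureboot_var[4] if len(secureboot_var) > 4 else 0
    sm = setupmode_var[4] if len(setupmode_var) > 4 else 1
    return sb == 1 and sm == 0


# Constructed sample platforms (illustrative values, not read from a real machine).
BIOS_REGION = (0x500000, 0x7FFFFF)     # 3 MiB BIOS region at the top of an 8 MiB flash
SAMPLES = {
    "hardened":         (0x22, []),            # BLE + SMM_BWP, BIOSWE clear
    "lojax-style weak": (0x02, []),            # BLE only, no protected ranges
    "pr-fallback":      (0x02, [0x87FF0500]),  # BLE only, PR0 covers 0x500000-0x7FFFFF
    "pr-partial":       (0x02, [0x85FF0500]),  # PR0 covers only 0x500000-0x5FFFFF
}

if __name__ == "__main__":
    for name, (cntl, prs) in SAMPLES.items():
        ok, why = assess_bios_write_protection(cntl, BIOS_REGION, prs)
        print(f"{name:17s} protected={ok}")
        for line in why:
            print("   ", line)
    # On Linux the real blobs live under /sys/firmware/efi/efivars/ as
    # SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c and SetupMode-<same GUID>;
    # constructed blobs stand in for them here.
    print("secure boot enforcing:",
          secure_boot_enforcing(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"))
```

On a real box you get the register values from chipsec (`chipsec_main -m common.bios_wp` runs this same decision for you) or from the vendor's own tooling; the point of spelling the logic out is that "BLE is set" by itself is not a pass, and that a green Secure Boot indicator says nothing about whether the flash chip can be rewritten.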

Who Discovered This?

Security firm ESET blogged about it a few days ago. They said: "UEFI rootkits are widely viewed as extremely dangerous tools for implementing cyber attacks. No UEFI rootkit has ever been detected in the wild – until we discovered a campaign by [Fancy Bear] that successfully deployed a malicious UEFI module on a victim's system."

ESET's analysis shows that Fancy Bear used a kernel driver (RwDrv.sys) bundled with a legitimate, freely available utility called RWEverything to install the UEFI rootkit. The driver gives user-mode code read and write access to low-level hardware resources, including chipset registers and the SPI flash controller, and the installer used it to dump the firmware, patch its malicious module into the image, and write the image back, which only works where the platform's flash write protections are not properly enabled.

Here Are Two Things to Do About It
    1. Alexis Dorais-Joncas, security intelligence team lead at ESET said: "Organizations should review the Secure Boot configuration on [all] their hardware and make sure they are configured properly to prevent unauthorized access to the firmware memory. They also need to think about controls for detecting malware at the UEFI/BIOS level." You can say that again. They have a PDF that explains the problem in detail. Note that Secure Boot only helps on firmware that implements it and has it switched on, and that it is not the control that stops a write to the flash chip: that is the chipset's BIOS write protection (lock bits and protected ranges), which the PDF also discusses. The infected machine was an older platform.

    2. The black hats behind this are known for their recent headlines about major, high profile attacks. For instance, the US Department of Justice named the group as being responsible for the Democratic National Committee (DNC) hack just before the US 2016 elections. So, these guys are not leaving Russia anytime soon; they probably have the indictment framed on their wall as a reminder.
That leaves spear phishing as their go-to strategy to penetrate targets. So, this is another excellent reason to step your users through new-school security awareness training, because social engineering is how these bad guys get into your network. Here is the updated KnowBe4 Blog post with all the links. Oh, and tell your friends:
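Dorais-Joncas's second point, detecting malware at the UEFI/BIOS level, comes down in practice to dumping the flash and comparing it with a known-good image of the same firmware version. Here is an added Python example, not ESET's or KnowBe4's code, of that comparison: it locates UEFI firmware volumes in a dump by their header signature, validates each header with the checksum the UEFI PI spec defines, and reports which volumes are added, removed or modified relative to a baseline. The two dumps it runs on are constructed inline (a handful of synthetic volumes, not a real firmware image), and the attribute value and block size used to build them are arbitrary choices for the example.

```python
"""Find UEFI firmware volumes in two SPI flash dumps and report which ones changed.
Added example: a minimal scanner for the EFI_FIRMWARE_VOLUME_HEADER layout from the
UEFI PI spec, plus constructed sample dumps standing in for real flash images."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
SIGNATURE_OFFSET = 40        # the signature sits 40 bytes into the header
# ZeroVector[16], FileSystemGuid, FvLength, Signature, Attributes, HeaderLength,
# Checksum, ExtHeaderOffset, Reserved, Revision; BlockMap entries follow until (0, 0).
FV_HEADER = struct.Struct("<16s16sQ4sIHHHBB")
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")   # EFI_FIRMWARE_FILE_SYSTEM2_GUID
BLOCK = 0x1000               # block size used for the constructed volumes


def header_checksum(header: bytes) -> int:
    """A header is valid when the 16-bit sum of its little-endian words is zero."""
    return sum(struct.unpack("<%dH" % (len(header) // 2), header)) & 0xFFFF


def find_volumes(image: bytes):
    """Yield one dict per firmware volume whose header passes the sanity checks."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIGNATURE_OFFSET
        if start >= 0 and start + FV_HEADER.size <= len(image):
            (_zero, guid_raw, fv_len, _sig, _attr, hdr_len,
             _csum, _ext, _res, _rev) = FV_HEADER.unpack_from(image, start)
            plausible = (FV_HEADER.size <= hdr_len < fv_len and hdr_len % 2 == 0
                         and start + fv_len <= len(image))
            if plausible and header_checksum(image[start:start + hdr_len]) == 0:
                yield {
                    "offset": start,
                    "guid": str(uuid.UUID(bytes_le=guid_raw)),
                    "length": fv_len,
                    "sha256": hashlib.sha256(image[start:start + fv_len]).hexdigest(),
                }
        pos = image.find(FV_SIGNATURE, pos + 1)


def diff_firmware(baseline: bytes, suspect: bytes):
    """Match volumes by flash offset; anything not byte-identical to the baseline is flagged."""
    base = {v["offset"]: v for v in find_volumes(baseline)}
    susp = {v["offset"]: v for v in find_volumes(suspect)}
    report = []
    for offset in sorted(set(base) | set(susp)):
        if offset not in susp:
            status = "removed"
        elif offset not in base:
            status = "added"
        elif base[offset]["sha256"] != susp[offset]["sha256"]:
            status = "modified"
        else:
            status = "unchanged"
        report.append((offset, (susp.get(offset) or base[offset])["guid"], status))
    return report


def build_volume(guid: uuid.UUID, fv_len: int, body: bytes) -> bytes:
    """Construct a syntactically valid volume: header, one BlockMap entry, terminator, body."""
    assert fv_len % BLOCK == 0
    hdr_len = FV_HEADER.size + 16      # + BlockMap entry (8 bytes) + (0, 0) terminator (8 bytes)

    def pack(checksum: int) -> bytes:
        head = FV_HEADER.pack(b"\x00" * 16, guid.bytes_le, fv_len, FV_SIGNATURE,
                              0x0004FEFF, hdr_len, checksum, 0, 0, 2)
        return head + struct.pack("<IIII", fv_len // BLOCK, BLOCK, 0, 0)

    checksum = (-header_checksum(pack(0))) & 0xFFFF          # make the word sum zero
    payload = body[:fv_len - hdr_len].ljust(fv_len - hdr_len, b"\xff")   # 0xFF = erased flash
    return pack(checksum) + payload


def sample_dumps():
    """Constructed baseline/suspect dumps: same PEI volume, DXE volume rewritten in the suspect."""
    pad = b"\xff" * 0x100
    pei = build_volume(FFS2_GUID, 2 * BLOCK, b"PEI volume: identical in both dumps")
    dxe_good = build_volume(FFS2_GUID, 4 * BLOCK, b"DXE volume: vendor drivers only")
    dxe_bad = build_volume(FFS2_GUID, 4 * BLOCK, b"DXE volume: vendor drivers + one extra driver")
    return pad + pei + dxe_good, pad + pei + dxe_bad


if __name__ == "__main__":
    good, bad = sample_dumps()
    for offset, guid, status in diff_firmware(good, bad):
        print(f"FV @ 0x{offset:06x} {guid} {status}")
```

A hash mismatch on a volume is where the investigation starts, not where it ends: NVRAM volumes legitimately change between boots, so compare against a dump from the same firmware build and expect only the variable store to differ; a changed DXE volume on an otherwise identical image is the signal this rootkit leaves. Dumping the flash in the first place needs a tool with the same hardware access the attackers used, or an external programmer clipped to the chip.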
[New InfoGraphic] For Your Users: "20 Ways to Block Mobile Attacks"

To start your National Cyber Security Awareness Month (NCSAM) here is a brand new goodie for your users to kick things off.

Very similar to our unique job-aid: Social Engineering Red Flags™ with 22 things to watch out for in email, we created an InfoGraphic about Mobile threats that you can send to all of them, or even print it, laminate it, and pin it on their wall.

There is a lot more material to come, so stay tuned for ready-made NCSAM kits. The InfoGraphic theme is: "Don't let your guard down just because you're on a mobile device. Be just as careful as you would on a desktop!" Get it here:
I Got Vished (And so Can Your Users)

Written by InfoSec pro and guest blogger Nick Cavalancia, Microsoft MVP

Hear one cybersecurity expert’s experience of missing the signs and getting duped over the phone. If it can happen to him, it can happen to you or your users:

“Vishing” is the art of “voice phishing” – a social engineering technique used to trick people over the phone to divulge information that a scammer can use.

This is my story of how I got vished, what they did “right”, what they did wrong, and what you can do to ensure your users never fall for this kind of scam.

The Setup

I was on my way to Microsoft Ignite this week and just as I arrive in my hotel room, I get a call from a "1-855" number. I answer and it's "Paypal's Fraud Department". I'm asked if I set up Google Pay from a Samsung Galaxy X (I have a different brand of smartphone). I of course say no. I'm told once set up, criminals can simply hold up the phone to a terminal and pay for items against my PayPal account.

I asked which PayPal account (I have several) and they told me an email address that is associated with my personal PayPal account. So, they had my email and phone number.

I log onto my account on my phone and can’t see any inappropriate activity. I’m told I need to verify it’s me and that they are sending me a verification code. While I’m not worried about the potential fraud (as I know I’m not responsible for it), I’m still a little thrown about how someone got access to my account.

I read the “PayPal” person the code - my first mistake. I should have seen the signs right here – PayPal’s own text messages say the code is good for 10 minutes; the woman told me I needed to give it to her immediately as it expires in 60 seconds. (That was my first red flag)

The Break-In

While I’m in the PayPal app on my phone (she’s on speaker), I’m kicked out of my account and can’t log in. She tells me it’s probably the scammers and she’s trying to deactivate the Google Pay. I’m a security guy… I’ll just reset my password and they’re locked out. So, I do that on the fly. She tells me she’s getting an error on her end and that I should stay out of my account and asks for another verification code.

Then, the emails from the real PayPal start popping up in my notifications – “Password Reset”, “Google Pay Added”, etc. And THEN it hits me! AHHHHH! I CAN’T BELIEVE I FELL FOR THIS!!! Continued at the KnowBe4 Blog:
Phishing Attack on Office 365 Account Leads to 3 Million CEO Fraud

A phishing attack on an Office 365-account enabled a 3 Mil CEO fraud scam at an investment firm, Finnish antivirus company F-Secure reported on their blog.

One of the employees at the victim's office received a phishing email that looked like it was from DHL and led to a fake site. The employee entered their credentials on the fake site and became a social engineering victim.

There was no 2-factor authentication enabled on the account. Unfortunately, this employee also used his email account to send payment data for a transaction.

The cyber criminals were monitoring his email and resent some critical emails with a "correction": in an attached Excel file they had changed the account number to which the 3 million was supposed to be sent, and the payment was made to that account.

However, the language in the Excel attachment was so badly translated that red flags went up, although much too late. The investment firm was able to freeze the transaction at the very last moment, and found out that the employee's account had been compromised. F-Secure commented that the bad guys almost got away with this one.

CEO Fraud Prevention Manual Download

CEO fraud has ruined the careers of many executives and loyal employees. Don't be the next victim. This new manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.

Copy and paste this link in your browser:

This is also available as a blog post, please send this link to anyone you think needs it:
Kevin Mitnick Weighs in on Facebook's Big Security Breach

It was all over the news, and CNBC interviewed KnowBe4's very own Chief Hacking Officer Kevin Mitnick. Here is what they said:

"Former hacker weighs in on Facebook's big security breach. Kevin Mitnick, computer security consultant and hacker, discussed recent reports that Facebook experienced a security breach that impacted about 50 million profiles.

It is too early to tell if the stolen information has specific data fields that can be used for highly personalized social engineering attacks, but you can count on the bad guys using this for credential harvesting attacks, with phishing emails arriving in the millions, claiming that you need to change your Facebook password. Here is the link to the interview on CNBC:
See Ridiculously Easy Security Awareness Training and Phishing in Action

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5-15% failure rate; you need a strong human firewall as your last line of defense.

Join us for a 30-minute live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Virtual Risk Officer shows you the Risk Score by employee, group, and your whole organization.
  • NEW Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 20,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, October 3, 2018, at 2:00 p.m. (ET)
Save My Spot!
KCM Live Demo: "Get Through Audits in Half the Time and Half the Cost"

Join us, Wednesday, October 10th at 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's Compliance Manager to see how you can simplify the complexity of getting compliant and ease your burden of staying compliant year-round.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Ability to build your own templates using our simple custom template feature.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Find out you really can get through audits in half the time and half the cost.

Date/Time: Wednesday, October 10th, 2018, at 1:00 p.m. (ET)
Save My Spot!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The most common way people give up their power is by thinking they don’t have any."
- Alice Walker, Author

"No one has the power to shatter your dreams unless you give it to them." - Maeve Greyson, Author

Thanks for reading CyberheistNews
Security News
Holiday Threat No. 1: Evil Twin Domains With a "Trusted" SSL/TLS Certificate

As the holiday season approaches, cybercriminals are set to scam your users not only out of their personal money but also out of your organizational budget.

Online shopping fraud is rising by double digits every year. How many of you buy hardware at Newegg? Here is an example of how you yourself could be a victim, courtesy of the organized cyber crime group Magecart.

U.S. online retailer Newegg is a recent victim. Newegg of course owns newegg.com; Magecart registered an "evil twin" domain, neweggstats (dot) com, and obtained a legitimate certificate for it from Comodo.

Newegg's own checkout page was compromised with a JavaScript card skimmer, and the look-alike domain pointed to a server that collected the card data stolen from Newegg customers; with a valid certificate on the exfiltration domain, that traffic looked like any other HTTPS connection. If you have made purchases at Newegg in the last six months, I recommend you get a new credit card!

Your users can be scammed in a variety of ways. A very popular attack this time of year are phishing scams that promote fake last-minute deals on hot items, and use FOMO (Fear of Missing Out) social engineering tactics to trick users into entering their credentials and credit card info on fraudulent websites.

Evil Twin Domain Problem Is Rapidly Rising

Last Thursday, machine ID protection firm Venafi said the evil twin domains problem is rapidly increasing with an "explosion" of look-alike, fraudulent domains appearing online at the moment.

Venafi analyzed fake domains created to mimic the world's top 20 retailers, and found that not only is the number of fake domains rising, but many of them use a trusted TLS certificate. A look-alike domain that differs by a single character, possibly a Unicode homoglyph carried as punycode, will very likely cause a recognition problem for your users.

Venafi stated that it is becoming "increasingly difficult" for consumers to identify fake domains from legit ones, especially when a trusted TLS certificate is thrown into the mix.

Domain Spoofing Is a Cornerstone of Social Engineering Attacks

"Domain spoofing has always been a cornerstone technique of web attacks that focus on social engineering, and the movement to encrypt all web traffic does not shield legitimate retailers against this very common technique," said Jing Xie, Venafi senior threat intelligence analyst.

"Because malicious domains now must have a legitimate TLS certificate in order to function, many companies feel that certificate issuers should own the responsibility of vetting the security of these certificates."

Venafi's research showed that 84% of fraudulent domains rely on free certificates, like the ones issued by Let's Encrypt. Clearly, that service is being abused to create a false sense of security for potential victims. Keep in mind that a domain-validated certificate only proves that whoever requested it controlled that domain at the time; the padlock says nothing about who that is.

Venafi says that the total number of certificates issued for domains masquerading as legitimate, well-known retailers is over 200 percent greater than the number issued to authentic e-commerce platforms.
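The two halves of this problem are generating the twins a brand should be watching for, and recognizing one when it turns up in a proxy log or a certificate transparency feed. Here is an added Python example, not Venafi's or KnowBe4's tooling, that does both: it builds candidate twins for a brand (omissions, repeated and transposed letters, confusable characters, appended words such as the "stats" in neweggstats, alternate TLDs) and classifies a domain against a list of brands, decoding punycode labels first so that a Cyrillic look-alike is compared against what the user would see rather than against its xn-- wire form. The confusable table, suffix list and TLD list are a constructed subset for the example, and the classifier's thresholds are a judgement call, not a standard.

```python
"""Generate and classify look-alike ("evil twin") domains, punycode included.
Added example; the confusable table, suffixes and TLDs are a constructed subset."""
import unicodedata

# ASCII letter -> characters that render like it (constructed subset of Unicode confusables).
# Non-ASCII entries are Cyrillic: а U+0430, с U+0441, е U+0435, і U+0456, о U+043E,
# р U+0440, х U+0445, у U+0443.
CONFUSABLES = {
    "a": "а4", "c": "с", "e": "е3", "g": "q9", "i": "і1", "o": "о0",
    "p": "р", "s": "5", "x": "х", "y": "у",
}
TO_ASCII = {alt: base for base, alts in CONFUSABLES.items() for alt in alts}
SUFFIXES = ["stats", "login", "secure", "account", "support"]   # e.g. neweggstats
TLDS = ["com", "net", "co", "shop"]


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII a human would *see*: drop accents, fold confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        out.append(TO_ASCII.get(ch, ch).lower())
    return "".join(out)


def decode_labels(domain: str) -> list:
    """Split into labels with punycode (xn--) labels decoded back to Unicode."""
    labels = []
    for label in domain.lower().strip(".").split("."):
        labels.append(label.encode("ascii").decode("idna") if label.startswith("xn--") else label)
    return labels


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): one insertion, deletion,
    substitution or adjacent transposition counts as a single typo."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(domain: str, brands, legit_domains):
    """Return (brand, reason) when domain impersonates one of the brands, else None."""
    domain = domain.lower().strip(".")
    if domain in legit_domains:
        return None
    raw_labels = domain.split(".")
    labels = decode_labels(domain)
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label, e.g. "neweggstats"
    sk = skeleton(sld)
    uses_punycode = any(l.startswith("xn--") for l in raw_labels)
    for brand in brands:
        if sk == brand and uses_punycode:
            return brand, "homoglyph via punycode"
        if sk == brand and sld != brand:
            return brand, "ascii look-alike characters"
        if sk == brand:
            return brand, "brand on another tld"
        if edit_distance(sk, brand) <= 1:
            return brand, "one-character typo"
        if brand in sk:
            return brand, "brand embedded in label"
    return None


def generate_twins(brand: str):
    """Candidate twins for monitoring or defensive registration; Unicode candidates are
    returned in their punycode (xn--) form, as they appear in DNS and certificate logs."""
    labels = set()
    for i, ch in enumerate(brand):
        labels.add(brand[:i] + brand[i + 1:])                 # omission
        labels.add(brand[:i] + ch + brand[i:])                # repetition
        if i + 1 < len(brand):                                # adjacent transposition
            labels.add(brand[:i] + brand[i + 1] + ch + brand[i + 2:])
        for alt in CONFUSABLES.get(ch, ""):                   # homoglyph / digit swap
            labels.add(brand[:i] + alt + brand[i + 1:])
    for word in SUFFIXES:
        labels.add(brand + word)
        labels.add(brand + "-" + word)
    labels.discard(brand)
    twins = {f"{label}.{tld}".encode("idna").decode("ascii") for label in labels for tld in TLDS}
    return sorted(twins)


if __name__ == "__main__":
    for candidate in ["neweggstats.com", "newgg.com", "newe99.com",
                      "new\u0435gg.com".encode("idna").decode("ascii"), "example.com"]:
        print(f"{candidate:24s} -> {classify(candidate, ['newegg'], {'newegg.com'})}")
    print(len(generate_twins("newegg")), "candidate twins generated for newegg")
```

Run the generated list through a DNS resolver or a certificate transparency search and you have the monitoring Venafi describes; run the classifier over the SNI or Host header in your proxy logs and you have a detection for users who already clicked. The decode step is the part that matters for the punycode case: byte-for-byte, xn--newgg-... shares nothing with newegg, which is exactly why it gets past filters that only compare strings.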
Find out If Your Domain Has an Evil Twin With the Brand-New Domain Doppelgänger Tool

Phishing is still the most widely used cyber attack vector, and criminal attack campaigns often use spoofed websites to deceive your users so that they simply let the bad guys take over your network.

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our NEW Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now.

Better yet, with these results you can now generate a real-world online assessment test to see what your users are able to recognize as “safe” domains for your organization. You then receive a summary of the test results to understand how security-aware your users are when it comes to identifying potentially fraudulent or phishy domains.

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a summary report that identifies the highest to lowest risk attack potentials
  • Generate a real-world “domain safety” quiz based on the results to administer to your end users
This is a complimentary tool and will take you only a few minutes. Domain Doppelgänger helps you find the threat before it is used against you.

Find your look-alike domains here!
A Culture of Compliance is the Key to Effective Security Policies

One of the main problems security teams face is that they feel they're unable to enforce security policies. This is the conclusion of Justin Fier, Director for Cyber Intelligence and Analytics at Darktrace, as he expressed it in SecurityWeek.

Many factors contribute to this sense of futility, including employee complacency, inconsistent enforcement, and the complexity of modern technology. Many employees don’t fear breaking policies because the policies aren’t enforced. This creates an atmosphere where employees grow accustomed to getting their jobs done more efficiently by breaking the rules.

Then, when the rules are enforced, employees resent the security team for making their work more difficult. Inconsistent enforcement can also lead to a situation where the security team cannot enforce certain policies without appearing biased or incompetent.

For example, if an employee is punished for breaking a rule that other employees are known to break regularly, that employee will feel either unfairly singled out or just unlucky to be caught. Neither feeling will help discourage other employees from breaking rules in the future.

Finally, the complexity of modern business networks can make them impossible to monitor without hindering productivity. BYOD, Cloud, and SaaS applications create a very large attack surface that may be too costly or too complex for a security team to protect.

Fier recommends two things that companies need to do in order to create a culture of compliance so that security teams can effectively enforce the rules and employees will adhere to them. The first is to ensure the company has a way to efficiently monitor employee activity.

The second is to shift security responsibility into the hands of every employee at the company. The best way to accomplish the first goal is by implementing monitoring tools that can identify security violations without raising privacy concerns.

Such tools can map out normal behavior for each employee and raise an alert when that behavior violates policy. This ensures that security incidents can be identified without reading employees’ emails or listening in on phone calls.

The best outcome of this practice is that it creates a culture in which employees know that they’ll be told if they break a rule, without making them feel they're being monitored intrusively.

That first goal is a step towards achieving the second goal of making every employee aware that they are directly responsible for the company’s security. Holding employees responsible for security violations will make them realize how important their actions are to the security of the organization.

Interactive awareness training can be extremely effective because it teaches employees the importance of policies while also showing them exactly how security incidents take place. And it can do so without becoming punitive: a culture of security is not a culture of fear. SecurityWeek has the story:
Reminder: In Spite of Windows Flaws, Hackers Prefer Social Engineering

Nearly half of hackers surveyed at the recent Black Hat conference in Las Vegas admitted easily compromising both Windows 8 and 10 in the past year.

In spite of the easy access through Windows, however, hackers stated their preferred method of entry to be social engineering.

The human element once again holds the key to a company’s cyber security. Training employees to think before they click while on the internet can turn what could be the weakest link into your organization's strongest last line of defense.

We recommend that EVERYONE review the 22 social engineering red flags to watch out for in any email. It might be a good idea to print out this PDF and pass it along to family, friends, and coworkers. Remember to always think before you click!
What KnowBe4 Customers Say

"Hi Stu, we have been very impressed with our experience with KnowBe4 so far! From the sales guys, to our on-boarding with Rachel Kennedy, we’ve been very impressed with the willingness to help and handhold as necessary. We’ve been phishing and training our users, but the KnowBe4 platform should make this a much better experience for us as admins and hopefully give our end-users some better skills to fight off the bad guys. We’re already eyeing quite a few short videos on the ModStore to fill the gaps between our official “Annual” training.

Thanks for reaching out! Normally, I would be surprised to hear from the CEO of an organization like KnowBe4 as a new customer, but honestly, it just seems to fit in with the rest of the KnowBe4 experience."
- M.S., Information Systems Manager

"Hi there Stu, Thanks for checking in - we’re very happy with our training and phishing resources from you all (and our account manager over there has been very helpful). The tools are great! This is actually the second company where I’ve been utilizing your products and won’t be the last, I bet. Have been very happy to recommend it to my peers, seeing as we’re having a lot of success with it. Thanks for a great service :)"
- W.A., Senior Director of Engineering

PS, If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
The 10 Interesting News Items This Week
    1. Hacking Back: Simply a Bad Idea:

    2. Bossies 2018: The Best of Open Source Software Awards:

    3. How The Dridex Gang Makes Millions From Bespoke Ransomware:

    4. Uber will pay $148 million in connection with a 2016 data breach and cover-up:

    5. Port of San Diego Affected by a Ransomware Attack:

    6. Are passphrases the answer to long passwords? Latest Roger Grimes Column in CSO:

    7. Perimeter Defenses are Dead, So Now What?

    8. Russian hackers ‘Fancy Bear’ now targeting governments with rootkit malware that survives a reboot:

    9. 'Every cyberattack is related to geopolitical conditions,' says CEO of cybersecurity company FireEye:

    10. Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
