CyberheistNews Vol 8 #46 [Heads-Up] New Hybrid Ransomware Strain Evades Detection by All but One Antivirus Engine





IBM at their SecurityIntelligence blog reported something troubling. Researchers discovered a new strain of Dharma ransomware that is able to evade detection by nearly all of the antivirus solutions on the market.

In October and November 2018, researchers with Heimdal Security uncovered four strains of Dharma, one of the oldest ransomware families in existence. One of the strains slid past a total of 53 antivirus engines listed on VirusTotal and 14 engines used by the Jotti malware scan. Just one of the security scanners included in each of those utilities picked up on the strain’s malicious behavior.

In its analysis of the hybrid strain, Heimdal observed a malicious executable dropped through a .NET file and another associated HTML Application (HTA) file that, when unpacked, directed victims to pay a ransom amount in bitcoin.

How Persistent Is the Threat of Ransomware?

The emergence of the new Dharma strain highlights ransomware’s ongoing relevance as a cyberthreat. Europol declared that it remains the key malware threat in both law enforcement and industry reporting. The agency attributed its conclusion to financially motivated malware attacks increasingly using ransomware over banking Trojans, a trend that it anticipates will continue for years to come. Europol identified this tendency despite a surge in activity from other threats like cryptominers.

Here are some suggestions to defend against these new hybrid ransomware strains:
https://blog.knowbe4.com/new-ransomware-strain-evades-detection-by-all-but-one-antivirus-engine

New Study: Ransomware Attacks Surge 500% on Apple Operating Systems

This staggering growth in attacks on MacOS signals that Macs are no longer safe.

We’ve all heard it from one or more users: “I run a Mac – they don’t get viruses.” The same has been said about iOS devices due to their locked down architecture.

In some ways, the statements used to be true; in previous years, malware creators were looking to do the most damage possible, and so choosing Windows, still the most commonly used business operating system, made sense.

But today, the focus for cybercriminals is targeted attacks on specific industries, companies, and job titles, leveraging social engineering tactics, all in the name of gaining enough trust, access, or intel to steal data or money. But in the case of ransomware specifically, to accomplish this, criminal organizations need OS-specific ransomware.

That means today Macs and iOS devices are targets too.

According to backup provider Datto’s State of the Channel: Ransomware Report, 9% of MSPs have seen ransomware on both MacOS and iOS devices. This is a 500% increase from last year. The increase indicates that every operating system is susceptible to attack.

And most organizations have a group of users that use Macs, usually the creative types. So, it’s official – all of your users, regardless of operating system, are potential targets of ransomware. Blog post with links:
https://blog.knowbe4.com/new-study-ransomware-attacks-surge-500-on-apple-operating-systems

KnowBe4 Recognized as a Leader in the 2018 Gartner Magic Quadrant for Security Awareness Computer-Based Training for Second Year in a Row

KnowBe4 has been positioned by Gartner, Inc. in the Leaders quadrant of the 2018 Gartner Magic Quadrant for Security Awareness Computer-Based Training for the second year in a row. Gartner’s evaluation is based on completeness of vision and ability to execute.

We are very proud of this accomplishment.

We consider our positioning in the Leaders Quadrant by Gartner confirmation that once again our vision and ability to execute are top-notch in the security awareness training market. We believe, as the fastest-growing company within this market, our mission to enable employees to make smarter security decisions every day within client organizations has been successful, enabling organizations to use world-class training and simulated phishing to improve their security posture and mitigate risk.

Perry Carpenter, KnowBe4’s Chief Evangelist & Strategy Officer stated, “We’re honored to once again be positioned in the Leader’s Quadrant. We have had incredible year-over-year growth, 21,000+ client organizations, positioning our company as a continued leader in the security awareness training space. We are consistently developing or acquiring fresh new content adding to our ever-growing library of training materials to continue delivering high quality, valuable content to our customers.”

To get your copy of the complimentary report, go here:
https://info.knowbe4.com/gartner-magic-quadrant-security-awareness-cbt-chn

[Disclaimer] Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner Magic Quadrant for Security Awareness Computer-Based Training, Joanna G. Huisman, 13 November 2018

CISOs and CEOs in Jail? Senator Proposes Hard Time for Leaders Who Ignore Privacy and Cybersecurity

Thursday, November 15 I was in Washington DC, roaming the halls of Capitol Hill and making the case for new-school security awareness training to Congressmen and staffers of Senators. Living in Florida, it was a shocker to have to wade through *snow* between buildings in my Birkenstocks! :-D

While I was there, I was made aware of the following: "There is talk in Washington D.C. that failure to uphold either privacy or cybersecurity could land corporate leadership in jail—for decades. And by corporate leaders, we mean Chief Executive Officers, Chief Privacy Officers, and Chief Information Security Officers.

U.S. Senator Ron Wyden (D-Oregon) has just proposed a bill that would correct what he calls "corporations’ lax cybersecurity and poor oversight of commercial data-sharing partnerships...." Here is the link to the SecureWorld article:
https://www.secureworldexpo.com/industry-news/jail-time-for-cisos-ceos-cpos#.W-2NPamWyBA.linkedin

And Friday 16th, President Trump signed a bill that creates the Cybersecurity and Infrastructure Security Agency. The bill, known as the CISA Act, reorganizes and upgrades the National Protection and Programs Directorate (NPPD), a program inside the Department of Homeland Security (DHS), as CISA, to a standalone, more powerful federal agency in charge of overseeing civilian and federal cybersecurity programs.

It may help, but don't get your hopes up. As IT pros, we did not sign up for this, but today we actually find ourselves in the trenches of a cold cyberwar. More:
https://www.zdnet.com/article/trump-signs-bill-that-creates-the-cybersecurity-and-infrastructure-security-agency/

KnowBe4 Modstore Release: Captain Awareness Has Arrived and Is Here to Help

The KnowBe4 Courseware Team is excited to announce the release of the first six 2-minute episodes in a new comic book style animated series: Captain Awareness.

These micro-modules cover topics such as: GDPR, Triumph Over the Reuse of Passwords, Securing Mobile Devices, Being a Human Firewall, Staying Vigilant with USB Drives, and Working Securely From Home. Nineteen additional micro-modules will follow.

You're invited to come check them out yourself. You can see them all by creating a free preview account on the KnowBe4 ModStore, and browse the world's largest library of 700+ security awareness items while you are there. More at the blog:
https://blog.knowbe4.com/modstore-release-captain-awareness-has-arrived-and-is-here-to-help

Scam of the Week: Black Friday & Cyber Monday Alert

We have been warning against these types of scams for years and the bad guys are at it again. The team at RiskIQ summarized it pretty well this time:

"Ever the opportunists, threat actors set up their operations where the money is; and in the case of the Black Friday and Cyber Monday phenomena, it’s e-commerce. According to Adobe Digital Index, in 2017, online shoppers stuffed e-commerce cash registers with more than $19.6 billion in sales through the Black Friday weekend—a more than 15 percent increase over 2016.

"With more people than ever poised to partake in this year’s November shopping frenzy, attackers will capitalize by using the brand names of leading e-tailers to exploit users looking for Black Friday deals and coupons by creating fake mobile apps and landing pages to fool consumers into downloading malware, using compromised sites, or giving up their login credentials and credit card information."

I suggest you send this reminder to your users. You're welcome to edit, copy/paste:

"It's Holiday Season for the bad guys too! But not the way you might think. They go into scam-overdrive mode. Black Friday and Cyber Monday are the busiest on-line shopping days and they are out to get rich with your money. So what to look out for?
  • At the moment, there are literally thousands of fake sites, looking just like the real thing. Don't fall for it. Make sure the site you go to is the real one. Type in the address or use your bookmark, do not click on links in emails with special offers. And while we're at it...
  • Watch out for alerts via email or text that you just received a package from FedEx, UPS or the US Mail, and then ask you for some personal information. Don't enter anything.
  • Don't download fake mobile apps that promise big shopping savings, and be very wary of online discount coupons. Think Before You Click!
So, especially now, the price of freedom is constant alertness and willingness to fight back. Remember to only use credit cards online, never debit cards. If you think you might have been scammed, stay calm and call your credit card company, nix that card and get a new one. Happy Holidays!"

This alert is also at the KnowBe4 blog, and has additional resource links:
https://blog.knowbe4.com/scam-of-the-week-black-friday-cyber-monday-alert

Live Demo: Simulated Phishing and Security Awareness Training

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5-15% failure rate; you need a strong human firewall as your last line of defense.

Join us, Wednesday, December 5th, 2018, at 2:00 p.m. (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Virtual Risk Officer shows you the Risk Score by employee, group, and your whole organization.
  • NEW Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 21,000+ organizations have mobilized their end-users as their human firewall.

Save My Spot!
https://event.on24.com/wcc/r/1878776/962899F4AB1FA7DF12A7219152AFF116?partnerref=HS

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Check out the *new* position that KnowBe4 has in the new Gartner Magic Quadrant!

Quotes of the Week
"There are no constraints on the human mind, no walls around the human spirit, no barriers to our progress except those we ourselves erect." - Ronald Reagan

"Our progress as a nation can be no swifter than our progress in education. The human mind is our fundamental resource." - John F. Kennedy



Thanks for reading CyberheistNews

Security News

Russian APT Comes Back to Life With New US Spear-Phishing Campaign

A Russian state-sponsored cyber-espionage group has come back to life after a one-year period of inactivity with a relatively large spear-phishing campaign that has targeted both the US government and private sector.

The hacking group is known in infosec circles as Cozy Bear, APT29, The Dukes, or PowerDuke, and is infamous because it's one of the two Russian state hacking crews that hacked the Democratic National Committee before the 2016 US Presidential Elections.

"On 14 November 2018, CrowdStrike detected a widespread spear-phishing campaign against multiple sectors," Adam Meyers, VP of Intelligence told ZDNet today.

"These messages purported to be from an official with the U.S. Department of State and contained links to a compromised legitimate website," he added. "Individuals receiving the emails worked at organizations in a range of sectors including in think tank, law enforcement, government, and business information services.

"Attribution for this activity is still in progress; however, the Tactics, Techniques, and Procedures (TTPs) and targeting are consistent with previously identified campaigns from the Russia-based actor COZY BEAR," Meyers said. More, and links at the KnowBe4 blog:
https://blog.knowbe4.com/russian-apt-comes-back-to-life-with-new-us-spear-phishing-campaign

Will You Get Spoofed Over the Holidays? Find out for a Chance to Win!

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are highly ‘security awareness’ trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus if you’re in the US or Canada, you'll be entered for a chance to win a $500 Amazon Gift Card (just in time for the holidays)!

Find out now if your email server is configured correctly; many are not!

Try to Spoof Me!
https://info.knowbe4.com/dst-sweepstake-nov-dec2018

Poor Cybersecurity Habits Still Prevail

Over 1,600 employees surveyed by Vanson Bourne, an intelligence market research firm, showed an increase in poor cybersecurity habits in spite of increased cybersecurity awareness. This poor behavior has been compounded by the challenges and pace presented by the digital transformation.

75 percent of employees responding admitted to reusing passwords in both work and personal accounts.

The varying stages of digital evolution currently being experienced by organizations have made managing IT more challenging. The survey illustrates a workforce with little commitment to best cybersecurity practices.

This lack of commitment puts organizations at risk and heightens tension and frustration between IT, who want things secure, and employees who want a more efficient workflow.

Over half surveyed saw the IT department as a “source of inconvenience.” This is reflected in 31 percent admitting to installing and using software without consulting IT. Skirting the IT department is not usually done with malice, but this practice increases an organization's vulnerability.

The perception of IT as inconvenient has resulted in 13 percent of employees admitting they would not notify IT if they thought they were hacked.

Perhaps the most telling outcome from the survey is its exposure of a workforce that does not understand that everyone in an organization has a role to play in cybersecurity. Almost half of those surveyed, 49 percent, stated that IT would be to blame for a cyberattack.

With digital transformation and the use of cloud-based apps blurring the security perimeter, it is not just employees’ poor online hygiene putting organizations at risk. 48 percent of organizations taking part in the survey are using, or plan on using, chatbots and AI personal assistants to increase efficiency.

When an organization develops a plan to blend technology with employee interaction, it can’t be us versus them. The culture developed needs to include an understanding that cybersecurity is everyone’s responsibility, combined with training and respect for the IT function as a necessity. Help Net Security has the story:
https://www.helpnetsecurity.com/2018/11/14/poor-security-habits-are-getting-worse/

Phishing Attacks Rose by 30 Million in Q3 2018

Kaspersky Lab blocked 137 million phishing attempts in the third quarter of 2018, a 28 percent increase compared to Q2 2018. A report by the anti-virus company reveals that phishing attacks targeted 12% of Kaspersky’s customers around the world. More than a third of the attacks were directed at financial targets, including banks, electronic payment systems, and online stores.

The report’s findings are consistent with a global increase in phishing over the past several years. Kaspersky Lab’s anti-phishing system blocked 154 million phishing attempts in 2016 and 246 million attempts in 2017. Both numbers have already been far surpassed in the first three quarters of 2018, with this year’s prevented attacks reaching well over 300 million.

Kaspersky also highlighted several trends it observed during the quarter, including the way scammers are increasingly utilizing browser pop-ups. Pop-up phishing uses ambiguity about the source of a pop-up to trick victims who are visiting otherwise legitimate sites.

“It is mainly deployed by websites that collaborate with various partner networks. With the aid of pop-up notifications, users are lured onto ‘partner’ sites, where they are prompted to enter, for example, personal data. The owners of the resource receive a reward for every user they process,” the report states.

“By default, Chrome requests permission to enable notifications for each individual site, and so as to nudge the user into making an affirmative decision, the attackers state that the page cannot continue loading without a little click on the Allow button. The danger is that notifications can appear when the user is visiting a trusted resource.”

Other schemes observed by Kaspersky included phony job applications, spoofed news websites, and Instagram verification scams. The report also notes an increase in sextortion emails that include real details about victims, including their names, passwords, and phone numbers.

While technical defenses can stop some of these threats, social engineering attacks rely on human error and gullibility to bypass safeguards. Scammers are constantly honing their craft and coming up with new ways to manipulate people. Educating employees on social engineering tactics will significantly improve the overall security of your organization. More at the KnowBe4 blog:
https://blog.knowbe4.com/phishing-attacks-rose-by-30-million-in-q3-2018

Hackbusters - Where Can You Discuss All Things Social Engineering?

The KnowBe4 Hackbusters Forum is an online community dedicated to stopping the bad guys that use social engineering to hack your organization.

Our Hackbusters discussion forum is a moderated, spam-free forum primarily for KnowBe4 clients (but also inclusive of your peers interested in social engineering.)

HackBusters contains thousands of messages from KnowBe4 users and our staff. Forum members can post messages to the community or just read through existing threads and Q/A.

Topics: Phishing, Ransomware, Social Engineering, Security Awareness Training Best Practices, Scripting Tools and Other Topics.

We even have some fun by following the latest social engineering dramas on TV and in film. Our favorite is Mr. Robot. Rumor has it that we could see Mr. Robot season 4 in November! You're invited to join the discussion:
https://discuss.hackbusters.com/

What KnowBe4 Customers Say

"Hi Stu! Thank you for asking. I am a very happy camper and pleased with the program. Hopefully will make believers out of that last 9% of users that I’m butting heads with right now. I’ve had numerous reports that the training has helped them tremendously. I had one of our partners call last week to tell me that he was able to spot an email from an associate of his that had her email hacked and tell her about it.

We were both tickled as this one is not tech savvy at all. PROGRESS! I am very excited about this project and Craig is awesome. He has been able to answer all of my questions and has been very helpful. I look forward to continue working with him. Have a great week!"
- B.T., IT Coordinator



"Hi Stu! Yes, we are very happy. Your KnowBe4 website is very intuitive and it appears that you’ve thought of everything that we would need and more. Your sales people who I talk to are very friendly and knowledgeable. They are on their A-game with helpful follow-ups. And your partnership with Kevin Mitnick is very impressive.

Our company culture here is very team-oriented, so I’m going to attempt to show your general training video hosted by Kevin to the company in webinar format this Thursday, even though it was obviously meant for one-on-one.

We’ll see how that goes. In any case, I’ve been a customer of yours starting with VIPRE back at Sunbelt, and we’re still happily using that product. Thanks for the great products and services over the years Stu!"
- D.J., IT Director



PS, If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights: https://www.gartner.com/reviews/market/security-awareness-computer-based-training

KnowBe4 Wants to Know What Keeps You up at Night!

IT Pros today have lots of security concerns such as ransomware, external attacks, data breaches and compliance mandates. Some issues you have locked down tight, while others are making you crazy!

We want to know what aspects of IT security you have covered, and which ones have you worried sick!

In this fast, 5-minute online survey, we want to hear about what issues are of great concern to you and your organization.

Hurry and take the survey now - be one of the first 500 to take the survey and have a chance to win one of several 500-dollar Amazon gift cards! (or equivalent in your local currency)

TAKE THE SURVEY NOW
https://www.surveymonkey.com/r/23528MJ

The 10 Interesting News Items This Week
    1. Fake fingerprints created by AI can imitate real ones in biometric systems:
      https://www.theguardian.com/technology/2018/nov/15/fake-fingerprints-can-imitate-real-fingerprints-in-biometric-systems-research

    2. How better training, cybersecurity upgrades made one credit union safer:
      https://blog.knowbe4.com/how-better-training-cybersecurity-upgrades-made-one-credit-union-safer

    3. Law firms are increasingly investing in cybersecurity programs:
      https://www.helpnetsecurity.com/2018/11/16/law-firms-cybersecurity/

    4. Peerlyst: "How to implement a Security Awareness Training program":
      https://www.peerlyst.com/posts/how-to-implement-a-security-awareness-training-program-knowbe4?

    5. The Sophistication of Organized Cybercriminals. Good article at Medium:
      https://medium.com/@TriumphCISO/the-sophistication-of-organized-cybercriminals-4d31ce276e21?

    6. Chinese Hackers Target UK Engineering Company - Report:
      https://www.securityweek.com/chinese-hackers-target-uk-engineering-company-report

    7. Need a solid source of data for your phishing or social engineering? Just ask your state:
      https://www.bankinfosecurity.com/blogs/privacy-penalty-for-voting-in-america-p-2682

    8. Trump signs bill that creates the Cybersecurity and Infrastructure Security Agency:
      https://www.zdnet.com/article/trump-signs-bill-that-creates-the-cybersecurity-and-infrastructure-security-agency/

    9. Celebrate The Holidays! Here is a brand new free KnowBe4 "Safe Travels" training module:
      https://blog.knowbe4.com/celebrate-the-holidays-here-is-a-brand-new-free-knowbe4-training-module

    10. Japan's Cyber Security Minister Doesn't Use Computers. That’s one way to be cyber secure! LOL
      https://www.pcmag.com/news/364966/japans-cyber-security-minister-doesnt-use-computers?
Prepared in cooperation with the CyberWire research team.
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.