CyberheistNews Vol 8 #7 [Heads-up] 2018 Winter Olympics Phishing Campaign Hides Evil Script in Image


According to researchers at McAfee, a new malware campaign is targeting organizations associated with the upcoming 2018 Winter Olympics in Pyeongchang, South Korea. This new technique is expected to make it into your users' inbox soon, so here is your heads-up.

The attack is being delivered via phishing emails disguised as alerts from the country's National Counter-Terrorism Center, with malicious Word documents attached. Future attacks could use any social engineering pretext; the lure is not what makes this one notable.

Jonathan, from our friends at Barkly, explained the technical background: "Once opened, the Word doc encourages readers to enable content. If they do, that triggers an embedded macro to launch PowerShell. Up to this point, this is nothing really new.

But here's where things get interesting...

Why this attack is different: What truly makes this campaign notable is its use of a brand new PowerShell tool called Invoke-PSImage that allows attackers to hide malicious scripts in the pixels of otherwise benign-looking image files, and later execute them directly from memory.

Why that's dangerous: Not only does hiding the script inside an image file help it evade detection, executing it directly from memory is a fileless technique that generally won't get picked up by traditional antivirus solutions.

No download necessary: Invoke-PSImage can be used to extract scripts from downloaded images or images hosted on the web. That means an attacker doesn't necessarily need to download an image onto a machine in order to get a script embedded inside it to run on that machine.

In the case of this particular malware campaign, the image file is downloaded to the victim machine. Once extracted, the embedded script is passed to the Windows command line and executed via PowerShell.

This attack is another troubling example of how attacks are evolving away from using malicious .exe's.

In the past, we've seen many attacks abusing PowerShell follow a tried-and-true pattern:

Spam email with Word attachment > Word attachment with embedded macro > Macro launches PowerShell script > PowerShell script downloads and executes malware .exe payload

In these scenarios, traditional antivirus solutions have a chance of scanning and blocking the attack, but not until the very last step. Once the malware payload has been downloaded onto the device the AV might be able to block it, but only if the malware has been seen before and the AV has a signature it can refer to in order to identify it. In these scenarios, we've seen plenty of instances where the AV misses and the infection is successful.

This new malware campaign presents an even worse scenario in which the AV doesn't have that opportunity:

Spam email with Word attachment > Word attachment with embedded macro > Macro launches PowerShell script > PowerShell script extracts 2nd PowerShell script from image and executes it from memory > In-memory executed script gives attacker remote access and control

With no malicious executable file to scan, this attack can easily succeed unless other protections are in place. Here are a few things you can do to reduce your risk of attacks like this:
  • Train employees not to open email attachments from senders they don't know: They should be especially wary of Word documents that ask them to enable content/macros.
  • Enforce stricter macro controls: For starters, consider blocking macros in Office files downloaded from the internet.
  • Disable or restrict PowerShell: If PowerShell isn't being used for something vital on a machine, disable it. If it is being used for something vital, consider using PowerShell Constrained Language Mode. That will limit PowerShell to its most basic functionality and make many fileless attack techniques unusable."
We could not agree more! You need to create a security culture in your organization, and these suggestions are important controls. This post is also on the KnowBe4 Blog; at the end it shows a great new way to create a security culture, at no cost:
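To make the "script in the pixels" technique described above concrete, here is an added illustration of my own. It is not Invoke-PSImage and not code from Barkly or McAfee, and it does not reproduce that tool's exact layout: it stores one payload byte per pixel in the low four bits of the red and blue channels, a simplified scheme in the same spirit. The carrier is a constructed RGB gradient held as a bytearray, so it runs offline without an image library (a real PNG would work the same on its decoded pixels), and the payload string is a harmless placeholder, not a real attack script.

```python
"""Hide a script in the low bits of RGB pixel data and recover it.

Added illustration of the steganography technique in the article; it is not
Invoke-PSImage and does not reproduce that tool's exact layout. The carrier is
a constructed bytearray of raw RGB triples so the example runs offline.
"""
import struct

HEADER_LEN = 4  # big-endian payload length stored in the first four pixels


def make_carrier(width: int = 64, height: int = 64) -> bytearray:
    """Constructed gradient standing in for a decoded PNG (sample data, not a real image)."""
    buf = bytearray()
    for y in range(height):
        for x in range(width):
            buf += bytes(((x * 4) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF))
    return buf


def _pixel_count(pixels: bytearray) -> int:
    if len(pixels) % 3:
        raise ValueError("pixel buffer must be whole RGB triples")
    return len(pixels) // 3


def capacity(pixels: bytearray) -> int:
    """Payload bytes the carrier can hold: one byte per pixel, minus the header."""
    return max(0, _pixel_count(pixels) - HEADER_LEN)


def embed(pixels: bytearray, payload: bytes) -> bytearray:
    """Write len(payload) + payload, one byte per pixel: the high nibble goes into
    the low four bits of R, the low nibble into the low four bits of B. G is untouched,
    so no channel moves by more than 15 out of 255."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) > _pixel_count(pixels):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity {capacity(pixels)}")
    out = bytearray(pixels)
    for i, b in enumerate(data):
        r = i * 3
        out[r] = (out[r] & 0xF0) | (b >> 4)
        out[r + 2] = (out[r + 2] & 0xF0) | (b & 0x0F)
    return out


def extract(pixels: bytearray) -> bytes:
    """Recover the payload; raises ValueError if the header is implausible
    (for example when run against a carrier that holds nothing)."""
    def byte_at(i: int) -> int:
        r = i * 3
        return ((pixels[r] & 0x0F) << 4) | (pixels[r + 2] & 0x0F)

    n = struct.unpack(">I", bytes(byte_at(i) for i in range(HEADER_LEN)))[0]
    if n > capacity(pixels):
        raise ValueError("no valid payload header in this carrier")
    return bytes(byte_at(HEADER_LEN + i) for i in range(n))


def max_channel_delta(a: bytearray, b: bytearray) -> int:
    """Largest per-channel change the embedding made (at most 15 for this scheme)."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    script = b"Write-Host 'hello from the pixels'"  # harmless placeholder, not a real payload
    carrier = make_carrier()
    stego = embed(carrier, script)
    print("recovered:", extract(stego).decode())
    print("max channel delta:", max_channel_delta(carrier, stego))
```

The point to take away is the per-channel delta of at most 15 out of 255: the carrier is the same size, decodes as a normal picture and looks unchanged to the eye, so a scanner that inspects the file as an image has nothing to flag. The script only exists as bytes once the extractor has run in memory, which is why the detection opportunity moves to what PowerShell does next (script block logging, Constrained Language Mode, blocking macros from the internet) rather than to the picture itself.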
The Two Most Important Ways to Defend Against Security Threats

Roger Grimes, columnist at CSO, nailed it: "Patching and security training programs will thwart attacks more effectively than anything else. You're already doing them. Here's how to do them better."

An average of 5,000 to 7,000 new computer security threats are announced each year. That’s as many as 19 every day. The rate at which new threats appear makes it difficult to decide which ones require your attention.

It might surprise you that, while your competitors waste money on high-tech, expensive, and sometimes exotic defenses, you can get far more value by concentrating on just two things you already do. You can spend less money and nothing you do otherwise will provide a better defense.

The two things you need to do better are not a secret. You already know you need to do them. You know from your own experience that what I’m saying is true. The data in favor of doing them is overwhelming. Still, most companies don’t do them well enough.

Change your security focus

Most computer security defenders focus on the wrong things. They focus on specific threats and what they did after hackers broke in, not how they broke in. There may be hundreds of thousands of unique software vulnerabilities and hundreds of millions of unique malware families, but they all share about a dozen different ways that they initially exploited an environment, including:
  • Unpatched software
  • Social engineering
  • Misconfigurations
  • Password attacks
  • Physical attacks
  • Eavesdropping
  • User errors
  • Denial of service
Focusing on and reducing these root exploitation causes will help you significantly defeat hackers and malware. Read this article at CSO!
Security Awareness Training Market State of the Union

By Perry Carpenter, KnowBe4 Chief Evangelist and Strategy Officer

We certainly live in fun times:
  • Barracuda acquiring PhishLine
  • Microsoft adding limited phishing simulation to Office 365
  • Yesterday’s announcement that Proofpoint is acquiring Wombat Security Technologies
  • Rapid7’s addition of a new simulated phishing testing product, and a few other rumblings that I'm catching wind of from other vendors.
As a former Gartner analyst who has been tracking this market for several years, I’ve received a number of questions about my reaction to this current market dynamic.

My response is: we’ve been expecting this type of thing for a while now.

The security awareness computer-based training and simulated phishing market has been experiencing tremendous growth over the past few years. That growth was brought about by a perfect storm of conditions: the steady drip of security breaches traced to human error, the rise of business email compromise, the ransomware epidemic, and widespread and pervasive cybersecurity-related regulation that includes security awareness and training as a fundamental requirement.

In short: the security industry reached a crisis-point due to an over-reliance on technology to provide protection while neglecting the human element; and now the security industry is self-correcting by embracing awareness, training, and behavior management strategies.

So, what does this current dynamic mean for prospective customers in this market? Here’s my take in four points:
  1. Acquisitions always inject a bit of uncertainty into things
  2. Vendors trying to pivot the conversation back to a technology discussion
  3. Content must be continually updated and kept current
  4. Be wary if there is no real mention of training and awareness as a goal
The trend with many of the newcomers to our space is to use phishing susceptibility as a way of showing the human problem so that they can then try to solve it via their preexisting technology rather than really innovate around shaping behavior.

As such, we need to evaluate the new moves into this market based on the outcomes that the vendors are promising to their prospective clients. If you are evaluating new entrants to this market, be wary if there is no real mention of training and awareness as a goal or key aspect of the product. If not, then the features & functionality are likely focused on baselining and simply understanding your human-centric vulnerabilities without a path to remediation and behavior change.

The Upshot

I’m excited to see the simulated phishing market reach a critical mass where it is being embraced by the security technology market. It will be interesting to see how the dust settles over the next year or so. In the meantime, it is important that we don’t allow the noise and consolidation in this market to become a distraction from the main mission: to help employees make smarter security decisions, every day. Full blog post with the above 4 points in more detail:
Live Webinar - Strains of CEO Fraud: Urgent Request for W-2s

Soon the news will be packed with W-2 phishing and CEO fraud, also known as "Business Email Compromise" attacks. According to the FBI, exposed losses from these attacks against organizations totaled over 5.3 billion dollars between October 2013 and December 2016.

Each year the U.S. Internal Revenue Service warns about these scams where internet criminals successfully combine W-2 and CEO fraud schemes, targeting a much wider range of organizations than ever before.

What's next and how can you protect your organization?

Join Erich Kron CISSP, Security Awareness Advocate at KnowBe4, for our webinar “Strains of CEO Fraud: Urgent Request for W-2s”. We will look at the worrying features of the new blended W-2 phishing and CEO fraud threats, give actionable information you need to prevent them, and cover what to do when you are hit.

Key topics covered in this webinar:
  • Real world examples of W-2 and CEO fraud attacks
  • Latest attack vectors...and who's at risk
  • Proven methods to protect your organization with a “human firewall”
Date / Time: Wednesday, February 14, 2018, at 2:00 PM EST
Register Now:
Forrester Live Webinar: Making Awareness Stick: Secrets to a Successful Security Awareness Training Program

With 91% of data breaches being the result of human error, security leaders, auditors, and regulators increasingly recognize that a more intentional focus on the human side of security is critical to the protection of organizations.

However, organizations have been struggling with and debating the effectiveness of traditional security awareness and training.

Join our guest, Forrester Senior Analyst, Nick Hayes, and KnowBe4's Chief Evangelist & Strategy Officer, Perry Carpenter, for this webinar "Making Awareness Stick: Secrets to a Successful Security Awareness Training Program" as they share results-focused strategies and practical insight on how to build a world-class program.

Key topics covered in this webinar:
  • Why awareness and training matters
  • Key data points to help make the case for awareness in your organization
  • Five secrets to making awareness work in 2018
  • Open Q&A with Nick and Perry
Make this the year that you refuse to settle for mediocrity. Are you ready to go all-in?

Date/Time: Tuesday, February 20th at 2:00 pm EST. Register Now:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"There is nothing impossible to him who will try." - Alexander the Great (356 - 323 BC)

"The limits of the possible can only be defined by going beyond them into the impossible."
- Arthur C. Clarke

Thanks for reading CyberheistNews
Security News
What Is “Reasonable Cybersecurity” and How Do Courts View It?

Send this article to your legal team, and your CEO. This is an important issue, because you may have insurance, and even perhaps a specific cyber insurance policy, but that does not mean you automatically have coverage if you lose large sums due to social engineering. This article shows the risks and you should follow the developments. First though, a definition you should know.

Shawn Tuma is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas.

In two very short videos, he explains what the courts view as “Reasonable Cybersecurity” and what your organization needs to have in place. Take 3 minutes and watch these two videos. You are going to be glad you did, because they have fantastic ammo to get budget. See them at the KnowBe4 Blog:

Fool Me Once: Insurance Coverage for Social Engineering Scams Under Judicial Review

How the trial courts decided recently

On July 21, 2017, the U.S. District Court for the Southern District of New York issued a decision in Medidata Solutions, Inc. v. Federal Insurance Co., holding that a wire transfer of nearly $4.8 million in connection with a social engineering scheme was covered under the Funds Transfer Fraud and Computer Fraud insuring agreements of a commercial crime policy. Federal has appealed this decision to the Second Circuit.

On Aug. 1, 2017, the U.S. District Court for the Eastern District of Michigan issued a ruling in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, finding no coverage under the Computer Fraud insuring agreement of a commercial crime policy for a wire transfer of approximately $800,000 in connection with a similar fraudulent impersonation scheme. American Tooling has appealed this decision to the Sixth Circuit.

Impact on availability of coverage

Aside from issues of policy construction and interpretation, an ultimate finding of coverage in either of these cases could gravely impact the availability of insurance coverage for those situations intended to be covered under a Computer Fraud insuring agreement (that is, a hacking situation whereby the fraudulent input of data or computer programs into an insured’s computer system directly causes the debit of money from the insured’s account) or a Funds Transfer insuring agreement (that is, when a fraudulent instruction is issued to a financial institution, purportedly by the insured, but in reality unbeknownst to and without the consent of the insured).

As many courts have noted, if coverage is triggered simply because a computer was used in the commission of a fraud, essentially all commercial fraud would be covered because computers are used in nearly every transaction in modern commerce. The scope of the Computer Fraud insuring agreement would become virtually limitless. That’s a result neither side of the debate should want.

Insurers would be forced to alter their wordings in the marketplace, significantly reduce available limits of liability, or perhaps not offer certain coverage at all, while policyholders would be faced with far fewer choices, astronomical premium costs, and uninsured risk.

I suggest you follow the Medidata and American Tooling cases with close scrutiny. A favorable outcome for the carriers in this litigation means a favorable outcome for all issuers and buyers of insurance in the future. Read the article here (registration required):
Reddit Spoof is Social Engineering

A bogus Reddit site was set up to trick users into providing credentials. This one showed up as a secure site in the browser, with a padlock and a valid certificate. Both features could dupe the unwary into trusting it, but a certificate only proves that the connection to that domain is encrypted, not that the domain is the one you meant to visit: anyone who registers a look-alike domain can obtain one.

The ruse is typosquatting: the bad site is "Reddit [dot] co," not the legitimate "Reddit [dot] com."

User awareness of URLs, and attention to what they're typing in the address bar, are the best protection. The fake site was harvesting credentials and has now been taken down.

If your organization's domain is attractive to spoofers, you might consider buying up variants of your domain that lend themselves to typosquatting.

Don't be embarrassed. You're not alone. The Office of the President of the United States uses "WhiteHouse [dot] gov." A few years ago an adult content sleaze purveyor took "WhiteHouse [dot] com." Gizmodo has a good quick account:
Study Shows Which Phishing Attacks Most Successful

People are predictable when it comes to which phishing lures they fall for: they are most likely to click on messages concerning money.

A recent KnowBe4 study sent phishing test emails to roughly 6 million users and found they were most likely to click on the mock phishing emails when the messages promised money or threatened the loss of it.

People were also likely to fall for phishing attacks appealing to their appetite offering free food or drinks, emails that evoked the fear of missing out on non-monetary opportunities and attacks that appealed to basic curiosity such as new contact requests or photo tags. Full article at SC Mag:
Crooks Tune Phishing Kits with Geolocation

Phishing kits are being tuned to the geolocation of the IP address they're "prospecting". Different countries use different identifiers: a Social Security number, for example, is something you'd only ask of an American.

If the victim is in Cyprus, the phishers ask for the tax number instead. The new kits not only use geolocation and personally identifying information to support narrow targeting, they also use AES encryption in the browser to obscure their source code from static scanners and crawlers.

Victims are also checked against a blacklist. If it looks as though they're likely to be wise to the scam, or could represent a threat to the criminals, they're simply sent to a 404 error page. Victims who pass the checks are then asked for their information.

It's a sophisticated kind of credential harvesting. See the story in Help Net Security:
Technical Defenses Are Good, but Not Good Enough

Most ransomware victims (77%) were running up-to-date endpoint protection when they were hit.

Ransomware often arrives by phishing email, and email security programs let many malware payloads through. Organizations should train their employees to serve as an effective last line of defense.

And businesses that are hit once are prone to reinfection. Don't get complacent once you've finished remediation, and don't assume that a technical fix will prevent reinfection if the vector was social engineering in the first place. Computer Business Review has the story:
New Trend in Phishing: Conversation Hijacking

Researchers see a new trend in phishing.

Hackers are inserting themselves into email conversations between parties known to and trusted by one another. Once in, they exploit that trust to trick users into opening a malicious document that carries the Gozi Trojan as a payload.

Another highly tailored bit of social engineering to inoculate employees against. If an email exchange with a trusted party suddenly presents you with an unexpected and not particularly germane attachment, be suspicious and report it to the right people in your organization using the Phish Alert Button. More at the KnowBe4 blog:
Two Phishing Seasons Open This Week

The Winter Olympics opened late last week, and you can expect Olympic-themed phishing to continue for the duration of the games. Medal count updates, highlights, things like that will serve as phishbait. Phishing seasons often track major sporting events, especially ones that run over the course of several days or weeks.

Holidays are also phishing season, especially holidays that involve gift-giving and a lot of last-minute rushing. Like Valentine's Day, which comes this Wednesday. Consumer Reports has a good story on what the security sector sees brewing in social engineering attacks using the Olympics. Yours truly is quoted:

SANS announced the Feb 2018 version of their great monthly awareness briefing:

"Okay, onto the February edition of OUCH!. For February we cover how to secure your mobile device. Peoples’ mobile devices have become the most important technology in their daily lives as we do just about everything with them. Learn how to make the most of your mobile device safely and securely in five simple steps." Download them here:
New Tech Support Scam Freezes Browser

The familiar Microsoft help desk social engineering scam, usually initiated by a cold call to a residential number, has been updated. Now the crooks don't call you. They get you to call them!

In its original form someone called claiming to be from the "Microsoft help desk," and then told the mark that malware had been detected on their Windows computer. They'd remove the malware if you "let them take control."

In this new wrinkle, reported by Malwarebytes, the hoods reach you through your browser. They abuse a browser API, msSaveOrOpenBlob, to lock up a page by forcing the browser to save a file to disk over and over in a tight loop, so the tab stops responding.

The page then displays a dialog box telling victims that their machine has been blocked by their ISP. To recover, the victim is told to call "Microsoft Help Desk" for assistance.

Warn your users not to call. Nothing on the machine is actually blocked; they should just kill the unresponsive tab or browser process (Chrome's own task manager, Shift+Esc on Windows, or the operating system's task manager) and move on. For now this version of the scam affects only Chrome, but similar tricks in other browsers are likely to follow. Story in Ars Technica:
Security Awareness Training for Election Officials

US midterm elections will be held this year with heightened concern about their cybersecurity. The most embarrassing incidents to hit during the 2016 elections were accomplished through phishing. More can be expected this year.

US elections are a state and local government responsibility. Those election officials should consider training and awareness for their staff and the volunteers who support them. Technical defenses alone have not stopped social engineering. Only trained and aware users can do that.

Southern California Public Radio has an account of some of the training being conducted during the run-up to the midterms:
The Expanding Role of the CISO: Seven Attributes of a Successful Security Leader

A recent Ponemon Institute report titled “The Evolving Role of CISOs and Their Importance to the Business” reaffirmed that the role of the security leader is becoming more critical, especially when it comes to managing enterprise risk, deploying security analytics and protecting Internet of Things (IoT) devices.

However, if chief information security officers (CISOs) wish to play a bigger role, they must not only have the necessary technical expertise and leadership skills, but also understand their company’s operations and articulate security priorities from a business perspective. Over at ITSecurityGuru:
What Our Customers Say About Us

"Hi Stu, Wow, thanks for checking in! We are very satisfied with the company, the people, and the product. We have our automated phishing emails sent out monthly with training automatically assigned and tracked.

Those features were exactly the reason we moved to KnowBe4 from PhishMe. Our employees have been very receptive to the simulations and training. They love telling me when they’ve caught a phish!

"As a whole, KnowBe4 has been so much better to work with. Everyone who I have been in contact with was very helpful and nice without being overbearing or pushy. I look forward to the innovation that future improvements will bring, and am happy with our choice to partner with KnowBe4 for our security education." — H.D., InfoSec - Medical Center.

Forrester TEI™ Study: Value of KnowBe4 Goes Beyond ROI

Read this study for an in-depth explanation of Forrester’s analysis and a detailed walk-through of KnowBe4's impact on our customer’s business. The resulting research paper assesses the performance of the KnowBe4 Platform. How does 127% ROI with a one month payback sound? Download now:
Interesting News Items This Week

Russian nuclear scientists arrested for allegedly hijacking supercomputer to mine Bitcoins:

40% Of Defense Contractors Fall For Phishing:

Are offsite ransomware backup tapes compatible with the GDPR?

Consumers prefer security over convenience for the first time ever, IBM Security report finds:

New Zero-Day Ransomware Evades Microsoft, Google Cloud Malware Detection:

T-Mobile sued after porting man's number to thieves who stole his cryptocurrency:

A Classic Scam Finds New Life Stealing Bitcoin on Twitter:

BrickerBot: Internet Vigilantism Ends Don't Justify the Means:

Water Utility in Europe Hit by Cryptocurrency Malware Mining Attack:

What is Cryptojacking and Why It's a CyberSecurity Risk:

New Mission For North Korea’s Hackers:

Leaky Amazon S3 Bucket Exposes Personal Data of 12,000 Social Media Influencers:

Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • FALCON HEAVY TEST FLIGHT. This one was by far the best in a long time. Seeing those two side boosters land in tandem was AWESOME, at about 30 minutes in:

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
