CyberheistNews Vol 8 #09
2,000 Systems Down Due to SamSam Ransomware Infection at Colorado DOT

The attack hit the Colorado Department of Transportation on February 22nd, encrypted files and demanded a ransom payable in Bitcoin. Security officials shut down more than 2,000 employee computers while they investigated the attack.

According to the CDOT spokeswoman, this version of SamSam hit only Windows computers, and it did so even though they were running McAfee antivirus.

“This ransomware virus was a SamSam variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night,” said David McCurdy, chief technology officer, Governor’s Office of Information Technology, in a statement.

CDOT has all of its data backed up and does not plan to pay the ransom; the SamSam group's attempt to extort the agency did not succeed.

Meanwhile, employees are barred from accessing the Internet until the problem is solved. The ransomware did not affect any critical services such as traffic cameras, traffic alerts or variable message boards.

SamSam ransomware spread via RDP attacks in the past

SamSam, the ransomware used in this incident, first appeared two years ago and has only been used in targeted attacks. The SamSam gang typically scans the Internet for machines with RDP exposed.

Attackers break their way into large networks by brute-forcing these RDP endpoints and then spread to even more computers. Once they have a sufficiently strong presence on the network, attackers deploy SamSam and wait for the victim organization to either pay the ransom demand or try to boot them off their network.

The FBI has long asked companies and individuals affected by ransomware to report any infections via the IC3 portal so the Bureau can get a better grasp of the threat and have a legal basis to go after such groups.

What to Do About It:
    • The best protection against RDP brute forcing is not to expose RDP to the Internet at all: put it behind a VPN or a Remote Desktop Gateway, require Network Level Authentication, enforce account lockout and, where possible, multi-factor authentication. On top of that, harden the session itself by limiting or disabling drive, clipboard and printer redirection for remote connections, which slows down an attacker who does obtain a session.

    • A brute-force attempt leaves the attacker's footprints in the target's own logs: every failed logon is Security event 4625, which records the account name tried, the logon type (10 for RDP, usually 3 when Network Level Authentication is in use) and the source IP address, and a success from the same address shows up as event 4624. Parse the Security log in Event Viewer (or your SIEM), identify the account that eventually succeeded and the attacking IP, reset that account's password and block the address at the firewall.
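The triage described in the second bullet, as an added example that is not part of the newsletter or of any CDOT tooling. It runs over event records in the form a log shipper or SIEM would forward (the keys mirror the EventData fields of Security events 4625 and 4624; the sample records below are constructed), finds source addresses with a burst of failed RDP logons, reports whether any account later logged on successfully from the same address, and emits the netsh command that blocks that address on the host firewall.

```python
"""Flag RDP brute-force activity in Windows Security log events.

Added example; not from the newsletter or from CDOT.  Records carry the
EventData fields of Security events 4625 (failed logon) and 4624 (logon).
LogonType 10 is RemoteInteractive (RDP); with Network Level Authentication
failed RDP attempts are usually logged as LogonType 3, so both count.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}


def _ts(event):
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%S")


def block_rule(ip):
    """Windows Firewall rule (netsh syntax) dropping RDP from one address;
    block at the perimeter firewall as well."""
    return ('netsh advfirewall firewall add rule name="Block RDP from %s" '
            'dir=in action=block protocol=TCP localport=3389 remoteip=%s' % (ip, ip))


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """One finding per source IP with >= threshold failed logons inside
    `window`: accounts tried, and accounts that logged on successfully from
    that IP after the burst (the signature of a guessed password)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("LogonType") in RDP_LOGON_TYPES and ev.get("IpAddress") not in (None, "", "-"):
            by_ip[ev["IpAddress"]].append(ev)

    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=_ts)
        failures = [e for e in evs if e["EventID"] == 4625]
        burst_end = None
        for i, first in enumerate(failures):          # sliding window over failures
            in_window = [e for e in failures[i:] if _ts(e) - _ts(first) <= window]
            if len(in_window) >= threshold:
                burst_end = in_window[-1]
                break
        if burst_end is None:
            continue
        compromised = sorted({e["TargetUserName"] for e in evs
                              if e["EventID"] == 4624 and _ts(e) >= _ts(burst_end)})
        findings.append({
            "source_ip": ip,
            "failed_attempts": len(failures),
            "accounts_tried": sorted({e["TargetUserName"] for e in failures}),
            "compromised_accounts": compromised,
            "block_rule": block_rule(ip),
        })
    return findings


def _ev(event_id, when, user, ip, logon_type):
    return {"EventID": event_id, "TimeCreated": when, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed sample: an Internet host spraying four account names and then
# getting in as "backup"; a LAN user who mistyped twice; a console failure.
SAMPLE_EVENTS = [
    _ev(4625, "2018-02-22T02:10:01", "administrator", "203.0.113.7", 3),
    _ev(4625, "2018-02-22T02:10:05", "admin",         "203.0.113.7", 3),
    _ev(4625, "2018-02-22T02:10:09", "administrator", "203.0.113.7", 3),
    _ev(4625, "2018-02-22T02:10:14", "backup",        "203.0.113.7", 3),
    _ev(4625, "2018-02-22T02:10:20", "sysadmin",      "203.0.113.7", 3),
    _ev(4625, "2018-02-22T02:10:26", "backup",        "203.0.113.7", 3),
    _ev(4624, "2018-02-22T02:10:31", "backup",        "203.0.113.7", 10),
    _ev(4625, "2018-02-22T08:00:00", "jsmith",        "10.0.0.5",    10),
    _ev(4625, "2018-02-22T08:00:30", "jsmith",        "10.0.0.5",    10),
    _ev(4624, "2018-02-22T08:01:00", "jsmith",        "10.0.0.5",    10),
    _ev(4625, "2018-02-22T09:15:00", "jdoe",          "-",           2),
]

if __name__ == "__main__":
    for finding in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window are tuning knobs: a lower threshold catches slow password spraying but starts to flag users who mistype, which is why the LAN user above is reported only when the threshold drops to two.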

UPDATE: SamSam ransomware virus keeps CDOT employees offline for fourth day:


Now *HERE* Is a Devious Combo Pretexting / Vishing / SMS Social Engineering Attack!

Someone on Reddit described how he was the victim of a very sophisticated social engineering attack. Wow, this is crafty. Here is the story, in his own words:

"I have different passwords for every website I log into, 2-factor authentication when possible; I thought I knew all the scams and could spot them a mile away. This one still got me. 

I was meeting a friend at a bar. Two drinks in I got a call from someone identified by my phone as Wells Fargo. I'm fully aware this could be spoofed, but it did not raise alarm bells yet. I was at a bar I did not frequent and have gotten calls from my bank before on suspicious charges that were legit, so I answered expecting this to be the case.

The person I spoke with said they were with Wells Fargo and they've identified fraudulent charges on my account but they need to verify my identity before they can discuss details. They said they sent me a text message (via the cell number they just called, which is my first clue this is phishing). They asked me to read back to them the 6-digit number just texted to me to verify my ID.

Being two drinks in, slightly expecting what this was about, I had zero alarm bells going off. My bad, this was stupid of me. I read the number to them. They suggested it timed out and I needed to read another number they texted to me. Minimal time had passed, a mild spidey sense was tingling, but I still was not concerned enough to ask questions and read them a second 6-digit code.

This person then read off 5 recent charges on my account, 4 of which I recognized as legit and a 5th that was a $1000 charge to a credit card I did not own. I immediately identified this as a fraudulent charge and they said "no prob dude, we'll freeze your card and send you a new one". They even gave me the last 4 on the card it was coming from. I was appeased enough to continue (sadly).

Finally, they said they sent me one final 6-digit code to confirm that they were crediting my account back with the $1000 fraudulent charge. I just needed to read off the final code they texted to me. At this point things seem weird to me but they got me at a good time. I was 2 drinks in, was interrupted from hanging with a close friend I hadn't seen in months and was outside trying desperately to avoid the loud noise inside the bar but still dealing with traffic noise outside. I just wanted to be done with this. I read them the final code and they thanked me and hung up.

At this point, I see why my phone had been vibrating constantly through this call. I had 4 emails from Wells Fargo. 1) Your user name has been reset, 2) your password has been reset, 3) Welcome to Zelle! an awesome $$$ forwarding service, 4) You've just forwarded $1000!!!!!

I called Wells Fargo via the number on the back of my card. After being on hold for 45 min trying to get the fraud department, I start to tell my story only to have the call drop (I'm pretty sure they hung up on me). I called back and was on hold for 1 hour 20 min (my account has been compromised >2 hours by this time) to get a second person. He told me this was a scam they've been dealing with for 3 months and I needed to go into a branch with 2 forms of ID to deal with it. There was nothing he could do tonight.

TL;DR: Dude spoofed Wells Fargo when calling me on my cell, requested a reset of my user name, password and approval for $1000 transfer. I stupidly read off the confirmation numbers I received via text to him, he entered them into Wells Fargo website to approve all these requests. Wells Fargo has known their customers have been getting scammed for 3 months and didn't bother to warn anyone. I now have to go into a branch, hang my head and tell my shameful story to a person and beg for access to my account because someone else has control of it all night tonight."

Good lesson to be learned: Never, ever give any kind of confidential data, and that includes a one-time code texted to you, to someone WHO CALLS YOU. Each code he read back completed a step the caller had just started on the bank's own website; the code is the credential, and the bank will never ask you to read one to a person on the phone. Hang up and call back on the number printed on the back of your card.

Let's stay safe out there.

Annabelle: The Terrifying New Ransomware Variant

A new ransomware variant called Annabelle has been discovered, which seems to have been designed to ‘show off the skills’ of the developer who created it, by being as difficult to deal with as possible.

The ransomware terminates numerous security programs, disables Windows Defender, turns off the firewall, encrypts your files, tries to spread through USB drives, makes it so you can’t run a variety of programs, and overwrites the master boot record of the infected computer with a boot loader.

Lawrence Abrams at Bleepingcomputer said: "Discovered by security researcher Bart, Annabelle Ransomware includes everything but the kitchen sink when it comes to screwing up a computer. Overall, this ransomware was developed to be a PITA and to show off the developer's skills rather than to actually generate ransom payments.

The good news is that this ransomware is based off of Stupid Ransomware and is easily decryptable. As it uses a static key, Michael Gillespie was able to update his StupidDecryptor in order to decrypt this variant." More and cleanup instructions at the KnowBe4 blog:

Webinar: Making Awareness Stick: Secrets to a Successful Security Awareness Training Program

Join our guest, Forrester Senior Analyst, Nick Hayes and KnowBe4's Chief Evangelist & Strategy Officer, Perry Carpenter, for this on-demand webinar "Making Awareness Stick: Secrets to a Successful Security Awareness Training Program" as they share results-focused strategies and practical insight on how to build a world-class program.

Key topics covered in this webinar:
  • Why awareness and training matters
  • Key data points to help make the case for awareness in your organization
  • Five secrets to making awareness work in 2018
It’s 60 minutes loaded with relevant information, great for your own fun and instructive lunch & learn! Watch Now:

Don’t Miss the March Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, March 7, 2018, at 2:00 PM (EST) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • NEW Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 16,000+ organizations have mobilized their end-users as their last line of defense.
Register Now:

LAST CHANCE... Try the Weak Password Test for a Chance to Win a Nintendo Switch

Is everything you know about passwords wrong? Verizon's Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen and/or weak passwords. Employees are the weakest link in your network security.

KnowBe4's Weak Password Test checks your Active Directory for 10 different types of weak password related threats and reports any fails so that you can take action.

Plus you’ll be entered to win a Nintendo Switch!

Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless steel lock-pick business card!

This will take you 5 minutes and may give you some insights you never expected!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"I pay no attention whatever to anybody's praise or blame. I simply follow my own feelings."
- Wolfgang Amadeus Mozart

"People ask for criticism, but they only want praise." - W. Somerset Maugham

Thanks for reading CyberheistNews

Security News
Cryptojacking Scripts and Phishing Pages Could Soon Invade Your Word Documents

"Let's open that doc file and watch the Matrix again."

"Cryptojacking scripts that mine Monero via JavaScript code can also run inside Word files, security researchers have discovered.

This is possible via a new feature added to recent versions of Microsoft Word that allows users to embed internet videos inside Word files without having to inject the actual video file inside the document itself.

Users can copy-paste a video's iframe embed code inside a Word popup, and the video will appear in the document the next time they open it.

If they press the "Play" button that appears over the video's iframe, the video loads and plays inside a popup.

But security researchers from Israeli security firm Votiro have discovered that miscreants could leverage this video embedding system to add cryptojacking scripts with the videos, and mine Monero behind the user's back.

Word's video player is actually a browser in disguise

According to Votiro's Amit Dori, this is possible for two reasons. The first is that Word allows the insertion of iframe embed codes from anywhere on the Internet, instead of restricting the video sources to a few whitelisted domains. Second is because the popup that plays the video is actually a headless Internet Explorer browser.

A crook can host a video on his own domain, but also make sure to load an in-browser cryptocurrency miner (cryptojacking script) alongside the video.

When users open booby-trapped Word files and play the video, the IE instance also loads the cryptojacker, which then starts to mine Monero and consume the user's CPU power. Here are proof-of-concept Word files that Bleeping Computer obtained from Votiro that do just that. Blog post with more technical background and screenshots here:
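A check a mail gateway or file-drop scanner can run on a document before anyone presses Play, as an added example that is neither Votiro's proof of concept nor anything from Bleeping Computer. It assumes, from the Word 2013+ DrawingML extension schema rather than from the article, that Word keeps the pasted embed code in word/document.xml in a wp15:webVideoPr element whose embeddedHtml attribute holds the raw iframe markup; only that attribute name is relied on and the XML namespace is ignored. The allowlist of video hosts and the two sample documents are constructed here.

```python
"""Find the iframe behind a Word online-video embed and flag untrusted hosts.

Added example; not Votiro's, Microsoft's or Bleeping Computer's code.
Assumption: the embed code lives in an element carrying an embeddedHtml
attribute (wp15:webVideoPr in Word's 2012 wordprocessingDrawing schema).
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Hosts an embedded video may load from (assumed list; tune to your policy).
ALLOWED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "player.vimeo.com"}

# src="..." inside an <iframe ...> tag; Word stores the pasted markup as-is.
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']([^"\']+)', re.IGNORECASE)


def embedded_video_urls(docx_bytes):
    """Return the src URL of every online-video iframe in the document.

    A .docx is a zip; every XML part under word/ is parsed and any element
    with an embeddedHtml attribute is read (the parser unescapes the value).
    """
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            for el in root.iter():
                html = el.attrib.get("embeddedHtml")
                if html:
                    urls.extend(IFRAME_SRC.findall(html))
    return urls


def suspicious_embeds(docx_bytes, allowed=ALLOWED_VIDEO_HOSTS):
    """URLs whose host is off the allowlist: pages Word's hidden IE instance
    would fetch from an arbitrary server as soon as the user clicks Play."""
    bad = []
    for url in embedded_video_urls(docx_bytes):
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed:
            bad.append(url)
    return bad


def build_sample_docx(embed_html):
    """Construct a minimal .docx with one online-video embed (test data only)."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
        '<w:body><w:p><w:r><w:drawing>'
        '<wp15:webVideoPr embeddedHtml="%s" h="360" w="640"/>'
        '</w:drawing></w:r></w:p></w:body></w:document>'
    ) % escape(embed_html, {'"': "&quot;"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: a normal YouTube embed, and one pointing at a host the
# attacker controls where the "video" page also loads a Monero miner.
BENIGN_EMBED = '<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="640" height="360"></iframe>'
TRAPPED_EMBED = '<iframe src="https://video.example.net/player.html?v=1" width="640" height="360"></iframe>'

if __name__ == "__main__":
    for label, embed in (("benign", BENIGN_EMBED), ("trapped", TRAPPED_EMBED)):
        print(label, suspicious_embeds(build_sample_docx(embed)))
```

An allowlist only narrows the problem: an allowed host can still redirect, so the stricter policy is to strip or quarantine any document carrying an embeddedHtml attribute at all, since very few business documents legitimately need a live video.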

Cybersecurity Is 'Greatest Concern' at Senate Threats Hearing

For the top intelligence agencies in the US, technology has pushed aside terrorism as a top national security threat.

The leaders of six of those agencies, including the CIA, the NSA and the FBI, testified before the Senate Intelligence Committee on Tuesday, during its annual "Worldwide Threats" hearing. They discussed concerns ranging from terrorist attacks to nuclear strikes, but a major portion of the hearing was dedicated to discussing threats coming from technology.

Director of National Intelligence Dan Coats said in his opening statement that cybersecurity is his "greatest concern" and "top priority," putting it ahead of threats like weapons of mass destruction and terrorism.

"From US businesses to the federal government to state and local governments, the United States is threatened by cyberattacks every day," Coats said.

Those worries aren't new. In December, President Donald Trump issued a national security strategy document that described cybersecurity as a top priority, citing threats including hackers from criminal enterprises and from places like Russia, China and Iran.

That declaration came at the end of a long year awash in online security issues, from the WannaCry ransomware attack to probes into the hacking of critical infrastructure to revelations of Russian misinformation campaigns waged via social media. More at MSN:

Phishing Schemes Net Hackers Millions of Dollars From Fortune 500

Researchers at IBM Security warn of a current spike in business email compromise (BEC). This round is hitting bigger businesses, including members of the Fortune 500. In BEC fraud the criminals either hijack or impersonate an email account belonging to a trusted party, often an executive.

They then email finance, accounts payable or whichever office handles international wire transfers, and direct the recipient to send funds to a bank account the criminals control.

Companies that use the SWIFT funds transfer system are favorite targets of the fraudsters. The remedy is a mix of sound policy and sound training: make it a rule that no payment instruction or change of beneficiary account is acted on from email alone, require a call back to a phone number already on file (never one taken from the email) and a second approver for wires, and publish a DMARC reject policy for your own domain so that mail forging it is dropped (lookalike domains and hijacked accounts get past DMARC, which is what the call-back rule is for). Once such a transfer has gone through it's unlikely the victimized company will recover its funds, so treat a suspected BEC wire as an incident and call the bank at once. Help Net Security has the story:

SWIFT Fraud Prompts SWIFT Phishing

The SWIFT funds transfer system used by banks worldwide has been the target of large-scale theft over the past two years. The Bangladesh Bank was hit in 2016, and just two weeks ago a regional lender in India, City Union Bank, sustained a similar attack. There are two lessons to be drawn from the fraud.

First, on February 6th City Union Bank noticed that the printer which logs acknowledgment messages from the SWIFT network had stopped producing them. Staff misread the outage as a simple printer problem. In fact malware had induced it.

By the time they restored service on February 7th, they had lost approximately a million-and-a-half dollars to fraudulent transfers. So system outages, and above all outages of the confirmation or logging path that would reveal fraud, should always arouse suspicion of an attack. Second, the fraud has spawned a new round of phishing attempts.

Comodo Threat Research Lab has found emails circulating to businesses with documents attached that purport to concern a SWIFT "wire bank transfer to your designated bank account." The usage and grammar of the emails are sketchy, but an unwary employee, primed to be concerned about anything involving SWIFT, might be induced to open them anyway. If they do, they will infect their system with the Adwind remote access Trojan.

Adwind is a Java-based remote access Trojan that criminals use to establish persistence in a victim network and prepare it for further attacks. Alert your employees to the SWIFT-themed spam, and remind them that social engineering often draws on current events for plausibility. Comodo has an account of their research here:

Tax Season Scams

Tax season is scam season, for businesses as well as individuals. It's a good time to give your employees a refresher on the threat of social engineering. They may receive phone calls from people who claim to be the Internal Revenue Service. The callers are scammers. The IRS won't cold call you out of the blue.

Nor will the IRS ask for your credit or debit card, demand payment on the spot, or threaten to turn you over to the local police. Employees should also stay alert for bogus websites that look very much like legitimate sites they may have reason to access at this time of year. The telltale clues are usually in the site's URL.

A bogus site may be misspelled in a typosquatting effort to catch a user who accidentally types the wrong characters. The fake site may be close, but have a different top-level domain: .com instead of .gov, .org instead of .com, etc. Or the phony site may use a homograph of the real one, or a character that looks like a letter but isn't: a vertical stroke, for example, instead of a lowercase "l." And, of course, this is a good time to brush up on phishing awareness.
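The URL clues listed above, turned into a check that runs on a link before a user follows it; this is an added example, not something from the IRS or from the article's source. It decodes punycode (xn--) host names back to Unicode and looks for non-ASCII letters and mixed scripts, folds common look-alike characters (Cyrillic letters, the digit 1 or a vertical stroke for "l", 0 for "o") before comparing against a list of legitimate domains, and then flags top-level-domain swaps, one-keystroke typos and a real name buried as a subdomain. The list of legitimate domains and the confusable table are assumptions for the example; a production tool would use the full Unicode confusables data and the Public Suffix List.

```python
"""Score a URL for the look-alike tricks used in tax-season phishing.

Added example; not from the IRS or the article's source.  The legitimate
domain list and confusable tables below are assumptions for illustration.
"""
import unicodedata
from urllib.parse import urlparse

# Domains the organisation considers legitimate (assumed list).
LEGIT_DOMAINS = {"irs.gov", "wellsfargo.com", "knowbe4.com"}

# ASCII stand-ins for letters, and Cyrillic letters that render like Latin ones.
ASCII_CONFUSABLES = str.maketrans({"1": "l", "|": "l", "0": "o"})
UNICODE_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u04cf": "l",   # Cyrillic palochka: a bare vertical stroke
}


def levenshtein(a, b):
    """Edit distance, used to catch one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(host):
    """Unicode scripts used by the letters of a host name (LATIN, CYRILLIC, ...)."""
    found = set()
    for ch in host:
        if ch in ".-" or ch.isdigit():
            continue
        name = unicodedata.name(ch, "")
        if name:
            found.add(name.split(" ")[0])
    return found


def registrable(host):
    """Last two labels; a production tool would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def assess_url(url, legit=LEGIT_DOMAINS):
    """Reasons the URL's host looks like an imitation of a legitimate domain.
    An empty list means no look-alike pattern was found, not that it is safe."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    try:
        uhost = host.encode("ascii").decode("idna")   # xn--... back to Unicode
    except UnicodeError:
        uhost = host                                   # already Unicode
    if any(ord(c) > 127 for c in uhost):
        reasons.append("non-ASCII characters in host name: %s" % uhost)
    scripts = scripts_in(uhost)
    if len(scripts) > 1:
        reasons.append("mixed scripts in host name: %s" % ", ".join(sorted(scripts)))
    folded = "".join(UNICODE_CONFUSABLES.get(c, c) for c in uhost).translate(ASCII_CONFUSABLES)
    reg = registrable(folded)
    for good in sorted(legit):
        gname, gtld = good.rsplit(".", 1)
        rname, rtld = reg.rsplit(".", 1) if "." in reg else (reg, "")
        if reg == good:
            if folded != host:          # only matched after undoing substitutions
                reasons.append("confusable characters imitate %s" % good)
            continue
        if ("." + good + ".") in ("." + host + "."):
            reasons.append("%s appears as a subdomain of %s" % (good, reg))
        elif rname == gname and rtld != gtld:
            reasons.append("top-level domain swap: .%s instead of .%s (%s)" % (rtld, gtld, good))
        elif rtld == gtld and levenshtein(rname, gname) == 1:
            reasons.append("one-keystroke typo of %s" % good)
    return reasons


if __name__ == "__main__":
    for sample in ("https://www.irs.gov/refunds", "http://irs.org/refund",
                   "https://wellsfarg0.com/login", "https://irs.gov.example.com/refund"):
        print(sample, assess_url(sample))
```

The order of checks matters: the Unicode decode and confusable folding have to happen before the distance comparison, otherwise a host such as wellsfarg0.com is one edit away from the real name and would be reported as a typo rather than as a deliberate substitution.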

At least remind people that the IRS won't use email to communicate about refunds or charges. See the story in the Times Herald-Record for an accountant's quick rundown of the risks:

Almost Half of All Login Attempts Are Fraudulent

Akamai has a disturbing study out. Their Q4 2017 State of the Internet report claims that almost half, 47%, of all online login attempts are "malicious." The sectors most often attacked are hospitality (82%), technology (57%), and retail (36%).

If anything, observers think Akamai may have erred on the conservative side; the true fraction of malicious attempts may be higher still. Most of this traffic is credential stuffing: lists of usernames and passwords stolen from one site replayed against many others, which works only because users reuse the same credentials across sites. TechRepublic has the story here:

Catphish and Honeypots

Another campaign using fictitious profiles in social media has been uncovered.

Fake people with real pictures are seeking to connect with the unwary on Facebook. The catphish profiles are designed to simulate attractive young women who express an interest in the target, usually a man who ought to know better.

The goal of this particular campaign seems to have been installation of spyware into the victims' devices. Since the campaign's exposure the profiles identified as phony have been taken down, but the threat of this form of social engineering persists. The attack worked like this.

Flirtation established a connection on Facebook. At that point the catphish would move to the second stage and suggest that the victim install what was presented as the Kik messenger app for Android, so the couple could have more private, more secure conversations. The app was a counterfeit: a spyware payload dressed up as Kik.

The victims were induced to modify their security settings to complete the installation, which on Android means allowing apps from outside the official store. At least three catphish, "Rita," "Alona," and "Christina," were operated as a kind of school, commenting on each other's posts and amplifying their fake sisters' messages. Newsweek has a useful brief account of the episode:

What Our Customers Are Saying About Us

"Stu - Thanks for the email. Through the polite persistence of Virginia Simpson and after many months of receiving your warnings and security news, we enrolled with KnowBe4. In healthcare IT, I am constantly reminded of the many security threats that are out there.

It has been nice to get your updates on what is happening with security risks. I’ve been able to use your emails (almost word-for-word) to warn our staff and educate them about potential malware threats not only to help protect our company computer network but also to educate them for their own home computer usage.

Jackie Maines provided great support to get us set up for training and phishing campaigns. In January, we launched training using the course “2018 Kevin Mitnick Security Awareness Training - 45 Min”. I received multiple praises from the executive team and staff on the quality of the training course.

Initially, people were reluctant to do another 45 minute training, but once they started the training, they found it to be entertaining, very interesting and somewhat scary (in a good way). I had multiple requests from staff to be able to share this at home with their families. Jackie was able to provide me a training solution for home usage.

One final note - our initial phishing click rate was 13.8% last fall. After the above security awareness course was done, our latest phishing test campaign click rate is down to 2.9%. Education works!

I’m very happy and pleased with the support and quality of the KnowBe4 suite of products and more importantly, the KnowBe4 support team. Keep up the great work.

Have a great day. - R.A., VP Technology

Interesting News Items This Week

Inside North Korea’s Hacker Army - The regime in Pyongyang has sent hundreds of programmers to other countries. Their mission: Make money by any means necessary. Here's what their miserable lives are like:

How a #Bitcoin Transaction Works [InfoGraphic]:

Survey Shows Young UK Adults Lack Cyber Security Awareness:

Never knew the extent of the workforce at Bletchley. Story about the women who ran the mass decryption machines known as "bombes" running with the Enigma machines:

Lawmakers worry about rise of fake video technology | TheHill:

Supreme Court Won't Review CareFirst Data Breach Case:

10 Must-Know Cybersecurity Statistics for 2018:

Cyber crime costs global economy $600B annually, experts estimate:

Why Security Policies, Social Engineering and Password Management All Matter:

Spam and Phishing Techniques Effective, Finds Kaspersky:

Anatomy of a Russian Information Warfare Campaign. Cost of Troll Farm: $15 Million. Impact: Priceless:

Know How to Avoid Cyber attacks by Minimizing Human Error:

Preparing for Malicious Uses of AI:

Prepared in cooperation with the CyberWire research team.

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
