CyberheistNews Vol 9 #1 Jan 2 [Heads-Up] North Korean Ransomware Attack Disrupts Major U.S. News Media


It was all over the news. A server outage at a major newspaper publishing company on Saturday that prevented the distribution of many leading U.S. newspapers, including the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun.

An early, unnamed source revealed they found files with a .RYK extension, and it looks like this might be a targeted ransomware attack using the specialized Ryuk ransomware family. This strain is the latest incarnation of the earlier HERMES ransomware, which is attributed to the capable and active Lazarus Group; that group operates out of a Chinese city just north of the North Korean border and is reportedly controlled by the N.K. Unit 180 spy agency.

Unlike spray-and-pray ransomware, Ryuk is mainly used for tailored attacks very similar to SamSam, and its encryption scheme is specifically built for focused infections, such that only crucial assets and resources are encrypted in each targeted network, carried out manually by the attackers.

Reality Check: "It Is Very Hard to Keep a State-Sponsored Bad Actor Out of Your Network"

Security experts believe that the Ryuk crew targets and penetrates selected companies one at a time, charging exceptionally large ransoms, either via spear phishing, RDP connections, or other, as yet unknown, penetration techniques. Ryuk is not decryptable at the time of this writing, and it is very hard to keep a determined state-sponsored "Advanced Persistent Threat" bad actor out of your network. You really need to practice defense-in-depth and even then...

Now, having said that, I admit it is in the early days and this attribution is more a gut-feel estimate rather than something proven by forensics. There are a lot of "false flag" operations going on, and someone else may have gotten hold of that code. Feels like N.K. though.

The infected publisher said in a statement Saturday that: “the personal data of our subscribers, online users, and advertising clients has not been compromised. We apologize for any inconvenience and thank our readers and advertising partners for their patience as we investigate the situation.”

Any organization today needs to have weapons-grade backup procedures in place to restore production systems that have been compromised. I'm sure they are doing exactly that; there are some IT heroes pulling all-nighters out there. It could also mean they decided not to pay the ransom; good for them!

Ryuk-HERMES Similarities Are Clear as Daylight

The connections are pretty obvious, as shown by Check Point researchers who recently analyzed the two ransomware strains. They pointed out clear similarities between past Hermes strains and current Ryuk samples, which share large chunks of code:
  • The function that encrypts a single file is almost identical
  • Ryuk and Hermes use the same file marker for encrypted files
  • The check for the file marker is also identical
  • Both whitelist similar folders (e.g. “Ahnlab”, “Microsoft”, “$Recycle.Bin” etc.)
  • Both write a batch script named “window.bat” in the same path
  • Both used a similar script to delete shadow volumes and backup files
Ryuk versions for 32-bit and 64-bit systems were discovered, suggesting the ransomware can infect all types of systems, new and old alike. But there are also some differences. The main one is that Ryuk comes with a huge list of apps and services it shuts down before infecting a victim's systems.

"The ransomware will kill more than 40 processes and stop more than 180 services by executing taskkill and net stop on a list of predefined service and process names," Check Point researchers explained in a report. This is one nasty piece of malware.

Six Things That You Can Do About It Right Now
    1. Educate Users – put them through security awareness training so they never click the link, fall for the scam, open the attachment, etc. that allowed any ransomware to run in the first place!

    2. Weapons-Grade Backups – any data that’s worth protecting (which includes specific critical endpoints) should be backed up regularly and the restore function tested frequently to make sure you actually have that backup.

    3. Scan your network to identify any open RDP ports and ideally disable RDP completely on all Windows machines if possible. By default, the server listens on TCP port 3389 and UDP port 3389.

    4. Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.

    5. An RDP brute force attempt leaves traces of the attacker in the targeted network's logs, so automate the process of parsing the Windows Event Viewer logs, find any compromised user accounts, identify the IP address of the attacker and block it.

    6. I would add to that using 2-factor authentication for any and all remote logins is a must-have safety measure in place at this point in time!
Note that there are forums on the dark web where compromised RDP accounts are for sale for little money, so the above measures are pretty important.
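One way to automate step 5, as an added example that is not part of the original newsletter: the script below walks a time-ordered export of Windows Security log records, counts failed RDP logons (Event ID 4625, logon type 10) per source IP, flags accounts that logged on successfully (Event ID 4624) from a source that had just been hammering the server, and produces the IP list to block. The export format and the records themselves are constructed sample data; the failure threshold is a hypothetical tuning value.

```python
# Added example: detect RDP brute-force sources and the accounts they got into,
# from an exported Windows Security log. The export format below (pipe-delimited
# timestamp|EventID|LogonType|TargetUserName|IpAddress) and the records are
# CONSTRUCTED sample data, not a real Event Viewer export. The field meanings
# are real: 4625 = failed logon, 4624 = successful logon, logon type 10 =
# RemoteInteractive (RDP).
from collections import defaultdict

SAMPLE_EXPORT = """\
2019-01-01T02:14:03|4625|10|administrator|203.0.113.45
2019-01-01T02:14:04|4625|10|administrator|203.0.113.45
2019-01-01T02:14:05|4625|10|admin|203.0.113.45
2019-01-01T02:14:06|4625|10|jsmith|203.0.113.45
2019-01-01T02:14:07|4625|10|jsmith|203.0.113.45
2019-01-01T02:14:08|4625|10|jsmith|203.0.113.45
2019-01-01T02:14:09|4624|10|jsmith|203.0.113.45
2019-01-01T08:00:01|4625|10|bob|198.51.100.7
2019-01-01T08:00:09|4625|10|bob|198.51.100.7
2019-01-01T08:00:20|4624|10|bob|198.51.100.7
2019-01-01T09:30:00|4625|2|alice|127.0.0.1
2019-01-01T09:30:10|4624|2|alice|127.0.0.1
"""

# Hypothetical threshold: failures from one source IP before we call it brute force.
FAILURE_THRESHOLD = 5


def parse_records(text):
    """Yield one dict per non-empty export line, in file order."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split("|")
        yield {"ts": ts, "event_id": int(event_id), "logon_type": int(logon_type),
               "user": user.lower(), "ip": ip}


def analyze(records, threshold=FAILURE_THRESHOLD):
    """Return (suspect_ips, compromised_accounts).

    suspect_ips: {ip: failed RDP logon count} for sources at or above threshold.
    compromised_accounts: {(user, ip)} where a successful RDP logon followed at
    least `threshold` failures from the same source IP (records must be time-ordered).
    """
    failures = defaultdict(int)
    compromised = set()
    for r in records:
        if r["logon_type"] != 10:      # only RDP (RemoteInteractive) logons
            continue
        if r["event_id"] == 4625:
            failures[r["ip"]] += 1
        elif r["event_id"] == 4624 and failures[r["ip"]] >= threshold:
            compromised.add((r["user"], r["ip"]))
    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    return suspects, compromised


def block_list(suspects):
    """Sorted source IPs to feed into a firewall deny rule."""
    return sorted(suspects)


if __name__ == "__main__":
    suspects, compromised = analyze(parse_records(SAMPLE_EXPORT))
    print("brute-force sources:", suspects)
    print("accounts to reset:", compromised)
    print("IPs to block:", block_list(suspects))
```

The two failures from 198.51.100.7 before bob's logon stay below the threshold, so that logon is reported as normal; raise or lower FAILURE_THRESHOLD to suit your own baseline.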

NOTE: This is a developing story; we will keep the blog post updated:
Don't Miss the January Live Demo: Simulated Phishing and Awareness Training in Action

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5-15% failure rate; you need a strong human firewall as your last line of defense.

Join us for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Identify and respond to email threats faster. Enhance your incident response efforts with the brand-new PhishER add-on!
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 23,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, January 9th at 2:00 pm (ET)

Save My Spot!
2018: The Year of the Data Breach Tsunami [INFOGRAPHIC]

Our friends at Malwarebytes wrote: "It’s tough to remember all of the data breaches that happened in 2018. But when you look at the largest and most impactful ones that were reported throughout the year, it paints a grim picture about the state of data security today.

The consequences of major companies leaking sensitive data are many. For consumers, it represents a loss of privacy, potential identity theft, and countless hours repairing the damage to devices. And it’s costly for companies, too, in the form of bad press and the resulting damage to their reputation, as well as time and money spent to remediate the breach and ensure customers’ data is well secured in the future.

But despite the well-known costs of data breaches, the problem of leaky data isn’t getting better. While there were a greater number of breaches in 2017, 2018 saw breaches on a more massive scale and from marquee players, such as Facebook, Under Armor, Quora, and Panera Bread. Cybercriminals stole sensitive personally identifiable information (PII) from users, including email and physical addresses, passwords, credit card numbers, phone numbers, travel itineraries, passport data, and more.

You’d think these problems would cause companies to be extra diligent about discovering data breaches, but that doesn’t seem to be the case. In reality, companies rarely discover data breaches themselves. According to Risk Based Security, only 13 percent of data breaches are discovered internally.

To help people better understand the modern problem of data breaches, TruthFinder created this infographic. It clarifies the extent of the crisis using statistics from the Identity Theft Threat Center and Experian. Take a look at the infographic in this blog post to get a sense of why 2018 was the year of the data breach tsunami."
"10 Incredible Ways You Can Be Hacked Through Email & How to Stop Them", a Roger Grimes Webinar

Email is still the #1 attack vector the bad guys use. 92% of malware is delivered by email, but email hacking is much more than phishing and launching malware!

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and security expert with over 30 years' experience, for this webinar where he will explore 10 ways hackers can and do trick your users into revealing sensitive information or executing malicious files. Plus, he'll share a (pre-filmed) hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick.

Roger will teach you:
  • How silent malware launches, remote password hash capture, and rogue rules work
  • Why rogue documents, establishing fake relationships and getting you to compromise your ethics are so effective
  • Details behind clickjacking and web beacons
  • Actionable steps showing how to defend against them all
If all you were worried about was phishing attempts, think again!

Date/Time: Wednesday, January 16th at 2:00 pm (ET)

Save My Spot!
Live Demo: KCM GRC - Get Your Audits Done in Half the Time

KCM GRC simplifies the challenges of managing your compliance, risk, and audit projects enabling you to efficiently manage GRC initiatives, and understand at a glance what items need to be addressed.

Join us on Tuesday, January 15th at 1:00 PM (ET), for a 30-minute live product demonstration of the new KCM GRC platform from KnowBe4. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it’s time for risk assessments and audits.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • NEW Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Tuesday, January 15th at 1:00 pm (ET)

Save My Spot!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: I'm super excited about the PhishER release. It's a brand-new KnowBe4 product that helps your team prioritize and manage potentially malicious messages reported by your users. Identify and respond to email threats fast!
Quotes of the Week
"Permanence, perseverance and persistence in spite of all obstacles, discouragements, and impossibilities: It is this, that in all things distinguishes the strong soul from the weak."
- Thomas Carlyle, Philosopher (1795 - 1881)

"Success is not a matter of mastering subtle, sophisticated theory but rather of embracing common sense with uncommon levels of discipline and persistence." - Patrick Lencioni

Thanks for reading CyberheistNews
Security News
Judge Calls for County Officials to Resign After Falling Victim to a 500K+ CEO Fraud Scam

Months after a classic fraud scam took Galveston County for 525 grand, County Judge Mark Henry is now asking for the County Auditor and Purchasing Agent to resign.

It’s one of the easiest scams to pull off – do a little homework and identify a contractor working for a business or government with lots of money, impersonate someone from the contractor’s accounting department, and send an email to the victim organization asking for a bill to be paid.

In the case of Galveston County, this is pretty much as sophisticated as it got. The scammer pretended to be working for Lucas Construction, a Houston company doing road work for the county.

And just as the CEO fraud is relatively easy to run, it’s usually just as easy to spot – a spoofed email address, poor writing skills, and the request to use alternate banking details. These red flags should put a halt to any requests for money and, at the least, require a phone call.

It is this kind of thinking that has County Judge Mark Henry calling for County Auditor Randall Rice and County Purchasing Agent Rufus Crowder to be held responsible for the fraudulent electronic payment, and for their resignations.

The scammer created email accounts to pose as both a county employee and a Lucas Construction representative. Using county forms, the request to change banking details was submitted… and processed. This caused all checks written to Lucas Construction to now be electronically transferred. The County had no process for validating banking details.

Anytime there is a change to how a vendor gets paid, it needs to involve both some form of verification of the banking change and, most importantly, a phone call to a known entity at the company requesting the change.

Unfortunately, cybercriminals don’t simply stick to wire fraud; they use any social engineering tactic possible to get your users to fall victim to their scams. Users in any role within the organization are at risk of malware attacks, ransomware, cryptojacking, and, yes, banking fraud.

Educating users with security awareness training is an effective way to elevate their sense of risk when interacting with email and the web, causing them to scrutinize anything that looks abnormal. There were signs that the Galveston attack was a scam; educating users to have a security-mindset and knowing what to look for could have made the difference.
You Must Know What You're Clicking on Even With MFA

By Roger Grimes, KnowBe4's Data-driven Defense Evangelist: "I’ve been in computer security for over 30 years and I’ve been giving presentations nearly as long. And in that time, no talk has been as popular as my 12 Ways to Hack MFA. I’ve given the presentation dozens of times to many thousands of viewers.

It was a standing-room-only crowd when I gave it at BlackHat USA in Las Vegas this year, and I’m giving it again at this coming year’s RSA. If you’re interested in seeing it before then, do an Internet search on ’12 Ways to Hack 2FA Grimes’ and you are sure to get lots of opportunities to view one of the many previous presentations.

It seems to have hit a digital nerve with computer defenders and end-users alike. I think the reason it is so interesting is that it is surprising to many people that multi-factor authentication (MFA) does not protect you from hackers (including simple phishing) as much as you would think. If you don’t think MFA can be easily phished around, please watch the video of Kevin Mitnick phishing around one of today’s most popular MFA solutions." Continued at the KnowBe4 blog:
Easy Hacker Targets: Bad Password, IoT Devices, and No 2FA. Let's Make It Harder in 2019!

Without proper security controls, compromising an IoT device is easy work for hackers, giving them access to potentially more than just the device. Let's make it harder for them in 2019!

We live in a world where people want to be more connected to the things they care about, have more control, and do so anytime, anywhere. It’s the reason why IoT devices like Nest cameras have become popular among consumers and small businesses.

But recent stories around the hacking of such devices highlights the need to ensure they are secure:

In one case, a family’s Nest camera used to monitor their baby was hacked, with the hacker scaring the family by stating he was in the room and was planning to kidnap their baby.

In another, a white hat hacker compromised a Nest camera and spoke to the camera’s owner warning him about how insecure the device was.

While the two examples are relatively benign, we have seen at least one story in the news of a casino data breach occurring through a temperature control device for a fish tank. And with many smaller IT departments relying on easy-to-implement and manage security cameras, these Internet-accessible devices are the perfect entry point for external attackers looking for a way in.

When connecting these devices – both at home and in the workplace – consider the following guidance:
    • Limit External Access – In all cases mentioned above, the devices were accessible from the Internet. Requiring a VPN connection to access the network and then the device is one way of keeping prying eyes from getting to your devices.
    • Use two-factor authentication – Many IoT devices support two-factor authentication. Using 2FA eliminates a hacker’s ability to easily access your devices. In the cases of the Nest cameras above, it would have stopped the hackers from gaining control over the devices.
    • Use Unique Passwords – In one of the scenarios above, the user’s information on the web had been compromised, including the password he reused on multiple sites and his camera. Use different passwords for each site, device, application, etc. There are plenty of web-based and local password vault applications to help you keep track.
The reuse of passwords is not uncommon – according to LastPass’ 2018 State of the Password report, half of all employees reuse passwords across both home and work accounts. This puts the organization at risk. Users need to be educated using Security Awareness Training on proper password etiquette, password reuse, how to create secure passwords, and more.

We’re only going to see more IoT devices in the workplace and at home. Now is a good time to be thinking about properly securing these devices – regardless of where they are used - to ultimately ensure the security of the organization’s network and data. Blog post with links:
What KnowBe4 Customers Say

Someone at Spiceworks asked: "I know there are discussions of Company Phishing Campaigns and Security Awareness Training, curious what everyone uses other than KnowBe4. I have been delegated to shop around for something in the near future. I have already looked at King Phisher and Lucy, and continuing on to KnowBe4. I know there are a bunch out there. What does everyone else use?"

Here are some answers:

John4865: "KnowBe4 is an incredible value. So much so that I have not bothered to shop the competition."

SQLRage: "I can't speak for the competitors but KnowBe4 is very cheap for the impact that it has had on our company."

Rickmarvel: "KnowBe4 is a good option as user education is the key to defending against phishing attacks."

Harpy: "I personally use KnowBe4 now as I feel it's easier to use, very good product and can highly recommend it. Before that point, we were using Wombat."

Dimforest: "Honestly... just save yourself the time and money and go with KnowBe4. It's the industry standard for a reason."

Denise5318: "Getting KnowBe4 was some of the best money I've spent here at the library."

Here is the whole thread (and poll with votes) on Spiceworks:

PS, If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
The 10 Interesting News Items This Week
    1. The Air Force targeted its own personnel to see if they could 'recognize and thwart' cyberattacks:

    2. You Must Know what you are clicking on even with MFA:

    3. Hackers Make a Fake Hand to Beat Vein Authentication: "Hacking Biometrics Not In Vein":

    4. Internal email account used to push phishing to compromise North Korean defector database:

    5. Massive Ad Fraud Scheme Relied on BGP Hijacking - Schneier on Security:

    6. How Russia’s military intelligence agency became the covert muscle in Putin’s duels with the West:

    7. Here's what happened in the world of AI in 2018:

    8. How fake-porn opponents are fighting back...with AI:

    9. Threatlist: Dark Web Markets See an Evolution in Q3:

    10. KnowBe4 Fresh Content Update & New Features December 2018:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • When you think something can't be done, remember EVERYONE thought the 4 minute mile was impossible. Well guess what Roger Bannister pulled off? Right:

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
