CyberheistNews Vol 9 #12 Triton Is the World’s Most Murderous Malware, and It’s Spreading


In the summer of 2017, a petrochemical plant in Saudi Arabia experienced a worrisome security incident that cybersecurity experts consider to be the first-ever cyber attack carried out with “a blatant, flat-out intent to hurt people.”

The attack involved a highly sophisticated new malware strain called Triton, which was capable of remotely disabling safety systems inside the plant with potentially catastrophic consequences.

Luckily, a flaw in the Triton code triggered a safety system that responded by shutting down the plant. If it hadn’t been for that flaw, the hackers could have released toxic hydrogen sulfide gas or caused explosions. As a result, employees of the plant and residents of the surrounding area could have been killed or injured.

Triton is almost certainly the work of state-backed hackers. While Iran was the initial suspect, later reports indicate that Russia may have been behind the attack, using spear phishing attacks to take over the network.

Since Triton was first discovered, cybersecurity firms have uncovered more attacks involving malware with similar traits, designed to take over safety systems. Triton itself has not been spotted in other potentially destructive attacks, but cybersecurity experts believe it is only a matter of time before the murderous malware rears its ugly head again. Read the full article in MIT Technology Review:

[World Premiere] See This New Netflix-Style Video Series From KnowBe4 - The Inside Man

We’re excited to announce the release of an innovative new security awareness video series called ‘The Inside Man’. In this new 12-episode video series, a compelling story, an incredible cast, and very high production values combine to create the coolest series ever streamed.

The Inside Man is KnowBe4’s first custom network-quality video series that delivers an entertaining movie-like experience for your users and makes learning how to make smarter security decisions fun and engaging. From social engineering and passwords, to social media and travel, The Inside Man reveals how easy it can be for an outsider to penetrate your organization’s security controls and network.

Meet Mark... the star of the series who is working at his new job as an IT security analyst, but no one suspects that he’s already inside the company's most secure systems or that sinister forces are pulling his strings.

Will Mark complete his mission to bring down the company? Or will these new friendships with co-workers bring him out of the dark web and into the light?

Watch the ‘The Inside Man’ trailer and first episode to see how entertaining security awareness training can be!

[SCAM OF THE WEEK] Phishing Attack Warns About Boeing 737 Max Crashes And Infects Workstations

Large airline crashes tend to focus almost everyone's attention. Lowlife internet criminals exploit the fear connected to these incidents and leverage it in phishing attacks.

A new campaign is underway that uses the recent Boeing 737 Max crashes as a lure to infect workstations with both remote access and info-stealing Trojans. The campaign was discovered by 360 Threat Intelligence Center, which posted about it on Twitter and included a VirusTotal link showing which AV engines catch it.

The emails pretend to be from a private intelligence analyst who found a leaked document on the dark web. The document supposedly contains information about other airlines that will be affected by similar crashes soon, and the message asks in broken English to "kindly notify your loved ones about the informations on these file".

The emails come from an email address at and have subject lines similar to "Fwd: Airlines plane crash Boeing 737 Max 8". They carry a JAR file as an attachment, with names similar to MP4_142019.jar: the MP4_ prefix suggests a video clip, but the .jar extension means Windows hands the file to the Java runtime, which executes it, as soon as the user opens it.
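Because the lure depends on the user opening a Java archive, the check worth having at the mail gateway or in the incident responder's toolbox is one that recognises a JAR by its bytes, not just by its name. The following is an added example, not code from the article or from 360 Threat Intelligence Center: it parses a raw message, and flags any attachment that is a JAR either by extension or by content (a ZIP containing META-INF/MANIFEST.MF), so that the same archive renamed to .pdf is caught too. The sample message, its addresses and the placeholder JAR are constructed here and are not campaign artifacts.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def is_jar_bytes(data: bytes) -> bool:
    """A JAR is a ZIP archive that carries META-INF/MANIFEST.MF.

    Checking the bytes rather than the name catches a JAR renamed to .pdf or .mp4.
    """
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_jar_attachments(raw_message: bytes) -> list:
    """Return one record per attachment that is a JAR by name or by content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_name = name.lower().endswith(".jar")
        by_content = is_jar_bytes(data)
        if by_name or by_content:
            hits.append({
                "filename": name,
                "by_name": by_name,
                "by_content": by_content,
                "renamed": by_content and not by_name,  # the extension lies about the type
                "size": len(data),
            })
    return hits


def build_sample_message() -> bytes:
    """Constructed sample in the shape of the lure described above.

    The JAR is a placeholder built here (a manifest plus four magic bytes),
    not the campaign's payload; the addresses are reserved example names.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # class-file magic only, not bytecode
    jar = buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "analyst@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Fwd: Airlines plane crash Boeing 737 Max 8"
    msg.set_content("kindly notify your loved ones about the informations on these file")
    # Attachment 1: the obvious case, a .jar by name.
    msg.add_attachment(jar, maintype="application", subtype="java-archive",
                       filename="MP4_142019.jar")
    # Attachment 2: the same archive hiding behind a .pdf name.
    msg.add_attachment(jar, maintype="application", subtype="octet-stream",
                       filename="affected_airlines.pdf")
    # Attachment 3: a benign-looking file that is not a JAR at all.
    msg.add_attachment(b"%PDF-1.4\n%placeholder\n", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_jar_attachments(build_sample_message()):
        print(hit)
```

Run against the constructed message, the function reports two hits: the .jar by name and content, and the .pdf by content only, with the renamed flag set. The harmless PDF is not reported. In a gateway rule the same check feeds a quarantine decision; in a mailbox sweep it lists which users received the archive.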

Read more with screen shots and links:

[Heads Up] Ransomware V2.0 Is Set to Resurge as Your Insurance Now Pays Off the Ransom

Holy Smokes! Ransomware may be poised to return as a top scourge for companies, as more and more of them pay up—it's actually their insurance company that makes the payment—after an attack in an effort to minimize the cost of recovery.

In this new RSA Conference 2019 Threatpost video, Josh Zelonis, senior analyst at Forrester Research, discusses the next great security threats to enterprises.

According to Zelonis, a new trend of victims paying off the ransoms could reverse the wane in ransomware attacks that has been seen in the last year or so. Here is a snippet from the interview:

Tara Seals: "Before we kick off our video interview here, you had mentioned that you’ve been seeing a trend of companies actually paying the ransomware when they get hit by an attack. So, I thought that could be a really interesting place to start our conversation if you wanted to tell me a little bit about what you’re seeing there."

Josh Zelonis: "Yeah absolutely. So one of the trends that I’ve been hearing about more and more is that insurance companies are actually starting to pay the ransoms because it’s costing them less than going and doing the remediation, going back to backups, which may or may not even exist. And so a lot of the time the incident response companies are being brought in to broker the transaction with the adversaries themselves in order to ensure that the payment is made and recovery is possible.

Now part of the problem, as you might imagine, is that this creates a market where it becomes more and more profitable to use ransomware as a method of attack against an organization. Primarily the reason why this is such a challenge is that we’ve been seeing ransomware [volume] tapering off in the last number of years, and now that it seems that we’re starting to create a market, I expect that we’ll see that turn around and start increasing again."

Many cyber insurance products have included cyber extortion coverage for years. (Check whether your policy does!) And there has been lots of discussion at conventions like Black Hat and DEF CON on the question "does the purchase of cyber insurance increase the likelihood of an attack?".

From the perspective of the individual insurers it is hard to identify a correlation between the two. However, if cyber insurance were to become compulsory (such as workers' comp), or so widespread that practically everyone has it, there would be a ready market created for cybercrime. This is not an easy one to solve.

You can discuss this new topic "PAY or NOT PAY Ransomware" at KnowBe4's HackBusters Forum:

[TODAY] Top 5 IT Security Myths Your CISO Believes Are True... BUSTED!

Facts are facts… but what happens when IT security pros take myths at face value?

That got us thinking… what if we whip out our magnifying glasses, pull out the trench coats and use our research skills to differentiate fact from fiction? Join us for this interactive webinar where we’ll help you decide how to invest your time and money wisely, how to implement worthwhile defenses, and what holes to plug so your organization gets the best bang for your security budget buck.

Join us TODAY, March 19th @ 2:00 pm ET when Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, and Erich Kron, KnowBe4’s Security Awareness Advocate, as they uncover the truth behind the Top 5 IT Security Myths. They’ll be stating facts and slinging stats. Then YOU DECIDE whether each myth is confirmed or BUSTED!

Date/Time: TODAY, March 19th @ 2:00 pm (ET)

Save My Spot!

[March Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a new product that lets your Incident Response team identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us, Wednesday, March 27th at 2:00 pm (ET), for a live 30-minute demonstration of the new PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Integrate easily with KnowBe4’s Phish Alert email add-in button; forwarding reported messages to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team.

Date/Time: Wednesday, March 27th at 2:00 pm (ET)

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: "Hacking Humans" Is the 2019 No. 1 Podcast Covering Social Engineering! Check them out:

Quotes of the Week
"If you would be a real seeker after truth, it is necessary that at least once in your life you doubt, as far as possible, all things." - René Descartes, Philosopher (1596 - 1650)

"Three things cannot be long hidden: the sun, the moon, and the truth." - Buddha

Thanks for reading CyberheistNews

Security News
Passwords and Their Hashes Are Easy Prey for Cyber Criminals in Account Takeover Attacks

Passwords serve as the foundation for most security today. But security vendor SpyCloud has recovered over 3.5 billion credentials, demonstrating just how insecure they really are.

We’d like to think that in this day and age, users are aware that they need to use secure passwords. Putting aside cyberattacks focused on tricking users into providing credentials, the passwords themselves should be complex enough that they’re not easy to break.

But, according to SpyCloud’s Annual Credential Exposure Report, released last month, passwords (and the hashes that are supposed to protect them) are anything but secure.

SpyCloud was able to recover over 3.5 billion credentials from over 2,800 breached sources. They cracked nearly 90% of all the password hashes collected, yielding 2.3 billion plaintext passwords. According to the report, cracking the passwords was easy. Most breached sites store passwords as hashes rather than in the clear, but the hashing schemes many of them use are no challenge for the sophisticated cracking software cybercriminals run; fast, unsalted hashes in particular fall to precomputed lookup tables.

And to boot, the passwords themselves weren’t very secure, adding to the ease of cracking. Passwords like “12345”, “password”, “iloveyou”, and “qwerty” continue to top the list of the most commonly used. Continue at:
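The two halves of the problem, weak hashing and weak passwords, compound each other. The example below is added here to show why; it is not SpyCloud's method or any code from the report. It builds a small constructed "breach dump" of five users, stores it once as unsalted SHA-1 (the way many breached sites still do) and once with a salted scrypt KDF, then runs the same short list of common passwords against both. With unsalted hashes a single precomputed table cracks every user at once and identical passwords are visible as identical hashes; with per-user salts and a slow KDF every guess has to be recomputed per user and each one costs real time. The scrypt cost parameter is deliberately small so the demo runs in seconds; the usernames, passwords and the wordlist filler are constructed.

```python
import hashlib
import os

# The passwords the article lists as still topping the charts, plus a few filler
# entries so the attacker's "wordlist" is larger than the dump.
COMMON_PASSWORDS = ["123456", "12345", "password", "iloveyou", "qwerty",
                    "letmein", "dragon", "sunshine", "football", "monkey"]


def unsalted_sha1(password: str) -> str:
    """How many breached sites stored passwords: one fast, unsalted hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """dump maps username -> hex SHA-1. One hash per candidate serves every
    user at once, because identical passwords yield identical hashes."""
    table = {unsalted_sha1(w): w for w in wordlist}   # precomputable lookup table
    found = {user: table[h] for user, h in dump.items() if h in table}
    return found, len(wordlist)                         # (cracked, hash operations spent)


def salted_scrypt(password: str, salt: bytes) -> bytes:
    """A slow, salted KDF. n=2**12 keeps the demo fast; production deployments
    use far larger work factors (n=2**17 or more)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1, dklen=32)


def crack_salted(records: dict, wordlist: list) -> tuple:
    """records maps username -> (salt, digest). The salt forces a fresh pass
    over the wordlist per user, and each guess costs a full scrypt evaluation."""
    found, work = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            work += 1
            if salted_scrypt(w, salt) == digest:
                found[user] = w
                break
    return found, work


# Constructed "breach dump": five users, two of whom chose the same password.
USER_PASSWORDS = {"alice": "password", "bob": "qwerty", "carol": "iloveyou",
                  "dave": "password", "erin": "Correct-Horse-42!"}
UNSALTED_DUMP = {u: unsalted_sha1(p) for u, p in USER_PASSWORDS.items()}
SALTED_DUMP = {}
for _user, _pw in USER_PASSWORDS.items():
    _salt = os.urandom(16)
    SALTED_DUMP[_user] = (_salt, salted_scrypt(_pw, _salt))


def compare() -> dict:
    """Crack both stores with the same wordlist and report what it cost."""
    unsalted_found, unsalted_work = crack_unsalted(UNSALTED_DUMP, COMMON_PASSWORDS)
    salted_found, salted_work = crack_salted(SALTED_DUMP, COMMON_PASSWORDS)
    return {
        "unsalted_cracked": unsalted_found,
        "unsalted_hash_ops": unsalted_work,
        "shared_hash": UNSALTED_DUMP["alice"] == UNSALTED_DUMP["dave"],
        "salted_cracked": salted_found,
        "salted_hash_ops": salted_work,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Both stores give up the four users who picked a common password, which is the article's first point: no hashing scheme saves "password". The difference is in cost. The unsalted store falls to ten hash operations computed once and reusable against every breach that uses the same scheme, and alice and dave are exposed as sharing a password before a single guess is made; the salted store needs a separate scrypt evaluation per user per guess, and erin's password survives the wordlist entirely. Scale the wordlist to billions of candidates and the work factor to production values and that per-guess cost is what separates "cracked nearly 90%" from a dump that is mostly useless.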
Bad Guys Use Slack and Github Trying to Backdoor Workstations

Hackers are using a new backdoor that communicates with the attackers via Slack, according to Lucian Constantin at CSO Online. The malware was discovered by researchers at Trend Micro, who believe it was used in a targeted info-gathering operation.

The backdoor is delivered in a watering hole attack launched from a website that posts articles about politics on the Korean Peninsula. When a user visited the site, it would try to exploit a vulnerability in the Windows VBScript engine. That vulnerability was patched last year, so users running updated systems are not affected by this exploit.

When the exploit was successful, however, it would use PowerShell to download and execute a malicious DLL file on the user’s system, which would in turn download the backdoor. This malware then downloaded commands from GitHub, which enabled it to collect information and send it back to the attackers in a private Slack channel.

The malware collected information stored on the system, particularly relating to the victim’s communication activities on services such as Skype and Twitter.

A noteworthy aspect of the attack is the way it utilizes legitimate services to avoid detection. Slack and GitHub are both extremely common services within organizations, and are often whitelisted by security controls. They also use HTTPS, so the traffic they generate is encrypted and its contents cannot be inspected for suspicious behavior unless the organization intercepts TLS at the proxy; even then, command traffic looks like ordinary API calls to a trusted service. Constantin notes that, while Slack has disabled the particular channel used in this instance, attacks that utilize the highly configurable APIs of legitimate services are expected to continue.
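Even without breaking TLS, a proxy still sees which host each client asked for, which client asked, and when. The example below is added here to show what can be done with just that; it is not code from Trend Micro, CSO Online or the article, and the log format, the source addresses and the repository path are constructed. It runs two checks over sample proxy lines: an unexpected client (not a browser, the Slack desktop app or git) talking to a Slack or GitHub host, which is how a PowerShell stage that downloads commands from GitHub and posts results to Slack shows up, and a near-constant request interval from one source to one service host, which is the beaconing pattern of a backdoor polling for commands. The PowerShell user-agent string is the one PowerShell 5.1 sends by default.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Collaboration/developer services commonly allow-listed in corporate proxies.
SERVICE_HOSTS = {
    "slack.com", "api.slack.com", "hooks.slack.com", "files.slack.com",
    "api.github.com", "raw.githubusercontent.com", "gist.githubusercontent.com",
}
# Clients expected to talk to those hosts: browsers, the Slack desktop app, git.
EXPECTED_UA = re.compile(r"Chrome/|Firefox/|Safari/|Edge/|Slack_SSB|^git/", re.I)

# Constructed proxy log lines: time src method host path status "user-agent".
LOG_LINES = """\
2019-03-14T09:00:01Z 10.1.2.3 GET raw.githubusercontent.com /acct/repo/master/cmd.txt 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.590"
2019-03-14T09:00:04Z 10.1.2.4 GET slack.com /api/conversations.list 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
2019-03-14T09:05:01Z 10.1.2.3 GET raw.githubusercontent.com /acct/repo/master/cmd.txt 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.590"
2019-03-14T09:07:30Z 10.1.2.5 GET api.github.com /repos/org/app/pulls 200 "git/2.20.1"
2019-03-14T09:10:01Z 10.1.2.3 GET raw.githubusercontent.com /acct/repo/master/cmd.txt 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.590"
2019-03-14T09:10:09Z 10.1.2.3 POST slack.com /api/files.upload 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.590"
2019-03-14T09:15:01Z 10.1.2.3 GET raw.githubusercontent.com /acct/repo/master/cmd.txt 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.590"
2019-03-14T09:16:40Z 10.1.2.4 GET files.slack.com /files-pri/T0/F0/report.pdf 200 "Slack_SSB/3.3.7 Electron/3.1.8"
2019-03-14T09:20:01Z 10.1.2.3 GET raw.githubusercontent.com /acct/repo/master/cmd.txt 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.590"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) "(.*)"$')


def parse(lines: str) -> list:
    """Turn the raw lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, host, path, status, ua = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                           "method": method, "host": host, "path": path, "ua": ua})
    return events


def detect(lines: str, min_beacons: int = 4, jitter: float = 0.1) -> list:
    """Two checks that need only hostname, client identity and timing,
    all of which the proxy sees without decrypting anything:
      1. an unexpected client talking to a collaboration/developer service;
      2. a near-constant request interval from one source to one service host."""
    alerts = []
    by_pair = defaultdict(list)
    for ev in parse(lines):
        if ev["host"] not in SERVICE_HOSTS:
            continue
        by_pair[(ev["src"], ev["host"])].append(ev["ts"])
        if not EXPECTED_UA.search(ev["ua"]):
            alerts.append({"rule": "unexpected-client", "src": ev["src"],
                           "host": ev["host"], "ua": ev["ua"].split()[-1]})
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= jitter * mean:
            alerts.append({"rule": "beacon", "src": src, "host": host,
                           "interval_s": mean, "count": len(stamps)})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

On the sample, 10.1.2.3 produces six unexpected-client alerts (five GitHub fetches and one Slack upload, all from PowerShell) and one beacon alert for its five-minute polling of the same raw GitHub file; the browser user on 10.1.2.4 and the developer running git on 10.1.2.5 produce nothing. The user-agent check is the cheaper of the two and is trivial for an attacker to defeat by setting a browser string, which is why the timing check is there as well: a backdoor can lie about who it is, but it still has to poll.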

“This will probably not be the last attack where hackers decide to abuse Slack's service,” he says. “The company provides APIs that can easily be used to integrate external applications with its service, and those applications can also include malware programs.”

Attackers will always find new ways to bypass technical security measures by manipulating people. New-school security awareness training is one of the best ways to fortify your organization’s security posture. CSO Online has the story:

Can You Be Spoofed? Find out for a Chance to Win a Stormtrooper Helmet Prop Replica!

Are you aware that one of the first things hackers try is to see whether they can spoof the email address of someone in your own domain?

If they can, they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are highly ‘security awareness’ trained.
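Whether a forged From: address in your domain gets through depends on the domain's SPF record and DMARC policy. The example below is added here to show how that evaluation works; it is not KnowBe4's Domain Spoof Test or any code from the newsletter. It evaluates a sender IP against a domain's SPF record (ip4, ip6, include and all mechanisms; a, mx and exists would need live DNS and are treated as no-match), reads the DMARC policy, and reports whether a message with no DKIM signature from an unauthorized IP would be rejected. The zone data is a constructed in-memory stand-in for DNS TXT lookups using reserved example domains and documentation IP ranges.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (reserved example names).
DNS_TXT = {
    "hardened.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 -all"],
    "weak.example": ["v=spf1 ip4:203.0.113.5 ~all"],   # softfail, and no DMARC record
    "nothing.example": [],                              # no SPF, no DMARC
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name: str, prefix: str):
    """Return the first TXT record for name that starts with prefix, else None."""
    for rec in DNS_TXT.get(name, []):
        if rec.lower().startswith(prefix):
            return rec
    return None


def spf_result(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record against sender_ip (RFC 7208 terms:
    pass/fail/softfail/neutral/none). Supports ip4, ip6, include and all;
    a, mx and exists need live DNS and count as no-match in this stand-alone demo."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    rec = lookup_txt(domain, "v=spf1")
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # An IPv6 sender is never inside an ip4 network, and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            if spf_result(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
    return "neutral"                    # record ran out without an all term


def dmarc_policy(domain: str):
    """Parse the _dmarc TXT record into a tag dict, or None if absent."""
    rec = lookup_txt("_dmarc." + domain, "v=dmarc1")
    if rec is None:
        return None
    tags = {}
    for item in rec.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def spoof_assessment(domain: str, sender_ip: str) -> dict:
    """Would a message with From: <anyone>@domain, sent from sender_ip and
    carrying no DKIM signature, survive a DMARC-enforcing receiver?
    With no DKIM, DMARC can only pass on an aligned SPF pass."""
    spf = spf_result(domain, sender_ip)
    dmarc = dmarc_policy(domain) or {}
    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    if spf == "pass":
        verdict = "authorized sender, not a spoof"
    elif policy == "reject" and pct == 100:
        verdict = "rejected by DMARC"
    elif policy in ("reject", "quarantine"):
        verdict = "quarantined or only partially enforced (pct=%d)" % pct
    elif spf == "fail":
        verdict = "SPF hardfail but no DMARC policy; acceptance is up to each receiver"
    else:
        verdict = "no effective protection"
    return {"domain": domain, "sender_ip": sender_ip, "spf": spf,
            "dmarc_policy": policy, "verdict": verdict,
            "spoofable": spf != "pass" and verdict != "rejected by DMARC"}


if __name__ == "__main__":
    for dom in ("hardened.example", "weak.example", "nothing.example"):
        print(spoof_assessment(dom, "192.0.2.1"))
    print(spoof_assessment("hardened.example", "198.51.100.10"))
```

Of the three constructed domains only hardened.example, with -all and p=reject, comes back as not spoofable from an outside address; the same domain evaluated from the included mailer's IP passes SPF, which is the legitimate case. weak.example's ~all softfail and missing DMARC record leave the decision to each receiver, which in practice means the forged message is delivered, and nothing.example has no protection at all. Note what this does not cover: display-name spoofing and look-alike domains sail past SPF and DMARC entirely, which is why the newsletter keeps coming back to trained users.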

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus, if you’re in the US or Canada you'll be entered for a chance to win a First Order Stormtrooper Helmet Prop Replica*.

Try to Spoof Me!

*Terms and Conditions apply.
What KnowBe4 Customers Say

"I took over IT management of a company that needed some serious TLC on the security side. They didn’t have effective management of their e-mail system or user training and awareness of threats. I can harden the perimeter, but it can’t filter everything.

"KnowBe4 support is excellent with hands-on case managers, and I’m impressed by the array of phish testing templates and training materials.

"We went from a 50.6% phish-prone rate in our initial baseline test to 14.9% the following month after their first round of training modules. Great product and very easy implementation. I feel like we’re in a much better place with higher user awareness after just a short time." A.K., IT Manager

"It seems there could be some additional feature to help manage the situation when a training campaign deadline is reached (e.g. after 3 weeks), and there is still a pool of people that have not yet completed it. Right now, it seems the only option is to manually extend the end date for the campaign to keep it alive." B.P., Engineering Director.

KnowBe4 Answer: You are right! We added code to make this much easier, here is the KB Article: "Campaign Setting: Allow Assignments to Be Completed After Due Date":

The 10 Interesting News Items This Week
    1. From Hacker To Would-be President. Beto O'Rourke Was a Member of Notorious Hacker Group Cult of the Dead Cow! Who'd-a-thunk:

    2. Researcher Claims Iranian APT Behind 6TB Data Heist at Citrix:

    3. How the British Hit Back Against Online Russian Agitprop- The WSJ (Paywall):

    4. Fake CDC Flu Pandemic Warning delivers Gandcrab 5.2 ransomware:

    5. The Possibility Of A Cyber Pearl Harbor Remains Real, Says Former CIA Director:

    6. Phishing attacks: Half of UK organisations have fallen victim in last two years:

    7. Chinese Hackers Attack U.S. Navy, Report Says - The WSJ (Paywall):

    8. Spear-Phishing a Serious Threat to Law Firms:

    9. Threat actors leverage credential dumps, phishing, and legacy email protocols to bypass MFA and breach cloud accounts worldwide:

    10. North Korean Hackers Behind $571M Crypto Heists Says UN Report:

Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
