CyberheistNews Vol 9 #19 [Heads-Up] Scary New MegaCortex Ransomware Strain Discovered That Targets Your Business Network


Sophos has discovered a scary new strain of very sophisticated ransomware called MegaCortex. It was purpose-built to target corporate networks, and once penetrated, the attackers infect your entire network by rolling out the ransomware to all servers and workstations, using your own Windows domain controllers.

Sophos has detected infections in the United States, Italy, Canada, France, the Netherlands, and Ireland. It is certain that many more countries will follow.

This is a fairly new strain, so not all that much is known yet about how the encryption works, how they are getting in, or if ransom payments are being honored.

How MegaCortex Strikes

Sophos made an interesting additional discovery: the Emotet or Qakbot Trojans had been present on networks that were also infected with MegaCortex, which suggests that the attackers are paying Trojan operators for access to already-infected systems, just as the Ryuk strain does.

"Right now, we can’t say for certain whether the MegaCortex attacks are being aided and abetted by the Emotet malware, but so far in our investigation (which is still ongoing as this post goes live), there seems to be a correlation between the MegaCortex attacks and the presence on the same network of both Emotet and Qbot (aka Qakbot) malware."

MegaCortex Uses Your Own Windows Domain Controllers

It is not 100% clear yet how the bad guys are gaining access to your network, but victims have reported to Sophos that the attacks originate from a compromised domain controller. On the DC, Cobalt Strike is dropped and executed to create a reverse shell back to an attacker's host.

Using that shell, the attackers take over your DC and configure it to distribute a copy of PsExec, the main malware executable, and a batch file to all of the computers on the network. It then executes the batch file remotely via PsExec. The batch files seen by Sophos will terminate 44 different processes, stop 199 Windows services, and disable 194 services.

During the encryption of a system, the ransomware appends an extension to file names, which in one case is .aes128ctr. This means that a file named marketing.doc would be encrypted and renamed to marketing.doc.aes128ctr. It is not known yet whether these extensions are static or created dynamically with each infection. More detail, screenshots, and links to mitigation strategies at the KnowBe4 blog:

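The deployment pattern above (a PsExec service install on a host, followed within minutes by a burst of service stops and services being set to disabled) is something a SOC can look for in Windows System event logs. The detector below is an added example and not code from the newsletter, Sophos, or KnowBe4; it assumes events have been flattened into a simple timestamp|host|event_id|message format, uses the real System log Event IDs 7045 (service installed), 7036 (service state change) and 7040 (service start type changed), and runs over constructed sample records rather than real telemetry. The thresholds are assumptions to tune per environment.

```python
"""Added example: flag a PsExec service install followed by mass service
stops/disables on the same host (the MegaCortex batch-file pattern).
Sample data below is constructed; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption: look this long after the install
STOP_THRESHOLD = 20             # assumption: this many 7036 "stopped" events
DISABLE_THRESHOLD = 10          # assumption: this many 7040 "disabled" events


def parse_event(line):
    """Parse one constructed flat record: timestamp|host|event_id|message."""
    ts, host, eid, msg = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "id": int(eid), "msg": msg}


def detect_mass_service_tampering(events):
    """Return one alert per host where a PSEXESVC install (7045) is followed
    within WINDOW by a burst of service stops (7036) or disables (7040)."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        installs = [e for e in evs
                    if e["id"] == 7045 and "PSEXESVC" in e["msg"].upper()]
        for inst in installs:
            start, end = inst["ts"], inst["ts"] + WINDOW
            in_window = [e for e in evs if start <= e["ts"] <= end]
            stops = sum(1 for e in in_window
                        if e["id"] == 7036 and "stopped" in e["msg"])
            disables = sum(1 for e in in_window
                           if e["id"] == 7040 and "disabled" in e["msg"])
            if stops >= STOP_THRESHOLD or disables >= DISABLE_THRESHOLD:
                alerts.append({"host": host,
                               "psexec_install_at": start.isoformat(),
                               "service_stops": stops,
                               "service_disables": disables})
    return alerts


def sample_events():
    """Constructed sample records (not real logs): WS01 shows the attack
    pattern, WS02 shows ordinary administrative noise."""
    base = datetime(2019, 5, 7, 10, 0, 0)
    lines = [f"{base.isoformat()}|WS01|7045|"
             "A service was installed in the system. Service Name: PSEXESVC"]
    for i in range(25):
        t = base + timedelta(seconds=1 + i)
        lines.append(f"{t.isoformat()}|WS01|7036|"
                     f"The svc{i} service entered the stopped state.")
    for i in range(12):
        t = base + timedelta(seconds=40 + i)
        lines.append(f"{t.isoformat()}|WS01|7040|The start type of the "
                     f"svc{i} service was changed from auto start to disabled.")
    lines.append(f"{base.isoformat()}|WS02|7045|A service was installed in "
                 "the system. Service Name: PrintHelper")
    t = base + timedelta(seconds=5)
    lines.append(f"{t.isoformat()}|WS02|7036|"
                 "The Print Spooler service entered the stopped state.")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for alert in detect_mass_service_tampering(sample_events()):
        print(alert)
```

Only WS01 trips the detector: its 25 stops and 12 disables follow the PSEXESVC install, whereas WS02's single stop after an unrelated install stays below both thresholds. Legitimate PsExec use by administrators will produce the 7045 event on its own, so the burst of 7036/7040 events is what carries the signal.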
[NEW WEBINAR] Stay Out of the Net: Your Ultimate Guide to Phishing Mitigation

Spear phishing emails remain the most popular attack avenue for the bad guys, yet most companies still don’t have an effective strategy to stop them.

This enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more. Don’t get caught in a phishing net! Learn how to avoid having your end users take the bait.

Join us Wednesday, May 15, 2019 at 2:00 PM ET when Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will cover a number of techniques you can implement now to minimize cybersecurity risk due to phishing and social engineering attacks. We won’t just cover one angle. We’ll come at it from all angles!

Strategies include:
  • Developing a comprehensive, defense-in-depth plan
  • Technical controls all organizations should consider
  • Gotchas to watch out for with cybersecurity insurance
  • Benefits of implementing new-school security awareness training
  • Best practices for creating and implementing security policies
Date/Time: Wednesday, May 15, 2019 at 2:00 PM ET

Save My Spot!
Ransomware Attacks Jump 500% as Businesses Continue to Be the Prime Target

Malwarebytes’ latest Cybercrime Tactics and Techniques report exposes some trends indicating that 2019 is looking to be the year of the cyberthreat for businesses.

Businesses want to believe they are secure against cyber threats, despite the ever-changing landscape of players, methods, and techniques involved in cyberattacks. But, according to the latest data from Malwarebytes, that cybercriminal landscape is trying harder than ever to make your organization a victim.

According to the report:
  • Detections of threats over Q4 2018 in businesses rose 7% while consumer detections dropped 40%
  • Business detections year-over-year have increased 235%
  • Ransomware detections are up 500% over this time last year
  • Mac malware detections have increased 60% over last quarter
  • Vicious malware variant Emotet has seen a 200% increase in detections over the previous quarter
The uptick in attacks across the board means the likelihood of an attack getting through to your users is also increasing. That means it’s absolutely necessary to make users part of your security strategy by enrolling them in continual security awareness training.

The data shows attackers are getting serious and focused on making your organization their victim. Shoring up all aspects of your security – including your users – is going to be key to preventing downtime. More:
[On-Demand] 12 Ways to Defeat Multi-Factor Authentication

Everyone knows that multi-factor authentication (MFA) is more secure than a simple login name and password, but too many people think that MFA is a perfect, unhackable solution. It isn't!

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and a security expert with over 30 years' experience, for this on-demand webinar where he explores 12 ways hackers can and do get around your favorite MFA solution.

The webinar includes a hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick, and real-life successful examples of every attack type. Roger will share ideas about how to better defend your MFA solution so that you get maximum benefit and security.

You'll learn about the good and bad of MFA, and become a better computer security defender in the process, including:
  • 12 ways hackers get around multi-factor authentication
  • How to defend your multi-factor authentication solution
  • The role humans play in a blended-defense strategy
This is great to watch over a lunch break, and may count toward your CPE credits. Watch this unique webinar by Infosec black belt Roger Grimes TODAY!
[May Live Demo] See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

Good news! We are excited to announce we have expanded our new KCM GRC product with the new Vendor Risk Management module. KCM now features four modules: Compliance, Policy, Risk, and Vendor Risk!

Join us, Tuesday, May 14th at 2:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's new KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements across your organization and third-party vendors and save tons of time when it's time for risk assessments and audits.
  • [NEW] Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Tuesday, May 14th at 2:00 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Knowledge is not power, it is only potential. Applying that knowledge is power. Understanding why and when to apply that knowledge is wisdom."
- Takeda Shingen, Japanese Military Leader (1521 - 1573 AD)

"An investment in knowledge pays the best interest." - American Politician (1706 - 1790 AD)

Thanks for reading CyberheistNews
Security News
This New Phishing Campaign From "FBI Director Wray" Is Hysterical

Our friend Larry Abrams who runs the Bleepingcomputer site had something highly entertaining: "We regularly write about phishing emails at in order to warn our readers about ongoing threats.

Many scam emails are well crafted and their associated phishing sites are spot on, but sometimes you see ones that are so ridiculous that you have no choice but to laugh.

Such is the case with a phishing email that states it's from "", has a subject of "Attension: Beneficiary", and pretends to be from "FBI Director Christopher Wray". This phishing email is not new, but someone must have restarted its campaign recently as it is starting to pop up again.

In the phishing email the "Director" states that the FBI is helping to coordinate the transmission of 10.7 million dollars to you through Bank of America. In order to move forward with this transmission, you must contact the assigned Special Agent via email.

Here is a screenshot and a breakdown of the six massive red flags, which are fun to share with your users. It does not have to be doom and gloom all the time:
Tech Support Scam Freezes Browsers

Trend Micro has found a new tech support scam that abuses HTML’s Inline Frame element (iframe) along with authentication pop-ups to freeze victims’ browsers by trapping them in a type of loop.

The web page imitates a Microsoft support page and presents users with two pop-ups. One offers a phony Microsoft support phone number, while the other prompts users to log in. When users click the “cancel” button on the login prompt, they’ll be sent back to the initial URL, which will trigger another pop-up.

This is achieved by setting the page’s showLogin as an iframe.

Trend Micro’s researchers think the scam is most likely distributed through advertisements. They emphasize that these scams rely on users’ fear arising from their seeming inability to recover their browsers.

“As has been highlighted in this new campaign, users can look out for suspicious characteristics of a webpage, such as unfamiliar URLs, pop-ups asking for authentication, or any sort of information and messages that raise panic and alarm,” they write.

In this case, users can close the browser from the task manager and then scan their systems for malware. New-school security awareness training can teach your employees to recognize the signs of these scams and remain calm when they encounter them. And remember, just close the browser. The scammers have got nothing on you. Trend Micro has the story:
[InfoGraphic] AUGH! Your Users Are Clicking on 50% of the LinkedIn Phishing Tests:

KnowBe4’s Q1 2019 report on top-clicked phishing subject lines reveals LinkedIn messages to be the most popular. Today, we revealed that simulated phishing tests that include “LinkedIn” in the subject line are clicked 50 percent of the time by users.

This percentage is significant as many LinkedIn users, particularly those with business development responsibilities, have their accounts tied to their corporate email addresses, increasing corporate risk of a phishing attack, ransomware breach or other social engineering-related threat.

Social media sites are also a hotbed for cybercrime. According to recent research from Bromium, cyber criminals are earning at least $3.25bn per year from social media-enabled cybercrime.

From the standpoint of a hacker, social media gives an all-access entry point into an organization because some social media accounts are tied to corporate email addresses. I cannot stress enough that employees need to be hyper vigilant about clicking on emails and links that come to their corporate email addresses.

Clicking to view a new job posting or to identify who has viewed your LinkedIn profile could easily open the gates to bad actors who want to cause damage to the organization.

Often people rely on what they think are trusted sources to protect their information but fall victim to social media scams and end up offering up sensitive information. They need to make the extra effort to protect themselves and be mindful of methods being used by the bad guys.

To best protect personal information and your organization, you have to have a defense-in-depth security strategy that includes training your users to spot phishing emails.

KnowBe4’s analysis of simulated phishing tests showed that half of users clicked on spoofed LinkedIn emails that included the following subject lines:
  • Join my network
  • Profile Views
  • Add me to your network
  • New InMail Message
Click here to download the full infographic. (PDF) Great to share with your users!
4 Ways CISOs Can Improve Their Organization’s Security Position

Understanding where your biggest risks are, and how cybercriminals take advantage of those risks, helps CISOs build a better strategy to defend against, detect, and address threats.

The role of a CISO today is one that involves being pulled in many directions. Every day involves a new attack vector, compliance mandate, security policy, or potential breach, with the CISO tasked with somehow providing a vision and execution that will future-proof the organization’s security.

Jan van Vliet, VP and GM of EMEA at Digital Guardian, recently discussed some key concerns for CISOs that, while simple in concept, should be addressed because of their ability to have a significant effect on organizational security. Some of the concerns included:
    • Think like a cybercriminal – your security strategy should be based on the very methods hackers, scammers, phishers, etc. use to gain entrance to your endpoints, network and data. Microsoft has 288 pages of security recommendations you likely haven’t read. But guess who probably has? The cybercriminal. They’re studying your tactics. It’s time you study theirs.
    • Focus more on mobile – we’ve discussed the rise in attacks on mobile here before. It’s an attack vector that has the user the most susceptible to being conned on a device that provides the least functionality to discern if web pages, emails, and attachments are malicious in nature or not.
    • Extend security to your vendors – there’s a lot of discussion around supply chain security. But even those organizations without such a complex ecosystem need to be concerned about contractors and suppliers that have any kind of access to your data or network. Establishing security requirements of your vendors can make the difference between a vendor being a security asset or liability. Vendors are responsible for about half of all data breaches.
    • Emphasize user training – Many of the issues expressed or implied above can be mitigated in part or whole by educating the user via security awareness training to become a part of the organization’s cyber defenses. With users acting as another layer in the security strategy, a security culture begins to emerge that impacts interaction with every type of device throughout the organization’s entire ecosystem.
Whether you’re a CISO or simply someone concerned about information security, taking even these simple steps above can have a material impact on the quality and efficacy of your security strategy.
What KnowBe4 Customers Say

"Thank you for your email. Your team has been amazing to work with. We are stumbling a bit with some internal complexities, stigmas, union contracts and etc., but we're slowly working through those issues and growing our campaigns. Your product is making the execution quick and easy to communicate and carry out as we work through our internal complexity. I look forward to using it more comprehensively in the future. Thank you."
- W.M., IT Department

"Thank you for the onboarding email. We have been working with a few techs at KnowBe4 and have been fortunate enough to have Zach leading our deployment. While everyone has been fantastic and seemed to care about our deployment, Zach has worked with us on every aspect of our environment in detail, so we felt like pros during the launch.

"With a similar employment history in dev cycles, security and networking, I have submitted some ideas for integration of your products that I think would help with adoption of your new PhishER service. Zach has not only listened, he helped to discuss and develop the ideas before submitting the requests on my behalf.

"Your entire support team is a credit to its founders and managers. Great Job and give Zach some Kudos for us."
- P.E., Director of Technology

"I’ve been very happy so far. I see your posts on Spiceworks quite a bit and have followed the company for a while now. When I got approval for security training, you were the first place I turned to. And, Dominique Altif, the customer success manager I’ve been working with, has been a huge help and has made the adoption an even greater experience. If I could interact with someone like her at every company, my days would be a 1000 times easier. Thank you for providing a great product and a great customer experience."
- H.M., Global Lead, Infrastructure & Security
The 10 Interesting News Items This Week
    1. GitHub-Hosted Malware Targets Accountants With Ransomware:
    2. SpaceX cuts broadband-satellite altitude in half to prevent space debris and reduce latency:
    3. Three out of five IT workers share sensitive information by email:
    4. 50,000 enterprise firms running SAP software vulnerable to attack:
    5. Putin Signs Controversial Internet Censorship Law:
    6. Norsk Hydro puts cost of ransomware attack at 52 million dollars:
    7. DDoS attack hits electrical systems serving LA and Salt Lake, but power never went down:
    8. Hackers lurked in Citrix systems for six months:
    9. How to test whether your employees will fall for a phishing scam:
    10. Exploiting Google on the Cheap:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.