CyberheistNews Vol 9 #37 [Heads-Up] Are Your Servers Right Now Infected With Stealthy Lilu Ransomware? Thousands Are...


Thousands of web servers have been infected and had their files encrypted by a new strain of ransomware named Lilocked (or Lilu).

Infections have been happening since mid-July, and have intensified in the past two weeks, ZDNet has learned. Based on current evidence, the Lilocked ransomware appears to target Linux-based systems only.

First reports date to mid-July, after some victims uploaded the Lilocked ransom note/demand on ID Ransomware, a website for identifying the name of the ransomware that infected a victim's system.

The way the Lilocked gang breaches servers and encrypts their content is currently unknown. A thread on a Russian-speaking forum puts forward the theory that crooks might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means.

Infected servers continue to run normally... for now.

Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, SHTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally. According to French security researcher Benkow, Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results.

However, the number of victims is suspected to be much, much higher. Not all Linux systems run web servers, and there are many other infected systems that haven't been indexed in Google search results.
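
Because Lilocked leaves system files alone and only encrypts web content with the extensions listed above, a defender can triage a suspected server by checking whether those files still look like plaintext or valid images. The Python script below is an added example (not code from this newsletter or from the researchers cited); the extension list follows the report, while the entropy cutoff, the image signature bytes it checks and the script name and path in the usage comment are assumptions.

```python
# Added triage helper (not the newsletter's or the researchers' code): flag web
# files that no longer look like plaintext or valid images. The extension list
# follows the Lilocked report; threshold and signature bytes are assumptions.
import math
import os
import sys
from collections import Counter

TEXT_EXTS = {".html", ".shtml", ".js", ".css", ".php", ".ini"}
# Image formats are already compressed, so entropy alone proves nothing;
# instead verify that the format's signature is still at the start of the file.
IMAGE_MAGIC = {".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
               ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
ENTROPY_THRESHOLD = 7.2  # bits/byte (assumed); HTML/JS/CSS/PHP sit around 4-6

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_bytes(name: str, head: bytes) -> str:
    """Return 'suspect', 'ok' or 'skip' for a file name and its leading bytes."""
    ext = os.path.splitext(name)[1].lower()
    if ext in TEXT_EXTS:
        return "suspect" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "ok"
    if ext in IMAGE_MAGIC:
        return "ok" if head.startswith(IMAGE_MAGIC[ext]) else "suspect"
    return "skip"  # not among the extensions the ransomware touches

def scan_tree(root: str, sample_bytes: int = 4096) -> list:
    """Walk a web root; return sorted paths whose content looks encrypted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable file: worth a separate look, not a hit
            if classify_bytes(fn, head) == "suspect":
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # usage: python lilocked_triage.py /var/www  (script name and path assumed)
    for p in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("possible encrypted content:", p)
```

A hit is only an indicator: compare flagged files against a known-good backup or version control before concluding they were encrypted.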

Once they kick this into gear and block the machines for ransom, this will be a bloodbath. Continued at the KnowBe4 blog with links:
See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW Wednesday, September 11 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 28,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: TOMORROW Wednesday, September 11 @ 2:00 pm (ET)

Save My Spot:
Alert Your Users About Calendar Scams and What to Do About Them

We’ve noted this particular scam before, but it’s continued to make a pest of itself, and so we bring it to your attention again. Scammers are abusing Google Calendar invites to send out unsolicited, spammy events, according to Rob Verger at Popular Science.

Attackers only need your Gmail address to send you an invite, and the event will be placed in your calendar by default. Verger notes that the spam itself is nothing new; the scammers are simply using a previously obscure technique to place it in front of you.

“While the location of the spam feels new, the behavior isn't,” he writes. “Bad actors have a long history of exploiting any avenue they can, from sending suspicious messages to your email address, to spammy notes sent via iMessage, to robocalls.”

You can block this behavior by going to your Google Calendar settings, then making your way to Event settings and switching “Automatically add invitations” to “No, only show invitations to which I have responded.” Next, locate the “Events from Gmail” option, and uncheck “Automatically add events from Gmail to my calendar.” Verger says to keep in mind that these changes will turn off legitimate automatic invites as well.

Hmmm, that's a rock and a hard place proposition. Google made a short video you can use to send to your users that shows how to do this *if* you decide to turn off event invites:
[Brand New Webinar] "Setting the Trap: Crafty Ways the Bad Guys Use Pretexting to Own Your Network" Featuring Kevin Mitnick

Today’s phishing attacks have evolved way beyond spray-and-pray emails that mass target victims. Instead, the bad guys have carefully researched your organization in order to set the perfect trap. And pretexting is the key.

Whether it’s a phone call from an attacker impersonating your IT department or what seems like an innocuous email that ends up harvesting important credentials, the perfect pretext can lead to the bad guys owning your network before you know it.

Join us Wednesday, September 18th @ 2:00 pm ET for this exclusive webinar where Kevin Mitnick, the World's Most Famous Hacker and KnowBe4's Chief Hacking Officer, and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will show you how the bad guys craft such cunning attacks. They'll dig into tactics for reconnaissance, target selection, creating a pretext, and launching an attack.

And more importantly, they will tell you what you need to know to protect your organization.

Kevin will also share new demonstration videos that will blow your mind. This is one webinar you can't afford to miss!

Date/Time: Wednesday, September 18th @ 2:00 pm ET

Save My Spot:
Watch out for Hurricane Dorian Phishing Scams. We Have Templates Ready for You.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns users to remain vigilant for malicious cyber activity targeting Hurricane Dorian disaster victims and potential donors. Phishing emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites.

Users should exercise caution in handling any email with a hurricane-related subject line, attachment, or hyperlink. In addition, users should be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.

To avoid becoming victims of malicious activity, users and administrators should review the following resources and take preventative measures. CISA has hints and tips on its website for the following:
  • Staying Alert to Disaster-related Scams
  • Before Giving to a Charity
  • Staying Safe on Social Networking Sites
  • Avoiding Social Engineering and Phishing Attacks
If you believe you have been a victim of cybercrime, file a complaint with the Federal Bureau of Investigation Internet Crime Complaint Center at

The best thing is to avoid becoming a social engineering victim in the first place, and step through new-school security awareness training. For KnowBe4 customers, we have ready-to-send templates to inoculate your employees. We suggest doing this right away!
  • GoFundMe: Hurricane Dorian Relief Fund
  • CNN: LIVE UPDATE: Hurricane Dorian Changes Paths
  • Google: Hurricane Relief Funds
Here is the blog post with links to the CISA website:
Get Your Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!

Join us, TODAY, Tuesday, September 10 at 2:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it's time for risk assessments and audits.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TODAY, Tuesday, September 10 at 2:00 PM (ET)

Save My Spot!
Kevin Mitnick Explains and Shows the Latest Exploits You Need to Know About

Kevin shares a few exploits that are being used in the wild and that you need to know about. He demonstrates two exploits that give full control over a Windows environment. This is 11 minutes of how to play "NSA Operator", great for a break! :-D

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: I write an editorial every month for SC Magazine about what we see in the wild. Here is the most recent one: "Bad bid: Malicious actors target government contractors":
Quotes of the Week
"A positive attitude causes a chain reaction of positive thoughts, events and outcomes. It is a catalyst and it sparks extraordinary results." - Wade Boggs, Athlete

"The key to success is going to bed a little smarter each day." - Warren Buffett, Investor

Thanks for reading CyberheistNews
Security News
[ALERT] Multi-Stage Phishing Attacks Are Targeting Your Financial Information

Trend Micro researchers have published details about a sophisticated phishing campaign they’ve named “Heatstroke.” The attackers behind Heatstroke go after victims’ private email addresses using multiple website redirections in order to bypass email filters and check that the victim is a genuine person.

The researchers analyzed two similar phishing kits that went after Amazon and PayPal users, and they found evidence suggesting that the same attackers plan to adapt the kits to target eBay, Google, Apple, Firefox, and other services.

Heatstroke’s infection chain begins with an attacker sending an email to a victim, asking them to verify their PayPal or Amazon account. If the victim clicks the link in the email, they’ll be taken to a benign first-stage website, which is able to pass through email security filters undetected. This website redirects the victim to a second-stage site, which checks that the victim is a real person, and not a security scanner or associated with law enforcement.

Next, the victim will be taken to the actual phishing site, where they’ll be asked to enter their email credentials, credit card details, and other sensitive information. This data is steganographically hidden in an image file and sent to the attacker’s email address. Once the information is sent, the victim loses access to the phishing page. Continued at the KnowBe4 blog:
U.K. Charity Workers Most At Risk From Phishing

A Tessian report finds that many U.K. charity workers aren't getting proper security awareness training. Michael Moore at ITProPortal wrote: "UK charities are leaving themselves exposed to phishing attacks due to a lack of proper security training, a new report has claimed.

Research from cybersecurity firm Tessian found that charity workers are some of the most likely to fall victim to online scams due to a lack of security knowledge.

Tessian found that just 11 percent of charity employees say they regularly receive training about cyber threats on email, and just over a third (37 percent) say they have never had any training on spotting or dealing with email security threats.

This is despite the number of data breaches in the charity sector doubling over the last two years, with a recent DCMS report claiming that one in five charities experienced a cybersecurity breach last year - the vast majority of which resulted from a phishing email. Continued at the KnowBe4 blog:
Phishing for Cloud Providers

Attackers are going after cloud-based customer relationship management (CRM) providers in order to launch unusually convincing phishing campaigns, KrebsOnSecurity reports. Krebs learned of a recent campaign that targeted customers of United Rentals, the largest construction equipment rental company in the world.

The company’s customers received malicious emails from a third-party email marketing service that was authorized to send emails using United Rentals’ domain. Krebs explained that compromising a CRM gave the attackers the ability to imitate United Rentals through a legitimate portal, as well as granting them access to the company’s customer email list.

“Companies that use cloud-based CRMs sometimes will dedicate a domain or subdomain they own specifically for use by their CRM provider, allowing the CRM to send emails that appear to come directly from the client’s own domains,” he wrote.

“However, in such setups the content that gets promoted through the client’s domain is actually hosted on the cloud CRM provider’s systems.” Dan Higgins, United Rentals’ chief information officer, told Krebs that it appears an attacker used a CRM provider account to send malicious emails to United Rentals’ customers.

“At this point, we believe this to be an email phishing incident in which an unauthorized third party used a third-party system to generate an email campaign to deliver what we believe to be a banking Trojan,” Higgins said.

In this case, the CRM appeared to be Pardot, an email marketing platform owned by Salesforce, but a Salesforce spokesman told Krebs that the compromised account belonged to a third-party marketing agency that was using the Pardot platform. This account was not using multi-factor authentication.

In order to defend themselves against these types of attacks, organizations need to monitor the third-party services they use, as well as ensure that their own employees are resistant to phishing attacks. Employees of all levels and at all kinds of organizations can benefit from new-school security awareness training. KrebsOnSecurity has the story:
What KnowBe4 Customers Say

"Good morning Stu, I meant to write this note many months ago but always got caught up doing something else. Please note that’s not a reflection of Nadia’s worth to me and our organization. She has been absolutely phenomenal in her ability to understand our needs, and her assistance to me from our first day of working together to now has been exceptional. I can only hope she is a reflection of the staff at KnowBe4. I have worked with many vendors in my career and none with the understanding of their product that she has of yours. I’m truly satisfied and ecstatic that I chose your product for our organization and again, if she is a reflection of your staff you will enjoy many years of future success. Thanks so much."
- G.A., Vice President, Information Technology

KnowBe4 Fresh Content and Feature Update - August 2019

Tons of new stuff in Phishing landing pages, Phish Alert Button news, training content, and language updates. Check it all out here!
The 10 11 Interesting News Items This Week
    1. The role of a secret Dutch mole in the US-Israeli Stuxnet attack on Iran:

    2. Chinese tech firm Huawei says it was hacked by the United States:

    3. Why Fraudsters Are Flying High on Airline Loyalty Programs:

    4. A huge database of Facebook users’ phone numbers found online. 419M records. OUCH:

    5. Hackers get $4.2 million from pension fund for retired troopers:

    6. Monster.Com Goes Mum On Web Server Leaking Resumes And CVs:

    7. Seven Tips For A Successful Security Awareness Training Program:

    8. Top NSA cyber official points to ransomware attacks as key threat to 2020 elections:

    9. Hackers exploiting popular social engineering 'toolkits' to refine cyber attacks:

    10. SalesPharce: Hackers Exploit Salesforce, Phish Partners and Customers:

    11. BONUS: Kevin Mitnick Explains And Shows The Latest Exploits You Need To Know About:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
