CyberheistNews Vol 9 #42 [Heads Up] Virtual Hard Disk Images Containing Malware Are Ignored by Antivirus *and* Windows!

This disturbing find by a CERT researcher demonstrates how attackers can encode malicious files within a Virtual Hard Disk (VHD) image that acts in the same way as a ZIP archive.

It’s common to have a phishing attack include a ZIP file as an attachment, only to have the potential victim double-click it, reveal its contents in Explorer, and double-click the enclosed (and malicious) file. In fact, it actually happened this year to me! (link below)

Now, with Windows, files retrieved from an online location are given a Mark of the Web – which tells the OS to give the file limited trust and handle it with caution. Files of a ZIP filetype fall into this category. Windows can pop up OS and Office warnings if it feels that the file could be malicious.

But CERT researcher Will Dormann found that VHD and VHDX files – which interact with the Windows OS in nearly the same fashion as a ZIP file – are not treated in the same manner. Instead, Windows assumes that because it’s purportedly a disk image for a VM, it must be harmless (right?).

As shown in the 2:19 video linked below, files that the Windows OS treats as potentially hostile within a ZIP file aren’t treated that way when contained in a VHD. Dormann used the EICAR standard test file to trip virus detection:

Phishing attacks using a VHD as a replacement for a ZIP archive could be the difference between your security solutions stopping an attack and one that makes its way into your network.

Drop Files With the VHD Extension in the Bit Bucket

While a VHD-based attack hasn’t widely been seen in the wild, Dormann’s findings are now available for every cybercriminal to use. Yikes. High time to put that VHD extension in your email filters and drop those in the bit bucket.
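As an added illustration of the mail-filter recommendation above (example code written for this page, not from KnowBe4 or from Dormann's research), the Python script below parses an email message and drops any attachment carrying the .vhd or .vhdx extension. Because an extension filter alone is easy to miss, it also sniffs the attachment bytes for the VHD footer cookie ("conectix") and the VHDX file signature ("vhdxfile"), so a disk image saved under a harmless-looking name is still flagged. The sample message, its attachment names and the payloads are constructed inline for demonstration and are not real mail.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the newsletter recommends dropping outright.
BLOCKED_EXTENSIONS = {".vhd", ".vhdx"}

# Virtual Hard Disk format markers:
#  - VHD: 8-byte cookie "conectix" in the 512-byte footer; dynamic/differencing
#    VHDs also carry a copy of that footer at offset 0.
#  - VHDX: 8-byte file type identifier "vhdxfile" at offset 0.
VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"


def looks_like_virtual_disk(payload: bytes) -> bool:
    """Return True if the bytes carry a VHD or VHDX format marker."""
    if payload[:8] in (VHD_COOKIE, VHDX_SIGNATURE):
        return True
    # A fixed-size VHD has only the trailing footer, so check the last 512 bytes too.
    return VHD_COOKIE in payload[-512:]


def classify_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Parse an RFC 822 message and return (filename, verdict) per attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = os.path.splitext(name)[1].lower()  # case-insensitive: Backup.VHD is still .vhd
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            verdicts.append((name, "drop: blocked extension"))
        elif looks_like_virtual_disk(payload):
            verdicts.append((name, "drop: virtual disk content"))
        else:
            verdicts.append((name, "allow"))
    return verdicts


def build_sample_message() -> bytes:
    """Constructed test mail with one benign and three disk-image attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # constructed address
    msg["To"] = "user@example.com"       # constructed address
    msg["Subject"] = "Q3 figures"
    msg.set_content("See attached.")
    # Benign text attachment.
    msg.add_attachment("hello", filename="notes.txt")
    # Dynamic-style VHD (cookie at offset 0) with the blocked extension.
    msg.add_attachment(VHD_COOKIE + b"\x00" * 504,
                       maintype="application", subtype="octet-stream",
                       filename="Backup.VHD")
    # VHDX content saved under a misleading name: caught by content sniffing.
    msg.add_attachment(VHDX_SIGNATURE + b"\x00" * 504,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf")
    # Fixed-size VHD: footer only at the end of the file.
    msg.add_attachment(b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504,
                       maintype="application", subtype="octet-stream",
                       filename="disk.img")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in classify_attachments(build_sample_message()):
        print(f"{filename:12s} -> {verdict}")
```

The function returns a verdict per attachment rather than acting on the message, so it can be dropped into whatever gateway or mailbox hook you already have; the content check is deliberately cheap (two signature comparisons) so it can run on every attachment.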

And to have "belt-and-suspenders", your users need to be your last line of defense, leveraging the knowledge gained through new-school security awareness training and having the wits not to click an attachment or link that looks suspicious in the first place. Forward this blog post to your friends please:
[NEW WEBINAR] Fake News and Deepfakes: Harmless Fun or the Future of Fraud?

We have all seen them. Fake news articles that get passed off as legit sources. Misleading memes. Entertaining videos that swap people’s faces. But what if these deception techniques were used against you to gain access to your organization? What if you receive a phone call or see a video from someone who sounds or even looks like your CEO, but it’s not really them?

Join KnowBe4 Security Awareness Advocates Erich Kron and Javvad Malik as they discuss the frightening advancement in digital deception techniques and the growing popularity of recent threats known as “Deepfakes”. Deepfake technology uses advancements in Artificial Intelligence (AI) and Machine Learning (ML) technology to create realistic videos and audio using free software and inexpensive hardware from home. By faking instructions from leadership, these videos and audio files can be used to take traditional phishing and vishing attacks to a whole new level!

Join us to learn about:
  • An overview and history of digital fakes
  • The use of free photo and video technology to create convincing fakes
  • Potential real-world use cases
  • Impact of successful fakes on your organization
  • Security awareness and detection of digital fakes
  • Defending against fakes
Date/Time: TOMORROW, Wednesday, October 16 @ 2:00 PM (ET)

Save My Spot!
Chinese State-Sponsored Phishing

A sophisticated threat group is going after a variety of industries using spearphishing and an arsenal of malware, according to Nalani Fraser and Fred Plan from FireEye. Fraser and Plan recently joined the CyberWire’s Research Saturday podcast to discuss the activities of APT41, a suspected Chinese hacking crew with an interesting attack pattern.

APT41 is different from other state-sponsored espionage groups in that many of its activities are financially motivated, and it appears to work concurrently as a contractor for the Chinese government. Plan told the CyberWire that the hackers tailor their methodology and toolset based on the organization they’re targeting.

“But what's interesting is they don't really dig deep into their bucket of tools, you know, they don't really go deep into their arsenal unless they have to,” Plan said. “And so the demonstrated range of sophistication is highly variable from one victim to the next. And I think that's been really interesting about it.

So, like, you know, at one organization, for example, they'll just use a simple spearphish, and then they'll get in and they'll just use publicly available tools, and then that's good enough to achieve what they want.” Continued:
[Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product which allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, October 23 @ 2:00 pm (ET) for a live 30-minute demonstration of the new PhishER platform. With PhishER you can:
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, October 23 @ 2:00 pm (ET)

Save My Spot!
Ransomware Still Plagues Organizations Despite Feeling Prepared for an Attack

New data from security vendor AlienVault shines a light on the real state of ransomware, and how concerned IT organizations are with preparing for and dealing with an attack.

A recent article at AlienVault covered the results of a survey they took at this year’s Black Hat conference around ransomware and other security concerns. Some of the findings reflect that organizations may be overconfident in their ability to prevent attacks:
  • 69% say they are prepared (to varying degrees) for an attack
  • 17% of organizations have been the victim of a ransomware attack
  • 42% are willing (again, to varying degrees) to pay the ransom
  • Ransomware ranked 5th in a list of 5 security concerns
While there’s no ability to cross-check the raw data, it’s concerning to see over two-thirds of organizations saying they’re “ready” and yet nearly one-fifth have been the victim of an attack (which I can only assume to mean ransomware has infected one or more machines on their network).

Respondents cited security solutions and backups as the two methods of ransomware preparation, with one-third of organizations having over twenty security solutions in place! At a high level, this sounds like organizations are taking the right steps to stop an attack, but it appears that ransomware attacks – which primarily start with phishing attacks – are still happening. Continued:
[NEW WEBINAR] A Former CIA Cyber Threat Analyst Shows You How to Make Your Organization a Hard Target

Having spent over a decade as part of the CIA’s Center for Cyber Intelligence and the Counterterrorism Mission Center, Rosa Smothers knows the ins and outs of leading cyber operations against terrorists and nation-state adversaries. She has seen first-hand how the bad guys operate, she knows the threat they pose, and she can tell you how to use that knowledge to make organizations like yours a “hard target”.

In this exclusive webinar, find out why Rosa, now KnowBe4’s SVP of Cyber Operations, encourages organizations like yours to maintain a healthy sense of paranoia as she and Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer, walk you through the murky underworld of threats and exploits that your organization can't afford to ignore.

Get the inside (spy-)scoop on:
  • Surprising data collection techniques – both physical and cyber
  • The two easiest ways to break into any existing network
  • Hidden threats of social media connections
  • And how to prepare your end users to defend against them all
Date/Time: Wednesday, October 30 @ 2:00 pm (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: BOOK OF THE WEEK: Cryptography Apocalypse: Preparing for the Day When Quantum Computing Breaks Today's Crypto.
Quotes of the Week
"The spirit is the true self. The spirit, the will to win, and the will to excel are the things that endure." - Marcus Tullius Cicero, Roman Statesman (106 BC - 43 BC)

"Truth, like gold, is to be obtained not by its growth, but by washing away from it all that is not gold." - Leo Tolstoy, Writer and Philosopher (1828 - 1910)

Thanks for reading CyberheistNews
Security News
[PODCAST] Understanding Social Engineering and Maintaining Healthy Paranoia

Recorded Future's guest last week was Rosa Smothers, senior vice president of cyber operations at KnowBe4, where she leads KnowBe4’s federal practice efforts, including providing cybersecurity advisory services to civilian and military agencies within the U.S. federal government.

From her humble beginnings with a used 8-bit home computer, Rosa’s career experience includes over a decade in the CIA, leading cyber operations against terrorists and nation-state adversaries.

She served multiple tours overseas as a cybersecurity analyst and technical intelligence officer in the Center for Cyber Intelligence and the Counterterrorism Mission Center, and was highly decorated for her service. She’s a strong advocate and mentor for women starting their careers, and is a member of Women in Defense and InfraGard. Listen to Rosa at this great podcast!
Don’t Trust the Ransom Note

Ransomware operators commonly lie to trick you into paying the ransom, according to Fabian Wosar from Emsisoft. Wosar and his colleague Michael Gillespie are well-known for developing ransomware decryptors by identifying flaws in the malware.

On the CyberWire’s Hacking Humans podcast, Wosar explained how to react after your systems have been hit by ransomware. “The very first thing that is actually a little bit counterintuitive is to leave the ransomware alone, meaning don't delete the ransomware file that you double-clicked,” Wosar said. “And the reason being is quite simple…if we can't readily determine what kind of ransomware you got hit by, we will have to take a look at the actual file that you executed and that infected your system.

If you deleted that file or if you got rid of it somehow, then that process becomes way more difficult because, in that case, we would have to try to find the ransomware file ourselves....So it's totally fine to use antivirus software to quarantine the infection, but don't delete it and don't get rid of it entirely.”

Wosar explained that many ransomware developers are inexperienced and try to impersonate more advanced ransomware campaigns. As a result, the ransomware might be decryptable, even if it claims to be a well-known, sophisticated strain.

Alternatively, the ransomware may be broken, so paying the ransom won’t get your files back. “Now, the next step is you have to figure out what kind of ransomware you got hit by,” Wosar explained. “And don't trust the ransomware telling you its real name. There have been so many cases where there are copycats that try to imitate bigger and more professional campaigns.

For example, one of the biggest ransomware campaigns was CryptoLocker, for example. There have been so many ransomware [strains] that had nothing to do with CryptoLocker that just pretended to be CryptoLocker. So don't trust anything the ransom note says. Don't trust anything the ransomware may display to you.”

Instead of relying on information provided by the attackers, Wosar recommends using a service like ID Ransomware, which is run by Emsisoft researcher Michael Gillespie. The service can identify hundreds of strains of ransomware based on evidence collected from earlier infections, and it can let you know if there’s a decryptor available.

Knowing how to respond after a ransomware attack is important, but it’s better to prevent the malware from taking hold in the first place. New-school security awareness training can enable your employees to thwart these attacks by teaching them how to recognize phishing attacks. The CyberWire has the story:
One Million Leaders Prize: Fact or Fake News?

The Leaders Prize offers $1 million to the team that most effectively automates the news fact-checking process using artificial intelligence. This breakthrough will help people to know whether something they have seen online is accurate when it’s most relevant: before they read it. For more info:
What KnowBe4 Customers Say

"Stu, we have not met, but Jenni gave me your contact information as I wanted to pass on some feedback. We are a small County in Iowa but working our way up the IT maturity scale including maturing our security posture.

I wanted to give a shout out to KnowBe4 not only for the excellence I’ve seen in the solution itself but the attitude and culture I have experienced with Support and with Jenni. We do work with many vendors and KnowBe4’s openness to improvement and excellent customer service is among the best I’ve experienced.

I appreciate your partnership and assistance on our security “journey”. Please pass on to your team our appreciation and thanks."
- B.K., Director of IT

"Stu, I appreciate and commend Nadia Stefanaru as our CSM for the Security Awareness Training Platform. She is all the things we could ask for in that role: knowledgeable, capable, courteous, pleasant, and customer-focused.

I feel like I have a strong advocate for getting the best use of the tool and of our investment in it. We are a company with a somewhat atypical culture and she has bent over backward to help me succeed with the tool in that culture. You can be proud to be represented by people of her caliber."
- J.B., Security & Privacy Manager
The 10 Interesting News Items This Week
    1. PODCAST: "Understanding Social Engineering and Maintaining Healthy Paranoia":

    2. 5 reasons users hate cybersecurity awareness training, and how to make them love it:

    3. Feds arrest alleged members of international ATM skimmer ring:

    4. Google’s war on deepfakes: As election looms, it shares ton of AI-faked videos:

    5. How Gamification Can Improve Employee Cybersecurity Compliance:

    6. Don’t treat security awareness as a part-time job, says security expert:

    7. Ransomware victim hacks attacker, turning the tables by stealing decryption keys:

    8. Talk about a sophisticated social engineering attack!:

    9. Why CEOs Of SMBs Make Easy Cyber Targets:

    10. Many in Utilities Sector Expect Attacks on Critical Infrastructure: Survey:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.