CyberheistNews Vol 9 #7 OUCH! Ransomware Attack Via MSP Locks Customers Out of Systems

CyberheistNews Vol 9 #07
OUCH! Ransomware Attack Via MSP Locks Customers Out of Systems

Earlier this week, an unidentified threat actor managed to launch a ransomware attack resulting in the encryption of between 1,500 to 2,000 endpoint devices belonging to users of a single US managed service provider (MSP).

The MSP was subsequently urged to pay a ransom of $2.6 million to have the systems unlocked.

The attacker managed the feat by exploiting a security flaw in a plug-in for VSA RMM, a software tool from Kaseya that is designed for the remote monitoring and management of servers and other computer devices. Like many MSPs, the targeted firm uses the software for client systems.

The attack has amplified existing fears over the possibility of large-scale cyberattacks on MSPs. Chris Bisnett of Huntress Labs, the cybersecurity company working with the MSP, stated that “everyone is looking at the attack and saying, ‘This could have been me.'”

This is a Connectwise vulnerability which was announced by Connectwise in 2017 and patched by Connectwise shortly thereafter. A small number of customers either may not have installed the update from Connectwise or may have installed this update incorrectly. It gets installed onto the Kaseya system as a way to connect the 2 together. Turns out this is a patching issue, which is one of the—only two— main root causes of compromise: social engineering and patching discipline.

Read more at DarkReading:
Today I Was Attacked Through An Existing Vendor Using A Real Email Thread

We have been dealing with a vendor of ours for on-hold messages for many years. I send them a Word file with the hold messages, their studio records them, and they send us a wave file back which we upload into the voice mail console.

So, this morning at 5 am I received an email from that vendor with an attached zip file, suggesting that was a new wave file for upload. While I have my first espresso waking up, I use an iPad Pro to handle my email and forwarded to my tech team at KnowBe4. I never looked at the Zip file. I should have known better and use the Phish Alert button instead.

Proceed With Caution

Luckily our tech team was a bit more awake at 9 am! When they came into the office, Jason walked up to me and said: "Hey, that Zip file has a Word Doc in it". That's when I realized the red flag and told him to proceed with caution. Next he said: "Hey, that Word File wants access to my contacts!"

We started to see a pattern. Next Jason comments :"Hey, the default language of that Word Doc is Russian!". At that point we knew enough and sent it to our internal team for analysis.

Yup, Malicious

Our Incident Response team came back after an hour and reported that the Word doc had a macro that executed PowerShell, grabbed a file with a fake extension, renamed it as an exe and executed it. It is identified as "MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in"

Once executed it joined a botnet and checked-in with this IP: (pyilgdamion [dot] city)

Virus total now has the payload sample after we submitted it:

Here is the simulated infection analysis:

Here are the steps from download to infection, your end user only needs to do the first three and the machine is compromised:
  1. Download zip, enter password.
  2. Open word doc
  3. enable macros
  4. downloads a file with .gas file extension
  5. renames file to a random name with .exe extension
  6. executes new .exe file sends HTTP get request to (C&C server)
Note: we have the decoded PowerShell command as well if anyone wants to play ;P


I’ve found that a good rule of thumb with password-protected ZIP files is that if the password is provided in the same email AND it’s a fairly simply one (e.g., password123 or 1234567), then it’s almost surely a phish.

I called the vendor to warn them that the account had been compromised. Their CEO told us that employee had passed away several years ago. And that if I received a zip file that I should not open it. Guess where I am going next time for my on-hold messages... not there!

Stepping your users through new-school security awareness training is a must these days to make sure your network is not taken over by the bad guys. Blog post with links and screenshot:
How Vulnerable Is Your Network Against Ransomware Attacks?

Bad guys are constantly trying to evade detection and come out with new strains of ransomware and now also cryptomining versions.

Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s Ransomware Simulator “RanSim” gives you a quick look at the effectiveness of your existing network protection against the latest threats. RanSim will simulate 13 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable to infection.

This is complementary and will take you 5 minutes max.

RanSim may give you some insights about your endpoint security you never expected!

Download Now:
[Live Demo TODAY] KCM GRC with New Risk and Policy Management Modules

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! We have expanded the existing KCM product with new Risk and Policy Management modules, transforming KCM into a full SaaS GRC platform!

Join us for a 30-minute live product demonstration of the new KCM GRC platform from KnowBe4. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it’s time for risk assessments and audits.
  • [NEW] Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TODAY, February 12, 2019 at 1:00 pm ET

Save My Spot!
Social Engineering Comes to Wikipedia

Attackers are selectively editing Wikipedia articles to lend credibility to tech support scams, according to Rob VandenBrink at the SANS Internet Storm Center.

The Wikipedia page for the SpyEye banking Trojan was changed in mid-December to include a typo-ridden paragraph which claims that only three tech companies can remove the malware, and that “Best buy, Geek squad, Office Depot will not be able to fix it at all.”

VandenBrink says that the scammer made these edits to convince victims that “only we can help you fix this (fake of course) infection you have on your computer.” The edit history of the Wikipedia user who made the changes shows that the account made similar edits to the “Macro virus” Wikipedia page, but those changes have since been fixed by other users.

Vandenbrink notes that it’s actually surprising that this technique hasn’t been utilized by attackers more often. Wikipedia articles are fairly easy for anyone to edit, and Wikipedia is often the first place many Internet users turn to when they want to quickly verify something that they’re unsure of. Continued:
[Live Webinar] Get an Insider View Into the Methods and Exploits of the World's Most Famous Hacker, Kevin Mitnick

Many of the world's most reputable organizations rely on Kevin Mitnick, the world's most famous hacker and KnowBe4's Chief Hacking Officer, to uncover their most dangerous security flaws. Kevin’s experience as a security consultant and his vast knowledge of social engineering are part of what help you train your users to stay a step ahead of the bad guys. Wouldn’t it be great if you had insight into the latest threats and could find out “What would Kevin do”? Now you can!

Join us for this live webinar where Kevin and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will give you an inside look into Kevin’s mind. You will learn more about the world of penetration testing and social engineering with first-hand experiences and some disconcerting discoveries.

In this webinar you will:
  • See exclusive demos of the latest bad guy attack strategies
  • Find out how these vulnerabilities may affect your organization
  • Learn what you can do to stop the bad guys (What Would Kevin Do?)
It's sure to be an experience you won't forget!

Date/Time: Wednesday, February 20th @ 2:00 pm ET

Save your spot!

P.S. Attend the webinar live and you'll get a “What Would Kevin Do?” desktop wallpaper!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Constant kindness can accomplish much. As the sun makes ice melt, kindness causes misunderstanding, mistrust, and hostility to evaporate." - Albert Schweitzer - Humanitarian (1875 - 1965)

"The best way to resolve any problem in the human world is for all sides to sit down and talk."
- Dalai Lama (born 1935)

Thanks for reading CyberheistNews
Security News
Over Half of Companies Are Upping Spending on IT Security: eSecurity Planet Survey

Driven by fear of data breaches and new privacy regulations, such as Europe's General Data Protection Regulation (GDPR), large enterprises are spending aggressively on IT security measures, according to eSecurity Planet's newly released 2019 State of IT Security survey.

The survey found that 54 percent of companies will increase their IT security spending this year, and 30 percent will increase their spending by 10 to 20 percent or more.

The survey also found strong hiring demand for IT security staff, despite a global shortage of about 3 million cybersecurity pros. About 57 percent said their organizations are hiring security staff in the next 12 months.

"Writing about data breaches and vulnerabilities that occur on an all-too frequent basis, I'm often disillusioned about the state of cybersecurity," said Sean Michael Kerner, senior security editor for eSecurity Planet and its sibling publication eWEEK. "The 2019 State of IT Security survey gives me hope, as organizations are responding to the challenges and are not idly sitting by waiting for the next breach. More at:
Going to RSA in San Francisco This Year? Get your Free Book Signed by Kevin Mitnick at KnowBe4’s Booth# 4624 North

Check out all the activities KnowBe4 will be doing at RSA:

Get Your Free Book Signed by Kevin Mitnick: Drop by KnowBe4’s Booth #4624 North Hall, for the Kevin Mitnick Book Signing! Meet the ‘World’s Most Famous Hacker' and get a signed copy of his latest book.
When: Tuesday, March 5, at 4-6 PM

Enter to Win a $500 Gift Card: Join us to see a demo of the innovative KnowBe4 Security Awareness Training Platform to train and phish your users to be entered for a chance to win a $500 Amazon Gift Card. You’ll also get your light-up "Axe To Grind With Ransomware” swag!

Reserve a Seat: Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, during the session “12 Ways to Hack 2FA”, on Friday, March 8th, at 9:50 am. You'll learn about the good and bad of 2FA, and become a better computer security defender in the process:
When Features Become Buggy

Attackers are exploiting a Gmail usability feature to carry out numerous fraudulent activities, including BEC scams, according to Ronnie Tokazowski, a Senior Threat Researcher at Agari.

Google ignores single periods in Gmail addresses, so if you send an email to your Gmail address with any variation of single dots between the characters, that email will still end up in your inbox.

For example, Tokazowski explains that if he created the email address, “bad.guy007[at],” Google will interpret that address as “badguy007[at]” Tokazowski adds that “this also means that b.a.d.g.u.y.007[at] and bad.guy.007[at] and[at] all direct incoming email to the same account.”

The problem with this is that the vast majority of other websites treat those dotted variations as distinct email addresses. As a result, attackers can create many different accounts on a single website that all use the same Gmail address, vastly increasing the efficiency of their attacks.

While the “dot trick” has been common knowledge for years, Agari researchers recently observed an uptick in malicious uses of the technique. Last year, they saw attackers using this tactic to submit fraudulent tax returns and Social Security benefit applications, apply for unemployment benefits, and abuse trial services to collect data for BEC attacks.

The researchers also saw attackers use the technique to successfully submit 48 fraudulent credit card submissions worth $65,000 in credit. Criminals are always finding ways to facilitate their attacks and scale their operations.

Employees need to be prepared to identify this malicious activity. New-school security awareness training can teach them the tactics and techniques to watch out for. Agari has the story:
Social Engineering and Red-Teaming Use VERY Similar Tactics

Social engineers and red-team operators both take advantage of the inherent biases in people and systems to bypass obstacles, according to Kelly Villanueva at SpecterOps.

Social engineers craft their stories, appearances, and profiles based on what people expect to see, while red-team operators design their phishing domains, websites, and emails with legitimate features to establish their credibility.

“Being an effective social engineer isn’t just being a good liar,” Villanueva says. “Great social engineers leverage bias to anchor ideas into their targets.” The more legitimate a social engineering scheme appears to be, the more likely it is to fool a target. Likewise, red-team operations attempt to appear as legitimate as possible in order to bypass detection mechanisms, as well as human observers.

“Whether we realize it or not, people make 35,000 decisions a day,” Villanueva says. “We don’t actively deliberate the majority of these decisions, and we can’t. If people thought about the short-term impact, unintentional consequences, decision criteria, etc. for all of our actions, we would be paralyzed by the tsunami of decisions. Instead, people group concepts and ideas.”

Whether he's literally right about the 35,000 decisions a day or not, we sure make a great many of them. And they do tend to influence our expectations in ways that open us to deception and exploitation. A culture of security is a mindful culture. Employees need to be trained to recognize potentially malicious activity, whether it comes from a human or through a computer.

New-school security awareness training can change human bias from a weakness into a strength by teaching employees to look for suspicious activity. SpecterOps has the story:
Chrome Helps Recognizing Typosquatting Scams

Google Chrome has a new feature that detects potentially misspelled URLs to popular sites and warns you before sending you to the wrong site, according to Danny Bradbury at Naked Security. The feature uses a site’s popularity and users’ site engagement scores to determine if it’s likely that a user typed the wrong URL.

It also displays the legitimate URL that it believes the user intended to visit. Bradbury says that the feature successfully identified most, but not all, of the misspelled variations of paypal[.]com that he tested.

Attackers often attempt to spoof popular sites by registering domains with similar URLs, either to take advantage of people who misspell the popular URL or to trick people into clicking a link that appears legitimate. Chrome’s new feature will help prevent these attacks, but it’s not foolproof.

Bradbury notes that experts at Google have, in the past, said that the URL system itself has serious security problems, and are discussing the feasibility of ways to fundamentally change the system.

For the foreseeable future, however, URLs will remain the norm, and employees need to beware of misleading addresses. New-school security awareness training can teach your employees how to watch out for and spot lookalike URLs when technical defenses fail to detect them. Naked Security has the story:

If you want to know what evil doppelgänger domains are out there for your own organization, use this no-charge tool to find out in less than 5 minutes:
Extortion Scam Exploits Breach Fears

I was hoping to receive one of these myself, and last week I got one! It used a password I used 8 years ago.

Sextortion scam emails are circulating which claim that a popular adult site has been hacked, allowing an attacker to record videos of users through their webcams, according to Lawrence Abrams at Bleepingcomputer. The attacker claims that these videos will be sent to all of the victim’s contacts unless the victim pays the equivalent of $969 to the attacker’s Bitcoin address.

The emails also include a victim’s old password obtained from a past data breach in an attempt to frighten the victim. Additionally, some of the emails contain links, supposedly leading to sample videos of the victim as proof of the attacker’s claims. These links have been known to install malware, such as ransomware, in past campaigns.

Bleepingcomputer observes that the Bitcoin address in the email has received eleven transactions, totaling $3,260, since the campaign began early last month. Past sextortion scams of this type have netted attackers more than $50,000 in one week, with no cost and very little effort expended on the part of the attackers.

Abrams notes that the extreme profitability of these scams means that they’ll certainly continue in the future. He stresses that the emails are fake, and the attackers are intentionally trying to scare you into acting irrationally.

The best advice to combat this scam is to tell your users to simply delete the emails without clicking on any links, or give them KnowBe4's no-charge Phish Alert Button so it gets deleted and forwarded to IR with intact headers. Story at Bleepingcomputer:
Feb 2019 SANS OUCH!

They said: "We are excited to announce February's edition of the OUCH! newsletter “Personalized Scams". This is a really important one as cyber criminals have changed tactics. Led by Guest Editor and SANS Instructor Lenny Zeltser, we show you how bad guys are now personalizing even the most common scams.

Cyber criminals can easily find personal information on millions of people, from our passwords and account names to birth dates and addresses. They are then using that information to personalize scams they send to millions around the world, making their attacks far more effective. Learn how these new attacks work, but even more important how to spot and stop them. Download and share OUCH! with family, friends and co-workers. Personalized Scams":
Get The Unique "2019 Security Threats and Trends" Survey Results *First*

Once a year, KnowBe4 runs its Security Threats and Trends Survey. We’re polling IT and Security executives, administrators and professionals like yourself on what technology and business issues you consider your organization's biggest security threats and challenges over the next 12 months.

It will take you 5 minutes tops. As a reward, you get the results first, and will allow you to compare yourself with your peers. It's multiple choice with one essay question. ALL responses are confidential.

Anyone who completes the survey and includes their Email address in the Essay question along with a comment gets a complimentary copy of the Executive Summary and the accompanying PowerPoint presentation of the survey results. The person who provides us with the best Essay comment will win a USD 100 Amazon gift card.

Here's the link to the new 2019 survey:
What KnowBe4 Customers Say

"Hi Stu, I just have to say – I deal with a lot of vendors and their support channels – and you guys are second to none! I get replies/responses with accurate and useful info or with pre-emptive actions - within minutes!

KnowBe4 Training and the KCM are CORE InfoSec systems in our shop – and we never have to worry about getting support if we need it 😊 Thank you! Please share my gratitude." A.A., CISSP - Director of Information Security

PS, If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check the Gartner Peer Insights site, where KnowBe4 is a 2019 Customer's Choice:
The 10 Interesting News Items This Week
    1. Which Countries Have The Worst (And Best) Cybersecurity?:

    2. Almost 447 Million Personal Records Compromised By Hackers In 2018:

    3. [A must read] Vendor allegedly assaults researcher who disclosed vulnerability:

    4. The Threat 5G Poses to Human Health:

    5. Memo: Nation-State Malware Attack Could Cripple US:

    6. Hiding in Plain Sight: How Phishing Attacks are Evolving:

    7. WSJ: OKTA Single Sign On Yearly Numbers Show KnowBe4 Is No. 1 Most Accessed:

    8. New York’s DFS Cyber Deadlines Loom - And you can expect one of these in your state soon:

    9. DANG! Mail Attachment Builds Ransomware Downloader from Super Mario Image:

    10. Deloitte: Nation states, organized crime and angry employees threaten utility cybersecurity:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Weak Password Test Contest

Get the latest about social engineering

Subscribe to CyberheistNews