stus

Posts
    • CEO Fraud Attacks Were Far More Lucrative than Ransomware over the Past 3 Years


      Cisco's midyear report released this week showed that CEO Fraud netted cybercrime five times more money than ransomware over the last three years.

The surprising highlight of Cisco's ninety-page report was that cybercrime made $5.3 billion from CEO Fraud attacks (called business email compromise, or BEC, by the FBI) compared with a "mere" $1 billion for ransomware over a three-year stretch.

      Organized Eastern European cybercrime is more and more taking the "time is money" approach, in this case billions, says Steve Martino, Cisco's chief information security officer. "What we are looking at is the continual commercialization of cyberattacks," Martino says, pointing out that is a major theme in the report.

      Malicious ransomware takes time to develop and extensively test before any net Bitcoin comes into the wallet, compared to doing a quick bit of research on LinkedIn and crafting a spoofed spear phishing attack. CEO Fraud simply is faster to pull off. Moreover, your run-of-the-mill spray-and-pray ransomware attacks are often lower-dollar numbers.

      Schooling Users on CEO Fraud and Ransomware

Cisco's Martino says targeted cybersecurity education for employees can help prevent users from falling for CEO Fraud and ransomware attacks. The finance department could especially benefit from security training on phishing campaigns, so when the bogus email comes across the transom from the "CEO" asking for a funds transfer it can be detected, Martino says.

Regular software patching also is crucial. When spam-laden malware hits or ransomware attacks similar to WannaCry surface, the impact can be minimized. "People focus on new technology, but forget about patching and maintaining the infrastructure," Martino observed.

He also recommends a balanced defensive and offensive posture, with not just firewalls and antivirus but also measures to hunt down possible attacks through data collection and analysis.

      Spyware Makes A Comeback

      Cisco found that in the first half of this year, attackers altered their methods of delivering, hiding, and evading their malicious packages and techniques.

      Fileless malware is popping up, which lives in memory and deletes itself once a device restarts, according to the report. As a result, it makes detection and the ability to investigate it more difficult.

Additionally, attackers are making use of anonymized and decentralized infrastructures, such as Tor proxy services, to hide command and control activities.

      Meanwhile, three families of spyware ran rampant, with Hola, RelevantKnowledge, and DNSChanger/DNS Unlocker affecting more than 20% of the 300 companies in the sample for the report.

      Ironically, however, many companies and organizations underestimate or virtually dismiss spyware. "Spyware is being disguised as adware and adware, unlike spyware, does not create damages for a company," says Franc Artes, Cisco's Security Business Group architect. He adds that attackers are injecting spyware and other forms of malware into adware, since adware is a low priority for security teams.

      Download Your CEO Fraud Prevention Manual

CEO fraud has ruined the careers of many executives and loyal employees. Don't be the next victim. This brand-new manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.

      Download The Manual Here:

      https://info.knowbe4.com/ceo-fraud-prevention-manual

      Warm regards,
      Stu

      posted in IT Business
stus
    • Scam Of The Week: Phishing Moves To Smishing


      Internet bad guys are increasingly trying to circumvent your spam filters and instead are targeting your users directly through their smartphone with smishing attacks, which are hard to stop.

The practice has been around for a few years, but the current new scams are mystery shopping invitations that start with a text, social engineer the victim into sending an email to the scammers, and then rope the victim into a shopping fraud.

These types of smishing attacks are also more and more used for identity theft, bank account take-overs, or to pressure employees into giving out personal or company confidential information. Fortune magazine has a new article about this, and they lead with a video made by USA Today which is great to send to your users as a reminder. An Australian researcher also just published data suggesting cybercriminals are getting better results using the phone these days.

      I suggest you send employees, friends and family an email with these two paragraphs about this Scam Of The Week, feel free to copy/paste/edit:

      "Bad guys are increasingly targeting you through your smartphone. They send texts that trick you into doing something against your own best interest. At the moment, there is a mystery shopping scam going on, starting out with a text invitation, asking you to send an email for more info which then gets you roped into the scam.

      Always, when you get a text, remember to "Think Before You Tap", because more and more, texts are used for identity theft, bank account take-overs and to pressure you into giving out personal or company confidential information. Here is a short video made by USA Today that shows how this works: https://www.youtube.com/watch?v=ffck9C4vqEM

      Obviously, an end-user who was trained to spot social engineering red flags (PDF) would think twice before falling for these scams. The link goes to a complimentary job aid that you can print out and pin to your wall. Feel free to distribute this PDF to as many people as you can.

      Let's stay safe out there,

      Warm regards,

      Stu Sjouwerman

      Founder and CEO, KnowBe4, Inc.


      posted in IT Business
stus
    • RE: NotPetya Might Have Not Have Been an NSA Leak

      After monitoring this new outbreak for 24 hours, I came to the conclusion we were dealing with cyber warfare, and not ransomware. Two separate reports coming from Comae Technologies and Kaspersky Lab experts confirm this now.

NotPetya is a destructive disk wiper similar to Shamoon, which has been targeting Saudi Arabia in the recent past. Note that Shamoon actually deleted files; NotPetya goes about it slightly differently. It does not delete any data but simply makes it unusable by locking the files and then throwing away the key. The end result is the same.

      Someone is hijacking known ransomware families and using them to attack Ukrainian computer systems. Guess who.

You never had a chance to recover your files. There are several technical indicators that NotPetya was only made to look like ransomware as a smoke screen:

      • It never bothers to generate a valid infection ID
      • The Master File Table gets overwritten and is not recoverable
      • The author of the original Petya also made it clear NotPetya was not his work

      This has actually happened earlier. Foreshadowing the NotPetya attack, the author of the AES-NI ransomware said in May he did not create the XData ransomware, which was also used in targeted attacks against Ukraine. Furthermore, both XData and NotPetya used the same distribution vector, the update servers of a Ukrainian accounting software maker.

      Catalin Cimpanu, the Security News Editor for Bleepingcomputer stated: "The consensus on NotPetya has shifted dramatically in the past 24 hours, and nobody would be wrong to say that NotPetya is on the same level with Stuxnet and BlackEnergy, two malware families used for political purposes and for their destructive effects. Evidence is clearly mounting that NotPetya is a cyber-weapon and not just some overly-aggressive ransomware."

      Cybersecurity has moved from tech to a CEO and Board-level business issue

You did not sign up for this, but today it is abundantly clear that as an IT pro you have just found yourself on the front line of 21st-century cyber war. Cybersecurity has moved from tech to a CEO and Board-level business issue. I strongly suggest you have another look at your defense-in-depth, and make sure to:

• Have weapons-grade backups
• Religiously patch
• Step users through new-school security awareness training.

      posted in News
stus
    • [ALERT] Looks Like A New Worldwide Ransomware Outbreak

Motherboard reported: "A quickly-spreading, world-wide ransomware outbreak has reportedly hit targets in Spain, France, Ukraine, Russia, and other countries.

      On Tuesday, a wide range of private businesses reportedly suffered ransomware attacks. Although it is not clear if every case is connected, at least several of them appear to be related to the same strain of malware."

Motherboard continued: "The attacks are similar to the recent WannaCry outbreak, and Motherboard has seen several reports of infections shared by victims on Twitter. We were not able to immediately confirm the veracity of the reports, but several security researchers and firms also reported the attacks.

      "We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry's first hours," Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat.

      Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin.

      "If you see this text, then your files are no longer accessible, because they are encrypted," the text reads, according to one of the photos. "Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

      Raiu believes the ransomware strain is known as Petya or Petrwrap, a well-known type of ransomware. According to a tweet from anti-virus company Avira, the Petya attacks were taking advantage of the EternalBlue exploit previously leaked by the group known as The Shadow Brokers (Motherboard could not independently confirm this at the time of writing).

      EternalBlue is the same exploit used in the WannaCry attacks; it takes advantage of a vulnerability in the SMB data-transfer protocol, and Microsoft has since patched the issue. However, whether customers apply that patch is another matter.

      Security researchers from Kaspersky Lab reported that the ransomware hit Russia, Ukraine, Spain, France, among others. Several people on Twitter reported witnessing or hearing reports of the outbreak in their respective countries, and across a wide range of industries. Companies around the world also reported computer outages.

      If You Have Not Done So Yet, Apply This Patch Immediately.

From what we have been able to learn, this new worm spreads through SMB just like WannaCry, so when we're talking about machines behind firewalls being impacted, it implies ports 139 and 445 being open and at-risk hosts listening for inbound connections. It'd only take one machine behind the firewall to become infected to then put all other workstations and servers at risk, due to it being a true worm.

      In the meantime, harden yourselves against this Windows Network Share vulnerability and ensure that all systems are fully patched with the "MS17-010" security update (link below) and remind all staff to Think Before They Click when they receive any out of the ordinary emails. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

      Note, the patch is included in the Monthly Quality rollups.

      posted in IT Discussion security malware ransomware knowbe4 knowbe4 blog windows patching zero day
stus
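The alert above boils down to three things a Windows admin can verify on a host: whether SMBv1 (the protocol EternalBlue targets) is still enabled, whether the box is listening on TCP 139/445, and whether an MS17-010 package is installed. The following PowerShell is an added example, not code from the original post or from KnowBe4. It assumes an elevated session on Windows 8/2012 or later (for Get-SmbServerConfiguration and Get-NetTCPConnection). The KB numbers are the March 2017 security-only and monthly-rollup packages listed in the MS17-010 bulletin for Windows 7/2008 R2, 8.1/2012 R2, 2012 and 10 1607/2016 as I recall them; verify them against the bulletin linked in the post, and remember that later Monthly Quality rollups supersede them, so a missing KB is a prompt to check, not proof the host is unpatched.

```powershell
# Added example (not from the original post): report a single host's exposure
# to the SMB worm behaviour the alert describes. Run in an elevated session.

# MS17-010 packages from the March 2017 bulletin (verify against the bulletin;
# later cumulative rollups supersede these and will not show up in this list).
$Ms17010Kbs = 'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
              'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
              'KB4012214', 'KB4012217',   # Server 2012
              'KB4013429'                 # Windows 10 1607 / Server 2016

function Get-Ms17010Posture {
    [CmdletBinding()]
    param()

    # Installed hotfixes that match one of the MS17-010 package IDs
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # Is the SMBv1 server protocol still switched on?
    $smb1 = $null
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $smb1 = [bool]$cfg.EnableSMB1Protocol }

    # NetBIOS-over-TCP (139) and direct SMB (445) listeners
    $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object -ExpandProperty LocalPort -Unique)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ms17010Hotfixes   = $installed
        Smb1Enabled       = $smb1
        SmbPortsListening = $listening
        # The combination the post warns about: SMBv1 on, 445 reachable, no MS17-010 KB seen
        NeedsAttention    = ($smb1 -eq $true) -and ($listening -contains 445) -and ($installed.Count -eq 0)
    }
}

Get-Ms17010Posture | Format-List

# Remediation the post implies, once you have confirmed nothing still needs SMBv1:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
</powershell>
```

Because cumulative rollups hide the original KB IDs, treat NeedsAttention as a triage flag: a host that reports it should have its patch level confirmed by build number or by the rollup history in Windows Update, and SMBv1 should be disabled regardless of patch state unless a legacy dependency is documented.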
    • [ALERT] New Fileless, Code-injecting Ransomware Bypasses Antivirus

Security researchers have discovered a new fileless ransomware in the wild, which injects malicious code into a legitimate system process (svchost.exe) on a targeted system and then self-destructs in order to evade detection by antivirus.

      The nasty has been called SOREBRECT and unlike more generic "spray-and-pray" ransomware, it has been designed to specifically target enterprise systems in various industries.

      SOREBRECT also takes pains to delete the infected system’s event logs and other artifacts that can provide forensic information such as files executed on the system, including their timestamps. These deletions deter analysis and prevent SOREBRECT’s activities from being traced.

      This malicious code, after it has taken control of the machine, uses Microsoft’s Sysinternals PsExec command-line utility to encrypt files. I am sure that Mark Russinovich is not happy about this!

      Why PsExec?

      “PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive login session, or manually transferring the malware into a remote machine, like in RDPs,” Trend Micro says.

      SOREBRECT Also Encrypts Network Shares

      SOREBRECT also scans the local network for other connected computers with open shares and locks files available on them as well. “If the share has been set up such that anyone connected to it has read-and-write access to it, the share will also be encrypted,” researchers say.

      In addition, SOREBRECT uses the Tor network protocol in an attempt to anonymize its communication with its command-and-control (C&C) server, just like almost every other malware.

      Sorebrect Ransomware Spreads Worldwide

      According to Trend Micro, Sorebrect was initially targeting Middle Eastern countries like Kuwait and Lebanon, but from last month, this threat has started infecting people in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S.

      This is not the first time when researchers have come across Fileless malware. Two months ago, Cisco's Talos researchers discovered a DNSMessenger attack that was completely fileless and used DNS TXT messaging capabilities to compromise systems.

      In February, Kaspersky researchers also discovered fileless malware that resided solely in the memory of the compromised computers, which was found targeting banks, telecommunication companies, and government organizations in 40 countries.

Fileless malware is much harder for antivirus to detect than malware that first lays down a file on disk and then does its dirty work. Kaspersky said: "Unfortunately the use of common tools combined with different tricks makes detection very hard. In fact, detection of this attack would be possible in RAM, network and registry only."

      What To Do About It

Below are the best practices for securing your systems and network against SOREBRECT suggested by Trend Micro.

• Restrict user write permissions
• Limit privilege for PsExec
• Back up files
• Keep the system and network updated
• Deploy multilayered security mechanisms
• Foster a cybersecurity-aware workforce.

      Trend Micro advised: "User education and awareness helps improve everyone’s security posture. Like other malware, ransomware’s points of entry is typically through email and malicious downloads or domains. Organizations should conduct regular training to ensure that employees have a solid understanding of company security policy, procedure, and best practices."

      We could not agree more. You need defense-in-depth and a human firewall as your last line of defense. Here is a free job-aid for your employees. It's a single page with the 22 Social Engineering Red Flags. They can print it and pin it to their wall. This is a link to a PDF that is hosted at HubSpot, where our website lives:

      https://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf?

      Warm regards, Stu

      posted in IT Discussion
stus
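Two of the Trend Micro recommendations in the post above, "restrict user write permissions" and "limit privilege for PsExec", can be turned into concrete checks on a Windows host. The PowerShell below is an added example, not code from the original post, from KnowBe4 or from Trend Micro. It assumes an elevated session on Windows 8/2012 or later: the first function lists non-administrative shares where a broad principal (Everyone, Authenticated Users, BUILTIN\Users) holds Change or Full access, which is exactly the "anyone connected has read-and-write access" condition the post says gets a share encrypted; the second looks for the Service Control Manager's event 7045 recording a PSEXESVC service installation, which is the footprint PsExec leaves when it is run against a machine. The 30-day window and the principal list are assumptions you should adapt (for example adding your domain's "Domain Users" group).

```powershell
# Added example (not from the original post or from Trend Micro): two defender
# checks for SOREBRECT-style lateral movement. Run in an elevated session.

# Principals whose Change/Full share access means "anyone connected can write".
# Assumption: extend with your own broad groups, e.g. 'DOMAIN\Domain Users'.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

function Get-WritableSharesForBroadPrincipals {
    # Skip the special administrative shares (ADMIN$, C$, IPC$ ...)
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in 'Change', 'Full' -and
            $BroadPrincipals -contains $_.AccountName
        } | ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $_.AccountName
                Right     = $_.AccessRight
            }
        }
    }
}

function Get-PsExecServiceInstalls {
    param([int]$Days = 30)   # assumed look-back window
    # PsExec copies PSEXESVC.exe to the target's ADMIN$ share and registers it as a
    # service; the Service Control Manager records that as System event ID 7045.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        Select-Object TimeCreated,
            @{ n = 'ServiceName'; e = { [regex]::Match($_.Message, 'Service Name:\s*(\S+)').Groups[1].Value } }
}

"== Shares writable by broad principals =="
Get-WritableSharesForBroadPrincipals | Format-Table -AutoSize

"== PSEXESVC service installs in the last 30 days (System 7045) =="
Get-PsExecServiceInstalls | Format-Table -AutoSize

# Remediation for a flagged share: drop the broad principal to read-only, e.g.
#   Grant-SmbShareAccess -Name Finance -AccountName 'Everyone' -AccessRight Read -Force
# (or Revoke-SmbShareAccess to remove the entry), then fix the NTFS ACL underneath it.
```

Installing PSEXESVC requires administrative rights on the target, so the practical way to "limit privilege for PsExec" is to keep local administrator membership minimal and to alert on 7045 events naming PSEXESVC on hosts where no administrator expects them; an absence of such events does not prove PsExec was not used, since the post notes the malware also clears event logs.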
    • [URGENT ALERT] Defend Against This Ransomware WMD NOW

      Ransomware Attack Uses NSA 0-Day Exploits To Go On Worldwide Rampage

Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, called the attack "the biggest ransomware outbreak in history." This is a cyber pandemic caused by a ransomware weapon of mass destruction.

FedEx Corp, Renault, Russian banks, gas stations in China, and Spanish telecommunications firm Telefonica, which reported 85% of their systems being down as a result of a cyberattack earlier today, were all hit, and ironically the Russian Interior Ministry has 1,000 machines encrypted. Even the German Railways were infected.

Dozens of hospitals in the UK were shut down. Cybersecurity experts have long used the phrase "where bits and bytes meet flesh and blood," which signifies a cyberattack in which someone is physically harmed.

      SUMMARY:

Yet unknown cyber criminals have taken an NSA 0-day threat and weaponized a ransomware strain so that it replicates like a worm and takes over the whole network using the SMB protocol. There is a 2-month-old MS patch that needs to be applied urgently if you have not done that already.

I suggest you immediately look into this and patch your systems before your users fall for this phishing attack. Here is a blog post with all the updated details, links to patches, background, workarounds if you cannot patch, and the blog post is being updated close to real-time:

https://blog.knowbe4.com/ransomware-attack-uses-nsa-0-day-exploits-to-go-on-worldwide-rampage

On the same page is an option to download a no-charge tool to check if your endpoint security software protects you against ransomware infections; the tool is called 'RanSim'.

This is a bad one. Let's stay safe out there.

Warm regards,
Stu Sjouwerman,
Founder and CEO, KnowBe4, Inc.

      posted in IT Discussion
stus
    • U.S. Court Sentences Russian Hacker to a Record-Setting 27 Years


On Friday, a Seattle Federal District Court judge sentenced 32-year-old Roman Valerevich Seleznev to 27 years in prison for running a vast credit card and identity theft operation, selling millions of credit card numbers on the black market. This was the longest sentence handed down for hacking-related charges in the United States.

      Seleznev’s schemes led to losses of at least $170 million. Among Mr. Seleznev’s victims were 3,700 financial institutions and 500 businesses around the world, including several restaurants in the Seattle area.

      Seleznev is the son of Valery Seleznev, an outspoken member of the Duma, the lower house of the Russian Parliament, and a close political ally of Russian President Vladimir Putin.

      Up to now, US law enforcement has had very little cooperation capturing and convicting Russians accused of hacking crimes. Russian cybercriminals can operate with impunity as long as they do not hack inside Russia itself. In return for that relative freedom, cybercriminals are often tapped to work for Russia’s intelligence agencies.

      Next time, stay home

Only when Russian cyber criminals are dumb enough to travel outside of Russia is US law enforcement able to detain them, most recently in Prague and in Barcelona. However, Secret Service officials say more than three dozen Eastern European hackers suspected in crimes remain out of reach.

      Seleznev never traveled to any country that had an extradition treaty with the U.S. For more than a decade, the Secret Service tracked his movements around the globe but couldn't do anything about him.

Then, in the summer of 2014, Seleznev and his girlfriend took a vacation in the Maldives, which doesn't have an extradition treaty with the U.S. either, but the US State Department convinced local authorities to help capture Seleznev anyway. He was arrested by Maldivian police at the airport on his way home and handed over to U.S. officials, who whisked him by jet to Guam and then to a federal prison in Washington State.

      Seleznev wrote an 11-page letter (PDF) by hand to the court this year, admitting to and apologizing for his crimes.

      “Today is a bad day for hackers around the world,” said Annette L. Hayes, the United States attorney for the Western District of Washington. “The notion that the internet is a Wild West where anything goes is a thing of the past.”

      That's great PR of course, but the reality is that Vladimir Putin uses hackers for his own nefarious purposes, and will provide them air cover as long as they behave and go for a "staycation" instead of tropical islands.

      posted in IT Discussion
stus
    • Why Cerber Is The New King Of Ransomware


During 2016, ransomware exploded. It clearly became the biggest menace on the net, using phishing as its No.1 infection vector.

Hundreds of ransomware strains competed for market dominance last year, but one was clearly dominant: Locky, costing victims over 1 billion dollars. However, a recent report from our friends at Malwarebytes showed that Locky has fallen off the face of the earth in Q1 2017, making way for the Cerber strain to become the new king of ransomware.

Malwarebytes' new Cybercrime Tactics and Techniques Q1 2017 report shows Cerber has totally taken over "the market", accounting for 90 percent of Windows ransomware. Note that ransomware accounts for 60 percent of all malware attacks on Windows.

      So why has Cerber become the Apex Predator?

The success of Cerber is down to its features (robust encryption, offline encryption, etc.) combined with the adoption of a RaaS (Ransomware-as-a-Service) business model, where the malicious code can be modified or leased through an affiliate scheme. "It's also very easy for non-technical criminals to get their hands on a customized version of the ransomware," Malwarebytes reports.

      Another factor contributing to the rise of Cerber is that those behind it are constantly upgrading it with new features and evasion techniques. Researchers at Trend Micro recently detailed how Cerber has gained the ability to evade detection by cybersecurity tools which use machine learning to identify threats.

The Cerber strain, like most ransomware, is mostly delivered by a phishing email. But rather than encouraging the victim to click on a link to download a file, these emails contain a link to Dropbox which downloads and self-extracts the Cerber payload, a social engineering tactic which is hard to protect against.

The Locky strain, which was last year's number one, has dropped off the map due to a switch in tactics by the cyber gang behind the Necurs spam botnet. The Necurs network used to distribute Locky, but suddenly surged back to life last month to distribute fake stock tips for 'pump and dump' scams.

      Cerber is more difficult to stop than Locky

      "We've already observed evolution in its distribution mechanisms and it's likely they will continue to do this to ensure that their malware can infect users effectively. It might also start instituting additional functionality like different files to target and increasing victim support capabilities," Adam Kujawa, lead malware intelligence analyst at Malwarebytes, said.

      "However it's hard to predict the exact modifications Cerber will make, the only definite is that it's not going away," he added.

      They ended off with: "We expect to see continued heavy distribution of Cerber through Q2 2017 due to new developments made to the malware design and its continued use of the ransomware as a service (RaaS) model."

      At the moment, Cerber may be king of the hill, but if you look at the tumultuous history of ransomware, this won't last for too long. Either the Cerber mafia will withdraw on their own when the heat gets too much, or they will pivot to a new business model just like the Locky/Necurs gang just did. Third option: they'll get arrested like BitCryptor/CoinVault.

      In any case, there will be another ransomware strain waiting in the wings to grab the No.1 slot, and at the moment it looks like Spora is the contender for the crown.

      Better get ready and step your users through new-school security awareness training.

      Warm regards, Stu

      posted in IT Discussion
stus
    • RE: Scam Of The Week: The Evil Airline Phishing Attack

      @mlnews or:

      https://blog.knowbe4.com/scam-of-the-week-the-evil-airline-phishing-attack

      posted in IT Discussion
stus
    • Scam Of The Week: The Evil Airline Phishing Attack

Our friends at Barracuda run their Email Threat Scanner over hundreds of thousands of customer mailboxes and discovered a highly effective phishing attack that tricks a whopping 90% of the victims. You need to tell your users about this right away.

      This evil airline phishing attack combines all "criminal best-practices" to steal credentials and drop malware on disk which is used to then further hack into your network.

      The campaign targets companies that deal with frequent shipping of goods or employee travel, for instance logistics, shipping, or manufacturing, but almost any organization has people that frequently visit customers or business partners.

      The phishing attack targets these employees, and the attackers do quite a bit of research before sending the phishing emails. The messages are constructed with subject lines and bodies that include destinations, airlines, and other details that are specific to each victim, helping them appear more authentic. Here is an example subject line:

      Fwd: United Airlines: Confirmation – Flight to Tokyo – $3,543.30

“After getting the employee to open the email, the second tool employed by the attacker is an advanced persistent threat embedded in an email attachment. The attachment, usually a flight confirmation or receipt, is typically formatted as a PDF or DOCX document. In this attack, the malware will be executed upon the opening of the document,” Asaf Cidon, vice president of content security services at Barracuda, said in a post explaining the attacks.

      To start with, send this to all employees, no matter if they travel or not. Feel free to copy/paste/edit:

      "There is a new spin on an existing phishing scam you need to be aware of. Bad guys are doing research on you personally using social media and find out where and when you (might) travel for business. Next, they craft an email especially for you with an airline reservation or receipt that looks just like the real thing, sent with a spoofed "From" email address that also looks legit.

      "Sometimes, they even have links in this email that go to a website that looks identical to the real airline, but is fake. They try to do two things: 1) try to steal your company username and password, and 2) try to trick you into opening the attachment which could be a PDF or DOCX. If you click on the link or open the attachment, your workstation will possibly get infected with malware that allows the bad guys to hack into our network.

      "Remember, if you want to check any airline reservations or flight status, open your browser and type the website name in the address bar or use a bookmark that you yourself set earlier. Do not click on links in emails to go to websites. And as always.... Think before You Click!"

      What To Do About It

      Barracuda recommends the following. (Here at KnowBe4 we call it defense-in-depth but it is the same concept):

      "Companies should use a multi-layered security approach to block this type of attack.

      1. The first layer is sandboxing. Effective sandboxing and advanced persistent threat prevention should be able to block malware before it ever reaches the corporate mail server.
      2. The second layer is anti-phishing protection. Advanced phishing engines with Link Protection look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document.
3. The third layer is employee training and awareness. Regular training and testing of your employees will increase their awareness and help them catch targeted attacks without compromising your internal network."

We could not agree more.

      If you want to spend less time putting out fires, get more time to be proactive, and get the things done you know need to be done, step your employees through effective security awareness training. It will help you prevent compromises like this or at least make it much harder for the bad guys to social engineer your users. More than 9,000 of your peers are using KnowBe4.

      posted in IT Discussion
stus
    • 7 Urgent Reasons For Creating A Human Firewall

I was at RSA 2017 in San Francisco last week, and apart from meetings with customers, VCs and the Press, I found a large amount of relevant security news. Out of the firehose of RSA data, I distilled the 7 urgent reasons why you need to create your "human firewall" as soon as you possibly can. Employees are your last line of defense and need to become an additional security layer when (not if) attacks make it through all your technical filters.

      1. Ransomware heads the list of deadly attacks

      SANS' Ed Skoudis said the rise in ransomware was the top threat. “We’ve seen this can bring down a whole network of file servers and we expect many more attacks”. His advice is that companies practice network security “hygiene” and limit permission for network shares to only those jobs that require it. And of course train your users within an inch of their lives.

      2. Phishing leads the IRS dirty dozen of scams

      The Internal Revenue Service rounded up some of the usual suspects in its annual look at the Dirty Dozen scams you need to watch out for this year. It should come as no surprise that the IRS saw a big spike in phishing and malware incidents during the 2016 tax season because the agency has been very public about its battle with this scourge.

      3. CEO Fraud / W-2 Scams is their close second

      Just this month the IRS issued another warning about what it called dangerous, evolving and very early W-2 scams that are targeting a widening swath of corporations, school districts and other public and private concerns. High-risk users in Accounting and HR need to be frequently exposed to simulated attacks using email, phone and text to inoculate them against these attacks.

      4. Phone Scams

      Your users need to be trained that when they pick up the phone, the person on the other end might be a criminal hacker that tries to manipulate them into getting access to the network. They impersonate "Tech Support" and ask for a password, or pretend to solve technical problems and compromise the workstation.

      5. Your Antivirus is getting less and less effective

      We all had the nagging suspicion that antivirus is not cutting it anymore, but the new Virus Bulletin numbers confirm your intuition. Virus Bulletin (VB) is the AV industry's premier "insider site", and shows how good/bad endpoint detection rates are, but VB also covers spam filters, and tests them on a regular basis.

Both antivirus (aka endpoint protection) and spam filter tests are published in quadrants graphing the results. What most people do not know is that participants in this industry all share the same samples, and it's often just a matter of who gets the definition out first, because soon enough everyone else has that malware sample and blocks the hash. The problem? Proactive detection rates have dropped from about 80% down to 67-70% over approximately 9 months.

      Now you might think that if AV does not catch it, your spam filter will. Think again. One in 200 emails with malicious attachments makes it through. That puts the potential for malware making it in your users' inbox into the millions… every day. Here is a blog post with the scary numbers.

      6. The Internet Of Things

      Your users need to understand the nature of connectedness. Both consumer and commercial devices are using wireless protocols to connect to each other and the internet, with vendors rushing products to market without proper security features. Your employees need to be trained to change the default passwords and disable remote access. If your organization has anything to do with critical infrastructure, users need to be aware of the risks and do fire drills so they are prepared for any kind of attacks against the IoT.

      7. Over-reliance On Web Services

This breaks down into two different flavors. First, shadow-IT, where employees completely bypass the IT department and create their own storage and services: an invitation to a host of vulnerabilities and data breaches that IT cannot control. Employees need to be enlightened about the dangers of shadow-IT and understand the risks. Second, web-apps and mobile apps are increasingly vulnerable to attacks while talking to third-party services. There’s no actual certainty that apps are connecting to the expected entity, or if a man-in-the-middle stepped in, stealing data, and possibly returning false information. This is a problem that developers need to solve with industry-strength handshaking and encryption protocols.

      I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.

      Get A Quote: https://info.knowbe4.com/kmsat_get_a_quote_now

      Let's stay safe out there.

      Warm regards,

      Stu Sjouwerman,

      Founder and CEO, KnowBe4, Inc


      posted in IT Discussion
    • RE: spammed by KnowBe4

      Guys,

      We honor any and all "ask-off" requests. At the bottom of all our emails are unsub options and they work. If they don't - email me and I will fix that.

      Also, you can email me personally at [email protected] if you want to get out of salesforce and/or the newsletter and we WILL get you off the list.

      Warm regards,

      Stu

      posted in Water Closet
    • RE: spammed by KnowBe4

      @Dashrender You can always ask us to get off the list and we honor those requests right away! Warm regards, [email protected]

      posted in Water Closet
    • The Who Behind The Why Of Relentless Phishing And Ransomware Attacks


      Why are organizations in the West subjected to relentless phishing and ransomware attacks? We need to go back in history for a bit to understand what caused this, and determine how we can best prepare ourselves.

First of all, let's look at planet Earth from the following perspective: it is an anarchy of nations. The United Nations has turned out to be a disappointing, ineffective, and corrupt mess. Credit where credit is due, the U.N. has done some very good work in certain corners. The Universal Declaration of Human Rights is an excellent example, but taken as a whole, the U.N. has mostly been paralyzed.

Now, let's go back to right after WWII. The cold war has started up, and there is an atomic arms race with mutually assured destruction as the only deterrent. Two superpowers at each other's throat, with physical walls being built and the Iron Curtain coming down. I remember traveling with my parents, passing Checkpoint Charlie from West to East Berlin as a boy, an unpleasant experience to say the least. Physical barriers were used to keep people both out and in; we have all seen the cold war spy movies, and the images are vivid.

      Fast forward 40 years.

      The USSR fragments in 1991, and the Russian economy collapses. Communism implodes because that business model is not sustainable. At the time, there were roughly 800,000 official KGB agents in Russia. After the collapse, they spent ten years morphing into the FSB, all the while expanding and absorbing other instruments of power, including criminal networks, other security services, economic interests, and parts of the political elite.

The West loses its arch enemy, starts enjoying peace and focuses less on NATO as its main defensive force against the USSR. The strong anti-USSR values that bind the West together no longer hold, and the world order that America depends upon starts to come apart.

During those 40 years, the cold war has gone underground; it transforms to some degree into covert actions committed by both the CIA and the FSB, and overt actions like propaganda campaigns by both sides, which are very much going on today.

Former Soviet satellite states are disillusioned with NATO and the West, and at the moment believe they have to fend for themselves -- or even have to defend their sovereign territory against Russian aggression, like Ukraine.

      In Moscow, Vladimir Putin is playing the long game

      In Moscow, Vladimir Putin is playing the long game and is leveraging this unraveling of the Western world order as fast as he can. He is trying to make Russia into a superpower again, and uses everything he can in his spook toolkit including the asymmetrical hybrid information warfare we see today.

The last two administrations have failed to see that the West is already at war, whether it wants to be or not. I am quoting Molly McKew here, who has been an advisor to Eastern European governments: "It may not be a war we recognize, but it is a war. This war seeks, at home and abroad, to erode our values, our democracy, and our institutional strength; to dilute our ability to sort fact from fiction, or moral right from wrong; and to convince us to make decisions against our own best interests." Interesting that this last is one of the definitions of social engineering.

      The current war is one of subversion more than domination. These shadow tactics are what the KGB starred in and what Vladimir Putin learned when he came up through the KGB ranks.

      A large majority of Russians who were shocked by the economic and social hardships of the 1990s applauded Putin as the strongman who built a new security state, even though his Kleptocracy weakened the Russian economy and civic institutions. Looking at Russia today, it's a gas station with a flag on it, with an overblown police force and a criminal economy the size of Italy. Oh, and the world’s largest nuclear arsenal...

      Putin is operating on a very old, very successful principle that to keep your own group together, there is nothing better than having a mutual enemy. Putin wants the West to fragment and become as weak and broken as they perceive themselves to be.

      Putin’s Russia needs the USA to be its enemy Number One

      In short, Putin’s Russia needs the USA to be its enemy Number One. It's a war that needs to be won and its goal is an unstable new world of "all against all" where Putin can be a strong player. Keep in mind that it's a combined war machine, Russia's hard power and the technological, information, economic, cultural and criminal tools are all used toward this strategic objective. Here is where Gen. Valery Gerasimov's doctrine comes in. He's the chief of Russia’s General Staff. In his 2013 article, Gerasimov talked about the Russian military’s desire to hone its hacking skills as an extension of conventional warfare and political conflict.

It is also where the criminal hackers that harass Western corporations and non-profits fit right in. They are all part and parcel of Putin's much larger campaign of destabilization. They are not going away any time soon.

There is one parallel between global geopolitics and IT security. It used to be, in the early days with dumb terminals and no mobile devices, that firewalls actually worked, similar to the Iron Curtain. But now, with the traditional periphery gone and BYOD all over the place, firewalls are not that effective and the end-user really needs to be your human firewall.

      That end-user needs to be trained to recognize social engineering attacks and efforts to manipulate them by highly sophisticated Eastern European bad actors.

      There is something that can be done about this...

      The vast majority of these attacks start with phishing. KnowBe4's integrated training and phishing platform allows you to send fully simulated phishing emails so you can see which users answer the emails and/or click on links in them or open infected attachments. If you have a Platinum subscription you can even send them "vishing" attacks straight to the phone on their desk.

      See it for yourself and get a live, one-on-one demo.

      Request A Demo

      https://info.knowbe4.com/kmsat-request-a-demo

      Warm regards,
      Stu Sjouwerman
      CEO, KnowBe4, Inc.


      posted in IT Discussion
    • Disk-Killer Malware Adds Ransomware Feature And Charges $200,000+


      Talk about adding insult to injury with this new KillDisk version. Here is how social engineering can cost you dearly.

The Sandworm cybercrime gang has upped its game. They were initially named after the Sandworm malware which targeted and sabotaged Industrial Control Systems and Supervisory Control And Data Acquisition (SCADA) industrial devices in America during 2014.

      The Sandworm gang later evolved into the TeleBots gang, which developed the TeleBots backdoor trojan, and the KillDisk disk-wiping malware.

KillDisk was used in 2015 and 2016 when another gang, the Russian BlackEnergy cyber-espionage group, used the malware to attack and sabotage energy, mining and media companies in Ukraine. Bad guys have very active forums and they talk all the time, so this is probably how state-sponsored Russian hackers got their hands on KillDisk.

Until today, the KillDisk malware strain was only active in espionage and sabotage ops. Well, they are now moving into the ransomware racket with a bang: a 222 Bitcoin ransom, which with the skyrocketing Bitcoin exchange rate is well over 200 grand. If you get hit with this and your backups fail, that gets very expensive.

      The new KillDisk strain uses very robust encryption, giving each file its own AES key, and then encrypting the AES key with a public RSA-1028 key. These guys know what they are doing.

      KillDisk was recently used against Ukrainian banks

      Recent KillDisk attacks were against Ukrainian banks. These attacks infected bank workers with the TeleBots backdoor trojan via phishing attacks with malicious email attachments. TeleBots is an easy to recognize malware strain because it uses the Telegram protocol to communicate with its criminal owners.

      Catalin Cimpanu at Bleepingcomputer said: "After collecting data from infected systems, such as passwords and important files, the TeleBots gang would deploy the KillDisk component, which deleted crucial system files, replaced files, and rewrote file extensions. The purpose was to make the computer unbootable and also hide the intruder's tracks.

      In the recent attacks against Ukrainian banks, the KillDisk malware had also been altered to use the Windows GDI (Graphics Device Interface) and draw a picture inspired by the Mr. Robot TV series, showing the logo of the FSociety hacktivism group, portrayed in the show.

      At one point in the TV show, the FSociety group also infected the eCorp bank network with ransomware. The same is now true for the TeleBots gang, who added a ransomware component to KillDisk, as an alternative to disk-wiping operations."

      Why did they add a ransomware feature?

It's easier to hide your tracks if KillDisk poses as ransomware. You are basically talking about a very profitable form of obfuscation.

      The victim would assume they suffered an expensive ransomware infection, and wouldn't scan for the TeleBots trojan or other data exfiltration code. Victims trying to avoid bad PR would restore from backup or pay the ransom and move on. Meanwhile, back at the ranch they would still be robbed blind.

      According to malware researchers at CyberX, the KillDisk ransomware component shows the following message on infected computers and asks for a huge ransom demand of 222 Bitcoin, well over 200 grand.


      To unlock your files, you have to contact their customer support via an email and pay the ransom, and then receive your private RSA key that decrypts all your files.

      The business model used here is not the spray-and-pray of the cheap ransomware. This gang goes for the high-end approach and demands a high price. Once you contact them through the email address, they will try to extort you threatening to dump sensitive files they stole via the TeleBots backdoor.

If you are not a KnowBe4 customer yet, at times like this it is very good to know what percentage of your users are vulnerable to social engineering attacks. We recommend you do your free Phishing Security Test and find out what the phish-prone percentage of your users is.

      https://info.knowbe4.com/phishing-security-test-16

      Let's stay safe out there.

      Warm regards,

      Stu Sjouwerman

      Founder and CEO, KnowBe4, Inc.


      posted in IT Discussion
    • [ALERT] Yikes, A New And Scary Double-Ransomware Whammy.


      Sophos reported on one of the more scary ransomware strains I have seen lately. It's called Goldeneye and encrypts the workstation twice: both the files and the Master File Table (MFT).

      It's a phishing attack with two attachments. One is a PDF and the other an Excel file. The Excel file contains a loader that pulls down all the malware. The PDF is the social engineering ruse that makes the user open the Excel file. If your user is untrained enough to open both attachments and there are crucial files on the local hard disk without a backup, you potentially get to pay ransom TWICE.

      The spam email presents itself as a job application form to be filled out. It has attached an uninfected PDF with the application to get the process started, and in the PDF is a polite reference that the Excel file contains more details -- no explicit demand to open up the file... just business as usual.

Opening up the Excel file, you get a suggestion on how to display the aptitude test. Sophos said: "The crooks don’t openly ask you to do anything obviously risky, such as “Enable macros” or “Turn off the default security configuration”, but they do encourage you to make a change to your Office settings, something that Excel will invite you to do because the file contains what are known as Visual Basic for Applications (VBA) macros.

      In fact, if you permit macros to run in this Excel file, you will quickly regret it: the VBA downloads a copy of the Goldeneye ransomware and immediately launches it." The VBA programming language used in Office macros is powerful enough to allow cybercriminals to control Word or Excel programmatically, but also to perform more general actions such as downloading files from the web, saving them to disk, and running them.

      Yikes.

      Once the Excel file is activated, all the malicious activity happens in the background, but when the encryption pass is done, there's a whole bunch of files left behind called: YOUR_FILES_ARE_ENCRYPTED.TXT which announce the infection:


      Most strains of file-encrypting ransomware stop here, but Goldeneye's developer has experience in this field and does a double-whammy attack similar to their Petya / Misha strain and encrypts the Master File Table (MFT) of that machine as well.

Goldeneye works a bit differently than the previous editions: it first encrypts the files, then performs the UAC bypass and the low-level MFT attack, then reboots and pretends to be doing a CheckDisk.


      Once the “check” is finished, another reboot sounds the alarm with some dramatic ASCII art:


      Pressing the Any Key gives you this:


      In case you’re wondering why Sophos redacted the so-called personal decryption codes in the images above, the encryption is different for your files and for your MFT: the malware uses different algorithms and different keys each time.

      In short, if you pay up to unlock your scrambled MFT so you can reboot into Windows, then, assuming the crooks actually send you the key, you’ll get back into Windows only to face the YOUR_FILES_ARE_ENCRYPTED.TXT pay page as well. If you don’t have any backup, you get to pay up 1.4 Bitcoins all over again. That's 2.8 total which starts to get very expensive.

      How vulnerable is your network against ransomware attacks?

      KnowBe4 has been working hard on something brand new. Bad guys are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

      KnowBe4’s Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection.


      Here's how RanSim works:

      • 100% harmless simulation of a real ransomware infection

      • Does not use any of your own files

      • Tests 10 types of infection scenarios

      • Just download the install and run it

      • Results in a few minutes!

      RanSim has been downloaded thousands of times and run against dozens of AV products. The results have been an eye opening experience for many IT pros. NOTE: RanSim was created for Windows-based workstations running Windows 7 or higher.

      Download Your FREE RanSim Now

      https://info.knowbe4.com/ransomware-simulator-tool

      posted in IT Discussion ransim ransomware security malware knowbe4
    • Scam Of The Week - Fake News: a Content-based Social Engineering Attack

      Facebook, Google, and Twitter have recently been facing scrutiny for promoting fake news stories. Depending on your sources and who you believe, fake news played and is still playing a role in the 2016 presidential election.

      However, fake news is misused in a number of ways, especially in an election season, and we have seen plenty of examples in the last few weeks:

      • Propaganda, trying to influence opinion like RT.COM
      • Direct attacks on a political opponent
      • Stock manipulation scams
      • Shock people into clicking and infect their machine with malware (celebrity deaths)
      • Sell advertising

      Fake news and its malicious cousin "malvertising" are some of the most hard-to-spot types of social engineering attacks facing employees of both non-profits and for-profits.

      “Fake news” can originate practically anywhere on the Internet through tweets, posts, digital images, video, and/or so-called "citizen journalist" sites where people can directly publish their content without fact-checking or any other kind of content-curation. And then there are the sites pretending to be legit news organizations but dedicated to only fake news. Here are a few examples:

      Bipartisan Report
      PoliticusUSA
      USUncut
      The Freethought Project
      Politicalo / Newslo
      DailyNewsBin
      American News X
      The Other 98%

      This type of site is the most damaging. Their content is not monitored, un-curated, not fact-checked and can create a raft of problems for both the people who fall for that type of social engineering and the enterprise that is being targeted. A recent example is FitBit that saw its stock jump and then crash because of a fake news stock manipulation scheme.

      In another variation of a fake news attack, scammers launch stories announcing the untimely death or injury of a key corporate executive or celebrity. A big one on the enterprise side was in 2009, when the CNN iReport site posted news that AT&T CEO Randall Stephenson was "found dead in his multimillion dollar beachfront mansion" under questionable circumstances. Recent fake news that Brad Pitt had committed suicide is fresh in memory.

      In cases like stock scams, trading of these shares stops quickly, but the damage to the attacked company, and key partners and suppliers is done and the bad guys have gotten their ill-gotten gains. Fake news about M&A activity, clinical trials, product announcements, plant closings, earnings, executive appointment, product delays, partnerships, or headcount reductions might take only minutes to debunk, but can impact revenues, operations and business reputations for weeks.

      Realistically, the only team in any organization who can deal with this type of attack is the security department but few organizations actively monitor for and defend against false news. It's a good idea to conduct an external threat audit across all threat sources, not just social networks, blog sites, wikis, discussion forums, and video sites, but also mobile app stores, online marketplaces, and domains. Organizations like BrandProtect and PhishLabs are a good place to start for a quote.

      What To Do About It

      How do you train your employees about this risk? It's one of the most pernicious social engineering attacks out there. Here is some suggested copy you can cut / paste / edit and send to your employees, friends, and family:

      Facebook, Google, and Twitter have recently been accused of promoting fake news stories. Depending on your sources and who you believe, fake news played a role in the 2016 presidential election. However, fake news is misused in a number of ways:

      • Propaganda trying to influence opinion
      • Direct attacks on a political opponent
      • Stock manipulation scams
      • Shock people into clicking and infect their machine with malware (celebrity deaths)
      • Sell advertising

      So, how do you protect yourself against this type of scam? The very first thing you need to do with any kind of internet message you see is this: CONSIDER THE SOURCE. Meaning you ask yourself the following questions: Where did this come from? Who wrote it? What is their agenda?

      There are a large number of false, misleading, clickbait, and/or satirical “news” sources you need to watch out for. Here are 8 Tips to analyze news sources and make sure you do not fall for their scams:

      • Avoid websites that end in “lo”, for example Newslo. These sites take pieces of accurate information and then package that information with other false or misleading “facts”.
      • Watch out for websites that end in “.com.co” as they are often fake versions of real news sources, and strange or unusual domain names are a big Red Flag.
      • If other known and reputable news sites are not also reporting on the story, that is a Red Flag.
      • If it is an anonymous story and there is no known / trusted author, it's suspect.
      • Some news organizations are letting bloggers post under their banner, but many of these posts are opinion and not facts; make sure you note the difference. (ex: BuzzFeed, Forbes blogs).
      • If you are in doubt because of bad design or grammar/spelling, check their “About Us” tab or look them up on Snopes for verification of that source.
      • If the story makes you upset or angry, it’s a good idea to keep reading about the topic using other sources to make sure the author wasn’t doing that on purpose (with potentially misleading or false information) to generate shares and ad revenue.
      • It’s always best to read multiple sources of information to get a variety of viewpoints and perspectives, which allows you to spot bias in reporting and confirm information with other sources before you decide to take action.

      To summarize, consider the source, double check if the data is correct using other reliable sources, and especially with "fake news"... Think Before You Click!

      Let's stay safe out there.

      Warm regards,
      Stu Sjouwerman
      Founder and CEO,
      www.KnowBe4.com


      posted in IT Discussion securityawarenesstraining socialengineering
    • Scam Of The Week: Nasty Two-factor Auth Text Hack


We all know that two-factor authentication (2FA) is much better than just simple user/password credentials. However, there is a nasty spoofing trick that bypasses 2FA if the user does not pay attention. Warn your users who have 2FA-enabled accounts against this; they are usually key people with access to sensitive information.

      • Using creds from the massive databases with tens of millions of credentials that have surfaced the last few weeks -- notably from LinkedIn, My Space and Twitter, or

      • Sending a phishing email with a malicious attachment which installs a keylogger on the box and sends the credentials back to the hacker

Once they have the creds, here are the 4 steps of how this scam goes down:

      • The attacker sends the target a text message, spoofing the company that the target has an account with. The text states they have detected "suspicious" activity to the account, and so are sending the 2FA code to the target, which they should then text back to them to avoid having their account locked.

      • The attacker logs into the account with the known credentials, which prompts the 2FA code to be sent to the target.

      • The (worried) target tries to prevent a negative consequence and texts the code back to the attacker, but by doing that they give the hacker just the thing they needed to break into the account.

      • The hacker now enters the victim's 2FA code, and they're in. The French would say: "Simple comme Bonjour".

      So, I would send an email to your employees, friends and family who have any of their accounts protected with 2FA. Feel free to copy/paste/edit:

      "There is a new scam you need to watch out for if you log into your accounts and have to wait for a text message on your phone to enter and only then log in. This more secure system is called "2-factor authentication". These two factors are:

      • one thing you need to know -- your password
      • one thing you have to have -- the text code on your phone

      Now, criminal hackers are trying to get past this with a nasty trick you need to watch out for. Tens of millions of hacked user names and passwords have recently surfaced -- yours may be one of them -- and they are using these for this scam.

      They send you a fake (spoofed) text that looks like it's from the company you have an account with, claiming that your account may be hacked or that there is suspicious activity happening.

      In the same text they say they will send you your verification code and that you need to send that right back to them or your account gets closed. But if you text that verification code back, you have given the hacker just the thing they needed to hack into your account!

      TIP TO STAY SAFE

      If your accounts are protected by 2-factor authentication, the only time you will be sent the code is to verify an attempt to log into your account. That means if you did not just try to log in and you suddenly receive a verification code through a text message to your smartphone, it is because a scammer who already has your user name and password is trying to hack into your account.

      Never provide your verification code to anyone. Only use it to input the code into your smartphone or computer when you log into a 2-factor authentication protected account. And as a reminder, never give out personal information, such as your Social Security number or credit card numbers in response to a text message (or email) because you simply cannot know for sure who is really on the other end of that communication line.

      Remember, Think Before You Click!"

I would send this right away to people in Accounting, HR, Legal, and C-level execs who have 2FA accounts set up for them.

      Let's stay safe out there.

      Warm regards,

      Stu Sjouwerman

      Founder and CEO of KnowBe4, Inc.
      www.KnowBe4.com

      posted in IT Discussion
    • RE: Effective and Realistic Security Training?

      Fascinating discussion. And yes, we provide an integrated platform for simulating phishing attacks and security awareness training. Cost: avg 10 bucks per user per year. www.KnowBe4.com

      Warm regards, Stu

      posted in IT Discussion
    • RE: Chromebook Shipments Up 67%

SAM is right. They already are. They are a major force in new deployments. We have 9 people in our sales group, all running an HP Chromebox, with Google apps. Totally Windows-free environment, with everything in the cloud.

      posted in News