Ransomware Attacks Will Keep Getting Worse

It may be time for organizations to stop paying the ransom when they sustain a ransomware attack, according to Caleb Barlow, CEO of CynergisTek. On the CyberWire’s Hacking Humans podcast, Barlow discussed the recent tragic case of a woman in Germany who died after the nearest hospital sustained a ransomware attack, forcing her ambulance to divert to another hospital twenty miles away. While the crooks in that case stopped the attack after being informed that they’d hit a hospital, Barlow said criminals will continue evolving their tactics and targeting critical systems to extract a ransom.

Late last year, for example, ransomware gangs began exfiltrating victims’ data before triggering the ransomware. This allows them to demand a ransom in exchange for not publishing the data, so the victim will be pressured to pay even if they’re able to restore from backups.

Barlow thinks the next evolution will be criminals targeting the integrity of data, in addition to availability and confidentiality. In the case of a hospital, this could have life-threatening implications.

“This is just going to continue to get worse,” Barlow said. “And what I keep cautioning people on is the new thing to worry about isn’t that they lock up your data, it’s not that they release your data – it’s that they change your data. And I don’t think most security systems are monitoring what appears to be legitimate access to data if somebody changed it. That’s the thing we really need to prevent against. And there are ways to prevent this… Imagine if I change data in the supply chain. Imagine if I change data in a healthcare record. All of a sudden, I break all of the trust in that system. I don’t have to change all of the data. I just have to show I can change one record, and no one can trust any of the data.”

Barlow said the increasing sophistication and damage caused by these attacks has changed his opinion on paying the ransom.

“When this first started, these ransomware demands were like $500,” he said. “And I would tell clients all the time, look, you know, law enforcement’s going to recommend you don’t pay it. It’s five-hundred bucks. Pay it. Move on. It’s just – you know, worst-case scenario, you’re losing five-hundred bucks. And I was saying the same thing when it was $10,000. And you would occasionally find me saying the same thing when it was $100,000. Well, now it’s in the millions. Now these are real numbers.”

Even more importantly, he added, these attacks are growing more dangerous.

“But what we also have to realize now is there’s kinetic implications,” Barlow said. “And this is becoming rampant. This isn’t an occasional issue. This is going to happen to everybody. The only way to stop this – and I’m a firm believer in the way to stop cybercrime is to change the economics for the bad guys. Well, unfortunately, the only way to change the economics for the bad guys is to forbid paying a ransom.”

Ideally, however, organizations should endeavor to prevent these attacks in the first place. New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize phishing attacks and follow security best practices.

Healthcare Sector Still Sustains Phishing Campaigns

No one should take too seriously the high-minded things criminals sometimes say about how they’re restraining themselves during the pandemic, and that they’re going to avoid hitting hospitals and biomedical research organizations. If anything, attacks on such targets have increased in recent months, and phishing is the usual approach.

The goal of the phishing attacks is financial: the attackers are extortionists. Healthcare organizations are attractive targets for many reasons, among them being the importance of data availability to their work, their relatively deep pockets, and their complicated networks that present a large and varied attack surface. Health IT Security describes four recent and ongoing campaigns that afford good examples of the techniques in use against the healthcare sector.

The first of these involves message quarantine phishing. In this attack, an employee receives a message that spoofs an organization’s email service. The bogus notification says that several emails have failed to “process properly,” and that the recipient should review the quarantined messages to confirm their validity. The prospect of deletion suggests urgency.

“This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails,” researchers at Cofense explained. “Potential loss of important documents or emails could make the employee more inclined to interact with this email.” Should the user click, they’re spirited to a login page designed to harvest their credentials.

The second is a zero font attack, which conceals malicious code in ways that serve to evade security controls that would otherwise intercept them before they reached the target’s in-box. Researchers at INKY explained: “Attackers can embed text into their emails that is both invisible to end users and visible — and confusing — to the machines that automatically scan the mail looking for signs of malicious intent or branding. If the software is looking for brand-indicative text like ‘Office 365’, it won’t find a match. This tactic therefore prevents legacy mail protection systems from classifying this mail as appearing to be from Microsoft. Since it doesn’t know it appears to be from Microsoft, it doesn’t require the mail to be from a Microsoft-controlled mail server. So it sails right through, ending up in the victim’s inbox.”

The third campaign involves the venerable Agent Tesla remote access Trojan (RAT). Gangs are actively distributing the RAT in COVID-19-themed phishing emails. It’s commodity malware traded in criminal markets. “Various tiers are available for purchase that provide additional licenses and different functionality,” Area 1 researchers explained. “However, in typical internet fashion, there is a torrent available on Russian websites. For the initial file, the attacker uses a 32-bit Windows executable to ensure that the malware can be executed on common Windows devices. This file is a trojan, appearing as a benign application but containing hidden, malicious functionality. This initial phase determines if it is in a malware analysis environment so the program can decide whether to proceed with the attack or go to sleep.”

And, fourth, there are nation-state actors engaged in similar financially motivated phishing expeditions. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has warned that North Korean operators continue to use their KONNI RAT against targets in the healthcare sector. Their technique has evolved into more closely tailored spear phishing, with phishbait designed to attract specific individuals. Spearphishing tends to be more persuasive than classic indiscriminate phishing through mass-mailed spam.

While the healthcare sector is currently receiving more than its fair share of attacks, other industries also need to be on their guard. The four techniques Health IT Security described all depend upon social engineering for their success. New-school security awareness training can help organizations instill a proper, healthy skepticism in their personnel.

New Office 365 Phishing Attack Checks Your Stolen Credentials in Real-Time

Nothing says the bad guys are intent on stealing credentials like testing them while you participate in their phishing attack so they can verify the validity before letting you off the hook.

There are tons of stories where a fake log on to Office 365 is the punchline. But seldom do we see an attacker go to the length of developing code that passes the compromised credentials over to Office 365 to check them mid-attack.

According to the Threat Research Team at Armorblox, a new attack uses lots of well-known brands to aid in tricking users into giving up their Office 365 credentials. Using Amazon’s Simple Email Service to improve deliverability, the attack uses a payment remittance theme to get potential victims to click. A spoofed Office 365 logon page is offered up, but it’s one that passes any provided credentials to Azure Active Directory (AAD) behind the scenes, checks them, and then either sends the user back to the logon page (in the case of a failed logon) or over to a generic Zoom website page if the credentials are valid.

The value of an Office 365 credential is pretty high for attackers; it can be used to commit brand and individual impersonation by taking over the compromised account, CEO fraud, business email compromise, infecting or scamming partner or customer organizations, and more.

Users need to be taught via Security Awareness Training to be highly suspicious of any emails that require authentication to Office 365 or any other cloud-based platform. While not all such emails are malicious, it’s important to build ongoing vigilance in users so they can help make the organization more secure.

Scammers are using Black Lives Matter as Phishbait

A phishing campaign is using Black Lives Matter-themed phishing lures to trick people into installing malware, Yahoo reports. Adam Levin from Cyberscout told Yahoo that the phishing emails contain the subject line, “Vote anonymous about ‘Black Lives Matter.’” The email body states, “Leave a review confidentially about ‘Black Lives Matter.’ Claim in attached file.”

The attached file is a Microsoft Word document titled, “e-vote_form_3438.” If the user opens this document, they’ll see a slide telling them to click “Enable Editing” and then “Enable Content” in order to view the content. If these buttons are clicked, the document will be allowed to run a macro that will trigger the malware’s installation process. This is an extremely common tactic, but many people still fall for it.

Levin says the final payload in this campaign is TrickBot. TrickBot is a notorious and versatile commodity banking Trojan that’s used by both criminals and some nation-state actors due to its effectiveness. In addition to stealing passwords and financial information, TrickBot can spread to other computers and download additional malware such as ransomware.

Yahoo notes that since cybercrime is such a profitable industry, these attacks won’t be slowing down anytime soon.

“This particular TrickBot scam may be new, but malware scams are always rampant on the internet,” Yahoo says. “The statistics are staggering: by 2020, the global cost of malware attacks is expected to hit $6 trillion—yes, trillion—according to the cyber experts at Cybersecurity Ventures.”

Attackers always try to exploit hot-button issues and current events to trick people into making poor security decisions. As the US gets closer to its election in November, we can expect to see more scammers trying to take advantage of issues that people feel strongly about. New-school security awareness training can help your employees take a step back and think about what they’re doing, rather than impulsively clicking on a link or downloading a document.

60% of the US Workforce Will Be Working Remotely by 2024 (and That’s a Problem)

The latest data from analyst firm IDC shows massive growth in the remote workforce in the coming years – something that puts organizations at greater risk for a cyberattack.

Everyone already knows that a material percentage of today’s workforce is working remotely as a result of COVID-19. But the projections in IDC’s U.S. Mobile Worker Population Forecast, 2020–2024 paint a picture that, if not addressed proactively, will be a cybercriminal’s paradise.

According to the research, the number of mobile workers will increase from 78.5 million in 2020 to 93.5 million in the US in 2024 – an increase of nearly 20%. IDC breaks down the mobile workforce into two distinct categories:

  • Information Mobile Worker – these are typically those people working from a single location using a specific endpoint to access data, content and applications. Examples of IM workers include programmers, analysts, marketers, accountants and lawyers.
  • Frontline Mobile Workers – the users in this group are typically client-facing and distributed and can be working on a number of devices. Examples of these workers include nurses, store associates, and field technicians.

The challenge with growth in either group is two-fold. First, these workers are not ready, as indicated by their poor password hygiene and their lack of preparation for a cyberattack. Second, they are already under attack, as indicated by the amount of malicious content they already interact with in email and on the web, and by the fact that nearly two-thirds of them have already had a credential compromised.

Taking your workforce mobile/remote is an idea whose time has come. It’s just necessary that organizations put proper Security Awareness Training in place to ensure their mobile workforce understands the cyber-minefield they are entering, the increased need for them to help protect the organization when mobile, and the need to always be vigilant when using corporate devices, applications, or data.

Newly Relaunched ProLock Ransomware Seeks Ransoms as High as $3 Million

Seeing successful attacks as frequently as one per day, the creators of ProLock seek out larger organizations using the QBot trojan to infiltrate, spread throughout, and infect a network.

What starts as yet another phishing attack, using a weaponized VBScript delivered via Office documents, turns out to be a far more invasive attack that brings operations to its knees and leaves organizations considering reaching for their wallets.

According to security researchers at Group-IB, ProLock’s evolution from a failed prior iteration under the name PwndLocker has yielded a piece of malware so effective at network reconnaissance and lateral movement that its creators are big-game hunting organizations across both North America and Europe, looking to extract the largest of ransoms.

Now some good news.

Group-IB’s researchers have indicated that the phishing attacks used are “simple and straightforward” as seen in the email example below:

[Image: example ProLock phishing email]

There’s a really simple way to stop this ransomware from ever gaining control over your network: teach your users to not click on suspicious email links or attachments. This is easily done by enrolling them in new school Security Awareness Training that shows them what to look for, how to remain vigilant while doing their job, and how to keep from becoming the entry point for this and any other phishing-based attack.

Global Ransomware Attacks Increase by 715 Percent as Cybercriminals Capitalize on the Pandemic Opportunity

The massive rise in frequency is a signal that cybercriminals are not only finding their ransomware campaigns successful, but are also seeing increases in ransom amounts.

The goal of any business is to build a product where you make a very healthy profit margin. Once you have that, you take it to market and continue to increase the reach of your sales efforts to see both revenue and profits increase annually.

This is exactly the same mentality cybercriminal enterprises have when it comes to ransomware – if it works, send it out to more people. If they’re willing to pay $1,000, see if they will pay $5,000, $10,000, and more. Recent data has shown that ransomware creators are doing both.

According to Bitdefender’s Mid-Year Threat Landscape Report 2020, the first half of 2020 saw a 7x jump in the frequency of ransomware attacks compared to the same period in 2019. The report shows that attacks were spread relatively evenly across the first six months of this year.

We’ve also seen ransoms jump by an average of 60 percent this year, signaling that cybercriminals are keenly aware of what the havoc they’ve wreaked is worth to an infected organization.

According to the Bitdefender report, both the pandemic and the shift to working from home play a significant role in the success rate of attacks, as users have their defenses down and have been overwhelmed by the unprecedented change in the way we all work and live. Half of remote employees simply aren’t prepared for the organization’s dependence upon them to be vigilant against cyberattacks including ransomware. New school Security Awareness Training provides an effective means to not only educate users on how the bad guys go about phishing and social engineering attacks, but also on how users can become and remain vigilant while doing their job – thus, lowering the threat surface for ransomware attacks.

With such a massive increase in the amount of ransomware attacks, organizations should assume that ransomware is only going to become more prevalent, pervasive, and profitable for the bad guys.

Phishing Attacks Continue to Grow More Sophisticated

Both criminal and nation-state threat actors have “rapidly increased in sophistication” over the past twelve months, according to Microsoft’s Digital Defense report. Microsoft found that attackers are putting more effort into social engineering tactics, and they’re incorporating more familiar techniques like credential stuffing to maximize their effectiveness.

“Email phishing in the enterprise context continues to grow and has become a dominant vector,” the report states. “Given the increase in available information regarding these schemes and technical advancements in detection, the criminals behind these attacks are now spending significant time, money, and effort to develop scams that are sufficiently sophisticated to victimize even savvy professionals. Attack techniques in phishing and business email compromise (BEC) are evolving quickly. Previously, cybercriminals focused their efforts on malware attacks, but they’ve shifted their focus to ransomware, as well as phishing attacks with the goal of harvesting user credentials.”

Microsoft warns that attackers are automating their attacks in order to avoid detection, which results in millions of new malicious URLs being distributed each month.

“In 2019 we blocked over 13 billion malicious and suspicious mails, out of which more than 1 billion were URL-based phishing threats (URLs set up for the explicit purpose of launching a phishing credential attack),” the report says. “These URLs were set up and weaponized just in time for the attacks and had no previous malicious reputation. We’re seeing approximately 2 million such URL payloads being created each month for credential harvesting, orchestrated through thousands of phishing campaigns.”

Microsoft notes that the number of COVID-19 themed phishing attacks has fallen in recent months, after spiking in March. This isn’t surprising: the attackers exploited the chaos and confusion at the start of the pandemic, then adapted their lures when things (sort of) began to settle down.

“Over the past several months, we have seen cybercriminals play their well-established tactics and malware against our human curiosity and need for information,” Microsoft says. “Attackers are opportunistic and will switch lure themes daily to align with news cycles, as seen in their use of the COVID-19 pandemic.”

While attackers are constantly evolving their tactics to evade new defenses, Microsoft notes that most of these attacks are still fundamentally similar.

“Despite sophistication and diversity of the attacks, the methodology is often the same, whether the actors use large-scale attacks for financial gain or targeted attacks to support geopolitical interests,” the report says. “A phishing email can be a massive campaign targeting millions of users or a single, targeted email that represents a socially engineered marvel many months in the making.”

Likewise, Microsoft points out that organizations and individuals can thwart most cyberattacks by implementing basic security hygiene.

“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace: that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA),” Microsoft says. “Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.”

New-school security awareness training can enable your employees to recognize phishing attacks and teach them how to proactively protect their accounts.

Microsoft has the story.

Don’t Just Catch a Phish, Captcha One

Researchers at Menlo Security have identified a phishing site that uses three layers of visual captchas to evade detection by automated security crawlers. Captchas are brief tests on websites that ask you to enter a word or select a series of images to prove you’re not a robot. Almost everyone has encountered these, since they’re usually used by legitimate sites to filter out malicious or unwanted traffic from bots.

In this case, however, the attackers are using captchas to prevent good bots (i.e., bots that are designed to hunt down phishing sites) from accessing the phishing page. The researchers also note that the captchas have the added benefit of lending credibility to the phishing page, since users associate these tests with legitimate sites.

“Two important things are happening here,” they write. “The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”

When a user first accesses the phishing site, they’ll be presented with the familiar “I’m not a robot” reCAPTCHA checkbox. After clicking this box, the user will be asked to select the correct set of images to proceed (for example, images with bicycles, street signs, school buses, and so forth). The user will have to solve three of these tests before they’re allowed to access the phishing page, which is a convincingly spoofed version of an Office 365 login portal designed to steal their credentials.

“Microsoft happens to be the brand that is most phished across our customer base,” the researchers explain. “This is a result of the increased adoption of O365 by many enterprises and cyber criminals are looking to take over legitimate accounts and use them to launch additional attacks within the enterprise.”

Attackers are constantly adapting their techniques to stay ahead of improved security technology. New-school security awareness training can give your employees the knowledge they need to avoid falling for these attacks.

Menlo Security has the story.

Organizations Working From Home Opens Wider Target for Cybercriminals

With so many people working from home, more attackers are adapting their strategies to focus on employees as a way to bypass organizations’ defenses, FCW reports. During a webcast hosted by Venable, several Federal and industry experts discussed the challenges associated with remote work, particularly in organizations that previously required physical modes of identification.

Sean Connelly, Trusted Internet Connection (TIC) program manager at the Cybersecurity and Infrastructure Security Agency (CISA), said attackers are increasingly using fake social media accounts and phone calls to trick employees into handing over their credentials or installing malware.

“Those attacks are shifting everywhere traditional network security controls are not located,” Connelly said. “Many attackers are actually calling employees and encouraging them to log on to those fake pages and then grabbing their credentials from those pages.”

Connelly added that it’s much harder to defend against phishing attacks on social media when employees are working from home.

“How do you put security controls around a social messaging app?” Connelly asked.

Wendy Nather, Head of Advisory CISOs at Duo Security, explained that many previous security assumptions are suddenly no longer applicable.

“Because we’re not physically co-located anymore, there are a lot of authentication factors we used to assume, that we now can’t use,” Nather said. “If somebody calls the help desk, how are you going to verify them if they can’t walk over and show you their CAC [Common Access Card]?”

Likewise, Ross Foard, a senior engineer at CISA, said well-established forms of authentication in the government are hard to transfer to a remote environment.
