CRYSIS Ransomware Is Back And Uses RDP Brute Force To Attack U.S. Healthcare Orgs

So, what’s next for the Trump administration’s handling of health data privacy and security issues now that the 100-day milestone has been reached?
So far, despite the overall anti-regulatory tone of the new administration, it appears that enforcement of HIPAA is moving along at the same or perhaps even a slightly more aggressive pace than what was taken by the Department of Health and Human Services under the Obama administration.

In one of his first speeches, Roger Severino, who last month took on the job of director of HHS’s Office for Civil Rights, promised to keep HIPAA privacy and security enforcement a top priority.

“I came into this job with an enforcement mindset,” Severino said on April 27 during a session at the Health Datapalooza conference in Washington, according to HealthcareITNews. “Congress established OCR to adapt to new technology – and to protect it.”

Resource Hungry

But will that mindset continue? A lot likely depends on the resources OCR gets for fiscal 2018. The staff has been stretched thin in recent years, especially as OCR has been digesting the findings of more than 200 HIPAA compliance audits of covered entities and business associates. Plans to launch a smaller number of more comprehensive audits in early 2017 have already been delayed until later this year. And who knows if that will even happen?

Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek and formerly a senior policy adviser at OCR, notes that so far this year, in terms of enforcement actions taken by OCR, the agency could break its aggressive record of 2016, which included 12 settlements and one civil monetary action – not to mention the relaunch of audits.

“OCR has continued its stepped-up enforcement of the HIPAA privacy, security and breach notification rules. Thus far in 2017, the agency has announced negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million,” he says.

“In all but one of these cases, organizations have also been saddled with multiyear corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016, in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.”

But it’s still unclear how the Trump administration will handle bigger-picture health data privacy and security issues.

“I believe it is important to distinguish between broader policy decisions and the day-to-day operations of the department’s mission,” he says. “While we have not seen evidence of how administration policy on health data security and privacy issues will develop, there is ample evidence that it is business as usual in OCR’s administration of the HIPAA privacy and security standards.”

Beyond HIPAA

While meeting HIPAA compliance requirements doesn’t necessarily equal the kind of robust security efforts needed to effectively safeguard data – including data that goes beyond patients’ protected health information – OCR’s recent enforcement ramp-up likely will help nudge security laggards out of their complacency.

But it’s also important to remember that the OCR enforcement actions we’re seeing have been in the works for years. Looking ahead, will OCR be spending less time investigating major breaches that get reported now? Let’s hope not.

Here’s an updated look at the sobering breach stats: As of April 28, there were 1,921 major breaches affecting nearly 173.4 million individuals reported to OCR since September 2009, according to HHS’ “wall of shame.” And to date, OCR has issued 47 HIPAA settlements and two civil monetary penalties.

So, while there’s been a slight uptick in the number of enforcement actions taken by OCR over the last year or two, the reality is that the odds of being hit with a financial penalty related to a breach remain slim.

And the odds could grow even slimmer if OCR finds itself with a barebones budget for fiscal 2018. President Trump has proposed big cuts to HHS’ overall budget for the next fiscal year beginning on Oct. 1, and he has also instructed federal agencies to plan for near-term workforce reductions.

In the meantime, OCR likely will keep picking and choosing cases for settlements that highlight common mistakes entities make in safeguarding patient information. Plus, the HIPAA enforcement agency will continue to release guidance that addresses confusing and critical security and privacy issues.

Hopefully, the healthcare sector will continue to learn from these cases and guidance and make it a higher priority to bolster their overall risk management programs to better safeguard all data against evolving threats.


Attackers Unleash OAuth Worm via 'Google Docs' App

The malicious Google phishing email. (Source: Cisco Talos)

Score another one for social engineering.

A malicious app named “Google Docs” by attackers has been making the rounds, attempting to trick Google users into logging in and giving the app access permissions to their account.

The phishing campaign began with an email to victims from an address they likely would have recognized, according to multiple analyses of the attack that have now been posted online by security researchers. But the campaign quickly turned into a worm, as users authorized the bogus app in droves, allowing it to spread to their own contacts.

Although Google neutered the attack shortly after it appeared, the technology giant – believed to boast about 1 billion users – said that about 0.1 percent of its users were affected. In other words, roughly 1 million individuals may have fallen victim to this phishing campaign.

“This attack was notable due to the sheer volume and velocity at which it was executed,” security researchers Sean Baird and Nick Biasini from Cisco Talos say in a blog post. “What started as a trickle of emails quickly became a deluge resulting in a prime area of focus on Twitter and in the security community. Due to its relentless nature it got everyone’s attention.”

How It Works

Here’s how the attacks begin: A user receives an email containing an “Open in Docs” button, which, when clicked, redirects the user to a legitimate Google site, requesting that they allow an app called “Google Docs” to “read, send, and manage your email” as well as to “manage your contacts.” If users click “allow,” the malicious app – and by extension an attacker – gains access to all of those features.

The tricky part of the attack is that the app – like so many other sites and services online – uses Google’s legitimate, OAuth-based log-in system, meaning that it’s up to users to spot that someone is trying to scam them. “This is a legitimate request and is part of a lot of applications that make use of Google as an authentication mechanism,” Baird and Biasini say. “The portion that is not normal are the permissions that are being requested.”

As is typical with any security control that relies on humans to effectively differentiate legitimate requests from scams, users predictably failed in droves.

Related phishing email volumes reported to Cisco over the lifespan of the roughly two-hour attack (U.S. Eastern Time)

Fortunately, Google neutered the attack not long after it began. “We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts,” the Google Docs team says in a statement released via Twitter, just hours after the attack was first spotted on May 3. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

We’ve addressed the issue with a phishing email claiming to be Google Docs. If you think you were affected, visit

— Google Docs (@googledocs) May 3, 2017

OAuth Worm

To be clear, Google wasn’t targeted with a phishing attack. “It’s not a Google ‘phish.’ It’s an OAuth worm,” says Sean Sullivan, a security adviser at Finnish security firm F-Secure, via Twitter.

The OAuth service named “Google Docs” requested permissions. (Source: Cisco Talos)

The attack centered on OAuth tokens provided by Google – other services also offer the feature – which allow a user to give a site or service persistent access to their Google account. One advantage is that users can then access the site or service without having to log in again. But that persistent access is regularly targeted by attackers, who create bogus apps and then send phishing emails to users, trying to get them to grant access. Such attacks also bypass two-factor authentication, because it’s the already authenticated user who’s granting access to the bogus app (see Hello! Can You Please Enable Macros?).

Thankfully, security researchers report, none of the “Google Docs” app attacks appear to have pushed malicious code onto victims’ PCs.

With any service that allows OAuth logins, security experts say users should regularly review which apps they’ve granted access. For Google users, visiting allows them to revoke permissions for any apps or sites that shouldn’t connect to their Google account.

Anyone who thinks they’ve fallen victim to an attack that targeted their OAuth credentials should also change their password, security experts recommend. But they note that doing so alone – without revoking permissions – won’t immediately block attackers’ access to their account, since existing OAuth tokens don’t get regularly invalidated.
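The advice above (review granted apps, revoke anything that should not be there, and remember that a password change does not kill existing tokens) is the kind of check a Google Workspace administrator can automate across a tenant. The following is an added example written for this page, not code from Google, Cisco Talos or F-Secure. It scores OAuth grants the way the "Google Docs" worm would have been caught: a third-party client registered under a Google product name, or an unallowlisted client holding mail and contacts scopes. The record fields mirror what the Google Admin SDK Directory API returns from tokens.list, but every record, user and client ID below is constructed for the example, and the allowlist of trusted client IDs is an assumption about your tenant.

```python
"""Audit OAuth grants for look-alike app names and mail/contacts scopes.

Added example; not Google's, Cisco Talos' or F-Secure's code. The record
fields (userKey, clientId, displayText, scopes) mirror what the Google
Admin SDK Directory API returns from tokens.list, but every record below
is constructed for this example and the client IDs are made up.
"""
import re

# Scopes the bogus "Google Docs" app asked for: read/send/manage mail and
# manage contacts. A grant with these is what let the worm spread.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Product names no third-party client should be registered under.
GOOGLE_PRODUCT_NAMES = ("google docs", "google drive", "google sheets", "gmail")


def normalise(name):
    """Lower-case and strip punctuation so 'Google  Docs.' == 'google docs'."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split())


def grant_findings(token, trusted_client_ids):
    """Return the reasons (possibly none) to revoke a single OAuth grant.

    trusted_client_ids: assumed tenant allowlist of client IDs (Google's
    own first-party clients plus vetted third parties).
    """
    client = token.get("clientId", "")
    name = normalise(token.get("displayText", ""))
    risky = set(token.get("scopes", ())) & HIGH_RISK_SCOPES
    reasons = []
    if client not in trusted_client_ids and name in GOOGLE_PRODUCT_NAMES:
        reasons.append("unknown client named like a Google product: %r"
                       % token.get("displayText"))
    if client not in trusted_client_ids and risky:
        reasons.append("unknown client holds mail/contacts scopes: "
                       + ", ".join(sorted(risky)))
    return reasons


def audit(tokens, trusted_client_ids):
    """Map userKey -> [(clientId, reasons)] for every grant that should go."""
    findings = {}
    for token in tokens:
        reasons = grant_findings(token, trusted_client_ids)
        if reasons:
            findings.setdefault(token["userKey"], []).append(
                (token["clientId"], reasons))
    return findings


# Constructed sample data (made-up client IDs, example.com users).
TRUSTED_CLIENT_IDS = {
    "1000.apps.googleusercontent.com",   # stands in for a first-party Google client
    "2000.apps.googleusercontent.com",   # vetted chat integration
}
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "3000.apps.googleusercontent.com",
     "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "bob@example.com", "clientId": "2000.apps.googleusercontent.com",
     "displayText": "Team Chat",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "carol@example.com", "clientId": "1000.apps.googleusercontent.com",
     "displayText": "Google Drive",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "dave@example.com", "clientId": "4000.apps.googleusercontent.com",
     "displayText": "Mail Merge Helper",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
]

if __name__ == "__main__":
    for user, grants in audit(SAMPLE_TOKENS, TRUSTED_CLIENT_IDS).items():
        for client_id, reasons in grants:
            print(user, client_id, "->", "; ".join(reasons))
```

Run as-is it flags alice's "Google Docs" grant on both counts and dave's unvetted mail client on scopes alone, while bob's allowlisted integration and carol's genuine Google client pass. In the real Directory API the matching revocation is a tokens.delete call per (userKey, clientId); that network call is left out so the example runs offline. Revoking the grant is what actually cuts the attacker off; resetting the password, as the article notes, does not.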

Email Address Harvesting

While the May 3 “Google Docs” app attack campaign has not been traced to any individual or actor, and no one has claimed credit, this was likely just an opening move.

“The goal of this attack is likely two-fold. This instance acted as a potential proof-of-concept for a convincing Google phish via OAuth,” Cisco’s Baird and Biasini say. In addition, they note that attackers could have quickly harvested massive amounts of contact information from the Gmail accounts of anyone who gave access rights to the “Google Docs” app.

It’s not yet clear if stolen information has been put to use, says John Wilson, field CTO at email security firm Agari.

“While we haven’t seen reports of fraud yet, the cybercriminals who launched the attack have access to all of the victims’ emails until the app is disabled,” Wilson says in a blog post. “With that access, the criminals can use your identity to scam co-workers or relatives, reset your bank account password and steal money or harvest information to steal the victim’s identity. There are an infinite number of ways a cybercriminal can monetize this kind of access.”

When in Doubt: Don’t Click

Cisco’s Baird and Biasini say that based on the effectiveness of this attack, more are sure to follow, and it’s unclear if Google will be able to successfully shut them all down before more damage gets done.

Their main message to anyone who uses a service that relies on OAuth is to cultivate healthy amounts of skepticism and paranoia.

“Users must be very careful what they click on, particularly when it involves passwords or granting permissions or access of some kind,” the Cisco researchers say. “If in doubt, reach out to the sender of the attachment or link using a means other than email to verify the integrity of their email.”




PROVIDENCE, R.I. — Cybercriminals held a Providence law firm hostage for months by encrypting its files and demanding $25,000 in ransom paid in Bitcoin to restore access, according to a lawsuit filed in U.S. District Court.

Moses Afonso Ryan Ltd. is suing its insurer, Sentinel Insurance Co., for breach of contract and bad faith after it denied its claim for lost billings over the three-month period the documents were frozen by the ransomware infection.

According to the lawsuit, during the time their files were inaccessible, the firm’s 10 lawyers were left unproductive and inefficient — amounting to $700,000 in lost billings.

After paying the Bitcoins, the firm then had to re-negotiate those terms after the initial key to de-crypt their files failed to work. They had to purchase more Bitcoins in exchange for other tools to recover their documents.

Ransomware Develops Into “Valet Thievery” Driven By Phishing Attacks

Attackers are tailoring their demands to their victims, in essence making it a brand of “valet thievery,” said cyber expert Doug White, director of forensics, applied networking and security at Roger Williams University. They might demand $800 from a household, and push that sum into the thousands if they realize they’ve hit a law firm or hospital, White said. The key to the infections is phishing attacks that use social engineering to trick an employee into opening a malicious attachment.

It’s a crime, too, that is vastly underreported, law enforcement agencies say. “The shame of it keeps it from being reported,” White said, as businesses don’t want to sully their image or reveal weakness. “Usually they just pay them off. It’s the cost of doing business.”


Moses Afonso Ryan Ltd. is not alone in falling victim to such a crippling attack. Police departments, town halls, law firms, accounting firms and individuals have been hit across Rhode Island, according to Capt. John C. Alfred, head of the Rhode Island State Police cyber-crimes unit.

“I never tell anyone to buy the ransomware key because it’s sponsoring illegal activity,” Alfred said. He added: “You have to back-up the data beforehand. That’s what you have to do. You’re not going to get that data back. Even if you pay, you might not get the key.” Protecting a network involves everyone in it from a janitor to the CEO, he added.

Dana M. Horton, representing Sentinel Insurance in the lawsuit, also did not immediately respond to an email and a phone call seeking comment. The company has not yet filed a response in U.S. District Court.

White questioned whether the law firm’s suit would succeed, saying it would “open a giant can of poison worms” for the insurance industry. Alfred, too, emphasized that cyber security insurance is a growing field. “Everybody is going to be insuring their data,” Alfred said.

Heads-Up: Cyber Insurance Does Not Pay Out For Human Error

You need to read the fine print in your cyber insurance policy if you have one, or if you are negotiating one. These policies normally do not cover incidents caused by human error, they only pay out for software-related vulnerabilities. This is a gotcha you need to be aware of, because your organization might have a false sense of security.

Capt. John C. Alfred, head of the Rhode Island State Police cyber-crimes unit, is right. You do need to step all employees through new-school security awareness training, from the mail room to the board room!

Full story at Providence Journal.


America was the victim of 34 percent of global ransomware infections in 2016, while only being 4.4 percent of the world’s population.

The “why” is clear; a whopping 64 percent of Americans are willing to pay to get their files back, as opposed to only 34 percent of victims worldwide, per Symantec’s 2017 Internet Security Threat Report.

Surprisingly, Symantec’s results show paying ransom doesn’t guarantee universal results as just 47 percent of global victims who paid up in 2016 reported getting their files back, which is in direct contradiction with our own experience, where we helped dozens of victims with a 95% successful return of all their files.

Note, these were organizations at their wit’s end who found us on the internet and needed help to get their files back after an employee opened an infected attachment, not existing KnowBe4 customers calling us about our Ransomware Guarantee.

Newly discovered ransomware families jumped last year from 30 in 2015 to 101 in 2016. The number of new variants of existing ransomware code, however, dipped. “It suggests that more attackers are opting to start with a clean slate by creating a new family of ransomware rather than tweaking existing families by creating new variants,” the report said.

Infections of consumers at home accounted for 69 percent, but Symantec found that some attackers are executing more sophisticated attacks against businesses, where they silently penetrate the network, move laterally and then encrypt all machines at the same time.

The ransoms themselves also skyrocketed, climbing 266 percent last year, from an average of 294 dollars in 2015 to 1,077 dollars in 2016 helped by a Bitcoin price which is over 1,300 dollars at the time of this writing. The report also showed that attackers have begun customizing individual ransom demands based on the type of data and the volume of files that were encrypted.

Symantec Report Confirmed by Verizon, SANS and NTT

Verizon’s vendor-neutral 2017 Data Breach Investigations Report (in which KnowBe4 participated as a data source) found that ransomware levels in 2016 were up 50 percent over 2015 figures. Verizon also found that the types of attacks targeting organizations vary from sector to sector. For instance, manufacturing has the lowest median DDoS level but the highest level of espionage-related breaches.

The SANS 2016 Threat Landscape survey reported: “Phishing and spearphishing were among the top ways threats enter organizations, which set up a perfect storm for ransomware to blossom. 75% of threats entered via email attachment, 46% malicious link. User education alone is not sufficient. At a corporate level, perimeter protections, including email screening and next-gen firewalls can reduce the volume of malware that can trip up an end user. From there, the endpoint needs every advantage to remain secure – behavior based malware detection, whitelisting, access control and appropriate network segmentation.”

The growing threat was further confirmed by more research from NTT Security’s 2017 Global Threat Intelligence Report, which found that 22 percent of all global incident engagements were related to ransomware, more than any other category of attack.

Of the ransomware attacks observed via NTT Security’s intelligence network, 77 percent were concentrated among four industries – business and professional services (28 percent), government (19 percent), health care (15 percent), and retail (15 percent).

Half of all incidents affecting health care organizations involved ransomware. “This may indicate that attackers have identified health care institutions as a vulnerable target more willing to pay ransom than other sectors,” their report noted.


'Can You Hear Me?' Scam Hooks Victims With a Single Word


Don’t pick up the phone to answer calls from unknown numbers. Instead, let them go to voicemail.

That’s the operational security advice being promulgated to Americans by the U.S. Federal Communications Commission in response to an ongoing series of attacks designed to trick victims into uttering a single word.

The FCC says in a March 27 alert that the scam centers on tricking victims into saying the word “yes,” which fraudsters record and later use to attempt to make fraudulent charges on a person’s utility or credit card accounts.

“The scam begins when a consumer answers a call and the person at the end of the line asks, ‘Can you hear me?’ The caller then records the consumer’s ‘Yes’ response and thus obtains a voice signature,” the FCC warns. “This signature can later be used by the scammers to pretend to be the consumer and authorize fraudulent charges via telephone.”

Fake Tech Support

This isn’t the first time that fraudsters have “weaponized” the telephone.

Scammers have long phoned consumers, pretending to be from a government agency such as the Internal Revenue Service. Another frequent ploy is pretending to be from the support department of a technology firm, such as Microsoft or Facebook, and then trying to get victims to pay for bogus security software meant to fix nonexistent problems on their PC (see Researcher Unleashes Ransomware on Tech-Support Scammers).

Authorities have made some related arrests. Last year, Indian police arrested 70 suspects as part of an investigation into a fake IRS call center scam.

Also last year, the FTC announced a $10 million settlement with a Florida-based tech-support scheme, run by an organization called Inbound Call Experts, also known as Advanced Tech support. The FTC and the state of Florida said the organization ran “services falsely claiming to find viruses and malware on consumers’ computers.”

Researchers Study Scammers

In a recent paper, “Dial One for Scam: A Large-Scale Analysis of Technical Support Scams,” researchers at the State University of New York at Stony Brook described how the tech-support version of these scams work, as well as how they might be disrupted by targeting the infrastructure on which scammers rely.

Screenshot of a technical support scam that mimics a Windows “blue screen of death” to increase its trustworthiness. (Source: “Dial One for Scam”)

“Scammers use specific words in the content of a scam page to convince the users that their machines are infected with a virus,” the researchers say.

The Stony Brook researchers designed a tool called ROBOVIC – for robotic victim – which, over a 36-week period beginning in September 2015, successfully connected to 5 million domains and logged 22,000 URLs serving tech-support scams, spread across about 8,700 unique domain names.

But those 22,000 different web pages used a total of only 1,600 phone numbers, of which 90 percent were connected to one of four VoIP services: Bandwidth, RingRevenue, Twilio and WilTel.

The researchers also phoned 60 scam telephone numbers to log the social engineering tactics – aka trickery – used by scammers. The researchers found that on average, scammers waited until 17 minutes of a call elapsed before offering their services in exchange for money. Most would offer support packages that ranged from a one-time fix to multi-year support, with costs ranging from $69.99 to $999.99. Scammers would typically offer multiple options, then try to persuade victims to pick the middle-priced one, the researchers found.

Freelance attacks appear to be rare. “Through the process of interacting with 60 different scammers, we are now convinced that most, if not all, scammers are part of organized call centers,” the researchers write.

Fake Support is Lucrative

These attacks are relatively easy to launch, inexpensive to run, potentially very lucrative and show no signs of stopping.

Peter Kruse, head of the security group at Danish IT-security firm CSIS, this week warned via Twitter that multiple websites were pretending to be related to the technical support group from Czech anti-virus software developer Avast and urging individuals to call one of the listed phone numbers.

Needless to say, these numbers don’t lead to Avast, which develops free security software that’s used by many consumers. Instead, the numbers go to call centers tied to fraudsters. Avast has repeatedly warned that this a well-worn scam, with attackers often claiming to be connected to Avast, Dell, Microsoft, Symantec or other technology firms.

Advice for Victims

There’s no way to prevent criminals from running these types of scams.

But law enforcement and consumer rights groups have long urged victims to file a report, even if they didn’t suffer any financial damage as a result.

For anyone targeted by the “yes” scam, the FCC recommends immediately reporting the incident to the Better Business Bureau’s Scam Tracker and to the FCC Consumer Help Center. The FCC’s site also offers advice on tools for blocking robocalls, texts and marketing calls.


Anyone who thinks they may have been the victim of phone scammers, for example, by paying for fake tech support, can file a fraud report with their credit card company.

Authorities also recommend they report the attempt to relevant authorities, such as the FBI’s IC3 Internet Complaint Center or to the U.K.’s ActionFraud. Law enforcement agencies use these reports as a form of crowdsourcing, helping them secure funding to battle these types of scams, as well as take them down.


Provided by Data Breach Today


By now, I’m sure we’re all familiar with the infamously insecure Internet of Things (IoT).

If it isn’t routers, web cameras and maybe even printers feeding into the Mirai botnet – the malware that delivered the most powerful distributed denial of service (DDoS) attack in recent history – then it’s a home automation kit from WeMo that could have let attackers get at its Android app and spy on phones.

Belkin has already issued a firmware update to fix the vulnerability.

But the bug finders – Invincea Lab researchers Scott Tenaglia and Joe Tanen – told Forbes that it’s possible to completely kill the update process on already infected devices, meaning that no fix can ever be delivered.

They’re planning to talk about that hack at Black Hat Europe in London this week.

They’ll also be detailing another vulnerability: an old-school SQL injection bug in WeMo remote management interfaces that could lead to getting root – as in, near-total control – of a device.

SQL injection is a popular technique for attacking websites. In this case, the website isn’t on some server somewhere out on the internet but is, rather, an interface provided by the device that allows users to control it (your router probably works the same way).

SQL injection is a very common and very serious form of attack that just refuses to die.

The databases targeted by the SQL injection attack contain rules that control the home automation devices, such as when to turn off a crockpot or specifying that a motion detector device turn on the lights between sunset and sunrise.

The researchers’ talk, scheduled for Friday, is titled Breaking BHAD: Abusing Belkin Home Automation Devices.

They said that the hacks are possible thanks to “vulnerabilities in both the device and the Android app that can be used to obtain a root shell on the device, run arbitrary code on the phone paired with the device, deny service to the device, and launch DoS attacks without rooting the device”.

The WeMo app lets the user assign names to their devices. Before the vulnerability was fixed, the researchers said an attacker on the same network could change that device name to include malicious JavaScript code.

Tenaglia gave ComputerWorld’s SecurityWeek this attack scenario:

The attacker emulates a WeMo device with a specially crafted name and follows the victim to a coffee shop.

When they both connect to the same WiFi, the WeMo app automatically queries the network for WeMo gadgets, and when it finds the malicious device set up by the attacker, the code inserted into the name field is executed on the victim’s smartphone.
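The two bugs described above are old, well-understood classes: a caller-controlled string spliced into a SQL statement over the device's rules database, and a user-chosen device name rendered into the paired app without encoding. The following is an added example written for this page, not Belkin's firmware, app code or database schema; the table, rules and payloads are constructed to show the vulnerable lookup beside its parameterised replacement, and the HTML escaping assumes the name lands in an HTML/WebView context (a different sink would need its own encoder).

```python
"""Constructed model of the two WeMo-style bugs: an unparameterised SQL
lookup over the device's automation rules, and a device name rendered
unescaped into an HTML/WebView context. Added example; not Belkin's
firmware, app code or schema, and the rules below are made up.
"""
import html
import sqlite3


def make_rules_db():
    """In-memory stand-in for the rules database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE rules (
            id     INTEGER PRIMARY KEY,
            device TEXT NOT NULL,
            action TEXT NOT NULL,
            at     TEXT NOT NULL
        );
        INSERT INTO rules (device, action, at) VALUES
            ('crockpot',     'off',       '18:30'),
            ('porch_motion', 'lights_on', 'sunset-sunrise'),
            ('front_door',   'unlock',    'never');
    """)
    return db


def rules_for_device_vulnerable(db, device):
    """Caller-controlled name spliced into the statement text: injectable."""
    sql = "SELECT device, action FROM rules WHERE device = '%s'" % device
    return db.execute(sql).fetchall()


def rules_for_device_fixed(db, device):
    """Bound parameter: the value travels separately from the SQL text, so
    quotes or UNIONs in `device` cannot change the statement's structure."""
    return db.execute(
        "SELECT device, action FROM rules WHERE device = ?", (device,)
    ).fetchall()


def render_device_name(name):
    """Escape a user-chosen device name before it lands in markup that a
    WebView (or any HTML renderer) will parse. Assumes an HTML context;
    a different sink (JS string, SQL) needs its own encoder."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_rules_db()
    # Tautology: returns every rule, not just the requested device's.
    print(rules_for_device_vulnerable(db, "' OR '1'='1"))
    # UNION: reads the schema out of sqlite_master through the same hole.
    print(rules_for_device_vulnerable(db, "x' UNION SELECT name, sql FROM sqlite_master--"))
    # Same payload against the fixed query is just a device name that does not exist.
    print(rules_for_device_fixed(db, "' OR '1'='1"))
    print(render_device_name('<img src=x onerror="alert(1)">'))
```

The tautology payload pulls back all three rules, including the one for a device the caller should never see, and the UNION payload returns the table definition from sqlite_master; the parameterised version returns nothing for either, because the driver never lets the value be parsed as SQL. The same principle applies to the device name: the fix is not to filter "bad" characters out of the name but to encode it for the exact context it is rendered into.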

Invincea Labs first reported the flaws to Belkin on 11 August. Belkin responded the same day and confirmed the vulnerabilities, Tenaglia told eWEEK.

The firmware update for the SQL injection vulnerability went live on Tuesday, said Leah Polk of Belkin. She told Forbes:

Users will see a firmware update notification when they open their app.

We’ve heard about WeMo device vulnerabilities before. In February 2014, IOactive reported that the Belkin devices could be remotely commandeered using the firmware update mechanism.

The day after the news came out, Belkin responded by saying that the issues had already been fixed.

This is one more example of how IoT insecurity so often amounts to vendors not treating their things sufficiently like computers.

Belkin has reacted swiftly to address vulnerabilities, but in this day and age, should we still be confronted with familiar and easily prevented flaws such as SQL injection?

Here once again is a summary of Chester Wisniewski’s take on what’s needed to secure the IoT, from his article about debunking some Mirai botnet myths:

What’s needed is industry standards and best practices, including thoroughly testing devices for security issues before shipping them to consumers, abiding by best practices and making sure that there is a clear mechanism for patching bugs – and that mechanism must include notifying the owner of the device.


Having your network locked down on a need-to-know basis creates a good feeling for security professionals, but one day someone in your company hosts a meeting with an outside vendor. This outside vendor needs access to the internet during the meeting. An instant feeling of panic rushes over you because you didn’t plan for this situation. How do you provide internet service for guests at your company without compromising your network’s treasures? The following are several different options to look into before making a decision. Some of these will apply only to smaller companies, but it is better to hear all the options before going forward.

Create a VLAN (Virtual Local Area Network)

Creating a VLAN to separate guest access from employee access is a viable solution for enterprise-level companies. To effectively partition your network, guest broadcast traffic needs to be confined to its own VLAN on the appropriate switch ports. This essentially creates a separate channel that carries only the traffic from the selected ports. Keep in mind that a VLAN alone only separates traffic at layer 2; wherever the guest VLAN is routed, an access list or firewall rule set still has to stop guest traffic from reaching your internal subnets while letting it out to the internet. Done that way, this method is one of the best, most cost-efficient ways to provide a guest internet connection.

Create a second network

By creating a separate network for guests you can fully ensure that they will not have access to information they shouldn’t. This can be accomplished fairly easily for smaller companies, but it may be more of a challenge at the enterprise level. By connecting additional routers off your main router, you can dedicate them to guest login. Both parties will share the same upstream link, but based on the router’s configuration you can allow guests only basic internet access.

Install a wireless network just for your guests

This last option is more expensive, but it gives the cleanest separation: a whole new wireless network, separate from yours, with its own password to enforce the split. This approach will require you to purchase access points and possibly a wireless LAN controller, depending on the size of your company. If you are a smaller company, connecting your new access points to your existing modem should suffice. If you find yourself in need of a separate wireless LAN controller to create a new partition, the Cisco 2100 series is a good starting point, as it can manage up to six access points.

No matter how you do it, it is important to create that separation between your business and the general public. Keeping guests off your internal network will better protect your company from data leaks, compliance troubles and network breaches. Most of the time it is a cost-efficient change, and in the long run the expense and effort involved are worth far less than the damage attackers could do if unregistered users were allowed onto your internal network services.
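Whichever of the three options you pick, the result is only as good as the rule set at the point where guest traffic meets the rest of the network, and that rule set is worth testing rather than eyeballing. The following is an added example written for this page, not from the article or any vendor: it models a first-match access list on the guest VLAN's routed interface with the Python standard library and checks it against a short list of flows that isolation requires (internal RFC 1918 ranges blocked, DNS and DHCP to the guest gateway allowed, the internet allowed). The topology, addresses and ACL are constructed for illustration, and a deliberately broken variant shows the check catching a "permit any" placed too early.

```python
"""Check that a guest VLAN's ACL really fences guests off from the
internal address space while still letting them reach the internet and
the gateway's DNS/DHCP. Added example; the topology, ACL and addresses are
constructed for illustration, not taken from the article or any vendor.
"""
import ipaddress

# Rules are evaluated top-down, first match wins, implicit deny at the end,
# which is how router/switch ACLs and most firewalls behave.
# (action, destination prefix, destination port or None for any)
GUEST_ACL = [
    ("permit", "192.168.200.1/32", 53),    # DNS on the guest gateway
    ("permit", "192.168.200.1/32", 67),    # DHCP on the guest gateway
    ("deny",   "10.0.0.0/8",       None),  # RFC 1918 internal ranges
    ("deny",   "172.16.0.0/12",    None),
    ("deny",   "192.168.0.0/16",   None),  # also covers other guest hosts
    ("permit", "0.0.0.0/0",        None),  # everything else: the internet
]

# Same rules with the "permit any" moved to the top: a common mistake that
# quietly turns the guest VLAN into a route into the LAN.
BROKEN_ACL = [GUEST_ACL[-1]] + GUEST_ACL[:-1]


def evaluate(acl, dst_ip, dst_port):
    """Return 'permit' or 'deny' for one guest -> destination flow."""
    addr = ipaddress.ip_address(dst_ip)
    for action, prefix, port in acl:
        if addr in ipaddress.ip_network(prefix) and port in (None, dst_port):
            return action
    return "deny"  # implicit deny at the end of every ACL


# What isolation means here; extend with your own internal hosts.
EXPECTATIONS = [
    ("10.1.2.3",       445,  "deny"),    # file server
    ("172.20.5.6",     3389, "deny"),    # RDP to a workstation
    ("192.168.1.10",   22,   "deny"),    # management host
    ("192.168.200.1",  53,   "permit"),  # DNS on the gateway
    ("192.168.200.1",  22,   "deny"),    # but not SSH to it
    ("93.184.216.34",  443,  "permit"),  # public web server
]


def verify_isolation(acl):
    """List every flow whose verdict differs from the expectation (empty = good)."""
    return ["%s:%d got %s, expected %s" % (ip, port, evaluate(acl, ip, port), want)
            for ip, port, want in EXPECTATIONS
            if evaluate(acl, ip, port) != want]


if __name__ == "__main__":
    print("guest ACL problems:", verify_isolation(GUEST_ACL) or "none")
    print("broken ACL problems:", verify_isolation(BROKEN_ACL))
```

The ordering is the whole point: the two narrow permits for the gateway sit above the broad denies, the denies sit above the catch-all permit, and moving that catch-all up produces four failures in the check. The same expectation list can be replayed against a real device by running the flows as packets from a guest port, which is the test that actually proves the separation.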


A single click was all it took to launch one of the biggest data breaches ever.

One mistaken click. That's all it took for a Canadian hacker aligned with rogue Russian FSB spies to gain access to Yahoo's network and potentially the email messages and private information of as many as 1.5 billion people.

The U.S. Federal Bureau of Investigation has been investigating the intrusion for two years, but it was only in late 2016 that the full scale of the hack became apparent. On Wednesday, the FBI indicted four people for the attack, two of whom are rogue FSB spies who work for the division that is supposed to cooperate with America's FBI on cybercrime investigations. (The FSB is the successor to the KGB.)

Kremlin Intelligence Services Overlap With Russian Cybercrime Underworld

One of these two rogues, Dmitry Dokuchaev, was himself recently arrested on what the Moscow press calls “treason” charges for passing information to the CIA. In reality, Dokuchaev started out as a criminal hacker who moved to the FSB but never stopped his old tricks. He was just one of the many criminals working inside Russia’s intelligence bureaucracy, and for personal profit he sold information to intermediaries that ultimately found its way to the CIA.

The investigation exposed rivalries inside the Kremlin intelligence establishment as well as inside the Russian cybercrime underworld with which it overlaps. Dokuchaev was part of the Shaltai-Boltai, a hacker group that exploits stolen data to embarrass and blackmail Russian politicians and business officials.

Here’s how the FBI says they did it:

The hack began with a spear-phishing email sent in early 2014 to a Yahoo employee. It's unclear how many employees were targeted and how many emails were sent, but it only takes one person to click on a link, and that is what happened. It is unimaginable that Yahoo did not sufficiently step employees through new-school security awareness training to prevent disasters like this.

It was all over the press, but CSO had the best story about it, with more detail, background and even video:

We all thought that evil genius Evgeniy Bogachev had retired to the Black Sea with his tens of millions in ill-gotten gains after he became the FBI's #1 Most Wanted cybercriminal. Well, perhaps he ran out of money.

CryptoLocker is back big time. Researchers have spotted a sudden resurgence this year, specifically identifying clusters of attacks in Europe and the U.S.

For people new to the ransomware racket: Russian cybercrime gangs tend to test and debug their campaigns in Europe, and then attack America in full force. CryptoLocker is ransomware's still very potent granddaddy; it pioneered this highly successful criminal business model in September 2013, and hundreds of copycats followed.

In a blog post our friend Larry Abrams from BleepingComputer wrote that the strain — also known as Torrentlocker and Teerac — started its comeback toward the end of January 2017, after being quiet the second half of 2016.

Larry pointed to stats from the ID-Ransomware website which show CryptoLocker infections jumped from just a handful to nearly 100 per day, and then to more than 400 per day by February.


He also confirmed CryptoLocker's recent tsunami with Microsoft's Malware Protection Center, whose telemetry picked up increased attacks against Europe, especially Italy. The phishing emails are designed to look secure and official because they are digitally signed, but that is just social engineering to trick recipients into opening attached .JS files that download and install CryptoLocker.

Check Point Software Technologies confirmed with SC Media that its researchers also observed a sudden rise in CryptoLocker attacks. The phishing emails attempt to trick recipients into opening a zipped HTML file. “The HTML contains a JS file, which pulls a second JS file from an Amazon server, which executes the first one in memory,” said Lotem Finklesteen, threat intelligence researcher at Check Point.

“Then, after pulling two more JS files, CryptoLocker is served to the victim machine and being executed. The vast majority of the infections we observed this week were in the U.S. The second major target was Western Europe, especially Germany,” said Finklesteen.
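The delivery chain Check Point describes (a zipped HTML file whose script pulls a second script from a remote server, or a bare .JS attachment) is a pattern a mail gateway or a SOC triage script can screen for before a user ever sees the attachment. The following is an added example, not code from the original post, Check Point or BleepingComputer. The attachments it inspects are constructed in memory, the host `example.invalid` is a placeholder, and the extension lists are an assumption about what a typical attachment policy would treat as executable.

```python
"""Screen e-mail attachments for the CryptoLocker lure pattern described above:
script files attached directly, or a zipped HTML file whose <script> pulls a
second stage from a remote host.

Added example (not from the original post, Check Point or BleepingComputer).
All sample attachments below are constructed for illustration."""
import io
import re
import zipfile
from typing import Dict, List

# Extensions Windows hands to the script host on double-click (assumed policy list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}
HTML_EXTENSIONS = {".html", ".htm"}

# <script ... src="http(s)://host/..."> inside an attachment: a remote second stage.
REMOTE_SCRIPT_RE = re.compile(
    r"<script[^>]*\ssrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r"<script[\s>]", re.IGNORECASE)


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def screen_blob(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return human-readable findings for one attachment.

    Archives are opened in memory and each member is screened recursively;
    `depth` bounds the recursion so nested archives cannot loop forever."""
    findings: List[str] = []
    ext = _ext(name)
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"{name}: script attachment ({ext}) executes when opened")
    elif ext in HTML_EXTENSIONS:
        text = data.decode("utf-8", errors="replace")
        remote = REMOTE_SCRIPT_RE.findall(text)
        for url in remote:
            findings.append(f"{name}: HTML loads remote script from {url}")
        if not remote and INLINE_SCRIPT_RE.search(text):
            findings.append(f"{name}: HTML attachment contains inline script")
    elif ext in ARCHIVE_EXTENSIONS and depth < 3:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    # Read at most 1 MiB per member so a huge file cannot exhaust memory.
                    payload = zf.open(member).read(1 << 20)
                    findings.extend(
                        screen_blob(f"{name}/{member.filename}", payload, depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{name}: claims to be a zip but is not parseable")
    return findings


def screen_attachments(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Screen every attachment; return only those that produced findings."""
    result: Dict[str, List[str]] = {}
    for name, data in attachments.items():
        hits = screen_blob(name, data)
        if hits:
            result[name] = hits
    return result


def build_sample_attachments() -> Dict[str, bytes]:
    """Constructed samples mirroring the two lures described in the post."""
    # Lure 1: zipped HTML whose script tag pulls a second stage from a remote host.
    html = (b"<html><body>Your invoice is attached.</body>"
            b"<script src='http://example.invalid/stage2.js'></script></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", html)
    # Lure 2: a bare .js file attached directly (inert constructed stub).
    js = b"WScript.Echo('constructed stub');"
    # A benign document, to show that clean attachments produce no finding.
    pdf = b"%PDF-1.4 constructed sample"
    return {"invoice.zip": buf.getvalue(), "scan.js": js, "report.pdf": pdf}


if __name__ == "__main__":
    for name, hits in screen_attachments(build_sample_attachments()).items():
        for hit in hits:
            print(hit)
```

The check is deliberately content-based rather than name-based for HTML: the remote `src` URL is what distinguishes the staged download from an ordinary HTML newsletter, and it is also the indicator worth forwarding to the proxy or DNS blocklist once found.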

Ransomware as a global threat

Microsoft’s Malware Protection Center blog stated: “Ransomware proved to be a truly global threat in 2016, having been observed in more than 200 territories. In the US alone, ransomware was encountered in more than 460,000 computers or 15% of global encounters. Italy and Russia follow with 252,000 and 192,000 ransomware encounters, respectively. Korea, Spain, Germany, Australia, and France all registered more than 100,000 encounters.” Here is their geographic distribution chart.

For help in stopping ransomware in its tracks, contact us today: 317-939-3282




(Chart: RDP attacks in 2017. Picture courtesy Trend Micro.)

Remember the CRYSIS ransomware? The attacks have started up again, mostly targeting U.S. healthcare organizations, using brute-force attacks via Remote Desktop Protocol (RDP).

The number of attacks more than doubled in January 2017 compared with the same timeframe in 2016. This most recent wave hit a wide variety of sectors worldwide, but the U.S. healthcare sector was hit the hardest.

Security researchers at Trend Micro observed that the same cyber mafia that perpetrated the 2016 CRYSIS attacks is behind this recent wave of ransomware attacks, as evidenced by the very same file names and malware placement used earlier.

The problem: User accounts with weak credentials, open RDP ports

The bad guys try to log in to the system using common username and password combos, and once the system is accessed they return multiple times to quickly compromise the machine. Trend Micro found that these repeated attempts were generally successful in a matter of minutes.

A typical infection goes through the following steps. The attacker picks targets with RDP ports reachable from the internet and identifies whether the computer belongs to an enterprise network. Alternatively, the attacker can buy access to previously hacked RDP servers via marketplaces like xDedic.

Once the attacker has purchased or gained access to a computer by brute-forcing the RDP connection with basic username-password combos, they download and then manually execute a version of the CRYSIS ransomware on each hacked computer.


In one case it was observed that CRYSIS was deployed six times, packed in different ways on a single endpoint within ten minutes. The attackers copied over several files and appeared to be experimenting with different payloads to find the best option.

Because there are no default restrictions on shared folders or clipboards, unless the network administrator applies controls these features may be exposed to the internet and accessible to a malicious individual.

What To Do About It:

The best practice for protecting a network from a brute-force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.

An RDP brute-force attempt leaves the attacker's connection details in the targeted network's logs, so you should parse the Windows Event Viewer, find the compromised user account and the attacker's IP address, and block it.
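To act on the advice above, the following added example (not Trend Micro's or the original post's code) runs that detection logic over a constructed one-line-per-event export of Security log records: Event ID 4625 (an account failed to log on) and 4624 (an account was successfully logged on), carrying the Target User Name, Source Network Address and Logon Type fields those events record. It finds source IPs with many failed remote logons inside a short window, lists the accounts they tried, and names any account that IP then logged into successfully. The line format, the threshold of 10 failures in 5 minutes and the IP addresses are assumptions made for the example; a real run would feed it records exported from Event Viewer or collected by a SIEM.

```python
"""Find an RDP password-guessing source and the account it compromised from
Windows Security log events (4625 = failed logon, 4624 = successful logon).

Added example, not Trend Micro's or the original post's code. The log export
format below ('timestamp | event id | key=value | ...') and the sample data are
constructed for illustration; the threshold and window are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
REMOTE_LOGON_TYPES = {"3", "10"}   # Network and RemoteInteractive (RDP) logons


class Event(NamedTuple):
    when: datetime
    event_id: str
    user: str
    ip: str
    logon_type: str


def parse_line(line: str) -> Event:
    """Parse one 'timestamp | id | key=value | key=value ...' record."""
    parts = [p.strip() for p in line.split("|")]
    when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return Event(when, parts[1], fields.get("TargetUserName", "?"),
                 fields.get("IpAddress", "-"), fields.get("LogonType", "?"))


def find_brute_force(lines: List[str], threshold: int = 10,
                     window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Return {ip: {"failures", "accounts_tried", "compromised"}} for every
    source IP that produced >= threshold failed remote logons within `window`,
    plus any account that IP subsequently logged into successfully."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.when)
    recent = defaultdict(list)   # ip -> timestamps of failures inside the window
    total = Counter()            # ip -> all failures seen
    tried = defaultdict(set)     # ip -> account names guessed
    report: Dict[str, dict] = {}
    for ev in events:
        if ev.logon_type not in REMOTE_LOGON_TYPES:
            continue                      # console/service logons are out of scope
        if ev.event_id == FAILED_LOGON:
            total[ev.ip] += 1
            tried[ev.ip].add(ev.user)
            # Sliding window: keep only failures newer than `window`, then add this one.
            recent[ev.ip] = [t for t in recent[ev.ip] if ev.when - t <= window] + [ev.when]
            if len(recent[ev.ip]) >= threshold:
                report.setdefault(ev.ip, {"compromised": []})
        elif ev.event_id == SUCCESS_LOGON and ev.ip in report:
            # A success from a source already flagged as guessing = compromised account.
            if ev.user not in report[ev.ip]["compromised"]:
                report[ev.ip]["compromised"].append(ev.user)
    for ip, entry in report.items():
        entry["failures"] = total[ip]
        entry["accounts_tried"] = sorted(tried[ip])
    return report


def build_sample_log() -> List[str]:
    """Constructed export: one guessing source (203.0.113.45) that succeeds on
    its 13th attempt, and one legitimate user who mistypes twice."""
    base = datetime(2017, 1, 12, 3, 14, 0)
    fmt = "{:%Y-%m-%d %H:%M:%S} | {} | TargetUserName={} | IpAddress={} | LogonType=10"
    lines = []
    guesses = ["Administrator", "admin", "backup"] * 4          # 12 failures in 3 minutes
    for i, user in enumerate(guesses):
        lines.append(fmt.format(base + timedelta(seconds=15 * i), FAILED_LOGON, user, "203.0.113.45"))
    lines.append(fmt.format(base + timedelta(seconds=180), SUCCESS_LOGON, "backup", "203.0.113.45"))
    lines.append(fmt.format(base + timedelta(minutes=1), FAILED_LOGON, "jsmith", "198.51.100.7"))
    lines.append(fmt.format(base + timedelta(minutes=2), FAILED_LOGON, "jsmith", "198.51.100.7"))
    lines.append(fmt.format(base + timedelta(minutes=3), SUCCESS_LOGON, "jsmith", "198.51.100.7"))
    return lines


if __name__ == "__main__":
    for ip, entry in find_brute_force(build_sample_log()).items():
        print(f"block {ip}: {entry['failures']} failures, tried {entry['accounts_tried']}, "
              f"compromised {entry['compromised']}")
```

The output gives the two things the post says to act on: the IP to block at the firewall and the account whose password must be reset. Flagging the source only once it crosses the threshold, and then watching for a 4624 from that same source, keeps a user who mistypes a password a couple of times from being reported.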



Copyright © 2015 - 2018 Sentree Systems, Corp. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282