Don’t Panic: Simple ways to deal with a risk gone wrong

NOTE: This is a repost of something I initially posted to LinkedIn. I will be consolidating a number of older posts to my blog in the near future. Enjoy.

Have you ever seen someone make a bad decision in traffic, perhaps not paying attention while changing lanes or something similar, avoid an accident, then make up for it by driving like an idiot afterward? Oftentimes this involves speeding up, weaving in and out of traffic and other less-than-careful maneuvers.

I see this happen a lot in my commute in the Florida traffic and often wonder why we as humans, after escaping or recovering from potential disaster, seem to recover by exhibiting even more risky behavior. Full disclosure here, I have been in these shoes myself and looked back at things wondering what I was thinking.

In my IT career I have seen this same phenomenon happen in incident response situations. A mistake is made during the response, and the individual overcompensates and makes poor decisions moving forward. The more the rope unravels, the worse things get.

Ransomware and CEO Fraud (aka Business Email Compromise or BEC) are certainly key concerns in today’s risk landscape. While preventing the incidents through user training is a core competency of my company and a proven method of defense, sometimes a person will accidentally click on the wrong thing. If this does happen, it is important to remain calm and not make the mistake of overcompensating. So what can you do to keep calm in these situations?

First, have a plan. If you make a plan when you are calm, it can keep you from missing steps or overlooking simple things. This plan should identify the risks and include preventative measures, like Security Awareness Training for phishing attacks, and actions in case things do happen.

Second is to have a plan for when you don’t have a plan. There will be times when the unexpected happens and you have not planned for it. The plan can be as simple as reminding yourself to calm down and assess the situation rationally, but should be written down somewhere as part of the process prior to the moment of panic.

Third, communicate clearly with others using as many facts as you can and make it clear when there are assumptions on the table. Your credibility is key to allowing leadership and your team to make correct decisions. It’s OK to mention theories, but make sure the audience knows it is just a theory until it can be proved. Don’t be the source of panic, but instead the voice of reason. This will help your entire team function better and keep you from recovering from one mistake just to make another one.

Keep these things in mind and you can keep cruising along in the fast lane.

Do You Know What Your Cyber Insurance Really Covers?

This is just a reminder to be aware of what is and isn’t covered by your cyber insurance. I highly recommend that you speak with an agent and do a review of the coverages BEFORE it hits the fan. I recently learned that while notification can be the most expensive part of a breach, it’s often not covered by default in the policy. To add to that, cyber insurance is still in its infancy, so coverage is rarely standardized. Don’t blame the insurance companies for this, as it’s a very new type of risk; it’s your job to know, with their help, what you are paying for.

Take for example the P.F. Chang’s breach. The $1.7 million cost of defense against customer lawsuits was covered, but the roughly $2 million in fees and fines imposed by credit card issuers to pay for notifications to cardholders, reissuance of credit cards, and other costs was not. It really pays to know what coverage you have.

American Senior Communities Falls For A W2 Scam. 17,000 Employees Affected

The scam happened in mid-January, but they didn’t realize it until employees started having trouble filing returns in mid-February. This is the third Central Indiana employer in less than a month to fall for W2 scams. Monarch Beverage Co. and Scotty’s Brewhouse also fell for it, with the employee at Monarch having done the same thing last year.

Really Monarch? Twice by the same employee?

Sometimes I just want to shake people until they get it and put training and procedures in place to stop this sort of thing. It’s really not that hard or expensive to implement.

W2 scams are no joke and really mess with the employees. Please be careful when handling this sort of info.


Reducing the fingerprint of the Dionaea honeypot

So, as I go down the path of playing with MHN, I did an external scan of the Dionaea honeypot I recently put up and found that Nmap easily picked out the fact that it was running Dionaea. Since I am working on trying to capture some payloads, I knew I had to do something to disguise it better. I followed this post and was able to change it up. I may look into building this into the deploy package in the near future.

Now I wait.  🙂

Before:

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)

 

After:

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           ProFTPD 1.2.9
22/tcp   open  ssh           (protocol 2.0)
80/tcp   open  http?
135/tcp  open  msrpc?
443/tcp  open  ssl/https?
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s?
3306/tcp open  mysql         MySQL 5.0.54
5060/tcp open  sip           (SIP end point; Status: 200 OK)
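
As an added example (not part of the original post or of the MHN or Dionaea projects): a small check that parses an Nmap service-scan port table and lists the ports whose banner still names the honeypot, so the before/after comparison above can be repeated after each redeploy. The sample rows are an excerpt of the two scans shown in the post; the marker list and function names are assumptions.

```python
import re

# Excerpt of the "Before" and "After" scans shown in the post.
BEFORE = """\
21/tcp   open  ftp          Dionaea honeypot ftpd
80/tcp   open  http?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
"""
AFTER = """\
21/tcp   open  ftp           ProFTPD 1.2.9
80/tcp   open  http?
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s?
3306/tcp open  mysql         MySQL 5.0.54
"""

# Assumed marker strings, taken from the banners in the "Before" scan.
MARKERS = ("dionaea", "honeypot")
# PORT/PROTO  STATE  SERVICE  [VERSION...]
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def by_port(name):
    return int(name.split("/")[0])

def parse_ports(text):
    """Return {"port/proto": (service, version)} for open ports."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(3) == "open":  # skips headers and blank lines
            ports[f"{m.group(1)}/{m.group(2)}"] = (m.group(4), m.group(5).strip())
    return ports

def fingerprinted(ports):
    """Ports whose service or version text contains a marker string."""
    hits = [p for p, (svc, ver) in ports.items()
            if any(mk in f"{svc} {ver}".lower() for mk in MARKERS)]
    return sorted(hits, key=by_port)

def changed(before, after):
    """Ports whose service/version identification differs between scans."""
    return sorted((p for p in before if before[p] != after.get(p)), key=by_port)

if __name__ == "__main__":
    b, a = parse_ports(BEFORE), parse_ports(AFTER)
    print("identified before:", fingerprinted(b))
    print("identified after: ", fingerprinted(a))
    print("changed:          ", changed(b, a))
```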

Erich’s “What in the (cyber security) world is going on?” 02-23-17 edition

As usual, things in the cyber social engineering and ransomware world are moving along hot and heavy. W2s are the hot topic for a lot of people right now as they are a hot item with the scammers. Watch yourself and keep your company safe. At least let them know that this is happening.

So, having said that, let’s start the recap!

Trend Micro Ransomware File Decryptor Covers a Decent Number of Strains

While not perfect, this is a nice little tool to have in the toolbox just in case. I haven’t tried it personally, but it is said to decrypt files infected from the list below. Keep in mind there are some issues with certain strains, such as CryptXXX V3 and CERBER, so be sure to read the instructions and notes before proceeding. Hopefully you will never need this, but if you do, good luck.

 

Phishing attack nabs hospital employees’ W-2 info

Citizens Memorial Hospital got hit with a W2 scam. This is really big this time of year, folks. Be careful with sensitive information. I have seen a number of orgs, many of them school districts, hit with the W2 scams this year. Protect this info please.

Bingham County Idaho taken down by ransomware

Another county has been taken down by ransomware. The ransom demand here is $25-$30k via Bitcoin or Western Union.

“Every department in the county is affected in some way,” says Bingham County Commissioner Whitney Manwaring. “Phone systems, computer systems, everything. Some departments are handwriting documents.”

The IT staff thought the infection had been cleaned up, but a redundant backup server was infected again, leading to the county going offline. “We had all kinds of firewalls in place to prevent these kinds of things from happening,” Manwaring told EastIdahoNews.com. “To prevent this from happening again there will likely be several more firewalls and more training for staff using county computers.” More firewalls? Really? I’m not sure if this was misquoted by the press, or if the County Commish was just not familiar with the terms, but firewalls do very little to stop ransomware. Perhaps they are going to do a better job segmenting the network, though, and the staff training is a good idea.

Watch Dogs 2 New DLC Has a Ransomware Storyline

This may be the first time I’ve seen ransomware in a video game. It’s kind of telling as to how mainstream it’s becoming. I can’t speak for the game as I’ve never played it, but the premise of a ransomware-fueled story mission is interesting. For those that do play, it’s supposed to be available March 23rd. Let me know how it is.

Office Inbox Receives 6.2X More Phishing And 4.3X More Malware Than Your Inbox At Home

While this doesn’t mean you should let your guard down at home, it does mean that attacks are focused on organizations more than individuals. Interestingly enough, companies active in real estate were the most targeted with malware, while organizations active in Finance, Entertainment and IT were the most targeted by phishing as of Q1 2017.

Names, SSNs and W-2s of current and former employees of Lexington Medical Center lost in data breach

The names, SSNs, and W-2s of current and former employees at Lexington Medical Center are the latest victims of a data breach. They say no patient information was lost and it appears the attack was on the org’s PeopleSoft database. This comes on the heels of a Lexington Co. School District suffering a breach in January where, once again, W2s were lost.

Things are picking up on my Kippo server

I’ve been playing around with MHN (Modern Honey Network) and some honeypots this week. I appear to have got Kippo running OK on my home network and just bought a server at www.cloudatcost.com (for $17.50 to own it forever, it was a no-brainer) where I will add another node. I just knocked out a Snort instance on the Kippo box and will wait to see if it reports. I find it fascinating how quickly things get scanned. If you have any tips or tricks for MHN or honeypots in general, let me know please.

Have a great week and stay safe out there!