Category Archives: Cyber Threats

To stop phishing in play, rely on human intuition over technology

Playing to your strengths could be the key to keeping your business safe. Due to obvious financial motivations, banks have always been a primary target for cyber-criminals. But, as much as

The post To stop phishing in play, rely on human intuition over technology appeared first on The Cyber Security Place.

CISOs Hit the Bottle as Workplace Pressures Build

UK and US CISOs are facing burnout as they struggle to cope with escalating cyber-threats, insufficient budgets and a lack of engagement from the board, according to Nominet. The DNS security

The post CISOs Hit the Bottle as Workplace Pressures Build appeared first on The Cyber Security Place.

Could a shutdown ignite insider threats?

The 35-day government shutdown may be on a brief hiatus, but with the temporary deal to fund federal departments slotted to end on Feb. 15, many government workers are worried

The post Could a shutdown ignite insider threats? appeared first on The Cyber Security Place.

Why cybersecurity education matters

The shortage of qualified cybersecurity personnel is visibly apparent, with the number of unfilled cybersecurity roles on the rise. Research shows cyber incidents have increased significantly since 2017 and, according to a recent

The post Why cybersecurity education matters appeared first on The Cyber Security Place.

Cybercriminals increasingly taking aim at businesses

2018 has been the year when cryptominers first dethroned ransomware as the most prevalent threat due to a meteoric spike in Bitcoin value in late 2017, then slowly trailed off

The post Cybercriminals increasingly taking aim at businesses appeared first on The Cyber Security Place.

Social-Engineer Newsletter Vol 08 – Issue 111

Cyber Threats, Are You Trained to Deal with Them?

As every year passes, the cyber threat landscape continues to evolve and, along with it, the need for cyber security awareness training to deal with it increases. This past year was no different. The change is that ransomware declined, crypto-mining rose, and 92 percent of malware was delivered by email, according to a CSO article. It reported that fileless malware is replacing the old .exe files that were attached to emails. Fileless attacks abuse software already installed on the victim’s computer, for example by executing inside a browser plugin or an MS Office macro, or by exploiting vulnerabilities in server programs to inject malicious code. This shift in threats has resulted in 1,027 breaches and over 57 million records being exposed as of the October 31, 2018 Identity Theft Resource Center (ITRC) report. When you see the change and increase in cyber threats, how trained are you and your organization to deal with them?

We see that the threats continue to advance in order to give the cyber criminals the ability to exploit the increased complexity and connectivity of critical infrastructure systems. In addition, cybersecurity risks continue to affect a company’s bottom line by driving up costs, negatively impacting revenue, causing harm to an organization’s ability to innovate, and to gain and maintain customers. With this constant evolution and risk comes a constant need for cyber security awareness training for an organization’s employees. But what makes for an effective training program that both the organization and employees can benefit from? One that will keep the company secure and give it an acceptable return on investment (ROI)? What about those individuals and organizations that can’t run a corporate cyber security awareness training program, what can they do to get training? 

Who should receive training?

Training should be provided to anyone with access to the organization’s infrastructure. This includes new employees, longtime employees, executives, and contractors. If you allow someone access to your infrastructure, they need to receive regular training.  

Why are you doing it?

The way to approach creating a successful cyber security awareness training program is to start by establishing clear and definable goals. If you’re going to do training merely for the purpose of having it or just to check a box in an audit, it is not going to have any lasting benefit for anyone. You need concrete outcomes and it needs to be a part of a long-term plan. Change in security awareness will not happen overnight. 

The purpose of this training is to create a strong security culture that will breed employee engagement. In order for this to work it has to come from the top down, from the CEO all the way down the corporate ladder. To get the buy-in from the C-suite one company performed a team building exercise in which they split the executives into red and blue teams. In a gamified environment, one group performed a denial-of-service attack on the Domain Name Server (DNS) while the other had to figure out how to defend against it. (Sounds fun, right?) Once the executives are involved, all members of the organization will follow.  

Culture Shock.

Remember, making a successful cyber security awareness training program involves changing the culture of the organization into a security-focused culture. Doing a CBT module once a year will not effect change; more is involved. If you were training to be a boxer or an MMA fighter, would you depend on just watching videos before entering a match? Can you imagine the outcome? The same is true of an awareness training program: real-life exposure is needed, such as using a simulation program to send real phishing emails and to do vishing, in addition to doing CBTs.

Everyone in an organization has a stake in keeping it secure. So, even though one person may be the only one officially assigned the task of running the training program, one or more senior leaders need to champion it. This will help build confidence in the program and make it more visible. You can even involve the communications and marketing teams to help you create material and messaging that is engaging and captivating to your audience.

If one is going to influence a change in behavior and culture and allow the training to have a lasting effect, post-training reinforcement needs to be established. Ongoing communications and content should be produced monthly, not just once a year. So, build a catalog of content and available resources, build a portal where newsletters can be posted along with alerts and videos, and make the program fun.

What about the little guy?

Building a successful program takes time and resources. What should an organization do where resources are limited, or individuals who don’t get training from a corporate training program? Where time and resources are limited, start small and grow as your program gains credibility and more resources become available. Use small wins to demonstrate value. There are also plenty of free resources available. Use resources like the Social Engineering Framework, which provides plenty of examples and psychological principles of social engineering attacks, and access to tools such as the Social Engineer Toolkit, which can be used to test the human element in an organization. Another free tool is the community edition of Lucy, which can run basic phishing campaigns. If you want to test your network and your users, you can use the free tools from KnowBe4. Subscribe to industry newsletters, such as this one, and follow blogs such as the blog and the blog that discuss timely information on what is happening in the world of social engineering and how to be cyber security aware.

As a community we can all do our part to help in getting cyber security awareness training to others. One thing I’ve done, to help in training others that may not get the benefits of cyber security awareness training at a company, is to openly discuss phishing, smishing, vishing, and all aspects of social engineering attacks that they need to be aware of with friends and family. The result is that many will come and show me phish they received or tell me about a call they thought was “phishy”. As you get educated, spread the word to others and this will help everyone get some cyber security awareness training.

Social engineering attacks will not be ending any time soon, and they will constantly evolve. Therefore, we will always need regular cyber security awareness training to combat them. Remember, your training program needs to be adaptive when dealing with ever-changing cyber threats, and it needs to continue to train your organization in how to deal with them. What is your program going to look like for 2019? Let us know.

Stay safe and secure. 

Written By: Mike Hadnagy  


The post Social-Engineer Newsletter Vol 08 – Issue 111 appeared first on Security Through Education.

Evolution of Locky – A Cat & Mouse Game


In the on-going game of cat and mouse between cyber attackers and defensive internet security providers, the appearance of a new tactic from the Locky family of Ransomware comes as no surprise.

As we discussed in February this year, Locky targets victims through seemingly legitimate email attachments. Once the victim opens the attachment, the malicious macro begins encrypting the user’s files.

Given the nature of this environment, security experts are constantly working on ways to stop Locky, coming up with solutions that will render it ineffective.

Distribution of the latest attack

In the latest development, cyber attackers have come up with new tactics to bypass security. The malware is still distributed via email attachments, but no longer uses a downloader Trojan. These emails have varying names and subject lines to attract the victim’s attention and usually contain Zip files.

The malware skips the downloader Trojan and fetches the Locky variant in DLL format, which is then executed using the Windows rundll32.exe utility. By using a script file together with a DLL, instead of a Trojan and an .exe, Locky is not immediately detected and blocked, and the ransomware can run its course.

To further ensure its success, cyber attackers have given Locky an added fall-back mechanism: the malware can still complete its actions even when it cannot reach its command and control servers. The weak point of this fall-back is that the encryption key is the same for every computer.

These attacks appear to present in weekly waves and have already targeted victims in North and South America, and Europe, as well as attacks in Africa and Asia.


In order to protect yourself, security experts suggest setting up filters for script files that arrive via email, as well as ensuring your antivirus is up to date. Advanced solutions such as Panda’s Adaptive Defence allow for active classification of every running application by leveraging Endpoint Detection & Response (EDR) technologies. This means that you have a greater chance of defending your network against today’s advanced threats.

The post Evolution of Locky – A Cat & Mouse Game appeared first on

Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document, a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

Attack Process

The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

  1. Target receives and opens a Word document.
  2. Macro in document is invoked to run PowerShell in hidden mode.
  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
  4. On successful connection, the ransomware is written to the disk of the victim.
  5. PowerShell executes the ransomware.
  6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, and runonce registry entries.
  7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
  8. Files are encrypted and messages are presented to the user requesting payment.

Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

PowerShell Abuse

When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

In this case we observed the macro code calling PowerShell to bypass execution policies and run in hidden as well as encoded mode, with the intention that PowerShell would download the ransomware and execute it without the victim’s knowledge.

Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

Cerber in Action

Initial payload behavior

Upon execution, the Cerber malware will check to see where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\<GUID>), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly from the %WINDIR%\system32 folder.

If the malware is launched from the specific aforementioned folder, and after eliminating any blacklisted filenames from an internal list, the malware creates a renamed copy of itself under “%APPDATA%\<GUID>” using a pseudo-randomly selected name from the “system32” directory. It then executes the copy from the new location and cleans up after itself.

Shadow deletion

As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplishes this by launching the following processes with the respective arguments:

Vssadmin.exe "delete shadows /all /quiet"

WMIC.exe "shadowcopy delete"

Bcdedit.exe "/set {default} recoveryenabled no"

Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"

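The launch sequence in Figure 1, the PowerShell flags described under “PowerShell Abuse”, and the four shadow-deletion and boot-recovery commands just listed all leave distinctive process-creation records, so they can be detected as behaviours rather than as file hashes (which, as noted above, this campaign rotated every few seconds). The following Python is an added example written for this page; it is not FireEye code and not part of Exploit Guard. The events it runs over are constructed to follow the eight-step cycle: profilest.exe is the payload name from the article, the encoded command is a placeholder, and every other path, user name and process id is an assumption.

```python
"""
Behavioural detections for the Cerber chain described above, run over
constructed process-creation events. The fields (pid, parent image, image,
command line) mirror a Sysmon Event ID 1 or EDR process-start record.
"""
import re
from typing import List, Set, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts unambiguous parameter prefixes, so -w/-win/-WindowStyle,
# -ep/-ExecutionPolicy and -e/-enc/-EncodedCommand all have to be matched.
PS_FLAGS = {
    "powershell_hidden_window": re.compile(r"(?i)\s-w\w*\s+hidden"),
    "powershell_execution_policy_bypass": re.compile(r"(?i)\s-e\w*\s+bypass"),
    "powershell_encoded_command": re.compile(r"(?i)\s-e(n\w*|c)?\s+[A-Za-z0-9+/=]{20,}"),
}

# Step 7 of the attack cycle: destruction of shadow copies and boot recovery.
DESTRUCTIVE = {
    "shadow_copy_deletion": re.compile(
        r"(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)"),
    "recovery_disabled": re.compile(
        r"(?i)bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
}

# Steps 4 and 5: the downloaded payload runs from a user-writable directory.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Public)\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[dict]) -> List[Tuple[int, str]]:
    """Return one (pid, rule_name) pair for every rule an event triggers."""
    hits = []
    for ev in events:
        pid, cmd = ev["pid"], ev["cmdline"]
        img, parent = basename(ev["image"]), basename(ev["parent_image"])
        # Steps 2 and 3: an Office application has no business starting a script host.
        if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
            hits.append((pid, "office_spawned_script_host"))
        if img == "powershell.exe":
            hits.extend((pid, name) for name, rx in PS_FLAGS.items() if rx.search(cmd))
        hits.extend((pid, name) for name, rx in DESTRUCTIVE.items() if rx.search(cmd))
        if parent in SCRIPT_HOSTS and USER_WRITABLE.search(ev["image"]):
            hits.append((pid, "script_host_ran_binary_from_user_writable_path"))
    return hits


def triggered_rules(events: List[dict]) -> Set[str]:
    """Distinct rules fired on one host; several together indicate the whole chain, not a one-off."""
    return {name for _, name in detect(events)}


# Constructed events following the eight-step cycle (profilest.exe is the name
# from the article; the encoded command is a placeholder, not a real payload).
ENCODED = "QQBCAEMARABFAEYARwBIAEkASgBLAEwA"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = r"C:\Users\alice\AppData\Roaming\profilest.exe"
CERBER_EVENTS = [
    {"pid": 1, "parent_image": r"C:\Windows\explorer.exe", "image": WORD,
     "cmdline": f'"{WORD}" /n invoice.doc'},
    {"pid": 2, "parent_image": WORD, "image": PS,
     "cmdline": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand " + ENCODED},
    {"pid": 3, "parent_image": PS, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"pid": 4, "parent_image": PAYLOAD, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 5, "parent_image": PAYLOAD, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC.exe shadowcopy delete"},
    {"pid": 6, "parent_image": PAYLOAD, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 7, "parent_image": PAYLOAD, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
]
# A benign administrator script: same binary, none of the launch characteristics.
BENIGN_EVENTS = [
    {"pid": 8, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, rule in detect(CERBER_EVENTS):
        print(f"pid {pid}: {rule}")
    print("chain rules:", sorted(triggered_rules(CERBER_EVENTS)))
    print("benign rules:", triggered_rules(BENIGN_EVENTS))
```

Each rule on its own is noisy in a real fleet (administrators do run encoded commands, and backup software does touch shadow copies), which is why triggered_rules() is the value worth alerting on: an Office parent, a hidden encoded PowerShell, a binary run from %APPDATA% and a vssadmin delete on the same host within minutes is the chain the article describes, and no single benign workflow produces all of it.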

People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

Figure 2. A message to the victim after encryption

The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.



Figure 3. Ransom offered to victim, which is discounted for five days

Multilingual Support

As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

Figure 4. Interface provided to the victim to pay ransom supports 12 languages


Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as .ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

Selective Targeting

Selective targeting was used in this campaign. The attackers were observed checking the country code of the host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

The attack also checked the system's keyboard layout to further ensure it avoided infecting machines in the attackers’ geography: 1049—Russian, 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

Anti VM Checks

The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.


Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

  • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
  • The “CommandProcessor” AutoRun key value is changed to point to the Cerber payload so that the malware is launched each time the Windows command interpreter, “cmd.exe”, is started.
  • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
  • Common persistence methods such as run and runonce key are also used.
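The four persistence locations just listed are all visible in a registry export, so an analyst scoping an infected host can check them offline. The following Python is an added example written for this page, not FireEye code or part of HX: parse_reg() reads the text format that Windows’ reg export writes, and audit() flags the screensaver, Command Processor AutoRun and Run/RunOnce entries in the shapes the article describes (a screensaver outside the system directory, a non-empty AutoRun, a Run target inside a GUID-named %APPDATA% directory). The registry key paths are the standard Windows ones; the export content, user name, GUID and target path are constructed for the example. The startup-folder shortcut is not covered, since it lives on disk rather than in the registry.

```python
"""
Audit of the persistence locations described above, run over a constructed
.reg export. parse_reg() reads the text format written by `reg export`;
audit() flags the screensaver, Command Processor AutoRun and Run/RunOnce
entries in the shapes the article describes.
"""
import re
from typing import Dict, List

# Windows keeps its screensavers under the system directory; anything else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "%systemroot%\\system32\\")
# The %APPDATA%\<GUID> directory Cerber copies itself into.
APPDATA_GUID_DIR = re.compile(
    r"(?i)\\AppData\\Roaming\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\")
# First executable-looking path inside a value such as "C:\x\y.exe" /arg.
EXE_PATH = re.compile(r'(?i)"?([a-z]:\\[^"]*?\.(?:exe|scr|dll|bat|cmd|vbs|js))')


def _unquote(s: str) -> str:
    """Decode a .reg quoted string (doubled backslashes, escaped quotes); stops at the closing quote."""
    out, i = [], 1                       # index 0 is the opening quote
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
            continue
        if c == '"':
            break
        out.append(c)
        i += 1
    return "".join(out)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path to {value_name: value}; string values are decoded, other types kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")   # value names containing '=' are not handled
        name = "(Default)" if name == "@" else _unquote(name)
        keys[current][name] = _unquote(value) if value.startswith('"') else value
    return keys


def audit(reg_text: str) -> List[Dict[str, str]]:
    """Flag persistence entries matching the techniques listed above."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        for name, value in values.items():
            m = EXE_PATH.search(value)
            target, n = (m.group(1) if m else None), name.lower()
            reason = None
            if k.endswith("\\control panel\\desktop") and n == "scrnsave.exe":
                if target and not target.lower().startswith(SYSTEM_DIRS):
                    reason = "screensaver_outside_system_dir"
            elif k.endswith("\\command processor") and n == "autorun" and value.strip():
                reason = "command_processor_autorun_set"   # this value is empty on a clean host
            elif k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
                if target and APPDATA_GUID_DIR.search(target):
                    reason = "run_key_target_in_appdata_guid_dir"
            if reason:
                findings.append({"location": f"{key}\\{name}", "target": target or value, "reason": reason})
    return findings


def targets_in_multiple_locations(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """One binary registered in several places: the concurrent-persistence pattern."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["target"].lower()] = counts.get(f["target"].lower(), 0) + 1
    return {t: c for t, c in counts.items() if c > 1}


# Constructed export: user name, GUID and target path are placeholders.
PAYLOAD = r"C:\Users\alice\AppData\Roaming\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\dwm.exe"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\Users\\alice\\AppData\\Roaming\\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\\dwm.exe"
"ScreenSaveActive"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="\"C:\\Users\\alice\\AppData\\Roaming\\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\\dwm.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"dwm"="C:\\Users\\alice\\AppData\\Roaming\\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\\dwm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"dwm"="C:\\Users\\alice\\AppData\\Roaming\\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\\dwm.exe"
'''

if __name__ == "__main__":
    found = audit(SAMPLE_REG)
    for f in found:
        print(f"{f['reason']:38} {f['location']} -> {f['target']}")
    print("registered in several locations:", targets_in_multiple_locations(found))
```

The sample deliberately includes a legitimate OneDrive Run entry under AppData\Local so that the Run-key rule has to be narrower than “anything in AppData”; what makes the constructed dwm.exe entry stand out is the combination the article describes, a system32 file name sitting in a GUID-named %APPDATA% directory and registered in four places at once, which targets_in_multiple_locations() surfaces directly.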

A Solid Defense

Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.


Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

Traditional defenses don’t have the granular view required to do this, nor can they connect the dots between discrete individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has transpired or is transpiring. This can only be done if those professionals have the right tools and visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real time. Also, at FireEye, we go one step further and contact relevant authorities to bring down these types of campaigns.
