So one of my clients has finally taken heed to what i told them a long time ago about having domain admin rights on their day-to-day account. Perhaps this article i sent them (thanks ASB) scared them LOL It's a small place, 2 sites, about a dozen servers (w2012, Exchange, 2X, 3CX, Citrix, timesheets, etc...) and ~50 desktops They finally came to their senses and realized, running as a domain admin , just may not be in their best interest, hence my question; Is it better to;A) create specific accounts for these functionsorB) delegate ? The only AD functions they do are , create user/exchange accounts, password resets, account unlocking, the occasional kicking out of a hung Citrix/2X/TS session, and maybe a reboot of server here and there. TIA
From: [email protected] To: [email protected] Subject: RE: [NTSysADM] Fwd: FW: Heads Up! New Hybrid Ransomware Replicates Like A Virus Date: Tue, 9 Dec 2014 16:37:24 +0000 I am going to assume it installs in appdata like the rest and not worry about it. J From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker Sent: Tuesday, December 9, 2014 11:23 AM Subject: [NTSysADM] Fwd: FW: Heads Up! New Hybrid Ransomware Replicates Like A Virus Hopefully, it's not coming to a computer near you... ASB http://XeeMe.com/AndrewBaker Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market… From: CyberheistNews [mailto:[email protected]] Sent: Tuesday, December 09, 2014 9:48 AM Subject: Heads Up! New Hybrid Ransomware Replicates Like A Virus Heads Up! New Hybrid Ransomware Replicates Like A Virus Email not displaying correctly? View Knowbe4 Blog. CyberheistNews Vol 4 #47 Dec 2, 2014 Heads Up! New Hybrid Ransomware Replicates Like A Virus Here is a powerful piece of ammo to get (more) IT Security budget. SophosLabs labs' blog reported about a new Ransomware strain with a difference - this one is a true self-replicating parasitic virus! They call it VirRansom. This new strain is a hybrid that combines CryptoWall-like functionality with active self-replicating virus infections of all files it can find. And like the cybercrime Reveton family of malware, it locks the PC's main screen demanding 0.619 Bitcoin to let you back in. Yikes. Let me quote Sophos for a moment: "Worms vs. Parasitics: Most worms leave you with one, or perhaps a handful, of infected files that weren't there before and need to be deleted. "Parasitic viruses, in contrast, may leave you with hundreds of infected files on each computer, or thousands, or more. If you leave even one of those infected files behind after a clean-up, the infection will start up all over again. "Worse still, the infected files can't just be deleted, because they are your own files that were there before the infection started. That makes cleanup much trickier." The good news: The file encryption is not as advanced as CryptoWall, as the key to decrypt the files is contained in the malware itself. Your antivirus should soon be able to decrypt the files and restore them, unless the bad guys are constantly changing the encryption keys in which case it may take a day or more before your AV catches up. The bad news: This is a full-fledged virus which will spread across your network and doing a less than perfect job on the disinfection can easily lead to reinfection of your whole network. CryptoWall-encrypted files that you can't or don't decrypt are harmless garbage forever, but you can delete them. With VirRansom, files that you don't decrypt are still recoverable, but also still actively infectious. It gets nastier all the time. You can expect a VirRansom 2.0 soon where they might implement "new features" like industrial-strength encryption like CryptoWall where you only get the decryption keys after payment, and things like infection of your email server, where emails are converted to a worm for maximum dissemination of their malcode. (Think about the legal ramifications of something like this.) You can mitigate these types of threats through both technical measures and enforcing security policy. First some technical approaches: · The very first thing you need to do is test the Restore function of your backups and make sure it works. And have a full set of backups offsite. · Start thinking about asynchronous real-time backups so you can restore files with a few mouse clicks. · Get rid of mapped drives and use UNC links for shared folders. · Whitelisting software, which only allows known-good executables to run, starts to look more attractive by the month. Looking at the security policy angle, it's time to enforce best practices, and one of those is of course prevent these types of infections to begin with, through effective 5-th generation security awareness training, as the infection vector is your end-user opening up an attachment or clicking on a link. Find out how affordable this is for your organization. Get a quote now: http://info.knowbe4.com/kmsat_get_a_quote_now Shipping Problem Phishing Attacks - Here Is How They Look Last CyberheistNews issue, we warned that Black Friday and Cyber Monday were behind us, and that criminal hackers have a "scam calendar" which focuses on major shopping events exactly like this. Here are 4 actual examples of these online e-commerce order or package shipment phishing attacks that have come in over the last week. The first one is a bogus Home Depot order that they want you to click on and make your PC into a botnet zombie. Images at the full blog post here: http://blog.knowbe4.com/shipping-problem-phishing-attacks-here-is-how-they-look How Was Sony Pictures Hacked? Kevin Mandia, who was hired as the forensics expert wrote in a letter to Sony's CEO that the breach was unprecendented, well-planned and carried out by an "organized group". It's the most destructive cyber attack reported to date against a company on U.S. soil. As Terabytes of data were exfiltrated, there will be a treasure trove of confidential data which will be leaked over the next weeks or months. But how was Sony hacked? The Grugg recently tweeted: "Well, pretty much every single hacked network in the news can be summarized: 'It started with an email...'" I would not be surprised if this was the case with Sony as well. While security experts have been able to test the wiper malware employed against Sony Pictures Entertainment, they say they have not yet exactly determined how the malware infected Sony in the first place. "My educated guess would be that someone was targeted [with] a spear phishing e-mail, which granted access to a system," Tom Chapman, director of the cyber-operations group at cybersecurity firm EdgeWave, tells Information Security Media Group. "The hacker(s) then escalated privileges and took control of the mail server and possibly the Active Directory. From there, the hackers owned the system." The attackers appear to have had an edge, in that they seem to be very familiar with Sony's network topology. "We have been investigating the attack and discovered new pieces of malware that are likely related to the same attackers," says security researcher Jaime Blasco, labs director of security management and threat intelligence vendor AlienVault. "From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony's network and even credentials/usernames and passwords that the malware uses to connect to system inside the network." The North Koreans are highly likely to blame. You might think that a country that has problems delivering enough electricity to its citizens would not be that sophisticated, but their hackers are trained by the Russians and the Chinese and Pyongyang runs some of its hacking operations out of a luxury hotel in nearby Shenyang, China. It is obvious that Sony's defense-in-depth security policy was deeply flawed in either incorrectly stating the right procedures or failing to enforce them. Not having the breach detection tools in place to spot terabytes of data leaving the building is another epic fail. More: http://www.cuinfosecurity.com/sony-hack-destover-malware-identified-a-7638 Warm Regards, Stu Sjouwerman You can read CyberheistNews online at our Blog! http://blog.knowbe4.com/cyberheistnews-vol-4-47-new-hybrid-ransomware-replicates-like-a-virus Copyright © 2014-2015 KnowBe4 LLC, All rights reserved. Our mailing address is: 601 Cleveland St. Suite 930, Clearwater, Florida, 33760
