CyberheistNews Vol 10 #22 [Scam of the Week] Microsoft Warns to Look out for This Massive Covid-19 Excel Phishing Attack




CyberheistNews Vol 10 #22
[Scam Of The Week] Microsoft Warns To Look Out For This Massive Covid-19 Excel Phishing Attack

Microsoft this week warned about a massive phishing attack that started on May 12. The campaign sends emails that look like they are from the "Johns Hopkins Center", and they have an Excel attachment that claims to be US deaths caused by the Coronavirus.

If your user opens that infected "Excel doc", the file downloads a macro and runs the NetSupport Manager Remote Admin Tool. This is actually a legit remote support product, but it can also be used for criminal purposes, specifically to download malware on a targeted device. When installed, it allows the bad guys to gain complete control over the infected machine and execute commands on it remotely.

In a series of tweets, the Microsoft Security Intelligence team outlined how this massive campaign is spreading this tool. The Excel document contains malicious macros, and will prompt the user to 'Enable Content'. Once clicked, the macros will be executed to download and install the NetSupport Manager client from a remote site.

"The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines," Microsoft tweeted.

Short Technical Background

In this particular attack, the NetSupport Manager client is masquerading as the legitimate Desktop Windows Manager and executable will be saved as the dwm {dot} exe file under a random %AppData% folder and launched. The bad guys will use the NetSupport Manager RAT to further compromise the user's machine by installing other malicious tools and scripts.

The NetSupport RAT used in this campaign further drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. It connects to a C2 server, allowing attackers to send further commands, Microsoft explained.

What to Do About It

If you have any users that infected their machines you should operate under the assumption that their data has been compromised and that the threat actor attempted to steal their passwords. It is of course also possible that the threat actor used the infected machine to spread laterally throughout your network as a preparation for a full-network ransomware infection. Depending on the circumstances and your configuration, do a network-wide scan to prevent lateral penetration.

Whatever COVID ruse is being used, your users will wind up with either infected workstations at the house or in the office, giving out personal information or unleashing ransomware on your network. Give them a heads-up that especially now they need to stay on their toes with security top of mind.

I would send your employees, friends and family something like the following. Feel free to copy/paste/edit.

"This week, Microsoft warned about a massive phishing attack that looks like it is from Johns Hopkins University and has an Excel attachment which claims to have stats about the number of coronavirus deaths in America. If you open that attachment and click on 'Enable Content', it will download software that allows cybercriminals to take over your computer and steal confidential information. So don't open any Excel files from Johns Hopkins! NOTE: there will be more scams like this, so please remember to always Think Before You Click!"

For KnowBe4 Customers, there are now 64 different Coronavirus-themed templates you can use to inoculate your users against this type of attack.
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft Office 365 to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, May 27 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft Office 365
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, May 27 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2319638/06AA55E46F099ADDA80F5426240C9AB9?partnerref=CHN3
The Three Pillars of the Three Computer Security Pillars

This is a Guest Column by Roger Grimes. KnowBe4's Data-Driven Defense Evangelist.

Much of the world, or at least the United States, is coalescing around the NIST Cybersecurity Framework. It’s a pretty good one to follow out of the many dozens that have been proposed over the decades. My only major problem is that it doesn’t tell you which controls matter more than others.

For example, since social engineering and phishing account for 70% to 90% of all malicious breaches and unpatched software accounts for 20% to 40% of attacks, I wish the framework’s recommendations spent far more time on those two issues and related controls.

At the very least, every cybersecurity plan should first model the most likely risks and then map the proposed and implemented controls against the most likely threats first and best. It’s insane that the majority of cybersecurity defenses essentially put the cart before the horse and just start mapping out controls without any real consideration of what the actual risks are. But I digress…and I wrote a whole book on the subject, A Data-Driven Computer Defense.

Even if the NIST Cybersecurity Framework isn’t perfect, it’s nice to get some general agreement about which framework to model our own security policies around. But in order to think about what I need to do and propose, I like to consolidate as much as possible.

The NIST Cybersecurity Framework has five pillars – Identify, Protect, Detect, Respond, and Recover. That’s too many for me to remember and map to.

Three Security Defense Pillars

When I think about computer security defenses, I have three control objectives in my head:
  • Prevent
  • Detect
  • Recover
I want to prevent bad things from happening to an environment I manage. If bad things get past my preventative controls, I want early warning and detection of those things to mitigate damage. And I have to recover from the attack and figure out how to prevent it next time. Everything in my planning looks at computer security using these three pillars of security defenses.

When I learn of a risk or threat, I first ask myself, what is the true severity of the risk? One-quarter to one-third of all risks are ranked by someone as High/Critical. Considering that we have well over ten thousand different risks each year, that equates to thousands of supposedly high-risk threats we need to respond to.

And it’s just not true. The average organization gets threats that try to exploit one to two dozen different types of risks each year. The most likely ones are the ones you need to mitigate first and best.

CONTINUED:
https://blog.knowbe4.com/the-three-pillars-of-the-three-computer-security-pillars
[Live Demo] Prepare Your Organization to Work From Home More Securely With Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense especially when working from home.

Join us Wednesday, June 3 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

See how easy it is to train and phish your users:
  • Train your users with access to the world's largest library of 1000+ pieces of awareness training content including 300 training resources on work from home scenarios.
  • Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • Assessments allows you to find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 32,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, June 3 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2374887/73F0BF8C068D55B7A953A4AC1B35E8E5?partnerref=CHN1
Scammers Exploit Rollout of COVID-19 Contact-Tracing Apps

An SMS phishing campaign is telling people they’ve come into contact with someone who’s contracted COVID-19, Computing reports. The UK’s Chartered Trading Standards Institute (CTSI) warned that the text messages try to scare recipients into handing over their personal information.

“Someone who came in contact with you tested positive or has shown symptoms for Covid-19 & recommends you self-isolate/get tested,” the messages say.

The messages contain a link to a website that asks the user to enter personal details. The scammers then use this information to attempt to commit identity theft or break into victims’ bank accounts.

The UK is testing a contact-tracing app on the Isle of Wight and plans to release the app nationally later this year. CTSI’s Lead Officer Katherine Hart said these types of scams can be expected to increase as contact-tracing apps are rolled out.

“We have witnessed a surge in COVID-19-related scams since lockdown began,” Hart said. “This evidence is yet another example of scammers modifying their campaigns as the situation develops. I am especially concerned that scams themed around the contact tracing app are already appearing, even though the official NHS app has only been released in a limited testing phase on the Isle of Wight.

These texts are a way to steal personal data and may put the bank accounts of recipients at risk. If anyone receives texts or other kinds of messages like this, they should not click on any accompanying links, and report them to Action Fraud.”

People are more likely to pay attention to these scams since they take advantage of plausible scenarios that could happen to anyone. The scams are even more compelling because people are concerned about their health and the safety of their loved ones.

New-school security awareness training can teach your employees to remain calm and level-headed when faced with scams designed to scare them.

CONTINUED:
https://blog.knowbe4.com/scammers-exploit-rollout-of-covid-19-contact-tracing-apps
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk management modules, transforming KCM into a full SaaS GRC platform!

Join us Wednesday, June 3 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements within your organization and across third-party vendors and ease your burden when it's time for risk assessments and audits.
  • NEW! Demonstrate overall progress and health of your compliance and risk management initiatives with custom reports.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, June 3 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2374840/046A2EF31FBF6D67B3308CDF31932299?partnerref=CHN1

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc


PS: Robert Lemos has a thought-provoking article at Dark Reading that you will probably like:
"Security & Trust Ratings Proliferate: Is That a Good Thing?":
https://www.darkreading.com/attacks-breaches/security-and-trust-ratings-proliferate-is-that-a-good-thing/d/d-id/1337893
Quotes of the Week
"A man sees in the world what he carries in his heart."
- Johann Wolfgang von Goethe (1749-1832)

"The only real failure in life is not to be true to the best one knows."
- Buddha (563 - 483 BC)



Thanks for reading CyberheistNews

Security News
Preying on the Unemployed

An SMS phishing campaign has been exploiting the COVID-19 crisis by spoofing the website of a job placement agency, the New York Daily News reports. The scammers set up a website that convincingly spoofed a legitimate site belonging to ABS Staffing Solutions, then sent out texts with a link to the site.

The website asked victims to enter sensitive personal information, which would be sent to the scammers. The fraudsters would also contact the victims to draw them into more targeted scams.

ABS Staffing Solutions’s CEO Ariel Schur told the Daily News that she learned of the scam when people started messaging her asking if the jobs were legit.

“Whoever the scammer is would send a text message from a 1-800 number, and there was no number to text back. It would just relay that we have an immediate opportunity,” she said. “The text message would have the dummy link, and I’m sure multiple people just clicked on it and adhered to whatever information was requested.”

The site’s hosting provider has taken the site down, but the scammers are apparently still active. Schur said she’s still getting questions from job seekers about suspicious text messages offering non-existent jobs.

Schur added that at least one person—a woman in Florida—fell for the scam, and handed over her Social Security number, date of birth, and address. After this, the scammers contacted the victim and told her she’d been hired as an executive assistant at a real property management firm in New Jersey.

They then tricked her into transferring her own money to a phony client. The victim didn’t realize she’d been scammed until she received her first paycheck (sent by the scammers), and the check bounced.

People should be suspicious about any unsolicited communication, particularly if it asks them to do something like visit a website or open an attachment. They should dismiss such messages as scams if they’re offering something that seems too good to be true. New-school security awareness training can teach your employees to avoid falling for these types of social engineering tactics.

The New York Daily News has the story:
https://www.nydailynews.com/coronavirus/ny-coronavirus-scam-phishing-job-placement-unemployed-personal-info-20200509-ophxfnhp2beivfgfpvc46d66p4-story.html
Training Is Necessary to Thwart Creative Criminals

Cybercriminals are constantly thinking of new ways to outsmart people online, according to Neill Feather, Chief Innovation Officer and co-founder of SiteLock.

On the CyberWire’s Hacking Humans podcast, Feather discussed how cybercriminals are taking advantage of coronavirus-related product shortages. One example he cited was criminals setting up scam sites that purport to sell things like hand sanitizer and toilet paper.

They’re then abusing search engine optimization to push their sites to the top of search results. When consumers can’t buy these products from a familiar online retailer like Amazon, they search the Internet for another source and end up on the scammer’s site.

“I think, you know, one thing that this current crisis really proves to us is that there's no shortage of creativity in the cybercrime market,” Feather said. “Wherever there's a financial incentive for people to attempt these types of cybercrimes, they're going to get creative as they can. So, you know, from our standpoint, as a provider of security services and products, you know, we are always looking for, you know, new attempts and new attacks out there. I'd love to say that we have a 100% solution. I think with the amount of creativity and the amount of changes and the millions of new variants that are happening every day, there's, unfortunately, no 100% solution out there.”

Feather added that organizations can tackle this problem by layering their defenses to reduce the chances of an attack succeeding.

“What is useful, though, is trying to attack it from as many different avenues as possible,” he said. “So, protecting your digital assets, protecting your employees and, you know, making sure that you are staying as far ahead of the curve as you can, as a business owner, will help mitigate that risk.

I would just advocate for folks to be careful out there and make sure that they're educating themselves.”

He also stressed that organizations need to understand how important their employees are in preventing breaches. “One of the things that I think gets missed sometimes is how frequently, for a small business, employees are at the center of breaches,” Feather said.

“One stat I've seen recently is about two-thirds of breaches that involve small businesses were caused by an employee or a contractor's negligence. So making sure that your employees are up to speed and trained is just a really important thing that's often overlooked because there's so much else going on.”

Employee education is a necessary component of any organization’s defense-in-depth strategy. New-school security awareness training can turn your employees from potential risks into security assets.

The CyberWire has the story:
https://thecyberwire.com/podcasts/hacking-humans/99/transcript
Biases People Take Home With Them

Employees will naturally follow their cognitive biases unless organizations proactively engage them in security processes, according to Georgia Crossland, a Ph.D. researcher at Royal Holloway’s Centre for Doctoral Training in Cyber Security.

In an article for Infosecurity Magazine, Crossland describes two common cognitive biases that can increase an organization’s cyber risk. The first is optimism bias, and the second is fatalistic thinking.

“Optimism bias is sometimes used interchangeably with ‘overconfidence’, and refers to the phenomenon whereby individuals believe they are less likely than others to experience a negative event,” Crossland says. “This particular bias is said to transcend age, race and gender....

A recent poll of 2000 remote workers by Promon revealed that 77% said that they weren’t worried about security while working at home. This also extends to organizational contexts, where individuals believe their own organization to be at relatively lower risk to information security threats than other competitor organizations.”

Fatalistic thinking, meanwhile, is when employees content themselves with the idea that cyberattacks will occur no matter what they do, so there’s no point in worrying or wasting time and effort on preventative measures.

“Fatalistic thinking refers to an outlook where individuals may believe they have no power to influence risks personally, as risks are controlled by external forces,” Crossland says. “In information security, this might mean believing there is nothing you can personally do to prevent a phishing attack, because you’re going to fall victim to a phishing attack anyway.

Or believing that everything is ‘hackable’ and so there’s little point in protection efforts. This feeling may augment with home working, as employees are distanced from usual organizational support.“

Crossland explains that while these two mindsets seem incompatible with each other, a person can simultaneously “be optimistic about their own risk and believe that they have no power to reduce the risk anyway.” She adds that there are ways to overcome both of these biases if people are aware of them.

“It may help to take a ‘human as a solution’ approach to information security,” she writes. “In information security, humans are often viewed as the biggest issue. Therefore, efforts are made to exclude and control them. This removes the opportunity for individuals to contribute to their organization’s cybersecurity.

It is really no surprise individuals demonstrate perceptual biases if they are made to feel like the weakest link. Instead, organizations should learn from and involve employees in information security.”

Crossland adds that organizations should be mindful of these biases when they provide training for their employees.

“Understanding biases may also help organizations tailor information and training,” she concludes. “Training people to understand and cope with the risk should be at the forefront. Especially in the case of fatalistic thinking, organizations might endeavor to remove fear appeals as a method for communication, and increasing feelings of morale and employees’ abilities to cope with threats.”

These biases arise when people are scared or feel as if there’s nothing they can do. New-school security awareness training can give your employees a realistic idea of the threats they face and the measures they can implement to protect themselves.

Infosecurity Magazine has the story:
https://www.infosecurity-magazine.com/next-gen-infosec/biases-perceptions-threats/
What KnowBe4 Customers Say

"We just had the demo with our customer and were seriously impressed with Charlie Hollinrake.

His structure was fantastic, lead onto everything very smoothly, giving enough information on each piece without lingering too long on anything that it became boring.

He had lots of information about every question that was asked off the top of his head, including some about a few very niche questions. Very impressed, as was the customer.

I think because of how he presented it, the customer is now interested in the diamond package that you offer, and he’s considering the second. He was extremely engaged with the customer had there were lots of opportunities for questions.

He gave a real life example of a phishing email using my email address which I thought was really effective too. I think the customer thought so too.

Overall a really stellar job. The customer even said at the end how impressive the de
mo was and was keen to get to the next steps!
Would you be able to let Charlie’s manager know of what a great job he did?"

- C.B., Security and Networking Specialist



"Quick feedback: PhishRIP IS AMAZING and it fills the gap in my e-mail security that I’ve had for a long time."

- C.A., IT Support Specialist

The 10 Interesting News Items This Week
    1. Iran Struck First. Israel Retaliated Massively. Behind the Cyber War Rattling the Middle East:
      https://www.haaretz.com/israel-news/.premium-iran-struck-first-then-israel-retaliated-behind-the-cyber-war-rattling-the-mideast-1.8858292

    2. [BRAVE] GitLab runs phishing test against employees - and 20% handed over credentials:
      https://siliconangle.com/2020/05/21/gitlab-runs-phishing-test-employees-20-handing-credentials/

    3. This Service Helps Malware Authors Fix Flaws in their Code:
      https://krebsonsecurity.com/2020/05/this-service-helps-malware-authors-fix-flaws-in-their-code/

    4. Fraudulent Unemployment, COVID-19 Relief Claims Earn BEC Gang Millions:
      https://threatpost.com/fraudulent-unemployment-covid-19-relief-claims-earn-bec-gang-millions/155925/

    5. FICO Survey Shows 21% of People Reuse Five or Fewer Passwords on Multiple Services:
      https://www.fico.com/blogs/fico-digital-banking-study-security-and-authentication-digital-world

    6. Cybersecurity makes World Economic Forum’s top 10 Covid-19 global fallout list:
      https://www.scmagazine.com/home/security-news/news-archive/coronavirus/cybersecurity-makes-world-economic-forums-top-10-covid-19-global-fallout-list/

    7. REvil hackers continue to wrack up high-profile targets with ransomware attacks:
      https://www.darkowl.com/blog-content/revil-hackers-continue-to-wrack-up-high-profile-targets-with-ransomware-attacks

    8. Chinese hackers suspected of stealing details of 9 million easyJet customers:
      https://www.bbc.com/news/technology-52722626

    9. COVID-19 contact tracing text message scams:
      https://www.consumer.ftc.gov/blog/2020/05/covid-19-contact-tracing-text-message-scams

    10. 60% of Insider Threats Involve Employees Planning to Leave:
      https://www.darkreading.com/risk/60--of-insider-threats-involve-employees-planning-to-leave/d/d-id/1337876
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews