CyberheistNews Vol 10 #23 [Eye-Opener] More Than Half of Your Employees Cut Security Corners When They Work Remote


More than half of your employees are cutting corners with regards to cybersecurity while working from home, putting your organization at risk. The coronavirus pandemic has forced all of us to quickly adjust to remote working and new research shows that workers are taking more risks online and with data than they would at the office.

At the core of the coronavirus crisis looms the reality that most organizations did not prepare for a "black swan" scenario where all employees would be working from home for an extended period of time, says Richard Bird, the chief customer information officer at Ping Identity.

54% of employees say they find workarounds

New results from email security company Tessian's survey of 2,000 American and British employees — as well as 250 IT decision-makers — found that 35% of employees take company documents and data with them when they leave a job. Despite 91% of IT leaders trusting them to do so, 54% of employees say they find workarounds when security policies prevent them from completing tasks.

Another report provides similar results. The "Digital Guardian Data Trends Report" paints an increasingly dire picture for organizations, with an increasingly mixed set of devices accessing their servers from home networks and hard-to-monitor employee data security practices.

Employees copied company data to USB drives 123% more

According to the Digital Guardian report, covering financial services, manufacturing, healthcare, and other businesses, employees copied company data to USB drives 123% more than before the pandemic's onset, with 74% of that data marked as "classified." Data egress over email, USB, and cloud services leaped 80%, with more than 50% of that data marked as "classified."

Accompanying the spike in data copying is a 62% increase in malicious activity on corporate networks and servers, with a 54% bump in incident-response investigations. A related data point in Verizon's new 2020 DBIR report also states that financial gain drives 86% of data breaches, up from 71% in 2019.

According to Tessian's The State of Data Loss Report, some of the top reasons employees aren't completely following the same safe data practices as usual include working from their own device, rather than a company issued one, as well as feeling as if they can take additional risks because they're not being watched by IT and security.

In some cases, employees aren't purposefully ignoring security practices, but distractions while working from home – such as childcare, roommates and not having a desk set up like they would at the office – are having an impact on how people operate.

People will cut corners on security best practices when working remotely

Meanwhile, some employees say they're being forced to cut security corners because they're under pressure to get work done quickly. "People will cut corners on security best practices when working remotely and find workarounds if security policies disrupt their productivity in these new working conditions," said Tim Sadler, CEO of Tessian. "But, all it takes is one misdirected email, incorrectly stored data file, or weak password, before a business faces a severe data breach that results in the wrath of regulations and financial turmoil."

At this point in time, you cannot afford not to step your users through new-school security awareness training. This is now a must. And a surprisingly affordable one. Get a quote and find out.

[Live Demo] Prepare Your Organization to Work From Home More Securely With Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense especially when working from home.

Join us TOMORROW, Wednesday, June 3 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

See how easy it is to train and phish your users:
  • Train your users with access to the world's largest library of 1000+ pieces of awareness training content including 300 training resources on work from home scenarios.
  • Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • Assessments allow you to find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 33,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, June 3 @ 2:00 pm (ET)

Save My Spot!

[Heads Up] Ransomware Damage Skyrockets as Ransoms Grew 14 Times in Just 12 Months

Last year was highly profitable for ransomware actors but with the prices we've seen recently, 2020 is likely to surpass it as actors continue to target large companies in key industries.

Among the most common intrusion techniques observed in incident response engagements, drive-by compromise via exploit kits (EKs), external remote services (mainly RDP), and spear phishing were at the top of the list.

Ransomware has become one of the most insidious threats in the past couple of years, with actors scaling up their operations to the point that the average ransom demand increased more than 10 times in one year.

There are well over a dozen operators in the ransomware-as-a-service (RaaS) game, each with a host of affiliates that focus on enterprise targets across the world.

Since the infamous GandCrab group called it quits in mid-2019, the ransomware landscape changed drastically. The RaaS model they introduced is now the norm, paving the way for professional attackers with a clear strategy to make money.

Huge jumps in ransom demand

The year-over-year evolution of the ransomware threat is visible in terms of the ransom demand as well as the tactics, techniques, and procedures (TTPs) used by the attackers running big-game ransomware operations.

In a new report, cybersecurity company Group-IB analyzed how this threat changed in just one year since 2018. They adopted a wide range of initial access vectors, increased their ransom demands, and started to steal files from victims before encryption for further leverage to force a payment.

According to the report, ransomware attacks in 2019 increased by 40% and the focus on larger targets drove the ransom price from $6,000 to $84,000, two of the greediest families being Ryuk and REvil (Sodin, Sodinokibi).

In 2020, though, the price has increased even more. Data from Coveware, a company that handles ransomware incidents, shows that the average ransom rose further in the first quarter of the year, to $111,605. Ryuk and REvil continue to be responsible for this increase in the average ransom.

Tactics, techniques, and procedures

At the RSA security conference in February, the FBI also stated that RDP is the most common method ransomware actors use for access to the victim network.

"RDP is still 70-80% of the initial foothold that ransomware actors use," said FBI Special Agent Joel DeCapua.

More advanced ransomware actors relied on methods that gave them access to more valuable targets: supply-chain compromise, exploiting unpatched vulnerabilities in public-facing applications, or compromising managed service providers (MSPs).

From there, the attackers deployed their tools and moved to the next stages establishing persistence, escalating privileges (if needed), evading defenses, acquiring credentials, mapping the network, moving to valuable hosts, stealing files, and then encrypting them.

Group-IB's whitepaper details that even big-league players like Ryuk, LockerGoga, REvil, MegaCortex, Maze, or Netwalker used common intrusion methods such as RDP simply because the access to servers with an open port was easy to get from marketplaces.

Phishing is also used regularly to gain initial access to a company's network. Normally, networks that distribute malicious emails, like Emotet, Trickbot (Ryuk), or QakBot (ProLock, MegaCortex), are used to gain access to the target network.

Advanced actors extended their tactics to exploiting bugs in WebLogic Server (CVE-2019-2725) or Pulse Secure VPN (CVE-2019-11510); this was seen in REvil attacks.

12 ransomware operators have leak sites

At the moment, 12 ransomware operators have leak sites where they publish data stolen from victims, while others use hacker forums to share download links. Recently, though, at least one ransomware actor is taking their operation to another level. NetWalker ransomware group started looking for affiliates with network access to huge businesses.

See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk management modules, transforming KCM into a full SaaS GRC platform!

Join us TOMORROW, Wednesday, June 3 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements within your organization and across third-party vendors and ease your burden when it's time for risk assessments and audits.
  • NEW! Demonstrate overall progress and health of your compliance and risk management initiatives with custom reports.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TOMORROW, Wednesday, June 3 @ 1:00 PM (ET)

Save My Spot!

Supreme Court “Summons” Is the Latest Phishing Attack Aimed at Stealing Your Microsoft 365 Credentials

Even the Supreme Court isn’t safe from brand impersonation in this scam intent on getting victims to click on a link to a supposed subpoena to attend a hearing.

There is no higher authority in the United States than the Supreme Court. So, it’s not entirely surprising to see a phishing scam pop up using the idea that the recipient victim is somehow unknowingly involved in a court case and is being summoned under penalty of law. Its actual intent is to steal the victim’s Microsoft 365 logon credentials.

I can’t fathom how any regular person would fall for this scam (as how many of us are involved in any court cases of any kind, let alone one being heard by the Supreme Court???) but I’ve seen worse scams that still managed to attract victims.

Researchers at security vendor Armorblox recently found this attack and offered up a few reasons why it is actually getting through to users’ inboxes:
  • It’s only sent to a few people within an organization, rather than being a mass mail
  • It uses zero-day lookalike websites to spoof Microsoft 365 logon pages
  • It uses CAPTCHA technology to add legitimacy
  • Its use of the Supreme Court as a lure was likely striking enough to catch the eye of the potential victim
Attacks intent on compromising Microsoft 365 online credentials are nothing new. So users should be enrolled in frequent security awareness training that keeps them updated on various scams and attack types to help protect online credentials that cybercriminals can use to commit data theft, fraud, hold data for ransom, and more.

What To Do About BEC?

Funds transfer fraud, also known as business email compromise (BEC), is a much more widespread problem than it seems, according to lawyers at Ice Miller LLP.

The attorneys believe this type of CEO fraud is often underreported by the victims, so that even law enforcement doesn’t have a full view of the problem’s scope. Every organization should assume they will be targeted by this type of attack.

“Funds transfer fraud is a crime that leverages technical and social engineered attacks, over the internet or by phone, that involve fraudsters impersonating vendors, executives or banks to convince organizations to wire funds to accounts under the control of the criminal,” the lawyers explain.

These crimes usually involve multiple steps and the attack can potentially be thwarted at each one, either by an observant employee or by the organization’s security protocols. For example, an email-based BEC attack can be foiled by requiring employees to confirm the legitimacy of a fund transfer via a phone call.

Stopping funds transfer fraud in its tracks is important because, in many cases, the money is gone for good once it’s been transferred to the scammers. In cases where the funds can be recovered, however, the victims must act quickly. The lawyers say a comprehensive security program that includes employee training is the key to stopping these attacks.

“Building an integrated data security program, with training that ties to your company’s financial and internal controls, is the best approach to mitigate the risks that transfer fraud entails,” they write. “Done well, such an integrated enterprise risk management also helps to protect against other types of fraud and criminal conduct.

We caution, in particular, that organizations handling large sums of money and transactions, such as retirement plans, real estate companies, manufacturers and financial institutions, are prime targets for these types of attacks. The criminals often know a great deal about how these companies operate and once they succeed against one, they will replicate their attacks against others.”

New-school security awareness training can help prevent these attacks at the outset, and it can also enable your employees to thwart attacks that are in progress, or mitigate the ones that have already taken place.

Ice Miller LLP has the story:$12-billion-electronic-funds-transfer-fraud-pr/

Combating Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

Don't click phishy links. Everyone knows that. But are your end users prepared to quickly identify today's tricky tactics being used by the bad guys? Probably not. Cybercriminals have moved beyond simple bait and switch domains. They're now employing a variety of advanced social engineering techniques to entice your users into clicking and putting your network at risk. You need to stay a step ahead of the bad guys.

Join us on Wednesday, June 10th at 2:00 PM (ET) when Roger Grimes, KnowBe4's Data-Driven Defense Evangelist, shows you how to become a rogue URL expert.

He’ll dive deep into the latest techniques and defenses to share:
  • Real-life examples of advanced attacks using rogue digital certificates, homograph attacks, and more
  • Safe forensic methods for examining URLs and other tactics for investigating phishy emails
  • Strategies for dissecting URLs on mobile without clicking
  • Simple ways you can train your users to scrutinize URLs and keep your network safe
Find out what you need to know to keep your network protected and earn CPE credit for attending!

Date/Time: Wednesday, June 10 @ 2:00 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Here Are the 25 Hot Anti-Ransomware Companies to Watch in 2020:

Quotes of the Week
"Appreciation is a wonderful thing: It makes what is excellent in others belong to us as well."
- Voltaire, Philosopher (1694 - 1778)

"Nobody can give you wiser advice than yourself."
- Marcus Tullius Cicero, Philosopher, Statesman and Orator (106 - 45 BC)

Thanks for reading CyberheistNews

Security News
How to Thoroughly Deceive Someone

A large part of social engineering involves knowing your audience, according to Jonna Mendez, former Chief of Disguise for the US Central Intelligence Agency.

Mendez recently joined the CyberWire’s Hacking Humans podcast to discuss her career with the CIA and how the agency approached social engineering. Mendez explained that their strategy would depend on the target and the specific circumstances surrounding it.

“The first part of planning it, you have to know, what's the stage?” Mendez said. “Where are you going to conduct this thing? Where is this deception going to take place? Because a lot depends on that. And the other part of it is, who's your audience? Who are you actually trying to fool? Is it someone in a car behind you? Is it the gate guard where you have to go in and out of the embassy proper? Or is it a video camera in a parking garage?

So figure out who your audience is, what your stage is. And then you start understanding what you can get away with.” Mendez went on to describe the thought process that went into crafting a disguise for an undercover operative.

“So we always had in our mind that these were officers who were going to go out and meet someone,” she said. “And the person they met was going to write a memo for the record that said, I met with this person Tuesday afternoon, and this is what he looked like.

This is what he said his name was and this is what he looked like. He was married or he wasn't married. He smoked; he didn't smoke... And everything in that memo for the record should be wrong. That was our goal.”

Most organizations probably don’t have to worry about being infiltrated by attackers wearing CIA-grade disguises, but the same principles apply to all types of social engineering. As Joe Carrigan from the Johns Hopkins University Information Security Institute pointed out later in the show, these tactics are used in both malicious and benign attempts to influence human behavior.

“Every scammer considers their audience, whether their audience is every person in the world and they're just trying to filter down their audience or whether their audience is one person,” Carrigan said. “They are considering their audience, and that's something that's very important for everyone to remember about these malicious actors and anybody that's trying to – even a salesperson, right? A good salesperson considers their audience.”

New-school security awareness training can help your employees understand the mindset of an attacker in order to defend themselves against social engineering tactics.

The CyberWire has the story:

[NEW] 2020 Ransomware Hostage Rescue Manual

Free your files! Get the most informative and complete hostage rescue manual on ransomware.

The New 2020 Edition of this Ransomware Manual is packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware. You will also receive a Ransomware Attack Response Checklist and Ransomware Prevention Checklist.

You will learn more about:
  • What is Ransomware?
  • Am I Infected?
  • I’m Infected, Now What?
  • Protecting Yourself in the Future
  • Resources
Don’t be taken hostage by ransomware. Download your updated 2020 rescue manual now!

More Phishing Campaigns Are Abusing Legitimate File-Sharing Sites

Researchers at Barracuda Networks are tracking phishing campaigns that use legitimate file or content-sharing sites in an attempt to steal users’ credentials. The attackers send phishing emails with a link to one of these sites, which are usually hosted on Google or Microsoft domains.

These links can fool email security filters and users themselves, since they belong to legitimate services. The researchers observed nearly 100,000 of these attacks between January 1st and April 30th, and found that 65% of the attacks used Google services.

Some of the attacks use these services as a stepping stone to a real phishing site, while others use services such as Microsoft Forms to create a spoofed login page. Both of these techniques are crafty, but they can be thwarted if the user refuses to enter their credentials.

However, the researchers describe a third type of attack in which, instead of credentials, the malicious link tries to steal an access token.

“In this particularly nasty attack variant, hackers can get access to their victims’ accounts without stealing their credentials,” the researchers explain. “The original phishing email contains a link to what looks like a usual login page. Even the domain name in the browser window appears to match what users may expect to see.

However, the link contains a request for an access token for an app. After login credentials are entered, the victim is presented with a list of app permissions to accept. By accepting these permissions, the victim is not giving up passwords to attackers, but rather grants the attacker’s app an access token to use the same login credentials to access the account.”

The researchers say the victim may not even be aware that they’ve fallen for this attack. “Attacks like these are likely to go unnoticed by users for a long time,” they write. “After all, they used their credentials on a legitimate website. Even two-factor authentication will do nothing to keep attackers out because their malicious app was approved by the user to access accounts.”
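The consent-phishing variant above defeats URL reputation checks precisely because the sign-in domain is genuine; the tell is the authorization request carried in the link itself (which app, which permissions, where the token is delivered). The script below is an added example for this newsletter, not code from Barracuda or from the original post: it recognises the Microsoft and Google authorization endpoints, pulls out the client_id, requested scopes and redirect_uri, and reports anything outside a defender-maintained allowlist. The allowlist contents, the sample URLs and the phishing redirect host are constructed placeholders; the endpoint paths and scope names are real.

```python
"""Triage links that ask a user to grant an OAuth access token to an app.

Added example (not from the original newsletter or from Barracuda Networks).
Rather than judging the domain, it inspects the authorization request the
link carries and flags unapproved apps, high-risk scopes and unknown
redirect hosts for review, for instance in a mail-gateway link rewriter or
a help-desk triage tool.
"""
from urllib.parse import urlparse, parse_qs

# Authorization endpoints of the two identity providers named in the article.
AUTHORIZE_ENDPOINTS = {
    "login.microsoftonline.com": "/oauth2/v2.0/authorize",
    "accounts.google.com": "/o/oauth2/v2/auth",
}

# Scopes that grant standing access to mail or files. These are real
# Microsoft Graph / Google scope names; the selection is illustrative.
HIGH_RISK_SCOPES = {
    "offline_access", "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all", "user.read.all",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
}

# Constructed allowlists: apps and redirect hosts the organisation reviewed.
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
APPROVED_REDIRECT_HOSTS = {"app.example-corp.test"}


def parse_consent_request(url: str):
    """Return None when the URL is not an OAuth authorize request; otherwise a
    dict with client_id, scopes, redirect_host and a list of findings
    (an empty findings list means nothing stood out)."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    expected_path = AUTHORIZE_ENDPOINTS.get(host)
    if expected_path is None or not u.path.endswith(expected_path):
        return None  # ordinary link to the provider, no token request inside

    # parse_qs already percent-decodes and turns '+' into spaces.
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    client_id = q.get("client_id", "")
    scopes = q.get("scope", "").split()
    redirect_host = (urlparse(q.get("redirect_uri", "")).hostname or "").lower()

    findings = []
    if client_id not in APPROVED_CLIENT_IDS:
        findings.append(f"unapproved app client_id {client_id or '<missing>'}")
    risky = sorted(s for s in scopes if s.lower() in HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes requested: " + ", ".join(risky))
    if redirect_host and redirect_host not in APPROVED_REDIRECT_HOSTS:
        findings.append(f"token would be delivered to {redirect_host}")

    return {"client_id": client_id, "scopes": scopes,
            "redirect_host": redirect_host, "findings": findings}


# Constructed sample links. The first mimics the consent lure described in
# the article: real provider domain, attacker-controlled app and redirect.
SUSPICIOUS_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=99999999-8888-7777-6666-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmailsync.example-phish.test%2Fcb"
    "&scope=openid%20offline_access%20Mail.Read%20Files.Read.All"
)
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example-corp.test%2Fcb"
    "&scope=openid%20profile%20User.Read"
)
PLAIN_LOGIN_URL = "https://login.microsoftonline.com/"

if __name__ == "__main__":
    for link in (SUSPICIOUS_URL, BENIGN_URL, PLAIN_LOGIN_URL):
        result = parse_consent_request(link)
        if result is None:
            print("no OAuth consent request in link")
        elif result["findings"]:
            print("REVIEW:", "; ".join(result["findings"]))
        else:
            print("consent request to an approved app, nothing flagged")
```

Because the user really does authenticate on the provider's page, a password reset after the fact changes nothing; the token outlives it. The same parsed fields (client_id and redirect host) are what an administrator needs in order to find and revoke the offending app grant in the tenant, which is why the script keeps them in the result rather than only printing a verdict.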

Barracuda expects this type of attack to increase as criminals realize how effective it is.

Barracuda has the story:

Beware of Phony LogMeIn Security Updates

Researchers at Abnormal Security warn that a phishing campaign is trying to steal LogMeIn remote desktop credentials. The attackers are sending phishing emails that purport to come from LogMeIn, and they pretend to inform the recipient of an urgent security update.

The emails contain a link whose visible text appears to be a URL pointing to LogMeIn’s legitimate website, but this is actually anchor text (clickable text) posing as a URL; the link behind it takes the user to a credential-harvesting phishing site that impersonates LogMeIn’s real sign-in page.
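The mismatch described above (anchor text that reads as one URL while the href goes somewhere else) is mechanical enough to check automatically before a user ever sees the message. The following script is an added example written for this newsletter, not code from Abnormal Security or from the original post: it parses the HTML body of an email, keeps every anchor whose visible text looks like a URL or hostname, and reports the ones whose displayed domain differs from the domain the link actually resolves to. The sample email body and the phishing host name in it are constructed placeholders, and the domain comparison is deliberately simple (last two labels), which the comments point out.

```python
"""Flag anchors whose visible text poses as a URL but whose href goes elsewhere.

Added example (not from the original newsletter or from Abnormal Security).
Suitable as a pre-delivery check in a mail gateway or as a triage helper for
reported messages: plain "click here" text is ignored, only text that
impersonates a URL and disagrees with its own href is reported.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible text that looks like a URL or bare hostname, e.g.
# "https://www.logmein.com/secure" or "logmein.com". Group 1 is the host.
URL_LIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I
)


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels. Adequate for this
    comparison; a production filter would consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str):
    """Return (visible_text, href) pairs for anchors whose text looks like a
    URL but whose href resolves to a different registered domain."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        m = URL_LIKE.match(text)
        if not m:
            continue  # text such as "click here" is not posing as a URL
        shown = registered_domain(m.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            hits.append((text, href))
    return hits


# Constructed sample body modelled on the lure described in the article.
# "login.example-phish.test" is a placeholder, not a real indicator.
SAMPLE_EMAIL = """
<p>A critical security update is available for your account.</p>
<p>Apply it now:
<a href="https://login.example-phish.test/secure">https://www.logmein.com/security-update</a></p>
<p>Questions? Visit <a href="https://support.logmein.com/">https://support.logmein.com/</a>
or <a href="https://login.example-phish.test/help">click here</a>.</p>
"""

if __name__ == "__main__":
    for shown, real in find_deceptive_links(SAMPLE_EMAIL):
        print(f"MISMATCH: text shows {shown!r} but link goes to {real!r}")
```

Only the first anchor is reported: the second one's text and href agree, and the third uses ordinary link text, which is a separate concern (it still deserves the hover-before-you-click habit, but it is not impersonating a URL).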

The researchers point out that, due to the current environment of pandemic-driven remote work, a fake security update is likely to be an effective lure for users of collaborative tools like LogMeIn.

“Other collaboration platforms have been under scrutiny for their security as many have become dependent on them to continue their work given the current pandemic,” they write. “Because of this, frequent updates have become common as many platforms are attempting to remedy the situation.

A recipient may be more inclined to update because they have a strong desire to secure their communications.”

Additionally, the researchers note that LogMeIn uses single sign-on (SSO) with its subsidiary LastPass, so the attackers may be trying to gain access to victims’ password managers, which could potentially grant them access to all of the victims’ credentials.

The researchers say they’ve seen a spike in phishing campaigns targeting collaborative platforms, and they attribute this trend to the shift to remote working conditions.

“We’ve seen an incredible uptick in collaboration software impersonations in the past month,” they write. “Most of these platforms are associated with other logins (like G Suite or Office 365 logins) and can be leveraged by attackers to gain access to or assault other accounts.”

Once an attacker has compromised one account within your organization, they can use that account to launch more targeted attacks against other employees. New-school security awareness training can create a culture of security within your organization, enabling your employees to identify phishing emails and instilling in them the importance of multi-factor authentication.

Abnormal Security has the story:

What KnowBe4 Customers Say

"Hope all is well. The more I think about how helpful your PhishER and PhishRIP are to us, I just wanted to let you know if you ever have potential customers wanting a reference I would be more than happy to tell them of our experience and how helpful your product is."

- D.D., IT Systems and Network Administrator

The 10 Interesting News Items This Week
    1. In '95, these people defined tech: Gates, Bezos, Mitnick and more:

    2. Turla APT Revamps One of Its Go-To Spy Tools:

    3. NSA: Russia's Sandworm Hackers Have Hijacked Mail Servers:

    4. Google sees resurgence in state-backed hacking, phishing related to COVID-19:

    5. States plead for cybersecurity funds as hacking threat surges:

    6. FBI Officials Arrest Another Alleged FIN7 Gang Member:

    7. Is COVID-19 Making the Internet Sick?:

    8. Cyber defense agency found over 1,500 ‘malicious’ fake Canadian government COVID-19 websites:

    9. Google most popular brand to impersonate in phishing campaigns - report:

    10. German intelligence agencies warn of Russian hacking threats to critical infrastructure:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.
