CyberheistNews Vol 10 #24 [Heads Up] Remote Work Isn’t Good for Corporate Security. 30% of Organizations Have Been the Victim of Phishing Scams Since the Lockdown


Now that we’ve had some time to allow employees to work from home, security vendors have had time to quantify just how secure your organization really is.

Lots of new data is now just coming out of the woodwork demonstrating some of the harsh realities of having employees work from home without proper security in place.

According to new data from software information hub Capterra, in their Remote Work Survey 2020, employees are doing anything but practicing good security:
  • 23 percent always share passwords between personal and work accounts
  • 33 percent have a single password they use across sites
  • Only 15 percent have strong passwords
It may be that employees aren’t being properly prepared: only 24 percent of organizations have dedicated security staff who are known to employees. According to the report, 64 percent of remote workers have received security awareness training. But with nearly a third of employees falling victim to phishing scams (nearly half of them, 45%, COVID-19 related), the training may not be continual in nature, which is critical to create a security culture and a vigilant mindset on the part of the employee.

Proper security awareness training keeps employees mindful about their role in corporate security and the need for good security practices to be put into place. With continual training, employees can be made aware of the need for improved password hygiene and how to be looking for scams that take advantage of current events.

Remote workers aren’t coming back to the office in the short term, as far as we can tell. It’s time to put an additional protection layer in place by educating your remote employees.

Blog post with links:
Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

Don't click phishy links. Everyone knows that. But are your end users prepared to quickly identify today's tricky tactics being used by the bad guys? Probably not. Cybercriminals have moved beyond simple bait and switch domains. They're now employing a variety of advanced social engineering techniques to entice your users into clicking and putting your network at risk. You need to stay a step ahead of the bad guys.

Join us TOMORROW, Wednesday, June 10th at 2:00 PM (ET) when Roger Grimes, KnowBe4's Data-Driven Defense Evangelist, shows you how to become a rogue URL expert.

He’ll dive deep into the latest techniques and defenses to share:
  • Real-life examples of advanced attacks using rogue digital certificates, homograph attacks, and more
  • Safe forensic methods for examining URLs and other tactics for investigating phishy emails
  • Strategies for dissecting URLs on mobile without clicking
  • Simple ways you can train your users to scrutinize URLs and keep your network safe
Find out what you need to know to keep your network protected and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, June 10 @ 2:00 PM (ET)

Foreign States Attack the Trump and Biden Campaigns With Phishing Emails

It's starting to feel a lot like 2016. Dan Goodin at Arstechnica was one of the first to cover Google's Threat Analysis Group on Twitter. He said:

"State-backed hackers from Iran and China recently targeted the presidential campaigns of Republican President Donald Trump and Democrat Joe Biden, a Google threat analyst said on Thursday.

The revelation is the latest evidence of foreign governments attempting to gain intelligence on US politicians and potentially disrupt or meddle in their election campaigns. An Iran-backed group targeted the Trump campaign, and China-backed attackers targeted the Biden campaign, said Shane Huntley, the head of Google’s Threat Analysis Group on Twitter. Both groups used phishing emails. There’s no indication that either attack campaign succeeded.

Huntley identified the Iranian group that targeted Trump’s campaign as APT35, short for Advanced Persistent Threat 35. Also known as Charming Kitten, iKittens, and Phosphorus, the group was caught targeting an unnamed presidential campaign before, Microsoft said last October. In that campaign, Phosphorus members attempted to access email accounts campaign staff received through Microsoft cloud services. Microsoft said that the attackers worked relentlessly to gather information that could be used to activate password resets and other account-recovery services Microsoft provides.

Continued at Arstechnica:
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase in this email traffic can present a new problem!

PhishRIP, part of the PhishER platform, is a new email quarantine feature that integrates with Microsoft Office 365 to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, a product that allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us for a 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft Office 365
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, June 17 @ 2:00 PM (ET)

Prediction: Ransomware Attacks to Spike as Employees Return to the Office

Because of the rapidly changing nature of ransomware attacks and the large numbers of workers at home, anti-malware vendor Emsisoft believes we’re going to see a rise once work returns to normal.

Ransomware is a numbers game: launch enough attacks and a percentage of them will return revenue back to you. This rings true regardless of whether attacks are targeting specific organizations or are part of a mass emailing of millions of email addresses. But, according to security researchers at Emsisoft, we’re seeing a lull in successful ransomware attacks because of the pandemic.

Here’s the thinking: Ransomware attacks function in stages. The first stage is reconnaissance, where the initial infection checks to see if the compromised endpoint is valuable enough to launch a full ransomware attack. We’ve seen infostealer malware collect all kinds of information; this gives you an idea of how granular a cybercriminal can be before having the initial malware contact a C2 server to download the ransomware payload. So, with 61% of remote workers using personal devices, it makes sense that cybercriminals are holding off completing the attack, as only holding a single device for ransom isn’t profitable.

Once employees return to the office – at least 41% of employees intend to – the idea is that they will resume working on their corporate devices (the ones connected to every other corporate device on the network). This is a far better-looking prospect if you’re a cybercriminal intent on using ransomware to make money.

Emsisoft also warns about corporate devices returning to the corporate network, stating that network segmentation for these endpoints should be in place to minimize the impact of any dormant ransomware waiting to run once back at the office.

They also recommend that employees be enrolled in security awareness training, as two-thirds of employees received no training in the last year. This will dramatically lower the likelihood of a successful attack should cybercriminals send another phishing email to the same user who fell for an attack on their personal device at home, this time aiming to infect their business endpoint.
How Many of Your Users’ Credentials Are Compromised? Find out for a Chance to Win a Nintendo Switch!

Your users are your largest attack surface. Data breaches are getting larger and more frequent. Bad guys are getting smarter every year. Add it all up and your organization's risk skyrockets with the number of your users' credentials that are exposed.

It's time to re-check your email attack surface. Plus, if you’re in the US or Canada, you’ll be entered for a chance to win a Nintendo Switch*.

Find out your current email attack surface now with KnowBe4’s Email Exposure Check Pro (EEC). EEC Pro identifies your at-risk users by crawling business social media information and now also thousands of new breach databases.

EEC Pro now leverages one of the largest and most up-to-date breach data sources to help you find even more of your users' compromised accounts that have been exposed in the most recent data breaches - fast.

Get your complimentary EEC Pro report in less than 5 minutes! It’s often an eye-opening discovery. You are probably not going to like the results...

Get Your Report Now:

*Terms and Conditions apply.

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Check this out. Ransomware Gangs Now Have Teamed up and Formed an Extortion Cartel. Yikes:
Quotes of the Week
"Violence as a way of achieving racial justice is both impractical and immoral. I am not unmindful of the fact that violence often brings about momentary results. Nations have frequently won their independence in battle. But in spite of temporary victories, violence never brings permanent peace."
- Martin Luther King, Jr., Minister and Social Activist (1929 - 1968)

Thanks for reading CyberheistNews

Security News
Old Excel 4.0 Macros Bypass Your Filters and Slip in Malware Payloads

Researchers at Lastline warn that attackers are increasingly utilizing Excel 4.0 macros to deliver malware while avoiding detection by security products. Excel 4.0 (XL4) macros were introduced in 1992, one year before Excel started using the VBA macros that are still widely used today.

However, modern versions of Microsoft Office still support XL4 macros, and attackers have realized that many security vendors haven’t placed enough focus on these macros. The researchers have observed thousands of malicious email attachments using this method since the beginning of February.

“We found that roughly every 1-2 weeks, a new wave of samples emerged, each more evasive and sophisticated than the last,” they write. “Each of these waves appeared to build on its predecessor, extending its functionality by introducing new techniques on top of what already was being used. The size of these clusters suggests that these samples are being generated with some sort of toolkit or document generator, as these samples resemble one another too closely to not be related.”

The researchers explain that both defenders and attackers are still grappling with the possibilities presented by XL4 macros.

“This technique will likely remain relevant, and join its successor (i.e., VBA macros) as a widely used technique to weaponize document files,” the researchers write. “This technique does not rely on a bug, it is not an exploit, but it simply abuses legitimate Excel functionality.

These macros can be set to auto-execute, and run as soon as a workbook is opened if macros are enabled. As this is somewhat uncharted territory, malware authors and researchers are still exploring the depths of possibilities and capabilities of weaponizing this attack technique.”

Lastline’s researchers conclude that this problem isn’t going away any time soon, and security vendors are still playing catch-up.

“Excel 4.0 macros continue to prove their value to attackers, providing a reliable method to get their code to run on a target,” they write. “In many environments, Excel worksheets with macros are used too heavily for legitimate business purposes to disable or blacklist, thus analysts and security vendors will have to get used to consistently updating tooling and signatures as attacks continue to evolve.

Excel 4.0 macros provide a near endless list of possibilities for malware authors and are evolving, becoming more sophisticated each day.”

Malicious macros have been one of the leading causes of malware infections for many years, and attackers continue to use this method because it still works. New-school security awareness training can stop these attacks in their tracks by teaching employees the risks of enabling macros in a document.

Lastline has more:
Phishing for Supermarket Deliveries

Scammers are exploiting the increased demand for online shopping by setting up spoofed supermarket websites, Teiss reports. Researchers at Mimecast recently found thirty websites impersonating Tesco, eleven spoofing Asda, and ten imitating Amazon. The sites are designed to steal credentials, payment card numbers, and personal information.

Elad Schulman, VP of Brand Protection at Mimecast, said these sites are part of a continuous cycle in which scammers attempt to stay ahead of hosting providers and security companies. Phishing sites can be identified and taken down very quickly, but scammers can set up new websites even faster.

New phishing sites are constantly going online, and they stay up long enough for people to fall victim.

“Impersonating brands online is a boon for hackers: there are no rules preventing anyone from registering an online domain that looks just like a legitimate brand’s domain name and creating a lookalike that resembles the original,” Schulman said.

“Subtle differences can easily go unnoticed, fooling unsuspecting customers who will simply enter their credentials as usual. In addition, brands often have no idea their name and likeness has been exploited by a copycat; and even when they do, it only takes minutes for criminals to take down their own spoofed websites and create another one elsewhere.”

In addition to supermarkets, Teiss says delivery companies are being widely impersonated. The attackers are using fake login pages designed to steal email credentials by asking users to select their email provider from a list of partner services.

Users need to be aware that scammers have tailored their attacks to take advantage of pandemic-related shutdowns and remote work environments. Security technologies have gotten much better over the years, but attackers have been able to keep pace. Phishing attacks are still widespread, and technical defenses will always be one step behind attackers who target human weaknesses.

Teiss in the UK has the story:
Human Performance as a Risk Factor

Most organizations don’t place enough focus on the human elements of cybersecurity, according to Stephen A. Wilson, Dean Hamilton, and Scott Stallbaum from consulting firm Wilson Perumal & Company.

In an article for MIT Sloan Management Review, the consultants explain that the right technical defenses are essential, but most successful cyberattacks rely on human failures.

“Without addressing this issue of human performance, a vicious cycle perpetuates,” they write. “As companies bring on board new technologies — each one potentially addressing an emerging threat — they also add more corresponding people and processes. As this continues, the interactions between technology, processes, and people pile up, and the level of complexity increases geometrically.

At some point, this complexity overwhelms the cybersecurity infrastructure and obscures emerging threats — until, weighed down by legacy systems, the business finds itself less agile than cybercriminals, and an attack occurs. In response, the business seeks out the technological patch for that specific threat, and the cycle repeats.”

The consultants say there are some observable attributes possessed by organizations that have strong security postures.

“Closing the human performance gap — embedding new behaviors and shared understanding as part of the culture and normal course of business — is no small undertaking, but it’s ultimately the best defense against cyberattacks,” the consultants say.

“And fortunately, an analog exists for addressing this type of risk and leveraging human performance as a critical layer of defense: the high-reliability organization (HRO), which we define as an organization that has a remarkably low number of mishaps consistently over a sustained period of time yet performs highly complex and inherently hazardous tasks.”

The consultants explain that HROs differ from other organizations in three ways. First, employees at these organizations are in “a state of hypervigilance and watchfulness for early danger signals.” Second, HROs are able to respond quickly when an incident occurs. Third, they learn from every incident and quickly share knowledge throughout the organization.

Additionally, employees in an HRO are knowledgeable about cybersecurity, which leads them to take security protocols more seriously.

“They understand how easily passwords can be compromised and the risks of unauthorized access,” the consultants write. “Because they recognize that cybersecurity is everyone’s job, they read and take seriously the warnings that the cybersecurity department sends out each week.”

Employees need to be a central part of an organization’s security posture. New-school security awareness training can address the human side of cybersecurity.

MIT Sloan Management Review has the story:
What KnowBe4 Customers Say

"KnowBe4 is a great partner. I’m glad to have learned of you when I did. I look forward to 3 more years of service. This past January we had our Safety and Soundness Exam from the Office of the Comptroller of the Currency. This occurs every 18 months. This past cycle we had a discussion about our phishing training.

When I told them that we use KnowBe4, the examiner’s eyes lit up. I tell folks all the time who we use, how efficient and useful the platform is, how successful we are with our testing, that it is reasonably priced, and how proactive you are in helping us use the platform to meet our needs. Take care. I look forward to hearing back from you."
- M.L., COO

"I appreciate you reaching out. We are very happy so far with all of the KnowBe4 offerings.

We are in a bit of an end of the fiscal year crunch with other projects so we haven't been able to take advantage of everything we wanted to yet (e.g. deploying Phish Alert Button and get PhishER rolling), but can't wait for the months ahead to dig in to this further.

Also, the customer support managers we have worked with and technical support have been fantastic. Great to interact with and very knowledgeable. No regrets at all in making the switch from your competitor."
- M.J., Senior Information Security Analyst

The 10 Interesting News Items This Week
    1. How to Forensically Examine Phishing Emails - Security Boulevard:
    2. Kaspersky IDs Sophisticated New Malware Targeted at Air-Gapped Systems:
    3. Windows 10 SMBGhost (WannaCry-like) bug gets public proof-of-concept RCE exploit:
    4. Office 365 to give detailed info on malicious email attachments:
    5. What is pretexting? Definition, examples and prevention:
    6. The Latest Ransomware Attacks Can Require a Data Breach Notification:
    7. Local, State Governments Face Cybersecurity Crisis:
    8. Hackers target Google Docs, Microsoft Sway to steal user credentials:
    9. Creeps give away money to harass recipients with abusive transaction descriptions on bank statements:
    10. How Low Will Cybercriminals Go?:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.
