CyberheistNews Vol 10 #26 Twitter Takes Down Over 32,000 Nation State Accounts Involved in Disinformation Campaigns

CyberheistNews Vol 10 #26
Twitter Takes Down Over 32,000 Nation State Accounts Involved in Disinformation Campaigns

Manipulation/disinformation campaigns are running rampant on social media and Twitter just took action -- again.

"Disinformation" is a form of propaganda honed into an art form by Russia. These days it's powered by bots and fake compromised accounts on social media. This week China, Russia, and Turkey were called out on the carpet by Twitter.

Unless you’ve been sleeping under a rock, you probably noticed that social media platforms are rife with conspiracy theories and political bots. Disinformation campaigns are an extremely effective tool. When used by Nation States they can be weaponized as a powerful propaganda tool. Propaganda experts mix in a just enough truth with the falsehoods to make the propaganda sound plausible.

The end goal is destabilization, confusion, and division meant to sow the seeds of mistrust among members of society -- a city divided. When this form of "societal" social engineering is practiced at a geopolitical level is advances the false narratives of an adversary.

Twitter's been steadily removing these types of accounts in waves and now another 32,242 bogus bot accounts from China, Russia and Turkey were culled. The main culprit this time around was ... China. According to Twitter, 23,750 accounts were taken down because they were “highly engaged” with users.

The Chinese campaign was targeted to a Chinese speaking audience and focused mainly trying to shape and manipulate positive opinions about China in the ongoing fight with between mainland China and Hong Kong which is fighting to retain its local political independence.

According to the Twitter blog, also taken down were Russian tweets from Current Policy, a Russian media website engaging in state-backed political propaganda within Russia.

“A network of accounts related to this media operation was suspended for violations of our platform manipulation policy, specifically cross-posting and amplifying content in an inauthentic, coordinated manner for political ends. Activities included promoting the United Russia party and attacking political dissidents.”

Although this was internal to Russia it continues to use disinformation as a tool to divide political and social attitudes across the globe.

Twitter also snagged 7,340 Turkish fake and compromised accounts being used to push and amplify political narratives favorable to the AK Parti supporting President Erdogan. Several compromised accounts associated with organizations critical of President Erdogan and the Turkish Government were found.

“These compromised accounts have been repeated targets of account hacking and takeover efforts by the state actors identified above. The broader network was also used for commercial activities, such as cryptocurrency-related spam. “

You can train yourself to spot these false narratives. And you should be training your employees to spot social engineering attacks by the bad guys.

If you want to learn more about how social media has become a propaganda playground for manipulating opinions we highly recommend that you read “Manipulated” written by Theresa Payton, a cybersecurity expert who served in the White House of the G.W. Bush administration.

"Twenty years ago the Russians had to recruit journalists to find people to disseminate something. Nowadays they just have to start a meme."
— John Schindler, former NSA analyst

Start reading "Manipulated", it's highly recommended. Here is a link to Amazon:
[TOMORROW] How to Combat the Fake News and Disinformation Being Used to Attack Your Organization

We live in an age of information, where it can be shared in an instant and spread like wildfire. Especially during the unprecedented times we are currently finding ourselves in, bad actors are taking every opportunity to use current events to not only prey on unsuspecting individuals' best intentions, but to weasel their way into your networks.

A global cold war is being fought in cyberspace, and IT pros like you are finding themselves in the trenches. With all of this going on, how can you equip your employees and protect your networks from a malicious attack?

Join Stu Sjouwerman, KnowBe4’s Founder and CEO, and Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer for a deep dive into how the technology we rely on every day is being exploited to deliver powerful disinformation, misinformation, fake news, and other malicious exploits.

We’ll discuss:
  • How both facts and lies are weaponized
  • Types of delivery systems (email, social media, videos, deep fakes, and more)
  • What’s being done to address these trends
  • Tips to protect your organization and build your human firewall
Find out what you need to know to keep your network protected and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, June 24 @ 2:00 PM (ET)

Save My Spot!
[Heads Up] Australian Government and Businesses Hit by Massive Cyber Attack From ‘Sophisticated, State-Based Actor’ reported that "Australian Prime Minister Scott Morrison announced in an urgent press conference in Canberra, an ongoing, "large-scale" hack was being executed by a “sophisticated, state-based cyber actor”.

“This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure,” Mr. Morrison told reporters.

“We know it is a sophisticated, state-based cyber actor because of the scale and nature of the targeting and the tradecraft used. Regrettably, this activity is not new. Frequency has been increasing.”

Mr. Morrison said the Australian Cyber Security Centre has been “actively working with targeted organizations to ensure that they have appropriate technical mitigations in place and their defenses are appropriately raised”.

Asked which nation was suspected to be behind the attack, Mr Morrison said the “threshold for public attribution on a technical level is extremely high” and that Australia “doesn't engage lightly in public attributions”.

“When and if we choose to do so is always done in the context of what we believe to be in our strategic national interests,” he said.

“What I can confirm is there are not a large number of state-based actors that can engage in this type of activity and it is clear, based on the advice that we have received, that this has been done by a state-based actor, with very significant capabilities.” Mr Morrison would not comment on whether China was behind the attack. “I can only say what I have said,” he said. An important part of these attacks were launched through spear phishing campaigns.

Key points from Prime Minister Scott Morrison were as follows:
  • We are seeing an exponential increase in cyber intrusion attempts, that they believe are State sponsored.
  • He reeled off targeted industries, there wasn't many that weren't on there...but Government is clearly underwater with this. A new Cyber Strategy to be released in coming months.
  • The PM emphasized that cyber attacks are ongoing, not new, and a constant threat.
  • No specific Government data breach to report at this moment
  • Today's announcements are all about increasing 'awareness' and he emphasized this twice....
The Minister for Defense Linda Reynolds listed the 3 things that organizations must do now:
  • Patch software and all web facing and email servers
  • Ensure you have MFA
  • Become a member of the Australian Cyber Security Centre
We can add to the above items that stepping your employees through new-school security awareness training is a must to improve awareness.

Post with links:
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, July 8 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to Security Awareness Training and Simulated Phishing.

See how easy it is to train and phish your users:
  • Train your users with access to the world's largest library of 1000+ pieces of awareness training content.
  • Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • Assessments allows you to find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 33,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, July 8 @ 2:00 pm (ET)

Save My Spot!
Microsoft on COVID-19 Themed Cyberattacks

Microsoft’s Threat Protection Intelligence Team has published a report providing a detailed look into the proliferation of COVID-19-themed phishing over the past several months. The researchers found that the timing of these attacks was often correlated with local news stories, the better to capitalize on peoples’ fears when tensions were highest.

In the UK, for example, COVID-19-themed phishing attacks peaked when the US announced a travel ban to Europe. The country saw another spike in these attacks when Prime Minister Boris Johnson was moved to intensive care, but the attacks leveled off after Johnson was discharged from the hospital.

South Korea saw a similar trend, with COVID-19 phishing peaking in May amid fears of a second wave of cases. “Malware campaigns, attack infrastructure, and phishing attacks all showed signs of this opportunistic behavior,” the researchers write. “These shifts were typical of the global threat landscape, but what was peculiar in this case was how the global nature and universal impact of the crisis made the cybercriminal’s work easier. They preyed on our concern, confusion, and desire for resolution.”

Interestingly, the researchers present a graph showing that the global spike in COVID-19-themed phishing lures is “barely a blip” when viewed against the total number of phishing attempts during the same period.

This indicates that cybercriminals continued operating as normal throughout the crisis, but modified some of their lures to exploit current events. The researchers explain that this strategy is consistent with how cybercriminals have always functioned.

“Cybercriminals are adaptable and always looking for the best and easiest ways to gain new victims,” the researchers write. “Commodity malware attacks, in particular, are looking for the biggest risk-versus-reward payouts. The industry sometimes focuses heavily on advanced attacks that exploit zero-day vulnerabilities, but every day the bigger risk for more people is being tricked into running unknown programs or Trojanized documents.

Likewise, defenders adapt and drive up the cost of successful attacks. Starting in April, we observed defenders greatly increasing phishing awareness and training for their enterprises, raising the cost and complexity barrier for cybercriminals targeting their employees. These dynamics behave very much like economic models if you turn ‘sellers’ to ‘cybercriminals’ and ‘customers’ to ‘victims.’”

Microsoft concludes that organizations should invest in cross-domain signal analysis, patch management, and user education to ensure all their bases are covered. Attackers will always be shifting their tactics to overcome new security measures. New-school security awareness training can help your employees stay informed about the evolving threat landscape.

Microsoft has the story:
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk management modules, transforming KCM into a full SaaS GRC platform.

Join us Wednesday, July 8 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements within your organization and across third-party vendors and ease your burden when it's time for risk assessments and audits.
  • NEW! Demonstrate overall progress and health of your compliance and risk management initiatives with custom reports.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, July 8 @ 1:00 PM (ET)

Save My Spot!
Top 12 Most Common Rogue URL Tricks

Roger Grimes just published an awesome blog post: "It’s nearly impossible to find an internet scam or phishing email that doesn’t involve a malicious Uniform Resource Locator (URL) link of some type. The link either directs the user to a malicious web page or contains malicious instructions itself.

The goal is to execute malicious code or instructions in the user’s browser. This article will cover some of the most common malicious URL tricks and defenses against them.

Common Rogue URL Tricks

I’ve come up with 12 different types of URL tricks that scammers and phishers use to trick users into clicking on malicious links. They are:
  • Look-a-Like Domains
  • Domain Mismatches
  • URL Shortening
  • URL Character Encoding
  • Homograph Attacks
  • Overly Long URLs
  • Cross-Site Scripting
  • Malicious Redirection
  • Fake 404 Pages
  • Fake File Attachment Images
  • Rogue Digital Certificates
  • Password Hash Theft
Roger goes into each one with examples and ends off with a super handy PDF that summarizes as follows:

"The more you and your co-workers know about malicious URLs, the easier they can avoid them. I hope this short paper has been educational and useful. If you are interested in learning and/or hearing more details about rogue URLs, see the KnowBe4 webinar called Combatting Rogue URL Tricks at KnowBe4’s webinar repository. You can also download KnowBe4’s Red Flags of Rogue URLs PDF document, which is a great, quick handout for teaching your co-workers about some malicious URL tricks.

Blog post with links here. Warmly recommended:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Common sense is genius dressed in its working clothes."
- Ralph Waldo Emerson

"True genius resides in the capacity for evaluation of uncertain, hazardous,
and conflicting information."

- Winston Churchill

Thanks for reading CyberheistNews

Security News
We Still Haven’t Seen the Full Cyber Ramifications of the Pandemic

It’s difficult to get a full picture of the threat landscape until after cyberattacks have already taken place, according to Kurtis Minder, CEO of GroupSense. On the CyberWire’s Hacking Humans podcast, Minder explained that there’s typically a delay between the time an organization’s network is compromised and the time the breach is discovered.

The “dwell time” is the amount of time an attacker is active within the compromised network. In cases of targeted cyberattacks involving ransomware or data exfiltration, the dwell time is usually at least several months. In ransomware attacks, the dwell time often lasts up until the ransomware’s encryption process is triggered.

Minder pointed out that over the past few months there have been rampant COVID-19-themed phishing campaigns as employees have shifted to working remotely.

Phishing is one of the top ways attackers gain entry to a network, and these attacks are more effective when they use compelling lures and target frazzled employees.

“One of my theories on dwell time is you've got all of these ransomware and phishing campaigns that are leveraging the COVID pandemic that have been carried out over the last, let's say, thirty to forty-five days,” Minder said. “So if you think about the cyber dwell time of a threat actor inside someone's network, it depends on which report you read, but it's somewhere in the eighty- to eighty-five-day range, I guess is what people are saying now.“

Based on this observation, Minder believes we still haven’t seen the effects of these phishing campaigns because many of the attackers who have succeeded are still undetected within their victims’ networks. He suspects that within the next two months we’ll begin seeing many of these attacks become apparent.

Minder added, however, that even after the attacks take place, we still won’t hear about all of them because victims often don’t disclose these incidents.

“A lot of the ransomware stuff, for many years, goes unreported,” he said. “Almost like the scamming scenario, a lot of folks don't report it, especially if they are able to recover quickly with a backup. And a lot of times, sadly, the ransom just gets paid and no one talks about it. I think that number is going to be hard to quantify going forward. “

Every organization needs to assume they’ll be targeted by ransomware attackers or other cybercriminals. New-school security awareness training can enable your employees to thwart these attackers before they get in.

The CyberWire has the story:
When Security Takes a Backseat to Productivity

"We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change." -CIA's Wikileaks Task Force.

So ends a key section of a report the U.S. Central Intelligence Agency produced in the wake of a mammoth data breach in 2016 that led to Wikileaks publishing thousands of classified documents stolen from the agency's offensive cyber operations division. The analysis highlights a shocking series of security failures at one of the world's most secretive organizations, but the underlying weaknesses that gave rise to the breach also unfortunately are all too common in many organizations today.

Full link here:
Phony Data Theft, Like Phony Sextortion

Extortionists are sending phony threats to website owners informing them that their sites’ databases will be leaked unless they pay a ransom of between 1,500 and 3,000 dollars, BleepingComputer reports. The scammers claim to have discovered a vulnerability in the target’s website that allowed them to steal the victim’s entire “database,” and they say they’ll either sell or publish the data to destroy the site’s reputation unless the victim pays up within five days.

“We will systematically go through a series of steps of totally damaging your reputation,” the email says. “First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are.

Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your site [website URL] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do.

Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.”

These emails are effective because the threats are plausible, or at least difficult to completely disprove. The website’s administrator might not be able to determine if the vague claim is true before the deadline hits, and the threats to manipulate the site’s SEO standing would grab the attention of any website owner.

Additionally, many ransomware operators are now employing similar tactics by stealing data before encrypting it in place, and then using the stolen data as leverage in their ransom demands.

However, BleepingComputer points out that the emails don’t offer any evidence that the site was hacked. If the attackers had actually exfiltrated any data, on form they would prove it by sending a sample of the data, or pointing to the vulnerability they exploited.

This scam is similar to a common sextortion technique in which a scammer claims to have embarrassing webcam footage of the recipient. The recipient has no way of knowing for sure whether the claims are true, so they might end up sending the money just in case.

People who receive these types of emails should assume the claims are bogus, and searching the Internet can provide further reassurance. In this case, BleepingComputer links to multiple examples of people posting on support forums asking if the emails are legitimate, showing that the scammers are indiscriminately sending out the same email template to many website and blog owners in the hope that some will fall for the scheme.

Caving to these types of extortionists is never a good idea. Even if your site’s data was actually stolen, paying a ransom is no guarantee that the attackers won’t sell the data anyway, and there’s nothing stopping them from coming back for more money. New-school security awareness training can teach your employees to remain calm and seek out trustworthy advice when they’re targeted with these tactics.

BleepingComputer has the story:
BEC Isn't Back; It Never Left

Business email compromise (BEC) attacks aren’t new, but they’re growing increasingly effective, according to Zeljka Zorz at Help Net Security.

Zorz cites an article from BakerHostetler, in which two attorneys describe how BEC attacks work and why they’re so effective. The lawyers explain that BEC attacks involve targeted phishing attempts coming from spoofed or compromised email accounts.

These phishing emails are much more convincing than generic, untargeted spam because they appear to be coming from someone within or adjacent to the victim organization, such as from the accounting department.

“The email, of course, is not from the accounting department but from a fraudster,” the attorneys write. “Sometimes the bad actor compromised an accounting department employee’s email account to find customers, steal invoices and gain an understanding of the cadence and manner of billing emails.

Sometimes the bad actor compromised the customer’s email account for the same purpose and then used an email that looked enough like the vendor’s accounting department email address to trick the customer.

But whatever the method of access and communication, the two entities share the same outcome: Money has been paid to bad actors, and it is highly unlikely that it will be recouped, even with law enforcement intervention.”

These attacks will continue to proliferate as security technologies improve, because they exploit human weaknesses rather than technical vulnerabilities. Zorz concludes that employees need to be educated about these attacks in order to defend against them.

“Employees who deal with payments should be taught about the danger presented by these emails, instructed on how to spot red flags, and regularly reminded to always verify all requests to change bank account information by calling a known telephone number for that customer, vendor or business partner (definitely not a phone number included in the email!),” Zorz writes.

“Finally, a business might be wise to these tricks, but it costs them nothing to raise awareness and educate customers and business partners by sending an email delineating all this information and good advice.”

New-school security awareness training can enable your employees to thwart attacks that bypass technical defenses.

Help Net Security has the story:
What KnowBe4 Customers Say

"I just wanted to take a moment to recognize John. He was incredibly knowledgeable, professional, and helpful throughout the entire process.

Your company seems more dedicated to customer support than the other vendors we evaluated and John was a perfect reflection of that commitment. There are a lot of great Security Awareness Platforms out there but the customer support experience really pushed you guys over the finish line.

I am really looking forward to using your platform to help improve our overall security posture within our business."
- S.D., Director of Solutions Engineering

"Hello Stu! I wanted to let you know how much our staff appreciated and enjoyed the Inside Man series. Who would have thought you could love security training as much as we did? Even our CEO came to my office and wanted to know when season 3 would be coming out because now she is at a cliff hanger and has to know what happens next!

I can’t help but to believe that you have raised the bar for our expectations on Security Training! I always promote KnowBe44 but now I can’t wait to tell my Credit Union peers about how much more fun and exciting security training can be with KnowBe4. Thanks again!"
- V.C., VP Operations

The 10 Interesting News Items This Week
    1. New Report from KnowBe4 looks at threats, anxiety and staying away from work amongst furloughed workers in the UK:

    2. Most security pros don't think governments can protect election infrastructure from cyberattacks:

    3. Google resumes its senseless attack on the URL bar, hides full addresses on Chrome 85:

    4. JDSUPRA: "Ransomware Attacks Continue Unabated in the Era of COVID":

    5. 46% of SMEs Sharing Confidential Files by Email During Lockdown:

    6. North Korea's state hackers caught engaging in BEC scams:

    7. Super secretive Russian disinfo operation discovered dating back to 2014:

    8. Cyber spies use LinkedIn to hack European defense firms:

    9. One in three Britons targeted by scammers since the start of coronavirus crisis, Citizens Advice reveals:

    10. Half of Security Professionals Had No Contingency Plan
      in Place for COVID-19:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews