CyberheistNews Vol 10 #27 [Heads Up] How Slack Phishing Works - The Latest Tricky Attack Vector


People need to be able to use their instincts in order to spot new phishing techniques, according to Ashley Graves, a Cloud Security Researcher at AT&T Alien Labs. On the CyberWire’s Research Saturday podcast, Graves described a phishing technique that abuses webhooks in Slack to fool users into granting an attacker access to their Slack data.

A webhook is a feature that allows third-party apps to send messages to a specific Slack channel via a unique URL. Anyone can send a message to the Slack channel if they know this URL, so it’s important that the URL be kept secret. If an attacker discovers a leaked webhook URL, they can craft a phishing message and send it directly into a Slack workspace to trick a user into installing a malicious app. This app can then exfiltrate data from the targeted workspace.
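Because the whole technique hinges on a webhook URL that was never meant to be public, the first defensive control is finding leaked ones before an attacker does. The scanner below is an added example, not tooling from AT&T Alien Labs, Slack or KnowBe4; it assumes the URL shape of Slack's documented incoming-webhook example (`https://hooks.slack.com/services/T.../B.../...`) and scans constructed sample files embedded inline.

```python
"""Find Slack incoming-webhook URLs that have leaked into source files or configs.

Added example code. The URL pattern is an assumption based on the shape of
Slack's documented example webhook; the sample files below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Workspace id (T...), app id (B...), then the secret path segment.
SLACK_WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]+)/(B[A-Z0-9]+)/([A-Za-z0-9]+)"
)


def redact(url_match: "re.Match") -> str:
    """Keep the T/B ids (useful for finding the owning app) but mask the secret."""
    team, app, secret = url_match.groups()
    masked = secret[:4] + "*" * (len(secret) - 4)
    return f"https://hooks.slack.com/services/{team}/{app}/{masked}"


def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file name, line number, redacted URL) for every webhook found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLACK_WEBHOOK_RE.finditer(line):
            findings.append((name, lineno, redact(match)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan an in-memory {path: contents} map; swap in os.walk + open() for a real tree."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample files (the ids and secrets are made up, not real credentials):
# a deploy script and a CI config that leak a webhook, plus a clean README.
SAMPLE_FILES = {
    "deploy.sh": "curl -X POST -d '{\"text\":\"deployed\"}' "
                 "https://hooks.slack.com/services/T0000EXAMPLE/B0000EXAMPLE/abcdefghijklmnopqrstuvwx\n",
    ".github/workflows/ci.yml": "env:\n  SLACK_URL: "
                                "https://hooks.slack.com/services/T1111EXAMPLE/B1111EXAMPLE/zyxwvutsrqponmlkjihgfedc\n",
    "README.md": "Post alerts using the SLACK_URL secret stored in the CI vault.\n",
}

if __name__ == "__main__":
    for name, lineno, url in scan_files(SAMPLE_FILES):
        # A hit means the webhook should be regenerated in the Slack app settings,
        # since anyone holding the old URL can post into the bound channel.
        print(f"{name}:{lineno}: leaked Slack webhook {url}")
```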

Graves emphasized that this attack doesn’t have any visible warning signs, since the communication comes directly from Slack through a legitimate service.

“The only indication that exists would be the person's gut feeling that it doesn't seem right, that this app should not be requesting this level of data,” she said.

Graves said part of the solution is improved awareness around what attackers can do with certain information. “So, I think some people legitimately don't understand how much access an attacker can gain when credentials are leaked, and even more so when a webhook secret is leaked,” Graves explained.

“On the other side of it is understanding what you're giving third parties access to. So, knowing to read those OAuth scopes, understanding how the application that you're using might use that access. Like, it wouldn't make sense – to me, at least – for a webhook to need access to my documents.

So, that's something that they have to look over and have some sort of understanding around whether it's some self-learning, whether it's included in security awareness training or something like that.”

Graves noted that anyone can be fooled by social engineering, so companies need to ensure that users know when they should be cautious and ask for assistance before taking an action.

“But again, we've seen in similar attacks in the past that users can be easily tricked and that it's not stupidity,” she said. “It's not even ignorance. It's just that this is very new technology to a lot of people, and the prompts are not always clear, and there is a lot of small text about how they work. So I think that companies need to, I suppose, make as much effort as possible to help people understand the impact of their actions.”

Attackers will never stop coming up with new ways to dupe people into granting them access. New-school security awareness training can give your employees a healthy sense of suspicion to enable them to stop social engineering attacks.

The CyberWire has the story:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, July 8 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to Security Awareness Training and Simulated Phishing.

See how easy it is to train and phish your users:
  • Train your users with access to the world's largest library of 1000+ pieces of awareness training content.
  • Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • Assessments allows you to find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 33,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, July 8 @ 2:00 pm (ET)

Save My Spot!

[ALERT] A New Devilish Malware Worm Called Lucifer Is Targeting Your Windows Workstations

Security experts at Palo Alto Networks' Unit 42 have identified a malware worm called Lucifer that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

This brand-new strain initially tries to infect PCs by bombarding them with a long list of known exploits, hoping to cash in on unpatched vulnerabilities. While patches for all of these critical and high-severity bugs exist, the organizations infected by this new strain had not applied them.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” Palo Alto said last Wednesday in a blog post. “Applying the updates and patches to the affected software are strongly advised.”

The exploits Lucifer is using include Rejetto HTTP File Server (CVE-2014-6287), Oracle WebLogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), the Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).

After a successful exploit, the strain connects to its command-and-control (C2) server and is able to execute any commands on the fully pwned device. Some "features" allow the malware to drop an XMRig miner and launch cryptojacking attacks, as well as collecting interface info and sending the miner status to the C2.

The malware is also capable of self-propagation with worm-like features.

The Threatpost site commented: "It scans for either open TCP ports (also known as port 1433) or open Remote Procedure Call (RPC) ports (also known as port 135). If either of these ports is open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (a full list of the passwords used can be found on Unit 42’s analysis). It then copies and runs the malware binary on the remote host upon successful authentication."

Please forward to your friends. Blog post with links continued here:

See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!

Join us Wednesday, July 8 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements within your organization and across third-party vendors and ease your burden when it's time for risk assessments and audits.
  • NEW! Demonstrate overall progress and health of your compliance and risk management initiatives with custom reports.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, July 8 @ 1:00 PM (ET)

Save My Spot!

Cybercriminals Use Adobe and Samsung Servers to Hide Their Phishing Attacks

Researchers at Check Point have observed a phishing campaign that, to avoid detection, abused servers belonging to Adobe, Samsung, and the University of Oxford. The attackers used several layers of deception to disguise their phishing emails as legitimate.

The phishing emails purported to come from Microsoft and informed recipients that they’d received a voicemail on their Office 365 account. If the user clicked the link in the email, they’d be redirected through a legitimate server before landing on a spoofed Office 365 login page designed to steal their credentials.

The redirection step was accomplished using an Adobe Campaign open redirect link belonging to Samsung Canada, meant for the company’s email campaigns. Open redirects enable anyone to craft a URL that will route a user through the server hosting the URL before sending them on to the specified website.

In this case, the attackers used the open redirect link from Samsung’s email campaign for Cyber Monday in 2018 and modified it to point to their phishing page.

“The technique of using Adobe Campaign open redirect was initially discovered in September 2019 on the domain belonging to Adobe itself,” the researchers write. “In the last few months, it’s been widely abused for phishing purposes. To evade detection, attackers abuse open and reputable Adobe Campaign servers to redirect potential victims to their own phishing websites.

This means that the link embedded in the phishing email is part of a trusted domain – one that unknowingly redirects victims to the phishing website.”
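The defensive counterpart to this trick is to look past the trusted host in the email and ask where the link's parameters send the user. The checker below is an added example, not Check Point's or Adobe's code; it follows URL-valued query parameters (including double percent-encoded ones, which are a common evasion) and flags a link whenever a later hop lands on a host other than the one the email shows. The sample URLs are constructed.

```python
"""Detect open-redirect style links by following URL-valued query parameters.

Added example code; the sample links are constructed and use reserved
.example/.test names, not real campaign or phishing domains.
"""
from typing import List
from urllib.parse import parse_qsl, unquote, urlsplit


def _decode_until_url(value: str, max_layers: int = 3) -> str:
    """Strip extra percent-encoding layers until the value looks like a URL.

    parse_qsl already decodes one layer; attackers sometimes encode twice so a
    naive scanner sees 'https%3A%2F%2F...' instead of a URL.
    """
    current = value
    for _ in range(max_layers):
        if current.startswith(("http://", "https://", "//")):
            break
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def redirect_chain(url: str, max_hops: int = 5) -> List[str]:
    """Return the hosts a click would route through, first the visible link host,
    then every host found in a URL-valued query parameter, hop by hop."""
    hosts = []
    current = url
    for _ in range(max_hops):
        parts = urlsplit(current)
        hosts.append(parts.hostname or "")
        next_hop = None
        for _name, value in parse_qsl(parts.query, keep_blank_values=True):
            candidate = _decode_until_url(value)
            if candidate.startswith(("http://", "https://", "//")):
                next_hop = candidate
                break
        if next_hop is None:
            break
        current = next_hop
    return hosts


def looks_like_open_redirect(url: str) -> bool:
    """True when the link ultimately hands the user to a host other than the visible one."""
    chain = redirect_chain(url)
    return len(chain) > 1 and any(host != chain[0] for host in chain[1:])


# Constructed samples: a campaign-style redirect to a fake login page, a
# double-encoded variant, a same-site 'next' parameter, and a plain product link.
SAMPLE_LINKS = [
    "https://tracking.campaign.example/r/?url=https%3A%2F%2Fevil-login.test%2Foffice365",
    "https://redir.campaign.example/?u=https%253A%252F%252Fevil-login.test",
    "https://www.shop.example/login?next=https%3A%2F%2Fwww.shop.example%2Fhome",
    "https://www.shop.example/products?id=42",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(looks_like_open_redirect(link), " -> ".join(redirect_chain(link)))
```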

The attackers also managed to abuse the University of Oxford’s email servers to disguise the origin of the emails. “Using legitimate Oxford SMTP servers allowed the attackers to pass the reputation check for the sender domain,” Check Point says. “In addition, there was no need to compromise actual email accounts to send phishing emails because they could generate as many email addresses as they wanted.”

Finally, the phishing kit itself was hosted on a compromised WordPress site. It would generate a new directory for each visitor, as well as unique, obfuscated source code to avoid detection by security tools.

“The second layer of redirection is used to distance the final phishing page from the original email,” the researchers explain. “In this case, the attackers used several compromised WordPress sites which contain malicious redirect code. Introducing another redirection layer enables the attackers to circumvent security solutions that investigate the links within the email.

Thus the URL within the email points to a WordPress site instead of a suspicious-looking phishing page.”

Attackers will never stop finding new ways to defeat security technologies. New-school security awareness training can give your organization an essential layer of defense by enabling your employees to recognize phishing emails that make it through your filters.

Check Point has the story:

[On-Demand] 10 Incredible Ways You Can Be Hacked Through Email & How to Stop the Bad Guys

Email is still the #1 attack vector the bad guys use. A whopping 91% of cyberattacks start with a phishing email, but email hacking is much more than phishing and launching malware.

In this on-demand webinar, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and a security expert with over 30 years of experience, explores 10 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run. Plus, he shares a hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick.

Roger will teach you:
  • How silent malware launches, remote password hash capture, and how rogue rules work
  • Why rogue documents, establishing fake relationships and getting you to compromise your ethics are so effective
  • Details behind clickjacking and web beacons
  • Actionable steps on how to defend against them all
If all you were worried about were phishing attempts, think again!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Just For YOU. We just added 2 new training modules featuring Roger Grimes about data-driven defense:

PSS: Need to educate your C-level execs? Here are five cybersecurity books that everyone should —and can— read, recommended by the Wall Street Journal:

Quotes of the Week
"It is not because things are difficult that we do not dare,
it is because we do not dare that they are difficult."

- Lucius Annaeus Seneca, Philosopher, Statesman, Dramatist (5 BC - 65 AD)

"I am always doing that which I cannot do, in order that I may learn how to do it."
- Pablo Picasso, Artist (1881 - 1973)

Thanks for reading CyberheistNews

Security News
Pyongyang's Phishing With Job Offers

An attack campaign with possible ties to North Korea’s Lazarus Group targeted aerospace and military companies in Europe and the Middle East with spearphishing attacks late last year, according to researchers at ESET.

The campaign, which the researchers call “Operation In(ter)ception,” used social engineering attacks on LinkedIn to trick employees into opening malware-laden documents.

“To initiate contact, they approached the targets with fictitious job offers using LinkedIn’s messaging feature,” the researchers write. “In order to appear credible, the attackers posed as representatives of well-known, existing companies in the aerospace and defense industry.

For each of the targeted companies we investigated, the attackers had created a separate fake LinkedIn account: one impersonating an HR manager from Collins Aerospace (formerly Rockwell Collins), a major US supplier of aerospace and defense products; the other posing as an HR representative of General Dynamics, another large US-based corporation with a similar focus.”

Interestingly, while the attackers’ primary goal was espionage, ESET observed one case in which the attackers used a victim’s email account in an attempt to conduct a business email compromise (BEC) scam. While BEC attacks are usually associated with criminals rather than state-sponsored groups, North Korean cyber actors often conduct financially motivated attacks to generate revenue for their heavily sanctioned regime.

“Among the victim’s emails, the attackers found communication between the victim and a customer regarding an unresolved invoice,” the researchers explain. “They followed up the conversation and urged the customer to pay the invoice, however, to a different bank account than previously agreed, to which the customer responded with some inquiries.

As part of this ruse, the attackers registered an identical domain name to that of the compromised company, but on a different top-level domain, and used an email associated with this fake domain for further communication with the targeted customer.

The attackers did not respond to the customer’s inquiries and continued to urge them to pay. Instead of paying the invoice, however, the targeted customer reached out to the correct email address of the victim for assistance, thwarting the attackers’ attempt. The victim recognized something was amiss and reported the communication as an incident.”
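The lookalike-domain ruse described above (same name, different top-level domain, used to push a changed bank account) is one of the few parts of a BEC attempt that can be checked mechanically. The check below is an added example, not ESET's code: it compares the From and Reply-To domains of an invoice email against a constructed allowlist of known vendor domains and flags a TLD swap or a Reply-To that diverges from the From address. It assumes single-label TLDs, so multi-part suffixes such as co.uk would need a public-suffix list.

```python
"""Flag invoice emails whose sender domain mimics a known vendor on another TLD.

Added example code; the vendor allowlist and messages are constructed.
Simplification: the last label is treated as the TLD (no public-suffix list).
"""
from typing import Dict, List, Optional

# Constructed allowlist: domains the finance team actually receives invoices from.
KNOWN_VENDOR_DOMAINS = {"acme-aerospace.example", "northwind-parts.example"}


def base_label(domain: str) -> str:
    """'acme-aerospace.example' -> 'acme-aerospace' (the part a TLD swap keeps)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known vendor domain this one mimics, or None if it is known or unrelated."""
    domain = domain.lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return None
    for known in KNOWN_VENDOR_DOMAINS:
        if base_label(known) == base_label(domain):
            return known
    return None


def address_domain(addr: str) -> str:
    """'Jane <jane@x.example>' -> 'x.example'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def check_message(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one message's From/Reply-To headers."""
    findings = []
    from_dom = address_domain(headers.get("From", ""))
    known = lookalike_of(from_dom)
    if known:
        findings.append(f"From domain {from_dom} mimics known vendor {known} on a different TLD")
    if "Reply-To" in headers:
        reply_dom = address_domain(headers["Reply-To"])
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
            known = lookalike_of(reply_dom)
            if known:
                findings.append(f"Reply-To domain {reply_dom} mimics known vendor {known} on a different TLD")
    return findings


# Constructed messages: a genuine vendor, the TLD-swap ruse, and a Reply-To swap.
SAMPLE_MESSAGES = [
    {"From": "billing@acme-aerospace.example"},
    {"From": "Accounts <billing@acme-aerospace.test>"},
    {"From": "billing@acme-aerospace.example", "Reply-To": "billing@acme-aerospace.test"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg.get("From"), "->", check_message(msg) or ["no findings"])
```

A hit is a reason to confirm any bank-account change with the vendor over a known-good phone number, which is exactly how the targeted customer in ESET's account defeated the scam.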

Sometimes it’s espionage, and sometimes it’s fraud. Recognizing the motive can help recognize the attack. New-school security awareness training can provide your employees with the knowledge they need to thwart targeted social engineering attacks.

ESET has the story:

Survey Says...You've Been Pwned

Surveys are enticing, and so are survey scams. But they’re easy to recognize if you know what to look for, according to Paul Ducklin at Naked Security.

Ducklin describes a typical survey scam that Sophos spotted recently. The scammers impersonate well-known brands and offer a reward to users who fill out a survey. Real companies use these surveys as well, but the rewards from a legitimate survey are very small, such as a coupon for your next order.

The fake survey asks generic, innocuous questions that could apply to any business, and allows the user to choose their answers from multiple-choice panels. Throughout this process, the site displays the text “38 visitors on this page,” and “6 rewards left” to induce a sense of urgency.

After completing the survey, the user is informed that they’ve actually won an expensive prize, such as a free iPhone.

At the final page, however, it’s revealed that the user will have to pay one dollar as a delivery fee before they can receive their prize. To do this, they’ll be asked to enter their name, address, and credit card information, which will be sent straight to the scammers.

Ducklin stresses that no matter how tempting the deal is, you should leave the site if you sense anything out of place. Even if you don’t see any warning signs, the moment a site asks you to enter any sensitive information should be your cue to leave.

“Remember, if you are taking a survey and you see anything that doesn’t add up – anything at all – then you need to get off the website right away before you get sucked into giving away any personal information,” Ducklin writes.

“Legitimate companies and genuine surveys should be clearly explained in advance, so if the goalposts move halfway through, you’re being scammed.” Ducklin adds that common sense, awareness, and level-headedness are usually all that’s needed to defeat these types of scams.

“There is no free iPhone,” he says. “Or Android, or tablet, or laptop. There just isn’t. Stores don’t hand out $1000 mobile phones in return for you telling them whether you think they should stay open later. They just don’t. Follow your head and not your heart.”

New-school security awareness training can help your employees recognize social engineering tactics and avoid falling for scams.

Naked Security has the story:

KnowBe4 Announcement: New Training Modules Added on Data-Driven Defense

We have exciting news to share! Two new modules have been released about data-driven defense, both featuring Data-Driven Evangelist Roger Grimes. Join Roger Grimes as he introduces the overall concepts of a risk-analyzed, data-driven computer defense, as conceptualized in his book, A Data-Driven Computer Defense: A Way to Improve Any Computer Defense.

These brand-new modules cover the following:
  • An Introduction to Data-Driven Defense: Roger discusses the basic principles behind a data-driven defense and what most companies get wrong about cybersecurity risk and why.
  • Data-Driven Defense: Hackers and Why They Hack: Roger discusses the different types of hackers and their motivations. If you’re going to fight hackers, it’s best if you understand why they hack and what they are after.
You can view both modules in the ModStore. Get no-charge access here:

The 10 Interesting News Items This Week
    1. This ransomware has learned a new trick: Scanning for point of sales devices:

    2. Black Hat Survey: Breach Concerns Hit Record Levels Due to COVID-19:

    3. Companies Name One of the Biggest Cybersecurity Threats: Their Employees - The Wall Street Journal:

    4. Really good article on security awareness in SC Mag:

    5. FBI warns K12 schools of ransomware attacks via RDP:

    6. Don't Fall Victim to These Common Social Networking Scams. By yours truly at Forbes:

    7. 10 (more) free security tools worth a look via @csoonline:

    8. Hackers abuse Samsung Canada, others, to launch phishing attacks:

    9. Ransomware operators lurk on your network after their attack:

    10. Ouch. BlueLeaks data dump exposes over 24 years of police records:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.
