CyberheistNews Vol 10 #28
60% of Organizations Are Hit by Cyberattacks Spread by Their Own Employees 
The "unwitting participant" appears to be alive and well, based on new data from security vendor Mimecast. With employees being the source of attack surface expansion, what’s an org to do?
When you think of cyberattacks, the assumption is that it’s a simple matter of “the bad guy sends an email, the user gets fooled, the user clicks malicious content, and the badness happens.” But the State of Email Security 2020 report from Mimecast sheds some light on some of both the how and why attacks are still successful.
According to the report:
According to the report, it’s a problem-riddled combination of issues involving your people, processes and technology. In essence, the lack of sufficient presence of all three play a role.
From the report:
But, because 7-10% of malicious emails make it through your filters, it’s equally as important to ensure users are continually educated using security awareness training. By doing so, you will improve your organization’s security posture, and keep users from participating in the spread of malicious emails.
The "unwitting participant" appears to be alive and well, based on new data from security vendor Mimecast. With employees being the source of attack surface expansion, what’s an org to do?
When you think of cyberattacks, the assumption is that it’s a simple matter of “the bad guy sends an email, the user gets fooled, the user clicks malicious content, and the badness happens.” But the State of Email Security 2020 report from Mimecast sheds some light on some of both the how and why attacks are still successful.
According to the report:
- 51% of organizations have been impacted by ransomware in the last 12 months
- 58% saw phishing attacks increase
- 60% have seen an increase in impersonation fraud
- 82% have experienced downtime from an attack
According to the report, it’s a problem-riddled combination of issues involving your people, processes and technology. In essence, the lack of sufficient presence of all three play a role.
From the report:
- 60% of orgs have experienced their own employees being responsible for spreading a malicious email (People)
- 55% of orgs don’t provide security awareness training on a regular basis (Process)
- An average of 41% of orgs don’t have a system in place to monitor for and detect malicious content in emails (Technology)
But, because 7-10% of malicious emails make it through your filters, it’s equally as important to ensure users are continually educated using security awareness training. By doing so, you will improve your organization’s security posture, and keep users from participating in the spread of malicious emails.
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, July 8 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to Security Awareness Training and Simulated Phishing.
See how easy it is to train and phish your users:
Date/Time: TOMORROW, Wednesday, July 8 @ 2:00 pm (ET)
Save My Spot!
https://event.on24.com/wcc/r/2439681/925D004197E678DDCC946A93B31C24D9?partnerref=CHN3
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, July 8 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to Security Awareness Training and Simulated Phishing.
See how easy it is to train and phish your users:
- Train your users with access to the world's largest library of 1000+ pieces of awareness training content.
- Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
- NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
- Assessments allows you to find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
- Advanced Reporting on 60+ key awareness training indicators.
- Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Date/Time: TOMORROW, Wednesday, July 8 @ 2:00 pm (ET)
Save My Spot!
https://event.on24.com/wcc/r/2439681/925D004197E678DDCC946A93B31C24D9?partnerref=CHN3
Elections in Russia Mean 16 More Years of Job Security for InfoSec Pros
In a referendum, Russian voters have overwhelmingly backed a ploy by President Vladimir Putin to rule until 2036.
With 50% of polling stations reporting, preliminary results showed that 76% of voters on Wednesday approved the package of some 200 constitutional amendments that include a revision to reset the clock on the current limit of two consecutive presidential terms. That would allow Mr. Putin to potentially run two more times after his current tenure in office expires in 2024, keeping the former KGB boss in the Kremlin until 2036 when he would be 83 years old.
Blog post with links and related backgrounder how Putin is using the net to "divide and conquer":
https://blog.knowbe4.com/elections-in-russia-mean-12-more-years-of-job-security-for-infosec-pros
In a referendum, Russian voters have overwhelmingly backed a ploy by President Vladimir Putin to rule until 2036.
With 50% of polling stations reporting, preliminary results showed that 76% of voters on Wednesday approved the package of some 200 constitutional amendments that include a revision to reset the clock on the current limit of two consecutive presidential terms. That would allow Mr. Putin to potentially run two more times after his current tenure in office expires in 2024, keeping the former KGB boss in the Kremlin until 2036 when he would be 83 years old.
Blog post with links and related backgrounder how Putin is using the net to "divide and conquer":
https://blog.knowbe4.com/elections-in-russia-mean-12-more-years-of-job-security-for-infosec-pros
See How You Can Get Audits Done in Half the Time at Half the Cost
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!
Join us TOMORROW, Wednesday, July 8 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements within your organization and across third-party vendors and ease your burden when it's time for risk assessments and audits.
Save My Spot!
https://event.on24.com/wcc/r/2439682/58CC9CFF88DA458F08828606604A4E42?partnerref=CHN3
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!
Join us TOMORROW, Wednesday, July 8 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements within your organization and across third-party vendors and ease your burden when it's time for risk assessments and audits.
- NEW! Demonstrate overall progress and health of your compliance and risk management initiatives with custom reports.
- Vet, manage and monitor your third-party vendors' security risk requirements.
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
- Quick implementation with pre-built requirements templates for the most widely used regulations.
- Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
- Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Save My Spot!
https://event.on24.com/wcc/r/2439682/58CC9CFF88DA458F08828606604A4E42?partnerref=CHN3
[Warn Your Webmaster] A "Secure DNS" Scam: An Upgrade That's a Downgrade
A phishing campaign is targeting website owners with convincing, personalized emails that purport to come from WordPress, Naked Security reports. The emails claim that WordPress is upgrading the recipient’s domain to use DNSSEC (Domain Name System Security Extensions).
The message has minimal spelling and grammatical errors, and it contains real explanations (copied from ICANN’s website) of what DNS and DNSSEC are. Naked Security notes that many website operators will most likely have heard of DNSSEC, and they probably know that it’s a good security measure.
“On the other hand, you’ve probably never set up DNSSEC or used it directly yourself, because it has typically been a feature used by service providers to help to keep their own DNS databases intact when they exchange data with other DNS servers,” Naked Security says.
“In other words, activating DNSSEC for the server names that your hosting provider looks after for you certainly sounds like a good idea. So we can understand why some recipients of this scam might click through in order to learn more.”
The emails contain a link that’s tailored to each recipient. In Naked Security’s case, the link said, “Click here and activate DNSSEC to nakedsecuritysophoscom.” If the recipient clicks the link, they’ll be taken to a phishing page that convincingly spoofs a WordPress login page. The page specifically says “Admin Area” to convince the user to enter their administrative credentials, which will be sent to the attackers.
While this scam was tailored to WordPress users (since Naked Security is hosted on WordPress), Naked Security found an image directory on the phishing site that contained the banner logos of 97 other hosting providers, including Akamai, HostGator, Linode, Magento, and Microsoft. The link in the email is customized so that users of different hosting providers will see the login page specific to their provider.
Naked Security has the story:
https://nakedsecurity.sophos.com/2020/06/29/beware-secure-dns-scam-targeting-website-owners-and-bloggers/
A phishing campaign is targeting website owners with convincing, personalized emails that purport to come from WordPress, Naked Security reports. The emails claim that WordPress is upgrading the recipient’s domain to use DNSSEC (Domain Name System Security Extensions).
The message has minimal spelling and grammatical errors, and it contains real explanations (copied from ICANN’s website) of what DNS and DNSSEC are. Naked Security notes that many website operators will most likely have heard of DNSSEC, and they probably know that it’s a good security measure.
“On the other hand, you’ve probably never set up DNSSEC or used it directly yourself, because it has typically been a feature used by service providers to help to keep their own DNS databases intact when they exchange data with other DNS servers,” Naked Security says.
“In other words, activating DNSSEC for the server names that your hosting provider looks after for you certainly sounds like a good idea. So we can understand why some recipients of this scam might click through in order to learn more.”
The emails contain a link that’s tailored to each recipient. In Naked Security’s case, the link said, “Click here and activate DNSSEC to nakedsecuritysophoscom.” If the recipient clicks the link, they’ll be taken to a phishing page that convincingly spoofs a WordPress login page. The page specifically says “Admin Area” to convince the user to enter their administrative credentials, which will be sent to the attackers.
While this scam was tailored to WordPress users (since Naked Security is hosted on WordPress), Naked Security found an image directory on the phishing site that contained the banner logos of 97 other hosting providers, including Akamai, HostGator, Linode, Magento, and Microsoft. The link in the email is customized so that users of different hosting providers will see the login page specific to their provider.
Naked Security has the story:
https://nakedsecurity.sophos.com/2020/06/29/beware-secure-dns-scam-targeting-website-owners-and-bloggers/
[WEBINAR] Hackers Exposed: Kevin Mitnick Shares His Tradecraft and Tools to Help You Hack Proof Your Network
Months of quarantine, transitioning to work from home, economic uncertainty, social and political turmoil… it’s easy to see why your employees are amped up, tense and distracted. And the bad guys are preying on those vulnerabilities more savagely than ever.
Join us for this exclusive webinar where Kevin Mitnick, KnowBe4’s Chief Hacking Officer and Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer dive deep into the strategies cybercriminals are using to raise the stakes.
In this webinar you’ll hear about:
Date/Time: Wednesday, July 15 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/2469831/8CE34235D63ECB2355E0D55A998F15F6?partnerref=CHN1
Let's stay safe out there.
PS: Who *is* this Stu guy? Here is a new background interview with me, in the Tampa Bay Business & Wealth Magazine:
https://tbbwmag.com/2020/06/30/stu-sjouwermans-knowbe4-seeks-to-take-the-human-error-out-of-it-security/
Months of quarantine, transitioning to work from home, economic uncertainty, social and political turmoil… it’s easy to see why your employees are amped up, tense and distracted. And the bad guys are preying on those vulnerabilities more savagely than ever.
Join us for this exclusive webinar where Kevin Mitnick, KnowBe4’s Chief Hacking Officer and Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer dive deep into the strategies cybercriminals are using to raise the stakes.
In this webinar you’ll hear about:
- Router configurations that put WFH and hybrid home/office endpoints in danger
- New browser exploits that are making your employees more vulnerable
- Why you can’t trust your trusted senders (supply chain attacks)
- The ominous effects of several real-life ransomware attacks
Date/Time: Wednesday, July 15 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/2469831/8CE34235D63ECB2355E0D55A998F15F6?partnerref=CHN1
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc
PS: Who *is* this Stu guy? Here is a new background interview with me, in the Tampa Bay Business & Wealth Magazine:
https://tbbwmag.com/2020/06/30/stu-sjouwermans-knowbe4-seeks-to-take-the-human-error-out-of-it-security/
Quotes of the Week
"In all affairs it's a healthy thing now and then to hang a question mark on the things you have long taken for granted."
- Bertrand Russell, Philosopher (1872 - 1970)
"Do you want to know who you are? Don't ask. Act! Action will delineate and define you."
- Thomas Jefferson, Principal author of the Declaration of Independence and 3rd US President
(1743 - 1826)
BONUS VIDEO QUOTE.
With everything going on at the moment this feels very relevant. Wise words of a great thinker - Bertrand Russell Video:
https://www.flixxy.com/bertrand-russell-message-to-future-generations.htm?utm_source=4
Thanks for reading CyberheistNews
- Bertrand Russell, Philosopher (1872 - 1970)
"Do you want to know who you are? Don't ask. Act! Action will delineate and define you."
- Thomas Jefferson, Principal author of the Declaration of Independence and 3rd US President
(1743 - 1826)
BONUS VIDEO QUOTE.
With everything going on at the moment this feels very relevant. Wise words of a great thinker - Bertrand Russell Video:
https://www.flixxy.com/bertrand-russell-message-to-future-generations.htm?utm_source=4
Thanks for reading CyberheistNews
Security News
Evading Antivirus Software With Evil Clippy
Attackers are using a tool known as “Evil Clippy” to obfuscate malicious macros and prevent them from being detected by most antivirus vendors, according to Avi Grafi from Votiro. On the CyberWire’s Hacking Humans podcast, Grafi described a recent phishing campaign that used this technique to deliver the Dridex banking Trojan via malicious documents.
“We found after analyzing the exact payload that it was an invoice with attached Excel spreadsheet,” he said. “That Excel spreadsheet's something that we never saw before because it actually contained a hidden payload, hidden Macro for any detection system out there that's trying to analyze that.
In fact, when you're running the standard tools in the industry, you get an error saying there's nothing there.” Grafi also noted that it took more than two days before the sample began getting flagged as malicious on VirusTotal, and the attackers can simply update their campaign with new samples that will go undetected.
“So, we found three different samples,” Grafi explained. “One was a UPS invoice that looked very genuine. Actually, when our team looked at that, they were struggling to understand whether this is a legitimate one or not. The ‘from’ address was perfectly forged. In fact, also when we looked at the email headers, we found that it went through one of the – potentially, we thought that it went from one of the UPS servers.
So the hackers put a lot of effort in mimicking a real, genuine – close-to-genuine experience. And this is one of the masterpieces I saw recently, to be honest.”
The CyberWire has the story:
https://thecyberwire.com/podcasts/hacking-humans/105/transcript
Attackers are using a tool known as “Evil Clippy” to obfuscate malicious macros and prevent them from being detected by most antivirus vendors, according to Avi Grafi from Votiro. On the CyberWire’s Hacking Humans podcast, Grafi described a recent phishing campaign that used this technique to deliver the Dridex banking Trojan via malicious documents.
“We found after analyzing the exact payload that it was an invoice with attached Excel spreadsheet,” he said. “That Excel spreadsheet's something that we never saw before because it actually contained a hidden payload, hidden Macro for any detection system out there that's trying to analyze that.
In fact, when you're running the standard tools in the industry, you get an error saying there's nothing there.” Grafi also noted that it took more than two days before the sample began getting flagged as malicious on VirusTotal, and the attackers can simply update their campaign with new samples that will go undetected.
“So, we found three different samples,” Grafi explained. “One was a UPS invoice that looked very genuine. Actually, when our team looked at that, they were struggling to understand whether this is a legitimate one or not. The ‘from’ address was perfectly forged. In fact, also when we looked at the email headers, we found that it went through one of the – potentially, we thought that it went from one of the UPS servers.
So the hackers put a lot of effort in mimicking a real, genuine – close-to-genuine experience. And this is one of the masterpieces I saw recently, to be honest.”
The CyberWire has the story:
https://thecyberwire.com/podcasts/hacking-humans/105/transcript
One Letter Away: Impersonation, Bitcoin, and Phishing Expeditions
KrebsOnSecurity reports that a phishing website has been impersonating the private messaging service Privnote.com in order to steal Bitcoin. The real Privnote is a free site that allows users to send encrypted messages that are automatically erased after being read.
The owner of Privnote contacted Krebs in February telling him that someone had created a copy of their site at the domain “privnotes[.]com.” The spoofed site contained a messaging service, but the messages were sent in plain text and could be read or modified by the site’s operators. And the bogus domain name was just one character off.
It wasn’t clear what the spoofed site’s intent was until Krebs found that it contained a script that would automatically replace Bitcoin addresses in messages composed by users with an address presumably controlled by the site’s owner.
Allison Nixon, chief research officer at Unit 221B, told Krebs that the nature of the site made it easier for this scam to remain undetected for months.
“Because of the design of the site, the sender won’t be able to view the message because it self-destructs after one open, and the type of people using privnote aren’t the type of people who are going to send that bitcoin wallet any other way for verification purposes,” Nixon said. “It’s a pretty smart scam.”
KrebsOnSecurity has the story:
https://krebsonsecurity.com/2020/06/privnotes-com-is-phishing-bitcoin-from-users-of-private-messaging-service-privnote-com/
KrebsOnSecurity reports that a phishing website has been impersonating the private messaging service Privnote.com in order to steal Bitcoin. The real Privnote is a free site that allows users to send encrypted messages that are automatically erased after being read.
The owner of Privnote contacted Krebs in February telling him that someone had created a copy of their site at the domain “privnotes[.]com.” The spoofed site contained a messaging service, but the messages were sent in plain text and could be read or modified by the site’s operators. And the bogus domain name was just one character off.
It wasn’t clear what the spoofed site’s intent was until Krebs found that it contained a script that would automatically replace Bitcoin addresses in messages composed by users with an address presumably controlled by the site’s owner.
Allison Nixon, chief research officer at Unit 221B, told Krebs that the nature of the site made it easier for this scam to remain undetected for months.
“Because of the design of the site, the sender won’t be able to view the message because it self-destructs after one open, and the type of people using privnote aren’t the type of people who are going to send that bitcoin wallet any other way for verification purposes,” Nixon said. “It’s a pretty smart scam.”
KrebsOnSecurity has the story:
https://krebsonsecurity.com/2020/06/privnotes-com-is-phishing-bitcoin-from-users-of-private-messaging-service-privnote-com/
What KnowBe4 Customers Say
Accolades from a Partner on our Portal: "Strange question... did you guys hire a company to produce your partner portal or was that done in house? It is one of the most intuitive and easy to use partner portals I have come across."
"Hey Ayla, I just wanted to send over a thank you for the recent time you have spent with us getting our KnowBe4 training and campaigns organized and enforced. Our meetings have been very beneficial and I very much appreciate all of your guidance!
- S.D., Director of IT Operations
"Behind every successful IT security operator is Ayla Hubbard. I love working with her and she makes me a HAPPY CAMPER! Thank you!"
- W.W., Information Systems Generalist
Here is the June Fresh Content Update: Including New Roger Grimes Video Series on Data-Driven Defense:
https://blog.knowbe4.com/june-content-update-including-new-roger-grimes-video-series-on-data-driven-defense
Accolades from a Partner on our Portal: "Strange question... did you guys hire a company to produce your partner portal or was that done in house? It is one of the most intuitive and easy to use partner portals I have come across."
"Hey Ayla, I just wanted to send over a thank you for the recent time you have spent with us getting our KnowBe4 training and campaigns organized and enforced. Our meetings have been very beneficial and I very much appreciate all of your guidance!
- S.D., Director of IT Operations
"Behind every successful IT security operator is Ayla Hubbard. I love working with her and she makes me a HAPPY CAMPER! Thank you!"
- W.W., Information Systems Generalist
Here is the June Fresh Content Update: Including New Roger Grimes Video Series on Data-Driven Defense:
https://blog.knowbe4.com/june-content-update-including-new-roger-grimes-video-series-on-data-driven-defense
The 10 Interesting News Items This Week
- The next cybersecurity headache: Employees know the rules but just don't care:
https://www.techrepublic.com/article/the-next-cybersecurity-headache-employees-know-the-rules-but-just-dont-care/ - Seller floods hacker forum with data stolen from 14 companies:
https://www.bleepingcomputer.com/news/security/seller-floods-hacker-forum-with-data-stolen-from-14-companies/?&web_view=true - Inside a ransomware attack: From the first breach to the ransom demand. Security researchers map out how a ransomware attack plays out over a two-week period:
https://www.zdnet.com/article/inside-a-ransomware-attack-from-the-first-breach-to-encrypting-a-network-in-just-two-weeks/ - Ransomware Gangs Don't Need PR Help:
https://krebsonsecurity.com/2020/07/ransomware-gangs-dont-need-pr-help/ - NSA to release advisory on VPN security amid telework boom:
https://fcw.com/articles/2020/07/01/johnson-nsa-vpn-advisory.aspx? - US Cyber Command says foreign hackers will most likely exploit new PAN-OS security bug:
https://www.zdnet.com/article/us-cyber-command-says-foreign-hackers-will-most-likely-exploit-new-pan-os-security-bug/ - 945 Websites Hacked – up to 14 Million Potential Victims:
https://lucysecurity.com/945-websites-hacked-up-to-14-million-potential-victims/ - Creepto Cash: personal data of thousands of users from the UK, Australia, South Africa, the US, Singapore exposed in bitcoin scam:
https://www.group-ib.com/media/creepto-cash-personal-data/ - StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure:
https://labs.bitdefender.com/2020/06/strongpity-apt-revealing-trojanized-tools-working-hours-and-infrastructure/ - Forged Emails and Messages by Iran’s Ministry of Intelligence and Its Cyber-Terror Unit:
https://www.ncr-iran.org/en/ncri-statements/terrorism-fundamentalism/forged-emails-and-messages-by-irans-ministry-of-intelligence-and-its-cyber-terror-unit/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- Your Virtual Vacation #1: Expedition Everest, the Mission. Some virtual 360 views I've never seen before from these angles like the Glacier:
https://www.youtube.com/watch?v=KM6HWp_ik2c - Your Virtual Vacation #2: Nice little virtual tour in 360. This is Holland VR - The Zaanse Schans (8K 3D 360 Video):
https://www.youtube.com/watch?v=Qo_L9QIfHUs - Your Virtual Vacation #3: Kamchatka Awesome video of the Vulcan landscape:
https://www.youtube.com/watch?v=OaFmmd2Ium8 - We repeat this fave once a year in the 4th of July week. An explanation of the various forms of government and political systems, and why America is not a democracy, but a republic:
https://www.flixxy.com/political-systems.htm?utm_source=4 - World Record. Mount Everest AS350 B3 landing. Never knew a pilot was able to land on the Summit. Thought it was impossible due to the thin air!:
https://www.youtube.com/watch?v=WXNXSvnCtKA - Fun dept. Here's What the World's Cheapest Electric Car (900 bucks) Is Like to Drive:
https://www.youtube.com/watch?v=1GG1RC7GV0Y - Ever wonder what was going on below on wheels up or wheels down? Camera installed on landing gear:
https://youtu.be/tvJOMKd1KHs - Building the World's Thinnest Skyscraper:
https://www.youtube.com/watch?v=2STPr1Taaw8 - For Da Kids #1 - Pretty Girl Posing With a Humorous Seal. Who would not want to have a selfie with such a cutie?:
https://www.flixxy.com/pretty-girl-posing-with-a-humorous-seal.htm?utm_source=4 - For Da Kids #2 - A Bison Stampede in Yellowstone Park:
https://youtu.be/rpwqtxfCiPM - For Da Kids #3 - Budgie Talks To Owner To Stop Feeling Lonely:
https://www.youtube.com/watch?v=PctZo-Y19Fw
