CyberheistNews Vol 10 #40 [Scary Stuff] A Chinese Antivirus Vendor Is Tied to a Decade-Long Hacking Spree


Members of the hacking group “APT41” were charged by the U.S. Department of Justice for hacking more than 100 victims globally with one of its members running AV vendor Anvisoft.

We all naturally assume that our antivirus vendors are the good guys. But the news that members of APT41 have been indicted, according to a news release from the U.S. DoJ, highlights that if you are looking at using a vendor that is not one of the major established players, you might be playing with fire.

The attacks included “supply chain attacks” where legitimate software providers were compromised and their code modified to facilitate further intrusions against the software providers’ customers.

One of the members charged, Tan DaiLin, was the subject of a 2012 KrebsOnSecurity investigation about his ties to whitelisted AV vendor Anvisoft. Despite this being brought to light, DaiLin and his cohorts continued for 7 years until being initially charged in August of 2019 and then again in 2020.

The Department of Justice release makes no mention of specific involvement of the AV software, but given APT41’s use of supply chain attacks, it makes sense that they would put the same code into Anvisoft’s product to facilitate access to customer networks.

Scary stuff. Here are four take-aways:
  • Stick with known AV players and not a “free AV”. You may end up paying for it dearly if you do. Or simply use Microsoft Defender, it's good enough today.
  • Same goes for point solutions from less-than-well-known vendors. APT41 compromised plenty of smaller software titles to gain their access.
  • The bad guys are working tirelessly to gain access to and control over your network. Have a layered security strategy in place to detect abnormally behaving software on your endpoints.
  • As always, use new-school security awareness training to create a strong human firewall and stop users from downloading malicious apps.
Your 2020 Ransomware Hostage Rescue Guide

Ransomware attacks are on the rise and are estimated to cost global organizations $20 billion by 2021. As ransomware attacks become more targeted and more damaging, your organization faces increased risk that can leave your networks down for days or even weeks. So, how can your organization avoid getting held hostage?

Join Erich Kron CISSP, Security Awareness Advocate at KnowBe4, as he looks at concerning features of new ransomware strains, provides actionable info that you need to prevent infections, and gives you tips on what to do when you are hit with ransomware.

In this on-demand webcast we will cover:
  • Why hackers are targeting your organization
  • What new scary ransomware strains are in the wild
  • Am I infected?
  • I’m infected, now what?
  • Proven methods of protecting your organization
  • How to create your human firewall
Don’t get held hostage and become a statistic.

Watch Now!
FBI: "Credential Stuffing Used Against Financial Services"

A security alert from the FBI warns that hackers are launching credential-stuffing attacks against organizations in the financial sector.

“Since 2017, the FBI has received numerous reports on credential stuffing attacks against US financial institutions, collectively detailing nearly 50,000 account compromises,” the alert said. “The victims included banks, financial services providers, insurance companies, and investment firms.”

The Bureau explains that these attacks take advantage of the fact that many people reuse passwords or slight variations of passwords for multiple online accounts.

“When customers and employees use the same email and password combinations across multiple online accounts, cyber criminals can exploit the opportunity to use stolen credentials to attempt logins across various sites,” the FBI says.

“According to a 2020 survey conducted by a data analytics firm, nearly 60 percent of respondents reported using one or more passwords across multiple accounts. When the attackers successfully compromise accounts, they monetize their access by abusing credit card or loyalty programs, committing identity fraud, or submitting fraudulent transactions such as transfers and bill payments.”

The alert describes some specific attacks involving credential stuffing, including one last year in which criminals compromised over 4,000 banking accounts.

“Between June and November 2019, a small group of cyber criminals targeted a financial services institution and three of its clients, resulting in the compromise of more than 4,000 online banking accounts, according to a credible financial source,” the Bureau says.

“The cyber criminals then used bill payment services to submit fraudulent payments—about $40,000 in total—to themselves, which they then wired to foreign banking accounts. According to a 2020 case study on one of the firms, security researchers identified more than 1,500 email addresses and 6,000 passwords exposed in more than 80 data breaches. Some of the credentials belonged to company leadership, system administrators, and other employees with privileged access.”

The FBI recommends that organizations implement a combination of technical solutions, policies, and education to combat credential stuffing attacks. For users, enabling multi-factor authentication and using unique passwords (preferably via a password manager) are two of the best steps they can take to protect their accounts. New-school security awareness training can help your employees avoid falling victim to these attacks. Story:
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, October 7 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users:
  • NEW! AI Recommended training suggestions based on your users’ phishing security test results.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • Train your users with access to the world's largest library of 1000+ pieces of awareness training content.
  • Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
  • Assessments allow you to find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 34,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, October 7 @ 2:00 PM (ET)

Save My Spot!
[Heads Up] The Top Five Alarming Approaches to Extortion

People should familiarize themselves with common forms of extortion in order to avoid falling victim to these attacks, according to Amer Owaida at ESET. Ransomware might be the most well-known form of digital extortion, but Owaida offers a useful summary.

“The basic premise is that your device will be infested by ransomware using one of the various tactics hackers employ, such as duping you into clicking on a malicious link found in an email or posted on social media or shared with you through a direct instant message,” he explains.

“After the malware makes its way into your device: it will either encrypt your files and won’t allow you to access them, or it will lock you out of your computer altogether, until you pay the ransom. It is also worth mentioning that some ransomware groups have added a new functionality; a form of doxing wherein they traverse your files looking for sensitive information, which they will threaten to release unless you pay them an additional fee. This could be considered a form of double extortion.”

A second form of extortion is related to this last point: hackers can simply steal your data and threaten to publish it unless you pay a ransom. While ransomware groups have recently adopted this tactic as well, a data breach alone can be devastating to an organization.

Two more forms of extortion are sextortion and sextortion scams. Sextortion is traditional blackmail conducted via the Internet. These schemes often begin on dating platforms with the attacker catfishing the victim in order to obtain sensitive photos. In a sextortion scam, meanwhile, the attacker is bluffing.

In many cases, the scammer will send out emails en masse informing recipients that a hacker has obtained embarrassing footage of them via their webcams. If the scammer sends out enough of these emails, at least some of the recipients will fall for the ruse.

A fifth type of extortion involves launching DDoS attacks against an organization until the victim pays a ransom. These attacks can go on for days, potentially costing the targeted organization hundreds of thousands of dollars.

In all of these cases, victims should avoid paying the ransom. Not only will paying an extortionist fund further criminality, it also puts you on their radar as someone who’s willing to pay. “There are multiple steps you can take to lower the risks of ending up in the crosshairs of cyber-extortionists,” Owaida concludes. Story:
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, October 7 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we’ve added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • NEW! Assign additional users as approving managers to review task evidence before a task is closed with tiered-level approvals.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, October 7 @ 1:00 PM (ET)

Save My Spot!
2020 Gartner Market Guide for Security Awareness Computer Based Training

Gartner published a Market Guide Report on the Security Awareness Computer-Based Training Market in late July as a replacement for the Magic Quadrant.

The Gartner Market Guide provides an in-depth analysis of the Security Awareness Computer-Based Training market and “includes vendors that can offer a holistic and complete platform to effectively manage all aspects of a cohesive security awareness training program.”

Note that Gartner sorts vendors into four primary groups, each presented in its own table:
  1. Security Awareness Program Platforms
  2. Security Awareness Content Development and Delivery Systems
  3. Phishing Simulation Testing and Remediation/Response Platforms
  4. Security Awareness Training as a Managed Service
It is interesting to see which vendors are recognized in which table, because many would fit in more than one category. You should check out this complimentary report:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Your Complimentary National Cybersecurity Awareness Month Resources Kit is now live on our website, Get it here:

Quotes of the Week
"Always believe in yourself. Do this and no matter where you are, you will have nothing to fear."
- Hayao Miyazaki, Film Director (born 1941)

"It takes courage to grow up and become who you really are."
- E. E. Cummings, Poet (1894 - 1962)

Thanks for reading CyberheistNews

Security News
Employees Shouldn't Be Afraid of Admitting to Security Mistakes

Organizations should encourage their employees to disclose security missteps as quickly as possible, according to Tim Sadler, co-founder and CEO of Tessian. On the CyberWire’s Hacking Humans podcast, Sadler explained that mistakes are inevitable, but there are steps an organization can take to mitigate their impact.

“The people control more sensitive data than ever before in the enterprise,” Sadler said. “So there’s customer data, financial information, employee information. And what this means is that even the smallest mistakes – like accidentally sending an email to the wrong person, clicking on a link in a phishing email – can cause significant damage to a company's reputation and also cause major security issues for them.

So we felt that businesses first need to understand why people make mistakes so that, in the future, they can prevent them from happening before these errors turn into things like data breaches.”

An interesting finding of the report was that younger employees were five times more likely to admit to making a security misstep than older employees. 60% of eighteen- to thirty-year-old workers admitted to making such mistakes, compared to just 10% of employees over fifty-one years old.

Sadler speculates that this is partly due to the fact that older employees often hold more senior roles in the organization, and are therefore more reluctant to admit to a mistake for fear of compromising their position.

Sadler added that organizations need to foster a culture in which employees are encouraged to admit to security mistakes without fear of punishment. Not only does this create a more pleasant workplace environment, but it also gives your security team a crucial advantage: the faster a security incident is mitigated, the less time attackers have to cause damage.

“If you have a risk register or if you are responsible for taking care of these incident reports, if you don't see people reporting anything, it's usually a more concerning sign than you have people coming forward who are openly admitting to the errors they've made that could lead to these security issues,” Sadler said.

“It's highly unlikely that you've got nothing on your risk register – it means you've completely eliminated risk from your business. It's more likely that actually you haven't created the right culture that feels like it's suitable or acceptable to actually come forward and admit mistakes.”

New-school security awareness training can help your employees avoid falling for phishing attacks in the first place, but it can also teach them how to respond properly and quickly in the event that they do get fooled.

The CyberWire has the story:
Credential Stuffing to Stuff the Ballot Box

Advanced nation-state actors and petty criminals are both leveraging credential-stuffing attacks to hack into victims’ accounts, according to Byron Acohido, writing for Avast. Rather than trying to guess passwords by plugging in random combinations or common words, hackers can leverage the billions of leaked credentials available on the internet to achieve a much greater chance of success.

“Credential stuffing is a type of advanced brute force hacking. It involves the use of software automation to insert stolen usernames and passwords into web page forms, at scale, until the attacker gains access to a targeted account,” Acohido explains.

Acohido notes that Microsoft recently disclosed that Strontium (also known as Fancy Bear), a threat actor attributed to Russia’s GRU, is targeting hundreds of individuals and entities associated with the upcoming US election.

Fancy Bear is the same group that hacked John Podesta’s email account in 2016 via a phishing lure, and it now seems to be using credential-stuffing to overcome new defenses.

“As a public service, Microsoft has been tracking how Strontium has relentlessly carried on and is seeking to gain a similar foothold inside of Joe Biden’s campaign,” Acohido writes. “As you might expect, the Biden campaign progressed to using much more robust spear-phishing defenses.

In response, the Strontium crew has pivoted to using leading-edge credential harvesting and credential stuffing tools, disguised several ways. Microsoft’s analysts, for instance, documented how the Strontium crew has been routing automated attacks through more than 1,000 constantly rotating IP addresses, the better to help avoid detection.... Over the past 12 months, Strontium has targeted more than 200 organizations affiliated with the upcoming election, including political consultants from the major parties in both the U.S. and Europe.”

Acohido concludes that organizations and individuals both need to take steps to address this threat.

“Credential stuffing campaigns will only continue to torch trust in the core systems we need to be able to rely on in order to help us get past this global pandemic as well as to democratically elect a president,” Acohido writes.

“There are plenty of free and low-cost security tools that can and should be brought to bear by state and local agencies dispensing Covid-19 aid and carrying out elections. And individual citizens have a responsibility to act as well.

We can give up some convenience in favor of more proactively controlling our online privacy and reducing our digital footprints.” There are steps users can take to make credential stuffing less effective. New-school security awareness training can teach your employees how to protect their accounts against these attacks by using strong, unique passwords and multifactor authentication.

Avast has the story:
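Both the FBI alert earlier in this issue and the Avast piece above describe the same pattern: automation replays leaked username/password pairs against a login form, and sophisticated crews spread the attempts over many rotating IP addresses to stay under per-source rate limits. The script below is an added example (not code from the FBI, Avast, Microsoft or KnowBe4) showing how a defender can surface both shapes in authentication logs. The log format, the RFC 5737 documentation addresses, the user names and the thresholds are all constructed assumptions; real deployments would read their identity provider's sign-in events and tune the thresholds to their own baseline.

```python
"""Credential-stuffing detection over constructed login events (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. One IP walks ten different accounts in seconds
# (classic stuffing), one user mistypes then succeeds (benign), and eight
# single-use IPs each try one account once (rotating-IP campaign).
SAMPLE_LOG = """\
2020-09-28T09:00:01Z src=203.0.113.10 user=alice result=FAIL
2020-09-28T09:00:02Z src=203.0.113.10 user=bob result=FAIL
2020-09-28T09:00:02Z src=203.0.113.10 user=carol result=FAIL
2020-09-28T09:00:03Z src=203.0.113.10 user=dave result=OK
2020-09-28T09:00:03Z src=203.0.113.10 user=erin result=FAIL
2020-09-28T09:00:04Z src=203.0.113.10 user=frank result=FAIL
2020-09-28T09:00:05Z src=203.0.113.10 user=grace result=FAIL
2020-09-28T09:00:05Z src=203.0.113.10 user=heidi result=FAIL
2020-09-28T09:00:06Z src=203.0.113.10 user=ivan result=FAIL
2020-09-28T09:00:06Z src=203.0.113.10 user=judy result=FAIL
2020-09-28T09:05:10Z src=198.51.100.7 user=alice result=FAIL
2020-09-28T09:05:40Z src=198.51.100.7 user=alice result=OK
2020-09-28T09:10:00Z src=192.0.2.1 user=mallory result=FAIL
2020-09-28T09:10:01Z src=192.0.2.2 user=oscar result=FAIL
2020-09-28T09:10:03Z src=192.0.2.3 user=peggy result=FAIL
2020-09-28T09:10:04Z src=192.0.2.4 user=trent result=FAIL
2020-09-28T09:10:06Z src=192.0.2.5 user=victor result=FAIL
2020-09-28T09:10:07Z src=192.0.2.6 user=walter result=FAIL
2020-09-28T09:10:09Z src=192.0.2.7 user=wendy result=FAIL
2020-09-28T09:10:10Z src=192.0.2.8 user=zoe result=FAIL
"""

# Assumed (constructed) line format; adapt the regex to the real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)


@dataclass
class LoginEvent:
    ts: str
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse log text into LoginEvent records; reject lines that do not match."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        events.append(LoginEvent(m["ts"], m["src"], m["user"], m["result"] == "OK"))
    return events


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def per_source(events):
    """Aggregate attempts, failures and distinct target accounts per source IP."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e.src]
        s.attempts += 1
        s.users.add(e.user)
        if not e.ok:
            s.failures += 1
    return dict(stats)


def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Single-source signal: one IP trying many different accounts and mostly failing.
    A user retrying their own password hits one account, so it is not flagged."""
    flagged = {}
    for src, s in per_source(events).items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"attempts": s.attempts, "users": len(s.users),
                            "fail_ratio": round(ratio, 2)}
    return flagged


def distributed_stuffing(events, min_sources=5, min_users=5):
    """Rotating-IP signal: many IPs seen exactly once, each failing against a
    different account. Per-IP rate limits never trigger, so look at the fleet."""
    stats = per_source(events)
    singles = [e for e in events if not e.ok and stats[e.src].attempts == 1]
    sources = {e.src for e in singles}
    users = {e.user for e in singles}
    if len(sources) >= min_sources and len(users) >= min_users:
        return {"single_use_sources": len(sources), "users_targeted": len(users)}
    return None


def accounts_at_risk(events):
    """Accounts where a flagged stuffing source got a successful login: a 'hit'
    inside a burst is a reused password, so reset it and step up to MFA."""
    flagged = stuffing_sources(events)
    return sorted({e.user for e in events if e.ok and e.src in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("distributed campaign:", distributed_stuffing(evs))
    print("accounts needing reset / MFA challenge:", accounts_at_risk(evs))
```

The design choice worth noting is that neither signal keys on raw request volume. The single-source rule counts distinct accounts per IP, because a legitimate user who forgets a password hammers one account, not ten; the distributed rule counts failed attempts from IPs seen only once, which is exactly the shape that per-IP throttling misses. The one success inside the burst (the `dave` login) is the most important output: it is the account whose leaked password still works, and it is where a password reset and MFA enrolment pay off immediately.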
What KnowBe4 Customers Say

"We are a new client and I just had my first experience with Michael Stadnyk in helping me set up our first production phishing campaign due to go next Monday morning.

I wanted to let both of you know that this experience exceeded my expectations!

My expectations going into this initial meeting were high. I not only needed to get acquainted with the UI but also set up our first campaign to go out no later than next Monday 9/28. This was critical to allow us to provide evidence of remediation to an audit finding citing our lack of formal phishing testing.

I honestly expected that this was going to be a demo style meeting and that I was going to need to constantly redirect Michael to make it more practical so that we could set up our first campaign on this call. I did NOT have the luxury of time and we were booked for only 30 min.

Michael quickly identified the unique need and adapted his overview to allow us to:
  • Do a test to ensure the KnowBe4 domain was whitelisted,
  • Actually help me set up our first campaign, and
  • Point me to the csv template I would use to upload the list of email addresses (we chose to not use AD integration at this time).
Michael also spent 20 extra minutes in helping us achieve this objective.

As stated above this experience exceeded my expectations and I wanted to let you know that Michael is a great asset to your company!"

- P.R., Sr. Dir. Enterprise Risk Management
The 11 Interesting News Items This Week
    1. Microsoft Says Hackers Actively Targeting Zerologon Vulnerability:

    2. Dark Overlord hacker pleads guilty:

    3. Russian hackers use fake NATO training docs to breach govt networks:

    4. German Experts See Russian Link in Deadly Hospital Hacking:

    5. Facebook wipes out Chinese, Filipino misinformation campaigns:

    6. The Phish Scale: NIST-Developed Method Helps IT Staff See Why Users Click on Fraudulent Emails:

    7. Defending Against Deepfakes: From Tells to Crypto:

    8. Instagram bug allowed taking over the App via malicious image sent to device:

    9. Organizations suffer outbound email data breaches approximately every 12 working hours:

    10. FBI and CISA Alert: Foreign Actors and Cybercriminals Likely to Spread Disinformation Regarding 2020 Election Results:

    11. BONUS: Build security by expanding cyber awareness. Article by yours truly in SC Mag:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.