CyberheistNews Vol 10 #43 There's a Whole War Going On: The New HBO Film Tracing 10 Years of Cyber Attacks

'There's a whole war going on': a new film tracing a decade of cyber-attacks was just released by HBO on October 16, 2020. It's the most powerful budget ammo I have found these last 10 years. There are quite a few reviews, but I liked the one in The Guardian the best, here is a short excerpt:

"In early 2010, scientists at a uranium enrichment plant in Natanz, Iran, watched their infrastructure malfunction at an unprecedented, inexplicable rate. Technicians inspected their equipment, but could find no explanation for why the plant’s centrifuges – machines to isolate the uranium isotopes needed for nuclear power – were spinning at irregular rates, and then failing.

Five months later, cybersecurity responding to a seemingly separate network malfunction in Iran inadvertently discovered the culprit: a malicious string of code which instructed computers, and the centrifuges they controlled, to vary in speed until their parts broke down, while simultaneously mimicking normal operator instructions, as if playing security footage on a loop in a heist movie. It was computer malware capable of physical, real-world destruction – the world’s first digital weapon, originating from US national intelligence.

Stuxnet, as the worm came to be known, marked a sea change in international relations – the first known time a country deployed an offensive cyber weapon to inflict damage rather than collect surveillance, and the precipitating event of The Perfect Weapon, a new HBO documentary on the past decade of insidious, troubling escalation of international cyberwarfare.

With Stuxnet, which is thought to have been developed by America’s National Security Agency as early as 2005, the United States “crossed the Rubicon”, David E Sanger, a longtime national security correspondent for the New York Times, says in the film. “The United States has basically legitimized the use of cyber as a weapon against another country against whom you had not declared war. It pushes the world into an entirely new territory.”

The Perfect Weapon, like Sanger’s book of the same name, traces in succinct, clinical style the Pandora’s box of chaos-sowing, digital tits for tats in the wake of the Stuxnet reveal, from hacks that garnered enormous and arguably outsized media attention – the leak of Democratic National Committee emails in the run-up to the 2016 election by Russian hackers, the 2014 Sony hack and its flurry of gossipy work emails – and lesser-known but still critical developments in what is essentially a multinational, virtual cold war.

“There’s a whole war going on right underneath our noses that is state-sponsored,” John Maggio, the film’s director, told the Guardian. “The actual act may be carried out by ‘criminals’, but they’re sponsored by states – by Iran, by North Korea, by China, by Russia, and by America against their adversaries.”

And guess who finds themselves in the trenches of this cyber cold war? Right, you got it, that's us in IT. Your organization simply cannot afford not to build a strong human firewall and this movie makes the case for you. Tell your C-level folks to watch it and increase your InfoSec budget!
https://www.theguardian.com/film/2020/oct/16/the-perfect-weapon-cyber-warfare-documentary-hbo

[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft 365 and G Suite to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, October 21 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, October 21 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2705411/AB79430793295307A42A5D8BA43B2866?partnerref=CHN2

Trends in Malicious Attachments Used in Phishing Emails

People need to be familiar with the types of malicious attachments used in phishing emails, our friend Larry Abrams at BleepingComputer writes. One of the most common methods of installing malware is via macros embedded in Microsoft Office documents.

These are disabled by default for security reasons, but attackers craft documents to trick users into enabling macros. Different commodity malware strains tend to use different techniques to convince people to enable macros. Threat actors using the Dridex Trojan, for example, frequently use documents that have very small or hard-to-read content, with a large banner telling the user to click “Enable content” in order to view the content clearly.

Emotet, on the other hand, is often distributed via documents that display an error informing the user that they need to enable content to gain access to the document.

The BazarLoader malware is often spread via phishing emails that contain a link to Google Docs or Google Sheets. If a user clicks the link, they’ll be asked to download what appears to be a Word document. This is actually an executable file that installs the malware directly.

These techniques aren’t exclusive to these strains of malware, but users can protect themselves as long as they know they should never click “Enable content” in an Office document.

While the use of macro-laden Office documents is extremely widespread and effective, Abrams adds that attackers can also use files that execute automatically when they’re opened. “Finally, you should never open attachments that end with the .vbs, .js, .exe, .ps1, .jar, .bat, .com, or .scr extensions as they can all be used to execute commands on a computer,” Abrams says.

“As most email services, including Office and Gmail, block ‘executable’ attachments, malware distributors will send them in password-protected archives and include the password in the email. This technique allows the executable attachment to bypass email security gateways and reach the intended recipient.”
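A defender-side triage check for the three delivery tricks described above: the risky extension list, macro-bearing Office documents, and password-protected archives hiding an executable. This is an added example, not code from the post or from BleepingComputer; the attachment names and contents are constructed fixtures, and it assumes Python 3.9 or later.

```python
"""Attachment triage for the delivery tricks the article lists. Added
example; file names and contents below are constructed fixtures."""
import io
import zipfile

# Extensions the article says should never be opened from an email.
RISKY_EXTENSIONS = (".vbs", ".js", ".exe", ".ps1", ".jar", ".bat", ".com", ".scr")


def risky_extension(filename: str) -> bool:
    # Lower-cased so "Invoice.EXE" and double extensions such as
    # "report.pdf.js" are still caught.
    return filename.lower().endswith(RISKY_EXTENSIONS)


def zip_entries(data: bytes) -> list:
    # Entry names and flags live in the ZIP central directory, which is never
    # encrypted, so they can be listed without knowing any password.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> list:
    findings = []
    if risky_extension(filename):
        findings.append("executable-extension")
    entries = zip_entries(data)  # OOXML Office files are ZIP containers too
    if any(e.filename.lower().endswith("vbaproject.bin") for e in entries):
        findings.append("office-macros")  # VBA project part = macro-enabled
    if any(e.flag_bits & 0x1 for e in entries):
        findings.append("password-protected-archive")  # flag bit 0 = encrypted
    if any(risky_extension(e.filename) for e in entries):
        findings.append("archive-contains-executable")
    return findings


def build_sample_zip(entries: dict) -> bytes:
    """Constructed fixture: an in-memory ZIP holding the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed fixture: set the 'encrypted' flag bit in every local header
    (offset 6) and central-directory record (offset 8), as a password-protected
    archive's headers would carry it."""
    data = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= 0x01
            pos = data.find(sig, pos + 4)
    return bytes(data)


SAMPLE_ATTACHMENTS = {  # constructed samples, not real malware
    "quarterly_report.docm": build_sample_zip({
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"constructed macro blob",
    }),
    "invoice.pdf.js": b"var x = 1;",
    "scan.zip": mark_entries_encrypted(build_sample_zip({"scan.exe": b"MZ"})),
    "notes.txt": b"meeting notes",
}
```

Running `triage_attachment` over `SAMPLE_ATTACHMENTS` flags the macro document, the double-extension script and the encrypted archive (including the .exe name visible inside it), and leaves the text file clean.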

Blog post with Links:
https://blog.knowbe4.com/trends-in-malicious-attachments-used-in-phishing-emails

Lessons Learned: An IT Pro’s Experience Building His Last Line of Defense

This is the true story of an IT Manager who was tired of his users clicking everything and wanted to teach them a lesson… in a good way.

Join us as we talk with Tory Dombrowski, IT Manager at Takeform about his experiences and lessons learned while delivering a security awareness training program for his users. See how he has fun with phishing, how he creates allies in the fight against careless clicking, and why security awareness training is his organization’s best, last line of defense.

Tory and Erich Kron, KnowBe4's Security Awareness Advocate will dive deep to share best practices and creative ideas to inspire you and your own security awareness program.

In this webinar you'll hear:
  • Why it's so important to empower your users to become a "human firewall"
  • Ideas for gaining and maintaining executive support
  • The good, the bad, and the truly hilarious results of training and testing your users
  • Tips for success when implementing your own security awareness strategy
Date/Time: Wednesday, October 28 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2775221/1D3D03B4B9E950E0914FDBE24590E642?partnerref=CHN1

[INFOGRAPHIC] Q3 2020 Top-Clicked Phishing Subjects: Coronavirus-Related Attacks Still Prevalent

KnowBe4's latest quarterly report on top-clicked phishing email subjects is here. These are broken down into three different categories: social media related subjects, general subjects, and 'in the wild' attacks.

Coronavirus-Related Phishing Subjects Are Still Prevalent

Phishing email attacks leveraging COVID-19 have been on every quarterly report this year, and they still made up 50% of the total in Q3 2020.

During this pandemic, we’ve seen malicious hackers preying on users’ biggest weak points by sending messages that instill fear, uncertainty and doubt. Our Q3 report confirms that coronavirus-related subject lines have remained their most promising attack type, as pandemic conditions weaken judgment, and lead to potentially detrimental clicks.

CONTINUED and Link to INFOGRAPHIC:
https://blog.knowbe4.com/q3-2020-top-clicked-phishing-subjects-coronavirus-related-attacks-still-prevalent-infographic

Which Users in Your Organization Put You at Risk? Find Out for a Chance to Win a JBL PartyBox Speaker

October is Cybersecurity Awareness Month, so it's a perfect time to fortify your human firewall. Start by identifying which users may be putting your organization at risk before the bad guys do.

Verizon's Data Breach Report showed that 81% of hacking-related breaches used either stolen or weak passwords.

KnowBe4’s Password Exposure Test is a complimentary IT security tool that allows you to run an in-depth analysis of your organization’s hidden exposure risk associated with your users so you can take action immediately.

Find out if your users are putting a big target on your organization’s back. Plus, if you're in the US or Canada, you will be entered for a chance to win a JBL PartyBox 300 Bluetooth Speaker*.

Find Your Password Exposure Risk:
https://info.knowbe4.com/password-exposure-test-ncsam-sweepstakes-2020

*Terms and Conditions apply.

Let's stay safe out there, with tens of millions working from home.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: 5 Cyber Security Awareness Month Tips for Cybersecurity Professionals:
https://blog.knowbe4.com/5-cyber-security-awareness-month-tips-for-cybersecurity-professionals

PPS: Microsoft 365 vs. Office 365: What’s the difference? Here is a post explaining that!:
https://blog.knowbe4.com/microsoft-365-vs.-office-365-whats-the-difference



Quotes of the Week
"At the center of your being you have the answer; you know who you are
and you know what you want."

- Lao Tzu - Philosopher (6th Century BC)



"Science cannot solve the ultimate mystery of nature. And that is because, in the last analysis,
we ourselves are a part of the mystery that we are trying to solve."

- Max Planck - Physicist (1858 - 1947)



Thanks for reading CyberheistNews

Security News

Sophisticated Mercenary Group Excels at Social Engineering

An extremely skilled group of hackers-for-hire dubbed “BAHAMUT” is using sophisticated social engineering tactics against a range of targets around the world, researchers at BlackBerry have found. The group has refined its tactics over time, and it adapts every time a security firm publishes research on its activities.

“BlackBerry assesses that BAHAMUT’s phishing and credential harvesting tradecraft is significantly better than the majority of other publicly known APT groups,” BlackBerry says. “This is principally due to the group’s speed, their dedication to single-use and highly compartmentalized infrastructure, and their ability to adapt and change, particularly when their phishing tools are exposed.”

The group now uses a streamlined framework for phishing that makes it very difficult to block these attacks.

“While monitoring BAHAMUT’s operations over the past year, BlackBerry watched new phishing infrastructure spring up weekly,” the researchers write. “Just as other researchers previously observed, many of these highly targeted spear-phishing operations lasted anywhere from a few hours to a few months, depending on the domain and success rates.

This embrace of ever-fleeting infrastructure makes real-time detection all but impossible. Catching a window that is open only for a few hours on infrastructure that is constantly changing requires resources and luck that few network defenders, much less individual targets, could ever hope to possess.”

The group also does extensive research on its targets, and in some cases has used fake social media profiles to build trust with their victims. Notably, the researchers found that the hackers often knew the target’s personal email address, and avoided sending phishing emails to the victim’s corporate or government address.

“Throughout our analysis of their phishing behavior, BlackBerry observed that BAHAMUT was generally in possession of a great deal of information about their targets prior to phishing them,” they write. “This was clearly the result of a concerted and robust reconnaissance operation.”

BlackBerry concludes that BAHAMUT's patience, attention to detail, and commitment to operational security puts them far above most threat actors.

“In sum, BlackBerry finds BAHAMUT to be well above average in its social engineering,” the researchers write. “The group has truly impressive operational security that enables them to continue to attack despite numerous, repeated attempts to expose their operations.”

New-school security awareness training can help your employees defend themselves against these highly targeted social engineering attacks.

BlackBerry has the story:
https://www.blackberry.com/us/en/forms/enterprise/bahamut-report

The Market for Phishing Kits

Inexperienced cybercriminals can easily find places to buy phishing kits in the open, on the “surface web” (as opposed to the deep or dark web), according to Jan Kopriva at the SANS Internet Storm Center. Kopriva set out to see how many of these kits he could find for sale on popular websites, and was able to find more than a hundred on YouTube alone after a single search.

These YouTube videos offered demonstrations of the phishing kits’ functionality and pointed users to where they could purchase the kits.

“Of the 104 kits, 18 were offered free of charge (and at least one of these was backdoored - this wasn't mentioned in the video description so it was probably intended as a surprise bonus feature),” Kopriva writes. “For 76 of them, price was available by e-mail/ICQ/Telegram/Facebook only and the 10 remaining ones ranged in price from $10 to $100. The 86 ‘commercial’ phishing kits were offered by 21 sellers, with the most prolific one of them being responsible for 22 different scam pages.”

The kits spoofed a wide range of services, with Office 365, PayPal, Amazon, and Netflix appearing most frequently. Each of the offerings contained various functionalities, and some included tutorials for new scammers.

“Some of the videos were offering e-mail templates, access to complex phishing platforms, or tutorials in addition to the scam pages themselves, either as part of a bundle with specific phishing kit or at a premium,” Kopriva says. “Similar selection of additional tools and other materials was available on external e-commerce platforms, where some of the kits shown off in the videos were sold.”

Kopriva’s research demonstrates how easy it’s become for aspiring criminals to launch effective phishing attacks with minimal technical skills. New-school security awareness training can enable your employees to identify and thwart these types of attacks.

The SANS Internet Storm Center has the story:
https://isc.sans.edu/forums/diary/Phishing+kits+as+far+as+the+eye+can+see/26660/

What KnowBe4 Customers Say

"Stu, I just wanted to say, we have been using KnowBe4 for one year now and love the platform (I have been a fan for a long time) but we wanted to give some great praise to our Customer Success Manager (SMB) MichaelM. He has been great at helping us get the most out of our account.

We just got off of a 35-minute call and Michael was fantastic as usual helping us get our tier training configured and he also reviewed our other campaigns and pointed out several things we should change (which we did).

He also took a look at our PhishER settings and we made some changes there as well. Michael is a pleasure to work with and enjoys what he does and it shows in his work! We just wanted to make sure he is recognized!"
- S.S., IT Manager



"I just wanted to stop by and say that my company loves the "Don't Be Like Rick" series and we hope that there is more of this content coming! I just rolled out the last episode with Rick and the whole office is sad that this series has to end now. Rick and his "I thought I would make it in the corporate world" quote has become quite the running joke here."
- B.G., Security Administrator



"I have a busy schedule today, but thought I would take a minute to say hello, and tell you that I really enjoyed the Pesky Password presentation. I am in the process of transitioning out of ITOps and into DevOps, but we are updating our company password policy, the presentation was free, and definitely relevant.

I have to say I learned a lot more about hacking passwords in a single one-hour presentation than I could have imagined. Please thank Roger Grimes for a very informative presentation.

I know part of the reason you reached out involves sales. As I mentioned I am transitioning out of that area but if you would like to provide me with some details about your services and costs, I would be glad to pass them on to the new keepers of the keys."
- G.P. VP Strategic Technology. (Here it is on demand)
https://info.knowbe4.com/pesky-password-problem



"Hi Stu, I just want to tell you how great our customer success manager AylaH is to work with. She has given us more help in the few months we have had her than any others. She is a pleasure to work with. Please don’t take her away, but reward her for her great customer service. She is what all customer success managers should aspire to be!"
- H.M. AVP, DPO

The 11 Interesting News Items This Week
    1. NEW RECORD. CLOP Ransomware Demands $20 Million Ransom:
      https://blogs.infoblox.com/security/clop-ransomware-demands-20-million-ransom/

    2. Ransomware: Once you've been hit your business is never the same again:
      https://www.zdnet.com/article/ransomware-once-youve-been-hit-your-business-is-never-the-same-again/

    3. Ransomware operators now outsource network access exploits to speed up attacks:
      https://www.zdnet.com/article/ransomware-operators-buy-network-access-from-the-underground-to-speed-up-infection/

    4. Phishing in Troubled Waters: 3 Ways Email Attacks May Impact Elections:
      https://www.darkreading.com/edge/theedge/phishing-in-troubled-waters-3-ways-email-attacks-may-impact-elections/b/d-id/133917

    5. Fancy Bear Imposters Are on a Hacking Extortion Spree:
      https://www.wired.com/story/ddos-extortion-hacking-fancy-bear-lazarus-group/

    6. This Summer's Twitter Hack: 24 Hours From Phishing Employees to Hijacking Accounts:
      https://www.securityweek.com/twitter-hack-24-hours-phishing-employees-hijacking-accounts?

    7. Facebook, Twitter dismantle global array of disinformation networks:
      https://www.reuters.com/article/us-cyber-disinformation-facebook-twitter/facebook-twitter-dismantle-global-array-of-disinformation-networks-idUSKBN26T2XO

    8. FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft:
      https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html

    9. Anatomy of Ryuk Ransomware Attack: 29 Hours From Initial Email to Full Compromise:
      https://www.securityweek.com/anatomy-ryuk-attack-29-hours-initial-email-full-compromise

    10. Netsparker Research Finds Executive Overconfidence is a Security Risk:
      https://www.prnewswire.com/news-releases/netsparker-research-finds-executive-overconfidence-is-a-security-risk-301150481.html
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.