CyberheistNews Vol 10 #52 [Heads Up] Recent SolarWinds MFA Bypass Attack Pushes the Limits

By Roger Grimes

"Excellent, long-time, tech reporter Dan Goodin reported in Ars Technica that the recent SolarWinds’ supply chain attack involved hackers bypassing a popular multi-factor authentication (MFA) solution.

I summarize over 50 different types of attacks against MFA in my most recent book, Hacking Multifactor Authentication, which was recently selected by long-time security expert, Ben Rothke, as one of the top computer security books of 2020.

So, it surprised me that I hadn’t heard of or covered this exact type of attack. This attack was novel and new. The attack involved the hackers accessing compromised end-points and servers involved in the MFA authentication process.

I actually have a whole chapter on how compromised end-points can bypass MFA along with half a dozen examples, but how the specific attack was accomplished, using a compromised component that then generated session cookies, was new to me (and most people).

It shows the continuing escalation against MFA and how MFA isn’t the unquestionable security speed bump many proponents make it out to be. MFA does significantly mitigate many forms of hacking, substantially so. But there is a far cry between saying that and claiming that MFA makes hacking impossible or even unlikely."

CONTINUED AT:
https://blog.knowbe4.com/solarwinds-mfa-bypass-attack-pushes-limits

[Last Chance] Will You Get Spoofed During the Holidays? Find out for a Chance to Win!

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus, if you’re in the US or Canada, you'll be entered for a chance to win a $500 Amazon Gift Card*.

Find out now if your email server is configured correctly; many are not!
  • This is a simple, non-intrusive "pass/fail" test.
  • We will send a spoofed email "from you to you".
  • If it makes it through into your inbox, you know you have a problem.
  • You'll know within 48 hours!
Get Your Domain Spoof Test!
https://info.knowbe4.com/dst-sweepstake-holiday-2020

*Terms and Conditions apply.

[INFOGRAPHIC] 2020 Holiday Phishing Red Flags

Phishing attacks are definitely not slowing down this holiday season. According to Check Point, the first half of November showed an 80% increase in phishing campaigns relating to sales & shopping special offers.

It's more important than ever for you and your users to be vigilant of any potential suspicious activity. This helpful infographic shows an example of an e-card "from a friend", a very common phishing email type seen around the holidays, along with the common red flags users might see in an email like this.

Here is the Infographic for download at the KnowBe4 blog (no registration required):
https://blog.knowbe4.com/infographic-2020-holiday-phishing-red-flags

Does Your Domain Have an Evil Twin?

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as “safe” domains for your organization.

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a summary report that ranks the identified domains from highest to lowest attack risk
  • Generate a real-world “domain safety” quiz based on the results for your end users
This is a complimentary tool and will take only a few minutes.

Domain Doppelgänger helps you find the threat before it is used against you.

Find Your Look-Alike Domains!
https://info.knowbe4.com/domain-doppelganger-chn

New Security Doc for Your End-users: "The Iceberg"

Did you see our new "tip of the iceberg" security doc? Send this Public Service Announcement to your end-users. It is a great piece that was created based on focus group feedback, aiming to make it real for users that this happens more often than they think...

Here is the Security Doc for download at the KnowBe4 blog (no registration required):
https://blog.knowbe4.com/new-security-doc-for-your-end-users-the-iceberg

Cyber CSI: Learn How to Forensically Examine Phishing Emails to Better Protect Your Organization Today

Cybercrime has become an arms race where the bad guys constantly evolve their attacks while you, the vigilant defender, must diligently expand your know-how to prevent intrusions into your network. Staying a step ahead may even involve becoming your own cybercrime investigator, forensically examining actual phishing emails to determine the who, the where, and the how.

In this webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will show you how to become a digital private investigator! You’ll learn:
  • How to forensically examine phishing emails and identify other types of social engineering
  • What forensic tools and techniques you can use right now
  • How to investigate rogue smishing, vishing, and social media phishes
  • How to enable your users to spot suspicious emails sent to your organization
Get inside the mind of the hacker, learn their techniques, and how to spot phishing attempts before it’s too late!

Watch Now!
https://info.knowbe4.com/phishing-forensics-chn

NEW: Want to Discuss PhishER YARA Rules With Your Peers?

We've added a brand new section to KnowBe4's HackBusters. HackBusters is already a great online community where you can discuss best practices around training your users to manage the ongoing problem of social engineering.

Now it's also a great community to discuss best practices around PhishER! This will include conversations around PhishML, Automated Actions, and even YARA rule sharing!

Jump on and share your wisdom with your peers:
https://discuss.hackbusters.com/c/phisher/20

Let's stay safe out there:

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: My new article on Forbes: "Eight Major Cyberthreat Predictions For 2021":
https://www.forbes.com/sites/forbestechcouncil/2020/12/14/eight-major-cyberthreat-predictions-for-2021/?sh=73243ab05bd3


Quotes of the Week

"When something is important enough, you do it even if the odds are not in your favor."
— Elon Musk

"It's fine to celebrate success but it is more important to heed the lessons of failure."
— Bill Gates

Thanks for reading CyberheistNews

Security News

University-Themed Phishbait Angles for Students

Researchers at Zix have observed phishing emails sent from legitimate but compromised university email accounts, impersonating the university’s IT department. The emails notified users that their Office 365 password had expired, and directed them to click a link to keep their same password.

The link led to a spoofed Office 365 login page designed to harvest their credentials. “These email messages dissected above stood out to the Zix AppRiver team because they managed to successfully bypass sender verification checks such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC),” the researchers write.

“They also did not just simply spoof .EDU in the friendly-from/display address.” This incident highlights why users need to consider the circumstances and content of emails, rather than assuming the messages are legitimate because they come from a trusted account.

In this case, the format of the email's text was strange-looking, with underscores between each letter, which could have tipped off many users. Additionally, the link in the email led to a URL that didn't remotely resemble an Office 365 site.

Many phishing emails are better-crafted than this one, however. The Zix researchers spotted a second email from a compromised university account that instructed recipients to click a link to upgrade their Outlook apps to the latest version.

This email contained slight grammatical errors, but was much more convincing than the first email. The link led to a phishing portal hosted on Google Docs, rather than to a suspicious-looking domain.

If a recipient is unsure if an email is legitimate, they can reset their password by going directly to their account in a web browser, rather than clicking on a link in an email. They should also call the university’s IT department to alert them of a potential phishing campaign using compromised university accounts.

New-school security awareness training can help your employees identify phishing emails and respond appropriately.

Zix has the story:
https://zix.com/resources/blog/december-2020/attackers-sending-out-phishing-emails-universities-official-edu
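The Zix story makes a point worth turning into a concrete triage check: sender-authentication verdicts (SPF, DKIM, DMARC) say nothing about a message sent from a legitimate but compromised account, so content red flags have to be scored separately. The following added Python example (not Zix's or KnowBe4's code) does exactly that: it reads the Authentication-Results header, then looks for the two tells described above, letters separated by underscores and a "password"/"Outlook" lure whose link does not go to an expected Microsoft sign-in host or goes to a file-sharing form host. The host allowlist, the file-sharing host list and the three sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.message import Message

# Assumption for this example: where a genuine Office 365 sign-in prompt would live.
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "outlook.office.com"}
# File-sharing hosts that phishers abuse to host credential forms (the Zix story mentions Google Docs).
ABUSED_SHARING_HOSTS = {"docs.google.com", "forms.gle", "drive.google.com"}

URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)
# Four or more letters separated by underscores, e.g. "p_a_s_s_w_o_r_d".
UNDERSCORE_RE = re.compile(r"\b(?:[A-Za-z]_){3,}[A-Za-z]\b")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg: Message) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(hdr):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def body_text(msg: Message) -> str:
    """Return the text/plain content of a single-part or multipart message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload(decode=True).decode(errors="replace")


def triage(raw: str) -> dict:
    """Triage one raw message: sender-auth verdicts reported separately from content red flags."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    lowered = text.lower()
    auth = auth_results(msg)
    findings = []
    if UNDERSCORE_RE.search(text):
        findings.append("letters separated by underscores (odd formatting / filter evasion)")
    mentions_login = any(k in lowered for k in ("password", "office 365", "outlook"))
    for host in sorted({h.lower() for h in URL_RE.findall(text)}):
        if host in ABUSED_SHARING_HOSTS:
            findings.append(f"credential form hosted on file-sharing site: {host}")
        elif mentions_login and host not in EXPECTED_LOGIN_HOSTS:
            findings.append(f"login link points to a non-Microsoft host: {host}")
    return {
        "auth": auth,
        # All three passing is expected for mail from a compromised account: not a clean bill of health.
        "auth_passed": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "findings": findings,
    }


# Constructed samples modelled on the two emails described in the story plus one legitimate notice.
AUTH_PASS = ("Authentication-Results: mx.example-university.edu; spf=pass smtp.mailfrom=example-university.edu;"
             " dkim=pass header.d=example-university.edu; dmarc=pass header.from=example-university.edu")

SAMPLE_EXPIRED_PASSWORD = f"""\
From: IT Help Desk <helpdesk@example-university.edu>
To: student@example-university.edu
Subject: Y_o_u_r O_f_f_i_c_e 3_6_5 p_a_s_s_w_o_r_d h_a_s e_x_p_i_r_e_d
{AUTH_PASS}
Content-Type: text/plain

Y_o_u_r p_a_s_s_w_o_r_d e_x_p_i_r_e_s t_o_d_a_y. Keep your same password here:
http://account-validation.example.net/o365/keep
"""

SAMPLE_OUTLOOK_UPGRADE = f"""\
From: IT Help Desk <helpdesk@example-university.edu>
To: student@example-university.edu
Subject: Action required: upgrade your Outlook app
{AUTH_PASS}
Content-Type: text/plain

Your Outlook app is out of date, kindly click the link bellow to upgrade to latest version:
https://docs.google.com/forms/d/e/CONSTRUCTED-FORM-ID/viewform
"""

SAMPLE_LEGIT_NOTICE = f"""\
From: IT Help Desk <helpdesk@example-university.edu>
To: student@example-university.edu
Subject: Scheduled maintenance: Office 365 sign-in
{AUTH_PASS}
Content-Type: text/plain

Sign-in will be unavailable Saturday 02:00-03:00. If you need to change your password afterwards,
go to https://login.microsoftonline.com/ directly rather than following a link in any email.
"""

if __name__ == "__main__":
    for name, raw in (("expired-password", SAMPLE_EXPIRED_PASSWORD),
                      ("outlook-upgrade", SAMPLE_OUTLOOK_UPGRADE),
                      ("legit-notice", SAMPLE_LEGIT_NOTICE)):
        print(name, triage(raw))
```

All three samples pass SPF, DKIM and DMARC, and only the content checks separate the two lures from the genuine notice; that is the point the Zix researchers make, and the reason a mail filter keyed on authentication results alone will not catch compromised-account phishing.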

Facebook Describes APT32 Social Engineering Campaign

Facebook’s security team has taken action against a phishing operation run by APT32 (also known as OceanLotus), a threat actor associated with the Vietnamese government. Facebook says the actor “targeted Vietnamese human rights activists locally and abroad, various foreign governments including those in Laos and Cambodia, non-governmental organizations, news agencies and a number of businesses across information technology, hospitality, agriculture and commodities, hospitals, retail, the auto industry, and mobile services with malware.”

Social engineering was a core component of the operation. The hackers made fake accounts on multiple social media platforms, including Facebook, which they used to gain the trust of their targets before sending them phishing links.

“APT32 created fictitious personas across the internet posing as activists and business entities, or used romantic lures when contacting people they targeted,” Facebook says. “These efforts often involved creating backstops for these fake personas and fake organizations on other internet services so they appear more legitimate and can withstand scrutiny, including by security researchers.

Some of their Pages were designed to lure particular followers for later phishing and malware targeting.” The threat actor also planted malicious apps in the Google Play Store, and used watering-hole sites to deliver malware.

“APT32 compromised websites and created their own to include obfuscated malicious javascript as part of their watering hole attack to track targets’ browser information,” the researchers write. “A watering hole attack is when hackers infect websites frequently visited by intended targets to compromise their devices.

As part of this, the group built custom malware capable of detecting the type of operating system a target uses (Windows or Mac) before sending a tailored payload that executes the malicious code. Consistent with this group’s past activity, APT32 also used links to file-sharing services where they hosted malicious files for targets to click and download. Most recently, they used shortened links to deliver malware.”

Facebook has the story:
https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/

KnowBe4 Multi-Language Support and Localization

If you’re familiar with KnowBe4, you already know that we have the most up-to-date training content library available. And you also likely know that we have the widest variety of content of any security awareness vendor. But did you know that we also lead the market when it comes to the breadth of our language support? Here’s a list of our top languages, with phishing and training content available to develop a comprehensive security awareness training program. Language localization for the KnowBe4 learner training interface is also available in select languages.
https://www.knowbe4.com/security-awareness-training-languages
Also, we have some exciting new Japanese content to share with you from new publisher Saya University that is now available in the ModStore. Although the content of this course targets a Japanese topic, there is actually an English US subtitled version available as well. The "Japan Pension Service Data Breach" is the first in a series of new content from this publisher with more coming soon!

What KnowBe4 Customers Say

"Stu, I have been working with StevenS these last few weeks to evaluate your cybersecurity training offering. I want to recognize his tireless efforts in working with us. It is rare that I find someone willing to take a call or conduct a demo after normal business hours. Not only does he take those calls but he’s enthusiastic about it.

He’s always committed to getting us the information we need despite the chance that the deal gets moved to another rep based on account size. I’m grateful for his help. Happy holidays to you and the rest of the team at KnowBe4."
- M.M., VP, Technology

The 11 Interesting News Items This Week
    1. Kevin Mitnick Interview with host Nancy Kacungira on BBC World Service about the latest updates on the SolarWinds hack:
      https://www.youtube.com/watch?v=HzDADBZS6d4&feature=youtu.be

    2. Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach:
      https://www.geekwire.com/2020/microsoft-unleashes-death-star-solarwinds-hackers-extraordinary-response-breach/

    3. 85% of Employees Are More Likely to Leak Files Now Than Pre-Coronavirus:
      https://blog.knowbe4.com/employees-are-more-likely-to-leak-files-now-than-pre-coronavirus

    4. No One Knows How Deep Russia's Hacking Rampage Goes:
      https://www.wired.com/story/russia-solarwinds-supply-chain-hack-commerce-treasury/

    5. Roger Grimes' latest book, Hacking Multifactor Authentication, was selected as one of the best computer security books for 2020:
      https://engineering.tapad.com/the-best-information-security-books-of-2020-e7430444fbd4

    6. How U.S. agencies' trust in untested software opened the door to hackers:
      https://www.politico.com/news/2020/12/19/how-federal-hack-happened-448602

    7. Cybercriminals Steal Millions by Spoofing Thousands of Mobile Devices:
      https://www.securityweek.com/cybercriminals-steal-millions-spoofing-thousands-mobile-devices

    8. CyberArk State of Remote Work Study: Poor Security Habits Raise Questions About the Future of Remote Work:
      https://www.cyberark.com/press/cyberark-state-of-remote-work-study-poor-security-habits-raise-questions-about-the-future-of-remote-work/

    9. SolarWinds: Major Investors Sold Stock Days Before Breach was Disclosed:
      https://www.washingtonpost.com/technology/2020/12/15/solarwinds-russia-breach-stock-trades/

    10. How to Understand the Russia Hack Fallout:
      https://www.wired.com/story/russia-solarwinds-hack-targets-fallout

    11. Cyber attack hits UK council searches and will take months to recover:
      https://www.estateagenttoday.co.uk/breaking-news/2020/12/cyber-attack-hits-council-searches-and-will-take-months-to-recover

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.