CyberheistNews Vol 11 #02 [Heads Up] Was SolarWinds Really a Daisy Supply Chain Attack?


The NYT just reported the next revelation regarding the SolarWinds hack. The Russian FSB may have piggybacked on a tool developed by JetBrains, which is based in the Czech Republic.

The NYT said: "Officials are investigating whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies."

The software investigators are examining is a JetBrains product called TeamCity, used by SolarWinds, which lets developers test and exchange code before release. JetBrains' tools are considered predominant in software development: Google, Hewlett-Packard and Citibank are among the company's customers, and its products are widely used by developers of Android mobile software.

JetBrains themselves blogged about this and said they have not been notified of, and are not aware of, this investigation. KnowBe4 is not using the TeamCity product, but this whole affair does bring to light the enormous third-party vendor risk. Remember how antivirus company Kaspersky was penetrated and "owned" by Russian state-sponsored hackers?

Trusting your source code to three Russians seems to be an unacceptable risk these days. You need to truly start managing that risk. KnowBe4's KCM’s Vendor Risk Management module helps you manage your third-party vendor risk requirements.

KCM enables you to centralize your third-party risk management processes and helps you prequalify risk, assess your vendors, and conduct remediation efforts in your KCM platform. You can even set a frequency for how often your vendors are assessed, to continually monitor the associated risk. Get your live demo now.

Blog post with links:
[New Webinar] Malicious Browser Notifications: The New Phishing Attack Not Blocked by Your Current Cyber Defense

Cybercriminals have added a devious weapon to their attack arsenals: malicious browser notifications. And the worst part is they’re not blocked by any current cyber defense. These innocuous-looking pop-ups can wreak havoc on your network while remaining completely undetected.

They look more realistic than traditional phishing methods and are designed to trick your unsuspecting users. This is just the latest in a list of sneaky browser attacks the bad guys use to infiltrate your network.

Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist to find out what you need to know now about malicious browser attacks and how to stop them.

Attend this session to learn:
  • How legitimate websites are targeted to deliver these stealthy phishing attacks
  • Why browser notification phishing attacks bypass your cyber defenses
  • Other sneaky browser attacks the bad guys use to infiltrate your network
  • How to shore up your defenses and to protect against them all
  • Earn CPE credit for attending!
Date/Time: THIS WEEK, Wednesday, January 13 @ 2:00 PM (ET)

Save My Spot!
New Ransomware Attack Angle: Go After Top Execs to Extort Them Into Paying

ZDNet reported that ransomware gangs are prioritizing stealing data from workstations used by top executives, in the hope of finding valuable information to use in the extortion process.

A new trend is emerging among ransomware groups where they prioritize stealing data from workstations used by top executives and managers in order to obtain "juicy" information that they can later use to pressure and extort a company's top brass into approving large ransom payouts.

ZDNet first learned of this new tactic earlier this week during a phone call with a company that paid a multi-million dollar ransom to the Clop ransomware gang.

Similar calls with other Clop victims and email interviews with cybersecurity firms later confirmed that this wasn't just a one-time fluke, but instead a technique that the Clop gang had fine-tuned across the past few months.

[New Webinar] Discover 5 Major Threats to Your Digital Supply Chain and How to Reduce Your Vendor Risk

You’ve heard that vendor dependencies are ripe for malicious abuse and you have read the stories where vendors were used to exploit and infiltrate their customers. Your organization’s data is a valuable asset to its success, but this means it is also valuable to outside bad actors that want to infiltrate your network.

With so many third-party support services, outsourcing arrangements, and regulatory requirements, how do you manage compliance and vendor risk, and ensure your organization remains breach-free?

Join James McQuiggan, Security Awareness Advocate at KnowBe4, as he discusses five major threats to your digital supply chain. Find out why a Vendor Risk Management (VRM) program is a critical step to securing your organization from third-party services or vendor products.

You’ll learn:
  • Why it's essential to understand the risk your vendors pose and how to secure your data
  • Steps to design (or re-design) and implement a VRM program
  • Considerations to include in your VRM to secure your digital supply chain
  • How users influence the security of your organization’s data
  • How a GRC platform can support an organization's vendor risk management program
Plus, earn CPE credit for attending!

Date/Time: THIS WEEK, Thursday, January 14 @ 1:00 PM (ET)

Save My Spot!
PayPal Phishing: “Your Account Is Limited”

A PayPal smishing campaign is trying to trick users into handing over their credentials and personal information, BleepingComputer reports. The text messages state, “PayPal: We've permanently limited your account, please click link below to verify.” (Note, by the way, the poor command of English idiom.)

The link in the message leads to a phishing page that appears identical to PayPal’s login portal (although the URL is clearly different). If a user enters their credentials and clicks “Log In,” they’ll be taken to a second phishing page that asks them to enter their name, address, and bank account details. All of this information will be sent to the attacker.

BleepingComputer says users should be wary of any unsolicited text messages, especially if they contain a link. PayPal does limit accounts when it detects suspicious activity, but you can check the status of your account by going directly to instead of clicking on a link in a text message.

“Smishing scams are becoming increasingly popular, so it is always important to treat any text messages containing links as suspicious,” BleepingComputer writes. “As with all phishing emails, never click on suspicious links, but instead go to the main site's domain to confirm if there is an issue with your account.”

The publication also offers advice for people who may have fallen victim to this attack, urging them to be on the lookout for future social engineering attacks that incorporate their personal information.

“If you received this text and mistakenly logged into your PayPal account or provided other information, you should immediately go to and change your password,” BleepingComputer says. “If you use that same password at other sites, change them there as well.

“Finally, you should look out for other targeted phishing campaigns using the submitted data. BleepingComputer also suggests that you monitor your credit report to make sure fraudulent accounts are not created under your name.”

BleepingComputer has the story:
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase in this email traffic can present a new problem!

PhishRIP, part of the PhishER platform, is a new email quarantine feature that integrates with Microsoft 365 and G Suite to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, January 20 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Use Security Roles to Create a Multi-Tiered Incident Response System in PhishER
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, January 20 @ 2:00 PM (ET)

Save My Spot!

Let's stay safe out there:

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Check out the Current Hot 150 Cybersecurity Companies:

Quotes of the Week
"The true sign of intelligence is not knowledge but imagination."
- Albert Einstein

"The noblest pleasure is the joy of understanding."
- Leonardo da Vinci

Thanks for reading CyberheistNews

Security News
Fake Scandal Video Serves Malware

Researchers at Trustwave warn that a phishing campaign is attempting to deliver malware via a file titled “TRUMP_SEX_SCANDAL_VIDEO.” The file is a Java Archive (JAR) that will install the Qnode remote access Trojan.

Interestingly, the content of the phishing email itself had nothing to do with that filename, and instead tried to rope the target into an investment scam. The researchers believe the scammers are simply trying to capitalize on the recent US elections with the Trump-related filename.

Still, Trustwave says the malware aspect of the campaign was effective:
  • “To increase the chances of this threat being executed by the email recipient, the attachment name was based on a prominent figure, and a GUI indicating that the malicious JAR is a tool used in penetration testing.
  • “To evade detection, the malicious code of the downloader was split up into different buffers inside the JAR. Also, the string “qnodejs” which can distinguish the files related to this threat was not used anymore.
  • “To challenge the existing remediations of this threat, the names of the other files it created and downloaded were changed and they are put into different locations, not inside the Node.Js installation folder.
  • “To deliver the final payload into the system, the infection chain was modified – the JAR directly downloads the payload.”
The researchers conclude that this campaign would probably only fool the most gullible people, although it could easily be made more convincing with some simple improvements.

“While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated,” they write.

“The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common. Email administrators should be looking to take a hard line against inbound JARs and block them in their email security gateways.”
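One way to act on Trustwave's gateway advice is to identify JAR attachments by content rather than by file name, since a renamed or zipped JAR still carries a manifest or .class entries. This is an added example, not Trustwave's or the newsletter's code; `gateway_verdict`, `contains_java_archive` and the sample attachments are constructed here for illustration.

```python
import io
import zipfile

MAX_NESTED_BYTES = 5 * 1024 * 1024  # don't inflate huge inner entries while looking for nested JARs

def build_zip(entries):
    # Constructed sample data: an in-memory ZIP built from a {name: bytes} mapping.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def contains_java_archive(data, depth=2):
    # A JAR is a ZIP carrying a manifest and/or .class files. Decide by content, not file name,
    # and look inside nested archives up to `depth` levels so a JAR zipped into a .zip is caught.
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "META-INF/MANIFEST.MF" in names or any(n.lower().endswith(".class") for n in names):
                return True
            if depth == 0:
                return False
            return any(contains_java_archive(zf.read(n), depth - 1)
                       for n in names if not n.endswith("/") and zf.getinfo(n).file_size <= MAX_NESTED_BYTES)
    except zipfile.BadZipFile:
        return False

def gateway_verdict(filename, data):
    # Policy from the article: a hard line against inbound JARs. Content first, then extension.
    if contains_java_archive(data):
        return "block", "java archive by content"
    if filename.lower().endswith((".jar", ".class")):
        return "block", "java extension"
    return "allow", ""

# Constructed samples: a minimal JAR, the same JAR renamed to look like a video, a harmless
# ZIP, and the JAR nested inside a ZIP. The class bytes are only the 0xCAFEBABE magic.
JAR_BYTES = build_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: Loader\n",
                       "Loader.class": b"\xca\xfe\xba\xbe"})
PLAIN_ZIP = build_zip({"report.txt": b"quarterly numbers"})
NESTED_ZIP = build_zip({"video/clip.mp4": JAR_BYTES})
SAMPLES = [("TRUMP_SEX_SCANDAL_VIDEO.jar", JAR_BYTES), ("clip.mp4", JAR_BYTES),
           ("report.zip", PLAIN_ZIP), ("bundle.zip", NESTED_ZIP), ("notes.txt", b"just text")]

def run_samples():
    return {name: gateway_verdict(name, data)[0] for name, data in SAMPLES}
```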

Technical defenses won’t stop every threat, however. New-school security awareness training can teach your employees to avoid falling for clickbait and to never download untrusted files.

Trustwave has the story:
Signs of Inbound Ransomware

Organizations need to monitor for common signs of imminent ransomware attacks, according to Peter Mackenzie from Sophos. In an article for the Saudi Gazette, Mackenzie outlines five technical indicators that often precede a ransomware attack. These are signs that attackers are already in your network and are moving laterally or staging the ransomware before executing it.

These incidents typically begin after the attacker compromises a single device on your network, usually via a phishing email or a technical vulnerability such as an exposed RDP port.

“Attacks typically start when an attacker gains control of one machine they can use as a foothold, from which they begin to profile the target organization: is this a Mac or Windows workstation; what’s the domain and company name; what kind of admin rights does the computer have,” Mackenzie writes.

“Next, attackers will want to know what else is on the network and what can they access. The easiest way to determine this is to scan the network. If you detect a network scanner, such as AngryIP or Advanced Port Scanner, query the admin staff to make sure they weren't responsible for leaving it there. If no one recalls using the scanner, it's time to investigate.”

Organizations should also monitor for legitimate software that can be abused by attackers. “Once attackers have admin rights, they will often try to disable security software using applications created to assist with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, or PC Hunter,” Mackenzie says.

“These types of commercial tools are legitimate, but in the wrong hands, security teams and admins need to question why they have suddenly appeared.” The presence of the password-extraction tool Mimikatz on a machine is a serious indicator that an attacker is in your network. Security teams should also be watching for suspicious patterns of behavior that don’t have a clear explanation.

“Any detection happening at the same time every day, or in a repeating or regular pattern or tempo, is often an indication that something else is going on, even if malicious files have been detected and removed,” Mackenzie says. “Security teams should ask ‘why is it coming back?’”

Finally, you should watch for small test attacks, which may indicate the hackers are close to executing their primary attack.
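The indicators Mackenzie lists can be turned into a simple triage pass over endpoint telemetry: flag process starts whose image name matches one of the named tools, and flag hosts where an antivirus detection comes back at the same time of day on several consecutive days. This is an added example, not Sophos' or the newsletter's code; the log line format, the `TOOL_CATEGORIES` table and the sample events are all constructed here, and the substring matching is intentionally loose so it should be tuned for a real estate.

```python
import re
from collections import defaultdict
from datetime import datetime
# Tools named in the article, keyed by normalized image name (lowercase alphanumerics only).
TOOL_CATEGORIES = {"angryip": "network scanner", "advancedportscanner": "network scanner",
                   "processhacker": "security-software removal", "iobituninstaller": "security-software removal",
                   "gmer": "security-software removal", "pchunter": "security-software removal", "mimikatz": "credential theft"}
# Constructed log format for this example (real EDR/SIEM fields differ); malformed lines parse to None.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) detail=(?P<detail>.+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def flag_tools(records):
    # (host, image, category) per process start naming a known tool; substring match is deliberately loose.
    hits = []
    for r in (x for x in records if x["event"] == "process_start"):
        image = r["detail"].rsplit("\\", 1)[-1]
        norm = re.sub(r"[^a-z0-9]", "", image.lower())
        category = next((c for key, c in TOOL_CATEGORIES.items() if key in norm), None)
        if category:
            hits.append((r["host"], image, category))
    return hits

def recurring_detections(records, min_days=3):
    # (host, HH:MM) where an AV detection recurs at the same minute on min_days+ distinct days.
    days_seen = defaultdict(set)
    for r in (x for x in records if x["event"] == "av_detection"):
        days_seen[(r["host"], r["ts"].strftime("%H:%M"))].add(r["ts"].date())
    return sorted(k for k, days in days_seen.items() if len(days) >= min_days)

def triage(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {"tools": flag_tools(records), "recurring": recurring_detections(records)}

# Constructed sample: scanner and AV-killer on one workstation, Mimikatz on a DC, a benign archiver,
# a file-server detection that returns nightly at 23:00, and one malformed line that must be skipped.
SAMPLE_LOG = """\
2021-01-11T09:14:02Z host=FIN-WS07 event=process_start detail=C:\\Tools\\Advanced_Port_Scanner.exe
2021-01-11T09:20:45Z host=FIN-WS07 event=process_start detail=C:\\Users\\jdoe\\Downloads\\ProcessHacker.exe
2021-01-11T09:31:10Z host=DC01 event=process_start detail=C:\\Windows\\Temp\\mimikatz.exe
2021-01-12T10:02:33Z host=HR-WS03 event=process_start detail=C:\\Program Files\\7-Zip\\7z.exe
2021-01-11T23:00:00Z host=SRV-FILE2 event=av_detection detail=Trojan.Generic C:\\ProgramData\\x.dll
2021-01-12T23:00:00Z host=SRV-FILE2 event=av_detection detail=Trojan.Generic C:\\ProgramData\\x.dll
2021-01-13T23:00:00Z host=SRV-FILE2 event=av_detection detail=Trojan.Generic C:\\ProgramData\\x.dll
this line is malformed and must be ignored
"""
```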

Of course, the easiest way to prevent a ransomware attack is to stop the hackers from entering your network in the first place. New-school security awareness training can provide your organization with an essential layer of defense by teaching your employees how to recognize phishing emails and other social engineering attacks.

The Saudi Gazette has the story:
What KnowBe4 Customers Say

"I just wanted to say Brady has been very helpful while I get KCM off the ground. Brady checks in regularly and helps me stay on top of our goals on how we intend to use KCM. Brady has been instrumental in these beginning stages. He is an asset to your team. I just wanted to share this with you. I hope you had a wonderful and restful holiday season."
- N.H., IT Support Specialist II,

"Your company’s product, services and training model have greatly aided our security awareness, hygiene, and anti-phishing education and training. I respect your company’s leadership dedication and involvement. At the technical level; your support teams, knowledgebase, blog and industry-talented champions have also contributed to our growth.

Matt has greatly improved our security and anti-phishing program development. His leadership, insights and talents have motivated and moved the bar higher than ever before. Personally, it is my pleasure working for us with the KnowBe4 teams."
- M.J., Cybersecurity Analyst
The 10 Interesting News Items This Week
    1. Babuk Locker is the first new enterprise ransomware of 2021:

    2. North Korean software supply chain attack targets stock investors:

    3. Email security vulnerabilities at heart of most cyber insurance claims:

    4. Mobile Phishing Grows 27% last Quarter, But Is a Preventable Threat:

    5. US Judiciary adds safeguards after potential breach in SolarWinds hack:

    6. SolarWinds hires Chris Krebs and Alex Stamos as part of security review:

    7. Hackers can clone Google Titan 2FA keys using a side channel in NXP chips. Discuss at HackBusters:

    8. Best practices for building a security culture program:

    9. The anatomy of a modern day ransomware conglomerate:

    10. New Golang worm turns Windows and Linux servers into monero miners:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.
