CyberheistNews Vol 11 #08
Video game studio CD Projekt Red, makers of The Witcher series and Cyberpunk 2077, have disclosed a ransomware attack, WIRED reports.
The attackers claimed to have stolen source code for the company’s games and threatened to release the data if the company didn’t pay the ransom. The company refused to pay, and the attackers have since claimed that they’ve sold the code.
“We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data,” CD Projekt Red stated. “We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach.
We are still investigating the incident, however at this time we can confirm that – to our best knowledge – the compromised systems did not contain any personal data of our players or users of our services. We have already approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to fully investigate this incident.”
CD Projekt Red added that it doesn’t know if the attackers stole data belonging to the company’s former employees, but cautions that these individuals should be on the lookout for fraud just in case.
“To our ex-employees: As of this moment, we don't possess evidence that any of your personal data was accessed,” the company wrote. “However, we still recommend caution (i.e. enabling fraud alerts). If you have questions, please write to our Privacy Team.”
CD Projekt Red should be commended for resisting the pressure to pay the ransom, as this disrupts the attackers’ business model. New-school security awareness training can help your employees recognize social engineering attacks to prevent these attacks from occurring in the first place.
Story with link at the blog:
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, March 3 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at new features and see how easy it is to train and phish your users.
- NEW! AI Recommended training suggestions based on your users’ phishing security test results.
- NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
- NEW! 2021 Training Modules were just published in the ModStore.
- Did You Know? You can upload your own SCORM training modules into your account for home workers.
- Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Date/Time: Wednesday, March 3 @ 2:00 PM (ET)
Save My Spot!
You may have missed this extremely interesting bit of data that ZDNet just published. "Microsoft reckons that the huge attack on security vendors and more took the combined power of at least 1,000 engineers to create.
"The months-long hacking campaign that affected US government agencies and cybersecurity vendors was "the largest and most sophisticated attack the world has ever seen," Microsoft president Brad Smith has said, and involved a vast number of developers.
"The attack, disclosed by security firm FireEye and Microsoft in December, may have impacted as many as 18,000 organizations as a result of the Sunburst (or Solorigate) malware planted inside SolarWinds's Orion network management software.
"I think from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen," Smith told CBSNews' 60 Minutes.
"Kevin Mandia, CEO of FireEye, also discussed how the attackers set off an alarm but only after the attackers had successfully enrolled a second smartphone connected to a FireEye employee's account for its two-factor authentication system. Employees need that two-factor code to remotely sign into the company's VPN. "Just like everybody working from home, we have two-factor authentication," said Mandia.
"A code pops up on our phone. We have to type in that code. And then we can log in. A FireEye employee was logging in, but the difference was our security staff looked at the login and we noticed that individual had two phones registered to their name. So our security employee called that person up and we asked, "Hey, did you actually register a second device on our network?" And our employee said, "No. It wasn't, it wasn't me."
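The check Mandia describes, written out as an added example (this is not code from ZDNet, FireEye or the newsletter): replay MFA enrollment and VPN login events in time order and flag any login that uses a device never enrolled for that user, or a recently added second device. The event format, field names and sample users are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not FireEye's real logs): MFA device enrollments
# and VPN logins, each with an ISO-8601 timestamp.
EVENTS = [
    {"ts": "2020-11-20T09:00:00", "type": "mfa_enroll", "user": "alice", "device": "phone-A"},
    {"ts": "2020-12-01T22:14:00", "type": "mfa_enroll", "user": "alice", "device": "phone-B"},
    {"ts": "2020-12-01T22:20:00", "type": "vpn_login", "user": "alice", "device": "phone-B"},
    {"ts": "2020-11-01T08:00:00", "type": "mfa_enroll", "user": "bob", "device": "phone-C"},
    {"ts": "2020-12-02T08:05:00", "type": "vpn_login", "user": "bob", "device": "phone-C"},
    {"ts": "2020-12-02T09:00:00", "type": "vpn_login", "user": "carol", "device": "phone-D"},
]


def find_suspicious_logins(events, window=timedelta(days=7)):
    """Replay events in time order and return one alert per VPN login that
    either used a device never enrolled for that user, or used a device
    enrolled within `window` while the user already had another device.
    The second case is the pattern in the FireEye story: a second phone
    appears on the account and is then used to log in."""
    enrolled = {}  # user -> {device: enrollment time}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "mfa_enroll":
            enrolled.setdefault(ev["user"], {})[ev["device"]] = when
            continue
        if ev["type"] != "vpn_login":
            continue
        devices = enrolled.get(ev["user"], {})
        enrolled_at = devices.get(ev["device"])
        if enrolled_at is None:
            reason = "login with a device that was never enrolled"
        elif len(devices) > 1 and when - enrolled_at <= window:
            reason = "login with a recently added second device; confirm with the user"
        else:
            continue  # single long-standing device: nothing to raise
        alerts.append({"user": ev["user"], "device": ev["device"], "ts": ev["ts"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(EVENTS):
        print(alert)
```

On the constructed data, alice's login from the phone added six minutes earlier is flagged for a call-back, while bob's login from his only, long-standing device is not.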
Here is the link to the full ZDNet article:
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us Wednesday, March 3 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
- Vet, manage and monitor your third-party vendors' security risk requirements.
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
- Quick implementation with pre-built requirements templates for the most widely used regulations.
- Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Save My Spot!
By Roger Grimes.
Beware of being drawn into solving CAPTCHAs on behalf of malicious actors. I do not know anyone who loves CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart).
These are little online tests that supposedly tease out whether the action being performed is being done by a human or some automated bot program or script. They are needed because miscreants across the Internet would otherwise abuse the involved services to create bogus accounts used to hack others or simply abuse the system in some other way.
CAPTCHAs are an unfortunate, but necessary part of life (at least right now). We are forced to interact with them when we are newly registering on websites or performing a potentially risky action.
There are many different types of CAPTCHAs, ranging from extremely easy to solve to ones that require more effort and are more prone to human error. In their easiest form, they are simply a box (see example below) that we are told to click.
The scary fact is that human error is a contributing factor in the majority of breaches. With so many technical controls in place, hackers are still getting through to your end users, making them your last line of defense. How are they so easily manipulated into giving the bad guys what they want? Well, hackers are crafty. And the best way to beat them is to understand the way they work.
In this webinar Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will take you through the "Cyber Kill Chain" in detail to show you how a single email slip up can lead to the total takeover of your network.
In this webinar you’ll hear about:
- How detailed data is harvested using public databases and surprising techniques
- Tricks used to craft a compelling social engineering attack that your users WILL click
- Cunning ways hackers deliver malicious code to take control of an endpoint
- Taking over your domain controller and subsequently your entire network
With tax season just around the corner, this simple, yet effective social engineering theme is perfect to get users to respond to phishing attacks exactly the way the bad guys want.
Every successful phishing attack starts with the premise of creating an email that generates enough emotional buy-in from the reader to get them to interact. Whether the emotion is positive or negative makes little difference, as long as it gets the recipient to click the link, open the attachment, reply, etc.
Tax forms like the U.S. W-2s have already begun to be delivered to employees – some the old-fashioned way via mail, and most via email as an invitation to download the PDF version. Scammers know this and can easily impersonate your organization’s HR department asking the employee to review and/or download their W-2, offering up either a malicious attachment or link that will be used to infect the recipient’s endpoint, attempt to capture their logon credentials to Office 365, etc.
It’s important for you to educate your users on phishing scams like this.
Let's stay safe out there.
Founder and CEO
PS: KnowBe4 was named a January 2021 Gartner Peer Insights customers’ choice for security awareness computer-based training across three categories:
- J. Lavater
"We hold these truths to be self-evident: that all men are created equal; that they are endowed by their Creator with certain unalienable rights; that among these are life, liberty, and the pursuit of happiness."
- Thomas Jefferson - Founding Father & US President (1743 - 1826)
Thanks for reading CyberheistNews
Some bug bounty seekers are using extortionist or fear-mongering tactics in an effort to get paid for reporting trivial flaws, according to Chester Wisniewski at Sophos. He calls them “beg bounty” attempts.
Wisniewski explains that, “‘Beg bounty’ queries run the gamut from honest, ethical disclosures that share all the needed information and hint that it might be nice if you were to send them a reward, to borderline extortion demanding payment without even providing enough information to determine the validity of the demand.”
For example, some of these individuals use automated scanners to identify websites that don’t have DMARC enabled, then send a copy-and-pasted notification to each website’s owner.
“They claim to have found a ‘vulnerability in your website’ and then go on to explain that you do not have a DMARC record for protection against email spoofing,” Wisniewski writes. “That is neither a vulnerability nor is it in your website.
While publication of DMARC records can help prevent phishing attacks, it is not an easy policy to deploy, nor is it high on the list of security tasks for most organizations.”
While some of these people are probably well-meaning, others are clearly scammers seeking to frighten victims into paying. Even in the cases where real vulnerabilities were identified, the flaws were minor and not worthy of a bounty payout.
Additionally, many of the targeted organizations didn’t have bug bounty programs set up in the first place. Wisniewski thinks small businesses are most at risk of falling for these tactics.
“There are reports that paying beg bounties leads to escalating demands for higher payments,” Wisniewski says. “One organization apparently said it started out at $500 and then, as further bugs were reported, the senders quickly demanded $5,000 and were more threatening.”
If you do have a bug bounty program, you’ll know about it. And if you don’t, let your people know that, too, so they don’t fall victim to this...what? Grey hat scam? Not all scams come in black and white. New-school security awareness training can help your employees remain calm and avoid falling victim to scare tactics and other social engineering techniques.
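To check what a "you have no DMARC record" note actually means for your own domain, here is an added Python checker (not code from Sophos or the newsletter) that classifies a DMARC TXT record into the deployment stages a domain passes through: missing, monitor-only, partial enforcement, full enforcement. The records and domain names are constructed placeholders; the record is passed in as a string, so no DNS lookup is performed.

```python
# Constructed DMARC TXT records (not from any real domain) at the stages a
# deployment moves through, plus a domain with no record and one that
# publishes an SPF record where a DMARC record was expected.
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "absent.example": None,
    "wrong-record.example": "v=spf1 include:_spf.example -all",
}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; None if it is not a DMARC1 record."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(txt):
    """Return (stage, detail) describing what a receiving server does with
    mail that fails SPF/DKIM alignment under this record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ("missing", "no DMARC1 record: receivers apply no DMARC policy to spoofed mail")
    # 'p' is required by the spec; a record without it is treated as monitor-only here.
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # spec default is 100% when pct is absent
    if policy == "none":
        if "rua" in tags:
            return ("monitor", "p=none: aggregate reports only, no enforcement")
        return ("monitor", "p=none and no rua: neither reports nor enforcement")
    if pct < 100:
        return ("partial", f"p={policy} applied to {pct}% of failing mail")
    return ("enforced", f"p={policy} applied to all failing mail")


def assess_all(records):
    """Map each domain to its DMARC deployment stage."""
    return {domain: assess_dmarc(txt)[0] for domain, txt in records.items()}
```

A domain sitting at "monitor" is the normal first step of a rollout, not a flaw in the website, which is the point Wisniewski makes above.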
Sophos has the story:
Microsoft is still the most impersonated brand for phishing campaigns, according to researchers at Vade Secure. The security firm spotted 30,621 unique Microsoft related phishing URLs in 2020. The researchers note that “[a] single unique phishing URL could be used in hundreds or even thousands of phishing emails.”
Facebook was the second most impersonated, with 14,876 unique phishing URLs. PayPal came in third, followed by Chase and eBay. “COVID-19 colored everything in 2020, so it’s not surprising that cloud came out on top,” the researchers write.
“As the working world switched to remote, the need for cloud-based solutions skyrocketed. Microsoft Teams users increased from 44 million in March 2020 to 75 million in April 2020. Meanwhile, Facebook, Google, and Netflix saw big financial gains during COVID-19, and each is in the top 20.”
E-commerce phishing has also been on the rise due to the pandemic, and some new brands have made it to the top ten list. “New to the Phishers’ Favorites list, Rakuten, a Japanese e-commerce company, made its first appearance on the list, coming in at #6,” the researchers write.
“Rakuten’s rise is thanks to a large spike in phishing activity in Q3 2020, when Vade Secure detected a 485 percent increase in Rakuten phishing URLs.”
The researchers also observed a year-over-year increase in phishing emails laden with the Emotet banking Trojan. “Phishing emails weaponized with malware also featured prominently in 2020,” Vade Secure says. “Emotet, which had gone silent in early 2020, returned briefly in the spring and came roaring back in the fall.
A wave of Emotet malware emails hit Microsoft users in September, with a single-day high of 1,799 phishing URLs and 13,617 for the quarter, a 44 percent increase from Q2.”
Trends in phishing lures change over time, but the underlying hallmarks of social engineering remain the same.
Vade Secure has the story:
"Stu, thank you for checking in. We are happy so far. We've only run one test, but my CSM Joe has been helping us out. I came from an org where I was in charge of running the KB4 tests, so this is not my first experience. I've been happy with the product for as long as I've used it."
- L.B., Information Security Analyst
- Cybersecurity advice from the Houdini of hackers: An interview with Kevin Mitnick:
- Feds Indict North Korean Hackers for Years of Heists and Scams:
- Sandworm Hackers Hit French Monitoring Software Vendor Centreon:
- North Korea 'Tried to Hack' Pfizer for Vaccine Info:
- Yandex sysadmin caught selling access to email accounts:
- Nigerian BEC Kingpin Sentenced to Prison for $11 Million Global Fraud Scheme:
- Smishing and vishing: Explained and explored:
- Microsoft: SolarWinds hackers downloaded some Azure, Exchange source code:
- Just saw a tweet about a phone-based phish that was interesting, thought I'd share:
- Supply chain security is actually worse than we think:
- This week's Virtual Vaca to Auckland. Gorgeous timelapse!:
- Richard Browning is back with a mini virtual vaca flyby over the Maldive Islands:
- Using a rope to remove snow from a roof? Very creative:
- "BASE jumping into a plane mid-air." Truly a door in the sky:
- "How To Move a Building". Super interesting:
- Climbing UP the Almas Tower in Dubai *360 METERS* WHOA:
- Climbing DOWN the Tallest Crane in Dubai. Whoa!:
- The 363 members of the Fightin' Texas Aggie Band show off their incredible precision, coordination and musical talent:
- The "XY Problem" with IT Trouble Tickets. This is a good one:
- When Formula 1 Teams Cheat:
- Why Russia Is Terrified of SpaceX's Starlink:
- Security camera footage of wave breaking freighter in half. MAYDAY MAYDAY:
- Ford Expedition Lock Picked & Decoded w/ Lishi Tool:
- World record car jump attempt goes wrong and ends in spectacular crash:
- For Da Kids #1 - Dexter the lion is sneaking up on his friend Dean Schneider at the Hakuna Mipaka wildlife sanctuary in South Africa:
- For Da Kids #2 - Woman Spends 5 Months Saving A White Squirrel:
- For Da (slightly bigger) :-D Kids #3 - "Perseverance landed on Mars!":