CyberheistNews Vol 11 #10 [Heads Up] The Bad Guys Now Likely Own Your Exchange OWA Server

What if Chinese state-sponsored hackers have hacked your OWA using several brand-new zero-day vulns? Or worse, Eastern European Ransomware Criminals?

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

The Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide, at least 30,000 in America — with each victim system representing approximately one organization that uses Exchange to process email.

The truth is, if you are running an OWA server exposed to the internet, assume you were compromised between 02/26 and 03/03 and that you are now in incident response mode until proven otherwise.
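One concrete way to act on "incident response mode until proven otherwise" is to scope your OWA front-end logs to the window named above and see who was talking to the server in it. The script below is an added example, not from the newsletter, Microsoft or Krebs. It assumes the W3C extended log format IIS writes by default, the standard /owa virtual directory path, the 2021 dates of the window stated above, and constructed sample log lines; it produces a per-client summary for a human to triage, not a verdict.

```python
"""Scope IIS/OWA logs to the suspected compromise window and summarise per client IP.

Added example for the newsletter's advice; the log lines below are constructed.
"""
from collections import defaultdict
from datetime import date

# Window stated in the newsletter (02/26 to 03/03); year 2021 is assumed.
WINDOW_START = date(2021, 2, 26)
WINDOW_END = date(2021, 3, 3)

# Constructed sample in the W3C extended format IIS writes by default. Real IIS logs
# replace spaces inside cs(User-Agent) with '+', so whitespace splitting is safe.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-02-25 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-02-25 09:12:01 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-02-27 03:14:22 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.9 python-requests/2.25.1 200
2021-02-27 03:14:25 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.9 python-requests/2.25.1 500
2021-02-27 03:14:29 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.9 python-requests/2.25.1 200
2021-03-01 14:02:10 10.0.0.5 GET /owa/ - 443 CONTOSO\\bob 198.51.100.8 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-04 08:00:00 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.9 python-requests/2.25.1 200
"""


def parse_w3c(text):
    """Return one dict per request, keyed by the column names from the #Fields directive."""
    fields, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()  # column layout can change mid-file
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives carry no request data
        if fields is None:
            raise ValueError("request line seen before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than mis-align columns
        entries.append(dict(zip(fields, values)))
    return entries


def in_window(entry, start=WINDOW_START, end=WINDOW_END):
    """True if the entry's date falls inside the suspected compromise window (inclusive)."""
    return start <= date.fromisoformat(entry["date"]) <= end


def summarize_window(text, path_prefix="/owa"):
    """Per client IP inside the window: request volume, POSTs, unauthenticated requests,
    user agents and status codes seen against the OWA path. Output is for human triage."""
    summary = defaultdict(lambda: {"requests": 0, "posts": 0, "unauthenticated": 0,
                                   "user_agents": set(), "statuses": set()})
    for e in parse_w3c(text):
        if not in_window(e) or not e["cs-uri-stem"].startswith(path_prefix):
            continue
        s = summary[e["c-ip"]]
        s["requests"] += 1
        s["posts"] += int(e["cs-method"] == "POST")
        s["unauthenticated"] += int(e["cs-username"] == "-")  # IIS logs '-' for anonymous
        s["user_agents"].add(e["cs(User-Agent)"])
        s["statuses"].add(int(e["sc-status"]))
    # Freeze sets into sorted lists so the result is stable to print, diff or assert on.
    return {ip: {**s, "user_agents": sorted(s["user_agents"]), "statuses": sorted(s["statuses"])}
            for ip, s in summary.items()}


if __name__ == "__main__":
    # Highest POST volume first: automated, unauthenticated POSTs from non-browser agents
    # are what a responder wants to look at first, not the routine browser logins.
    for ip, s in sorted(summarize_window(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["posts"]):
        print(ip, s)
```

Point `summarize_window` at the contents of the real IIS log files for the OWA site instead of `SAMPLE_LOG`; the `#Fields` handling means it copes with the column layout your server actually logs, and anything outside the window is dropped before counting.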

An adversary owning your email systems, being able to see all threads, and injecting a reply containing a malicious link into an existing thread between trusted parties is a worrying thought. You gotta train your users for events like this! And of course patch those systems immediately.

It was all over the press, but Brian Krebs covers it the best as usual, and he has a quick thing you can check to see if you are compromised:

Here is the Microsoft blog about this urgent issue, where they have an update that multiple bad actors are attacking unpatched systems. Do this immediately:

Hacking Multifactor Authentication: An IT Pro’s Lessons Learned After Testing 150 MFA Products

Multi-Factor Authentication (MFA) can be a highly effective way to safeguard your organization’s data, but that doesn’t mean it’s unhackable. And nobody knows that better than award-winning author and Data-Driven Defense Evangelist at KnowBe4, Roger Grimes. While researching his most recent book Hacking Multifactor Authentication, Roger tested over 150 MFA solutions. And he wants to share what he learned with you!

Join Roger as he discusses the good, the bad, and the ugly lessons he learned from his research. He’ll share with you what works, what doesn’t, and what you should absolutely avoid.

In this webinar you’ll learn about:
  • Differences between various MFA tools and why they matter
  • Real-world hacking techniques Roger used to expose MFA weaknesses
  • What makes MFA software weak or strong and what that means to you
  • Tips on choosing the best MFA software for your company
  • Why a strong human firewall is your best last line of defense
Get the details you need to know to become a better IT security defender. Plus, earn CPE credit for attending!

Date/Time: THIS WEEK, Wednesday, March 10 @ 2:00 PM (ET)

Save My Spot!

Someone Hacked the Four Top Russian Cybercrime Forums in One Month

Intrepid investigative cyber security reporter Brian Krebs has some interesting news. He said: "Over the past few weeks, three [updated to four] of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked.

In two of the intrusions, the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums.

On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web apparently pilfered from Mazafaka (a.k.a. “Maza,” “MFclub”), an exclusive crime forum that has for more than a decade played host to some of the most experienced and infamous Russian cyberthieves.

At the top of a 35-page PDF leaked online is a private encryption key allegedly used by Maza administrators. The database also includes ICQ numbers for many users. ICQ, also known as “I seek you,” was an instant message platform trusted by countless early denizens of these older crime forums before its use fell out of fashion in favor of more private networks, such as Jabber and Telegram."

Someone is sending a message. Not too hard to guess who, looking at the timing:

[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. This increase in email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft 365 and G Suite to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, March 17 @ 2:00 PM (ET) for a live 30-minute demo of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • NEW! Use Security Roles to Create a Multi-Tiered Incident Response System in PhishER
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam, or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, March 17 @ 2:00 PM (ET)

Save My Spot!

[BUDGET AMMO] New Stanford Research: 88% of Data Breaches Are Caused by Human Error

A recent 2020 report we just discovered confirms what we have been saying for many years now: about 9 out of 10 data breaches are caused by your users. We are pleased that the somewhat older data from Trend Micro we were referencing has been proven still valid today.

Researchers from Stanford University and a top cybersecurity organization found that approximately 88 percent of all data breaches are caused by an employee mistake. Human error is still very much the driving force behind an overwhelming majority of cybersecurity problems.

The study was done by Stanford University Professor Jeff Hancock and security firm Tessian. The study “Psychology of Human Error” highlighted that employees are unwilling to admit to their mistakes if organizations judge them severely.

Understanding the psychology behind human errors helps organizations know how to prevent mistakes before they turn into data leaks. According to the study, nearly 50% of employees stated that they are “very” or “pretty” certain they have made an error at work that could have led to security issues for their company. The study goes into detail about the differences between younger and older employees: younger users more readily admit to mistakes and are also easier to phish.

Other findings include:
  • Nearly 45% of respondents cited distraction as the top reason for falling for a phishing scam.
  • 57% of remote workers admit they are more distracted when working from home.
  • The top reasons for clicking on phishing emails are the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%).
“Your employees are focused on the job you hired them to do and when faced with to-do lists, distractions, and pressure to get things done quickly, cognitive loads become overwhelming and mistakes can happen,” the study report concluded. Stepping users through new-school security awareness training is a must you simply cannot afford to skip.

Full article at CISO MAG:

How Vulnerable Is Your Network Against Ransomware and Cryptomining Attacks?

Bad guys are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

Try KnowBe4’s Ransomware Simulator tool (RanSim) and get a quick look at the effectiveness of your existing network protection against the latest threats. RanSim will simulate 20 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable to infection.

Here's how RanSim works:
  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 21 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!
This is complimentary and will take you 5 minutes.

RanSim may give you some insights about your endpoint security you never expected!

Download RanSim!

[BOOK REVIEW] "This Is How They Tell Me the World Ends: The Cyberweapons Arms Race"

I'm reading this fascinating book that reveals a part of our world that has been hidden for too long. The upshot is that America has built the world's most sophisticated cyberweapons, but now they're being used against the US. The book explains the discovery of and trade in zero-day vulnerabilities.

The best example of a massive zero-day exploit is the OWA case above. These things are a terrible liability.

Nicole Perlroth, who has been covering cyber security for the New York Times for more than a decade, says other countries' cyber capabilities have caught up to the US in recent years. At the same time, she argues, America's critical infrastructure — because so much of it is owned by private companies and connected to the internet — has become a huge target for its adversaries.

It's a great read; I'm halfway through and I already think this is something you are going to both enjoy and get the shivers from.

Link to Kindle Version:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: KnowBe4 acquired MediaPro. We're going to make a great team together:

Quotes of the Week
"In questions of science, the authority of a thousand is not worth the humble reasoning of a single individual."
- Galileo Galilei

"It is the first responsibility of every citizen to question authority."
- Benjamin Franklin

Thanks for reading CyberheistNews

Security News
Most Phishing Emails Are After Credentials

57% of phishing emails in 2020 were designed for stealing credentials, according to Cofense’s most recent Annual State of Phishing Report. Meanwhile, just 12% of phishing attacks last year were used for delivering malware. Cofense believes this is because credential phishing emails are better at bypassing email security filters than emails with malicious attachments or download links.

Likewise, conversational phishing attacks, like business email compromise (BEC), have grown more popular. “The vast majority of phishing campaigns are credential theft or conversational,” Cofense says. “While malicious attachments still play a role in phishing, the frequency of this has dramatically declined over the years.

In fact, most phish attachments these days are not even malware, but instead, conduits to open a browser to further credential theft. While on the decline, we have our finger on the pulse of phishing related malware.”

The researchers add that cyberattacks resulting from credential theft are often harder to detect than those that rely on malware, since the attackers are using legitimate accounts within the organization.

“Remember, credentials are high value,” the report says. “They provide the keys to the castle for adversaries, sometimes allowing for long-term access to sensitive accounts and information. While threat actors constantly develop sophisticated techniques to evade SEGs and steal credentials, many still use tried-and-true methods with significant success.

Data breaches and theft originating from stolen credentials are extremely common, giving threat actors access to sensitive data, web servers, end user accounts, and leave the organizational infrastructure vulnerable to other attack types.”

Cofense adds that attackers are also increasingly abusing trusted services from Microsoft, Google, Adobe, Dropbox, and others to host their malware or phishing pages, since these services are less likely to be flagged by security measures.

New-school security awareness training can give your organization an essential last layer of defense by teaching your employees how to recognize social engineering attacks.

HealthITSecurity has the story:

Universal Health Services Victim of Ryuk Ransomware, Costing $67 Million

Fortune 500 hospital and health care service provider Universal Health Services (UHS) fell victim to Ryuk ransomware in September 2020.

UHS released the following statement: "The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays."

The hospital's operations system and the other affected systems have been restored, and UHS has stated that normal operations have resumed.

Remember in October 2020 when the government warned of Ryuk ransomware targeting the healthcare industry? The deadly ransomware group has already been hitting about 20 companies a week and has been the mastermind behind the big wave of attacks on the US healthcare system.

It's important to frequently check how effective your network defenses really are. New-school security awareness training can also help your users spot and report any suspicious activity in their day-to-day operations.

Blog Post with links:

What KnowBe4 Customers Say

"Stu, just a quick follow up. Tyffany and Huyen have been excellent to work with. Having been in the Tech industry 30 years managing infrastructure, compliance, licensing, subscriptions, implementations, etc... I'm super impressed with the personal implementation experience and the role your Customer Success Managers provide.

We've still got a ways to go, but I'm looking forward to the insights and improvements we gain in Security Awareness with KnowBe4."
- S.R., Sr. Director IT

The 10 Interesting News Items This Week
    1. Password Reuse at 60% as 1.5 Billion Combos Discovered Online:

    2. WSJ: Russian Disinformation Campaign Aims to Undermine Confidence in Covid-19 Vaccines:

    3. ‘Deep Nostalgia’ Can Turn Old Photos of Your Relatives Into Moving Videos:

    4. These are the tools that were used to create the hyper realistic Tom Cruise deepfakes:

    5. But Tom Cruise deepfake creator says public shouldn’t be worried about ‘one-click fakes’ just yet:

    6. Deepfakes as a Service - Recorded Future/Cyberwire:

    7. California DMV Issues REAL ID Phishing Scam Alert:

    8. Securing The Remote Workforce Is Top Priority, But It Won't Be Easy. Yours Truly via Forbes:

    9. The Cybersecurity 202: A new government watchdog report highlights urgent federal cybersecurity risks:

    10. Newly Identified Zoom Impersonation Phishing Campaigns:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.