CyberheistNews Vol 11 #20
Researchers at Cisco Talos warn that the threat actor known as APT36 is using new spoofed, 100%-cloned websites combined with malicious documents to deliver Remote Access Trojans and compromise networks.
“Our latest research confirms that the group continues to create malicious domains mimicking defense-related entities as a core component of their operations,” the researchers write.
Cisco Talos also notes that the threat actor is targeting more verticals than usual in the latest campaign. “While military and defense personnel continue to be the group's primary targets, APT36 is increasingly targeting diplomatic entities, defense contractors, research organizations, and conference attendees, indicating that the group is expanding its targeting,” the researchers write.
The researchers add that APT36 is putting more effort into making its phishing lures more convincing. “The actors recently deviated from the CrimsonRAT infection chains to make their ObliqueRAT phishing maldocs appear more legitimate,” the researchers write.
“For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc. APT36 also used HTTrack, a website copying tool, to create identical duplicates of legitimate sites.
“These examples highlight APT36's heavy reliance on social engineering as a core TTP and the group's efforts to make their operations appear as legitimate as possible,” the researchers conclude.
These types of attacks happen all over the world, often by state-sponsored hacking groups. You absolutely need a strong human firewall as your last line of defense to block social engineering attacks like this.
The bad guys are out there, watching and waiting for an opportunity to strike. They have carefully researched your organization in order to set the perfect trap. And the perfect backstory, or pretext, is the key.
The story might start with an urgent phone call from your “IT department” asking you to log into a new platform. Or it may seem like an innocuous email, but ends up harvesting important details about your organization. However it starts, this strategy can lead to the bad guys owning your network before you know it.
In this exclusive webinar Kevin Mitnick, KnowBe4's Chief Hacking Officer, and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will show you how the bad guys craft these cunning attacks. And more importantly, they tell you what you need to know to protect your organization.
In this webinar you’ll:
- Discover how anyone can be fooled by the right backstory (maybe even Kevin!)
- Learn why your users’ “illusion of invulnerability” may be your biggest weakness
- See how the bad guys can use the information gained to compromise your entire network
- Find out how to use this knowledge to strengthen your human firewall
Date/Time: TOMORROW, Wednesday, May 26 @ 2:00 PM (ET)
Save My Spot!
The US Federal Trade Commission (FTC) reports that victims have lost more than 80 million dollars in cryptocurrency scams since October of last year, with about 2 million of that total going to Elon Musk impersonators.
Scammers are taking advantage of misunderstandings that often surround cryptocurrency investments, and they use a variety of techniques. Impersonating celebrities like Musk is just one; there are also fake investment sites that you can't actually withdraw your "investment" from, giveaways that claim to multiply your cryptocurrency, and even classic online dating scams that attempt to con would-be romantic partners into crypto investment scams.
“In fact, the FTC’s new data spotlight shows that, since October 2020, nearly 7,000 people reported losses to bogus cryptocurrency investments, adding up to more than 80 million,” the FTC says. “People ages 20-49 were more than five times more likely than other age groups to report losing money on those scams.
But here’s an even more striking point: people in their 20s and 30s have lost more money on investment scams than on any other type of fraud. And more than half of their reported investment scam losses — $35 million — were in cryptocurrency.”
The FTC offers the following advice for people to avoid falling for these scams:
- “Research before you invest. Search online for the company and cryptocurrency name, plus ‘review,’ ‘scam,’ or ‘complaint.’
- “Be wary of guarantees and big promises. Scammers often promise you’ll make money quickly, or that you’ll get big payouts or guaranteed returns. They might offer you free money paid in cash or cryptocurrency — but, even if there’s a celebrity endorsement, don’t buy it. You’ll make money if you’re lucky enough to sell your crypto for more than you paid. Don’t trust people who say they know a better way.
- “Anyone who says you have to pay by cryptocurrency, wire transfer, or gift card is a scammer. If you pay, there’s usually no way to get your money back.”
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, June 9 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at new features and see how easy it is to train and phish your users.
- NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history.
- NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
- NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry.
- Did You Know? You can upload your own SCORM training modules into your account for home workers.
- Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Date/Time: Wednesday, June 9 @ 2:00 PM (ET)
Save My Spot!
Credential stuffing in the financial services industry has risen significantly over the past year, according to Akamai’s latest State of the Internet / Security report. Credential stuffing is a type of brute-force attack in which cybercriminals take millions of username/password pairs exposed in earlier breaches and replay them, usually through automated tooling, against other online services’ login portals, betting on password reuse to find accounts where a pair still works.
“In 2020, Akamai saw 193 billion credential stuffing attacks globally, with 3.4 billion hitting financial services organizations specifically -- an increase of more than 45% year-over-year in the sector,” the company says.
“Akamai observed nearly 6.3 billion web application attacks in 2020, with more than 736 million targeting financial services -- which represents an increase of 62% from 2019. SQL Injection (SQLi) attacks remained in the top spot across all business types globally, making up 68% of all web application attacks in 2020, with Local File Inclusion (LFI) attacks coming in second at 22%.
However, in the financial services industry, LFI attacks were the number one web application attack type in 2020 at 52%, with SQLi at 33% and Cross-Site Scripting at 9%.”
While credential stuffing is different from phishing, Steve Ragan, the Akamai security researcher who authored the report, noted that the level of credential stuffing is an indicator of the number of phishing attacks targeting the industry.
“The ongoing, significant growth in credential stuffing attacks has a direct relationship to the state of phishing in the financial services industry,” Ragan said. “Criminals use a variety of methods to augment their credential collections, and phishing is one of the key tools in their arsenal. By targeting banking customers and employees in the sector, criminals increase their pool of potential victims exponentially.”
Akamai warns that DDoS attacks are also a growing problem for the financial services sector.
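Because a stuffing run replays pairs for many different accounts from the same source, it leaves a different trace in authentication logs than a user mistyping one password. The script below, an added example and not Akamai's or KnowBe4's code, runs that detection logic over a few constructed log lines; the log format, time window and thresholds are assumptions chosen for illustration.

```python
"""Spotting credential stuffing in authentication logs.

Added example, not Akamai's or KnowBe4's code. Credential stuffing replays
breached username/password pairs against a login endpoint, so the tell-tale
signal is one source trying many *different* usernames with mostly failures,
unlike a single user mistyping a password. The log format, window and
thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <source IP> <username> FAIL|OK"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|OK)$")

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
2021-05-25T14:00:01Z 203.0.113.7 alice@example.com FAIL
2021-05-25T14:00:01Z 203.0.113.7 bob@example.com FAIL
2021-05-25T14:00:02Z 203.0.113.7 carol@example.com FAIL
2021-05-25T14:00:02Z 203.0.113.7 dave@example.com OK
2021-05-25T14:00:03Z 203.0.113.7 erin@example.com FAIL
2021-05-25T14:00:03Z 203.0.113.7 frank@example.com FAIL
2021-05-25T14:00:10Z 198.51.100.5 grace@example.com FAIL
2021-05-25T14:00:15Z 198.51.100.5 grace@example.com FAIL
2021-05-25T14:00:20Z 198.51.100.5 grace@example.com OK
2021-05-25T14:01:00Z 192.0.2.9 heidi@example.com OK
"""


def parse_log(text):
    """Parse log lines into events; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user.lower(),
            "ok": result == "OK",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: stats} for sources whose behaviour looks like credential stuffing.

    A source is flagged when, within the most recent window, it tried at least
    min_distinct_users different usernames and at least min_fail_ratio of its
    attempts failed. Successful logins from a flagged source are the accounts
    the attacker actually matched, listed under "hits" for follow-up.
    """
    if not events:
        return {}
    cutoff = max(e["ts"] for e in events) - window
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "users": set(), "hits": []})
    for e in events:
        if e["ts"] < cutoff:
            continue
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["ok"]:
            s["hits"].append(e["user"])
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "hits": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

In the sample, 203.0.113.7 is flagged (six usernames, five failures) and its one successful login is the account that needs a forced reset and MFA enrollment; 198.51.100.5 is a single user retrying their own password and is left alone. Attackers often spread a run across proxy IPs to stay under per-source thresholds, so in production also track distinct failed usernames and the overall failure rate per login endpoint, not only per IP.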
Almost every day we learn about a new data breach, and every disclosed breach raises the same question: do you know which of your users has put your organization at risk?
KnowBe4’s Password Exposure Test (PET) is a complimentary IT security tool that allows you to run an in-depth analysis of your organization’s hidden exposure risk associated with your users.
PET makes it easy for you to identify users whose email addresses are publicly exposed on the web, and checks your Active Directory to see if they are using weak passwords or passwords that appear in a known data breach. PET then reports on the affected user accounts so you can take action immediately!
Here's how the Password Exposure Test works:
- Checks to see if any of your organization’s email addresses have been part of a data breach
- Tests against 10 types of weak password related threats associated with user accounts
- Checks against breached or weak passwords currently in use in your Active Directory
- Reports on the accounts affected and does not show/report on actual passwords
Find Your Weakness!
We are very happy to see that Microsoft is introducing a new capability called Advanced Delivery, for the configuration of third-party phishing simulation campaigns and delivery of messages to security operations (SecOps) mailboxes.
They said: "Admins will now be able to explicitly configure for the following scenarios and ensure messages configured as part of these scenarios are handled correctly across product experiences:
- Third-Party Phish simulation campaigns: Admins using a third-party phish education vendor to simulate attacks that can help identify vulnerable users before a real attack impacts their organization.
- Security Operations (SecOps) mailboxes: These are special mailboxes Admins set up to support the ability for end users to report malicious emails to SecOps teams. These are also used by security teams to collect and analyze unfiltered messages."
It's Microsoft 365 Roadmap ID 72207:
We've been asking Microsoft to acknowledge and support simulated phishing platforms for some time and this is the first official feature from them that is designed to support simulated phishing.
Based on our preliminary review, this will be a simpler way to allowlist simulated phishing messages in M365 tenants and will reduce false positives in several ways. We'll be ready when they roll this out with full details of how to use it with our platform and what to expect. Thanks Redmond, we appreciate it.
Let's stay safe out there.
Founder and CEO
PS: KnowBe4's "The Inside Man" Season Three Wins 2021 NYX Video Award:
PPS: The pros and cons of SOAR explained:
- Pablo Neruda - Poet (1904 - 1973)
"In questions of science, the authority of a thousand is not worth the humble reasoning of a single individual."
- Galileo Galilei - Astronomer (1564 - 1642)
Thanks for reading CyberheistNews
One of us got a call this week in which a familiar-sounding female voice introduced herself (itself?) as “Alexa,” and told us that our Amazon Prime account had been compromised, and that, should we wish to avoid being hit with a fraudulent charge for a pricey iPhone, we should “press one” forthwith.
Sounded legit. Haven’t we heard of this “Alexa” kid before? We’re pretty sure we asked her to play “Step Right Up” not too long ago.
Researchers at Armorblox have spotted voice phishing (vishing) campaigns that seek to trick victims into believing that someone has spent hundreds of dollars on their Amazon account. One of the phishing lures is an initial email that poses as an Amazon order confirmation, informing recipients that their 900-dollar purchase of an LG TV and an Xbox was successful.
Another email posed as a delivery notice for a package that cost 556 bucks. Both emails told the user to call a phone number if they weren’t the one who placed the order. If the user calls this number, they’ll be connected with the scammer.
“The email titles, sender names, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the emails claimed to come from Amazon, and a sense of urgency because they contained information on expensive online orders that the victims hadn’t made, and thus would be eager to reverse,” Armorblox says.
“The second vishing email included the victims’ email addresses in the mail body as well, further adding to the legitimacy of the conversation.”
No Malicious Links Allow Email To Bypass All Technical Defenses
Armorblox notes that relying on vishing makes it easier for the attackers to evade technical security measures, since there’s no malicious link in the email. “Both emails didn’t include any links or other conventional calls to action, which enabled them to bypass any detection controls that block known bad links,” the researchers write.
“Including phone numbers as the payload makes the victim an active participant and continues the attack flow beyond the visibility of any email security solution.”
Armorblox summarizes some security best practices to help users to avoid falling for these attacks:
- “Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- “Don’t use the same password on multiple sites/accounts.
- “Use password management software to store your account passwords.
- “Avoid using passwords that tie into your publicly available information (date of birth, anniversary date etc.).
- “Don’t repeat passwords across accounts or use generic passwords such as your birth date, ‘password123’, ‘YourName123’ etc.”
Armorblox has the story:
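A link-free lure is not invisible, it just needs different signals: a phone number as the only call to action, "you ordered something expensive" wording next to "call us", and a brand name that does not match the sending domain. The script below, an added example and not Armorblox's or KnowBe4's code, scores two constructed messages on exactly those traits; the brand-to-domain table, keyword lists and sample emails are assumptions for illustration.

```python
"""Flagging link-free "call this number" lures in inbound mail.

Added example, not Armorblox's or KnowBe4's code. The vishing emails
described above carry no URL, so URL-reputation filters have nothing to
block; the payload is a phone number plus urgent wording about an order
the recipient never placed. This scores a message on those traits and on
whether the sender's domain belongs to the brand the text claims to be.
The brand-to-domain table, keyword lists and sample messages are
constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
# North American numbers with separators; the lookarounds keep it from
# matching inside longer digit strings such as order numbers.
PHONE_RE = re.compile(
    r"(?<![\d-])(?:\+?1[\s.-])?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}(?![\d-])")
ORDER_WORDS = ("order", "purchase", "charge", "invoice", "delivery", "shipped")
CALL_WORDS = ("call", "contact us", "reach us", "phone")
# Assumed table of brands and the domains they legitimately send from.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk"}}

# Constructed sample: an Amazon-themed vishing lure with a phone number and no link.
VISHING_EMAIL = """\
From: "Amazon.com Customer Service" <orders@amazon-support-desk.example>
To: victim@example.org
Subject: Your Amazon.com order has shipped
Content-Type: text/plain; charset="utf-8"

Hello,

Thank you for shopping with us. Your order of an LG TV and an Xbox
totaling $899.99 has shipped and will arrive on Thursday.

If you did not place this order, call our fraud desk right away at
(800) 555-0199 to cancel the charge.
"""

# Constructed sample: an ordinary shipping notice with a link and no phone number.
BENIGN_EMAIL = """\
From: "Amazon.com" <ship-confirm@amazon.com>
To: victim@example.org
Subject: Your order has shipped
Content-Type: text/plain; charset="utf-8"

Your package is on its way. Track it at https://www.amazon.com/your-orders
"""


def sender_domain(msg):
    """Domain of the From address; the display name is attacker-controlled and ignored."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_vishing(raw, brand_domains=BRAND_DOMAINS):
    """Return the phone numbers found, the reasons for suspicion, and a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    urls = URL_RE.findall(text)
    phones = [p.strip() for p in PHONE_RE.findall(body)]
    reasons = []
    if phones and not urls:
        reasons.append("phone number is the only call to action; no URL for link filters to check")
    if any(w in text for w in ORDER_WORDS) and any(w in text for w in CALL_WORDS):
        reasons.append("unexpected-purchase wording paired with a 'call us' prompt")
    dom = sender_domain(msg)
    for brand, domains in brand_domains.items():
        if brand in text and dom not in domains:
            reasons.append(f"mentions {brand} but was sent from {dom or 'an unknown domain'}")

    # Verdict: a link-free message whose payload is a phone number, with at
    # least one corroborating signal, goes to the SecOps review queue.
    flagged = bool(phones) and not urls and len(reasons) >= 2
    return {"flagged": flagged, "phones": phones, "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("vishing", VISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, score_vishing(raw))
```

The From-domain check is a heuristic, not proof: a lookalike domain fails it, but a spoofed header on an unauthenticated message passes it, so pair it with SPF/DKIM/DMARC alignment results from your gateway. Numbers extracted from flagged messages can also be fed to your help desk and call-routing blocklists, since the phone line is where this attack actually continues.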
A phishing campaign is abusing the secure email service Zix to fool users into handing over their credentials, SC Media reports. Researchers at Abnormal Security write that the links in the phishing emails lead to a benign OneNote page that contains a link to a phishing page.
“If the message recipient clicks on the link in OneNote, they are taken to the final phishing attack page, where they are prompted to enter their login credentials in order to view a document,” Abnormal Security says. “If the recipient falls victim to this attack, then the attackers will have full access to the recipient’s account and any sensitive information within it. They can even use the recipient’s account to send new attacks to the recipient’s unsuspecting colleagues.”
The researchers note that this campaign stands out due to its use of a Zix link to lend credibility to the scheme. “This attack uses a fairly common technique to evade email security, but with a twist,” the researchers write.
“Many attacks use a similar strategy as this attack and hide behind multiple layers of redirect links in order to confuse security systems. This attack took that strategy a step further by using a Zix link in order to take advantage of the trust placed in Zix and other secure messaging systems. Because the first page after the Zix link was a seemingly benign page hosted by Microsoft, Zix was unable to immediately tell that the link was malicious.”
Roman Tobe, cybersecurity strategist at Abnormal Security, told SC Media that the phishing emails were sent from a compromised email account belonging to a real estate company, which made the attack even more difficult to spot.
“The targeted company works with thousands of third-party vendors and supply chain partners,” Tobe said. “And these vendors and partners often cannot tell when their own employees are compromised and used to send phishing or invoice fraud attacks.” New-school security awareness training can help your employees avoid falling for phishing attacks that bypass your technical defenses.
Blog Post with links:
"I just wanted to let you know I gave our company a big “atta-boy” today in email and on Teams for our latest phishing security test – here is what I sent:
'Team, I just wanted to send out a quick Congratulations and Thank You for doing such a great job at identifying Phishing Scams! Give yourselves a round of applause and a pat on the back!
As you know each month, we send out simulated phishing attacks, and this month (for the first time) - no one was "hooked" by the simulated phishing attacks. In fact, over half of the company successfully identified the attack and hit the Phish Alert Button! Thank you again for being Intentionally Urgent in protecting our company and for being ALL IN!'
I can sleep much better at night! I look forward to using some of the new features that KnowBe4 is offering and continuing to prepare our team for new threats on the horizon!"
- B.J. Systems Engineer
- The Full Story of the Stunning RSA Hack Can Finally Be Told:
- Cyberinsurance provider CNA Financial Paid $40 Million in Ransom:
- Newly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions:
- Try This One Weird Ransomware Prevention Trick Russian Hackers Hate:
- Ransomware: 'We won't pay ransom,' says Ireland after attack on health service:
- Daniel Kahneman: "Clearly AI is going to win. How people are going to adjust is a fascinating problem":
- Ransomware victim shows why transparency in attacks matters:
- [From RSA] How to Get Employees to Care About Security:
- CISA: Do Not Pay Ransomware:
- FBI spots spear-phishing posing as Truist Bank to deliver malware:
- This week's Virtual Vaca to the City of Athens in Greece. Portrait of a Changing Metropolis:
- Your second Virtual Vaca to West Virginia's New River Gorge, America's newest national park:
- Extreme Target Accuracy Ultimate Compilation:
- Our Home: Mercedes F1 Factory Tour!
- The Country That Becomes a Racetrack... Monaco:
- Islands In The Sky. Skydiving in the Maldives:
- Magician Michael Feldman performs an amazing and original magic trick with a simple balloon:
- 5 Epic Robot Contenders To SpotMINI:
- Wonderful play with shadows. Super fun & creative:
- Costway Hotel Safe Jiggled Open. Hotel safes are a great spot to store your dirty laundry and not much else:
- How space really looks from the planet Mars... Holy Moly!
- Does it Crush? How candy does in this test:
- For Da Kids #1 Now THIS is a great idea. skateboard+leafblower!
- For Da Kids #2 - Creating art with... a bar of soap?:
- For Da Kids #3 - Monkey Helps Dog To Cross The River:
- For Da Kids #4 - Cats can be so funny and full of personality: