CyberheistNews Vol 11 #22
Details on this new scam demonstrate how cybercriminal gangs are working to try use new angles and social engineering methods to trick users into becoming victims.
Receiving a bogus email pretending to be from Amazon is old news. We’ve seen countless impersonation emails over the last year alone. But this latest email-based attack documented by security researchers at Armorblox tells the tale of a phishing email that becomes a vishing (voice phishing) attack to trick potential victims into giving up personal details.
According to Armorblox, victims receive a realistic-looking Amazon email stating the recipient ordered a 77” TV (which are very expensive!).
The real brilliant part is with the “View or Manage Order” button – it’s nothing but an image with no URL linked to it whatsoever. Instead, you’ll note, there’s a message stating “If you did not place this order, please contact us at XXX-XXX-XXXX.”
This is where the phishing attack becomes a vishing attack.
When the victim calls the phone number (which is redirected to a disposable Google Voice number), a live person answers the call pretending to be from Amazon. They ask the victim for the order number, their name, and then verify credit card details before they cut the call short on purpose and block the victim’s number.
This kind of social engineering shows just how far the bad guys will go to establish credibility to lower someone’s defenses. Since most users are aware of phishing attacks, educating them via security awareness training about vishing attacks is also necessary to keep the organization safe from all attack vectors.
Blog post with links and screenshot:
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, June 9 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at new features and see how easy it is to train and phish your users.
- NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history.
- NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
- NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry.
- Did You Know? You can upload your own SCORM training modules into your account for home workers.
- Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Date/Time: TOMORROW, Wednesday, June 9 @ 2:00 PM (ET)
Save My Spot!
Researchers at Sophos report finding a new ransomware strain in the wild. They call it “Epsilon Red.” The malware is written in GO, and it was delivered as the final executable payload in a hand-controlled attack against a target in the US hospitality sector.
“It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network,” Sophos said. “It isn’t clear whether this was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server.
From that machine, the attackers used WMI to install other software onto machines inside the network that they could reach from the Exchange server.”
Why Epsilon Red? Sophos shares the etymology, which may be news for any not fully up-to-date with the Marvel Comic Universe. The character Epsilon Red was a relatively obscure adversary of some of the X-Men, a ‘super soldier’ alleged to be of Russian origin, sporting four mechanical tentacles and a bad attitude.”
While the campaign uses complex layers of deception, the ransomware proper is, Sophos says, “barebones.” It’s a 64-bit Windows executable, and all it does is encrypt the files in the target system. Other functions, like communication, deleting shadow copies, killing processes, and so forth, have been, according to the researchers, “outsourced” to the PowerShell scripts.
The whole Red Epsilon package performs these actions against its targets:
- It kills processes and services for security tools, databases, backup programs, Office apps, and email clients.
- It deletes Volume Shadow Copies.
- It steals password hashes contained in the Security Account Manager file.
- It deletes Windows Event Logs.
- It disables Windows Defender.
- It suspends selected processes.
- It uninstalls security tools (included tools by Sophos, Trend Micro, Cylance, MalwareBytes, Sentinel One, Vipre, and Webroot).
- Finally, it expands permissions on the system.
Blog post with links:
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us TOMORROW, Wednesday, June 9 @ 1:00 PM (ET), for a 30-minute live product demo of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
- Vet, manage and monitor your third-party vendors' security risk requirements.
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
- Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations.
- Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Save My Spot!
By Roger Grimes. I keep seeing a new ransomware term, “double extortion” being discussed. It is the hot, new buzzword surrounding ransomware. This term attempts to summarize how ransomware is no longer just encrypting data and how ransomware gangs are more commonly using data exfiltration and the threat of releasing that data to hackers or the public to get paid.
An example of a common use for this term is, “A good backup will no longer save you because of double extortion!” That is true. But it is really worse than that. If only it was double extortion.
Starting in late 2019, the first ransomware gangs started to use data exfiltration as a tactic. They got paid more money more often. Other ransomware gangs noticed and by the end of 2019, 10-15% of ransomware attacks involved data exfiltration. By the end of 2020, that number was over 70%. Now, halfway through 2021, it is over 80%.
This means that if you get hit by ransomware, odds are your company will also have a data exfiltration issue to deal with and a data breach to report.
But that is not all they do now. Besides stealing data, cyber criminals are stealing company, employee and customer passwords. It used to be that if they stole passwords, they only stole them to help infect more machines in the same network. Not anymore. Now, their primary goal for stealing passwords is to cause more damage and to do more extortion.
Your job is to safeguard your organization and its assets from bad actors trying to infiltrate your network. But what do you do when the threat is coming from what looks like a trusted partner or vendor? If they get hacked, the bad guys can target you based on your partnership. These attacks are incredibly hard to detect because they are actually coming from TRUSTED sources. In today’s environment you can trust no one!
Join Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, for this webinar where he’ll break down supply chain attacks to help you differentiate the good guys from the bad guys. He’ll discuss:
- How cyber criminals pulled off recent, high-profile supply chain attacks
- Why these threats are so hard to detect
- What you can do now to prevent these cyberattacks from compromising your organization
- How to turn the tables on attackers and use their attempts to actually improve your security posture
Date/Time: Wednesday, June 16 @ 2:00 (ET)
Save My Spot!
The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cyber criminals, a senior department official told Reuters.
Internal guidance sent on Thursday to U.S. attorney's offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.
"It's a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain," said John Carlin, principle associate deputy attorney general at the Justice Department.
Reuters has the full story:
Let's stay safe out there.
Founder and CEO
PS: KnowBe4 Fresh Content Updates From May: Including New Mobile-First Training Modules:
PPS: Bloomberg "Hackers Breached Colonial Pipeline Using Compromised Password:"
- Albert Einstein - Physicist (1879 - 1955)
"When the power of love overcomes the love of power, the world will know peace."
- Jimi Hendrix - Guitarist, Singer, Songwriter (1942 - 1970)
Thanks for reading CyberheistNews
You can read CyberheistNews online at our Blog
Schools are increasingly falling victim to cyberattacks such as phishing, according to researchers at IBM’s SecurityIntelligence. The researchers explain that schools are often under-resourced when it comes to cybersecurity, and the open nature of a school’s network can make it difficult to secure.
“Running on public funding could make it difficult for schools to find the money for consistent cybersecurity investments from year to year,” the researchers write. “At the same time, schools need to make their networks open to everyone they serve.
That includes teachers, administrators, students, staff, and parents — all of whom have varying levels of security awareness.” The researchers add that students and teachers are likely to face different types of threats, and a security awareness program should take this into account.
“Schools can concentrate the content of their security awareness training programs on threats that affect their teachers and staff,” the researchers write. “But they need a different strategy for students, more so those in K-12 facilities. Just as they cultivate students’ language, reading, writing and other skills, so too should they foster their pupils’ digital hygiene.”
The researchers write that schools can integrate this type of training into their curriculum in a way that makes it easy for students to learn.
“One of the most effective means to do this is to make it hands-on and fun,” the researchers write. “The Center for Internet Security and the Multi-State Information Sharing & Analysis Center hosts the National Kids Safe Online Poster Contest every year, in which kids create posters that educate their peers about staying safe online, including password hygiene, safe web browsing habits and identity theft. With programs like this, kids can be one of the many defenses against attacks on school cybersecurity.”
SecurityIntelligence has the story:
Researchers at Microsoft have observed another attack campaign by Nobelium, the Russian threat actor responsible for the SolarWinds campaign. Tom Burt, Microsoft’s Corporate Vice President, Customer Security & Trust, explained in a blog post that the threat actor hacked into an email marketing account belonging to the US State Department’s USAID and used the account to send thousands of phishing emails with malicious links that would install a malware backdoor.
“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental orgs,” Burt wrote. “This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations.
While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work.
Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”
Burt noted that this campaign highlights the larger trend of state-sponsored threat actors shifting their targeting to align with their government’s objectives.
“[P]erhaps unsurprisingly, Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating,” Burt wrote. “This time Nobelium targeted many humanitarian and human rights organizations.
At the height of the Covid-19 pandemic, Russian actor Strontium targeted healthcare organizations involved in vaccines. In 2019, Strontium targeted sporting and anti-doping organizations. And we’ve previously disclosed activity by Strontium and other actors targeting major elections in the U.S. and elsewhere.
This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations.”
Note that the Nobelium attackers compromised USAID’s account with a widely used email marketing service, one that many businesses use to send email newsletters to prospective customers. New-school security awareness training can help your employees spot the phishing emails that slip past your technical defenses.
Microsoft has the story:
"We are loving our software! We are already seeing a decrease in clicks and our people are reporting more phishing attempts all the time. This year during our annual training I will be using the platform instead of having to create my own program. Thank you!"
- R.K. IT Assistant
"Yes, so far so good, your team has been tremendous getting us familiar with the platform. So far we have received positive feedback from our employees on the training we choose."
- G.S. Director of IT
"Dear Stu, I am happy with the content. The users are excited with the knowledge they have gained. We are looking forward to mindset and behaviour change in order to fight cyber criminals."
- C.S. Group Chief Information Officer
- WSJ: Ransomware Is an Intolerable Situation Affecting All Sectors:
- Global Ransomware Damage Costs Predicted To Reach $250 Billion (USD) By 2031:
- Interpol Seizes $83 Million Headed for Online Scammers:
- UK Data Breach Culprits: Phishing and Ransomware Dominate:
- Russian underground forums launch competitions for cryptocurrency, NFT hacks:
- Cybersecurity: Why a culture of silence and driving mistakes underground is bad for everyone:
- What CISOs should know about returning to the office:
- Former Officials Say Broader Cybersecurity Requirements Needed for Critical Infrastructure:
- Fake Positive Reviews Mask Spoofed Browser Extensions:
- Head Of Cybersecurity Firm That Detected USAID Hack Explains What Happened:
- Summer 2021 is coming. Now is the time for all awesome people to go outdoors and have fun:
- Grab your seatbelt and strap in for your Virtual Vaca to the island of Madeira!:
- “The Ultimate Portable Safe” Opened With Red Bull Can:
- The World's First Energy Island:
- Luigi Stipa's 1933 experimental airplane - the ancestor of the jet engine:
- The difference between a Good Lap Vs Great Lap: F1 2021 Azerbaijan Grand Prix:
- World's first 'floating' pool suspended between London tower blocks. Yikes:
- GoPro Awards: Hot Air Balloon Skydive:
- Lars Andersen: Impossible Archery, for real:
- Classic Oldie Penn & Teller -- fooled by a cookie:
- For Da Kids #1: 10-Year-Old Peter Rosalita SHOCKS The Judges With "All By Myself":
- For Da Kids #2: Top 10 Animal Encounters:
- For Da Kids #3: Bears Dancing in the Forest. Funny and entertaining!:
- For Da Kids #4: Mom Secretly Adopts A Shelter Dog Her Daughters Fell In Love With: