CyberheistNews Vol 11 #28 [HEADS UP] Live Phishing Attack Uses New Infection Technique to Deliver Malware


Researchers at McAfee warn that a current phishing campaign is delivering malware via Word documents that don’t contain any malicious code. When a user opens the document and enables content, the document will download an Excel file that’s used to construct a malicious macro after the documents are on the system. This helps the macros bypass security filters.

“The malware arrives through a phishing email containing a Microsoft Word document as an attachment,” the researchers write. “When the document is opened and macros are enabled, the Word document, in turn, downloads and opens another password-protected Microsoft Excel document.

After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions. Once the macros are written and ready, the Word document sets the policy in the registry to Disable Excel Macro Warning and invokes the malicious macro function from the Excel file. The Excel file now downloads the Zloader payload. The Zloader payload is then executed using rundll32[dot]exe.”

Importantly, the user still has to enable macros in the first document in order for the second document to be downloaded. As a result, the infection chain can be thwarted if users are trained to never enable macros in an Office document.
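The chain described above leaves two traces a defender can look for on the endpoint: an Office process rewriting Excel's macro-security policy in the registry, and an Office process ending up as the parent of rundll32.exe. The script below is an added example, not McAfee's or KnowBe4's code, and it runs over a constructed, simplified event list rather than a real Sysmon or EDR schema. It assumes the "Disable Excel Macro Warning" policy mentioned in the write-up is the VBAWarnings DWORD under HKCU\Software\Microsoft\Office\<version>\Excel\Security (1 = enable all macros), and it also flags AccessVBOM=1, the setting that allows VBA code to be written into a project programmatically; the write-up itself names neither value.

```python
"""Detection sketch for an Office-document chain that rewrites Excel macro
policy and then launches a payload through rundll32.exe.

Added example; the event schema is constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBIN_IMAGES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


@dataclass
class Event:
    kind: str                           # "process" or "registry"
    image: str                          # acting process image (full path or name)
    parent_image: Optional[str] = None  # process events: parent image
    reg_path: Optional[str] = None      # registry events: full value path written
    reg_data: Optional[int] = None      # registry events: DWORD written


def _basename(path: str) -> str:
    """Normalise an image path to a lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def macro_policy_tampering(events: List[Event]) -> List[str]:
    """Flag Office processes writing Excel's macro-security values.

    Assumption: VBAWarnings=1 means 'enable all macros' and AccessVBOM=1 grants
    programmatic access to the VBA project (both under ...\\Excel\\Security).
    """
    findings = []
    for e in events:
        if e.kind != "registry" or _basename(e.image) not in OFFICE_IMAGES:
            continue
        path = (e.reg_path or "").lower()
        if "\\excel\\security\\" not in path:
            continue
        value_name = path.rsplit("\\", 1)[-1]
        if value_name == "vbawarnings" and e.reg_data == 1:
            findings.append(f"{_basename(e.image)} set VBAWarnings=1 (enable all macros)")
        elif value_name == "accessvbom" and e.reg_data == 1:
            findings.append(f"{_basename(e.image)} set AccessVBOM=1 (VBA project access)")
    return findings


def office_to_lolbin(events: List[Event]) -> List[str]:
    """Flag a living-off-the-land binary whose parent is an Office application."""
    findings = []
    for e in events:
        if e.kind != "process" or e.parent_image is None:
            continue
        child, parent = _basename(e.image), _basename(e.parent_image)
        if parent in OFFICE_IMAGES and child in LOLBIN_IMAGES:
            findings.append(f"{parent} spawned {child}")
    return findings


def analyze(events: List[Event]) -> Dict[str, List[str]]:
    """Run both checks and return the findings grouped by check."""
    return {"policy": macro_policy_tampering(events), "spawn": office_to_lolbin(events)}


# Constructed sample telemetry: a benign Word launch, two policy writes by Word
# (as the write-up describes), one unrelated Word registry write, Excel
# launching rundll32.exe, and a benign rundll32.exe launched by svchost.exe.
SAMPLE_EVENTS = [
    Event("process", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          parent_image=r"C:\Windows\explorer.exe"),
    Event("registry", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          reg_path=r"HKCU\Software\Microsoft\Office\16.0\Word\Options\SomeOption", reg_data=1),
    Event("registry", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          reg_path=r"HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", reg_data=1),
    Event("registry", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          reg_path=r"HKCU\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM", reg_data=1),
    Event("process", r"C:\Windows\System32\rundll32.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    Event("process", r"C:\Windows\System32\rundll32.exe",
          parent_image=r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for check, hits in analyze(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"[{check}] {hit}")
```

Real telemetry will differ in field names and in how Excel launched via COM is attributed to a parent, so the spawn check should be read as "an Office image is the parent of a LOLBin" rather than a specific winword-to-excel relationship; the policy check is the more reliable signal, because a legitimate user changing macro settings does so through the Trust Center UI, not from inside a Word macro.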

“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload as we discussed in this blog,” the researchers write. “Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads.

Due to security concerns, macros are disabled by default in Microsoft Office applications. We suggest it is safe to enable them only when the document received is from a trusted source.”

New-school security awareness training teaches your employees to follow security best practices.

Story with link to infection chain at KnowBe4 Blog:
[New PhishER Feature] Turn the Tables on the Cybercriminals With PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately ‘flip’ a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature which automatically replaces active phishing threats with a new defanged look-alike back into your users’ mailbox.

The new PhishFlip feature is included in PhishER—yes, you read that right, no extra cost—so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, July 21 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER product including our new PhishFlip feature. With PhishER you can:
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite.
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly.
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat.
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, July 21 @ 2:00 PM (ET)

Save My Spot!
Spear Phishing Campaign Targets Energy Companies

Researchers at Intezer have spotted a phishing campaign that’s targeting energy companies in South Korea, the United States, the United Arab Emirates, and Germany. Most of the targets are located in South Korea.

“The attackers use typosquatted and spoofed emails to launch the attack,” the researchers write. “The campaign spreads via phishing emails tailored to employees at each company being targeted. The contents and sender of the emails are made to look like they are being sent from another company in the relevant industry offering a business partnership or opportunity.

Each email has an attachment, usually an IMG, ISO, or CAB file. These file formats are commonly used by attackers to evade detection from email-based Antivirus scanners. Once the victim opens the attachment and clicks on one of the contained files an information stealer is executed.”

Intezer notes that the attachments pose as PDF files in order to trick the victim into opening the file.

“The emails are formatted to look like valid correspondence between two companies,” the researchers write. “This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments. The emails use social engineering tactics such as making references to executives, using physical addresses, logos and emails of legitimate companies. They also include requests for quotations (RFQ), contracts, and referrals/tenders to real projects related to the business of the targeted company.”

The researchers add that the attackers are familiar with corporate conversations, which adds to their credibility.

“The content of the emails demonstrates that the threat actor is well-versed in business-to-business (B2B) correspondence,” Intezer says. “The recipient email addresses of these emails range from generic email handles such as ‘info@target_company[.]com’ or ‘sales@target_company[.]com’ to specific people within companies. This suggests that for some companies they have likely managed to gather more intelligence during reconnaissance than others.”

New-school security awareness training will train your employees to block targeted social engineering attacks.
Updated Ransomware Simulator Now With 23 Latest Infection Scenarios

As ransomware techniques continue to evolve, two new ransomware strains, DearCry and Black Kingdom, were blamed for the huge Microsoft Exchange server attacks earlier this year, which affected hundreds of thousands of organizations globally. The hackers used these attacks to siphon email and compromise environments.

Whether your organization runs Exchange or receives emails from organizations that use Exchange servers, the risk has just skyrocketed. That’s why we've updated our Ransomware Simulator tool “RanSim” to add another two new ransomware scenarios you can test on your network! These new scenarios simulate ransomware strains like DearCry and Black Kingdom that exploit known ProxyLogon vulnerabilities in Exchange, encrypting copies of attacked files and deleting the originals.

Try KnowBe4’s updated Ransomware Simulator tool and get a quick look at the effectiveness of your existing network protection against the latest threats. RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable to infection.

Here's how RanSim works:
  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 23 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!
This is complimentary and will take you five minutes max. RanSim may give you some insights about your endpoint security you never expected!

Get RanSim!
84% of Organizations Experienced Ransomware and Phishing-Related Security Events in the Last 12 Months

New research from Trend Micro and Osterman Research highlights where organizations are strongest and weakest at stopping phishing attacks resulting in ransomware.

We already know ransomware is a problem. But it’s a two-pronged discussion. Part of the problem is the prevalence and ease of access to very sophisticated ransomware technology. The other part of the problem is how well organizations can stop attacks. New data in Trend Micro’s How to Reduce the Risk of Phishing and Ransomware report exposes where organizations are struggling to stop attacks.

According to the report, the four things organizations are best at when protecting against phishing and ransomware threats are:
  • Protecting endpoints from malware
  • Protecting end users from ransomware
  • Protecting backup integrity
  • Training end users on detecting and addressing phishing/social engineering
Despite these efforts, the report goes on to highlight the percentage of orgs that have experienced 17 different types of security incidents. The top 3 are:
  • A business email compromise attack was successful in tricking at least one lower-level employee within our company (53% of organizations)
  • A phishing message has resulted in a malware infection (49%)
  • A phishing message has resulted in an account compromise (47%)
I can’t help but wonder if the “training” being given to users is truly security awareness training as we here at KnowBe4 define it. Our research has shown that over 30% of employees within an organization generally will fail a phishing test (and, therefore, the real thing).

Many organizations identify annual break room training or monthly email reminders as “awareness training”. But we see it as a continual education of the user, keeping them constantly updated on the latest campaigns, methods, social engineering tactics, and their role in the organization’s security. This is accomplished through continual online Security Awareness Training matched with monthly phishing testing.

According to our research, this combination can reduce the 30+% of employees failing a phishing test down to just 4.7% of employees – a reduction in your organization’s human threat surface of 87%!

I would encourage you to scrutinize how your organization defines Security Awareness Training and take a look at effective ways to train your users to play a part in your organization’s security stance.

Story with links:
Re-Check Your Email Attack Surface Now. (We are always adding new breaches)

Your users are your largest attack surface. Data breaches are getting larger and more frequent. Cybercriminals are getting smarter every year. Add it all up and your organization's risk skyrockets with the amount of your users' credentials that are exposed.

It's time to re-check your email attack surface.

Find out your current email attack surface now with KnowBe4’s Email Exposure Check Pro. EEC Pro identifies your at-risk users by crawling business social media information and now also thousands of breach databases.

EEC Pro leverages one of the largest and most up-to-date breach data sources to help you find even more of your users’ compromised accounts that have been exposed in the most recent data breaches - fast.

Do this complimentary test now!

Get your EEC Pro Report in less than 5 minutes. It’s often an eye-opening discovery. You are probably not going to like the results...

Get Your Report:
New York Department of Financial Services Issues New Guidance to Financial Services Orgs to Counter Ransomware

For obvious reasons, New York is usually early with cyber security regulations for the Financial Industry. What I like about this new guidance is that it recommends social engineering mitigations as the first and primary mitigation to fight ransomware.

Most guides don't. The most recent NIST guide to fight ransomware didn't, as an example. They listed fighting social engineering as number 8 out of 8 recommended mitigations. Anytime I see social engineering mitigations positioned as the first recommended mitigation I consider it a win.

We are starting to see it happen a bit more recently...whether based on our messaging or just people finally recognizing the importance. I like to think we played a part in it.

On a related note, the list of mitigations in that NY Fin Services guide seemed inspired by our Roger Grimes' recent root cause analysis articles and the ransomware webinars he is doing. Here are the seven most important things to mitigate ransomware and prevent weeks of downtime:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Yours Truly in Fast Company: Key concepts in Biden’s Executive Order can improve cybersecurity:

PS: We are happy to announce that KnowBe4 Received 4 ISO Certifications!:

Quotes of the Week
"Always believe in yourself. Do this and no matter where you are, you will have nothing to fear."
- Hayao Miyazaki - Film Director (born 1941)

"There is only one corner of the universe you can be certain of improving, and that's your own self."
- Aldous Huxley - Novelist (1894 - 1963)

Thanks for reading CyberheistNews

Security News
American Rescue Plan Phishbait

Researchers at DomainTools warn that scammers have set up phishing pages designed to steal information from people seeking assistance under the American Rescue Plan Act. The phishing sites ask the user to enter a wealth of personal information, including their Social Security number and a photo of their driver’s license.

“On March 11, 2021, President Joe Biden signed the American Rescue Plan Act into law,” the researchers explain. “The COVID-19 pandemic relief bill was designed to provide $1,400 in immediate relief to working families, emergency paid leave for over 100 million Americans, and expand the child tax credit among a number of other grants and pillars to assist with other budget shortfalls.

Since this act was signed into law, DomainTools researchers have monitored for new registrations of domains that targeted relief recipients. Unfortunately, many relief recipients are unaware that this relief will be automatically assigned to them by the IRS, so scammers are using this as an opportunity to collect social security numbers and driver’s license photographs to use in identity theft.”

The researchers initially identified a single domain, and then tied that domain to dozens of similar phishing sites. “Credential harvesting campaigns continue to be a fruitful way for attackers to gain legitimate legal documents they can then resell or use for more sophisticated behavior,” the researchers conclude.

“When looking for federal aid, those in need the most may not always be fully aware of how that aid is being distributed. In the case of the American Rescue Plan Act that money was coming directly from the IRS, but nonetheless unsuspecting victims could be led into uploading their ID documents to one of these sites.”

The researchers recommend the following for users:
  • “Reporting the site to Google Safe Browsing if you come across one so that it will be blocked as soon as possible on all major browsers.
  • “Reporting the malicious site up to your security team along with the phishing email that came with it as there may be a campaign targeting your employees.
  • “Never upload your documents to a website you are not logged into and particularly not a site claiming to be a federal one without a .gov domain name.”
DomainTools has the story:
Phishbait Follows Current Events.

Crisis draws opportunistic criminals, and the Kaseya ransomware incident is no different. Kaseya’s updates on the incident have included repeated warnings not to be taken in by emails or phone calls purporting to offer news, advice, or patches of the company’s VSA software.

“Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments,” the company posted on Friday, adding: “Spammers may also be making phone calls claiming to be a Kaseya Partner reaching out to help. Kaseya IS NOT having any partners reach out – DO NOT respond to any phone calls claiming to be a Kaseya Partner.

“DO NOT click on any links or download any attachments in emails claiming to be a Kaseya advisory. However, some customers have subscribed to our support site and, at this point, those automated emails may contain links. As precaution, be careful with any links or attachments in any emails.”

Malwarebytes had noted last week that references to the Kaseya incident have begun appearing as phishbait in social engineering schemes, usually emails offering malicious links or attachments. The subjects suggest an offer of advice, warning, or counsel in the matter of the Kaseya exploit.

“Threat actors often use opportunistic themes in their campaigns and we believe this is the case here,” Jerome Segura, Director of Threat Intelligence at Malwarebytes said. “This Kaseya fake update is a Cobalt Strike payload and interestingly hosted on the same IP address used for another campaign pushing Dridex.

In the past we've seen the same threat actor behind Dridex using Cobalt Strike.” Treat emails or phone calls of this kind with the same caution you’d apply to notices of automatic renewals of services you don’t remember signing up for, or appeals for your cooperation from foreign officials (or their widows). New-school security awareness training can help your people develop resistance to these forms of social engineering.

Kaseya’s warnings, and their accompanying updates, may be found here:
What KnowBe4 Customers Say

"My company purchased your product through MattB, a sales rep at KnowBe4. I want you to know our experience has been great, Nicole our account setup rep and Matt have been wonderful. I received your book "A Data Driven Defense", and wanted to say Thank You!

We will be taking your product to our annual summit held by our private equity group owners to present to all of the companies in their portfolio. If there are any additional materials you may have to help me prepare I would be very interested in them. Thank you again for your great Product, People, and Service!"
- S.D., Information Technology Director

"We recently purchased your product for use in our organization. First time users in an organization that supports Public safety and First responders in the Province of British Columbia.

With the business we are in and support, services are critical and time is vital even when it comes to the delivery of information and training. Without proper preparation and deployment, staff would not buy in to it and consider it a waste of time.

Susan was assigned as our Client Success agent. I would like to bring your attention to the fact that she is an excellent representative for your organization and product. Patient and professional with my team, who probably demand more of her time than some other clients. Susan’s demeanor during meetings demonstrates genuine support for us to successfully inform and train our staff. An excellent representative of your company."
- S.R., Manager Policy, Security & Review Services

The 10 Interesting News Items This Week
    1. REvil websites down after governments pressured to take action following Kaseya attack:

    2. This ransomware gang hunts for evidence of crime to pressure victims into paying a ransom:

    3. Interpol urges police to unite against 'potential ransomware pandemic':

    4. Ransomware gangs seek employees with 'people skills' for negotiations:

    5. Colorado's new law further increases need for privacy awareness training:

    6. CISA Launches New Website to Aid Ransomware Defenders:

    7. New Law Will Help Chinese Government Stockpile Zero-Days:

    8. Warning: The FBI Has Issued A Serious Bitcoin And Crypto Alert:

    9. iOS zero-day let SolarWinds hackers compromise fully updated iPhones:

    10. US offers $10 million reward for info on state-sponsored hackers disrupting critical infrastructure:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.
