CyberheistNews Vol 11 #41 [EYE OPENER] Two-Thirds of Organizations Have Been a Target of Ransomware


The latest data reveals ransomware’s pervasiveness throughout every industry, size, and type of organization, confirming its place as the No. 1 cyberthreat today - and a glaring clue why...

We told you last month about Fortinet’s findings where ransomware grew over 1000% between July 2020 and June 2021. This new data from Fortinet’s 2021 Ransomware Survey Report shows just how egregious ransomware attacks are today, and how organizations aren’t making the connection between the cyberattack and their own users. First a bit of data on the state of ransomware attacks:
  • 67% of orgs have been a target of ransomware attacks
  • 16% have been hit three or more times
  • 96% feel at least moderately prepared (despite the % of attacks indicating otherwise)
So, organizations should take a look at why they are being hit so much, right? I don’t think they see what I’m seeing in the rest of the data – take a look:
  • Nearly a third (32%) say there’s a lack of security awareness training
  • 61% have user training – but as part of an incident response plan (after and not before???)
  • 58% of ransomware attacks in North America start with phishing a user
And most importantly:

In the survey’s list of protection and defensive measures essential to secure against ransomware, security awareness training is nowhere to be found.

I can only conclude that some organizations today are not making the connection between their own users playing a part in either helping or stopping ransomware attacks. New-school security awareness training helps you create a proactive security stance designed to stop ransomware attacks that start with phishing as the initial attack vector.

[New PhishER Feature] Turn the Tables on the Cybercriminals With PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately ‘flip’ a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature, which automatically replaces active phishing threats in your users’ mailboxes with a new, defanged look-alike.

The new PhishFlip feature is included in PhishER — yes, you read that right, no extra cost — so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, October 20 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER product including our new PhishFlip feature. With PhishER you can:
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your users’ inboxes.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!
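To show what rule-based prioritization of user-reported messages looks like in practice, here is an added example written for this newsletter; it is not PhishER code and does not describe how PhishER’s own rules work. It sorts constructed reported messages into Clean, Spam or Threat using three simple rules (risky attachment types, credential or payment lures that link to hosts outside a trusted set, and bulk-mail headers from untrusted senders) and orders the queue so threats come first. The trusted domains, the rule thresholds and the sample messages are all assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed environment: the organisation's own domain and senders it trusts.
TRUSTED_DOMAINS = {"corp.example", "payroll-vendor.example"}
# File types that should not arrive unsolicited from outside (assumption).
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
LURE_WORDS = re.compile(r"\b(urgent|verify|password|suspended|invoice|payment)\b", re.IGNORECASE)


@dataclass
class ReportedMail:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)
    has_list_unsubscribe: bool = False  # bulk-mail header present


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def threat_signals(mail: ReportedMail) -> list[str]:
    """Return the reasons a reported message should be treated as a threat."""
    signals: list[str] = []
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in mail.attachments):
        signals.append("risky attachment type")
    hosts = {h.lower() for h in URL_HOST.findall(mail.body)}
    untrusted = hosts - TRUSTED_DOMAINS
    # A lure (password, invoice, urgency) that points outside the trusted set is the classic phish.
    if untrusted and LURE_WORDS.search(mail.subject + " " + mail.body):
        signals.append("credential/payment lure linking to " + ", ".join(sorted(untrusted)))
    return signals


def triage(mail: ReportedMail) -> tuple[str, list[str]]:
    """Classify one reported message as Threat, Spam or Clean, with the rule(s) that fired."""
    signals = threat_signals(mail)
    if signals:
        return "Threat", signals
    if mail.has_list_unsubscribe and sender_domain(mail.sender) not in TRUSTED_DOMAINS:
        return "Spam", ["bulk-mail header from untrusted sender"]
    return "Clean", []


PRIORITY = {"Threat": 0, "Spam": 1, "Clean": 2}


def prioritized_subjects(mails: list[ReportedMail]) -> list[str]:
    """Order the reported-message queue so threats surface first (stable within a category)."""
    return [m.subject for m in sorted(mails, key=lambda m: PRIORITY[triage(m)[0]])]


# Constructed sample of user-reported messages.
SAMPLE = [
    ReportedMail("it-helpdesk@corp-example.support", "Urgent: password expiry",
                 "Your password expires today. Verify at http://corp-example.support/login now."),
    ReportedMail("news@retailer.example", "Weekend sale",
                 "Everything 20% off: http://retailer.example/sale", has_list_unsubscribe=True),
    ReportedMail("hr@corp.example", "Benefits enrollment opens Monday",
                 "Details: https://corp.example/hr/benefits"),
    ReportedMail("accounts@unknown-supplier.example", "Invoice attached",
                 "See attached.", attachments=["invoice_4471.iso"]),
]

if __name__ == "__main__":
    for mail in SAMPLE:
        print(mail.subject, "->", triage(mail))
    print(prioritized_subjects(SAMPLE))
```

The rules are deliberately coarse; in a real deployment each one would be a tunable rule and a Threat verdict would feed the quarantine step rather than end the workflow.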

Date/Time: TOMORROW, Wednesday, October 20 @ 2:00 PM (ET)

Save My Spot!
[HEADS UP] Dutch Government Can Respond to Ransomware Attacks With Armed Forces if Needed

According to a recent article from The Record, Dutch government officials stated that intelligence or military services can be used to counter cyber-attacks. This includes ransomware, which is a major threat to its national security.

Ben Knapen, Dutch Minister of Foreign Affairs, stated the following in the Dutch Parliament: “If a ransomware attack, whether or not with a financial objective, crosses the threshold of a (manifesting) threat to national security, for example due to the failure of critical sectors, then the government also has other resources at its disposal.”

The attack would be investigated and attributed to the specific cybercriminal, and action would be taken against the threat actor and/or threat group.

Knapen also stated that the Netherlands can respond with its Armed Forces if necessary; for example, a counter-attack can be carried out to protect the state. The Netherlands does not respond to all cyber attacks this way, however: the government normally relies on legal channels first.

The Netherlands has not yet faced a ransomware attack large enough to require these measures, but this should be taken as a warning to any ransomware gang thinking of infiltrating: the Dutch state will respond without forewarning.

While this is a great next step in protecting potential victims from a ransomware attack, there are still plenty of attacks that impact private companies. Only new-school security awareness training can build a human firewall and enable your users to report any suspicious activity.

Hacking Multifactor Authentication: An IT Pro’s Lessons Learned After Testing 150 MFA Products

Multifactor Authentication (MFA) can be a highly effective way to safeguard your organization’s data, but that doesn’t mean it’s unhackable. And nobody knows that better than award-winning author and Data-Driven Defense Evangelist at KnowBe4, Roger Grimes. While researching his recent book Hacking Multifactor Authentication, Roger tested over 150 MFA solutions. And he wants to share what he learned with you!

Join Roger as he discusses the good, the bad, and the ugly lessons he learned from his research. He’ll share with you what works, what doesn’t, and what you should absolutely avoid.

In this on-demand webinar you’ll learn about:
  • Differences between various MFA tools and why they matter
  • Real-world hacking techniques Roger used to expose MFA weaknesses
  • What makes MFA software weak or strong and what that means to you
  • Tips on choosing the best MFA software for your company
  • Why a strong human firewall is your best last line of defense
Get the details you need to know to become a better IT security defender.

Watch Now!
[WARNING] Cybercriminals Target Organizations Going Through M&A Activity

The changing of hands of significant amounts of money is enough reason to get the attention of cybercriminals. So, how can organizations prepare for what should be an expected series of attacks?

Despite COVID, there has been little slowdown in mergers and acquisitions activity. The opportunity to change business strategies, purchase struggling businesses, etc. has led to a wave of M&A activity in the last 18 months. But those transactions involve lots of money, which has cybercriminals looking for ways to take advantage of the situation and find a cyberattack strategy that will yield a big payout.

According to global consultancy firm Deloitte’s M&A Trends Survey 2021, the largest concern about executing a deal for over half of organizations (51%) is the threat of cyberattack.

In a recent TechRepublic interview, Jim Crowley, CEO of cybersecurity solutions provider Industrial Defender, discusses why companies undergoing a merger or acquisition are a target. According to Crowley, “If you sold a business to a large company or a private equity firm, they would have a lot more resources to pay up than if you were a smaller stand-alone organization without a strong balance sheet.”

Crowley goes on to discuss how phishing attacks, data breaches targeting intellectual property, and ransomware attacks can all do serious damage during an M&A transaction.

Deloitte recently released some guidance on the role of cybersecurity in M&A which includes cybersecurity protection through solutions, cyber resilience capabilities through backups and disaster recovery initiatives, and cyber vigilance through continual monitoring on the part of IT and security awareness training for employees.

Does Your Domain Have an Evil Twin?

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as “safe” domains for your organization.

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a summary report that ranks the look-alike domains found from highest to lowest attack risk
  • Generate a real-world “domain safety” quiz based on the results for your end users
Domain Doppelgänger helps you find the threat before it is used against you.

Find out now!
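As an added illustration of what a look-alike domain search does (example code written for this newsletter, not KnowBe4’s Domain Doppelgänger tool), the Python below generates the common typosquat-style variants of a domain (character omission, repetition, transposition, homoglyph substitution, rn/m confusion and alternative TLDs), matches them against a constructed list of observed domain registrations, and ranks the hits by edit distance so the closest twins surface first for investigation. The domain examplebank.com, the homoglyph table, the TLD list and the observed registrations are all constructed assumptions.

```python
from __future__ import annotations

# Single-character substitutions that look alike in many fonts (constructed, not exhaustive).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "b": "8"}
# Alternative TLDs a spoofer might register the same label under (assumption).
ALT_TLDS = ("co", "net", "org")


def lookalike_candidates(domain: str) -> set[str]:
    """Generate typosquat-style variants of `domain` (label.tld) for monitoring purposes."""
    label, _, tld = domain.lower().rpartition(".")
    labels: set[str] = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                 # omission:     examplbank
        labels.add(label[:i] + label[i] + label[i:])          # repetition:   exampllebank
        if label[i] in HOMOGLYPHS:                             # homoglyph:    examp1ebank
            labels.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    for i in range(len(label) - 1):                            # transposition: exampelbank
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    labels.add(label.replace("m", "rn"))                       # rn/m confusion: exarnplebank
    labels.add(label.replace("rn", "m"))
    labels.discard(label)                                      # never list the genuine name
    candidates = {f"{lab}.{tld}" for lab in labels}
    candidates |= {f"{label}.{alt}" for alt in ALT_TLDS if alt != tld}
    return candidates


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; smaller means a more convincing twin."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rank_by_risk(domain: str, observed: list[str]) -> list[str]:
    """Return the observed domains that are look-alike candidates, closest (highest risk) first."""
    candidates = lookalike_candidates(domain)
    hits = [d for d in observed if d.lower() in candidates]
    return sorted(hits, key=lambda d: (levenshtein(domain.lower(), d.lower()), d.lower()))


# Constructed sample: domains seen in a newly-registered-domains feed or in proxy logs.
OBSERVED_DOMAINS = [
    "examp1ebank.com",
    "exampelbank.com",
    "examplebank.co",
    "examplebank.com",       # the genuine domain, must not be flagged
    "totallyunrelated.org",
    "exarnplebank.com",
]

if __name__ == "__main__":
    for hit in rank_by_risk("examplebank.com", OBSERVED_DOMAINS):
        print(levenshtein("examplebank.com", hit), hit)
```

In practice the candidate set would be checked daily against WHOIS or certificate-transparency feeds rather than a static list, and a hit would trigger a takedown request and a block on the mail gateway.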
When It Comes to Password Hygiene, Users Say One Thing, but Do Another

With credentials at the forefront of most cyberattacks, the need for strong, unique passwords is at an all-time high. New data, though, shows users know what to do but don’t do it.

We’ve seen how the majority of phishing attacks target credentials, so it becomes increasingly important for those stolen credentials to only provide access to a singular platform/application/etc. But, that only works IF (and it’s a pretty big if!) users utilize unique usernames and passwords for each and every system.

According to LastPass’ Psychology of Passwords report, users are a bit apathetic to the cause of securing the organization with proper password hygiene:
  • 51% of users rely on their memory to keep track of passwords, despite 79% agreeing that compromised passwords are concerning
  • 65% always or mostly still use the same password or a variation, despite 92% admitting that they know using the same password or a variation is a risk
Now add in working remotely – something I’ve written about a number of times as not helping the organization’s security stance – and LastPass shows users aren’t looking out for their organization:
  • 47% have not changed their online security habits since working remotely
  • 46% have not strengthened their passwords while working remotely
  • 44% have shared sensitive information and passwords for professional accounts while working remotely
In short, users are not concerned (or are not made to be concerned) with password security. Security awareness training assists with not just educating users on scams, phishing attacks, social engineering tactics, and the like, but also teaches users why they need to be vigilant, use good password hygiene, and participate in the organization’s security.

This password problem can only be addressed through educating your users.


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: The U.S. Treasury put out a new advisory on potential sanctions risks for facilitating ransomware payments. I'm not sure if you noticed, but cyber security training was the number three recommendation on their recommended mitigation list (behind backups and incident response). We were ahead of AV and patching. That's a big improvement.

Learn more about the risks of ransomware payments:

Quotes of the Week
"The reward of a thing well done is having done it."
- Ralph Waldo Emerson - Poet (1803 - 1882)

"There is nothing so useless as doing efficiently that which should not be done at all."
- Peter Drucker - Management Consultant (1909 - 2005)

Thanks for reading CyberheistNews

Security News
What’s Next for the 3.8 Billion Entries in the Clubhouse-Facebook Database? Plenty of Social Engineering Attacks

What do you get when you add a totally free set of 1.3 billion phone numbers to data from millions of Facebook profiles? A massive dox database of users, now up for sale for $100,000.

The Clubhouse data breach earlier this year, while headline-worthy, resulted in a big nothing where all the phone numbers exfiltrated were simply posted on the Dark Web. But one enterprising hacker combined the Clubhouse data with several of the already famous Facebook breaches, along with other data sources to create a 3.8 billion-strong database of accounts.

It’s been posted up for sale for $100,000 to any and all takers who believe they can do some effective mischief and malice with it.

There are a few ways this data can be used:
  • SMiShing Attacks – if threat actors have your phone number and name, they can use texting to trick you into all kinds of badness: credential attacks, fraud, malware, and more.
  • Account Takeover Attacks – with the Facebook account details and phone number, it’s possible to brute force account logins, or even perform SIM-swapping for accounts using SMS as their 2FA.
  • Social Engineering Attacks – I’ve seen successful attacks with less pertinent or valuable details over the years. Having your current phone number and Facebook logon is easily enough to trick users into giving up their credentials, credit card details, and more.
This latest sale of data raises a major red flag for organizations – with literally billions of users prime for social engineering scams, this data set can easily be used to target executives, those in the Finance department, etc. in an attempt to infect corporate endpoints, install ransomware, etc.

Users should be warned against any kind of notification that is either overtly tied to Facebook or could remotely be associated with their Facebook account. Users that undergo continual security awareness training should already be aware of this potential scam and be vigilant against it.

IBM: "Phishing Is a Popular Criminal Tactic"

Researchers at IBM describe how criminals use phishing kits to launch widespread phishing campaigns with minimal effort. Phishing kits are software products that automate the process of setting up spoofed websites and handling email campaigns.

“The majority of phishing sites we see in our day-to-day analysis originate from phishing kits that are available for purchase on the dark web and are being reused by many different actors,” the researchers write.

“Typical kits are professionally written and can contain thousands of lines of code. They can be configurable based on the campaign and even have proper error reporting. These kits range in price from a few hundred to a few thousand dollars and can be deployed in a matter of minutes. Conversely, malware attacks change all the time, shifting tactics around for all aspects, especially the underlying code.”

The criminals usually buy cheap domains to host their phishing sites, though they can spend more money to gain access to more resilient infrastructure.

“In most of the attacks we observe, phishers register cheap domains for malicious use, host attacks on a compromised domain or a combination of both,” the researchers write. “Some domain registrations are easy to fund, and this does not require exploiting or compromising an existing site.

The downside is that it’s easier to detect and block a standalone malicious site versus an attack hosted on an established legitimate one. Dark web vendors who play in the phishing game sell access to compromised servers, but this option does raise the overall cost of the attack.”

Attackers can also buy lists of target email addresses that have been collected from data breaches and other sources.

“Once the phishing attack is ready, it has to get in front of potential victims,” the researchers write. “To send it out to the right audience, phishers can either contract an underground service that specializes in spamming, or they can go ahead and buy their own target lists. Target lists can be specific to a region or a language and can help attackers get into inboxes of webmail providers and company emails alike.

Depending on the viability of the data and its contents, email lists can go for $50 to $500. The price is offset by the reuse of the same list for other attacks or reselling it to other criminals.”

SecurityIntelligence has the story:
NIST on Phishing Awareness

People need to be conscious of the fact that anyone can fall for social engineering tactics, according to Shaneé Dawkins at NIST, the US National Institute of Standards and Technology. Dawkins explains that lower-level employees shouldn’t be complacent because they assume they won’t be targeted. Attackers can use access to any account as a launching pad for further attacks within an organization.

“Attackers can reach you through different avenues, including email or text message,” Dawkins writes. “Anyone can be phished – Phish can be sent to your work email address or personal email address. You may think you do not have access to anything worth stealing, but all of us are targets, not just upper management.

Anyone can be an entry point to infect and expose a larger organization. Anything can be spoofed – the sender’s email address, the content of the message, URLs, logos, everything!”

Dawkins stresses that people need to have the humility to understand that they are susceptible to social engineering attacks. While a person may see some scams as obvious, there are most likely additional phishing tactics that they’re unaware of.

“Being Cyber Smart means having the awareness that anyone can be phished, and being on guard to protect yourself and your organization against phishing threats,” Dawkins writes. “When you receive an email, pause a moment to process the message and its content.

Being Cyber Smart is not falling for common tactics – such as limited time offers or offers too good to be true – used by attackers to elicit a rash judgment under pressure, compelling you to click a fraudulent link or download a malicious attachment. Being Cyber Smart when it comes to phishing attacks is to stop and think about an email’s sender and the message’s content before you click.”

NIST has the story:
What KnowBe4 Customers Say

"Yes, we are very happy with your platform! We're about halfway through our first real campaign and so far, the results have been better than we anticipated. Our baseline campaign had a 60% click-rate, so I was terrified, but so far the click-rate is only 6% and we're halfway through. The feedback from my staff has been very positive. We appreciate our new partnership!"
- D.T., IT Manager

"Hi Stu, thanks for reaching out. I am getting good results. The system is showing me which employees are at a higher risk of making mistakes and that helps us focus on our weak areas in our human firewall. This is my second time around and the improvements you have made are noticeable. Having Sillena as my Customer Success Manager is a big plus. She is very easy to talk to and very thorough when explaining how to use and set up phishing campaigns and training. Thanks again!"
- M.J., IT Manager
The 10 Interesting News Items This Week
    1. Google Is Tracking 270 State-Sponsored Hacker Groups From Over 50 Countries:
    2. U.S. Convenes International Summit on Ransomware. Russian government wasn’t invited:
    3. Why the West has itself to blame for Russian corruption:
    4. Google analyzed 80 million ransomware samples. Here's what it found:
    5. Account takeover named top fraud risk for businesses:
    6. Australia to tackle ransomware data breaches by deleting stolen files:
    7. This is how Formula 1 teams fight off cyberattacks:
    8. How Security Teams Can Reinforce End-User Awareness:
    9. US government discloses more ransomware attacks on water plants:
    10. Workers unwilling to shoulder responsibility for cybersecurity:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.
