CyberheistNews Vol 11 #42 [EYE OPENER] Why Security Awareness Testing Alone Isn't Enough

Here is a story from one of our customers who wants to help other organizations like you strengthen their cybersecurity practices. Find out about the important lessons they learned when they suffered a ransomware attack, and what they did to bolster their security awareness training program to better defend against today's cyber threats.

Sky Lakes Medical Center is a not-for-profit, community-owned, internationally accredited acute-care teaching hospital. Sky Lakes serves more than 80,000 people in Klamath and Lake counties in south-central Oregon and northern California. As the only hospital in a 10,000 square-mile area, it’s a critical asset to the communities it serves.

With cyberattacks on healthcare institutions increasing, Sky Lakes’ experience is also an important reminder of the need for a combined approach to employee cybersecurity awareness testing and training. Because of the great responsibility of delivering patient care in these communities, Sky Lakes knew that creating an effective security awareness program meant offering security awareness testing and training on a continuous basis.

The medical center had put regular testing programs in place but had yet to implement security awareness training that would help employees spot the red flags of social engineering attempts.

Risks Increase, Security Awareness Training Is a Must

Hospitals have for several years contended with ransomware attacks that exploit the fact that taking systems offline puts patient health at risk, which places tremendous pressure on healthcare administrators and security teams. The Association of American Medical Colleges reports that 1 in 3 healthcare organizations worldwide were hit with ransomware in 2020, and COVID-19 related attacks are driving the numbers even higher. HealthITSecurity has reported a 45% increase in cyberattacks against healthcare entities since November 2020.

Sam Stewart, network systems analyst at Sky Lakes Medical Center, took over management of the organization’s KnowBe4 deployment in late 2019. By early 2020 he had the system automated to serve phishing security tests to employees on a regular basis. At the time, however, employees were not being offered KnowBe4’s security awareness training, which provides deep knowledge about threats, how they are evolving, and topical examples of just how tricky they can be to identify.

Ryuk Ransomware Hits

In October 2020, a Sky Lakes employee opened an email from a personal account, clicked a link to Google Drive and downloaded a file they believed was related to the company bonus program. It was in fact a malicious file sent by the Ryuk ransomware operators.

[CONTINUED:]
https://blog.knowbe4.com/why-security-awareness-testing-alone-isnt-enough
[Live Demo] Ridiculously Easy Security Awareness Training And Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, November 3 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, November 3 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3458435/95D6D7245C6AC6CD8D15B37583BEE915?partnerref=CHN
New Impersonation Attack Demonstrates That Threat Actors Don’t Need To Get the Logo Correct

A new trend in social engineering and impersonation emerges as cybercriminals take advantage of a user’s inability to properly identify fake corporate logos in phishing attacks.

We’ve all seen the really bad impersonation phishing attempts, the ones where you can tell immediately that the email is not from the vendor it claims to be from. And then there are the really good ones that look perfect. Most impersonation phishing, good or bad, depends on displaying graphics: the copied logo and branding have to render for the lure to work, which is why remote images that a mail client blocks by default, or that a filter can inspect, are a weak point for the attacker.

But security researchers at anti-phishing vendor Inky have spotted an attack in which scammers impersonating Verizon draw the “check” portion of the logo with text symbols, so the whole “logo” renders from characters alone, with no images to download. That sidesteps image blocking in the recipient’s mail client, and it gives image-based brand-detection filters nothing to match on.

You may think, “come on… that doesn’t even look like the Verizon logo at all!” and you’d be right. But recent branding research into how accurately consumers remember corporate logos shows that most people recall a logo well enough to recognize it without knowing exactly what it looks like. Across ten of the best-known brands, at best 30% of people could draw a near-perfect version of a logo; the average was only 16.6%.

This means it is far more likely than you would think that some rendition of a logo, however rough, is enough to convince the recipient that the message comes from the company being impersonated.

Users who undergo security awareness training are far less likely to fall for phishing attacks, regardless of how spot-on the impersonation is. By reinforcing the need to scrutinize unsolicited and unexpected emails for sender details, content, type of request, and, yes, branding, it is possible to spot nearly every phish a mile away.

Blog post with screenshot and links:
https://blog.knowbe4.com/new-impersonation-attack-demonstrates-that-threat-actors-dont-need-to-get-the-logo-correct
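As an added illustration (this is example code written for this issue, not Inky's tooling and not anything taken from the campaign write-up), the following Python scans an email body for brand names that are rendered from characters rather than shipped as an image. For its constructed samples it assumes the spoofed logo uses the Unicode check mark U+2713; the exact characters in the observed Verizon lure are in Inky's post. It goes one step beyond the article by also catching a brand name spelled with a non-ASCII lookalike letter, the other common way to show a recognizable brand without its real assets. The brand list and the sample messages are constructed for the example.

```python
import re
import unicodedata
from dataclasses import dataclass

# Brand names to watch for. Constructed list for this example; a real
# deployment would load the organisation's own vendor and partner list.
WATCHED_BRANDS = ("verizon", "microsoft", "paypal")

# Unicode general categories that never occur in a plain brand name but are
# cheap building blocks for a "logo" drawn from characters: other symbols and
# dingbats (So), maths symbols (Sm), currency (Sc), modifier symbols (Sk).
SYMBOL_CATEGORIES = {"So", "Sm", "Sc", "Sk"}

IMG_TAG = re.compile(r"<img\b", re.IGNORECASE)
ANY_TAG = re.compile(r"<[^>]+>")


@dataclass
class Finding:
    brand: str
    symbols: list            # symbol code points found next to the brand
    non_ascii_letters: list  # lookalike letters found inside the brand itself
    has_images: bool         # did the message carry any <img> at all?


def _visible_text(html: str) -> str:
    """Drop markup and collapse whitespace so adjacency is measured on what
    the recipient actually sees, then case-fold and NFKC-normalise so a
    fullwidth or uppercase rendering still matches the brand name."""
    text = ANY_TAG.sub("", html)
    text = re.sub(r"\s+", " ", text)
    return unicodedata.normalize("NFKC", text).casefold()


def _brand_pattern(brand: str) -> re.Pattern:
    """Regex for the brand in which every letter may instead be any non-ASCII
    letter, so a homoglyph (Cyrillic 'і' for Latin 'i') still lines up."""
    alt = "[^\\W\\d_\\x00-\\x7f]"  # a Unicode letter that is not ASCII
    return re.compile("".join(f"(?:{re.escape(ch)}|{alt})" for ch in brand))


def _codepoints(chars) -> list:
    """Stable, de-duplicated U+XXXX labels for reporting."""
    return list(dict.fromkeys(f"U+{ord(c):04X}" for c in chars))


def find_text_rendered_logos(body: str, brands=WATCHED_BRANDS, window=8) -> list:
    """Return a Finding for each brand mention that is drawn from characters
    rather than shipped as an image: symbol characters within `window`
    characters of the brand, or non-ASCII letters inside the brand token."""
    has_images = bool(IMG_TAG.search(body))
    text = _visible_text(body)
    findings = []
    for brand in brands:
        for m in _brand_pattern(brand).finditer(text):
            before = text[max(0, m.start() - window):m.start()]
            after = text[m.end():m.end() + window]
            symbols = [c for c in before + after
                       if unicodedata.category(c) in SYMBOL_CATEGORIES]
            lookalikes = [c for c in m.group(0) if ord(c) > 0x7F]
            if symbols or lookalikes:
                findings.append(Finding(brand, _codepoints(symbols),
                                        _codepoints(lookalikes), has_images))
    return findings


# Constructed sample messages, not taken from any real campaign.
SAMPLE_MESSAGES = {
    # Genuine-looking mail: the logo is an image, the brand name is plain text.
    "image_logo": (
        '<img src="https://mail.example.invalid/logo.png" alt="logo">'
        "<p>Thank you for choosing Verizon. Your statement is ready.</p>"
    ),
    # Logo drawn from text: brand name followed by a coloured check mark.
    "symbol_logo": (
        '<p style="font-size:28px">verizon<span style="color:#c00">\u2713</span></p>'
        "<p>Your account has been suspended. Sign in to restore service.</p>"
    ),
    # Brand spelled with a Cyrillic lookalike letter (U+0456) in place of 'i'.
    "homoglyph_brand": "<p>Ver\u0456zon Wireless: your payment failed, update your card.</p>",
}


def scan_messages(messages=SAMPLE_MESSAGES) -> dict:
    """Run the detector over a batch of messages, keyed by message name."""
    return {name: find_text_rendered_logos(body) for name, body in messages.items()}


if __name__ == "__main__":
    for name, findings in scan_messages().items():
        print(name, "->", findings or "no text-rendered brand found")
```

Treat a hit as a triage signal rather than a verdict: legitimate plain-text mail can carry a stray symbol next to a brand name, so feed the finding (brand, code points, and whether the message carried any images at all) into the same queue as other phishing-report indicators rather than quarantining on it alone.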
See How You Can Get Audits Done In Half The Time, Half The Cost And Half The Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, November 3 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due
Date/Time: Wednesday, November 3 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3458400/7DC7CFBF986BD90F7C33AEC21D31C613?partnerref=CHN
Deepfake Technology Is Cloning a Voice From the C-Suite

Criminals used deepfake technology to steal $35 million from a company in the United Arab Emirates, Forbes reports. The attackers used “deep voice” technology to spoof the voice of a company’s director in order to trick a bank manager into transferring the money to the criminals’ bank accounts.

“In early 2020, a bank manager in the United Arab Emirates received a call from a man whose voice he recognized—a director at a company with whom he’d spoken before,” Forbes writes. “The director had good news: His company was about to make an acquisition, so he needed the bank to authorize some transfers to the tune of $35 million.

A lawyer named Martin Zelner had been hired to coordinate the procedures and the bank manager could see in his inbox emails from the director and Zelner, confirming what money needed to move where. The bank manager, believing everything appeared legitimate, began making the transfers.”

Jake Moore from ESET told Forbes that people need to be prepared to see more of these types of attacks as the technology becomes easier to use.

“Audio and visual deep fakes represent the fascinating development of 21st century technology yet they are also potentially incredibly dangerous posing a huge threat to data, money and businesses,” Moore said. “We are currently on the cusp of malicious actors shifting expertise and resources into using the latest technology to manipulate people who are innocently unaware of the realms of deep fake technology and even their existence.

Manipulating audio, which is easier to orchestrate than making deep fake videos, is only going to increase in volume and without the education and awareness of this new type of attack vector, along with better authentication methods, more businesses are likely to fall victim to very convincing conversations.”

New-school security awareness training enables your employees to thwart sophisticated social engineering attacks like this. Training is only half of the defense, though: a cloned voice on an inbound call, backed by emails that appear to confirm the request, is exactly what this scheme relies on, so large transfers and changes to payment instructions should also require verification over a second, independently established channel, such as a callback to a number already on file or a pre-agreed approval workflow that a single phone call cannot short-circuit.

Forbes has the story:
https://www.forbes.com/sites/thomasbrewster/2021/10/14/huge-bank-fraud-uses-deep-fake-voice-tech-to-steal-millions/
10 Incredible Ways You Can Be Hacked Through Email & How To Stop the Cybercriminals

Email is still a top attack vector that cybercriminals use. A majority of data breaches are caused by attacks on the human layer, but email hacking is much more than phishing and launching malware!

In this on-demand webinar, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and security expert with over 30 years of experience, explores 10 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run.

Plus, he'll share a (pre-filmed) hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick.

Roger will teach you:
  • How silent malware launches, remote password hash capture and rogue rules work
  • Why rogue documents, establishing fake relationships and getting you to compromise your ethics are so effective
  • Details behind clickjacking and web beacons
  • Actionable steps on how to defend against them all
If all you were worried about were phishing attempts, think again!

Watch the Webinar Now!
https://info.knowbe4.com/webinar-10-ways-hacked-email-chn
Gartner: 'Top Predictions For IT Organizations and Users for 2022 and Beyond'

I found their prediction No. 7 interesting: "By 2024 a cyberattack will so damage critical infrastructure that a member of the G20 will reciprocate with a declared physical attack." Gartner's Daryl Plummer says it is possible that a cyberattack has already led to a kinetic strike, just not on a large scale.

Cyberattacks are increasing, and the impact of each attack is growing, he notes. Critical infrastructure is often targeted, and such attacks are treated as terrorism rather than crime. CIOs must invest in OT (operational technology) system redundancies.

Organizations must also increase information sharing -- from country to country and from company to company. In addition, organizations need to maintain enterprise-level cybersecurity.

Story at Informationweek:
https://www.informationweek.com/executive-insights-and-innovation/gartner-top-predictions-for-it-organizations-and-users-for-2022-and-beyond

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: We Are Official Guinness World Records Holders!
https://blog.knowbe4.com/we-are-official-guinness-world-records-holders

Quotes of the Week
"Nine tenths of education is encouragement."
- Anatole France - Novelist (1844 - 1924)


"He who does not punish evil commands it to be done."
- Leonardo da Vinci (1452 - 1519)

Thanks for reading CyberheistNews

Security News
Iranian Phishing Campaigns Are Running Rampant

Researchers at Google’s Threat Analysis Group (TAG) are tracking phishing campaigns by the Iranian threat actor APT35 (also known as Charming Kitten). The attackers used compromised websites to harvest users’ credentials.

“In early 2021, APT35 compromised a website affiliated with a UK university to host a phishing kit,” the researchers write. “Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo.

Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices. APT35 has relied on this technique since 2017 — targeting high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security.

Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it's difficult for users to detect this kind of attack.” Google notes that the attackers also posed as conference officials to target people interested in events held in Munich and Italy.

“One of the most notable characteristics of APT35 is their impersonation of conference officials to conduct phishing attacks,” the researchers write. “Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond.

When they did, attackers sent them phishing links in follow-on correspondence. Targets typically had to navigate through at least one redirect before landing on a phishing domain. Link shorteners and click trackers are heavily used for this purpose, and are oftentimes embedded within PDF files.

We’ve disrupted attacks using Google Drive, App Scripts, and Sites pages in these campaigns as APT35 tries to get around our defenses. Services from Dropbox and Microsoft are also abused.”

New-school security awareness training enables your employees to thwart both criminal and state-sponsored social engineering attacks. One caveat on this campaign: because the kit captures the second-factor code along with the password, a one-time code from SMS or an authenticator app does not by itself stop it. Phishing-resistant authenticators such as FIDO2 security keys, which are bound to the legitimate site's origin and so cannot be replayed from a lookalike site, do.

Google’s Threat Analysis Group has the story:
https://blog.google/threat-analysis-group/countering-threats-iran/
1 in 3 IT Organizations Have No Cyberattack Incident Response Plan

Despite increases in ransomware attacks, ransom amounts and how often payments are made, new data shows organizations aren’t responding in kind and putting response plans in place.

As expected, we’re continuing to see data corroborating the rise in ransomware attacks this year; according to GetApp’s 2021 Data Security Report, ransomware attacks have increased 25% over last year. And yet the report found that 33% of organizations have no incident response plan, and 23% have no process in place for reporting a cyberattack.

While I’m glad to see that a majority of organizations believe themselves to be somewhat ready, the GetApp data digs a bit deeper to help determine why the increases in ransomware attacks are occurring.

According to the report:
  • The percentage of users clicking links in phishing emails has risen nearly 14% over last year while the percentage of orgs experiencing phishing attacks remained relatively flat
  • 60% of users admit to reusing the same password for multiple accounts
  • Those admitting to reusing passwords were 7x more likely to experience a ransomware attack, 3x more likely to experience account takeover, and 3.1x more likely to click on a phishing link
In short, it’s your users that are the problem. These users a) don’t know how to spot a phishing email, b) aren’t concerned about their role in the organization’s cybersecurity posture, or c) both. The only way to truly counteract this user ignorance and apathy is to enroll them in online security awareness training.

Blog post with links:
https://blog.knowbe4.com/1-in-3-it-organizations-have-no-cyberattack-incident-response-plan
What KnowBe4 Customers Say

"Hello Stu, too many companies take security awareness training for granted, and using the KnowBe4 platform has allowed us to implement a solid educational foundation and strategy to train our users and make sure we have a strong human firewall.

Here is what I have been impressed with:
  • The phishing campaigns use current phishing emails and techniques, just like the bad guys
  • The training campaigns can be filled with lots of quality content from the mod store that will significantly boost cybersecurity awareness among our employees and help them protect the company
  • Historic and current KPIs to help us understand our overall and individual risk postures which helps us identify where our weakest links are
  • PhishER has allowed our employees to join the war against cyber criminals and allowed us to be more proactive in protecting our users from email threats
  • Well-respected members of the hacking community on your team like Kevin Mitnick, Roger Grimes, Perry Carpenter, and others that I have yet to be introduced to
  • Lots of highly informational on-demand and live security awareness training webinars to choose from
Thank you for reaching out personally."
- C.R., Sr. Network Manager of Technology Innovation
The 10 Interesting News Items This Week
    1. Multiple Governments turn tables on ransomware gang REvil by pushing it offline:
      https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/

    2. How social engineering contributes to successful ransomware attacks:
      https://www.itproportal.com/features/how-social-engineering-contributes-to-successful-ransomware-attacks/

    3. U.S. Government set to ban sale of hacking tools to China and Russia:
      https://therecord.media/u-s-government-set-to-ban-sale-of-hacking-tools-to-china-and-russia/

    4. The White House's Plan to Stop Government Employees From Getting Phished:
      https://www.vice.com/en/article/93yemz/white-house-omb-phishing-plan

    5. FBI warns of fake govt sites used to steal financial, personal data:
      https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-govt-sites-used-to-steal-financial-personal-data/

    6. Russian-speaking cybercrime evolution: What changed from 2016 to 2021. 10 minute read:
      https://securelist.com/russian-speaking-cybercrime-evolution-2016-2021/104656/

    7. Nixon's unheard moon-disaster speech is now a warning about the deepfake future:
      https://www.zdnet.com/article/nixons-grim-moon-disaster-speech-is-a-now-a-warning-about-the-deepfake-future

    8. Ironscales: "Email Phishing is Biggest Security Threat To Businesses, According to IT Professionals":
      https://ironscales.com/blog/ironscales-releases-findings-from-state-of-cybersecurity-survey/

    9. One in 10 users click phishing links on mobile platforms:
      https://betanews.com/2021/10/21/users-click-phishing-links-on-mobile-platforms/

    10. FIN7 tries to trick pentesters into launching ransomware attacks:
      https://www.bleepingcomputer.com/news/security/fin7-tries-to-trick-pentesters-into-launching-ransomware-attacks/

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.