CyberheistNews Vol 12 #04 [FBI HEADS UP] US Defense Industry Targeted with New USB-Based Ransomware Attacks






CyberheistNews Vol 12 #04
[FBI HEADS UP] US Defense Industry Targeted with New USB-Based Ransomware Attacks

The FBI recently released a notice about cybercriminal group FIN7, according to a Bleeping Computer article, warning defense contractors to be wary of USB drives being sent through the mail. According to the notice, FIN7 is impersonating Amazon and the Department of Health & Human Services (depending on the target victim) in an effort to get them to plug in the USB drive.

The USB drives are "Bauds" or "Bad Beetle USB" devices with the Lily GO logo, and are commonly available for sale on the Internet. The drives register with the victim computer as a keyboard and include a wealth of hacker tools, including Metasploit, Cobalt Strike, Carbamic malware, the Griffon backdoor, and PowerShell scripts.

The goal of these drives is to infect networks with either BlackMatter or REvil ransomware.

This is a real-world form of targeted attack that uses the same social engineering we commonly see in phishing attacks. Users that undergo continual security awareness training are already aware they should not be plugging in unknown USB drives – especially those sent unsolicited.

These attacks could just as easily be turned into an access for sale attack, given the amount of control hackers have over the compromised endpoint. Be on guard.

Blog post with links:
https://blog.knowbe4.com/fbi-us-defense-industry-organizations-targeted-with-usb-based-ransomware-attacks
[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature, which automatically replaces active phishing threats with a new defanged look-alike back into your users’ mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.'

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, January 26 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER product including our new PhishFlip feature. With PhishER you can:
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, January 26 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3576188/FA09F0A5C2F096098B9041A69E43FDB8?partnerref=CHN2
In Order to Have Good Security Culture, Behavior Comes First

In our efforts to raise awareness among users of the importance of cybersecurity and the part they have to play in it, we sometimes go about things in a long-winded manner. Many times, organizations spend a long time trying to convince people why they should take security seriously. They will come up with elaborate explanations as to why reusing passwords is a bad idea, or how the Wi-Fi in their favorite coffee shop could lead to their demise, or how minting NFTs will cause the world economy to collapse.

This does work in many cases. You inform someone of the underlying reasons and the broad impact of their actions > they understand and change their behaviors accordingly > this leads to better security and everyone lives happily ever after.

But this approach does not work on everyone, and is not the most effective in all scenarios.

So what do we do?

We start with the behavior.

Consider the introduction of recycling bins. Yes, they are for the good of the environment, to prevent the ice caps from melting and to save polar bears. But is that what everyone is thinking about when they sort out their rubbish? In many cases, that is not the case. The fact that packaging usually mentions whether it can be recycled, and the provision of recycling bins next to general waste bins, makes it an easy and almost seamless behavior to adopt.

Some people may not even be aware that recycling can potentially benefit the environment. But they will justify their doing so in their minds.

Give people a reason and they may not supply the behavior. But give people a behavior, and they will have no problem supplying the reasons themselves.

This is where building a strong security culture within an organization can have massive benefits, like when people observe most of their colleagues behaving in a certain way. For example, they see everyone wearing their pass at all times and locking their workstations when away from it – they will adopt those behaviors too.

Will they understand all of the reasons? Probably not. But as long as they adopt the right behaviors, that goes a long way in reducing risk, which is ultimately what we want.

Behavior comes first – attitude changes to keep up. Blog post with links:
https://blog.knowbe4.com/in-order-to-have-good-security-culture-behaviour-comes-first
Implement DMARC the Right Way to Keep Phishing Attacks Out of Your Inbox

DMARC, SPF, and DKIM are global anti-domain-spoofing standards, which can significantly cut down on phishing attacks. Implemented correctly they allow you to monitor email traffic, quarantine suspicious emails, and reject unauthorized emails. But less than 30% of organizations are actually using them. And even fewer are using them correctly.

In this on-demand webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will teach you how to enable DMARC, SPF, DKIM the right way. You’ll also discover six reasons why phishing still might get through to your inbox and what you can do to maximize your defenses.

You’ll learn:
  • How to enable DMARC, SPF, and DKIM
  • How to best configure DMARC and other defenses to prevent phishing attacks
  • What common configuration mistakes organizations make
  • Why a strong human firewall is your best last line of defense
Get the details you need to know now to protect your organization from phishing and social engineering attacks.

Watch the Webinar Now!
https://info.knowbe4.com/implementing-dmarc-chn
[INFOGRAPHIC] KnowBe4's Top-Clicked Phishing Email Results for Q4 2021 Compare the U.S. and EU+

KnowBe4's latest quarterly report on top-clicked phishing email subjects is here. We analyze the top categories, general subjects (in both the United States and Europe, Middle East and Africa), and "in the wild" attacks.

Business, Online Services, and HR-Related Messages Get the Most Clicks

Business phishing emails remain the highest-clicked category around the world. This category contains typical communication that employees might receive. The subjects of these emails include fake invoices, purchase orders, requests for information, shared files, and more. Online Services includes messages that claim to be from well-known companies and most of the time contain spoofed domains of popular websites within the email copy. HR-related messages could potentially affect daily work and spoof the users' own domain with an “HR” mailbox name. The common thread is that the emails convey a sense of urgency and entice users to take an action.

Behavioral Differences Between the U.S. and EMEA

“When comparing the results from the U.S. phishing emails to those in Europe, the Middle East and Africa (EMEA), email subjects in the U.S. appear to originate from the users’ organizations and are focused on security alerts related to passwords and internal company policy changes,” said Stu Sjouwerman, CEO, KnowBe4. “However, in EMEA, the top subjects are related to users’ everyday tasks and the subject lines appear to be more personalized to entice the user to click. As expected, we did see some phishing email subjects related to the holidays, especially holiday shopping in particular. Employees should remain ever vigilant when it comes to suspicious email messages in their inboxes because just one wrong click can wreak havoc for an organization.”

See the Full Infographic with Top Messages in Each Category for Last Quarter at our blog:
https://blog.knowbe4.com/q4-2021-top-clicked-phishing-results-compare-us-emea
Does Your Domain Have an Evil Twin?

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as “safe” domains for your organization.

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a summary report that identifies the highest to lowest risk attack potentials
  • Generate a real-world “domain safety” quiz based on the results for your end users
Domain Doppelgänger helps you find the threat before it is used against you.

Find out now!
https://info.knowbe4.com/domain-doppelganger-chn


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.


PS: KnowBe4 Named a 2021 Gartner Peer Insights™ Customers’ Choice for Security Awareness Computer-Based Training:
https://blog.knowbe4.com/knowbe4-named-a-2021-gartner-peer-insights-customers-choice-for-security-awareness-computer-based-training

Quotes of the Week
"Silence is one of the great arts of conversation."
- Marcus Tullius Cicero - Orator and Statesman (106 - 43 BC)


"Brevity is a great charm of eloquence."
- Marcus Tullius Cicero - Orator and Statesman (106 - 43 BC)



Thanks for reading CyberheistNews

Security News
A Cyberespionage Group Uses Social Engineering

A sophisticated China-aligned threat actor is using social engineering to carry out cyberespionage and financially motivated attacks, according to researchers at Trend Micro.
“Since mid-2021, we have been investigating a rather elusive threat actor called Earth Lucca that targets organizations globally via a campaign that uses traditional social engineering techniques such as spear phishing and watering holes,” the researchers write. “The group’s primary motivation seems to be cyberespionage: the list of its victims includes high value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 research organizations, and the media, among others.

However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies.”

The threat actor used spear phishing, watering-hole sites, and website vulnerabilities to compromise its victims.

“The group has three primary attack vectors, two of which involve social engineering,” the researchers write. “The social engineering techniques can be broken down into spear phishing emails and watering hole websites. Our telemetry data shows Earth Lucca sending spear phishing emails containing malicious links to one of their targets — a media company. These links contain files that are disguised either as documents that would be of interest to the potential target, or as opinion forms allegedly coming from another media organization. The user eventually downloads an archive file containing either a malicious LNK file or an executable — eventually leading to a Cobalt Strike loader.”
The threat actor used watering-hole sites to target victims who are interested in certain topics.

“In addition to spear phishing emails, Earth Lucca also made use of watering hole websites — they either compromised websites of their targets or set up fake web pages copied from legitimate websites and then injected malicious JavaScript code inside them,” Trend Micro says. “These links to these websites are then sent to their victims (although we were not able to definitively pinpoint how this was done).”
New-school security awareness training can enable your employees to avoid falling for targeted social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/a-cyberespionage-group-uses-social-engineering
North Korean Cryptocurrency Theft Relies on Social Engineering

A North Korean threat actor being called “BlueNoroff,” a subunit of Pyongyang’s Lazarus Group, has been targeting cryptocurrency startups with financially motivated attacks, researchers at Kaspersky have found. The campaign, “SnatchCrypto,” is using malicious documents to gain access to internal communications, then using social engineering to manipulate employees.

“If there’s one thing BlueNoroff has been very good at, it’s the abuse of trust,” Kaspersky says. “Be it an internal bank server communicating with SWIFT'S infrastructure to issue fraudulent transactions, cryptocurrency exchange software installing an update with a backdoor to compromise its own user, or other means.

Throughout its SnatchCrypto campaign, BlueNoroff abused trust in business communications: both internal chats between colleagues and interaction with external entities.”

This campaign is targeting small- to medium-sized cryptocurrency companies, as the attackers know that these companies often lack the resources to defend against sophisticated attacks.

“According to our research this year, we have seen BlueNoroff operators stalking and studying successful cryptocurrency startups,” the researchers write. “The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. This lets them mount high-quality social engineering attacks that look like totally normal interactions.

A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion. BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time.”

Seongsu Park, a senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), said that companies of all sizes need to be aware of these types of attacks.

“As attackers continuously come up with a lot of new ways to trick and abuse, even small businesses should educate their employees on basic cybersecurity practices,” Seongsu Park said. “It is especially essential if the company works with crypto wallets.

There is nothing wrong with using cryptocurrency services and extensions, but note that it is also an attractive target for APT and cybercriminals alike. Therefore, this sector needs to be well protected.”

Kaspersky has the story:
https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/
What KnowBe4 Customers Say

"Hello Stu, Thank you so very much for reaching out! Yes, the training and phishing service are definitely getting good results for us. I am really appreciating having a place that helps manage and track training and phishing campaigns all in one place, and the fact that I can lose the spreadsheet!

The staff are also enjoying the different format, and the ability to do the training on their own time as opposed to a scheduled meeting.

Also want to say how much I appreciate the support from Grace. She has been an absolute star at getting us up and running!"
- T.B. Privacy Officer


The 10 Interesting News Items This Week
    1. Attackers use public cloud providers to spread RATs:
      https://www.csoonline.com/article/3648038/attackers-use-public-cloud-providers-to-spread-rats.html

    2. 40 Billion User Records Exposed Globally in 2021:
      https://cisomag.eccouncil.org/40-billion-user-records-exposed-globally-in-2021/

    3. Indonesia's central bank confirms ransomware attack, Conti leaks data:
      https://www.reuters.com/world/asia-pacific/indonesia-cbank-attacked-by-ransomware-says-no-impact-services-2022-01-20/

    4. FSB detains administrator of UniCC carding forum:
      https://therecord.media/fsb-detains-administrator-of-unicc-carding-forum/

    5. A month in the life of a UK social engineer - part three:
      https://www.bleepingcomputer.com/news/security/new-white-rabbit-ransomware-linked-to-fin8-hacking-group/

    6. How to Build a Security Awareness Training Program:
      https://securityboulevard.com/2022/01/how-to-build-a-security-awareness-training-program/

    7. Cyberspace in multi-domain operations: the case of Ukraine:
      https://thecyberwire.com/stories/535a78cbd34d4a489159c318cc6d694f/cyberspace-in-multi-domain-operations-the-case-of-ukraine

    8. Cyber incidents tops the Allianz Risk Barometer for businesses, followed by business interruption:
      https://www.sme10x.com/technology/cyber-incidents-tops-the-allianz-risk-barometer-for-businesses-followed-by-business-interruption

    9. New Requirements in the Wake of Omicron have led to Increased Dark Market Activity Around Fake Covid Certificates:
      https://blog.checkpoint.com/2022/01/14/new-requirements-in-the-wake-of-omicron-have-led-to-increased/

    10. CISA urges US orgs to prepare for data-wiping cyberattacks:
      https://www.bleepingcomputer.com/news/security/cisa-urges-us-orgs-to-prepare-for-data-wiping-cyberattacks/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2022 KnowBe4, Inc. All rights reserved.



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews