CyberheistNews Vol 12 #09 | Mar. 1st, 2022
[Heads Up] The Ukraine War Started A New Wiper Malware Spillover Risk
The war in Ukraine increases the risk of wiper malware spilling over. I'm sure you remember NotPetya, which caused billions of dollars in downtime damage. The WSJ reports that Symantec observed wiper malware being put in motion just hours before Russian tanks arrived in Ukraine.
The WSJ said: "The wiper malware—this version is being called HermeticWiper by researchers—could mark an escalation in cyberattacks against various Ukrainian targets, security experts said. Websites of government agencies and banks were disrupted on Wednesday, and on Thursday, that of the Kyiv Post, an English-language newspaper."
"On Wednesday, Slovakia-based cyber firm ESET said it also detected the wiper strain on hundreds of machines in Ukraine, adding that timestamps indicated the malware had been created nearly two months ago in preparation for deployment."
The WSJ noted that "On Thursday morning, CISA Director Jen Easterly tweeted a Wired magazine article on the 2017 NotPetya hack, which emanated from a Ukrainian accounting firm and caused billions in lost sales and other damage to businesses including FedEx Corp. and Merck & Co. Inc."
“While there are no specific threats to the U.S. at this time, all orgs must be prepared for cyberattacks, whether targeted or not,” Ms. Easterly wrote.
So, we strongly recommend to:
- Make sure your backups work and test your restore function, not for just files but whole servers
- Patch all known vulnerabilities and test the patches
- Deploy strong MFA to as many employees as you can (some MFA can be easily circumvented)
- Step all employees through at least a 15-minute security awareness training module to keep them on their toes with security top of mind
And it pains me to say it, but while you are at it, warn your users: criminals will start new, devious charity campaigns that claim to help people in Ukraine. Remind your users to --only-- use legitimate charities they are already familiar with and never to click on a link in an email from a charity claiming to help Ukraine war victims.
Blog post with links:
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, March 9 @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at TWO NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Security Culture Benchmarking feature: compare your organization’s security culture with your peers
- NEW! AI-Driven training recommendations for your end users in their own UI
- Brandable Content feature gives you the option to add branded custom content to select training modules
- Did You Know? You can upload your own SCORM training modules into your account for home workers
- Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: Wednesday, March 9 @ 2:00 PM (ET)
Save My Spot!
In a post Wednesday last week, Microsoft issued a warning that they are seeing a brand-new type of blockchain-centric attack aimed at web3 -- a term used to describe the decentralized environment created on the blockchain.
The post by the Microsoft 365 Defender Research Team analyzed the recent Badger DAO attack, which stole more than $120 million from blockchain users in November and December last year.
They warned that these attacks are on the rise: "There are multiple types of phishing attacks in the web3 world," wrote Christian Seifert, member of the Microsoft 365 Defender Research Team. "The technology is still nascent, and new types of attacks may emerge."
Ice fishing involves cutting a hole in a frozen body of water in order to catch fish. Ice phishing, as the Defender team has coined it, uses social engineering to trick a user into signing a transaction that delegates approval of the user’s tokens to the attacker; it doesn’t involve stealing anyone’s private keys.
"The attack corrupts a common type of transaction that enables interactions with DeFi smart contracts, as those are used to interact with the user’s tokens (e.g., swaps)... In an ‘ice phishing’ attack, the attacker merely needs to modify the spender address to the attacker’s address."
"This can be quite effective as the user interface doesn’t show all pertinent information that can indicate that the transaction has been tampered with. Once the approval transaction has been signed, submitted, and mined, the spender can access the funds."
"In case of an ‘ice phishing’ attack, the attacker can accumulate approvals over a period of time and then drain all victim’s wallets quickly." This is the original post by Redmond, and it's quite interesting reading!"
Blog post with links:
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us Wednesday, March 9 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
- Vet, manage and monitor your third-party vendors' security risk requirements
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
- Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
- Dashboards with automated reminders to quickly see what tasks have been completed, not met, and are past due
Date/Time: Wednesday, March 9 @ 1:00 PM (ET)
Save My Spot!
A sextortion phishing campaign is targeting French speakers, accusing them of viewing child abuse content, according to Paul Ducklin at Naked Security. The emails purport to come from the French police and are designed to frighten users into replying to the email to assert their innocence.
After a user replies, the scammer will attempt to convince them to pay a bogus fine to have the matter dropped. Ducklin offers the following advice to help people avoid falling for these scams.
- “How likely does the message really seem? The sender of this email was given as Jean-Luc Godard, who in real life is a world-famous left-wing French filmmaker now in his 90s. The investigating officer you are told to email directly is Frédéric Veaux, the Director General of the French Police. If you were being charged, you would have to be formally accused by name, not simply sent an email starting simply Monsieur/Madame." (Interestingly, the subject line said Mr/Mme, mixing up English and French in an obvious mistake.)
- “If in doubt, don’t give it out. If this were a genuine criminal investigation, you would not be invited to submit evidence in mitigation informally via email. That would be insecure both for you and the police and would almost certainly be useless in court anyway."
- “Don’t be afraid to check with a trusted source. If this email were genuine, and there really were police charges against you, then emailing back information of your own to defend yourself against as-yet unspecified, unknown claims against you would be a very bad idea. The police themselves would not ask you to do that, which makes it obvious that this email doesn’t come from the police in the first place.”
It’s not just France, either. We’ve seen an email from the Grand Ducal Police of Luxembourg, also in French, and better French than one usually sees. No one was named in the letter beyond “Madame/Monsieur,” but at least the hoods got rid of that “Mr.” Needless to say, it’s still not very plausible. Next time they may try Andorra, or Monaco, or the Sûreté du Québec.
New-school security awareness training can teach your employees to follow security best practices so they can thwart phishing attacks.
Blog post with links:
Phishing attacks have come a long way from the spray-and-pray emails of just a few decades ago. Now they’re more targeted, more cunning and more dangerous. And this enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more.
In this on-demand webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, shares a comprehensive strategy for phishing mitigation. With 30+ years’ experience as a computer security consultant, instructor, and award-winning author, Roger has dedicated his life to making sure you’re prepared to defend against ever-present IT security threats like phishing.
In this webinar you’ll learn:
- How to develop a comprehensive defense-in-depth plan for phishing mitigation
- Ideas for security policies you can implement now
- Technical controls all organizations should consider
- Gotchas to watch out for with cybersecurity insurance
- Why it’s critical to develop your organization’s human firewall
Get the details you need to know now to protect your organization from phishing and social engineering attacks.
Watch the Webinar Now!
Let's stay safe out there.
Stu Sjouwerman, SACP
Founder and CEO
PS: New UK Article: "The Inside Man Season 4: The Future of Cybersecurity Awareness Training":
- Jimi Hendrix - Guitarist, Singer, Songwriter (1942 - 1970)
"Hear the other side."
- Augustine of Hippo - Philosopher (354 - 430)
Thanks for reading CyberheistNews
You can read CyberheistNews online at our Blog
A legacy Unicode feature, used to disguise malicious file extensions, is being repurposed in attacks to obfuscate attachment types and steal credentials in an impressive way.
Some languages in the world (such as Hebrew and Arabic) read right-to-left, as opposed to most languages (including English), which read left-to-right. To account for this, years ago a non-printing Unicode character [U+202e] was devised to create a “right-to-left override”, better known as RLO.
For example, if I were to use that Unicode character in the phrase “Cyber[U+202e]Security”, it would be displayed as “CyberytiruceS”. Now apply this concept to, say, a malicious filename: “MaliciousAttachment[U+202e]pdf [dot] exe” would be displayed in Windows as “MaliciousAttachmentexe [dot] pdf”.
You can quickly see how this can take a file that is at the very least obviously suspicious and make it appear benign, even business-appropriate. In a new attack documented by security vendor Vade Secure, this method of obfuscation and social engineering has recently been seen in the wild targeting Microsoft 365 users.
In the attack, victims are sent an email with a “voice mail” attached, with a filename that ends in “mth [dot] mp3”. Now remember the RLO principle, and you realize that with the right placement of the Unicode character this becomes “mp3 [dot] htm”, an HTML file! The HTML is loaded in the browser and the user is presented with a Microsoft 365 logon screen.
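A defender-side check for this trick, as an added example that is not from the Vade Secure report or KnowBe4: it flags attachment names containing Unicode bidirectional controls and reports the extension the user sees versus the one the OS or browser acts on. The rendering is a simplified model (one unclosed RLO reverses the rest of the name), and the sample attachment names are constructed.

```python
import os

# Unicode bidirectional control characters an attacker can embed in a filename.
# U+202E is the right-to-left override (RLO) discussed above; the others are its
# siblings (embeddings, isolates, pop) and are flagged for the same reason.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

def render_rlo(name: str) -> str:
    """Approximate how a GUI displays a name holding one unclosed RLO: text
    after U+202E is drawn reversed up to the end of the string (the exact shape
    of the attachment trick); other bidi controls are invisible and dropped."""
    i = name.find("\u202e")
    if i < 0:
        return "".join(c for c in name if c not in BIDI_CONTROLS)
    tail = "".join(c for c in name[i + 1:] if c not in BIDI_CONTROLS)
    return name[:i] + tail[::-1]

def analyze_filename(name: str) -> dict:
    """Compare what the user sees with what the OS or browser will open."""
    controls = sorted({BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS})
    rendered = render_rlo(name)
    actual_ext = os.path.splitext(name)[1].lstrip(".").lower()
    apparent_ext = os.path.splitext(rendered)[1].lstrip(".").lower()
    return {
        "rendered": rendered,
        "bidi_controls": controls,      # e.g. ["RLO"]
        "actual_ext": actual_ext,       # extension the OS acts on
        "apparent_ext": apparent_ext,   # extension the user sees
        "suspicious": bool(controls) or actual_ext != apparent_ext,
    }

# Constructed sample attachment names (not taken from the Vade Secure report).
SAMPLE_ATTACHMENTS = [
    "Cyber\u202eSecurity",       # displays as "CyberytiruceS"
    "voicemail\u202e3pm.htm",    # displays as "voicemailmth.mp3" but is .htm
    "Q1-report.pdf",             # benign control case
]

def scan(names=SAMPLE_ATTACHMENTS) -> list:
    """Return the analysis of every name that should be quarantined."""
    return [r for r in map(analyze_filename, names) if r["suspicious"]]

if __name__ == "__main__":
    for r in scan():
        print(f"{r['rendered']!r} is really .{r['actual_ext'] or '?'}")
```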
Blog post with screen shots:
A new phishing technique can allow attackers to bypass multifactor authentication, according to Lawrence Abrams at BleepingComputer. A security researcher who goes by “mr.d0x” on Twitter found that attackers can intercept one-time password codes by using the legitimate Virtual Network Computing (VNC) remote access software with the open-source VNC client noVNC.
“So how do we use noVNC to steal credentials & bypass 2FA?” mr.d0x said in a blog post. “Setup a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com).
Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. And because you’ve already setup Firefox in kiosk mode all the user will see is a web page, as expected.”
Abrams explains that the attacker then has full visibility over the info that’s being entered. “However, as the login prompt is actually being displayed by the attacker's VNC server, all login attempts will happen directly on the remote server,” Abrams writes.
“mr.d0x told BleepingComputer that once a user logs into the account, an attacker can use various tools to steal credentials and security tokens. Even more dangerous, this technique will bypass MFA as the user will enter the one-time passcode directly on the attacker's server, authorizing the device for future login attempts.”
Mr.d0x adds that this technique isn’t unique to noVNC. It could also be applied to Apache Guacamole, TeamViewer, and Chrome Remote Desktop under the right circumstances. Multifactor authentication is an essential layer of defense, but attackers will continue to find ways around it.
BleepingComputer has the story:
What KnowBe4 Customers Say
"Hi Stu, thanks for the check in. We are happy campers :) getting ready to sign up for the new year shortly. The course offering are useful and educational and the overall platforms is amazing - quite frankly it is superior."
- B.W., Consultant.
- The difference between Risk and Cyber-risk. Top 6 critical infrastructure cyber-risks:
- U.S. Banks Are Prepared for Russia Sanctions, but Concerns Grow About Potential Hacks:
- CISA Creates List of Free Cybersecurity Tools and Services for Defenders:
- Cybercriminals Seek to Profit From Russia-Ukraine Conflict: https://www.securityweek.com/cybercriminals-seek-profit-russia-ukraine-conflict
- FBI, CISA, Cyber Command take aim at cyber-espionage by Iran's MuddyWater group:
- Increasing Number of Threat Groups Targeting OT Systems in North America: https://www.securityweek.com/increasing-number-threat-groups-targeting-ot-systems-north-america
- Ukraine invasion: How a digital cold war with Russia threatens the IT industry:
- US to attack cyber criminals first, ask questions later – if it protects victims: https://www.theregister.com/2022/02/21/doj_cyber_offensive_policy/
- UK alludes to retaliatory cyber-attacks on Russia:
- DoJ announces new strategy for countering nation-state threats:
- We've done a Virtual Vaca in The Grand Canyon State but this is awesome viewed at 8K:
- Top 10 Places In The Czech Republic - Travel Guide:
- People Are Awesome best of week: Man Rides On Wing Of Plane:
- World's Largest Fusion Device Breaks Energy Record:
- In search of the perfect screwdriver:
- World Record Group Skydive with a 164-Person Formation:
- Enchanting magician Liberty Larsen impresses with a mind-boggling time travelling trick:
- Lockpicking Lawyer: "Master Lock Sent Me a Challenge… Kinda":
- Penn and Teller's Fool us Season 8: Can Topas fool Penn and Teller on a treadmill?:
- Model S Plaid Faces Taycan Turbo S, Lucid Air In 3,000-HP Drag Race:
- VPN vocabulary: all the key terms and jargon explained:
- Cup Trick Shots. These are actually pretty cool!:
- "Stanley Kubrick on the meaning of the ending of 2001 in a rare 1980 interview":
- Top Gear: VW ID Buzz - Five Things You Need To Know About The Electric Van With A Big Plan:
- For Da Kids #1 - Woman Who Loves To Travel Adopts A Kitten Who Feels The Same Way:
- For Da Kids #2 - Vet Helps Bald Eagle Learn How To Fly Again:
- For Da Kids #3 - Jurassic World Dominion - Official Trailer: