CyberheistNews Vol 12 #12 | Mar. 22, 2022
With the recent cyber attacks between Russia and Ukraine and the current intelligence coming from the U.S. Government, organizations want to shore up their defenses to reduce the risk of a successful attack by any nation-state.
Given that the likely targets are what the U.S. defines as critical infrastructure, organizations must implement the necessary safeguards to protect their data and systems.
The U.S. has "evolving intelligence" that the Russian government is "exploring options for potential cyberattacks," President Joe Biden said in a statement on Monday. "It's part of Russia's playbook," Biden said.
The President also called on private sector companies to "harden your cyber defenses immediately" with measures such as multi-factor authentication, up-to-date security software and tools, secure data backups, and routine training drills. One of the bullets has our full agreement:
Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly;
“To be clear, there is no certainty there will be a cyber incident on critical infrastructure,” White House deputy national security adviser for cyber and emerging technology Anne Neuberger told reporters during a briefing on Monday afternoon. “So why am I here? Because this is a call to action and a call to responsibility for all of us,” she said.
Boards to approve and fast-track security spending
Mitigating the threat tactics described in CISA's "Shields Up" guidance will require boards to approve and fast-track spending on products and services not already in place.
Among the items with the quickest return on investment and shortest implementation time are reviewing incident response plans and recovery strategies in the event of an attack, and reviewing and mitigating risks to external-facing systems, verifying that they are fully patched and current on all security updates.
What you need is a robust security culture
The most impactful step will be to ensure employees receive education, know the latest attack methods, and remain vigilant about any unexpected email that demands urgent action. Security awareness training is essential, and it's the first step towards a robust security culture for the users and the organization's overall cyber resiliency.
An organization with a strong security culture is 52x less likely to unsuspectingly hand credentials to cybercriminals, which would expose the organization to unnecessary brand reputation damage, loss of revenue, or data loss.
Users who keep security top of mind can identify suspicious emails and report them, reducing the risk of cybercriminals quickly gaining entry to systems, networks, and data.
https://thehill.com/homenews/administration/599072-white-house-warns-russia-prepping-possible-cyberattacks-on-us
A new analysis of attacks in 2021 shows massive increases across the board, painting a very concerning picture for 2022 cyberattacks of all types.
Mid-year reports of cyberthreats are informative but do not age well; organizations still need to look at longer data trends to understand where to place their focus, efforts, and budget.
New data from security vendor PhishLabs in their Quarterly Threat Trends & Intelligence Report, covering all of 2021, provides a better sense of what last year's state of cyberattacks looked like, and shows that the increased efforts by cybercriminals we saw throughout 2021 look like they're here to stay for the time being.
According to the report:
- Phishing attacks grew 28%
- Social Media-based threats grew by 103%
- Attacks with malware nearly tripled
- Vishing attacks (like the Amazon attack I’ve covered previously) that begin with a phishing email jumped 554%
- 52% of phishing attacks focused on credential theft
- 38% of phishing attacks are response-based (e.g., job scams, tech support, BEC)
- Only 10% focused on malware delivery
The overarching theme here is that email is the delivery mechanism of choice – because it works. So, it's imperative that organizations put layered security measures in place to specifically stop email-based attacks – keeping in mind that with only 10% of attacks focused on malware delivery (and a portion of those using malicious links instead of attachments), some percentage of malicious phishing emails will make their way to your users' inboxes.
This means that users must also participate in your organization's security strategy, treating any email that seems unexpected, suspicious, or out of the norm with vigilance and skepticism.
This can be taught with security awareness training, where users see themselves as a part of your organization's layered security, helping to stop attacks before they do damage.
Blog post with links:
https://blog.knowbe4.com/email-based-vishing-attacks-skyrocket-554-percent
Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.
Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature, which automatically replaces active phishing threats in your users' mailboxes with a defanged look-alike.
The new PhishFlip feature is included in PhishER — yes you read that right, no extra cost — so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.
See how you can best manage your user-reported messages.
Join us TOMORROW, Wednesday, March 23 @ 2:00 PM (ET) for a live 30-minute demonstration of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.
With PhishER you can:
- NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user's inbox
- Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
- Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
- Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
- Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!
Date/Time: TOMORROW, Wednesday, March 23 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3595274/CBED27E05FF17653264E576D16B2BBEF?partnerref=CHN2
Email is the familiar form of phishing, but there's an ongoing criminal campaign that follows a different, arguably subtler avenue of approach: the corporate contact form. Abnormal Security has found that the BazarBackdoor is being distributed through this social engineering technique that succeeds in bypassing email filters.
Instead of sending phishing emails to the targets, the threat actors first use corporate contact forms to initiate communication. BleepingComputer describes how the process works:
"For example, in one of the cases seen by Abnormal's analysts, the threat actors posed as employees at a Canadian construction company who submitted a request for a product supply quote.
"After the employee responds to the phishing email, the attackers send back a malicious ISO file supposedly relevant to the negotiation.
"Since sending these files directly is impossible or would trigger security alerts, the threat actors use file-sharing services like TransferNow and WeTransfer."
As automated email screening improves (and the improvements have been significant), criminals will adapt and move to new vectors.
Abnormal Security, which has been tracking this trend, describes the advantages the criminals see in this approach. "There are two primary purposes for choosing this method for initial communication.
- "It disguises the communication as a request that could be reasonably expected to be received through an online request form.
- "It circumvents potential email defenses since the request would be delivered through a legitimate sender and does not contain any malicious content."
As automated email filtering gets better at screening for phishing attempts, criminals respond by looking for attack techniques that evade those tools. Abuse of corporate contact forms is one such technique. Train your users!
Blog post with links
https://blog.knowbe4.com/social-engineering-through-contact-form
We are excited to announce that Forrester Research has named KnowBe4 as a Leader in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022 based on our scores in the strategy, market presence, and current offering categories.
We received the highest scores possible in 16 out of 30 evaluation criteria, including breadth of content coverage, security culture measurement and customer support and success.
According to the report, "KnowBe4 has one of the largest content libraries of the firms we evaluated; as customer references confirmed, its learner content is unique, varied, and engaging…"
"Prospective customers who are seeking innovation in training, behavior, and culture change but who value the stability of an established vendor should evaluate KnowBe4."
Being recognized as one of the organizations that are leaders in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022 is an honor for us.
As providers of the world's largest security awareness training platform, we believe being named a Leader continues to show the success of our ability to enable organizations and their users to make smarter security decisions, improve their security culture and mitigate risk using world-class training and simulated phishing.
Learn why KnowBe4 has been recognized as a Leader.
Download your complimentary copy of the report now!
https://info.knowbe4.com/forrester-wave-security-awareness-training-chn
The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022, Forrester Research, Inc., March 16, 2022
Newly discovered data-destroying malware was found this week in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks. "This new malware erases user data and partition information from attached drives," ESET Research Labs explained.
CaddyWiper is the fourth data wiper malware deployed in attacks in Ukraine since the start of 2022, with ESET Research Labs analysts previously discovering two others and Microsoft a third.
Large-scale cyberattacks have yet to be seen from Russia
Russian cyberattacks have been surprisingly limited since the outbreak of President Putin's war against Ukraine, but they haven't been absent. Ukraine's State Service of Special Communications and Information Protection (SSSCIP) tweeted Saturday, "Russian hackers keep on attacking Ukrainian information resources nonstop..." Despite all the involved enemy’s resources, the sites of the central governmental bodies are available.
One day before the Russian invasion of Ukraine started, on February 23rd, ESET researchers spotted a data-wiping malware now known as HermeticWiper, used to target Ukraine together with ransomware decoys. They also discovered a data wiper they dubbed IsaacWiper and a new worm named HermeticWizard that the attackers used to drop HermeticWiper payloads, deployed the day Russia invaded Ukraine.
Microsoft also found a wiper now tracked as WhisperGate, used in data-wiping attacks against Ukraine in mid-January, disguised as ransomware. As Microsoft President and Vice-Chair Brad Smith said, these ongoing attacks with destructive malware against Ukrainian organizations "have been precisely targeted."
This contrasts with the indiscriminate NotPetya worldwide malware assault that hit Ukraine and other countries in 2017, an attack later linked to Sandworm, a Russian GRU Main Intelligence Directorate hacking group.
Such destructive attacks are part of a "massive wave of hybrid warfare," as the Ukrainian Security Service (SSU) described them right before the war started.
Let's hope none of these strains escape their cage.
Blog post with links:
https://blog.knowbe4.com/eye-opener-ukraine-is-now-being-hit-with-4-different-strains-of-wiper-malware
Bad actors are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?
KnowBe4's Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable.
Here's how RanSim works:
- 100% harmless simulation of real ransomware and cryptomining infections
- Does not use any of your own files
- Tests 23 types of infection scenarios
- Just download the installer and run it
- Results in a few minutes
This is complimentary and will take you 5 minutes max. RanSim may give you some insights about your endpoint security you never expected!
Get RanSim Now
https://info.knowbe4.com/ransomware-simulator-tool-1chn
There is a new ransomware-as-a-service (RaaS) strain called LokiLocker, researchers at BlackBerry warn. The malware uses rare code obfuscation and includes a file wiper component that attackers can deploy if their victims don't pay.
"It shouldn’t be confused with an older ransomware family called Locky, which was notorious in 2016, or LokiBot, which is an infostealer.
"LokiLocker is a relatively new ransomware family targeting English-speaking victims and Windows PCs. The threat was first seen in the wild in mid-August 2021," researchers from BlackBerry's Research & Intelligence Team said in a new report. The BlackBerry researchers estimate that LokiLocker currently has around 30 affiliates.
LokiLocker’s technical capabilities
When first executed on a computer, LokiLocker copies itself as ProgramData / winlogon [dot] exe and then sets up persistence using a scheduled task and start-up registry entries. The malware has a config file that affiliates can customize and use to instruct the malware.
CONTINUED:
https://blog.knowbe4.com/heads-up-new-evil-ransomware-feature-disk-wiper-if-you-dont-pay
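As an added example (not KnowBe4's or BlackBerry's code), the following PowerShell hunts for the persistence pattern described above: a copy of winlogon.exe dropped under ProgramData and launched from a Run/RunOnce key or a scheduled task. The only indicator taken from the article is the ProgramData\winlogon.exe location; the registry keys inspected, the "anywhere outside System32" rule, and the output shape are assumptions about what a reasonable hunt looks like, not published LokiLocker indicators. It needs Windows 8 / Server 2012 or later for Get-ScheduledTask and should be run from an elevated prompt so HKLM and all tasks are readable.

```powershell
# Added example, not from the newsletter or BlackBerry's report.
# Hunts for a winlogon.exe that is launched from anywhere other than System32,
# the persistence pattern the article attributes to LokiLocker.
# Assumed: the Run/RunOnce keys and scheduled tasks are the only launch points checked.

$suspectName = 'winlogon.exe'
$legitDir    = Join-Path $env:SystemRoot 'System32'
$findings    = @()

function Test-SuspectPath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $false }
    # Only care about command lines that reference winlogon.exe at all ...
    if ($CommandLine -notmatch [regex]::Escape($suspectName)) { return $false }
    # ... and flag those that do not point at the legitimate System32 copy.
    return ($CommandLine -notlike "*$legitDir\$suspectName*")
}

# 1. Autostart registry entries for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive etc. metadata
        if (Test-SuspectPath -CommandLine ([string]$p.Value)) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Scheduled tasks whose action executes the suspect binary
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Non-exec actions (e.g. COM handlers) have no Execute; they simply never match.
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-SuspectPath -CommandLine $cmd) {
            $findings += [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName)"
                Name    = $task.TaskName
                Command = $cmd
            }
        }
    }
}

# 3. The dropped copy itself, hashed so it can be submitted for analysis
$dropped = Join-Path $env:ProgramData $suspectName
if (Test-Path $dropped) {
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Source = 'File'; Name = $dropped; Command = "SHA256 $hash" }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No $suspectName launched from outside $legitDir found."
}
```

Any hit from this script is a finding to isolate and investigate, not a verdict: a legitimate product could conceivably ship a same-named binary, so treat the SHA256 it prints as the thing to check against your threat intelligence before acting.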
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: Article by Yours Truly in Forbes. Budget Ammo for your C-suite:
https://www.forbes.com/sites/forbestechcouncil/2022/03/17/fortifying-your-last-line-of-defense-your-employees/
- Dalai Lama (born 1935)
"No one is useless in this world who lightens the burdens of another."
- Charles Dickens - Writer (1812 - 1870)
Thanks for reading CyberheistNews
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-12-Email-Based-Vishing-Attacks-Skyrocket-554-percent
I am a member of OODA loop. They are a great team that keeps me up to date about InfoSec issues. Their site always has interesting articles, and this one certainly got my attention. The title alone piqued my interest. I'm quoting the first few paragraphs and then link to the rest of the article. I think you will like it too.
"A thesis I cannot prove but I believe: We are witnessing the world's first war where open-source intelligence is providing more actionable insights than classified sources.
"In this war:
- Tiktok provided direct evidence of the nature of troop and equipment movements.
- Commercial imagery showed field deployment locations, field hospitals, then proof of movement to invade.
- Dating apps provided indications of which military units are being deployed.
- Twitter gave a platform for highly skilled deeply experienced open-source analysts to provide insights.
- Cloud connected smartphones with a wide range of capabilities throughout Ukraine gave direct tactical insights into how the war was and is being prosecuted.
- Open-source analysts are listening into and translating military communications.
- Cybersecurity analysts and cyber threat intelligence companies are sharing indicators of incidents faster than ever and before any tipping and cueing by government sources.
- Historians with great context on culture and history are more rapidly collaborating and sharing relevant insights.
Background:
"Open-Source Intelligence is a phrase I’ve known since I began a career in the intelligence community in 1982. By that time the intelligence community had already spent decades developing processes to leverage information produced by adversaries (even though what they say would have a propaganda slant it provided useful insights).
"For example, one of the most widely known feeds of open-source intelligence at the time was the reporting of FBIS, the Foreign Broadcast Information Service, which monitored and translated Soviet media sources.
"Other open-source intelligence also included great work by researchers and academics who studied everything they could on adversaries. An outstanding example from the Cold War was the body of knowledge produced by Harriet Fast Scott and William F. Scott, who were able to provide extensive insights into the internal power structure and military capabilities and intentions of the Soviet Union, all from reading open-source intelligence. Since then the world has changed dramatically."
CONTINUED:
https://blog.knowbe4.com/we-are-in-the-first-open-source-intelligence-war
Despite cloud vendors like Google detecting reverse proxies or man-in-the-middle (MiTM) attacks and halting logons to thwart malicious actions, a new method easily gains access.
A security researcher who goes by the handle mr.dox documents a new devious method to capture credentials and – more importantly – capture a user session, bypassing MFA! The issue for most cybercriminals is that MFA stops attacks at logon.
That is true whether it's simply because the attacker lacks the second authentication factor to go with a compromised credential, or because services like LinkedIn or Google specifically look for any kind of unusual logon activity that appears to be a proxy-type connection. (We've covered proxy attacks before with Microsoft 365, where the credentials are passed to Microsoft as the user types them into a spoofed logon page and, if MFA is enabled, the user is prompted in the same manner, with any provided MFA data passed through to Microsoft to allow malicious access.)
But this new attack method devised by mr.dox uses the noVNC remote access software and a browser session running in kiosk mode to gain access.
Here's how it works:
- The victim is sent a phishing email with a malicious link to review some seemingly important document
- The link starts a noVNC session within the browser and connects the victim to the logon page of the cloud-based service of choice – without the user realizing it
- The user logs on as normal and, if MFA is configured, provides the additional authentication factors
So, in essence, the attack technique has the victim perform an actual logon in a remote cybercriminal-controlled session. Once logged on, the user is no longer needed: the session is already established post-authentication for the cybercriminal to use as they see fit.
The ingenuity and deviousness of these kinds of new attack methods are exactly the reason why organizations must have their employees enrolled in continual Security Awareness Training that will teach them to spot the attack well before they click the link that installs the malware or – in the case above – presents a logon to a familiar cloud application.
Blog Post with links:
https://blog.knowbe4.com/phishing-method-uses-vnc-to-bypass-mfa-measures
"Hello Stu, just wanted to give a big shout out to [my CSM] Grace. She has been instrumental in assisting me with my KnowBe4 training & phishing and implementation. She has been going above and beyond multiple times for me and has been very kind and patient with me.
"She also does take feedback and makes sure to pass it along regarding how we can improve the KnowBe4 experience. I am a fan of KnowBe4 and even had our sister company also become customers of KnowBe4. Looking forward to continually supporting KnowBe4 and fully utilizing it!"
- M.Y., Cyber Security Analyst
"Good afternoon, I started in this position on February 1st. My work experience has not involved any internet security trainings, programs, or the like.
"Not having this experience presented a challenge for me in taking over our internet security program. As such, having Jeannine as my CSM has been invaluable so far and I am certain this will continue to be the case going forward.
"She is so knowledgeable, professional, amicable, and efficient that she has made my transition, in relation to my internet security management role, effortless. She is a great asset to your company, and I would highly recommend KnowBe4 to others based on my work with Jeannine! Please let me know if you have any questions."
- L.J., Director of Regulatory Affairs, Compliance, and Systems
- CaddyWiper data wiping malware hits Ukrainian networks. This is the fourth WIPER strain:
https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/
- Insurers are nervous about cyberattacks in the Ukraine war and are trying to protect themselves after judge rules wartime exclusions don't apply:
https://www.wsj.com/articles/ukraine-war-has-insurers-worried-about-cyber-policies-11647252180
- Human Factors: Why Technology Alone Will Never Equal Cyber Secure:
https://www.tripwire.com/state-of-security/podcast/human-factors-why-technology-alone-will-never-equal-cyber-secure/
- Ukraine's internet infrastructure struggles as Russian invasion continues:
https://therecord.media/ukraines-internet-infrastructure-struggles-as-russian-invasion-continues/
- Biden signs ransomware reporting mandate into law:
https://www.computerweekly.com/news/252514695/Biden-signs-ransomware-reporting-mandate-into-law
- German government issues warning about Kaspersky products:
https://www.cyberscoop.com/kaspersky-warning-germany-bsi/
- Russia's disinformation machinery breaks down in wake of Ukraine invasion:
https://arstechnica.com/tech-policy/2022/03/russias-disinformation-machinery-breaks-down-in-wake-of-ukraine-invasion/
- How Cobalt Strike Became a Favorite Tool of Hackers:
https://www.esecurityplanet.com/threats/how-cobalt-strike-became-a-favorite-tool-of-hackers/
- U.S. financial regulators issued proposals requiring companies to report how the board manages cyber risk:
https://www.wsj.com/articles/new-u-s-financial-cyber-rules-focus-on-board-oversight-11647423003
- The Cybersecurity and Infrastructure Security Agency Working Group to Protect Critical Space Systems:
https://www.linkedin.com/pulse/cybersecurity-infrastructure-security-agency-working-group-giordani/
- This week's virtual Vaca! Top 10 Places To Visit In The UK:
https://www.youtube.com/watch?v=0kXCPo7c63I
- Insane Urban Downhill Run through the Streets of Valparaiso! FULL SCREEN:
https://www.youtube.com/watch?v=SfZ6q1-0Hpo
- Watch Sting, Blondie, Bonnie Tyler, Roxette, Boy George, Cyndi Lauper and Madonna perform their original hits - versus 20+ years later:
https://www.flixxy.com/pop-stars-perform-their-original-hits-vs-20-years-later.htm?utm_source=4
- CLASSIC Fascinating Wintergatan - Marble Machine (music instrument using 2000 marbles):
https://www.youtube.com/watch?v=IvUU8joBb1Q
- Another CLASSIC. The Pipe Dream animusic series came out 10 years ago but is still fan-tas-tic! Now in Hi-res:
https://www.youtube.com/watch?v=NtOUdIJsuBE
- What Is Your Greatest Fear? - Wingsuit Proximity, the first 2 minutes are great:
https://www.youtube.com/watch?v=10byeZV5jcc
- Lock Picking Lawyer Inside Perspectives - Picking Serrated Pins:
https://www.youtube.com/watch?v=muPJjTBuYHY
- How Wind Turbine Technicians Risk Their Lives to Keep Blades Spinning:
https://www.youtube.com/watch?v=bNBQKlHt6rg/
- The (crazy?) Plan To Literally Expand New York City:
https://www.youtube.com/watch?v=pyC9BqrEXso
- New Electric - The converted Electric Tractor that pulls 30 tons:
https://www.youtube.com/watch?v=N_gKNHeODhc
- What happens when a big ship loses its anchor? Wait till the end. Wow:
https://www.youtube.com/watch?v=lLLBhIJbVFs
- For Da Kids #1 - Dog PLAYS DEAD to Avoid Going Home While Park Crowd Watches:
https://www.youtube.com/watch?v=jHvim639FWQ
- For Da Kids #2 - Dog No One Wanted Gets The Absolute Perfect Mom:
https://www.youtube.com/watch?v=T6Jsl9PY8Tk
- For Da Kids #3 - Parrot Has A Say In Every Single Thing His Mom Does — And She Loves It:
https://www.youtube.com/watch?v=TwkCj2D1amg
- For Da Kids #4 - A chihuahua named Joya stole the show at Crufts 2022 with this crowd pleasing dance routine:
https://www.flixxy.com/chihuahua-dancing-swan-lake.htm?utm_source=4
- For Da Kids #5 - Woman can't believe her dog is real:
https://www.youtube.com/watch?v=ydy3mDkTO8E