CyberheistNews Vol 12 #15  |  Apr. 12th, 2022

[Heads Up] Hard-boiled Social Engineering by a Fake "Emergency Data Request"
Stu Sjouwerman SACP

Bloomberg has reported that forged "Emergency Data Requests" last year induced Apple and Meta to surrender "basic subscriber details, such as a customer's address, phone number and IP address."

Emergency Data Requests (EDRs) come from US law enforcement authorities. But don't they need a warrant to ask for this kind of information? Yes, normally they do. Brian Krebs explains, "In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena."

And what about tech companies like Apple and Meta? Don’t they know how to receive and respond to warrants? Again, yes, they do. Krebs explains further: "Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name."

So, what’s going on with EDRs? They’re a bit different. They’re issued in special circumstances by law enforcement agencies when the authorities are concerned about a clear, imminent danger, and they can be issued without the usual legal and judicial review.

As Krebs puts it, "But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents."

This is the proverbial ticking time bomb, when law enforcement needs information immediately because the threat is both imminent and grave. And of course, a company receiving that kind of request wants to comply. No one wants mayhem, especially mayhem their cooperation might have prevented, and so the recipient is likely to choose responsive, quick disclosure over insistence on procedural privacy safeguards.

Unfortunately, it's difficult to determine whether an EDR (which, remember, is by its very nature an emergency measure designed to bypass ordinary procedures) is real or not. "It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate," Krebs writes.

"Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately."

Thus urgency, here as in so many other cases, seems to have served to lower the victims' guard. None of the companies who were affected by the scam are without experience in handling requests from law enforcement, and they all have policies in place to prevent this sort of thing from happening.

The social engineers found the procedural gap and drove through it. Changes to policy, and especially some reliable and fast means of authenticating EDRs, should help alleviate the problem.

CONTINUED with links:
https://blog.knowbe4.com/social-engineering-by-emergency-data-request

The Ransomware Hostage Rescue Checklist: Your Step-by-Step Guide to Preventing and Surviving a Ransomware Attack

Skyrocketing attack rates, double and triple extortion, increasing ransom demands...cybercriminals are inflicting pain in every way imaginable when it comes to today's ransomware attacks. And you need to be prepared to protect your network, NOW.

Find out the steps you need to take to minimize damage to your network and your organization when a ransomware attack strikes.

In this webinar Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and security expert with over 30 years of experience, will take you step-by-step through best practices for preventing ransomware attacks and a post-attack response plan.

You'll learn:

  • Critical first steps to take when you think you’ve been hit with ransomware
  • Tips for protecting your data and your network from further infiltration
  • How to determine whether network credentials or data have been compromised
  • Step-by-step actions to guide your response, recovery and mitigation

Don't let cybercriminals run rampant within your network. Find out how to protect yourself before it’s too late and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, April 13 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3734584/36B35925792B6BD0093449CDA5716910?partnerref=CHN2

"Human Error" Ranked as the Top Cybersecurity Threat While Budgets Remain Misaligned

New insights into the state of data security show a clear focus on the weakest part of your security stance – your users – and organizations doing little to address it.

It's frustrating when the answer is right in front of organizations' faces and you have to watch them scramble around the problem without really addressing it. This is exactly what I see in the data found in Thales' 2022 Data Threat Report.

Within the report, we find data points of brilliance around awareness of the problem of users:

  • Human Error is seen as the highest threat to organizational security, with 38% of organizations ranking it as the top threat. For reference, Nation States was only a top concern for 28% of organizations.
  • 29% of organizations ranked ‘accidental human error’ as the top threat (and again for reference, only 17% ranked external attackers with financial motivation as a top threat).
  • 79% of organizations are concerned about the security risks with an increasingly remote workforce.

It's evident that users play a role in making an organization insecure, right? So, we'd expect to see lots of spending on ways to secure the user. But according to the report, organizations are prioritizing network security (e.g., Intrusion Prevention Solutions, gateways, firewalls), key management, cloud security, and zero trust solutions.

It seems like the focus is way too much on trying to prevent data from leaving, instead of stopping attackers from ever getting in. With the data showing organizations are very aware of the role users play in cyberattacks, I would expect to see more focus on security awareness training to reduce the threat surface of phishing – a primary attack vector in nearly every kind of cyber attack.

This kind of training helps to establish good cyber hygiene, a sense of vigilance, and has been shown to reduce the risk of users falling for social engineering tactics employed within phishing attacks.

Blog post with links:
https://blog.knowbe4.com/human-error-ranked-top-cybersecurity-threat

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately “flip” a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users' mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost—so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us Wednesday, April 27 @ 2:00 PM (ET), for a live 30-minute demonstration of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, April 27 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3714065/5BD9491A0AB0D7F3D6BC353B291E134C?partnerref=CHN

Microsoft Warns of Lapsus$ "Targeting Organizations for Data Exfiltration and Destruction"

The group behind the recent attacks on Okta, NVIDIA, and Microsoft may be moving on to less-prominent organizations, using their data destruction extortion model on new victims.

It's not every day Microsoft puts out warnings about a specific threat group. But in the case of Lapsus$ (referenced by Microsoft as DEV-0537), it’s warranted. Lapsus$ has gone after some pretty big-name companies (including Microsoft) and appears to be going after "smaller fish" as well, Microsoft warns in a recent threat intelligence update.

What makes Lapsus$ so dangerous is two-fold. First, their attacks are focused on extortion via the threat of data destruction (so, think ransomware, but deletion instead of encryption). Second, they are very good at soliciting for and obtaining credentialed access to organizations.

This is a bit of a new tactic, as most cybercriminal gangs stick to phishing or brute force attacks against an RDP connection. Lapsus$ even goes as far as to pay off employees at cellular companies to perform SIM swaps that assign an employee's mobile number to a threat actor-controlled device.

This allows Lapsus$ to get past most multi-factor authentication that uses an employee’s mobile phone as the second factor.

These guys are so good, they’re even finding ways to join a victim organization’s crisis communication calls to understand their incident response plan, giving Lapsus$ the upper hand to ensure their extortion tactics still pay off.

I'd normally want to mention the importance of awareness training in cases when phishing and social engineering attacks are used. But in the case of Lapsus$, the expertise demonstrated to date, along with their ability to exploit vulnerabilities to gain access to systems and data makes them particularly dangerous and noteworthy.

Blog post with links:
https://blog.knowbe4.com/microsoft-warns-of-lapsus-targeting-organizations-for-data-exfiltration-and-destruction

NEW Tool: Is your organization ready for a SOC 2 compliance audit? Find out now!

You already have challenging compliance requirements and having enough time to get your audits done is a continuous problem.

According to the most recent ACA Compliance Group Report, "Key Trends and Forces Shaping Risk and Compliance Management," 44% of firms are being asked to show proof that security controls are in place to protect customer data in the cloud.

The Statement on Standards for Attestation Engagements no. 18 Trust Services Criteria (SSAE18) framework is designed to help you do just that. Often, organizations use this framework to obtain a System and Organization Controls 2 (SOC 2) certification.

If you're trying to wrap your head around how to best meet compliance requirements for the SSAE18, you likely have a lot of questions. You want answers and need guidance on how to best meet the requirements to get your organization ready for an audit — fast.

Find out your organization's audit readiness now!

KnowBe4's new Compliance Audit Readiness Assessment (CARA) is a free tool that helps you gauge your organization’s readiness in meeting compliance requirements for the SSAE18 framework. The assessment guides you through a subset of specific Control Components of the SSAE18 requirements to help you identify areas within your current environment that may need attention. CARA asks you to rate your readiness for each requirement and then provides an analysis of your results. It also provides guidance to help you create and implement controls to help get your organization ready for a SOC 2 compliance audit.

Here's how CARA works:

  • You will receive a custom link to take your assessment
  • Rate your organization's readiness for each requirement as Met, Partially Met, or Not Met
  • Get an instant analysis and summary of potential gaps in your cybersecurity
  • Receive a personalized report with control guidance suggestions to help you meet compliance
  • Results in just a few minutes!

Take your first step towards understanding your organization's readiness for a SOC 2 compliance audit now.
https://info.knowbe4.com/soc2-compliance-audit-readiness-assessment-chn

BOOK: New Prep guide for the Security Awareness and Culture Professional Exam (SACP)™

From Amazon: "Security Awareness programs have gone from an afterthought to a critical component of Information Security programs. Most large organizations now have one or more full-time employees dedicated to awareness and managing human risks. This book defines a common framework for building a broad awareness program using the Train, Reinforce, Assess and Manage (TRAM) model.

It includes specific advice and examples for activities across the TRAM functions. This book is filled with examples of deliverables an awareness professional can leverage in their program. This book also provides logical maturity steps that map out the progression for maturing an awareness program using TRAM. This Awareness Program Maturity Model (APMM) allows awareness practitioners to plan, measure and mature their program.

The book is also a great prep guide for studying for the Security Awareness and Culture Professional (SACP) exam." Link to the Amazon Kindle version:
https://www.amazon.com/Security-Awareness-Program-Builder-Professional-ebook/dp/B09VGHBL8B/

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.


PS: KnowBe4 and its third parties do not use the Spring framework. KnowBe4 products are not affected by the Spring4Shell vulnerability.

PPS: This is remarkable to say the least. The U.S. Opens a Risky New Front in Cyberdefense:
https://www.washingtonpost.com/business/the-us-opens-a-risky-new-front-in-cyberdefense/2022/04/08/5a378e2e-b72f-11ec-8358-20aa16355fb4_story.html

Quotes of the Week
"Don't part with your illusions. When they are gone, you may still exist, but you have ceased to live."
- Mark Twain - Author (1835 - 1910)


"Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away."
- Antoine de Saint-Exupery - Novelist (1900 - 1944)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-15-heads-up-hard-boiled-social-engineering

Security News
Phishbait Invokes Russia's Ministry of Internal Affairs (Road Safety Division)

A phishing campaign impersonating WhatsApp has targeted more than 27,000 mailboxes, according to researchers at Armorblox. It’s not clear who the attackers were, but they used an old version of a road safety operations website belonging to Russia’s Ministry of Internal Affairs, which helped the emails to bypass authentication checks.

"The domain of the email sender was ‘mailman.cbddmo[.]ru,'" the researchers write. "Research from our team suggests the email domain is associated with the 'center for road safety of the Moscow region' page. According to the website this organization was established to provide assistance to the State Road Safety operations for Moscow and it belongs to the Ministry of Internal Affairs of the Russian Federation.

It's possible that attackers exploited a deprecated or old version of this organization's parent domain to send the malicious emails. The email passed all authentication checks (SPF, DMARC).”

The emails informed recipients that they had received a voicemail on their WhatsApp account, and directed them to click a link in order to listen to it.

"Upon clicking the 'Play' link in the email, recipients were redirected to a page that attempts to install a trojan horse JS/Kryptik," the researchers write. "This is a malicious obfuscated JavaScript code embedded in HTML pages that redirects the browser to a malicious URL and implements a specific exploit.

Once the target landed on the malicious webpage, he or she was prompted to confirm they 'are not a robot.' If the target clicked 'allow' on the popup notification in the URL a malicious payload could potentially be installed as a Windows application through a browser Ad service, in order to bypass User Account Control. Once the malware was installed (Infostealer) it can steal sensitive information like credentials that are stored within the browser."

Armorblox recommends that users slow down and think when they receive unsolicited emails, so they can avoid falling for these attacks. A cognitive speed bump might be in order for this kind of traffic.

"Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions," the researchers write. "It's much easier said than done but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is a WhatsApp link leading to an HTML download? Why is the sender email domain from a third-party organization?)."

So, if you were wondering what traffic was like around the Arbat, well, this site might not have been the one to check. New-school security awareness training can enable your employees to thwart phishing attacks.
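A defender-side check for the mismatch the researchers describe (a brand name in the display name, a From domain and link hosts that belong to someone else, and SPF/DMARC passing only for that someone else), as an added example that is not Armorblox's or KnowBe4's code; the brand allowlist, both sample messages and every domain in them are constructed placeholders:

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand-to-domain allowlist the defender maintains (assumption of this example;
# whatsapp.com is the brand's real domain, the mapping itself is ours).
BRAND_DOMAINS = {"whatsapp": {"whatsapp.com"}}

# Constructed sample with the campaign's shape: "WhatsApp" display name, a From
# domain of an unrelated third party, SPF/DMARC passing for that third party,
# and a "Play" link to yet another host. All domains are placeholders.
SAMPLE_PHISH = "\n".join([
    "From: WhatsApp <noreply@mailman.example-thirdparty.test>",
    "To: user@corp.example",
    "Subject: You have a new voicemail",
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mailman.example-thirdparty.test; dmarc=pass header.from=example-thirdparty.test",
    "Content-Type: text/html",
    "",
    '<html><body>New voicemail. <a href="https://voicemail-play.example-cdn.test/play.html">Play</a></body></html>',
])

# Constructed benign sample: brand name and From domain agree, link stays on brand.
SAMPLE_LEGIT = "\n".join([
    "From: WhatsApp <no-reply@whatsapp.com>",
    "To: user@corp.example",
    "Subject: Account notice",
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=whatsapp.com; dmarc=pass header.from=whatsapp.com",
    "Content-Type: text/html",
    "",
    '<html><body><a href="https://www.whatsapp.com/security">Read more</a></body></html>',
])

def domain_of(address):
    return address.rpartition("@")[2].lower()

def owned_by(host, allowed):
    # True if host is one of the allowed domains or a subdomain of one.
    return any(host == d or host.endswith("." + d) for d in allowed)

def parse_auth_results(value):
    # Pulls the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header.
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "", re.I)}

def link_hosts(html):
    hosts = set()
    for url in re.findall(r'href="([^"]+)"', html, re.I):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def analyse(raw_message):
    """Return a list of findings; an empty list means no brand/domain mismatch."""
    msg = message_from_string(raw_message, policy=default)
    display_name, address = parseaddr(msg["From"] or "")
    from_domain = domain_of(address)
    auth = parse_auth_results(msg["Authentication-Results"])
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = []
    for brand in sorted(b for b in BRAND_DOMAINS if b in display_name.lower()):
        allowed = BRAND_DOMAINS[brand]
        if not owned_by(from_domain, allowed):
            findings.append(f"display name claims {brand} but From domain is {from_domain}")
            if auth.get("spf") == "pass" and auth.get("dmarc") == "pass":
                # Passing checks only prove the mail came from from_domain itself.
                findings.append(f"SPF/DMARC pass vouches for {from_domain}, not for {brand}")
        for host in sorted(link_hosts(html)):
            if not owned_by(host, allowed):
                findings.append(f"link host {host} does not belong to {brand}")
    return findings
```

Running `analyse(SAMPLE_PHISH)` yields three findings and `analyse(SAMPLE_LEGIT)` none; the point is that a clean SPF/DMARC result is recorded, but never clears the brand mismatch.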

Armorblox has the story:
https://www.armorblox.com/blog/whatsapp-voicemail-phishing-attack/

"Europol Calling" (Not Necessarily)

Scammers are impersonating Europol with fraudulent phone calls in an attempt to steal personal and financial information, according to Kristina Ohr at Avast. The German Federal Criminal Police Office (BKA) recently warned of this campaign as well.

"Two of our colleagues already received one of these calls," Ohr says. "The first call was an automated greeting that said that their data had been stolen and that they should press number 1 to speak to a Europol employee. The colleagues were then connected to a real person. According to the BKA, a special technical procedure is used for the calls, which is why the recipients are shown a phone number that actually belongs to Europol or a German police station. Our colleagues, on the other hand, were called from regular cell phone numbers."

One of Ohr's colleagues received one of these scam calls and initially believed it was real. "One colleague, who we'll call 'Sarah,' received the call when she was on the road and distracted on a Saturday afternoon," Ohr says. "She thought, 'Europol is calling? It must be serious!' The automated message at the beginning was credible and the woman on the phone sounded thoughtful. She even had answers for many of Sarah’s questions.”

Sarah added that the woman sounded sincere, which made the phone call even more convincing. "Even more so, the way the lady spoke on the phone was believable and serious," Sarah said. "Only after the conversation did I realize that she had asked me for my name at the beginning, which she should actually know if my identity had actually been stolen."

Avast offers the following recommendations for users to avoid falling for these attacks:

  • "Do not disclose your personal data on the phone and do not allow yourself to be pressured.
  • "Do not give out your bank account or other payment information.
  • "Remember that Europol has no authority to fine you or take any other criminal action against you. Just hang up.

Educating your employees to follow security best practices so they can avoid falling for phishing attacks is a must today. Avast has the story:
https://blog.avast.com/fraudulent-calls-from-alleged-europol-employees

What KnowBe4 Customers Say

"We love it! Scheduling a full year of monthly campaigns was super easy and now we don’t have to worry about it. Our HR manager loves having a new employee campaign. And the best part? LoganF. He has been super to work with. He takes the initiative to make sure we got on track and checks in on us regularly. He also has a great sense of humor.

Honestly, I was skeptical when our CEO wanted to change from the Sophos phishing system to KnowBe4, but your system is so much more robust and having Logan helping us makes it worth every penny."

- V.C., Information Systems and Support Services Manager

"Hey Stu, seriously, I am loving the products that we use from KnowBe4. We are in process right now of getting everyone through what we're calling our "Initial training" Campaign which will be a part of our onboarding process, we have already completed 1 phishing test and I've got another one in mind for the end of next month.

The only thing that I'm a little disappointed about was that season 4 of "Inside Man" ended on a bit of a cliffhanger...WHAT'S GOING TO HAPPEN NEXT? Lol.

All teasing aside, the service that I've been getting from CoryB has been outstanding. He's been super helpful and very patient with my idiotic questions. I know that I'm thrilled that we're working with KnowBe4, and I know that my management is equally as satisfied with what we're able to set up by using the Phishing services. Cheers!"

- L.J., Assistant Director, Information Systems

The 10 Interesting News Items This Week
    1. Google and Microsoft are battling. Here is a salvo from Google: "Government workers in U.S. say Microsoft tech is insecure":
      https://cloud.google.com/blog/products/identity-security/government-workers-say-microsoft-tech-makes-them-less-secure-new-survey

    2. State Department Launches New Cybersecurity Bureau:
      https://www.cnet.com/tech/services-and-software/state-department-launches-new-cybersecurity-bureau/

    3. Borat RAT malware: A 'unique' triple threat that is far from funny:
      https://www.zdnet.com/article/borat-rat-malware-a-unique-triple-threat-that-is-far-from-funny/

    4. Global APT Groups Use Ukraine War for Phishing Lures:
      https://www.infosecurity-magazine.com/news/global-apt-ukraine-war-phishing/

    5. Ukraine spots Russian-linked 'Armageddon' phishing attacks:
      https://www.bleepingcomputer.com/news/security/ukraine-spots-russian-linked-armageddon-phishing-attacks/

    6. Partisan Rift Stalls Efforts to Secure Critical Infrastructure from Cyberattack:
      https://www.nextgov.com/cybersecurity/2022/04/partisan-rift-stalls-efforts-secure-critical-infrastructure-cyberattack/364120/

    7. Hamas-Linked Hackers Using Sexy 'Catfish' Lures, New Malware:
      https://www.securityweek.com/hamas-linked-hackers-using-sexy-facebook-catfish-lures-new-malware

    8. US disrupts Russian Cyclops Blink botnet before being used in attacks:
      https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/

    9. Text From Myself Scam Explained — You’re Not Going Crazy!:
      https://news.trendmicro.com/2022/04/01/text-from-myself-scam/

    10. Data leak from Russian delivery app shows dining habits of the secret police:
      https://www.theverge.com/2022/4/3/23008658/data-leak-russian-delivery-app-dining-habits-secret-police-yandex-food
Copyright © 2014-2022 KnowBe4, Inc. All rights reserved.