CyberheistNews Vol 12 #18 [Heads Up] The 4 Major Tactics: How Hackers Steal Your Passwords and How To Defend Yourself

By Roger A. Grimes

Despite the world's best efforts to get everyone off passwords and onto something else (e.g., MFA, passwordless authentication, biometrics, zero trust, etc.) for decades, passwords have pervasively persisted.

Today, nearly everyone has multiple forms of MFA for different apps and websites AND many, many passwords. The average person has somewhere between three to seven unique passwords that they share among over 170 websites and services. Here are some related statistics:

• The average person has 19 passwords - but 1 in 3 don't make them strong enough - Naked Security
• The average employee manages nearly 200 passwords - Dark Reading
• Password security habits survey results - Digital Guardian
• Average number of passwords per person - Answers.com
• The average business user has 191 passwords - Security Magazine

And, unfortunately, those passwords often get stolen or guessed. This is why I recommend the following password policy guide. [Infographic at blog]

Most computer security experts agree with these policy recommendations, but more than a few readers might be shaking their heads, especially at the recommendations to use 20+ character passwords/passphrases. Why in the world would anyone need a 20+ character password to protect against password hacking attacks?

In general, password attacks fall into four different major categories:

• Password theft
• Password guessing
• Password hash theft and cracking
• Unauthorized password resetting or bypass

CONTINUED on the KnowBe4 blog with links, examples and screenshots:
https://blog.knowbe4.com/how-hackers-get-your-passwords-and-how-to-defend

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, May 4 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

• NEW! Support for QR-code phishing tests
• NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
• NEW! AI-Driven training recommendations for your end users
• Brandable Content feature gives you the option to add branded custom content to select training modules
• Did You Know? You can upload your own SCORM training modules into your account for home workers

Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, May 4 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3713715/A497B5E485F699EE7662135628028A56?partnerref=CHN2

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) just updated its alert on the wiper malware Russia has deployed during its hybrid war. "This advisory has been updated to include additional Indicators of Compromise (IOCs) for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware, all of which have been deployed against Ukraine since January 2022. Additional IOCs associated with WhisperGate are in the Appendix.

Link to CISA:
https://www.cisa.gov/uscert/ncas/alerts/aa22-057a

Russia is getting a taste of their own medicine

As an aside, the Washington Post has a good article showing Russia is finally getting a taste of their own medicine: "Hacking Russia was off-limits. The Ukraine war made it a free-for-all." Putin is unable to stop the cyberattacks, and is actually the one causing it to happen:
https://www.washingtonpost.com/technology/2022/05/01/russia-cyber-attacks-hacking/

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, May 4 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!

• NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
• Vet, manage and monitor your third-party vendors' security risk requirements
• Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
• Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulation
• Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due

Date/Time: TOMORROW, Wednesday, May 4 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3714080/886880A2B779CE5599CBD8DD39A88585?partnerref=CHN2

As the number of ransomware attacks has increased 24% over the previous year, security researchers estimate the total associated attack costs to be just over 7 times higher.

Every time there's a news story about a ransomware attack, there's so much focus put on the ransom itself - this is probably due to the fact that the payment can be easily quantified; whether it be the amount asked for or the amount paid.

We're all aware of the practical costs a business has to absorb should it become a ransomware victim - but those costs are seldom (if ever) revealed, leaving us guessing as to how much a ransomware attack actually costs the victim organization.

But new compiled and analyzed data from researchers at Check Point and Kovrr shows that the ransom amount is but a small portion of the total real cost of surviving a ransomware attack. When considering the losses in response and restoration costs, legal fees, monitoring and decreases in revenues, real-life cost data from actual organizations that were hit with ransomware paints the picture that ransomware is so very much more expensive than the ransom alone.

According to Check Point, the average ransom payment is 48.6% of the initial ransom demand - which is an average of about 2.82% of the victim's annual revenue. So you can do the math: the average ransom paid is about 1.37% of annual revenue. But the overall costs are much, much more.

According to Check Point, the average total cost of a ransomware attack is 7.083 times larger than the paid ransom. This means the average ransomware attack costs organizations an average of 9.7% of their annual revenues!

Now you do the math - which is more expensive: dealing with the financial repercussions of a ransomware attack or putting up a layered defense strategy that includes protecting the most likely (and least protected) aspect of your environment: your users?

Organizations that deploy new-school security awareness training as part of their security strategy significantly reduce their attack surface by nearly eliminating social engineering-based attacks as a possible initial ransomware attack vector.

Blog post with links:
https://blog.knowbe4.com/eye-opener-the-ransom-payment-is-only-15-of-the-total-cost-of-ransomware-attacks

It feels like we hear about a new devastating cyberattack in the news every day. And attack methods seem to be proliferating at an exponential rate. So, which tactics should you be aware of beyond standard "click and infect" attack vectors?

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and popular cybersecurity author, for this eye-opening webinar. Roger will share his take on several significant, advanced, and yes, crazy cyberattacks he's seen in the wild. Plus, he'll share defensive strategies you'll want to implement to prevent them from affecting your network.

You'll see examples of 10 amazing hacks showing how:

• Your users' passwords can be cracked in mere minutes
• Cybercriminals easily bypass multi-factor authentication
• Automated malware can devastate your network
• Hackers can completely take over your network with a few simple steps
• And more!

Find out what you can do to mitigate these advanced hacking techniques instead of becoming the next unknowing victim. And earn CPE for attending!

Date/Time: Wednesday, May 11 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3773375/EC4C66935FFFD67831C404749AE1A4F4?partnerref=CHN

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: The people in your organization have a bigger impact on cybersecurity posture than your technology does:
https://www.linkedin.com/posts/chris-h-97680442_cybersecurity-technology-people-activity-6924001497743540224-UMD1

PPS: Ammo for your C-levels. "Making Sense Of Cybersecurity Culture By Defining And Engaging It":
https://www.forbes.com/sites/forbesbusinesscouncil/2022/04/26/making-sense-of-cybersecurity-culture-by-defining-and-engaging-it/

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-18-heads-up-the-4-major-tactics-how-hackers-steal-your-passwords-and-how-to-defend-yourself

Researchers at IBM Security X-Force are tracking a financially motivated cybercriminal group called “Hive0117” that's impersonating a Russian government agency to target users in Eastern Europe.

"The campaign masquerades as official communications from the Russian Government's Federal Bailiffs Service, the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the Telecom, Electronic and Industrial sectors," the researchers write. "The activity predates and is not believed to be associated with the Russian-led invasion of Ukraine."

"The phishing emails contain a malicious zip file that will install the DarkWatchman remote access Trojan. The emails attempt to convince the user to download and open this file.

"The contents of the emails feature identical Russian-language text detailing several articles related to enforcement procedures associated with the Kuntsevsky District Court of Moscow, upheld by the ‘Bailiff of the Interdistrict Department of Bailiffs for the Execution of Decisions of the Tax Authorities,'" the researchers write.

"The only variation observed by X-Force within the emails is in the name and 'case number' associated with the individual email and accompanying malicious ZIP archive file attachment."

The researchers note that some of the emails were specifically sent to high-ranking employees at the targeted companies.

"X-Force discovered multiple emails that were sent in mid-February 2022 to individual users, including a state-owned communication company based in Lithuania, a prominent Industrial Enterprise in Estonia, and several electronic and telecommunication businesses located in Russia," the researchers write.

"In some cases, the emails were targeting company owners, as well as individuals in leadership positions associated with Dispatch Services and Sales. Targeted organizations could be of high value to criminal actors given the targets' potential trusted access to a wide and distributed client base."

New-school security awareness training can teach your employees how to recognize phishing and other social engineering attacks.
https://blog.knowbe4.com/criminal-gang-impersonates-russian-government-in-phishing-campaign

It's not just deep-pocketed corporations that prove attractive targets for social engineering. Any organization that holds information that can fetch a good price in the criminal marketplace will draw the attention of social engineers.

According to Risk & Insurance, a case in point may be found in community associations. They hold a great deal of personal data: names and addresses of their members, and often those members’ Social Security numbers, bank accounts, and credit card information. The value of these data in the criminal-to-criminal market is obvious.

Moreover, those data can all too often be poorly protected. Kevin Davis, president of Kevin Davis Insurance Services, told Risk & Insurance, “These groups are prime targets for cybercriminals due to their low-tech systems housing sensitive information….

"Many do not have a risk assessment plan to identify system vulnerabilities, nor do they have a documented security-incident response plan. Once criminals get inside the community association system, they have easy access to social security numbers, banking information, email addresses, client information, anything that will create serious problems for the association."

The article outlines five approaches criminals commonly use against community associations. Impersonation scams, whether by email or by phone, are often seen. "One of the most common types of social engineering scams in recent years is when fraudsters impersonate the U.S. Social Security Administration (SSA)," Davis said.

A second risk is ransomware, usually installed when a worker is induced to click a malicious link. A third risk is posed by a lost or stolen device, since some associations overlook best practices in protecting such devices. Weak passwords, for example, are all too common. The fourth threat is business email compromise. And the fifth is a general risk shared by many businesses and other organizations: remote work increases exposure to compromise.

The article concludes by recommending a range of best practices. We'll add one: training. New-school security awareness training can equip members of any organization with the tools they need to recognize and fend off social engineering.

Risk & Insurance has the story:
https://riskandinsurance.com/5-cyber-threats-community-organizations-cant-ignore/

The latest scam is impersonating T-Mobile and focused on collecting your personal data by tempting you with free "gifts."

Who doesn't like free stuff? With mobile carriers often having promotions like "Get an iPhone 13 on us!", it's not too far-fetched to believe they may be giving away a free gift to one (or more) of its customers.

In a recent scam (that many of you probably experienced), a text was sent out to a group of mobile phone numbers (which looked like a group text). The message may have said something to the effect of "Your bill is paid for March. Thanks, here's a little gift for you" and proceeded to provide a URL that had zero to do with T-Mobile. Upon clicking the link, victims were taken to one of many pages impersonating T-Mobile and offering gifts like an Apple iPad Pro and Magic Keyboard.

Questions are asked to "verify" you, which could be used to collect details used to aid SIM swapping activities, commit identify theft, and more. Employees that have stepped through continual security awareness training already know to be suspicious of any communication that involves receiving something for free. In the case of this scam, if it seems too good to be true, it definitely is.

Blog with links and screenshot:
https://blog.knowbe4.com/if-you-got-a-your-bill-is-paid-for-text-youre-part-of-a-massive-t-mobile-texting-scam

"I am very happy that our company is using KnowBe4 and I am improving the setup actively.

I've run a phishing simulation for different smart groups with a customized difficulty level, short training campaigns and I have everything set up by following your knowledge base.

I am discussing with MassimoF and he is very helpful and responsive - following our recent conversation, I will initiate a competition between different teams and give prizes; next thing is to enable the Phish Alert Button and print some security posters and send a weekly newsletter with hints and scams.

I am positive that this will increase the awareness and I will have all employees participating to the trainings (currently we have 45% attendance, which is not 100%.) In time, I am sure this will improve.

I am also interested in sharing best practices for using the tool, and I am discussing with colleagues from different companies for this or just asking Massimo for help."

- A.E., GDPR Privacy Officer

"Stu - thank you for reaching out and yes, so far I am very happy with KCM. I was brought on board to help mature the processes and ensure we are meeting our regulatory requirements. I inherited a competitor's product which required me to spend a lot of time configuring the product to fit our needs - never a good thing - and our ROI was limited at best.

I was impressed with the ease and functionality that KCM had when I viewed one of the webcasts, and even more so after meeting with MarkM. He is very knowledgeable and personable, to the point where my onboarding meeting was more of a meet-and-greet with KristenW, as Mark had set me on a path that had already gone well passed the normal onboarding experience.

With limited resources here with GRC experience or knowledge, it was nice to be able to "talk shop" with a vendor that wasn't there to simply sell me on a product, but made me feel that he wanted me to be successful with the product.

Refreshing sales experience to say the least. Thank you again for reaching out and I look forward to continued maturity in our GRC processes, with KCM as one of the primary tools to get us there!"

- T.M., Director of Enterprise Risk Management

1. A chilling Russian cyber aim in Ukraine: Digital dossiers:
   https://apnews.com/article/russia-ukraine-technology-business-border-patrols-automobiles-fa3f88e07e51bcaf81bac8a40c4da141
    
2. The trouble with BEC: How to stop the costliest internet scam:
   https://www.welivesecurity.com/2022/04/26/trouble-bec-how-stop-costliest-scam/
    
3. Animated QR codes: how do they work, and how to create your own?
   https://www.bleepingcomputer.com/news/technology/animated-qr-codes-how-do-they-work-and-how-to-create-your-own/
    
4. FBI releases movie on China's plan to steal US technology:
   https://americanmilitarynews.com/2022/04/fbi-releases-movie-on-chinas-plan-to-steal-us-technology/
    
5. Interpol: We can't arrest our way out of cybercrime:
   https://www.theregister.com/2022/04/29/interpol_cybercrime_partnerships/
    
6. US offers $10 million reward for tips on Russian Sandworm hackers:
   https://www.bleepingcomputer.com/news/security/us-offers-10-million-reward-for-tips-on-russian-sandworm-hackers/
    
7. Russian govt impersonators target telcos in phishing attacks:
   https://www.bleepingcomputer.com/news/security/russian-govt-impersonators-target-telcos-in-phishing-attacks/
    
8. Microsoft: "Russia Coordinating Cyberattacks With Military Strikes in Ukraine":
   https://www.securityweek.com/russia-coordinating-cyberattacks-military-strikes-ukraine-microsoft
    
9. Russia Sanctions Complicate Paying Ransomware Hackers:
   https://www.wsj.com/articles/russia-sanctions-complicate-paying-ransomware-hackers-11651138201?
    
10. Europol: "Deepfakes Set to Be Used Extensively in Organized Crime":
    https://www.infosecurity-magazine.com/news/europol-deepfakes-organized-crime/?&web_view=true  

• Your first Virtual Vaca to THE MOUNTAINS - Wonderful Cinematic Short Film:
  https://www.youtube.com/watch?v=JUh4koZ8Uqw
   
• Second Virtual Vaca to the lovely Ore Mountains, Germany | Little Big World:
  https://www.youtube.com/watch?v=8qgtCLvkgHo
   
• UNIQUE FUN. Three guys on stilts and one drummer performance from South Africa:
  https://www.flixxy.com/three-guys-on-stilts-got-talent.htm?utm_source=4
   
• The Lockpicking Lawyer: "The inevitable result of not understanding the security fundamentals." Ospon Fingerprint Gun Box":
  https://www.youtube.com/watch?v=QNMeeVcVvjw
   
• Big Air & Epic Tricks | People Are Awesome Best Of The Week:
  https://www.youtube.com/watch?v=_kJtYfS9V0c
   
• VW ID. Buzz: World Exclusive First Drive! & Why It’s Our Electric Car of the Year:
  https://www.youtube.com/watch?v=7q0mQ-9_gSY
   
• The Best Way to Charge Your New Electric Car at Your House:
  https://www.youtube.com/watch?v=Ft-aMNRDXD8&t=14s"
   
• Japan has a T-rex race and it's the funniest thing you'll see on the internet today:
  https://www.timeout.com/tokyo/news/japan-has-a-t-rex-race-and-its-the-funniest-thing-youll-see-on-the-internet-today-042622
   
• Watch the Jetson ONE Personal Aerial Vehicle take off and fly over the Tuscan landscape. I want one:
  https://www.flixxy.com/jetson-one-take-off-in-tuscany.htm?utm_source=4
   
• Daredevil pilots attempt double plane swap midair, but the FAA is investigating:
  https://www.youtube.com/watch?v=bsL63HLH1i0
   
• Italy is building a digital twin of Milan into Italy's new tech capital:
  https://www.youtube.com/watch?v=Q6TRvT9nE4k
   
• GoPro: The Best Wingsuit Flight of Marshall Miller's Life:
  https://www.youtube.com/watch?v=hRJcAFE64nM
   
• Why a Billionaire Tried to Stop This Bridge:
  https://www.youtube.com/watch?v=lipnIdz6_L4&t=125s
   
• For Da Kids #1 - This dog is awesome! Amber and Nymeria - Britain's Got Talent 2022:
  https://www.flixxy.com/amber-and-nymeria-britains-got-talent-2022.htm?utm_source=4
   
• For Da Kids #2 - Cat Adopts His New Puppy Brother The Second He Meets Him:
  https://www.youtube.com/watch?v=ntmy_ZdORZ4
   
• For Da Kids #3 - Rescue Dog Does Parkour To Keep The Squirrels Out Of Her Yard:
  https://www.youtube.com/watch?v=c8t1kzHk_KM
   
• For Da Kids #4 - These Two Feral Cats Will Restore Your Faith In True Love:
  https://www.youtube.com/watch?v=gyUlM1RAGUE
   
• For Da Kids #5 - David Attenborough will make you think about weeds in a different light:
  https://www.youtube.com/watch?v=k99irWyeobo