CyberheistNews Vol 12 #27 [New FBI and CISA Alert] This Ransomware Strain Uses RDP Flaws to Hack Into Your Network

Cyberheist News

CyberheistNews Vol 12 #27  |   July 6th, 2022

[New FBI and CISA Alert] This Ransomware Strain Uses RDP Flaws to Hack Into Your Network

Stu Sjouwerman SACP

As of May 2022, MedusaLocker has been observed predominantly exploiting vulnerable Remote Desktop Protocol (RDP) configurations to access victims' networks, according to a new joint Cybersecurity Advisory (CSA) from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other law enforcement agencies.

The advisory is part of CISA's #StopRansomware collection of resources about ransomware. "MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments," the CSA notes.

Technical Detail Summary:

This ransomware strain uses a batch file to execute a PowerShell script that propagates MedusaLocker throughout the network. The script edits the EnableLinkedConnections value in the infected machine's registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via the Server Message Block (SMB) protocol.
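For readers who want to check their own Windows hosts against the two things the advisory calls out (the registry tweak and exposed RDP), here is an added audit script. It is not part of the advisory or KnowBe4's material, and it assumes the standard Windows locations for the EnableLinkedConnections policy value and the Terminal Server RDP settings; the 24-hour window and the threshold of 50 failed logons are arbitrary values chosen for this example.

```powershell
# Added example (not from the CSA or KnowBe4): audit a Windows host for the registry change
# and the RDP exposure described above. Run in an elevated PowerShell session.
# Assumptions: standard registry paths for the policy value and Terminal Server settings;
# the 24h window and the 50-failure threshold are example values, tune them for your estate.

$findings = @()

# 1. EnableLinkedConnections. When set to 1, mapped network drives become visible to
#    elevated processes, which widens the reach of any script enumerating shares as admin.
#    It is not a Windows default, so a value of 1 deserves a look.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$linked = Get-ItemProperty -Path $policyKey -Name 'EnableLinkedConnections' -ErrorAction SilentlyContinue
if ($null -ne $linked -and $linked.EnableLinkedConnections -eq 1) {
    $findings += 'EnableLinkedConnections=1 (review: not a Windows default)'
}

# 2. Is RDP enabled, and does it require Network Level Authentication?
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'
$deny   = (Get-ItemProperty -Path $tsKey  -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections
$nla    = (Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -ErrorAction SilentlyContinue).UserAuthentication
if ($deny -eq 0) {
    $findings += 'RDP is enabled on this host'
    if ($nla -ne 1) { $findings += 'RDP accepts connections without Network Level Authentication' }
}

# 3. Is the RDP listener up, and does the inbound firewall rule allow any remote address?
$listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallAddressFilter
        if ($filter.RemoteAddress -contains 'Any') {
            $findings += "Inbound RDP rule '$($rule.DisplayName)' allows any remote address"
            break
        }
    }
}

# 4. Failed network/RDP logons (Event ID 4625, logon type 3 or 10) as a brute-force signal.
#    In a 4625 event, Properties[10] is the LogonType field.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -in 3, 10 }
if ($failed.Count -gt 50) {
    $findings += "$($failed.Count) failed network/RDP logons in the last 24h"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "[!] $_" } }
```

Nothing here fixes anything: it only reports. The advisory's mitigations (disable unused RDP, put it behind a VPN or gateway, require NLA and MFA, lock out after repeated failures) are the follow-up for each finding.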

Note that this new Cybersecurity Advisory has a top-right Action Box with suggestions you need to take ASAP to mitigate this threat. Their second bullet is: Train users to recognize and report phishing attempts. Grab your free Phish Alert Button and train your users as soon as you can.

Here is a link to the full Cybersecurity Advisory which has a PDF, full Indicators of Compromise (IoC) and suggested mitigations:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, July 13 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Support for QR-Code Phishing Tests
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, July 13 @ 2:00 PM (ET)

Save My Spot!

3 New Tips to Pass Your Certified Security Awareness and Culture Professional (SACP)™ Exam

During 2019, I came to the conclusion we were way overdue for a vendor-neutral industry certification for professionals in our security awareness space. I literally scratched my head and asked myself why no one had done this yet.

I called all the usual "certification bodies," but none of them could fit this in their "foreseeable future roadmap." Being one of the pioneers in this industry, I decided I would take the initiative and sponsor the creation of an independent certification designed specifically for this new high-demand job role.

However, I had to find out how. That was a super interesting learning curve. It took quite a bit of research, calling experts, and finding out how certifications were developed, tested, validated, marketed and how they actually were run in testing centers.

I discovered the people behind some of those very prestigious certifications you have wanted yourself, and asked them how a new cert like this could be made into a reality.

To a large degree, it's a sizable group of Subject Matter Experts (SMEs) spending quite a bit of time, following a well-defined and trusted process to make sure that the certification is recognized, valid and valuable.

We were able to gather the SMEs, money and time, and during 2021 the whole project was completed and the new certification was released by the great team of H Layer Credentialing (That "H" stands for Human). It was an impressive amount of work by dozens of people. Thank you so much, you know who you are.

So, here are three tips that will help you:

1) There are two books covering most of the exam topics: "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors" by KnowBe4's Perry Carpenter who also helped with the creation of the certification. It links to a wealth of resources for further study if you want to drill down into topics. Here is the link to Amazon:

The other super relevant new book is by Perry Carpenter and Kai Roer: "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer" Here is the link to Amazon:

2) If you have time during a commute, or like the "Lunch & Learn" concept, Perry's "8th Layer Insights" is a great podcast that goes into detail on a bunch of security awareness topics with industry celebrity interviews which definitely helps pass the exam:

3) You want to make sure to read the whole question, word by word, twice before even looking at the answers. Skipping a single (small) word in the question may cause you to choose a wrong answer. No rushing or skimming! This is where "Do it right the first time" is so important.

Here is more about the credential. H Layer Credentialing has an extensive site with super useful resources, how to apply, and where to take the test. Good luck, this is worth it!

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, July 13 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!

  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulation
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due

Date/Time: Wednesday, July 13 @ 1:00 PM (ET)

Save My Spot!

FBI Warns of Deepfakes Used to Apply for Remote Jobs

If you're looking for your company's next remote IT position, you may want to think twice before doing so. The FBI recently reported to the Internet Complaint Center that there are multiple complaints of people using deepfake video to apply for remote jobs in tech.

The FBI details more on the complaint in their public service announcement, "The remote work or work-from-home positions identified in these reports include information technology and computer programming, database, and software related job functions. Notably, some reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information."

Also according to the announcement, personal identifiable information has been used to seem more legitimate. If you suspect a fake applicant, please report it to the complaint center site.

Deepfake attacks are not going away anytime soon. Start new-school security awareness training now to ensure your users are able to spot the warning signs in a fake video.

Blog post with links:

12 Ways to Defeat Multi-Factor Authentication

Everyone knows that multi-factor authentication (MFA) is more secure than a simple login name and password, but too many people think that MFA is a perfect, unhackable solution. It isn't!

Watch Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and security expert with over 30 years' experience, in this on-demand webinar where he explores 12 ways hackers can and do get around your favorite MFA solution.

This webinar includes a (pre-filmed) hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick, and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security.

You'll learn about the good and bad of MFA, and become a better computer security defender in the process, including:

  • 12 ways hackers get around multi-factor authentication
  • How to defend your multi-factor authentication solution
  • The role humans play in a blended-defense strategy

Watch the Webinar Now!

Bad News to Ransom Payers: 80% of You Will Face a Second Attack Within 30 Days

New insight into what happens during and after a ransomware attack paints a rather dismal picture of what to expect from attackers, your executives and your operations.

I'd love to tell you that once you get through a ransomware attack, all will be well. But that's just not the case. According to Cybereason's Ransomware: The True Cost to Business report, the reality of mid- and post-attack circumstances is anything but resilient.

Let's start with the fact that, according to the report, 73% of all orgs have experienced a ransomware attack in the last 12 months. And for those that were attacked, the question of whether the ransom was paid always comes up:

  • 41% paid to "expedite recovery"
  • 28% paid to "avoid downtime"
  • 49% paid to "avoid a loss in revenue"

But even after paying the ransom, 80% experienced a second attack and 68% were asked for a higher ransom!

Then there is the aftermath to the organization:

  • 54% still had corrupted systems or data
  • 37% had to lay off employees
  • 35% had a C-level resignation
  • 33% had to temporarily suspend business

What's interesting is that 75% of organizations believe they have the right contingency plans to manage a ransomware attack, a number that hasn't changed in the last year, according to Cybereason. This data point, mixed with the aftermath stats above, makes me think of the old adage "The best-laid plans of mice and men often go awry."

Blog post with links:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [RSA VIDEO] "Did you know that July is Ransomware Awareness Month?:"

Quotes of the Week  
"Whoever is careless with the truth in small matters cannot be trusted with important matters."
- Albert Einstein (1879 - 1955)

"If you make listening and observation your occupation you will gain much more than you can by talk."
- Robert Baden-Powell (1857 - 1941)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Innovative Way to Bypass MFA Using Microsoft WebView2 Is Familiar Nevertheless

By Roger A. Grimes

An interesting way to bypass multi-factor authentication (MFA) was recently announced by Bleeping Computer. This particular attack method requires a potential victim to be tricked into downloading a malicious executable (not so hard, unfortunately), and the resulting rogue code then uses Microsoft Edge's WebView2 control to essentially create a rogue web page which can mimic any other web page, except with new malicious coding inserted.

As the author of the Wiley book, "Hacking Multifactor Authentication," I am obsessively interested in any new MFA hacking technique. This is definitely a new method and I am glad researchers shared it. Here is how it works:

  • User is somehow tricked into downloading malicious content
  • Malicious content uses Microsoft Edge's WebView2 control to create a new, malicious, web instance mimicking an existing legitimate web instance, including cookies, passwords, etc.
  • The new malicious web instance can further socially engineer the user into revealing more confidential information, take over the user’s legitimate web instance, steal the user's logon credentials, steal the user’s legitimate web instance access control token, and more.

The cybersecurity sky is the limit! There is even a readily available related attack tool, from which most of the recent security conversations were generated.

But here is something to keep in mind: anytime an endpoint is compromised, it is essentially game over for any defense. Once an endpoint has been compromised, it is not the user's endpoint anymore. It might not even be the same operating system.

Microsoft unofficially stated the obvious over two decades ago, in early 2000, as the first law of its 10 Immutable Laws of Security: Law #1: If a bad guy can persuade you to run his program on your computer, it is not your computer anymore.

Truth. And using MFA does not change this.

CONTINUED at the KnowBe4 blog:

Wars and Lechery, Nothing Else Holds Fashion

Shakespeare said it first, and things haven't changed: suffering and desire continue to drive victims to the social engineers. Researchers at Bitdefender have observed a phishing campaign that's using a phony dating site for men to meet Ukrainian women.

"[In] the past couple of weeks, spammers have been targeting internet users with a mixed bag of online dating opportunities such as mail order bride services and dating platforms where single western men can meet Ukrainian women," the researchers write.

"Despite the ongoing conflict on Ukrainian soil, many dating platforms are still up and running. Since June 10, tens of thousands of spam emails promoting perfect matches between men and beautiful Ukrainian women targeted the inboxes of users from across the globe.

"The spam emails originate from IP addresses in Turkey. Sixty-six percent of messages arrived in inboxes in the US, 10% in Ireland, 3% in Sweden, Germany and Denmark, and only 2% in the UK."

When a user visits the site, they'll be asked to enter personal details, just as they would on a legitimate dating site.

"Upon filling out the requested information, users are directed to another online dating platform, where they can immediately start chatting with beautiful women," Bitdefender says. "But there's a catch. Interacting with single ladies on the platforms isn't cheap. Packages can run into the hundreds of dollars and include sending emails, a limited amount of chat time, and unlocking all profile photos of single Ukrainian women."

While users should exercise caution on any dating sites, this one in particular had many red flags. "Behind all the smoke and mirrors, users risk a lot of money in searching for their soul mate," the researchers conclude. "Moreover, the likelihood of actually communicating with a Ukrainian woman is slim.

"Dating platforms such as these are notorious for using bots to facilitate communication with as many users as possible. Profiles seem too good to be true and many customer reviews reveal that despite breaking the bank to set up a real-life meeting with the women active on the website, none have shown up.

"The correspondence resembles a marketing romance scam, and although it does not align with the situation in Ukraine, it does profit from human emotional drivers and the lack of personal connection experienced by millions of individuals during the pandemic."

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for these types of scams.

Blog post with links:

What KnowBe4 Customers Say

"Stu, Thanks for reaching out. Things are going well. I couldn't be happier with the results so far. Y'all have an awesome product suite. Kimberly G. and Ben S. are providing top notch support! Zac P. and Brittany S. were fantastic to deal with for the sales aspect. You seem to have quite the Rockstar team. I'm impressed. Glad we signed up for 3 years! Please feel free to quote any of my feedback for your sales and marketing efforts. Cheers."

- O.J., Manager, Strategic Partnerships & Compliance

The 10 Interesting News Items This Week
  1. FBI: "North Korea Lazarus Hackers Blamed for $100 Million Horizon Bridge CyberHeist":

  2. New '22 Dark Web Shopping Splurge Price Index. Fascinating what you can buy:

  3. Ukraine targeted by almost 800 cyberattacks since the war started:

  4. Microsoft Reports on Russian Cyber War and Disinformation Efforts In Ukraine:

  5. Ukraine arrests cybercrime gang operating over 400 phishing sites:

  6. Deepfake Awareness Riding on Top Gun’s Coattails:

  7. 6 podcasts about the dark side of the web:

  8. Lessons On The Future of Cyberwar From Russia:

  9. Google blocked dozens of domains used by hack-for-hire groups:

  10. China lured graduate jobseekers into digital espionage:

  11. BONUS: "If it Hadn't Been for the Prompt Work of the Medics"; FSB Officer Inadvertently Confesses Murder Plot to Navalny:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
