CyberheistNews Vol 12 #30 [Heads Up] New MFA 'Prompt Bombing' Attacks Give Access to Laptops, VPNs, and More


CyberheistNews Vol 12 #30  |   July 26th, 2022

[Heads Up] New MFA 'Prompt Bombing' Attacks Give Access to Laptops, VPNs, and More

By Stu Sjouwerman, SACP

While multi-factor authentication (MFA) significantly reduces an organization's threat surface by making the stealing of credentials much harder, a new attack takes advantage of phone calls as the second factor.

Whenever cybercriminals can successfully leverage the victim themselves as part of an attack, they will. And that appears to be the case in a new attack by cybercriminal group Lapsus$. In this new attack, first detailed by Wired, Lapsus$ has taken advantage of various platforms' MFA implementation that uses either a phone call or pushing a button on the screen of their mobile phone.

The attack method is rather simple: call the victim employee a multitude of times at 1am when they're sleeping, and, according to Lapsus$ on their official Telegram channel, [the victim employee] "will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device."

According to reports, Lapsus$ has successfully used MFA prompt bombing against Microsoft to gain access to the internal Microsoft network via an employee’s VPN.

Users of MFA need to be made aware of these types of techniques via security awareness training, so that they group this kind of unexpected prompting with phishing emails, social engineering scams on social media, and the like: any interaction that grants access and that they were not expecting to see should be treated as suspicious.
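Awareness is the first line of defense, but the pattern described above (a burst of push prompts at night, an eventual approval, and a new device enrolled shortly after) is also visible in MFA logs. The following added example, which is not part of the original newsletter, runs a simple burst detector over a constructed push-MFA log; the log format, field names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not real data); timestamps are the user's local time.
# Fields: timestamp user event result
SAMPLE_LOG = """\
2022-07-20T01:02:11 alice push_prompt denied
2022-07-20T01:03:40 alice push_prompt timeout
2022-07-20T01:05:02 alice push_prompt denied
2022-07-20T01:06:15 alice push_prompt timeout
2022-07-20T01:08:30 alice push_prompt approved
2022-07-20T01:14:05 alice device_enroll success
2022-07-20T09:15:00 bob push_prompt approved
2022-07-20T17:42:10 bob push_prompt approved
"""

BURST_WINDOW = timedelta(minutes=15)   # prompts this close together form one burst
BURST_THRESHOLD = 4                    # at least this many prompts in a window = bombing
ENROLL_WINDOW = timedelta(minutes=30)  # a device enrolled this soon after a burst is suspicious
OFF_HOURS = range(0, 6)                # 00:00-05:59 local, the "1am" pattern in the article


def parse_log(text):
    """Parse 'timestamp user event result' lines into tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, event, result = line.split()
        events.append((datetime.fromisoformat(ts), user, event, result))
    return sorted(events)


def find_prompt_bombing(events):
    """Return one alert per burst of push prompts, noting whether the burst
    contained an approval and whether a device enrollment followed it."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e[2] == "push_prompt"]
        i = 0
        while i < len(prompts):
            start = prompts[i][0]
            burst = [p for p in prompts[i:] if p[0] - start <= BURST_WINDOW]
            if len(burst) >= BURST_THRESHOLD:
                end = burst[-1][0]
                alerts.append({
                    "user": user,
                    "start": start,
                    "prompts": len(burst),
                    "off_hours": start.hour in OFF_HOURS,
                    "approved": any(p[3] == "approved" for p in burst),
                    "enrolled_after": any(
                        e[2] == "device_enroll" and e[3] == "success"
                        and end <= e[0] <= end + ENROLL_WINDOW for e in evs),
                })
                i += len(burst)  # skip past this burst so it is not counted twice
            else:
                i += 1
    return alerts
```

Running `find_prompt_bombing(parse_log(SAMPLE_LOG))` flags alice's five prompts between 01:02 and 01:08 as an off-hours burst that ended in an approval with a device enrolled six minutes later, while bob's two widely spaced daytime approvals produce nothing.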

Blog post with links:

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users' mailbox.

The new PhishFlip feature is included in PhishER (yes, you read that right, no extra cost), so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, July 27 @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user's inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, July 27 @ 2:00 PM (ET)


Cybersecurity Should Be an Issue For Every Board Of Directors

With so many boards of directors focused on operations, revenue, strategy, and execution, they are completely forgetting the simple fact that a single cyberattack can bring all that to a screeching halt.

Maybe members of an organization’s board of directors don't care about cybersecurity because it feels very much in the technical weeds. Perhaps it’s because they don’t understand what constitutes a cyberattack. Or maybe it's because they fail to understand the implications and repercussions of an attack on the business they seek to help grow.

I read an article I wanted to share and summarize from security vendor SentinelOne entitled On the Board of Directors? Beware of These Six Common Cyber Security Myths. In it they highlight some pretty universally-shared misconceptions about cybersecurity that also act as reasons why the board should be asking the question "how is our cybersecurity stance" at the very same table where they talk about "how was last quarter’s earnings?"

The six misconceptions SentinelOne outlines that Boards often have are:

  • Cybersecurity is only necessary for certain types of businesses
  • You only need software-based security solutions
  • Software vulnerabilities are too much in the weeds for the Board
  • Supply chain attacks aren't a concern
  • The board can’t have an impact on cyber threats
  • Employees will always be a cyber risk

The board's job is to strategically manage risk. Usually, the focus is on operational risk. But the modern board of directors should be focused on all types of risk – which now includes cyber threats. The misconceptions above are likely just scratching the surface, but they do make the case that boards today need to expand the discussion to include cybersecurity.

Blog post with expanded bullets for each of the six points above:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, August 3 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Support for QR-Code Phishing Tests
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, August 3 @ 2:00 PM (ET)


FBI Warns of Phony Cryptocurrency Investment Apps

Cryptocurrency investors have lost nearly $43 million to fraudulent cryptocurrency investment apps, according to the U.S. Federal Bureau of Investigation (FBI).

"The FBI has observed cyber criminals contacting U.S. investors, fraudulently claiming to offer legitimate cryptocurrency investment services, and convincing investors to download fraudulent mobile apps, which the cyber criminals have used with increasing success over time to defraud the investors of their cryptocurrency," the Bureau says.

"The FBI has identified 244 victims and estimates the approximate loss associated with this activity to be $42.7 million. The FBI encourages financial institutions and their customers who suspect they have been defrauded through fake cryptocurrency investment apps to contact the FBI via the Internet Crime Complaint Center or their local FBI field office."

In one recent example, scammers stole $3.7 million from 28 people. "Between 22 December 2021 and 7 May 2022, unidentified cyber criminals purporting to be a legitimate U.S. financial institution defrauded at least 28 victims of approximately $3.7 million," the FBI says. "The cyber criminals convinced victims to download an app that used the name and logo of an actual U.S. financial institution and deposit cryptocurrency into wallets associated with the victims' accounts on the app.

"When 13 of the 28 victims attempted to withdraw funds from the app, they received an email stating they had to pay taxes on their investments before making withdrawals. After paying the supposed tax, the victims remained unable to withdraw funds."

The FBI offers the following recommendations for users, and it also has recommendations for businesses, specifically financial services companies, who have a role in making social engineering more difficult from their end.


See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, August 3 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!

  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18 and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulation
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due

Date/Time: Wednesday, August 3 @ 1:00 PM (ET)


[Eye Opener] Both Job Seekers and Employers Should Be Aware of New Sophisticated Scams

By Roger A. Grimes.

With record low unemployment, a tight labor market, and increasing customer demand, everyone says it is an employee's job market out there. But it is getting tougher to get a real job and to hire a good employee these days.

An increase in social engineering attacks offering fake jobs and fake employees is making it harder for both potential employees and employers to know who to trust. Job seekers are being offered fake jobs solely to steal their money or they are utilized as unwitting pawns to compromise their existing employers; and employers are being exploited by fake employees who want to steal intellectual property, secrets and value.

Fraudulent jobs and employees are becoming something all job hunters and employers need to worry about. If you are looking for a job, do you know how to spot a fake job? If you are an employer, do you know how to detect a fake employee? This article will offer some suggestions to both potential employees and employers.

Roger covers the following need-to-know topics:

  • Fake Job Offers
  • Insert Trojan Horse Programs
  • Compromise Your Existing Employer
  • Company Employment Threats
  • Defenses for job seekers and for companies trying to hire people


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Budget Ammo by yours truly for the C-Suite: Malicious AI Isn't A Distant Reality Anymore:

PPS: Striving for 100% Completion Rates: Getting Compliance on Your Compliance Training:

Quotes of the Week  
"Courage is the most important of all the virtues, because without courage you can't practice any other virtue consistently."
- Maya Angelou - Writer (1928 - 2014)

"The human race has one really effective weapon, and that is laughter."
- Mark Twain - Author (1835 - 1910)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

LinkedIn Remains a Leading Platform for Social Engineering

LinkedIn, as is well-known, is a widely used professional networking platform. With more than eight-hundred-million members, it offers an extensive pool of attractive potential victims: working, connected, in many cases well-off. Their profiles carry a good deal of personal information, and their connections offer opportunities for scammers to pivot, with plausible come-ons, to other potential victims.

A study by researchers at Check Point found that almost half (some 45%) of all the email phishing attempts observed during the second quarter of 2022 mimicked LinkedIn's "style of communication" as they sought to direct their marks to a spoofed LinkedIn login page to harvest their account credentials.

That's a big jump from the fourth quarter of 2021, when Check Point found that only 8% of the brand phishing attacks sought to take advantage of LinkedIn's reach and reputation. Researchers at Vade Secure reached a similar conclusion: in 2021 LinkedIn trailed both Facebook and WhatsApp in the rate of attempted impersonation.

Things have clearly changed. Social engineers impersonating communications from LinkedIn dangle phish bait that's likely to attract the attention of the platform’s professionally-minded clientele. The scam message may indicate that another LinkedIn user is interested in doing business with the mark, that the mark has "appeared in X searches this week," or even something as simple as a note that a message is waiting for them.

These approaches have particular appeal now, in a fluid labor market where people are leaving jobs and looking for better places. But the scammers don't stop there. One of their common goals, the FBI warns, is to take advantage of another current fashion, and seek to lure their marks into speculative (and bogus) investments in cryptocurrencies.

LinkedIn has offered some advice for its users that’s worth taking to heart:

"Be wary of and consider reporting," the platform says, three common problems:

  • "People asking you for money who you don't know in person. This can include people asking you to send them money, cryptocurrency, or gift cards to receive a loan, prize, or other winnings.
  • "Job postings that sound too good to be true or that ask you to pay anything upfront. These opportunities can include mystery shopper, company impersonator, or personal assistant posts.
  • "Romantic messages or gestures, which are not appropriate on our platform - can be indicators of a potential fraud attempt. This can include people using fake accounts in order to develop a personal relationship with the intent of encouraging financial requests."

Practice helps teach proper caution. New-school security awareness training can help impart a healthy wariness among your employees as they use LinkedIn and other professional networking tools.

Help Net Security has the story:

Social Engineering in Wartime

The Russian invasion of Ukraine has been accompanied by cyberattacks, most of them directed at espionage, and the Russian intelligence services have made heavy use of social engineering to gain access to their targets.

Early this week Google's Threat Analysis Group (TAG) published a full report on what it's seen, recently, of Turla and other threat actors aligned with the Russian cause. Turla is seeking to induce Ukrainians to download malicious apps that misrepresent themselves as tools Ukrainian patriotic hacktivists could use to conduct distributed denial-of-service (DDoS) attacks against Russian networks.

Of course the apps do nothing of the kind, and they’re not from the source (Ukraine’s Azov Regiment) that they claim is offering them. Google writes, "Turla, a group publicly attributed to Russia’s Federal Security Service (FSB), recently hosted Android apps on a domain spoofing the Ukrainian Azov Regiment.

"This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services. We believe there was no major impact on Android users and that the number of installs was miniscule."

Other Russian threat groups TAG mentions include the GRU (APT28, Sandworm, or Fancy Bear) and a privateering spin-off of the possibly defunct Conti gang. These are exploiting the now-patched Follina remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool.

TAG's observations confirm earlier reports by CERT-UA. "The Sandworm campaign used compromised government accounts to send links to Microsoft Office docs hosted on compromised domains, primarily targeting media organizations in Ukraine," the report says, adding, "TAG has also observed an increasing number of financially motivated actors targeting Ukraine.

"One recent campaign from a group tracked by CERT-UA as UAC-0098 delivered malicious documents with the Follina exploit in password-protected archives, impersonating the State Tax Service of Ukraine. We assess this actor is a former initial ransomware access broker who previously worked with the Conti ransomware group distributing the IcedID banking trojan based on overlaps in infrastructure, tools used in previous campaigns, and a unique cryptor."

TAG also notes that the Russian threat group ColdRiver (also called "Callisto" but better known as Gamaredon or Primitive Bear) "continues to send credential phishing emails to targets including government and defense officials, politicians, NGOs and think tanks, and journalists."

ColdRiver has used Dropbox and Google Drive to host malicious PDFs. So phishing is a principal tool of espionage services. For all the media attention zero-day exploits receive, intelligence services rely on a version of their traditional recruitment tradecraft, updated for an online world.

Its aim is what it always has been: to persuade people to act contrary to their interests and commitments. Your organization may not be targeted by intelligence services (although that’s a possibility you shouldn't necessarily overlook), but whether the social engineers are criminals or spies, new-school security awareness training can give your employees a healthy sense of suspicion so they can recognize a malicious approach, whoever’s behind it.

Google's Threat Analysis Group has the story:

What KnowBe4 Customers Say

"Hi Stu, Thanks for reaching out! I am a happy camper and things are going well so far here. Your team has been great and very helpful. I've particularly enjoyed working with Joneny V. She has done an excellent job helping us get our program up and running and is always pleasant to work with!"

- E.D., IT Security Administrator

"Thank you for reaching out to us. I would say yes, we are a happy camper/customer. We are happy with the features of the Knowbe4 tools, and have successfully launched our baseline test and Foundations training campaign. Our Customer Success Manager, Jacob D., has been a great resource. He has walked us through our initial set up, and is always very responsive to my questions. We are expanding our user base now to our subsidiary companies, and setting up our next campaigns."

- S.D., Data Governance Practice Lead

The 10 Interesting News Items This Week

  1. [WHOA NELLIE] Ransomware attacks cost the U.S. 159.4 Billion in downtime alone in 2021:
  2. The 10 Latest Artificial Intelligence Trends That Your Business Needs to Embrace:
  3. What AI Still Doesn't Know How to Do:
  4. Russian SVR hackers use Google Drive, Dropbox to evade detection:
  5. CISA to open its first-ever international branch office in UK:
  6. Cryptocurrency sent to mixers reaches an all-time high thanks to illicit activity:
  7. Surreal or too real? Breathtaking AI tool DALL-E takes its images to a bigger stage:
  8. EU warns of Russian cyberattack spillover, escalation risks:
  9. Conti's Reign of Chaos: Costa Rica in the Crosshairs:
  10. FBI pushing for changes to rules around Treasury sanctions, SEC cyber incident reporting:
