CyberheistNews Vol 12 #34 [Eye Opener] The Cisco Hack Was Caused by Initial Access Broker Phishing

Cyberheist News

CyberheistNews Vol 12 #34  |   August 23rd, 2022

[Eye Opener] The Cisco Hack Was Caused by Initial Access Broker Phishing

By Stu Sjouwerman, SACP

Cisco has disclosed a security incident that began with stolen employee credentials and succeeded through social engineering: voice phishing calls and MFA push spam aimed at the employee whose credentials had been taken, according to researchers at Cisco Talos.

The researchers believe the attack was carried out by an initial access broker with the intent of selling access to the compromised accounts to other threat actors.

"On May 24, 2022, Cisco identified a security incident targeting Cisco corporate IT infrastructure, and we took immediate action to contain and eradicate the bad actors," Cisco said in a statement. "In addition, we have taken steps to remediate the impact of the incident and further harden our IT environment. No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco's network since discovering the incident.

"Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations. On August 10 the bad actors published a list of files from this security incident to the dark web."

Cisco Talos explains that the attackers first gained access to Cisco's network after compromising an employee's personal Google account. The employee had enabled password syncing in Google Chrome and had saved their Cisco credentials in the browser, so those credentials synced to the compromised Google account. With a valid username and password in hand, the attackers turned to social engineering to get past multifactor authentication; once a push was accepted, they enrolled their own devices for MFA and connected to the corporate VPN as that user.

"After obtaining the user's credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka "vishing") and MFA fatigue, the process of sending a high volume of push requests to the target's mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving," Cisco Talos says.

"Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user."
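The MFA fatigue pattern Talos describes leaves a distinctive trace in push-authentication logs: a run of pushes the user ignores or denies, then one they approve. The detection below is an added example, not Cisco's, Talos's or KnowBe4's code. Its log format (one JSON object per line with ts, user, result, src_ip and device) and the two users in the sample are constructed for illustration; real identity providers use other field names, so adapt parse_line() to your own export.

```python
"""Detect MFA push bombing ("MFA fatigue") in push-authentication logs.

Added example; this is not Cisco's, Talos's or KnowBe4's code. The log
format is constructed for illustration: one JSON object per line with
fields ts (ISO-8601 UTC), user, result (approved / denied / timeout),
src_ip and device. Real identity providers use other field names, so
adapt parse_line() to your own export.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window per user
THRESHOLD = 5                    # unapproved pushes in WINDOW = a burst

# Constructed sample: six pushes that alice ignores or denies, then one she
# approves (the "fatigue" moment); bob gets a single normal approval.
SAMPLE_LOG = """\
{"ts":"2022-05-24T03:01:05Z","user":"alice","result":"timeout","src_ip":"203.0.113.9","device":"unknown"}
{"ts":"2022-05-24T03:01:40Z","user":"alice","result":"denied","src_ip":"203.0.113.9","device":"unknown"}
{"ts":"2022-05-24T03:02:15Z","user":"alice","result":"timeout","src_ip":"203.0.113.9","device":"unknown"}
{"ts":"2022-05-24T03:02:50Z","user":"alice","result":"denied","src_ip":"203.0.113.9","device":"unknown"}
{"ts":"2022-05-24T03:03:25Z","user":"alice","result":"timeout","src_ip":"203.0.113.9","device":"unknown"}
{"ts":"2022-05-24T03:04:00Z","user":"alice","result":"timeout","src_ip":"203.0.113.9","device":"unknown"}
{"ts":"2022-05-24T03:05:10Z","user":"alice","result":"approved","src_ip":"203.0.113.9","device":"unknown"}
{"ts":"2022-05-24T03:30:00Z","user":"bob","result":"approved","src_ip":"198.51.100.7","device":"bob-laptop"}
"""


def parse_line(line):
    """Turn one JSON log line into a dict with a datetime timestamp."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return a list of (user, kind, ts) alerts.

    kind == "push_bombing": the user received `threshold` or more pushes
        they did not approve inside `window` (one alert per burst).
    kind == "approval_after_burst": the user approved a push within
        `window` of such a burst. Treat that session as attacker-controlled
        until proven otherwise: revoke it and any MFA devices enrolled after it.
    """
    recent = defaultdict(deque)   # user -> deque of unapproved-push timestamps
    last_burst = {}               # user -> timestamp of the latest burst event
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        q = recent[user]
        while q and ts - q[0] > window:      # drop events outside the window
            q.popleft()
        if rec["result"] == "approved":
            burst_ts = last_burst.get(user)
            if burst_ts is not None and ts - burst_ts <= window:
                alerts.append((user, "approval_after_burst", ts))
            continue                           # approvals do not count toward a burst
        q.append(ts)
        if len(q) >= threshold:
            if user not in last_burst or ts - last_burst[user] > window:
                alerts.append((user, "push_bombing", ts))
            last_burst[user] = ts              # keep the burst "fresh" for later pushes
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_push_bombing(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()}Z {user}: {kind}")
```

The second alert kind is the one that matters operationally: a burst by itself only says the user is being targeted, but an approval inside the burst window is the moment the attacker gets a session, and in the Cisco case it was followed by new MFA device enrollments, so the response is to kill the session and audit enrollments, not just to reset the password.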

New-school security awareness training can teach your employees to follow security best practices so they can thwart social engineering attacks.


[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users' mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, August 24 @ 2:00 PM (ET), for a live 30-minute demonstration of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Save My Spot!

[Heads Up] More Super Targeted Spear Phishing Ahead

By Roger A. Grimes.

Hardly a day goes by without a news alert about the latest HUGE data breach. It's so commonplace today that it rarely rates a spot at the top of the news. In a newspaper, the announcement of the latest breach may be on the third page. We've become numb to them. And that's a big problem.

For sure, much of our personal information is out there, including PII, phone numbers, home and work address locations, and a ton of very specific information related to us.

A recent CISO told me he was not only surprised that voice-based phishing calls were over half of his total phishing volume reported to his SOC but that he could not readily understand how the phishing calls understood which of his co-workers were at home (and called their cell phone numbers) and which were back working at work (and called the facility's main phone number and knew which internal extension to ask for). It was as if the attackers had an up-to-date call list of his employees, even though there wasn't one to his knowledge.

I've had other IT employees remark about how amazed they were that the spear phishing scammers knew exactly who to target in accounting or payroll to send their latest business email compromise (BEC) scam. The victims and their roles within their organization were not particularly well-known outside the company, and yet they were still successfully targeted by the exact type of message that made the request seem more legitimate.

I've had friends who showed me SMS-based phishing messages that contained their names and other personal information, so that the person trying to scam them, for sure, had relevant personal information. We all know that not only are attackers stealing and abusing other hackers' piles of stolen information but that we are, being the social creatures that we are, revealing all sorts of good information on ourselves and our work positions, which hackers gladly use to their advantage.


Forrester Total Economic Impact of KnowBe4 Offers 276% ROI and Payback Within 3 Months

KnowBe4 commissioned Forrester Consulting to conduct a Total Economic Impact study examining the potential Return on Investment (ROI) enterprises might realize by deploying KnowBe4's Security Awareness Training & Simulated Phishing and PhishER platforms.

Forrester assessed the cost savings, productivity gains, and business benefits experienced by a global enterprise customer. Read the study today to learn how KnowBe4 offers the following benefits:

  • Reduction in risk exposure through a stronger cybersecurity posture
  • Time savings in email alert investigation and reduction in incident response costs
  • Risk-adjusted total benefits of more than $1.1 million Present Value (PV) over 3 years
  • A three-year ROI of 276% with payback in less than 3 months

Download Your Copy of the Study Now!

One-Third of Organizations Experience Ransomware Attacks at Least Weekly

New data shows attempted ransomware attacks are occurring far more frequently while a lack of confidence is found in security measures and solutions to stop ransomware attacks.

We'd like to think that as cybercriminals improve their game, security solutions and organizational cybersecurity programs, policies and procedures would evolve in step to stand toe-to-toe with the current state of ransomware attacks. But new data in Menlo Security's 2022 Impacts: Ransomware Attacks and Preparedness report demonstrates that this just isn't the case.

According to the report, just about every organization is experiencing ransomware attacks to some degree:

  • 53% have been the victim of an attack in the last 18 months
  • 33% experience ransomware attacks weekly
  • 9% experience them daily

This is far more frequent than just a year or two ago. So, we'd expect that security stances are equal to the task of protecting the organization, right?

Not so fast.

According to the report, email was identified as the ransomware attack vector posing the greatest risk. And yet, only 62% of organizations are confident that their security solutions focused on phishing attacks will actually protect them against ransomware.

Add to this that 43% of organizations say employees are their weakest cybersecurity link. This only compounds the problem: organizations know email and phishing are a big issue, and yet they aren't taking steps to turn the employee from a cyber-liability into a part of the organization's security strategy.

Through security awareness training, employees learn to spot phishing and social engineering attacks that make it past security solutions, thereby avoiding any interaction with malicious content that may lead to a ransomware – or any other – attack.


Learn How to Forensically Examine Phishing Emails to Better Protect Your Organization Today

Cybercrime has become an arms race where the cybercriminals constantly evolve their attacks while you, the vigilant defender, must diligently expand your know-how to prevent intrusions into your network.

Staying a step ahead may even involve becoming your own cybercrime investigator, forensically examining actual phishing emails to determine the who, the where, and the how.

In this on-demand webinar, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, shows you how to become a digital private investigator!

You’ll learn:

  • How to forensically examine phishing emails and identify other types of social engineering
  • What forensic tools and techniques you can use right now
  • How to investigate rogue smishing, vishing and social media phishes
  • How to enable your users to spot suspicious emails sent to your organization

Get inside the mind of the hacker, learn their techniques, and how to spot phishing attempts before it's too late!

Watch the Webinar Now!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Browse the New ModStore for an overview of all the fresh KnowBe4 Compliance Plus Training. Scroll down and keep on scrolling!

PPS: Black Hat 2022 reveals enterprise security trends. Reducing the growing blast radius.

NOTE: 81-year-old gets scammed out of 420K, and it all started with a McAfee tech support email...

PROTECT YOUR FAMILY. Did you know that KnowBe4 has a free one-hour Internet Security Awareness home course for your family? Sit down with them and step them through the family-friendly modules. It's needed, fun, extremely educational and could prevent a disaster like the scam above.


The password is simple by design: homecourse

Quotes of the Week  
"Books are the quietest and most constant of friends; they are the most accessible and wisest of counselors, and the most patient of teachers."
- Charles W. Eliot (1834 – 1926)

"Daring ideas are like chessmen moved forward; they may be beaten, but they may start a winning game."
- Johann Wolfgang von Goethe (1749 – 1832)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Ransomware Strains Almost Double in Six Months from 5,400 to 10,666

A recent report from FortiGuard Labs found that the number of ransomware variants nearly doubled in the first half of 2022, from 5,400 in the prior six months to 10,666, and the year is not over yet.

In a statement from FortiGuard Labs' Chief Strategist, "Cyber adversaries are advancing their playbooks to thwart defense and scale their criminal affiliate networks. They are using aggressive execution strategies such as extortion or wiping data as well as focusing on reconnaissance tactics pre-attack to ensure better return on threat investment."

Taken together with our recent insights on one-third of organizations seeing weekly ransomware attacks and the Cisco hack that started with an initial access broker, ransomware is not going away anytime soon. Bad actors will keep deploying it as their most profitable payload once phishing or purchased access has given them a foothold in your organization.

But how can you defend against these types of attacks in the future? In short, new-school security awareness training is the answer. Your organization needs to gain a deeper understanding of the goals and tactics used by threat actors and stay up-to-date on the latest attacks. And as the number of threats continues to grow, your human firewall can grow with it.


Children of Conti Go Phishing

Researchers at AdvIntel warn that three more ransomware groups have begun using the BazarCall spear phishing technique invented by the Ryuk gang (a threat group that subsequently rebranded as Conti). BazarCall callback phishing allows threat actors to craft much more targeted social engineering attacks designed for specific victims. The researchers outline the four stages of this technique:

  • "Stage One. The threat actor sends out a legitimate-looking email, notifying the target that they have subscribed to a service for which payment is automatic. The email gives a phone number that targets are able to call to cancel their subscription.
  • "Stage Two. The victim is lured into contacting a special call center. When operators receive a call, they use a variety of social engineering tactics, to convince victims to give remote desktop control, ostensibly to help them cancel their subscription service.
  • "Stage Three. Upon accessing the victim's desktop, a skilled network intruder silently entrenches into the user's network, weaponizing legitimate tools that were previously typical of Conti’s arsenal. The initial operator remains on the line with the victim, pretending to assist them with the remote desktop access by continuing to utilize social engineering tactics.
  • "Stage Four. In the final stage of BazarCall, the initiated malware session yields the adversary access as an initial point of entry into the victim's network. This initial access is then used and exploited in order to target an organization's data."
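What makes the Stage One lure hard for mail filters is what it lacks: there is no link to detonate and no attachment to scan, only a phone number and a billing pretext. The script below is an added example, not AdvIntel's or KnowBe4's code, showing a rule that keys on exactly that combination. Both sample messages, the keyword list and the (North American) phone-number pattern are constructed for illustration; tune them to your own mail flow.

```python
"""Flag callback-phishing lures (the BazarCall pattern): a billing or
subscription notice that carries a phone number but no link and no
attachment, so URL- and attachment-centric mail filters see nothing.

Added example; not AdvIntel's or KnowBe4's code. The two sample messages
and the keyword list are constructed for illustration; tune the list and
the phone-number pattern (North American format assumed) to your own mail.
"""
import re
from email import message_from_string

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
LURE_WORDS = ("subscription", "renewal", "auto-renew", "invoice", "charged", "cancel")

# Constructed lure: money pressure, a deadline, a phone number, no link.
SAMPLE_LURE = """\
From: Billing <billing@example.net>
To: victim@example.com
Subject: Your annual subscription has been renewed
Content-Type: text/plain; charset="utf-8"

Thank you for your order. Your subscription has been renewed and your card
will be charged $499.99 today. If you did not authorize this renewal or wish
to cancel, call our support line at (555) 010-4477 within 24 hours.
"""

# Constructed benign notice: same topic, but it links to a portal and
# carries no phone number.
SAMPLE_BENIGN = """\
From: Accounts <accounts@example.org>
To: victim@example.com
Subject: Your invoice is ready
Content-Type: text/plain; charset="utf-8"

Your monthly invoice is available in the customer portal:
https://portal.example.org/invoices
"""


def body_text(msg):
    """Concatenate all text/plain parts (walk() yields the message itself
    when it is not multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def has_attachment(msg):
    return any(part.get_filename() for part in msg.walk())


def score_callback_lure(raw):
    """Return (is_lure, reasons). is_lure is True only when all three
    signals line up: billing language, a phone number, and nothing to click."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    phones = sorted(set(PHONE_RE.findall(text)))
    lure_hits = [w for w in LURE_WORDS if w in text.lower()]
    nothing_to_click = not URL_RE.search(text) and not has_attachment(msg)
    reasons = []
    if lure_hits:
        reasons.append(f"billing lure words: {lure_hits}")
    if phones:
        reasons.append(f"phone numbers to call: {phones}")
    if nothing_to_click:
        reasons.append("no link or attachment: link-based filters see nothing")
    return bool(lure_hits and phones and nothing_to_click), reasons


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        verdict, why = score_callback_lure(raw)
        print(name, "-> callback phishing" if verdict else "-> not flagged", why)
```

A rule like this is a triage signal, not a verdict: plenty of legitimate receipts carry a support number. Its value is that it surfaces the link-free lure for a human or a sandbox-free review queue, which is where Stage Two of the attack would otherwise start unobserved.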

The researchers conclude that more ransomware actors will likely incorporate this technique into their own attacks.

"Since its resurgence in March earlier this year, call back phishing has entirely revolutionized the current threat landscape and forced its threat actors to reevaluate and update their methodologies of attack in order to stay on top of the new ransomware food chain," AdvIntel says.

"Other threat groups, seeing the success, efficiency, and targeting capabilities of the tactic have begun using reversed phishing campaigns as a base and developing the attack vector into their own. This trend is likely to continue:

"As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on."

Conti as such may no longer be an active brand, but its operators haven't retired. New-school security awareness training can teach your employees to thwart evolving social engineering tactics.


What KnowBe4 Customers Say

"Stu, Thanks for the follow up! We ran 3 successful campaigns so far. Now we are running a phishing simulation campaign for 1 week, see where we stand :) What can I say, it's very easy to set up anything because we had Kimberly help create the drafts - she's awesome! All good from our side!"

- R.V., IT Manager

"This redacted email went out today regarding an incident that happened today and I thought that you guys might appreciate the results. Just some positive feedback...

"All, Today around 11:35 AM we received a round of malicious emails from a source at ___. The email was sent from an ___ hacked account and contained a malicious payload. Thanks to the diligence of several employees who, armed with our internal cybersecurity / phishing training, used the "Phish Alert" process, we were alerted to a potential problem.

"Our IT team immediately investigated the email and by 11:45 AM we issued a remediation process to remove the 27 emails from our systems and block the inbound email address to prevent further intrusion.

"You are being sent this email because you have received/sent emails to ___ in the last 7 days. While our contacts at ____ are aware of the issue and are taking steps to avoid further issues, please be “extra diligent” with emails that are coming from ___ just in case.

"Phishing emails are becoming more sophisticated and are becoming harder and harder to identify. Before you click on ANY link or attachment please make sure that you are certain that it is legitimate. In this case the source was a known source and you cannot solely rely on the source as a validation of the email. If you have any questions please let me know or contact the helpdesk."

- K.G., IT

The 10 Interesting News Items This Week
  1. Overview of the Cyber Weapons Used in the Ukraine - Russia War

  2. New Lows. Hackers attack UK water supplier but extort the wrong victim, extorting water companies during a drought

  3. Microsoft disrupts Russia-linked hacking group targeting defense and intelligence orgs

  4. Feds Warn Healthcare Entities of 'Evernote' Phishing Scheme

  5. Twilio and Cisco breaches highlight the dangers of social engineering attacks

  6. CISA Director Looking for 'Unlikely' Partnerships in Cyber Fight

  7. Russian hackers target Ukraine with default Word template hijacker

  8. Russian APT29 hackers abuse Azure services to hack Microsoft 365 users

  9. APT Lazarus Targets Engineers with macOS Malware

  10. RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations
