CyberheistNews Vol 12 #48 [Eye Opener] Microsoft Warns Against Recent, Complex, Ransomware Campaign

CyberheistNews Vol 12 #48  |   November 29th, 2022

[Eye Opener] Microsoft Warns Against Recent, Complex, Ransomware Campaign

Stu Sjouwerman, SACP

Microsoft has observed a threat actor that's been running a phishing campaign since August 2022. The threat actor, which Microsoft tracks as "DEV-0569," is using phishing emails to distribute malicious installers for legitimate apps, including TeamViewer, Microsoft Teams, Adobe Flash Player, Zoom and AnyDesk. The phishing campaign leads to the installation of ransomware and information-stealing malware.

"Historical observation of [a] typical DEV-0569 attack begins with malicious links delivered to targets via malicious ads, fake forum pages, blog comments, or through phishing emails," the researchers write. "These links lead to malicious files signed by the attacker using a legitimate certificate.

"The malicious files, which are malware downloaders known as BATLOADER, pose as installers or updates for legitimate applications like Microsoft Teams or Zoom. When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands."

In the most recent campaign, the threat actor is using website contact forms, legitimate software repositories and Google Ads to distribute their links.

"In late October 2022, Microsoft researchers identified a DEV-0569 malvertising campaign leveraging Google Ads that point to the legitimate traffic distribution system (TDS) Keitaro, which provides capabilities to customize advertising campaigns via tracking ad traffic and user- or device-based filtering," the researchers write.

"Microsoft observed that the TDS redirects the user to a legitimate download site, or under certain conditions, to the malicious BATLOADER download site. Microsoft reported this abuse to Google for awareness and consideration for action. Using Keitaro, DEV-0569 can use traffic filtering provided by Keitaro to deliver their payloads to specified IP ranges and targets. This traffic filtering can also aid DEV-0569 in avoiding IP ranges of known security sandboxing solutions."

New-school security awareness training teaches your employees how to recognize advanced social engineering attacks like this.

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, December 7 @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Did You Know? You can upload your own training video and SCORM modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, December 7 @ 2:00 PM (ET)

World Cup Phishing Attacks Doubled and Will Increase

Researchers at Trellix revealed that phishing email attacks targeting users in the Middle East doubled in October 2022 ahead of the World Cup in Qatar, as reported by The Record.

The end game of these attacks includes financial fraud, credential harvesting, data exfiltration, surveillance and damage to a country or organization's reputation.

The rest of the world will soon follow.

The emails vary in subject matter. Here are a few examples provided by Trellix:

  • Fake FIFA help desk emails warning of two-factor authentication deactivation
  • Emails impersonating a team manager with a supposed payment confirmation phishing link
  • Fake FIFA ticketing office emails warning of a payment issue
  • Bogus legal notifications of a ban implemented by FIFA from registering new players
  • Impersonated Players Status Department emails notifying users of delayed legal fees using WeTransfer's template
  • Spoofed emails from Snoonu, the official food delivery partner of the World Cup, offering fake free tickets to those who register

John Fokker, head of threat intelligence and principal engineer at Trellix, told The Record that they anticipate these attacks to continue through January 2023. "In this instance, we found the attention to the details incorporated into the malicious URLs and customized web pages to be notable, allowing cybercriminals to successfully impersonate league staff and team managers," he explained.

Trellix said the top five malware families it found targeting Middle Eastern countries right now included Qakbot, Emotet, Formbook, Remcos and QuadAgent. These malware strains are typically intended to steal confidential data or info, harvest credentials or gain remote control of a device.

Jeremy Fuchs, a cybersecurity research analyst at Avanan, confirmed that they have also seen an influx of phishing emails related to the World Cup in a variety of different languages. "One common thread is related to betting on the World Cup, trying to entice end-users to wager. Instead, the email and resulting link steals credentials," he said.

[New Feature] See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, December 7 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at brand new Jira integration features we've added to make managing your compliance projects even easier!

  • NEW! Jira integration enables you to sync risk and compliance data between Jira and KCM - no more copying and pasting tasks!
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met and are past due

Date/Time: Wednesday, December 7 @ 1:00 PM (ET)

[Heads Up] 5 Top Scams to Watch Out for This Holiday Season

Here is a 3-minute article that we suggest you copy/paste and send to all your users:

"The holiday season is a time when people are especially vulnerable to scams. This is because they are busy and often have their guard down. Criminals take advantage of this by circulating fake e-gift cards, posing as charities, targeting specific demographics, and so on. In this 3-minute article, we will discuss 'Google's five most popular scams' being circulated this holiday season. So if you want to be aware of the dangers lurking online, then keep reading!

  1. E-gift card scams
  2. Charities
  3. Demographic Targeting
  4. Subscription renewals
  5. Crypto scams

"With the holiday season in full swing, so are gift card and prize scams. These scammers will often lie about being a known contact of yours to try and get you to buy them a gift card, or they may offer an amazing prize in exchange for your credit card information. If you receive any suspicious emails like this from someone claiming to be your friend, make sure to confirm it with them through another method before doing anything further. And as always, if something seems too good to be true, it probably is.

"Be wary of scammers and phishing attempts; they actually worsen during the holiday season. This would not only hurt those who fall for the scams, but also charities that could've benefited from donations. For example, an attacker may pretend to be associated with a charity related to current events or one with a familiar name. If someone contacts you asking for money via personal email or another method, beware that it might be fraudulent.

"With more people shopping online and sharing personal information this holiday season, scammers are taking advantage by targeting consumers with fraud that seems more realistic. For example, you might get an email from what looks like your child's school PTA about a holiday fundraiser.

"But if you click on the link in the email, it could take you to a fake website where you're asked to enter sensitive information like your credit card number or Social Security Number. These types of scams can be difficult to identify because they seem so personalized. But if you're aware of potential threats and know what to look for, you can help protect yourself against them.

"Scammers love to target people at the end of the year, and one particularly nasty version of these emails spoofs antivirus services. They lure victims with promises of improved security, but if you take a closer look at the sender's email address, you can usually spot these scams pretty easily.

"Cryptocurrency-based scammers are more prevalent during times of higher crypto usage, like now. They often use a cryptocurrency wallet to collect payment and may threaten their victim if they don't receive the funds. Gmail usually sends a warning about these kinds of emails, but it's helpful to know how to spot them on your own too. Some key things to look out for that signal fraud include typos, strange email addresses, and demands for payment.

"By being aware of these five popular scams circulating this holiday season, you can protect yourself and your loved ones from potential fraud."

[NEW MOBILE APP] Security Awareness Training Anytime, Anywhere

What if you could manage the ongoing problem of social engineering with security awareness training anytime, anywhere? Now you can broaden the protection of your largest attack surface with 24/7 access to assigned training modules, giving your users flexibility to consume content when it's convenient for them.

Anytime, Anywhere Learning

The KnowBe4 Learner App enables your users to complete their security awareness and compliance training conveniently from their smartphones and tablets. You can now cover employees that don't typically have access to a desktop or laptop device by using the KnowBe4 Learner App. Keep your employees on track to reach their learning requirements with easy access to training that's available with just a few taps.

The KnowBe4 Learner App Provides:

  • Convenience and mobility - learn anytime, anywhere
  • Seamless Localized Learner Experience from desktop to mobile
  • Increased user engagement and faster completion rates of your assigned training campaigns
  • Fingertip access to 100+ KnowBe4 training modules already optimized for mobile use

And the best part? There is no extra cost! The KnowBe4 Learner App is included with your training subscription and is available for Android and iOS devices.

Learn more about the KnowBe4 Learner App now!

Image-Based Phishing and Phone Scams Continue to Get Past Security Scanners

Using the simplest tactic of not including a single piece of content that can be considered malicious, these types of scams are making their way to inboxes every single time.

What happens if the malicious bit of a phishing scam is nothing more than a phone number – and it's embedded within an image to boot? We've covered these kinds of scams before – particularly those pretending to be Amazon. It's a brilliantly simple technique used to get past security scanners; by not having any known-malicious content (remember, it's just an email with an image in it), it gets through to the user's inbox.

But security company Inky, by using optical character recognition (OCR) on the embedded images, detected a recent example of these attacks that was impersonating Geek Squad.

Because many email clients automatically display attached images, this scam is enabled and requires the victim to call the phone number displayed in the image (as there is no link to click and the sender email addresses are often indicated to be a "no-reply" type of email account).

Victims call the number, and criminal call centers use social engineering to trick them into giving up their credit card details. It's a scam that is going to require every email-scanning security solution to offer OCR as a means of detection, which is extremely hard to scale due to the CPU required.

Until then, users need to play a role in their organization's security – something taught through continual security awareness training – and see the scam for what it is and ignore it appropriately.
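Because OCR on every message is too expensive, a mail pipeline can first apply a cheap structural check and send only image-only, link-free messages to OCR. The sketch below is an added example, not code from Inky or KnowBe4; the function names, the 200-character threshold and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://|www\.", re.I)
NOREPLY_RE = re.compile(r"no[-_.]?reply|do[-_.]?not[-_.]?reply", re.I)
MAX_TEXT_CHARS = 200  # assumed cut-off for "almost no readable text"


def ocr_triage(raw: bytes) -> dict:
    """Decide whether a message is worth the CPU cost of OCR."""
    msg = message_from_bytes(raw, policy=policy.default)
    images, text_chars, has_url = 0, 0, False
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            # Check for links before stripping tags so hrefs are seen.
            has_url = has_url or bool(URL_RE.search(body))
            if ctype == "text/html":
                body = re.sub(r"<[^>]+>", " ", body)  # crude tag strip
            text_chars += len("".join(body.split()))
    # The pattern described above: an image, no link, next to no text.
    image_only = images > 0 and not has_url and text_chars <= MAX_TEXT_CHARS
    return {
        "send_to_ocr": image_only,
        "images": images,
        "text_chars": text_chars,
        "has_url": has_url,
        # Supporting signal only; many legitimate senders use no-reply.
        "noreply_sender": bool(NOREPLY_RE.search(str(msg.get("From", "")))),
    }


def _sample(sender: str, subject: str, text: str, with_image: bool) -> bytes:
    """Build a constructed test message; the PNG bytes are a placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", subject
    m.set_content(text)
    if with_image:
        m.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(32), maintype="image",
                         subtype="png", filename="notice.png")
    return m.as_bytes()


# Constructed samples: the scam shape, a normal newsletter, a plain reply.
IMAGE_ONLY = _sample("Billing <no-reply@billing.example>",
                     "Your order confirmation", "See attached.", True)
NEWSLETTER = _sample("News <news@vendor.example>", "Monthly update",
                     "Read more at https://vendor.example/blog "
                     + "Lorem ipsum " * 40, True)
TEXT_ONLY = _sample("colleague@corp.example", "Lunch?",
                    "Noon works for me.", False)

if __name__ == "__main__":
    for name in ("IMAGE_ONLY", "NEWSLETTER", "TEXT_ONLY"):
        print(name, ocr_triage(globals()[name]))
```

Only messages with `send_to_ocr` set go on to the OCR stage, where extracted text can be checked for phone numbers and brand names.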

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [Budget Ammo @ Forbes] "Six Things To Consider When Designing Your Cybersecurity Awareness Training Program":

PPS: [WHOA] WhatsApp data breach sees nearly 500 million user records up for sale:

Quotes of the Week  
"Don't ever become a pessimist... a pessimist is correct oftener than an optimist, but an optimist has more fun, and neither can stop the march of events."
- Robert A. Heinlein - Writer (1907 - 1988)

"If you want to test a man's character, give him power."
- traditionally attributed to President Abraham Lincoln

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Watch Out for 'MFA Fatigue Attacks'

Researchers at Specops Software describe a technique attackers are using to bypass multifactor authentication (MFA). In an article for BleepingComputer, the researchers explain that attackers repeatedly attempt to log in to an account protected by MFA, which spams the user with MFA requests until the user finally approves the login.

"Cybercriminals increasingly use social engineering attacks to access their targets' sensitive credentials," the researchers write. "Social engineering is a manipulative technique used by hackers to exploit human error to gain private information. MFA fatigue is a technique that has gained popularity among hackers in recent years as part of their social engineering attacks.

"This is a simple yet effective technique with destructive consequences as the hackers are banking on their targets' lack of training and understanding of attack vectors."

If the user is unaware of this technique, they may accept the request to make the notifications stop. "Since many MFA users are unfamiliar with this style of attack, they would not understand that they are approving a fraudulent notification," the researchers write.

"As the MFA notifications appear continuously, a user may get tired and assume it's an annoying system malfunction; hence accept the notification as they did previously. Unfortunately, this grants the hacker access to the user's critical infrastructure."

This technique was used by the Lapsus$ cybercriminal gang to successfully breach Uber in September 2022. "As these MFA bombing attacks have obvious negative impacts on businesses, companies should ensure that all their critical infrastructures and resources are protected from internal or external threats," the researchers write.

"These attacks can damage a company's reputation and erode the trust of its customers, leading to a loss of customers and sales volume. Additionally, MFA attacks can disrupt your operations, cause loss of sensitive information and alter your business practices."

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to follow security best practices.
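The pattern described above (a burst of unanswered or denied push prompts, sometimes ending in an approval) can also be detected in authentication logs. The following is an added example, not code from Specops or BleepingComputer; the log format, field names, threshold and window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed: unapproved prompts that form a burst

# Constructed sample log, one MFA push result per line, sorted by time.
SAMPLE_LOG = """\
2022-11-29T02:14:05 user=alice event=mfa_push result=timeout
2022-11-29T02:14:40 user=alice event=mfa_push result=denied
2022-11-29T02:15:10 user=alice event=mfa_push result=timeout
2022-11-29T02:15:55 user=alice event=mfa_push result=denied
2022-11-29T02:16:30 user=alice event=mfa_push result=timeout
2022-11-29T02:17:02 user=alice event=mfa_push result=timeout
2022-11-29T02:17:20 user=alice event=mfa_push result=approved
2022-11-29T09:00:00 user=bob event=mfa_push result=denied
2022-11-29T09:30:00 user=bob event=mfa_push result=approved
2022-11-29T09:31:00 user=carol event=mfa_push result=approved
""".splitlines()


def detect_mfa_fatigue(lines):
    """Return (user, alert_type, timestamp) tuples for prompt bursts.

    prompt_burst: THRESHOLD unapproved prompts for one user inside WINDOW.
    approved_after_burst: an approval arriving while a burst is in progress,
    the case where the user may have given in.
    """
    recent = defaultdict(deque)  # user -> times of unapproved prompts
    alerts = []
    for line in lines:
        ts_text, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if fields.get("event") != "mfa_push":
            continue
        ts = datetime.fromisoformat(ts_text)
        queue = recent[fields["user"]]
        # Drop prompts that have aged out of the sliding window.
        while queue and ts - queue[0] > WINDOW:
            queue.popleft()
        if fields["result"] in ("denied", "timeout"):
            queue.append(ts)
            if len(queue) == THRESHOLD:  # alert once as the burst forms
                alerts.append((fields["user"], "prompt_burst", ts_text))
        elif fields["result"] == "approved":
            if len(queue) >= THRESHOLD:
                alerts.append(
                    (fields["user"], "approved_after_burst", ts_text))
            queue.clear()  # a successful login resets the count
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

An `approved_after_burst` alert is the higher-priority signal, since it marks a session that may need to be revoked and a user who should be contacted.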

BleepingComputer has the story:

Callback Phishing by Luna Moth

We've seen the criminal activity cluster researchers call "Luna Moth" before. Back in August the group was noted for its complex mixture of social engineering approaches: phishing, vishing, bogus support sessions, and fake subscription scams designed to induce the victim to install remote access Trojans. Luna Moth is back, or, more accurately, still with us. Palo Alto Networks' Unit 42 is tracking a surge in the gang's callback phishing.

"The initial lure of this campaign is a phishing email to a corporate email address with an attached invoice indicating the recipient's credit card has been charged for a service, usually for an amount under $1,000. People are less likely to question strange invoices when they are for relatively small amounts.

"However, if people targeted by these types of attacks reported these invoices to their organization's purchasing department, the organization might be better able to spot the attack, particularly if a number of individuals report similar messages.

"The phishing email is personalized to the recipient, contains no malware and is sent using a legitimate email service. These phishing emails also have an invoice attached as a PDF file. These features make a phishing email less likely to be intercepted by most email protection platforms."

The PDF file has a phone number that will connect the victim to the scammer. The scammer then instructs the victim to download a remote support tool so the scammer can manage the victim's computer, supposedly to cancel the phony subscription.

After exfiltrating data, the attackers email the compromised organization and threaten to release stolen data unless the victim pays a suitable ransom. The ransom amount varies with the victim's perceived revenue, ranging from around $30,000 to over $1 million, payable in Bitcoin. There is, of course, no guarantee that the crooks will keep their promise to delete the stolen files if they're paid.

New-school security awareness training teaches your employees how to recognize social engineering attacks, especially the more plausible, multi-stage attacks that characterize callback phishing.

Palo Alto Networks has the story:

What KnowBe4 Customers Say

"Stu - First off, I suck at exec-speak, so I apologize ahead of time. I wanted to reach out and thank you for creating and maintaining a platform that addresses such a large number of issues involving the training that goes into protecting a company and ensuring its compliance.

"Hopefully you've made it this far in my note, because no matter how amazing your product is, without equally amazing people supporting it and supporting your customers, that flash stays in the pan.

"To that end, I would truly and sincerely like to thank you for having Alex H. and Brad S. (alphabetical listing - they're both incredible) on your team. With their help, we have gone from a company asking itself "how many different companies do we need??" down to "hey, toss the new guy in KnowBe4's user list and he'll automatically get all his training assigned and tracked".

"I cannot begin to tell you how much of a relief it is to have such a simple yet effective solution. In short, or what I'll call short, thank you."

S.P., Information Security Officer

The 10 Interesting News Items This Week
  1. Cybersecurity incidents cost organizations $1,197 per employee, per year:

  2. Ducktail spins new tales to hijack Facebook Business accounts:

  3. KnowBe4's new 'SecurityCoach' provides real-time coaching to reduce risky behavior:

  4. Google releases 165 YARA rules to detect Cobalt Strike attacks:

  5. Google: "5 scams to watch out for this holiday season":

  6. DHS Secretary: Cyberattacks are the most significant threat to port infrastructure:

  7. U.S. Offshore Oil and Gas Infrastructure at Significant Risk of Cyberattacks:

  8. Google Blocks 231B Spam, Phishing Emails in Past 2 Weeks:

  9. Four Impersonation Attacks Organizations Should Be Wary Of:

  10. KnowBe4's Team of Cybersecurity Experts Release Top Five Predictions for 2023:
