CyberheistNews Vol 12 #52 | December 28th, 2022
[Heads Up] Top 10 Cyber Security Predictions for Next Year. Read It, This Is a Good One
To start off I'm repeating the tradition of my same New Year's wish as a newsletter editor since 1996: "A world without war, crime and insanity, where honest people can flourish, prosper and reach greater heights".
At the end of the year I spend a few days reading all the IT security pundit's 2023 predictions and synthesize them with my own perspective. The Crystal Ball editorial is the shortest of the year and takes the longest to write, but it's fun.
President Ronald Reagan once said, "The future doesn't belong to the fainthearted; it belongs to the brave." Sci-fi writer William Gibson added a few decades later: "The future is already here, it's just unevenly distributed." So, what will come next in our world of cybersecurity as we head into 2023?
The industry as a whole covered the following topics: This year will bring significant shifts to the world of cybersecurity. We could very well see a barrage of nation-state cyberattacks inspired by Ukraine's hybrid hot- and cyberwar, an increase in MFA attacks, innovative strikes against drones and space vehicles, and skyrocketing social engineering attacking social media with deepfakes.
As the reach of hacktivism continues to expand, organizations are being compelled to look beyond endpoint solutions and invest in new "umbrella" platforms like XDR, Managed XDR and HDR that can help them manage increasing Infosec complexities. Furthermore, ransomware is expected to remain a major threat as malicious actors experiment with new, even more damaging forms. We must be especially vigilant when it comes to emerging technologies such as self-driving automobiles, humanoid robots or the Metaverse that highly likely will provide cyber criminals with new attack surfaces. It is sure to be an eventful 2023.
As usual, I'm donning my asbestos undies, so you can safely flame my poor behind after reading the new 2023 predictions. Good riddance to 'annus horribilis' 2022, which was the year of permacrisis.
- A shift in focus to create a culture of security and resilience versus compliance and breach-prevention, as identity and authentication attacks will remain a constant threat.
- Dramatic rise of purely destructive attacks by APTs, as techniques of cyberwar will come to commercial cybercrime.
- Shapeshifting ransomware business models will become a bigger avenue for data theft and blackmail, EU possibly overtaking US as most-targeted.
- MFA adoption fuels a surge in social engineering, BEC and weaponized deepfakes will take new forms, social engineers set their sights on ICS systems.
- A Foundational Model for Adversarial AI will make it into the mainstream. Have you played with ChatGPT? The coming GPT-4 will be a killer.
- Mobile Workplace Trends (gaming, LinkedIn, WhatsApp, Signal, Snapchat) create ever larger attack surfaces enabling lateral penetrations.
- Innovative Crime-as-a-Service players make major inroads.
- Cyber Insurers verticalize their already increased security requirements, both premiums and outright rejections skyrocket.
- Macro-economic pressures and the coming 2023 Recession expose weaknesses and increase systemic infosec risk.
- The fragility of crypto infosec will cause the mother of all breaches, undermining it as a whole, and spur central banks to roll out digital currencies. Search for CBDC and shiver.
In "The Big Lessons From History", financial writer Morgan Housel sums it up succinctly: "Risk is what you don't see," and "The riskiest stuff is always what you don't see coming." All the more reason to keep your eyes peeled and send monthly simulated phishing tests to keep your users on their toes!
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, January 11 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! KnowBe4 Mobile Learner App - Users Can Now Train Anytime, Anywhere!
- NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
- NEW! AI-Driven phishing and training recommendations for your end users
- Did You Know? You can upload your own SCORM and video training modules into your account for home workers
- Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 50,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: Wednesday, January 11 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/4054183/88BA0B2BA080B14CBD5BD0884CE0BA18?partnerref=CHN2
"How I Lost My Dog and Almost My Google Credentials..."
A well-trained Knowster posted: "I lost my dog this weekend and my mother-in-law was trying to be helpful and put my real phone number on a few social media posts she made. Now I'm getting these kinds of texts and it's heartbreaking to think someone else may have fallen for this! A quick Google search let me know exactly what this guy really wanted."
Here are three screenshots that show 1) the bad actor setting the hook, 2) the verification code being sent, and 3) how the scam works.
Warn your family and friends against this devilish scam.
https://blog.knowbe4.com/how-i-lost-my-dog-and-almost-my-google-credentials
KnowBe4 Has Been Named a Leader in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022
Forrester Research has named KnowBe4 as a Leader in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022 based on our scores in the strategy, market presence and current offering categories. We received the highest scores possible in 16 out of 30 evaluation criteria, including breadth of content coverage, security culture measurement and customer support and success.
According to the report, "KnowBe4 has one of the largest content libraries of the firms we evaluated; as customer references confirmed, its learner content is unique, varied, and engaging… Prospective customers who are seeking innovation in training, behavior, and culture change but who value the stability of an established vendor should evaluate KnowBe4."
Being recognized as one of the organizations that are leaders in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022 is an honor for us. As providers of the world's largest security awareness training platform, we believe being named a Leader continues to show the success of our ability to enable organizations and their users to make smarter security decisions, improve their security culture and mitigate risk using world-class training and simulated phishing.
Learn why KnowBe4 has been recognized as a Leader.
Download your complimentary copy of the report now!
https://info.knowbe4.com/forrester-wave-security-awareness-training-chn
The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022, Forrester Research, Inc., March 16, 2022
Social Engineering, Money Mules, and Job Seekers
A small town in Manitoba, WestLake-Gladstone (population about 3300), fell victim to a social engineering campaign. The municipal government seems to have been a target of opportunity, but it lost some $433 thousand to scammers.
The scam began with a gig economy job offer. "A seemingly legitimate company, with a professional website and a Nova Scotia address, claimed it was looking for cash processors. The contract was for one month. Employees could work from home," the CBS explained. "They were told they would receive payments to their credit cards, which they would be expected to move to their bank accounts. They would then withdraw the payments, convert them into bitcoin, and send that to another account."
All a prospective "cash processor" needed to qualify were a phone, Internet access, and familiarity with online banking. Also, they would need "proximity to a bitcoin machine." If the aspiring cash processors did an Internet search for their prospective employer, they would "find a professional website, with information matching what was provided in the employment agreement." And it came with a Nova Scotia address, just to lend verisimilitude to the scam.
The offer itself was phishing, and eventually someone in WestLake-Gladstone followed a malicious link that enabled the crooks to gain access to the municipal bank accounts. The local government noticed something was amiss when it saw withdrawals, each one less than $10 thousand, being made with money sent to unfamiliar destinations.
[CONTINUED]:
https://blog.knowbe4.com/social-engineering-money-mules-and-job-seekers
Learn How to Forensically Examine Phishing Emails to Better Protect Your Organization Today
Cyber crime has become an arms race where the cybercriminals constantly evolve their attacks while you, the vigilant defender, must diligently expand your know-how to prevent intrusions into your network.
Staying a step ahead may even involve becoming your own cyber crime investigator, forensically examining actual phishing emails to determine the who, the where, and the how.
In this on-demand webinar, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, shows you how to become a digital private investigator!
You'll learn:
- How to forensically examine phishing emails and identify other types of social engineering
- What forensic tools and techniques you can use right now
- How to investigate rogue smishing, vishing, and social media phishes
- How to enable your users to spot suspicious emails sent to your organization
Get inside the mind of the hacker, learn their techniques, and how to spot phishing attempts before it's too late!
Watch the Webinar Now!
https://info.knowbe4.com/phishing-forensics-chn
[BOOK REVIEW] "Surprised Again!―The COVID Crisis and the New Market Bubble"
Want a peek in the 2023 economic Crystal Ball?
Alex Pollock and Howard Adler wrote a compelling, easy-to-read book about the current economy and how overall debt is accumulating. I read it over Christmas and it's full of excellent insights. One of them: "Liquidity is a figure of speech. We know that markets freeze up during a crisis and that liquidity disappears just when you need it, and indeed because you need it."
Thomas H. Stanton, Johns Hopkins University wrote: "A masterful survey of the financial sector and its post-COVID dependence on easy money from the Federal Reserve. This book is the first place to turn for a clear exposition of key financial topics—housing, municipal debt, pension funds, student loans, cryptocurrencies, and more. The reader will be surprised yet again at the extent of financial problems lurking below the surface."
James Grant, Grant's Interest Rate Observer said: "What will not surprise you is the wisdom, wit, and insight in this indispensable guide to financial prophecy. The future may be a closed book, but you must open—and read—this one."
[Warmly Recommended] Here is a link to the Kindle version:
https://www.amazon.com/dp/B0BHTW423S?ref_=k4w_ss_details_rh
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [YEAR-END BUDGET AMMO] By yours truly at Forbes: "Deepfakes: Get ready for phishing 2.0":
https://www.fastcompany.com/90829233/deepfakes-get-ready-for-phishing-2-0
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-52-heads-up-top-10-cyber-security-predictions-for-next-year
Now BEC Attacks Steal Physical Goods
The Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) have released a joint advisory warning that scammers are launching business email compromise (BEC) attacks to divert and steal deliveries of food and ingredients worth hundreds of thousands of dollars.
"While BEC is most commonly used to steal money, in cases like this criminals spoof emails and domains to impersonate employees of legitimate companies to order food products," the advisory states. "The victim company fulfills the order and ships the goods, but the criminals do not pay for the products.
"Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company's reputation."
Most of the thefts involved large shipments of powdered milk, which are usually sold on the black market to buyers in China. According to the Register, foreign-made powdered milk is still in high demand by parents in China following a 2008 incident in which thousands of children were hospitalized by a melamine-contaminated domestic brand.
The joint advisory describes several of these BEC attacks, including the following: "From at least June through August 2022, unknown criminal actors used the identity of a US company to fraudulently attempt to obtain store credit and/or place large purchase orders to procure shipments of powdered milk and other ingredients from multiple suppliers," the advisory states.
"Industry dairy vendors notified the company that the unknown third party created falsified credit applications, purchase orders, and invoices in their attempts to place large orders for powdered milk. In one instance, the attempted purchase orders totaled nearly $230,000."
[CONTINUED]
https://blog.knowbe4.com/now-bec-attacks-steal-physical-goods
Increase In XLL Files Used to Deliver Malware
Attackers are using XLL files to embed malicious code in Office documents, according to researchers at Cisco Talos. Microsoft is phasing out the ability to execute VBA macros in Office documents. These macros have been one of the most popular ways to deliver malware, so attackers are turning to new ways to smuggle malicious code.
"Add-ins are simply pieces of executable code, in various formats and capabilities, that can be added to Office applications in order to enhance the application's appearance or functionality," the researchers write.
"Add-ins may come in a form of specific Office documents containing VBA code or modules containing compiled functionality, whether the compiled functionality is contained in .NET bytecode (VSTO plugins), in a form of COM servers or in a form of dynamic loading libraries (DLL) renamed with a specific filename extension."
If a user opens an XLL file, the system will automatically launch Excel, although users will see a security warning before the malicious code is allowed to execute. "Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included," the researchers write. "This is a similar approach as the message about potentially dangerous code which is displayed after an Office document containing VBA macro code is opened.
"Unfortunately, this protection technique is often ineffective as a protection against the malicious code as many users tend to disregard the warning." Nation-state actors and sophisticated criminal groups have been using XLL files for several years, and the technique is growing in popularity.
https://blog.knowbe4.com/xll-files-used-to-deliver-malware
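The article notes that an XLL is just a DLL with a renamed extension, and that the Excel warning is routinely clicked through. The following is an added example, not code from the article or from Cisco Talos, of a mail-gateway triage routine that does not rely on the user at all: it checks whether an attachment is a PE image, whether the PE is flagged as a DLL, and whether it carries the standard XLL entry-point names (xlAutoOpen and friends), so that a renamed XLL is caught regardless of its extension. The sample attachments are constructed inline (minimal PE headers, not real malware).

```python
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF header
# Exports Excel looks for when loading an add-in; their presence in a
# file is a strong hint that it is an XLL, whatever its extension.
XLL_ENTRY_POINTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")


def parse_pe(data: bytes) -> dict:
    """Return {'is_pe', 'is_dll'} from the DOS and COFF headers (heuristic)."""
    info = {"is_pe": False, "is_dll": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info
    # COFF header follows the 4-byte signature; Characteristics is at offset 18.
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    info["is_pe"] = True
    info["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return info


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment as allow / review / block with the reasons."""
    findings = []
    if filename.lower().endswith(".xll"):
        findings.append("xll-extension")
    pe = parse_pe(data)
    if pe["is_pe"]:
        findings.append("pe-image")
        if pe["is_dll"]:
            findings.append("dll")
    # String scan for entry-point names; a full export-table walk would be
    # the stricter check, but this already catches a renamed XLL.
    hits = [name.decode() for name in XLL_ENTRY_POINTS if name in data]
    if hits:
        findings.append("xll-entry-point:" + ",".join(hits))
    if "xll-extension" in findings or hits:
        verdict = "block"   # XLLs have no business arriving by email
    elif pe["is_pe"]:
        verdict = "review"  # some other executable; hold for analysis
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


def build_minimal_dll(extra: bytes = b"") -> bytes:
    """Constructed sample: a bare PE header flagged as a DLL, nothing more."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, IMAGE_FILE_DLL)
    return bytes(dos) + b"PE\x00\x00" + coff + extra


# Constructed attachments: an XLL, the same XLL renamed to .dat, a plain
# DLL without add-in exports, a text file misnamed .xll and a harmless CSV.
SAMPLES = {
    "q4_report.xll": build_minimal_dll(b"\x00xlAutoOpen\x00"),
    "invoice.dat": build_minimal_dll(b"\x00xlAutoOpen\x00"),
    "helper.bin": build_minimal_dll(),
    "addin.xll": b"this is not a PE image",
    "budget.csv": b"date,amount\n2022-12-28,42\n",
}


def triage_all(samples: dict = SAMPLES) -> dict:
    return {name: triage_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:15} {verdict}")
```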
What KnowBe4 Customers Say
"I wanted to reach out to tell you how great it has been to work with Nadia S. over the last six months. Nadia was able to help us get our phishing program in place quickly, with two successful campaigns run since late August. This was a huge goal of our organization and would not have happened without her help.
"Nadia walked us through everything, answering all of my countless questions, always with an amazing attitude and patience. Her knowledge of the products is priceless! She is such a pleasure to work with and I wanted to make sure you knew how appreciated she is by our team!"
- G.N., Director, Security Training and Awareness
"Let me tell you a brief story ... I started as CISO for this company a few years ago, and finding vendors has been a trial by fire.
"We are constrained by HIPAA and therefore SOC2 ... we are a small business (70 people) with a limited budget so we find ourselves patching solutions together based on budget and minimum requirements. We have looked at a hundred different vendors for twenty different needs and the single primary issue that confronts us is the onramp to using, understanding and fully implementing each new UI for each new vendor.
"KnowBe4 has been the single best vendor we have encountered. The initial inquiry was met with straightforward cost and benefit. And then you assigned a person to actively push the adoption with meetings and training and clear guidance. We spent no time guessing how to do anything or wondering what to do next.
"Your person (Crystal) literally chased us to get the settings done, the baseline done, the first campaign set up, and led us to an immediate success with the adoption of your platform.
"If wishes were horses, we'd all be eating steak (Firefly), but I wish every vendor was as proactive in leading their customers up the onramp to immediate ROI. I want to congratulate your entire operation on the best experience and the best results we have had in the past few years."
- W.A., Chief Information Security Officer
- [Warmly Recommended] 10 AI Predictions For 2023:
https://www.forbes.com/sites/robtoews/2022/12/20/10-ai-predictions-for-2023/
- Google outlines 6 cybersecurity predictions for 2023:
https://venturebeat.com/security/google-cybersecurity-predictions/
- Ukraine's DELTA military system users targeted by info-stealing malware:
https://www.bleepingcomputer.com/news/security/ukraines-delta-military-system-users-targeted-by-info-stealing-malware/
- Incident responders brace for end-of-year cyber scaries:
https://www.cybersecuritydive.com/news/cyber-security-incident-response-holiday-prep/639137/
- Russian hackers targeted petroleum refining company in NATO state:
https://therecord.media/russian-hackers-targeted-petroleum-refining-company-in-nato-state/
- Former Mobile Phone Store Owner Sentenced to 10 Years in Federal Prison for Multimillion-Dollar Scheme to Illegally Unlock Cellphones:
https://www.justice.gov/usao-cdca/pr/former-mobile-phone-store-owner-sentenced-10-years-federal-prison-multimillion-dollar
- Why Security Teams Shouldn't Snooze on MFA Fatigue:
https://www.darkreading.com/endpoint/why-security-teams-shouldn-t-snooze-on-mfa-fatigue
- Russian hackers accessed JFK airport taxi software: Port Authority:
https://therecord.media/russian-hackers-accessed-jfk-airport-taxi-software-port-authority/
- Comcast Xfinity accounts hacked in widespread 2FA bypass attacks:
https://www.bleepingcomputer.com/news/security/comcast-xfinity-accounts-hacked-in-widespread-2fa-bypass-attacks/
- LastPass customer password vaults stolen, targeted phishing attacks likely:
https://www.itpro.co.uk/security/369776/lastpass-customer-password-vaults-stolen-targeted-phishing-attacks-likely
- [SUPER FAVE] Happy Holidays from Boston Dynamics, Tree's Company:
https://www.youtube.com/watch?v=7Wm6vy7yBNA
- The 'Best Of 2022' GoPro highlight reel is here - from ski resorts to surf breaks, race tracks and more:
https://www.flixxy.com/best-of-2022-a-year-in-review-gopro.htm?utm_source=4
- People Are Awesome Best Of The Year 2022:
https://www.youtube.com/watch?v=9rtTKb86IpI
- Biggest stunt in cinema history: Tom Cruise riding a motorcycle off a cliff. Mission Impossible Dead Reckoning:
https://www.flixxy.com/biggest-stunt-in-cinema-history-tom-cruise-mission-impossible-2023.htm?utm_source=4
- I like the Tesla Dog Mode Cabin Camera:
https://www.youtube.com/watch?v=DGnaWgXqBCA
- A Swarm of Robots Built This Tunnel. For Realz:
https://www.youtube.com/watch?v=bfJY0syocfU&feature=youtu.be
- Inside The World's Only Private Boeing 787 Dreamliner!:
https://www.youtube.com/watch?v=r15_6z9xryo
- Car Thieves vs. the Final GlitterBomb 5.0:
https://www.youtube.com/watch?v=iWeu2dxHRDg
- Bloomberg Businessweek 2022 "Jealousy List" with the best-written stories of the year:
https://www.bloomberg.com/features/2022-jealousy-list/
- For Da Kids #1 - Guy Frees Elephant After 50 Years In Chains:
https://www.youtube.com/watch?v=2UOwk3NPsIE
- For Da Kids #2 - Cheetah jumps into a Safari Vehicle:
https://www.youtube.com/watch?v=gw-MWnpqAoE
- For Da Kids #3 - Sheep Rescued From Mountain Looks So Different Now:
https://www.youtube.com/watch?v=ZxN83WVZqsk
- For Da Kids #4 - Biggest Cat That Purrs And Meows:
https://www.youtube.com/watch?v=BXhfZRE08ko
- For Da Kids #5 - Santa's Little Helpers:
https://www.youtube.com/watch?v=ngjLoQfrMlI