CyberheistNews Vol 13 #01 [Heads Up] Giant LastPass Breach Can Supercharge Spear Phishing Attacks

CyberheistNews Vol 13 #01  |   January 4th, 2023

[Heads Up] Giant LastPass Breach Can Supercharge Spear Phishing Attacks

By Roger A. Grimes

KnowBe4 recommends that everyone use a password manager to create and use strong passwords as a part of their password policy:
https://info.knowbe4.com/wp-password-policy-should-be

LastPass, one of the world's most popular password managers, recently had a bad data breach as revealed here:
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

LastPass divulged that although users' plaintext passwords were not accessed, what the hackers did get included the following information:

  • website URLs for the user's stored passwords
  • end-user names
  • billing addresses
  • email addresses
  • telephone numbers
  • company names
  • IP addresses from which customers were accessing the LastPass service

The hackers also got each LastPass user's encrypted passwords for every stored logon. The encryption protection is strong AS LONG AS the master password the user chose for LastPass was strong. If you're interested in a more detailed discussion, go here:
https://www.linkedin.com/pulse/just-how-bad-recent-lastpass-compromise-roger-grimes

In summary, if your LastPass master password was at least 12 characters long (the current LastPass default), contained some complexity, wasn't an easy-to-guess password, and was not used on any other site or service, then you're probably OK. If not, you need to immediately change all your passwords, both the LastPass master password and all the passwords you stored in LastPass.
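The four criteria above, written out as a check you can run against a candidate master password, with a guess-space estimate to show why length and character variety matter when the only thing protecting the stolen vault is the master password. This is an added example, not code from LastPass or from the newsletter; the common-password list is a constructed stand-in, "some complexity" is interpreted here as at least three character classes, and the guess rate passed to years_to_exhaust is an assumed figure rather than anything the page states.

```python
import math
import string

# Constructed stand-in for a breached-password list (assumption of this example);
# a real check would consult a much larger corpus.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "123456", "12345678",
    "qwerty", "letmein", "iloveyou", "welcome1", "admin123",
}

# Character class name -> (membership test for one character, alphabet size)
CLASSES = {
    "lower": (str.islower, 26),
    "upper": (str.isupper, 26),
    "digit": (str.isdigit, 10),
    "symbol": (lambda c: c in string.punctuation, len(string.punctuation)),
}


def character_classes(pw):
    """Names of the character classes actually present in pw."""
    return [name for name, (pred, _) in CLASSES.items() if any(pred(c) for c in pw)]


def charset_size(pw):
    """Size of the smallest alphabet an attacker must assume to cover pw."""
    return sum(CLASSES[name][1] for name in character_classes(pw))


def estimated_entropy_bits(pw):
    """Upper bound on guessing entropy: length * log2(alphabet size).
    Real passwords sit well below this bound because people pick words and patterns."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def years_to_exhaust(bits, guesses_per_second):
    """Time to enumerate the whole space at an assumed guess rate (constructed figure,
    not from the page). This is what the vault's key derivation has to hold against."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def assess_master_password(pw, other_site_passwords=(), min_length=12):
    """Apply the newsletter's four criteria and report each finding separately.
    'Some complexity' is taken to mean at least three character classes (assumption)."""
    findings = {
        "long_enough": len(pw) >= min_length,
        "has_complexity": len(character_classes(pw)) >= 3,
        "not_easy_to_guess": pw.lower() not in COMMON_PASSWORDS,
        "not_reused": pw not in set(other_site_passwords),
    }
    findings["probably_ok"] = all(findings.values())   # computed before adding the float below
    findings["entropy_bits"] = round(estimated_entropy_bits(pw), 1)
    return findings


if __name__ == "__main__":
    # Constructed sample passwords; the second one is deliberately reused on another site.
    for candidate, reused_elsewhere in [("Winter2023!", []), ("M4ple-Syrup-Tr33s", ["M4ple-Syrup-Tr33s"])]:
        result = assess_master_password(candidate, reused_elsewhere)
        print(candidate, result)
        print("  years to exhaust full space at 1e10 guesses/s (assumed rate):",
              f"{years_to_exhaust(result['entropy_bits'], 1e10):.3g}")
```

The per-criterion output is the useful part: a password can have high estimated entropy and still fail the reuse or common-list test, and the page's advice is that any single failure means changing the master password and everything stored behind it.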

Spear Phishing Bonanza

However, the plaintext information that was stolen (listed above) is incredibly useful to any hacker doing social engineering and phishing. It allows an attacker to specifically target (i.e., spear phish) a potential victim using information not known to the general public and other hackers.

For example, with a list of the websites that someone logs onto, a phisher can craft specific phishing emails that pretend to be from that website. The email could include the user's name, telephone number and mailing address. Each added detail thickens the veil of false legitimacy around a social engineering email, and each one increases the percentage of people who will become victims.

Knowing people's phone numbers and what websites they belong to opens up an avenue for a fake tech support call. Mailing addresses can allow elaborate scams through postal mail. Here's a brazen example of such a scam:
https://www.nasdaq.com/articles/inside-the-scam%3A-victims-of-ledger-hack-are-receiving-fake-hardware-wallets-2021-06-17

The sky is the limit on the types of spear phishing scams that can be created and delivered using the information that was stolen in the LastPass breach. Kudos to LastPass for making sure the most critical user information, the user's passwords, were stored in an encrypted state.

But this breach, like all the others before it, calls into question what type of user information should or shouldn't be considered "critical information" and always stored in an encrypted state. If the information can be used to identify or contact you, it should probably be encrypted by default.

LastPass users were relieved to learn that their stored passwords were not directly compromised, but what information was taken by the hackers is likely to have spear phishing repercussions for years to come.

Blog post with links:
https://blog.knowbe4.com/heads-up-lastpass-attack-could-supercharge-spear-phishing-attacks

[NEW PRODUCT] Real-Time Coaching in Response to Risky User Behavior

Do you need an easy, automated way to reinforce and remind users of your security policies and training so that they make fewer risky security mistakes? If you engage your users in real-time at the moment that risky security behavior happens, you create a strong security culture and reduce human risk for your organization.

Enter SecurityCoach; a new product from KnowBe4 designed to help you develop a strong security culture by changing employee mindset through real-time security coaching in response to their risky security behavior.

Based on alerts generated by your existing security stack products, SecurityCoach analyzes and identifies detected threat events to send your users contextual, real-time coaching at the moment risky behavior occurs.

When you provide instant coaching on risky activities, you reinforce your security awareness training and policies, improve knowledge retention and help your users understand the risks associated with their behaviors.

With SecurityCoach you can:

  • Coach users in real-time based on their own real-world behavior
  • Gain additional value from your existing security stack by integrating with common security products and services
  • Measure and report on improved real-world security behavior across your organization, providing justification for continued investment
  • Reduce the burden on the SOC and improve efficacy through automation and reducing alert noise caused by users repeating risky security behaviors
  • Build custom campaigns for high-risk users or roles that are considered a valuable target for cybercriminals

SecurityCoach is an optional add-on for KnowBe4 customers with a Platinum or Diamond level security awareness training subscription.

Learn More!
https://www.knowbe4.com/products/securitycoach

[Eye Opener] Insurance Policy Doesn't Cover Ransomware Attack, Ohio Supreme Court Says

On Dec. 27, 2022, the Ohio Supreme Court ruled in favor of an insurance company, determining that its contract to cover any direct physical loss or damage to property did not encompass ransom payments made when a hacker illegally gained access to the systems and data of medical billing software company EMOI.

The incident happened back in 2019, when cybercriminals breached the software provider, which assists medical practices with booking appointments, keeping records and payment management.

The cybercriminals extorted EMOI, demanding three bitcoins (worth around $35,000 at the time) in return for its data. After complying and paying the ransom, EMOI was able to regain control over most of its stolen information. To be better protected against future attacks, EMOI improved its network security and processes. However, Owners Insurance Company, which wrote the policy, denied the claim for any damages sustained during the breach.

The Supreme Court carefully examined whether the policy language covering "direct physical harm to property" extends to losses caused by threats to data, such as software, and not just damage done to tangible items like computers. The justices then unanimously overturned a lower court's ruling after concluding that software is an intangible item that cannot experience any direct physical deficit or destruction. Hmmm.

Blog post with links:
https://blog.knowbe4.com/eye-opener-insurance-policy-doesnt-cover-ransomware-attack-ohio-supreme-court-says

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, January 11, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! KnowBe4 Mobile Learner App - Users Can Now Train Anytime, Anywhere!
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Did You Know? You can upload your own SCORM and video training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, January 11, @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/4054183/88BA0B2BA080B14CBD5BD0884CE0BA18?partnerref=CHN2

Microsoft Warns of Signed Drivers Being Used to Terminate AV and EDR Processes

The malicious abuse of several developer program accounts in Microsoft's Windows Hardware Developer Program allowed threat actors to have malware evade detection.

It's a long-term play, but one that is quite an impressive feat – threat actors sought to compromise credentials that gave them access to submit malware-embedded drivers for Microsoft certification – something that would cause security products to see them as trustworthy and allow them to run. The signature screenshot (in the blog post linked below) shows how entirely valid these drivers appear to an attacked system - there isn't a hint that anything is afoot when you look at it.

According to security vendor SentinelOne, the drivers contained POORTRY and STONESTOP malware, part of a small toolkit designed to terminate antivirus and EDR processes. Security vendor Mandiant observed a threat group designated only as UNC3944 using SMS phishing as the initial attack vector to obtain credentials that would later be used to gain access to systems to deploy the signed driver.

The use of a driver is a brilliant touch, but threat actors still need to gain access to systems – which means obtaining credentials, a method of entry, etc. Usually this involves some interaction with a user (via texting, in the case of Mandiant's research).

And while it's possible to see these kinds of driver-based efforts begin with vulnerabilities, it's necessary for organizations to ensure any email- or web-based initial access is relegated to an absolute minimum – something accomplished by enrolling users in ongoing security awareness training to ensure they see malicious content for what it really is.

Blog post with links and screenshot:
https://blog.knowbe4.com/microsoft-warns-of-signed-drivers-being-used-to-terminate-av-and-edr-processes

12 Ways to Defeat Multi-Factor Authentication

Everyone knows that multi-factor authentication (MFA) is more secure than a simple login name and password, but too many people think that MFA is a perfect, unhackable solution. It isn't!

Watch Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and security expert with over 30 years' experience, for this on-demand webinar where he will explore 12 ways hackers can and do get around your favorite MFA solution.

This webinar includes a (pre-filmed) hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick, and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security.

You'll learn about the good and bad of MFA, and become a better computer security defender in the process, including:

  • 12 ways hackers get around multi-factor authentication
  • How to defend your multi-factor authentication solution
  • The role humans play in a blended-defense strategy

Watch the Webinar Now!
https://info.knowbe4.com/webinar-12-ways-to-defeat-mfa-chn


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: NYTimes: 'There Is No Reasonable Way for This to End': Bill Browder on How to Stop the Ukraine War:
https://www.nytimes.com/2022/04/09/business/dealbook/09db-browder-russia-santions.html

PPS: Your KnowBe4 Fresh Content Updates from December 2022:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-december-2022

Quotes of the Week
"The future belongs to those who believe in the beauty of their dreams."
- Eleanor Roosevelt (1884 - 1962)

"When everything seems to be going against you, remember that the airplane takes off against the wind, not with it."
- Henry Ford - Industrialist (1863 - 1947)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-01-heads-up-giant-lastpass-breach-can-supercharge-spear-phishing-attacks

Security News

1 Out of 10 Threats Still Make It All the Way to the Endpoint

Despite good intentions, layered security measures, and efficacy claims by security solution vendors, new data shows that email-based threats are still getting all the way to the Inbox.

Given all that your organization has in place to stop threats from entering into your environment, you'd like to think it all gets stopped. Your security vendors certainly tell you that their solution stops some very high percentage of attacks – likely in the 99-point-something range.

And the layered defense you've implemented is designed to address attacks from a number of directions, giving you a heightened chance of stopping an attack before it does any damage.

But new data from Acronis in their End-of-Year Cyberthreats Report shows that 11.7% of all attacks still make it to the endpoint. This is a nearly 11% increase from the previous quarter – meaning threat actors are getting better at avoiding detection and obfuscating the malicious nature of their emails.

Part of this "success" may be due to the short lifespan of a given piece of malware – according to the report (emphasis is mine):

The average lifetime of malware samples in November 2022 was 1.7 days, after which a threat would disappear and never be seen again. In Q2 2022, this figure was at 2.3 days, showing that malware is even more short-lived today as attackers use automation to create new and personalized malware with a frequency that overwhelms traditional signature-based detection. Seventy-four percent of the samples observed were seen only once across our customer base.

With this newfound data, it should be obvious that you should expect that malicious emails are going to find their way past your security solutions, making it absolutely necessary for your users to be the last line of defense in organizational security by being vigilant when interacting with email and the web – something taught with frequent security awareness training.

Blog post with links:
https://blog.knowbe4.com/one-out-of-10-threats-still-make-it-all-the-way-to-the-endpoint

Finance and Insurance Is the Sector Most Impacted by Data Breaches In 2022

Analysis of the year's breaches shows finance and insurance businesses are the most targeted and have lost a material count of records as a result.

It makes sense that threat actors want to "go where the money is." The data in the finance and insurance industry can contain banking information, account balances, and access to all of it. The value of this is immeasurably more than just a stolen username and password, as there is financial context with the data itself. So, it makes sense that this industry sector is "where the money is" and is, therefore, a greater target for threat actors.

According to security vendor Flashpoint's Year In Review: 2022 Financial Threat Landscape, a cross-section of data breaches by industry vertical shows that businesses in finance and insurance were the most targeted:

In all, Flashpoint counted 566 data breaches with over 254 million records leaked. They do note that the same industry was not in the top spot with regard to ransomware attacks – something confirmed by Sophos' The State of Ransomware in Financial Services 2022 report, in which only 55% of finance and insurance organizations experienced a ransomware attack – a far cry from the overall average of 66% across all industry sectors.

And because a material share of these attacks can be attributed to untrained employees, it's necessary for financial and insurance organizations to take strides to ensure their staff are properly educated, using security awareness training, on cyberattacks, initial attack vectors, social engineering tactics, and more – all practices used by threat actors seeking to gain access to your data, applications, and systems.

Blog post with links:
https://blog.knowbe4.com/finance-and-insurance-is-the-sector-most-impacted-by-data-breaches-in-2022

What KnowBe4 Customers Say

"Hi Stu, I would be remiss for not emailing you regarding Zach P. The KnowBe4 platform was purchased before I started here in August, and I knew our CEO really likes this tool. I was feeling a bit overwhelmed at learning a new company's people, contracts, culture, etc. and adding a new learning platform just seemed like a lot.

"Well! No need to worry in the oh so capable and caring hands of Zach! He is really helpful, extremely responsive, pleasant to work with, personable, smart, and really knows your product. I hope you have many more like him in your arsenal!"

- W.S., Facility Security Officer

The 10 Interesting News Items This Week
  1. [FOR YOUR C-SUITE] Understanding Security Detection And Response Technologies: What Lies Behind The Acronyms:
    https://www.forbes.com/sites/forbestechcouncil/2022/12/30/understanding-security-detection-and-response-technologies-what-lies-behind-the-acronyms/

  2. ChatGPT? Stable Diffusion? Generative AI jargon, explained for management:
    https://www.fastcompany.com/90826308/chatgpt-stable-diffusion-generative-ai-jargon-explained?

  3. TikTok banned from House of Representatives devices:
    https://therecord.media/tiktok-banned-from-house-of-representatives-devices

  4. Insurance policy doesn't cover ransomware attack, Ohio Supreme Court says:
    https://blog.knowbe4.com/eye-opener-insurance-policy-doesnt-cover-ransomware-attack-ohio-supreme-court-says

  5. Hackers stole data from multiple electric utilities in recent ransomware attack:
    https://edition.cnn.com/2022/12/27/politics/hackers-data-utilities-ransomware-sargent-lundy/

  6. 23 AI predictions for the enterprise in 2023. Check out #19:
    https://venturebeat.com/ai/23-ai-predictions-for-the-enterprise-in-2023/

  7. North Korean hacking outfit impersonates venture capital firms:
    https://www.scmagazine.com/analysis/identity-and-access/north-korean-hacking-outfit-impersonates-venture-capital-firms

  8. Google AdWords scam epidemic shows social engineering is evolving:
    https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e

  9. Global Trends In Security Culture in Cybercrime Magazine:
    https://cybersecurityventures.com/global-trends-in-security-culture/

  10. Hefty penalties and jail for hacking information systems of government institutions in UAE:
    https://gulfnews.com/uae/government/hefty-penalties-and-jail-for-hacking-information-systems-of-government-institutions-in-uae-1.92948412

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff