CyberheistNews Vol 13 #19 [Watch Your Back] New Fake Chrome Update Error Attack Targets Your Users




CyberheistNews Vol 13 #19  |   May 9th, 2023

[Watch Your Back] New Fake Chrome Update Error Attack Targets Your Users

Stu Sjouwerman, SACP

Compromised websites (legitimate sites that have been successfully compromised to support social engineering) are serving visitors fake Google Chrome update error messages.

"Google Chrome users who use the browser regularly should be wary of a new attack campaign that distributes malware by posing as a Google Chrome update error message," Trend Micro warns. "The attack campaign has been operational since February 2023 and has a large impact area."

The message displayed reads, "UPDATE EXCEPTION. An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update." A link at the bottom of the bogus error message is misrepresented as leading to a manual Chrome update. In fact, the link downloads a ZIP file that contains an EXE file. The payload is a cryptojacking Monero miner.

A cryptojacker is bad enough since it will drain power and degrade device performance. This one also carries the potential for compromising sensitive information, particularly credentials, and serving as staging for further attacks.

This campaign may be more effective for its routine, innocent look. There are no spectacular threats, no promises of instant wealth, just a notice about a failed update. Users can become desensitized to the potential risks bogus messages concerning IT issues carry with them.

Informed users are the last line of defense against attacks like these. New school security awareness training can help any organization sustain that line of defense and create a strong security culture.

Blog post with links:
https://blog.knowbe4.com/fake-chrome-update-error-messages

A Master Class on IT Security: Roger A. Grimes Teaches You Phishing Mitigation

Phishing attacks have come a long way from the spray-and-pray emails of just a few decades ago. Now they're more targeted, more cunning and more dangerous. And this enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more.

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, where he'll share a comprehensive strategy for phishing mitigation. With 30+ years of experience as a computer security consultant, instructor, and award-winning author, Roger has dedicated his life to making sure you're prepared to defend against ever-present IT security threats like phishing.

In this webinar you'll learn:

  • How to develop a comprehensive defense-in-depth plan for phishing mitigation
  • Ideas for security policies you can implement now
  • Technical controls all organizations should consider
  • Gotchas to watch out for with cybersecurity insurance
  • Why it's critical to develop your organization's human firewall

Get the details you need to know now to protect your organization from phishing and social engineering attacks.

Date/Time: TOMORROW, Wednesday, May 10, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!
https://info.knowbe4.com/phishing-mitigation-mc?partnerref=CHN2

[Feet on the Ground] Stepping Carefully When Making an AI Your BFF

Bloomberg's Brad Stone wrote an op-ed covering this topic. In the past month, a chatbot called "My AI" or "Sage" has appeared as a new friend for several hundred million Snapchat users. The chatbot utilizes OpenAI's advanced artificial intelligence tool, ChatGPT. It has shown up unexpectedly at the top of many users' friend lists on the messaging app, which is considered prime app real estate.

Parent groups expressed concerns when Sage was introduced to Snapchat+, as they feared younger children might not realize they are communicating with a chatbot. This led to numerous video commentaries on social media platforms such as Snapchat, Instagram and TikTok.

Users interacted with Sage by requesting it to act as their boyfriend, asking it to complete their homework, and even asking it personal questions. The chatbot responded by revealing its knowledge of their location.

AI tools such as ChatGPT and social media are about to collide

Sage suggests that generative AI tools such as ChatGPT and social media are about to collide. This happened when mixed reviews started coming in for Sage from users. Meanwhile, Mark Zuckerberg, the CEO of Meta Platforms Inc., announced on a quarterly earnings call that conversational AI is soon going to make its way onto social networks like Facebook, Instagram and WhatsApp.

Zuckerberg shared with investors that he believes there is a chance to introduce AI agents in a useful and meaningful way to billions of people. He also mentioned that generative AI will be incorporated into all their products and can be utilized by advertisers for tasks such as customer support. This may mean encountering chatbots when seeking assistance.

Is AI's killer app social instead of search?

Zuckerberg and Snap CEO Evan Spiegel are proposing that AI's killer app could be social instead of search. This means providing people with an effortless method to find answers to their pressing questions without having to use Google. Additionally, it can serve as a constant virtual assistant suggesting amusing videos and providing clever ideas on what to say in group chats.

The risk obviously is that this killer app will devolve into social engineering at scale.

Blog post with links:
https://blog.knowbe4.com/feet-on-the-ground-stepping-carefully-when-making-an-ai-your-bff

Warren Buffett just commented on AI too. He likens AI to the atomic bomb in that "we won't be able to un-invent it." Link at Fortune Magazine:
https://fortune.com/2023/05/06/ai-warren-buffett-charlie-munger-berkshire-hathaway/

WIRED Magazine published: "These ChatGPT Rivals Are Designed to Play With Your Emotions." Startups building chatbots tuned for emotionally engaged conversation say they can offer support, companionship—and even romance. (Not to say anything about social engineering...)
https://www.wired.com/story/fast-forward-chatgpt-rivals-emotions/?

[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist

Now there's a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!

The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leaving the PhishER console.

Join us Wednesday, May 17, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER you can:

  • NEW! Immediately add user-reported email threats to your Microsoft 365 blocklist from your PhishER console
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easily integrate with KnowBe4’s email add-in, Phish Alert Button, or forward to a mailbox

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, May 17, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/phisher-demo-may-2023?partnerref=CHN

Response-Based Business Email Compromise Contributes to 97% of Attacks

The malwareless and seemingly benign nature of business email compromise emails, mixed with impersonation techniques, makes them difficult to spot as malicious, and therefore even more dangerous.

I've covered both the threat of business email compromise and response-based email attacks before. How can I not? They are prominent techniques used by phishing scammers everywhere. But it's the reported combination of the two by PhishLabs that has me concerned. Representing the overwhelming lion's share of all email threat volume reported, the use of such business-toned, long-tailed email attacks is a greater danger to organizations.

Take the following example, provided by PhishLabs:

[CONTINUED] Blog post with screenshot:
https://blog.knowbe4.com/response-based-business-email-compromise

Are Your Users' Passwords... P@ssw0rd?

Are your users' passwords…P@ssw0rd? Verizon's Data Breach Report showed that 81% of hacking-related breaches used stolen and/or weak passwords. Employees are the weakest link in your network security, using weak passwords and falling for phishing and social engineering attacks.

KnowBe4's complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak password related threats.

WPT gives you a quick look at the effectiveness of your password policies and any failures so that you can take action. It tests against ten types of weak password related threats, for example: Weak, Duplicate, Empty, Never Expires, plus six more.

Here's how Weak Password Test works:

  • Reports on the accounts that are affected
  • Tests against 10 types of weak password related threats
  • Does not show/report on the actual passwords of accounts
  • Just download the install and run it
  • Results in a few minutes!

This will take you five minutes and may give you some insights you never expected!

Find your weak passwords:
https://info.knowbe4.com/weak-password-test-chn

[Eye Opener] HTML Phishing Attacks Surge by 100% In 12 Months

The Cyberwire reported: "Barracuda released a study indicating that HTML attacks have doubled since last year. The researchers note that not only is the total number of attacks increasing, but the number of unique attacks seems to be increasing as well.

"On March 23, almost nine in ten (405,438 — 85%) of the total 475,938 malicious HTML artifacts were unique; which means that almost every single attack was different." HTML attacks are commonly seen in phishing campaigns when users download HTML attachments from emails.

Barracuda recommends that organizations adopt email protections to spot and block malicious HTML attachments, that they train their personnel to spot phishing emails, that they implement MFA and consider a zero-trust security model, and that they prepare an incident response plan that includes ways of disrupting a campaign should it penetrate their organization.

Blog post with links:
https://blog.knowbe4.com/eye-opener-html-phishing-attacks-surge-by-100-in-12-months

[FASCINATING READING] Google: "We Have No Moat, and Neither Does OpenAI"

"The text is a very recent leaked document, which was shared by an anonymous individual on a public Discord server who has granted permission for its republication. It originates from a researcher within Google. We have verified its authenticity. The only modifications are formatting and removing links to internal web pages. The document is only the opinion of a Google employee, not the entire firm. We do not agree with what is written below, nor do other researchers we asked, but we will publish our opinions on this in a separate piece for subscribers. We simply are a vessel to share this document which raises some very interesting points."

Link to the SemiAnalysis site:
https://www.semianalysis.com/p/google-we-have-no-moat-and-neither?utm_source=tldrai


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] EY Survey: "Why nearly 80% of leaders are increasing cybersecurity spend":
https://www.cnbc.com/advertorial/2023/04/18/why-nearly-80percent-of-leaders-are-increasing-cybersecurity-spend-.html

PPS: KnowBe4's KB4-CON 2023 Speakers Tackled Cyber Defense and Security Culture Topics:
https://www.knowbe4.com/press/knowbe4s-kb4-con-2023-speakers-tackled-cyber-defense-and-security-culture-topics

Quotes of the Week  
"By seeking and blundering we learn."
- Johann Wolfgang von Goethe (1749 – 1832)

"Every great achievement throughout history has demanded some level of calculated risk, because with great risk comes great reward."
- Bill Nelson, NASA Administrator, after the SpaceX Starship explosion. (1942 - )

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-19-watch-your-back-new-fake-chrome-update-error-attack-targets-your-users

Security News

WSJ: "Merck's Insurers on the Hook in $1.4 Billion NotPetya Attack, Court Says"

I receive the WSJ Cybersecurity newsletter, which by the way is warmly recommended. Kim Nash today reported a shocker that will make everyone's insurance premiums go even further up: "Six years after the worldwide NotPetya cyberattack, a court ruled insurers for Merck & Co. must help cover $1.4 billion in losses."

New Jersey appellate division judges rejected the insurers' argument that the 2017 attack, which U.S. officials later blamed on Russia, was akin to an act of war normally excluded from coverage.

"The exclusion of damages caused by hostile or warlike action by a government or sovereign power in times of war or peace requires the involvement of military action," the judges wrote. "Coverage could only be excluded here if we stretched the meaning of 'hostile' to its outer limit."

You should share this story with your infosec budget holders.
https://blog.knowbe4.com/wsj-mercks-insurers-on-the-hook-in-1.4-billion-notpetya-attack-court-says

Phishing as an Espionage Tactic for Cybercriminals

Phishing is a familiar criminal tactic. It's also used by intelligence services for cyber espionage campaigns. On Friday, April 28th, 2023, CERT-UA, Ukraine's Computer Emergency Response Team, reported that Russian operators are sending phishing emails that purport to contain instructions for installing a Windows security update.

"The Computer Emergency Response Team of Ukraine (CERT-UA) says Russian hackers are targeting various government bodies in the country with malicious emails supposedly containing instructions on how to update Windows as a defense against cyber attacks," BleepingComputer writes. "CERT-UA believes that the Russian state-sponsored hacking group APT28 (aka Fancy Bear) sent these emails and impersonated system administrators of the targeted government entities to make it easier to trick their targets." APT28 is associated with Russia's military intelligence service, the GRU.

Should the victims follow the instructions in the email, they'll find themselves installing a PowerShell script that simulates a Windows update but in fact downloads a second malicious PowerShell payload in the background. That payload is "basic information-harvesting" malware that abuses the legitimate Mocky tool.

"CERT-UA recommends that system administrators restrict the ability to launch PowerShell on critical computers and monitor network traffic for connections to the Mocky service API."
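CERT-UA's recommendation to monitor for connections to the Mocky service API can be expressed as a check over web proxy logs. The following is an added example, not code from CERT-UA, BleepingComputer or KnowBe4; the log format, the sample lines and the `mocky.io` domain are assumptions that do not appear in the newsletter.

```python
import re
from urllib.parse import urlsplit

# Assumption: Mocky is served from mocky.io and its subdomains (not stated on the page).
WATCHED_DOMAIN = "mocky.io"
# Constructed proxy log format: time client method target status "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')
# Constructed sample lines, not taken from any real incident.
SAMPLE_LOG = """\
2023-05-02T09:14:03Z ws-017 GET https://intranet.example/wiki 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/112.0"
2023-05-02T09:15:41Z ws-022 CONNECT run.mocky.io:443 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2673"
2023-05-02T09:16:10Z dev-004 GET https://run.mocky.io/v3/placeholder-id 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/112.0"
2023-05-02T09:17:55Z ws-031 GET http://notmocky.io/index.html 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0"
2023-05-02T09:18:20Z ws-031 GET http://mocky.io.example.net/a 200 "WindowsPowerShell/5.1"
this line is malformed and must be skipped
"""

def target_host(target):
    """Return the lowercase hostname for a full URL or a CONNECT host:port."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse "host:443"
    try:
        return (urlsplit(target).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""  # unparseable target, treat as no host

def is_watched(host, domain=WATCHED_DOMAIN):
    # Exact match or true subdomain only; "notmocky.io" must not match.
    return host == domain or host.endswith("." + domain)

def find_mocky_connections(log_text):
    """Return one finding per request to the watched domain."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        host = target_host(m["target"])
        if not is_watched(host):
            continue
        # A PowerShell client reaching the service is the higher-priority case.
        from_ps = "powershell" in m["ua"].lower()
        findings.append({
            "time": m["ts"], "client": m["client"], "host": host,
            "severity": "high" if from_ps else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in find_mocky_connections(SAMPLE_LOG):
        print(finding)
```

HTTPS requests through a forward proxy appear as `CONNECT host:port` with no URL path, which is why the host is extracted from both forms; a user-agent string can be changed by the client, so the "review" findings still need a look.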

Whether the social engineering originates with criminals or a government's intelligence service, new school security awareness training can help any organization's personnel learn to withstand these threats.

Blog post with links:
https://blog.knowbe4.com/phishing-espionage-tactic

What KnowBe4 Customers Say

"Hello Stu, I wanted to take the time to sincerely thank you on behalf of our team for assigning Courtney as our CSM. This is our first experience with externally provided Cybersecurity and compliance training (normally done in house) and she has been absolutely terrific in handholding us through the onboarding process and diligently working with our training team to make them feel comfortable with using KnowBe4 platform.

She has also been outstanding at helping guide our HR team towards evaluation of add on modules that we will most likely end up purchasing. It is not often these days that you come across such a dedicated employee and someone that clearly knows and enjoys their job but is also so customer centric, so I wanted to take the time to share our experience.

I am a member of Innovation Council for the Receivables Management Industry as a whole and will be mentioning KnowBe4 as an outstanding and highly recommended partner to our industry peers during our annual gathering because of Courtney's efforts. Thank you."

- Y.K., CIO

The 10 Interesting News Items This Week
  1. NYTimes: 'The Godfather of A.I.' Leaves Google and Warns of Danger Ahead:
    https://www.msn.com/en-us/news/technology/the-godfather-of-ai-leaves-google-and-warns-of-danger-ahead/ar-AA1aBcUm

  2. China's hackers outnumber FBI cyber staff 'at least 50 to 1':
    https://therecord.media/wray-fbi-cyber-budget-china-cyberthreats

  3. It's generative AI models vs. hackers at DEF CON's AI Village:
    https://venturebeat.com/ai/its-generative-ai-models-vs-hackers-at-def-cons-ai-village/

  4. Hackers use fake 'Windows Update' guides to target Ukrainian govt:
    https://www.bleepingcomputer.com/news/security/hackers-use-fake-windows-update-guides-to-target-ukrainian-govt/

  5. South China Sea tensions conceal a secret war to control the world's Internet:
    https://www.euractiv.com/section/china/opinion/south-china-sea-tensions-conceal-a-secret-war-to-control-the-worlds-internet/

  6. U.S. Marshals to Unveil 'Fully Reconstituted System' Following Ransomware Attack:
    https://www.nextgov.com/cybersecurity/2023/05/us-marshals-unveil-fully-reconstituted-system-following-ransomware-attack/385866/

  7. Google Chrome will lose the 'lock' icon for HTTPS-secured sites:
    https://www.helpnetsecurity.com/2023/05/03/google-chrome-https/

  8. Kimsuky hackers use new recon tool to find security gaps:
    https://www.bleepingcomputer.com/news/security/kimsuky-hackers-use-new-recon-tool-to-find-security-gaps/

  9. Startup From Reid Hoffman and DeepMind Co-Founder Debuts Chatbot:
    https://www.bloomberg.com/news/articles/2023-05-02/ai-startup-co-founded-by-reid-hoffman-mustafa-suleyman-debuts-friendly-chatbot

  10. Rapid growth of 'news' sites using AI tools like ChatGPT is driving the spread of misinformation:
    https://www.euronews.com/next/2023/05/02/rapid-growth-of-news-sites-using-ai-tools-like-chatgpt-is-driving-the-spread-of-misinforma
