CyberheistNews Vol 13 #25 | June 20th, 2023
[Fingerprints All Over] Stolen Credentials Are the No. 1 Root Cause of Data Breaches
Verizon's DBIR always has a lot of information to unpack, so I'll continue my review by covering how stolen credentials play a role in attacks.
This year's Data Breach Investigations Report has nearly 1 million incidents in their data set, making it the most statistically relevant set of report data anywhere.
So, what does the report say about the most common threat actions that are involved in data breaches? Overall, the use of stolen credentials is the overwhelming leader in data breaches, being involved in nearly 45% of breaches – this is more than double the second-place spot of "Other" (which includes a number of types of threat actions) and ransomware, which sits at around 20% of data breaches.
According to Verizon, stolen credentials were the "most popular entry point for breaches." As an example, in Basic Web Application Attacks, the use of stolen credentials was involved in 86% of attacks. The prevalence of credential use should come as no surprise, given the number of attacks that have focused on harvesting online credentials to provide access to both cloud platforms and on-premises networks alike.
And it's the social engineering attacks (whether via phish, vish, SMiSh, or web) where these credentials are compromised — something that can be significantly diminished by engaging users in security awareness training to familiarize them with common techniques and examples of attacks, so when they come across an attack set on stealing credentials, the user avoids becoming a victim.
Blog post with links:
https://blog.knowbe4.com/stolen-credentials-top-breach-threat
[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist
Now there's a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!
The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leaving the PhishER console.
Join us TOMORROW, Wednesday, June 21, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.
With PhishER you can:
- NEW! Immediately add user-reported email threats to your Microsoft 365 blocklist from your PhishER console
- Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
- Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
- Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
- Easily integrate with KnowBe4's email add-in, Phish Alert Button, or forward to a mailbox
Find out how adding PhishER can be a huge time-saver for your Incident Response team!
Date/Time: TOMORROW, Wednesday, June 21, @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/phisher-demo-june-2023?partnerref=CHN2
How NK's Cyber Criminals Stole 3 Billion in Crypto to Fund Their Nukes
The Wall Street Journal revealed that North Korea's hacker army managed to steal a huge amount of cryptocurrency amounting to $3 billion to finance their nuclear program. US officials have confirmed this news.
These hackers have a highly sophisticated method of operating. A specific example of their actions involved using a fake job offer to trick a startup into losing over $600 million. By posing as potential employers, they social engineered someone who was hopeful for a better job.
This incident highlights how the North Korean regime trains cybercriminals to deceive people by impersonating tech workers or employers as part of their illegal activities.
According to Chainalysis, a blockchain analysis firm, there has been a significant increase in the amount of stolen assets by North Korea-backed hackers. In 2022, they reportedly stole around $1.7 billion, which is much higher than the amount of $400 million stolen in the previous year.
Cryptocurrency thefts have hit an all-time high of $3.8 billion globally, making the past year the worst on record for such incidents. The majority of these heists were committed by groups associated with North Korea. The report also highlighted a pattern in hacking activity, which fluctuated over the year, with significant increases in March and October.
The cyber heists caused more than just financial losses. Reportedly, the stolen funds were used to support North Korea's global nuclear program. This is a serious matter since North Korea has already conducted six nuclear tests and is preparing for a seventh, which makes the situation even more urgent.
The recent information exposes the increasing dangers in the world of cryptocurrency and the urgent requirement for more robust security measures. It also highlights the difficult obstacles confronted by international organizations in preventing state-sponsored cybercrime.
Your employees are your last line of defense. Train them not to fall for bogus job offers.
Blog post with links:
https://blog.knowbe4.com/how-nks-cyber-criminals-stole-3-billion-in-crypto-to-fund-their-nukes
[Brand-New Benchmark] Here Are Your Updated 2023 Phishing By Industry Benchmark Results
With phishing on the rise, your employee's mindset and actions are critical to maintaining a strong security culture in your organization.
You need to know what happens when your employees receive phishing emails: are they likely to click the link? Get tricked into giving away their credentials or download malware? Or will they report the suspected phish and play an active role in your human defense layer?
Perhaps more importantly, do you know how effective new-school security awareness training is as a mission-critical layer in your security stack?
Find out with the BRAND-NEW 2023 Phishing By Industry Benchmarking Report, which analyzed a data set of 12.5 million users across 35,681 organizations with over 32.1 million simulated phishing security tests. In this unique report, research from KnowBe4 highlights employee Phish-prone™ Percentages by industry, revealing the likelihood that users are susceptible to phishing or social engineering attacks.
Taking it a step further, the research also reveals radical drops in careless clicking after 90 days and 12 months of new-school security awareness training.
Do you know how your organization compares to your peers of similar size?
Download this new report to find out!
https://info.knowbe4.com/phishing-by-industry-benchmarking-report-chn
[Heads Up] Microsoft Warns Against a Sophisticated Phishing Attack That Targeted Large Banks and Top Financial Organizations
Microsoft describes a sophisticated phishing campaign that targeted large financial organizations. "Microsoft Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations," the researchers write.
"The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple orgs. This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud."
The attackers used indirect proxies in order to create targeted phishing pages.
"While the attack achieved the end goal of a typical AiTM phishing attack followed by business email compromise, notable aspects, such as the use of indirect proxy rather than the typical reverse proxy techniques, exemplify the continuous evolution of these threats," the researchers write.
"The use of indirect proxy in this campaign provided attackers control and flexibility in tailoring the phishing pages to their targets and further their goal of session cookie theft. After signing in with the stolen cookie through a session replay attack, the threat actors leveraged multifactor authentication (MFA) policies that have not been configured using security best practices in order to update MFA methods without an MFA challenge.
"A second-stage phishing campaign followed, with more than 16,000 emails sent to the target's contacts." After compromising the initial account, the threat actors used the access to launch targeted attacks against the people who had recently communicated with the victim.
"The emails were sent to the compromised user's contacts, both within and outside of the organization, as well as distribution lists," the researchers write. "The recipients were identified based on the recent email threads in the compromised user's inbox. The subject of the emails contained a unique seven-digit code, possibly a tactic by the attacker to keep track of the organizations and email chains."
New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart BEC attacks.
Blog post with links:
https://blog.knowbe4.com/microsoft-business-email-compromise-financial
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, July 12 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Executive Reports - Can create, tailor and deliver advanced executive-level reports
- NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
- NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
- Did you know? You can upload your own SCORM training modules into your account for home workers
- Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 60,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: Wednesday, July 12 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/4260900/2D5B5766C2EB5E51B2C0280BBCE3C996?partnerref=CHN
85% of Organizations Have Experienced at Least One Ransomware Attack in the Last Year
Ransomware attacks are as pervasive as ever, with new data demonstrating just how impactful the attacks really are.
If you're one of the lucky few organizations that hasn't fallen victim to a ransomware attack, consider yourself lucky. According to the 2023 Ransomware Trends Report from backup vendor Veeam, the vast majority of organizations (85%) have experienced a ransomware attack.
And while that number is pretty shocking, that's not the worst of it. According to the report, the impact felt in the aftermath is material and costly:
- 45% of production data was affected by a cyber attack
- On average, 15% of the organization's production data was unrecoverable
- 46% of organizations took two weeks or more (as much as four months) to completely recover from the event, with the average being three weeks
And despite all this, 56% of organizations run the risk of reinfecting their production environment during restoration because they have no means to ensure they're using clean data during the recovery. This fact alone clearly puts the complete prevention of ransomware attacks as the highest priority (with detection, response, and remediation still remaining important, of course).
So, if you're going to attempt to stop ransomware attacks, you must have a preventative strategy that aligns with the ways these attacks start. According to ransomware response vendor, Coveware, email-based phishing remains the top initial attack vector, making it imperative that your cybersecurity strategy include a layered approach (that includes security awareness training) to ensure the success rate of email-based attacks is as close to zero as possible.
Blog post with links:
https://blog.knowbe4.com/85-organizations-experienced-ransomware-attack
[INFOGRAPHIC] KnowBe4's SecurityCoach Shows Your Users' Top 10 Risky Behaviors (PDF)
So, what are your users up to? For the first time ever, we can report on the actual risky behavior of your users. SecurityCoach interfaces real-time with your security stack and filters out the risky behaviors so you can coach users at the moment it happens. We made an infographic for you that shows the top 10 risky behaviors. Some may surprise you.
Here is the blog post with the [PDF] list, which you might want to share with your users! No registration required:
https://blog.knowbe4.com/securitycoach-10-risky-user-behaviors
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [GITHUB COPILOT] Microsoft's Sudden AI Dominance Is Scrambling Silicon Valley's Power Structure:
https://www.bloomberg.com/news/features/2023-06-15/microsoft-prepares-to-cash-in-on-openai-partnership-with-copilot
PPS: Europeans Take a Major Step Toward Regulating A.I.:
https://www.nytimes.com/2023/06/14/technology/europe-ai-regulation.html
- Khalil Gibran - Poet (1883-1931)
- George Washington - 1st U.S. President (1732 - 1799)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-25-fingerprints-all-over-stolen-credentials-are-the-no1-root-cause-of-data-breaches
Phony GitHub Repos Attempt to Trick Security Researchers
Attackers are setting up GitHub repositories designed to trick security researchers into installing malware, according to researchers at VulnCheck.
The researchers first discovered a repo that claimed to be a zero-day vulnerability for the Signal messaging app. "In early May, VulnCheck came across a malicious GitHub repository that claimed to be a Signal 0-day," the researchers write. "The team reported the repository to GitHub, and it was quickly taken down. The same scenario continued throughout May."
The day after the phony Signal repository was taken down, the same threat actors set up another repository that posed as a WhatsApp zero-day. VulnCheck then discovered dozens of similar repositories that would have been of interest to security researchers.
"Recently, the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security, and even using headshots of legitimate security researchers from companies like Rapid7," the researchers write.
"Each High Sierra Cyber Security account contains a malicious repository claiming to be an exploit for a well-known product, including Chrome, Exchange, Discord, and more. Some of the accounts even advertise their 'findings' on Twitter." If the code is downloaded, it will install malware on the victim's device.
"The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware," the researchers write. "It's unclear if they have been successful, but given that they've continued to pursue this avenue of attacks, it seems they believe they will be successful."
VulnCheck warns that researchers need to be aware that they can be targeted by these types of attacks. "Security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub," VulnCheck says.
"Always review the code you are executing, and don't use anything you don't understand." New-school security awareness training can enable your employees to thwart targeted social engineering attacks.
VulnCheck has the story:
https://vulncheck.com/blog/fake-repos-deliver-malicious-implant
[Phishbait and AI] The New Threat in Sophisticated Phishing Attacks
Abnormal Security warns that attackers continue to abuse generative AI platforms like ChatGPT to craft convincing phishing emails. Abnormal has observed numerous types of phishing attacks that use grammatically correct templates created by generative AI. The researchers describe a targeted BEC attack that was assisted by AI: "Attackers are also using ChatGPT-like tools to impersonate vendors."
Vendor email compromise (VEC) attacks are among the most successful social engineering attacks because they exploit the trust that already exists in relationships between vendors and customers. And because discussions with vendors often involve issues around invoices and payments, it becomes harder to catch attacks that mimic these conversations—especially when there are no suspicious indicators of attack like typos."
The blog post has some interesting analyses, specifically how to identify if an attack was generated by an AI, there are tools for this.
Story at Abnormal:
https://abnormalsecurity.com/blog/generative-ai-chatgpt-enables-threat-actors-more-attacks
What KnowBe4 Customers Say
"Hi Stu, well that's very kind of you to reach out to customers and check in, much appreciated and great customer service. I'm very happy to report we are happy campers and that the system has been very well received, especially by our CEO who wanted to plug the cyber threat vulnerability gap to the extent possible through education & training.
So far it has met our expectations in this regard. The Modstore is going to be a fantastic library to shape our training from what I've seen. We've had a few technical issues on set up, that created an onboarding delay to get test phishing emails whitelisted properly, such that they could bypass our spam filters but that's been 100% on our end.
I guess the feedback is that your onboarding teams may want to double check with new users at the outset that they do have the eyes and ears of the IT teams that can react quickly.
I'd also like to take the opportunity to call out Joe B., one of your CSM's here in the UK. He's had endless patience and expert knowledge when we meet for the onboarding stages. As the CFO I'm not the greatest technically but that has not phased him and he directs me in an understandable non-techy manner. Thanks again for checking in."
- T.A., CFO
- Chinese spies globally breached hundreds of public, private networks, security firm says:
https://abcnews.go.com/US/wireStory/security-firm-chinese-hackers-broke-email-security-appliance-100104273 - Microsoft links data wiping attacks to new Russian GRU hacking group:
https://www.bleepingcomputer.com/news/security/microsoft-links-data-wiping-attacks-to-new-russian-gru-hacking-group/ - Cyber Insurance Premiums Surge by 50% as Ransomware Attacks Increase:
https://www.insurancejournal.com/news/national/2023/06/14/725215.htm - Consumers in the U.S. lost $330 million to text scams in 2022, FTC says:
https://www.bitdefender.com/blog/hotforsecurity/consumers-in-the-us-lost-330-million-to-text-scams-in-2022-ftc-says/ - AI-Generated Steganography. New research suggests that AIs can produce perfectly secure steganographic images:
https://www.schneier.com/blog/archives/2023/06/ai-generated-steganography.html - Ukraine information sharing a model for countering China, top cyber official says:
https://cyberscoop.com/information-sharing-china-threat/ - Researchers Report First Instance of Automated SaaS Ransomware Extortion:
https://www.darkreading.com/cloud/researchers-report-first-instance-of-automated-saas-ransomware-extortion - CISA to scan agency networks for risky web-connected devices under latest directive:
https://federalnewsnetwork.com/cybersecurity/2023/06/cisa-to-scan-agency-networks-for-risky-web-connected-devices-under-latest-directive/ - AI is a 'double-edged sword' in cybersecurity, says this UK professional:
https://blog.knowbe4.com/ai-double-edged-sword - CISA: LockBit ransomware extorted $91 million in 1,700 U.S. attacks:
https://www.bleepingcomputer.com/news/security/cisa-lockbit-ransomware-extorted-91-million-in-1-700-us-attacks/
- Your Little Big World Virtual Vaca #1 to Rotterdam, Holland. The architecture is amazing in just 3 mins:
https://www.youtube.com/watch?v=-03MCD8RfOc - Your Virtual Vaca #2 - Top 10 Places To Visit in French Polynesia:
https://www.youtube.com/watch?v=MJD2NcvYm4U - The Soul Flyers' Target is a door in the sky. Jumping INTO an airplane:
https://youtu.be/8lcvSdCXRzw - The Lockpicking Lawyer shows 3(!) Methods to hack This Sciener Fingerprint Gun Lockbox:
https://www.youtube.com/watch?v=s76blOsGcDg - Austria is Digging a Tunnel Like No Other:
https://youtu.be/pZHBpgt7kYQ - Rubik's Cube World Record broken after 4.5 years!:
https://twitter.com/maxfast23/status/1668113958442778624 - Incredible Cats Perform Mind-Blowing Trick Shots:
https://www.flixxy.com/incredible-cats-perform-mind-blowing-trick-shots.htm?utm_source=4 - Embark on an awe-inspiring journey through the vast expanse of the galaxy we live in, the Milky Way:
https://www.flixxy.com/the-scale-of-the-milky-way.htm?utm_source=4 - Showreel of Gravity Industry's JetPack best shots. I want one to fly to the office!:
https://youtu.be/ZtCC3b3TSBo - The German public toll road with no speed limit. Get me there:
https://www.youtube.com/watch?v=10Y-gWNJ2Sw - New Mercedes From The Year 2043, the Vision One-Eleven Concept Car:
https://www.youtube.com/watch?v=EK3myDjs7_U - I Exposed Magic's Oldest Secret! Penn And Teller's Trick:
https://www.youtube.com/watch?v=CnKSgYDDFyE - For Da Kids #1 - Groovy Cockatoo Loves Dancing With Human Siblings. Now they're BFF'S:
https://www.youtube.com/watch?v=UwuFFGKcb2I - For Da Kids #2 - Family Rescues a Deer that Changes Their Life:
https://youtu.be/kqUgMJ9bW5w - For Da Kids #3 - Woman Reunites Bonded Wild Horses:
https://youtu.be/7KI6rP0wFaU - For Da Kids #4 - Man rescues wolf. Now they're obsessed with each other:
https://www.youtube.com/watch?v=aR7aXOf8dCY - For Da Kids #5 - Woman Finds An Injured Baby Fox In The Forest. Now He Wrestles Her Cats:
https://www.youtube.com/watch?v=Y6uqvSoA_-s