CyberheistNews Vol 13 #37 Scary New IT Admin Attack Exposes Your MFA Weakness


CyberheistNews Vol 13 #37  |   September 12th, 2023

Scary New IT Admin Attack Exposes Your MFA Weakness

Stu Sjouwerman, SACP

Identity and authentication management provider Okta has warned of social engineering attacks that are targeting IT workers in an attempt to gain administrative privileges within organizations' networks.

"In recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all Multi-Factor Authentication (MFA) factors enrolled by highly privileged users," Okta says.

"The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization."

The threat actors already had some information about the targeted organizations before they contacted the IT employees.

"Threat actors appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account," Okta says.

"In the case of Okta customers, the threat actor targeted users assigned with Super Administrator permissions." The attackers also impersonated another identity management provider using a phony app.

"The threat actor was observed configuring a second Identity Provider (IdP) to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users," the company says. "This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target.

"From this 'source' IdP, the threat actor manipulated the username parameter for targeted users in the second 'source' Identity Provider to match a real user in the compromised 'target' Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user."
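The sequence Okta describes above (a service-desk reset of every MFA factor on a Super Administrator account, followed by the attacker configuring a second, inbound-federation IdP) is one a defender can correlate in the Okta System Log. The following is an added example, not code from Okta or KnowBe4: it pairs each MFA reset_all against a privileged account with any identity-provider lifecycle event that follows within a time window. The field layout (published, eventType, actor, target) follows Okta's System Log, but the eventType names, user names and log lines are constructed assumptions to verify against a real export.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of Okta System Log events as JSON lines. The field layout
# (published, eventType, actor, target) follows Okta's System Log; the eventType
# names are assumed and should be checked against a real export from your org.
SAMPLE_LOG = """
{"published":"2023-09-01T10:00:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"superadmin@example.com"}]}
{"published":"2023-09-01T11:30:00Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"superadmin@example.com"},"target":[{"type":"IdentityProvider","alternateId":"Inbound Org2Org"}]}
{"published":"2023-09-01T12:00:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"staff@example.com"}]}
{"published":"2023-09-05T09:00:00Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"it-owner@example.com"},"target":[{"type":"IdentityProvider","alternateId":"Partner IdP"}]}
"""

# Assumed: accounts holding Super Administrator, exported from your own org.
PRIVILEGED_USERS = {"superadmin@example.com"}
RESET_EVENT = "user.mfa.factor.reset_all"
FOLLOWUP_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}


def parse_events(text):
    """Parse JSON lines and attach a timezone-aware datetime to each event."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
    return events


def find_reset_to_federation_chains(events, window_hours=24):
    """Pair each MFA reset_all on a privileged user with every IdP lifecycle
    event that follows it within window_hours: the sequence Okta described."""
    window = timedelta(hours=window_hours)
    findings = []
    for reset in (e for e in events if e["eventType"] == RESET_EVENT):
        victims = {t["alternateId"] for t in reset["target"] if t.get("type") == "User"}
        victims &= PRIVILEGED_USERS
        if not victims:
            continue  # resets of ordinary users are noise for this rule
        for e in events:
            if e["eventType"] in FOLLOWUP_EVENTS and reset["ts"] < e["ts"] <= reset["ts"] + window:
                findings.append({
                    "privileged_user": ", ".join(sorted(victims)),
                    "reset_by": reset["actor"]["alternateId"],
                    "followup": e["eventType"],
                    "followup_by": e["actor"]["alternateId"],
                    "idp": e["target"][0]["alternateId"],
                })
    return findings
```

On the constructed sample only the first reset is flagged: it hits a Super Administrator and an IdP is created 90 minutes later, while the reset of an ordinary user and the IdP created four days on fall outside the rule.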

New-school security awareness training teaches your employees to recognize social engineering tactics so they can spot and red-flag targeted attacks.


Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication Methods

Inadequate authentication measures leave your digital identity vulnerable to cybercriminals. Tools like multi-factor authentication, biometrics, passwords, PINs, and tokens are all more vulnerable to attacks and social engineering than you realize. And one wrong move leaves you and your organization powerless in the face of cyber threats.

In this webinar, Roger Grimes, Data-Driven Defense Evangelist for KnowBe4, takes you through the ins and outs of authentication hacking.

He'll share:

  • A deep dive into the authentication process and why strong authentication is vital to your organization's security
  • Detailed explanations of authentication vulnerabilities for biometrics, MFA, passwords, and more
  • Real-world examples of man-in-the-middle attacks, MFA bypasses, rogue recoveries and others
  • How to empower your end users to become your best, last line of defense

Your digital identity is the gateway to your organization's most valuable assets. Watch this webinar now to learn how to keep your fortress secure, and earn CPE for attending!

Date/Time: TOMORROW, Wednesday, September 13, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.


Nearly One-Quarter of Financial-Themed Spam Emails Are Really Phishing Attacks

While spam tends to be dismissed as being more of an annoyance, new research shows that there is a very real and ever-present threat in emails that are marked as "spam."

I've written plenty about phishing attacks that target bank customers. It's nothing new. What's interesting is a recent article by security researchers at BitDefender in which banking-related phishing attacks are counted as spam. According to the article, 23% of all financial-themed emails marked as spam were actually phishing attacks attempting to obtain banking credentials, PINs, and other financial information.

In all cases, the emails impersonated a legitimate bank to look like official correspondence, and each sought to have the recipient log on to their account or provide details.

I'm honestly not sure why a phishing attack is considered spam – I suppose, in a way, because it's unwanted, it is spam. But, given the "harmless" image of spam – and the very much NOT benign nature of phishing attacks – it may be a bit improper to even refer to such emails as spam at all.

Calling them what they are (phishing attacks) would certainly help to elevate the employee's state of vigilance – particularly those that have undergone security awareness training.

No matter what you call it, I call it dangerous and potentially harmful. Stay vigilant, my friends!


[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist

Now there's a super easy way to keep malicious emails away from all your users through the power of a new feature in the KnowBe4 PhishER platform!

Harness the power of reported messages from over 10 million trained users worldwide with the PhishER Plus Global Blocklist feature. This feature prevents future malicious emails, sharing the same sender, URL, or attachment, from reaching other users. These are real-world phishing threats, thoroughly vetted by both human intelligence and AI.

The result? Your Microsoft 365 email filters get a significant boost, all from within the PhishER console.

Join us for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • New! Use crowdsourced intelligence from more than 10 million users to block known threats before you're even aware of them
  • New! Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easily integrate with KnowBe4's email add-in, Phish Alert Button, or forward to a mailbox

Find out how adding PhishER Plus can be a huge time-saver for your Incident Response team while ensuring your users are safe!

Date/Time: Wednesday, September 20 @ 2:00 PM (ET)


[BUDGET AMMO] 2024 Election Season Will Be Deepfake Tsunami

You can already see it coming. AI-driven deepfakes are going to be all over the place in America next year. You really need to train your users ahead of time. We have modules ready for you to do that. Russia in particular will be a major player in trying to influence the elections with its "active measures" disinformation campaigns, which will then be forwarded to friends and family as misinformation.

Two new studies of the potential of text- and image-generating algorithms suggest they could add scary new scale and power to online disinformation campaigns. This is a WIRED article that goes into the details of a potential arms race of nation-states into weapons of disinformation:

A good example is in this Forbes article which actually is great budget ammo because the political deepfake is pretty good and illustrates the problem:

KB4-CON EMEA Registration Is Now Open!

Exciting news: registration is now open for KB4-CON EMEA! Get ready to dive into the intersection of security culture and cybersecurity at our third annual virtual conference. It's the place to be for CISOs, security awareness pros, and cybersecurity experts across Europe, the Middle East, and Africa.

Join us on 7 November for a day packed with practical cybersecurity insights, best practices, and a chance to connect with our security experts and fellow peers. Plus, this event is free! Save your spot today.


How Secure Is Your Authentication Method?

By Roger Grimes

I frequently write about authentication, including PKI, multi-factor authentication (MFA), password managers, FIDO, Open Authentication, and biometrics. I have written dozens of articles on LinkedIn and have presented during many KnowBe4 webinars about different authentication subjects.

I have been professionally writing about authentication since at least November 2004, when I wrote my first e-book for Windows & IT Pro magazine on password attacks and security. This is to say that I think about authentication a lot.

Decades ago, I thought by now our world of authentication would have had only the best authentication solutions available. Instead, we still have nearly every authentication mechanism I knew of in the 1990s, and passwords are still the number one authentication method.

Sure, I see a lot more MFA solutions today, but if you added every non-password solution all together, they probably would not work on 2% of the world's sites and services. It is a travesty.

I thought passwords would have been a thing of the past a decade ago. I think I wrote my first "Passwords Are Going Away" article in the early 1990s. I wrote my second one in the early 2000s. I now no longer write that article, and I chuckle whenever I see someone else write it. Today, I think passwords may be with us another decade, if not forever. Why?

Well, for all the problems with passwords (e.g., overshared and often stolen), they work fairly well in many scenarios. Yes, they do get hacked and stolen all the time, but everyone, from a young child to a senior citizen, knows how to use them. You cannot say that for any other authentication mechanism.

Show me any MFA method, and I will show you a non-minor percentage of business-educated adults who cannot operate it.

[CONTINUED] At The KnowBe4 blog:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: I was just in Holland and the UK for the grand openings of our new offices there. Here is one article: "Cybersecurity specialist [KnowBe4] becomes third unicorn company to set up office in Leeds":

Quotes of the Week  
"The ultimate aim of martial arts is not having to use them."
- Miyamoto Musashi - Samurai and Philosopher (1584 - 1645)

"The best fighter is never angry."
- Lao Tzu (6th century BCE)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

[dot]US Domain Exploited for Phishing

The Interisle Consulting Group has published a paper looking at the phishing landscape in 2023, KrebsOnSecurity reports. Notably, Interisle found that the .us top-level domain is being widely abused in phishing attacks.

".US is the ccTLD of the United States and had a very large number of its domains used for phishing -- almost 30,000 domains, more than 20,000 of which were registered maliciously by phishers," Interisle said.

These phishing domains were used in a wide variety of attacks against targets in the US and around the world.

"Ironically, at least 109 of the .US domains in our data were used to attack the United States government, specifically the United States Postal Service and its customers," Interisle said. "Significant numbers of .US domains were also registered to attack some of the United States' most prominent companies, including Bank of America, Apple, Microsoft, Meta, Amazon, AT&T, Citi, Comcast, and Target. .US domains were also used to attack foreign government operations: six .US domains were used to attack Australian government services, six attacked Great Britain's Royal Mail, one attacked Canada Post, and one attacked the Denmark Tax Authority."

Dean Marks, emeritus executive director for the Coalition for Online Accountability, told Krebs that the .us domain should be more strictly regulated.

"Even very large ccTLDs, like .de for Germany — which has a far larger market share of domain name registrations than .US — have very low levels of abuse, including phishing and malware," Marks said. "In my view, this situation with .US should not be acceptable to the U.S. government overall, nor to the US public."


CISA Warns of Hurricane-Related Scams

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that scammers are exploiting the recent hurricanes that have hit the U.S. Criminals frequently impersonate charities and related organizations following natural disasters.

"CISA urges users to remain on alert for malicious cyber activity following natural disasters, such as hurricanes, as attackers target disaster victims and concerned citizens by leveraging social engineering tactics, techniques, and procedures (TTPs)," CISA says.

"Social engineering TTPs include phishing, in which threat actors pose as trustworthy persons/organizations—such as disaster-relief charities—to solicit personal information via email or malicious websites. CISA recommends exercising caution in handling emails with disaster-related subject lines, attachments, or hyperlinks. In addition, be wary of social media pleas and text messages related to severe weather events."

CISA points to the Federal Trade Commission's (FTC's) recommendations for avoiding disaster-related scams. The FTC outlines the following red flags associated with charity scams:

  • "Don't let anyone rush you into making a donation. That's something scammers do.
  • Some scammers try to trick you into paying them by thanking you for a donation that you never made.
  • Scammers can change caller ID to make a call look like it's from a local area code.
  • Some scammers use names that sound a lot like the names of real charities. This is one reason it pays to do some research before giving.
  • Scammers make lots of vague and sentimental claims but give no specifics about how your donation will be used.
  • Bogus organizations may claim that your donation is tax-deductible when it is not.
  • Guaranteeing sweepstakes winnings in exchange for a donation is not only a scam, it's illegal."

The FTC also says to be wary of job-related scams following a natural disaster. "You may find yourself out of work after a disaster strikes," the FTC says. "To trick people looking for honest work, scammers advertise where real employers and job placement firms do. They lie about your chances of getting a job and often ask you to pay before you get one — which is a sure sign of a scam."

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for these types of scams.

What KnowBe4 Customers Say

"Hello Stu, I wanted to send praise for Claire J.'s assistance and support she has provided our organization. Her knowledge of KnowBe4 products and services is always impressive, her communication and responsiveness is the best I have ever experienced with a third-party person of contact, and she has found clever and time-saving solutions for every problem or question I have presented her (most recently, she assisted me with implementing automations for PhishER which greatly increased our efficiency).

Claire is an amazing partner to work with, and I'm genuinely thankful for all of the assistance she has provided. I asked her if there was a survey or review I could fill out to show my appreciation and gratitude for her quality of service provided, and she referred me to your email address. I always make a point to mention my satisfaction to her directly on our communications, as well as to those within my organization, as she is a primary reason why I enjoy having KnowBe4 service for our organization.

Thank you for your time and have a great day."

- G.B., Information Security Engineer

The 10 Interesting News Items This Week

  1. Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach
  2. Pentagon plans vast AI fleet to counter China, Wall Street Journal reports
  3. China, North Korea pursue new targets while honing cyber capabilities
  4. How New SEC Rules Can Benefit Cybersecurity Teams
  5. CISA plans new 'secure-by-design' guidance
  6. Generative AI and the Future of Information Warfare
  7. Anthropic unveils Claude Pro, a paid subscription plan for its ChatGPT rival
  8. Does Generative AI Comply With Asimov's 3 Laws of Robotics?
  9. Microsoft says it will take the heat if Copilot AI commercial users get sued
  10. North Koreans using new zero-day to target security researchers
