CyberheistNews Vol 13 #39 How Chinese Bad Actors Infected Networks With Thumb Stick Malware

Cyberheist News

CyberheistNews Vol 13 #39  |   September 26th, 2023

How Chinese Bad Actors Infected Networks With Thumb Stick Malware...Stu Sjouwerman SACP

WIRED just published an article that made me both disappointed and surprised at the same time. Security researchers found USB-based Sogu espionage malware spreading within African operations of European and U.S. firms.

Yup, you read that right: USB-based malware.

Here is a quick summary with a link to the full article at WIRED. The upshot? You still need to train your global workforce on the risks of them good ol' USB sticks...

The cybersecurity firm Mandiant has uncovered a resurgence in USB-based malware attacks led by a China-linked hacker group called UNC53. This group has successfully hacked at least 29 global organizations since last year by social engineering employees into using malware-infected USB drives.

Many of these attacks have originated from the African operations of multinational companies in countries such as Egypt, Zimbabwe and Kenya. The malware used is a decade-old strain known as Sogu, which has been involved in significant cyber-espionage activities in the past.

The campaign is especially effective in regions where USB drives are still commonly used, like Africa. Mandiant found that the malware often spreads from shared computers in places like internet cafés, affecting various sectors including consulting, banking and government agencies. The malware uses clever tactics to infect machines, even those without internet connections, and communicates with a command-and-control server to steal data.

Mandiant researchers note that this indiscriminate method allows the hackers to cast a wide net, sorting through victims for high-value targets later. The campaign highlights the need for organizations to remain vigilant against all forms of cyber threats, even those considered outdated.

This is particularly important for global networks that include operations in developing countries, where older technologies like USB drives are still in use. Train your workforce!

Blog post with links:

China's Cyber Offensive: FBI Director Reveals Unmatched Scale of Hacking Operations:

USPS Customers Become the Latest Target of the Chinese Smishing Group Called "Smishing Triad":

[NEW FEATURES DEMO] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, October 4, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Content Manager lets you easily customize your training content preferences including branding, adjustable passing score, test out and more
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Executive Reports helps you create, tailor and deliver advanced executive-level reports
  • See the fully automated user provisioning and onboarding

Find out how 65,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, October 4, @ 2:00 PM (ET)

Save My Spot!

Scam-as-a-Service Classiscam Expands Impersonation in Attacks to Include Over 250 Brands

Now entering its third year in business, the phishing platform, Classiscam, represents the highest evolution of an "as a service" cybercrime, aiding more than 1,000 attack groups worldwide.

What do cybercriminals need for a successful attack? A convincing email, a list of potential target email addresses, and a website to extract payment details, bank login credentials, etc. And it's the last part that's usually the barrier to market for those that want to get into cybercrime.

But the scam-as-a-service platform Classiscam has evolved its operations over the years, according to a new report by cybersecurity vendor Group-IB. It has created a template-based service that lets attackers create brand-impersonating web pages, with localization support to expand attacks globally.

According to Group-IB, 251 unique brands were impersonated in the last two years across a total of 79 countries. Over 38,000 separate cybercrime groups have used this service from 2020 through this year, netting Classiscam an estimated $64.5 million during that time.

So far the platform has been used to target the EMEA, Latin America and APAC regions, and the potential for it to expand operations into North America is high.

The real danger for organizations is the templated phishing sites. By continually monitoring and improving these sites, attackers are more successful. In other words, it becomes more likely that targets will become victims.

All the more reason to prop up your users' sense of vigilance through continual security awareness training, to help make the phishing attacks that precede the Classiscam pages obvious to the user.

Blog post with links:

Are Your Users' Passwords... P@$$w0rd?

Verizon's Data Breach Report showed that 86% of hacking-related breaches used either stolen and/or weak passwords. Employees are the weakest link in your network security, using weak passwords and falling for phishing and social engineering attacks.

KnowBe4's complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak password related threats.

WPT gives you a quick look at the effectiveness of your password policies and any failures so that you can take action. It tests against ten types of weak-password-related threats, for example Weak, Duplicate, Empty and Never Expires, plus six more.

Here's how Weak Password Test works:

  • Reports on the accounts that are affected
  • Tests against 10 types of weak password related threats
  • Does not show/report on the actual passwords of accounts
  • Just download the installer and run it
  • Results in a few minutes!

This will take you five minutes and may give you some insights you never expected!
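As an added illustration of the kinds of checks such an audit performs (this is example code written for this newsletter, not KnowBe4's Weak Password Test), the script below walks an exported list of Active Directory accounts and reports which accounts have an empty password, a password shared with another account, a password found in a breach list, the "never expires" or "password not required" flags, or a stale password. The account rows and all hashes except the well-known empty-password NT hash are constructed placeholders; like the tool described above, it reports only which accounts are affected, never the hashes or passwords themselves.

```python
"""Audit an exported AD account list for weak-password conditions.

Constructed example. Each row is assumed to carry the sAMAccountName, the
userAccountControl bit field, the account's NT hash and the password age in
days. The NT hashes below are placeholders, except the empty-password hash.
"""
from collections import defaultdict
from typing import Dict, List

# userAccountControl bits (real values from the AD schema).
PASSWD_NOTREQD = 0x0020       # password not required
DONT_EXPIRE_PASSWD = 0x10000  # password never expires

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
MAX_PASSWORD_AGE_DAYS = 365

# Placeholder: in a real audit, NT hashes of passwords seen in breach corpora.
BREACHED_HASHES = {"aaaaaaaa00000000000000000000bad1"}

# Constructed sample export (0x200 = NORMAL_ACCOUNT).
SAMPLE_ACCOUNTS = [
    {"sam": "alice", "uac": 0x200,
     "nthash": "0f1e2d3c4b5a69788796a5b4c3d2e1f0", "age_days": 40},
    {"sam": "bob", "uac": 0x200,
     "nthash": "aaaaaaaa00000000000000000000bad1", "age_days": 120},
    {"sam": "carol", "uac": 0x200 | DONT_EXPIRE_PASSWD,
     "nthash": "aaaaaaaa00000000000000000000bad1", "age_days": 900},
    {"sam": "svc_backup", "uac": 0x200 | PASSWD_NOTREQD,
     "nthash": EMPTY_NT_HASH, "age_days": 5},
]


def audit_accounts(accounts: List[dict]) -> Dict[str, List[str]]:
    """Return {account: [finding, ...]} for every account with at least one finding."""
    by_hash = defaultdict(list)
    for acct in accounts:
        by_hash[acct["nthash"]].append(acct["sam"])

    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        if acct["nthash"] == EMPTY_NT_HASH:
            issues.append("empty")
        if acct["nthash"] in BREACHED_HASHES:
            issues.append("weak")
        # Two accounts sharing a hash share a password; the empty hash is
        # already reported as "empty", so don't double-count it.
        if len(by_hash[acct["nthash"]]) > 1 and acct["nthash"] != EMPTY_NT_HASH:
            issues.append("duplicate")
        if acct["uac"] & DONT_EXPIRE_PASSWD:
            issues.append("never expires")
        if acct["uac"] & PASSWD_NOTREQD:
            issues.append("password not required")
        if acct["age_days"] > MAX_PASSWORD_AGE_DAYS:
            issues.append("stale")
        if issues:
            findings[acct["sam"]] = issues
    return findings


if __name__ == "__main__":
    for sam, issues in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{sam}: {', '.join(issues)}")
```

Only the account names and finding categories are printed, so the report can be shared with whoever owns the password policy without exposing credential material.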

Find your weak passwords:

Vanishing Act: The Secret Weapon Cybercriminals Use in Your Inbox

Researchers at Barracuda describe how attackers use legitimate email inbox rules to control compromised accounts and evade detection.

"In order to create malicious email rules, the attackers need to have compromised a target account, for example, through a successful phishing email or by using stolen credentials seized in an earlier breach," the researchers write.

"Once the attacker is in control of the victim's email account — a type of attack known as an account takeover — they can set one or more automated email rules, a simple process that enables the attackers to maintain stealthy, persistent access to the mailbox — something they can use for a whole variety of malicious purposes."

Inbox rules can be exploited to carry out further social engineering attacks using the compromised accounts. "BEC attacks are all about convincing others that an email has come from a legitimate user, in order to defraud the company and its employees, customers, or partners," the researchers write.

"Attackers could set a rule that deletes all inbound emails from a certain colleague, such as the Chief Finance Officer (CFO). This allows the attackers to pretend to be the CFO, sending colleagues fake emails to convince them to transfer company funds to a bank account controlled by the attackers."
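The behaviour described above leaves a footprint in the mailbox rules themselves, which makes it auditable. The script below is an added example (not Barracuda's or KnowBe4's code) that scores an exported list of inbox rules and flags the patterns the researchers describe: rules that delete or hide mail from a specific sender, forward to an address outside the organisation, or key on financial keywords, especially when the rule has a throwaway name. The rule format is loosely modelled on the Microsoft Graph messageRule resource; the sample rules and the internal domain `example.com` are constructed for this example.

```python
"""Flag suspicious inbox rules in an exported mailbox rule list.

Constructed example. Rules are dicts with displayName, conditions and actions,
loosely following the Microsoft Graph messageRule shape.
"""
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Folders a user rarely looks at; attackers route hidden mail into these.
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                   "archive", "junk email", "conversation history"}
# Keywords typical of BEC and credential-theft rules.
SUSPECT_KEYWORDS = {"invoice", "payment", "wire", "bank", "password",
                    "hacked", "phish", "suspicious"}

# Constructed sample export: one benign rule, two that match the attack pattern.
SAMPLE_RULES = [
    {"displayName": "Vendor newsletters",
     "conditions": {"senderContains": ["newsletter@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".",
     "conditions": {"fromAddresses": ["cfo@example.com"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Sync",
     "conditions": {"bodyContains": ["invoice", "Payment"]},
     "actions": {"forwardTo": ["collector@mail-drop.test"],
                 "moveToFolder": "RSS Subscriptions"}},
]


def audit_rule(rule: dict) -> List[str]:
    """Return a list of human-readable findings for one rule (empty if clean)."""
    findings = []
    name = (rule.get("displayName") or "").strip()
    cond = rule.get("conditions") or {}
    act = rule.get("actions") or {}

    # Attackers tend to name rules ".", "..", or a single character.
    if len(name) <= 1 or not any(ch.isalnum() for ch in name):
        findings.append("non-descriptive rule name")

    if act.get("delete"):
        findings.append("deletes matching mail")

    folder = (act.get("moveToFolder") or "").strip().lower()
    if folder in SUSPECT_FOLDERS:
        findings.append(f"moves mail to rarely-viewed folder '{act['moveToFolder']}'")

    for addr in list(act.get("forwardTo", [])) + list(act.get("redirectTo", [])):
        if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
            findings.append(f"forwards to external address {addr}")

    words = {w.lower() for key in ("subjectContains", "bodyContains")
             for w in cond.get(key, [])}
    hit = words & SUSPECT_KEYWORDS
    if hit:
        findings.append("keys on financial/security keywords: " + ", ".join(sorted(hit)))

    # The CFO pattern from the article: mail from one sender silently removed.
    senders = cond.get("fromAddresses", [])
    if senders and (act.get("delete") or folder in SUSPECT_FOLDERS):
        findings.append("hides mail from specific sender(s): " + ", ".join(senders))

    return findings


def audit_rules(rules: List[dict]) -> Dict[str, List[str]]:
    """Map rule name -> findings for every rule that has at least one finding."""
    result = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            result[rule.get("displayName", "")] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}: " + "; ".join(findings))
```

In practice the rule export would come from the mail platform's admin tooling and the audit would run on a schedule, with new rules on executive and finance mailboxes reviewed first.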

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

[CONTINUED] at the KnowBe4 blog:

Introducing Hack-A-Cat: The Ultimate Cyber Game For Kids!

We are proud to announce KnowBe4's first ever entry into the Roblox gaming platform: Hack-A-Cat!

This game is free of cost to all users of the Roblox platform. We're committed to sharing cybersecurity best practices with young people wherever we can.

So… What Is This Game?

Our first Roblox game is fresh off the digital presses, and we want you to be one of the first to play. In "Hack-A-Cat," players take on the role of either a Cat or Mouse and engage in a high-stakes showdown.

The cats must ship all their precious tuna before the timer runs out, but the mice are out to stop them using real-world hacker tactics! No matter the role players choose, gamers of all ages are taught vital cybersecurity skills.

So what are you waiting for? Check it out for free on Roblox, and tell us what you think on LinkedIn by tagging @KnowBe4 in your post.

Let's Start Gaming:

[YIKES] AI Now Enables Subliminal Image 'Inception'

Seen Christopher Nolan's movie Inception? If you haven't, it's about a thief who is given the task of planting an idea into the mind of a CEO. The technology of implanting ideas is nothing new. Communist regimes were among the earliest to develop mind control techniques, and American psychologists have experimented with subliminal messaging, including in advertising.

Let's have a quick look at the definition of the word subliminal: "sub·lim·i·nal" - of a stimulus or mental process below the threshold of sensation or consciousness; perceived by or affecting someone's mind without their being aware of it.

Well, you can now instruct an AI to create an "optical illusion" (the most blatant euphemism I have seen this year). This is scary, especially when you know that AI will soon be able to create live-action, full-size motion pictures.

In case you had not noticed yet, the picture spells the word OBEY in black. The Stable Diffusion picture was shared on Twitter (now X). If you step back you start seeing it, but the small version at the top of the blog post makes it clear right away.

This is the kind of thing that you would want to see regulated, but with bad actors releasing their own models, this is not expected to be very effective, unless someone develops scalable, widespread technology that recognizes this type of thing. In the meantime, being trained against disinformation and manipulation is more valuable than ever.

Blog post with must-see pictures and links:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: We are proud to announce KnowBe4's first ever entry into the Roblox gaming platform: Hack-A-Cat!:

Quotes of the Week
"Freedom is the sure possession of those alone who have the courage to defend it."
- Pericles, Greek Statesman (495 BC - 429 BC)

"Let your motto be 'eternal vigilance is the price we pay for liberty.'"
- Earliest appearance of this phrase in print: Vermont Gazette, 4th July, 1817

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Trends in Phishbait

ZeroFox warns that phishing-as-a-service (PhaaS) offerings are increasingly including features to bypass multifactor authentication.

"In 2023, 'in-the-middle' techniques are some of the most frequently-observed methods used to gain access to MFA-secured networks," the researchers write. "They enable threat actors to intercept or bypass MFA protocols by stealing communications without the victim's knowledge.

"Threat actors create and exploit new sessions, or intercept existing ones, via session hijacking—including the stealing or selling of cookies and authentication tokens—session fixation, or session cloning. Exploiting vulnerabilities at the application and network layers can grant threat actors access to an authenticated session, undermining MFA protocols.

"Attackers can seize control of session permissions and parameters, facilitating greater opportunity for exploitation and detection avoidance."

A significant amount of phishing emails are used to deliver malware, particularly ransomware. "Malicious email attachments will very likely remain one of the most prevalent means of malware distribution for the foreseeable future," ZeroFox says.

"Reporting states that malicious attachments are leveraged in approximately 40 percent of phishing attacks and have been responsible for the delivery of 35 percent of ransomware so far in 2023—the highest of any delivery method.

"Despite security controls being regularly updated to account for these file types—ensuring suspicious files are flagged to end users—it is very likely threat actors will continue to pivot to file types that circumvent security controls."

The researchers note that attackers are using a variety of different file types and techniques to distribute malware. "Threat actors increasingly leverage files such as Windows image files (ISO), archive files (RAR), Windows Shortcut files (LNK), OneNote files, restricted permission messages (RPMSG) files, and Windows Script files to deploy malicious payloads," the researchers write.

"Threat actors have also been observed leveraging HTML smuggling to deliver prominent malware strains such as QBot and Emotet, whereby threat actors conceal a malicious script inside these files that is able to assemble and embed itself on the target network upon activation. This avoids malicious code being passed over the network."
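The two findings above translate directly into attachment triage rules: flag the container and script file types the researchers list, and inspect HTML attachments for the markers of a file being assembled in the browser. The script below is an added example (not ZeroFox's tooling) that does both over a few constructed attachments; the file names, byte contents and the marker list are assumptions for this example, and the HTML sample decodes nothing more than the string "ABCDEFG".

```python
"""Triage mail attachments for risky file types and HTML smuggling markers.

Constructed example. Input is (filename, bytes) pairs as a mail gateway or
mailbox scanner would hand them over.
"""
import re
from typing import Dict, List, Tuple

# File types the article names as abused payload carriers (.one is OneNote).
RISKY_EXTENSIONS = {
    "iso": "disk image", "img": "disk image", "rar": "archive",
    "lnk": "Windows shortcut", "one": "OneNote notebook",
    "rpmsg": "restricted permission message", "wsf": "Windows Script File",
    "js": "script", "vbs": "script", "hta": "HTML application",
}

# Markers of a file being decoded and written out by script inside the HTML.
HTML_SMUGGLING_MARKERS: List[Tuple[re.Pattern, str]] = [
    (re.compile(rb"atob\s*\("), "base64 decode in script"),
    (re.compile(rb"new\s+Blob\s*\("), "in-browser file construction (Blob)"),
    (re.compile(rb"createObjectURL\s*\("), "object URL for a generated file"),
    (re.compile(rb"msSaveOrOpenBlob"), "legacy IE blob save"),
    (re.compile(rb"\.download\s*="), "programmatic download attribute"),
    (re.compile(rb"[A-Za-z0-9+/]{2000,}={0,2}"), "long base64 literal"),
]

# Constructed samples: a clean PDF, a double-extension shortcut, an HTML file
# carrying the smuggling pattern (inert payload) and a OneNote file.
SAMPLE_ATTACHMENTS = [
    ("quarterly_report.pdf", b"%PDF-1.7 ... constructed placeholder ..."),
    ("invoice_9921.pdf.lnk", b"L\x00\x00\x00 constructed placeholder"),
    ("statement.html",
     b'<html><script>var b=atob("QUJDREVGRw==");var f=new Blob([b]);'
     b'var a=document.createElement("a");a.href=URL.createObjectURL(f);'
     b'a.download="statement.pdf";</script></html>'),
    ("notes.one", b"constructed placeholder"),
]


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return reasons to hold this attachment for review (empty if none)."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if ext in RISKY_EXTENSIONS:
        reasons.append(f"{RISKY_EXTENSIONS[ext]} attachment (.{ext})")
        # "invoice.pdf.lnk" style names add a social-engineering signal.
        if filename.lower().count(".") > 1:
            reasons.append("double extension")

    if ext in {"html", "htm", "shtml"}:
        hits = [label for pattern, label in HTML_SMUGGLING_MARKERS
                if pattern.search(data)]
        if hits:
            reasons.append("HTML smuggling indicators: " + "; ".join(hits))

    return reasons


def triage_all(attachments: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Map filename -> reasons for every attachment that should be held."""
    held = {}
    for name, data in attachments:
        reasons = triage_attachment(name, data)
        if reasons:
            held[name] = reasons
    return held


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: " + " | ".join(reasons))
```

The marker list is deliberately a heuristic: a single `atob` call appears in plenty of legitimate pages, so a gateway would typically hold an attachment when several markers co-occur, or route it to detonation rather than blocking outright.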

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart social engineering attacks.

ZeroFox has the story:

More Elon Musk Impersonation

There's been a surge of Elon Musk-themed cryptocurrency scams on TikTok, BleepingComputer reports. The scammers inform the victims that they can claim their reward after spending a small amount of bitcoin (about $132) to activate their account.

"BleepingComputer tested one of the giveaways to see how it works and found that almost all utilize the same template, which pretends to be a crypto investment platform," BleepingComputer says. Most of the videos use website domains that look slightly similar to the real thing.

"To take part in the giveaway, users are prompted to register an account and enter a promo code shared in the TikTok video. Once they enter the code, the site will pretend to deposit Bitcoin into the user's wallet."

Users should assume that any offer purporting to give away free money is a scam.

"It is essential to recognize that almost every crypto giveaway site is a scam, especially those claiming to be from Elon Musk, Tesla, SpaceX, Ark Invest, Gemini, and high-profile exchanges and celebrities that promise massive returns.

"If you see emails, videos, tweets, or other messages on social media promoting these giveaways, remember that any cryptocurrency you send will just be stolen with nothing in return."

BleepingComputer cites a Better Business Bureau warning issued last week outlining the following advice for avoiding TikTok scams:

  • "Use good judgment. Get-rich-quick schemes and investments guaranteed to give you a huge return are nearly always scams. If an offer sounds too good to be true, it probably is.
  • Do your research. Before you contact someone through TikTok or another social media platform, look up their name, phone number, and company name (if they have one) online. You'll likely find complaints online about it if they have conned others.
  • Don't give into scare tactics. If an 'investor' contacts you, they may try to convince you the investment will only work if you act right now. Or, if you've already sent them funds, they may threaten you with legal action if you don't pay their fees. In any case, don't give in to scare tactics. Recognize them as the hallmarks of a scam.
  • Understand how digital wallet services work. Treat any money you send through a digital wallet service like cash. Once you send the money, there will be little you can do to get it back if you were scammed. Using these apps only with people you know and trust is best."

It's not just individuals who can fall for these scams. Someone who bites on the Elon Musk phishbait can easily enmesh their organization in unwanted problems.

New-school security awareness training gives your employees a healthy sense of suspicion so they can avoid falling for scams and other social engineering attacks.

BleepingComputer has the story:

What KnowBe4 Customers Say

"I wanted to take a moment to let you know how awesome Max has been as our account representative. He always goes the extra mile to make sure we are up to speed on all the new features and constantly provides superior customer service on our account.

He has helped us to fully automate much of our training program. This has had a huge business impact for our non-profit organization's limited resources.

He always responds very promptly to any requests for support and has repeatedly taken the extra time to show how valuable KB4 is to our senior leadership team. Max consistently gives the kind of value-driven customer service that is remembered when it is time for renewal decisions to be taken.

I could really go on and on, but I just wanted you (and Max) to know how very much we appreciate his efforts to help us enhance and mature our cybersecurity program. Thank you!"

- W.R., Senior IT Security Analyst

"I'd like to leave some feedback regarding Zoya S. and the help she has provided us. Zoya has been a dream to work with; she's very professional and knows a lot about the product. With clear explanations she was able to educate me on the best practices that would be most suitable for our business.

Going that extra mile Zoya has also helped us set up KnowBe4 so that we're getting the maximum benefits out of the platform with minimal effort and administration. We are extremely happy with KnowBe4! Keep up the good work."

- J.M., IT Technician

The 10 Interesting News Items This Week
  1. Cyber Insurance Claims Frequency and Severity Both Increased For Businesses in 1H 2023:

  2. International Criminal Court Says It Detected 'Anomalous Activity' (Russian?) in Its Information Systems:

  3. Youth hacking ring at the center of cybercrime spree (Caesars, MGM):

  4. Forbes: "Take These Active Approaches To Insider Risk":

  5. German spy chief warns of cyberattacks targeting liquefied natural gas terminals:

  6. Hackers Released Updated Version of Black Hat AI Tool WormGPT V2:

  7. Microsoft Teams Hacks Are Back, As Storm-0324 Embraces TeamsPhisher:

  8. 1 year ago: "Cyber attacks more likely to bring down U.S.' most-advanced F-35 stealth fighter jet than Russian missiles" Did it happen this week?:

  9. Why is Mexico Offering Russia a Safe Haven for Its (cyber) Spies?:

  10. Hotel hackers redirect guests to fake to steal cards:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
