CyberheistNews Vol 14 #01 [Heads Up] SMTP Smuggling - How It Easily Circumvents Your Email Defenses

Cyberheist News

CyberheistNews Vol 14 #01  |   January 3rd, 2024

[Heads Up] SMTP Smuggling - How It Easily Circumvents Your Email Defenses
Stu Sjouwerman SACP

A newly discovered technique that misuses SMTP commands allows cybercriminals to pass SPF, DKIM and DMARC checks, so impersonated emails reach their intended victims.

Earlier this month, Timo Longin, a security researcher with cybersecurity consulting firm SEC Consult, published details on what is now referred to as SMTP smuggling. Simply put, he found that sending and receiving email servers can interpret the same SMTP exchange differently, which allows message content to be submitted to a receiving email server in a way that makes the server simply accept the message and deliver it to the intended recipient.

While the details are rather in the weeds, in essence cybercriminals take advantage of what should be the end-of-data sequence by placing it near the beginning of an email submission. Entire additional emails are "smuggled" within that one submission, bypassing the normal steps that include checking SPF, DKIM and DMARC.

In the screenshot in the blog post (link below), you'll note the initial short email with the email body of "lorem ipsum." But then there's this extra email with the email body of "I am the admin now!" The specific content is irrelevant (other than to provide an example of something benign vs. malicious in nature), but it shows how SMTP smuggling occurs.
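The check a receiving mail server or gateway would want at this point, as an added Python example that is not from the newsletter or from SEC Consult: scan an SMTP DATA segment for a lone-dot line that is not the RFC 5321 CRLF.CRLF terminator, since a terminator that one server honours and another ignores is exactly the ambiguity described above. The sample message is constructed to mirror the "lorem ipsum" / "I am the admin now!" screenshot; the variant sequences flagged are the assumed ambiguous forms, not a list from the article.

```python
import re

# RFC 5321 section 4.1.1.4: lines end with CRLF and DATA ends with a line that
# holds only ".", so the only compliant end-of-data marker is CRLF.CRLF.
CANONICAL_EOD = b"\r\n.\r\n"

# Any lone-dot line delimited by CR, LF or CRLF on either side. Variants other
# than CRLF.CRLF may be read as end-of-data by one server and as body text by another.
DOT_LINE_RE = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")

# Bare LF (no preceding CR) or bare CR (no following LF) anywhere in the stream.
BARE_NEWLINE_RE = re.compile(rb"(?<!\r)\n|\r(?!\n)")

def find_ambiguous_terminators(data: bytes) -> list:
    """Return (offset, bytes) for every dot-line terminator that is not CRLF.CRLF."""
    return [(m.start(), m.group(0)) for m in DOT_LINE_RE.finditer(data)
            if m.group(0) != CANONICAL_EOD]

def has_bare_newlines(data: bytes) -> bool:
    """True when the DATA stream contains line endings RFC 5321 does not allow."""
    return BARE_NEWLINE_RE.search(data) is not None

def assess_data_segment(data: bytes) -> str:
    """Verdict a strict receiver or gateway could apply before accepting DATA."""
    ambiguous = find_ambiguous_terminators(data)
    if ambiguous:
        offset, seq = ambiguous[0]
        return f"REJECT: non-standard end-of-data sequence {seq!r} at byte {offset}"
    if has_bare_newlines(data):
        return "REJECT: bare CR or LF in DATA stream"
    return "ACCEPT"

# Constructed sample (not a real capture): a short message, a bare-LF dot line,
# then a second message that a lenient receiver could treat as a separate email.
CONSTRUCTED_DATA = (
    b"From: sender@example.com\r\n"
    b"Subject: lorem ipsum\r\n"
    b"\r\n"
    b"lorem ipsum\r\n"
    b"\n.\n"                                  # ambiguous terminator
    b"Subject: I am the admin now!\r\n"
    b"\r\n"
    b"I am the admin now!\r\n"
    b".\r\n"                                  # canonical terminator
)

CLEAN_DATA = b"Subject: lorem ipsum\r\n\r\nlorem ipsum\r\n.\r\n"

if __name__ == "__main__":
    print(assess_data_segment(CONSTRUCTED_DATA), assess_data_segment(CLEAN_DATA), sep="\n")
```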

According to Longin, this method can be used to impersonate emails from any high-profile brand. This is where it becomes a real problem. Users that have not undergone security awareness training will be more prone to believing an email is actually from the company it claims to be, falling for the socially engineered scam within.

The vulnerability was initially reported to vendors in late July. Microsoft has since rolled out a patch, but other vendors, including Cisco, have yet to do so.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with link and screenshot:

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, January 10, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Content Manager lets you easily customize your training content preferences including branding, adjustable passing score, test out and more
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Executive Reports helps you create, tailor and deliver advanced executive-level reports
  • See the fully automated user provisioning and onboarding

Find out how 65,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, January 10, @ 2:00 PM (ET)

Save My Spot!

AI in 2024: The Top 10 Cutting Edge Social Engineering Threats

The year 2024 is shaping up to be a pivotal moment in the evolution of artificial intelligence (AI), particularly in the realm of social engineering. As AI capabilities grow exponentially, so too do the opportunities for bad actors to harness these advancements for more sophisticated and potentially damaging social engineering attacks. Let's explore the top 10 expected AI developments of 2024 and their implications for cybersecurity.

1. Exponential Growth in AI Reasoning and Capabilities
As Vinod Khosla of Khosla Ventures points out, "The level of innovation in AI is hard for many to imagine." AI's reasoning abilities are expected to soar, potentially outperforming human intelligence in certain areas. This could lead to more convincing and adaptable AI-driven social engineering tactics, as bad actors leverage these reasoning capabilities to craft more persuasive attacks.

2. Multimodal Large Language Models (MLLMs)
MLLMs, capable of processing and understanding various data types, will take center stage in 2024. These models could be used to create highly convincing and contextually relevant phishing messages or fake social media profiles, enhancing the efficacy of social engineering attacks.

3. Text to Video (T2V) Technology
The advancement in T2V technology means that AI-generated videos could become a new frontier for misinformation and deepfakes. This could have significant implications for fake news and propaganda, especially in the context of the 2024 elections, or real-time business email compromise attacks.

4. Revolution in AI-Driven Learning
AI's ability to identify knowledge gaps and enhance learning can be exploited to manipulate or mislead through tailored disinformation campaigns, targeting individuals based on their learning patterns or perceived weaknesses.

5. Challenges in AI Regulation
Governments' attempts to regulate AI to prevent catastrophic risks will be a key area of focus. However, the speed of AI innovation will outpace regulatory efforts, leading to a period where advanced AI technologies inevitably will be used in social engineering attacks.

6. The AI Investment Bubble and Startup Failures
The surge in AI venture capital indicates a booming market, but the potential failure of AI startups due to business model obsolescence could lead to a set of orphaned, advanced, but unsecured AI tools available for malicious use.

7. AI-Generated Disinformation in Elections
With major elections scheduled globally, the threat of AI-generated disinformation campaigns is more significant than ever. These sophisticated AI tools are already being used to sway public opinion or create political unrest, and there are a whopping 40 elections around the world in 2024.

8. AI Technology Available For Script Kiddies
As AI becomes more accessible and cost-effective, the likelihood of advanced AI tools falling into the wrong hands increases. This could lead to a rise in AI-powered social engineering attacks even by less technically skilled bad actors.

9. Enhanced AI Hardware Capabilities
Jensen Huang, co-founder and chief executive of Nvidia, told the DealBook Summit in late November that "there's a whole bunch of things that we can't do yet." However, the advancements in AI hardware, such as Neural Processing Units (NPU), will lead to faster and more sophisticated AI models. This could allow real-time, adaptive social engineering tactics, making scams more convincing and harder to detect.

10. AI in Cybersecurity and the Arms Race
While AI advancements provide tools for cybercriminals, they also empower more effective AI-driven security systems. This is leading to an escalating arms race between cybersecurity measures and attackers' tactics, where real-time AI monitoring against AI-driven social engineering attacks might become reality.

The upshot is that 2024 is set to be a landmark year in AI development, with far-reaching implications for social engineering. It is crucial for cybersecurity professionals to stay ahead of these trends, build a strong security culture, adapt their strategies, and keep stepping their workforce through frequent security awareness and compliance training.

Blog post with links:

Critical Considerations When Evaluating SAT Vendors

The vendor landscape for security awareness training (SAT) is as diverse as it is innovative.

This market has changed significantly over the past several years as CISOs and security leaders now seek to ensure that any SAT program is changing user behavior and empowering their business to understand, reduce and monitor employee cyber risk.

An SAT vendor should provide the necessary tools to turn your users into a human firewall while serving as a foundation for improved security culture and human risk management.

Read this whitepaper to learn:

  • Seven critical capabilities any SAT vendor should provide
  • What to know before you evaluate SAT platforms
  • How the market continues to transition and key capabilities to ensure your future success

Download this whitepaper today!

Impersonation Attack Data Breaches Predicted to Increase in 2024

With so much of an attack riding on a cybercriminal's ability to gain access to systems, applications and data, experts predict the trend of rising impersonation is only going to get worse.

The Identity Theft Resource Center's 2024 Predictions includes one that organizations should be paying close attention to:

An unprecedented number of data breaches in 2023 by financially motivated and nation/state threat actors will drive new levels of identity crimes in 2024, especially impersonation and synthetic identity fraud.

Data breaches are considered the number one business risk to organizations, giving credence to the beginning part of ITRC's prediction. And we already have seen the use of impersonation grow as credentials have become the primary target of initial access brokers, with over 10,000 credentials a month being sold on the dark web!

But these credentials aren't the endgame, according to the ITRC; they are simply a means to gather as much personal information about an individual (sort of a modern-day doxing) so that they can commit much more lucrative crimes that yield more money per victim. Another of the ITRC's predictions gives some context of how this data may be misused:

The availability of compromised consumer data and the use of large language models (LLMs) may result in AI-created, highly convincing "medical records" that could be submitted to insurance carriers.

But to get access to enough data, cybercriminals need to first gain access to corporate data that may contain personal details for customers, patients, etc. Which brings me back to where I started — cybercriminals need credentials to gain initial access, move laterally, and access sensitive data.

So, stopping a string of attack actions with that very first credential — which likely is compromised as part of a credential harvesting attack — is imperative.

And, with the owner of the credential — one of your users — giving up the credential as part of a socially engineered phishing scam, this critical juncture requires its own type of security control — found in new-school security awareness training. No credentials means no access, which means no data breach, which means no misuse of personal data.

Blog post with links:

[CASE STUDY] Gamifying the Way to Phishing Resilience at Whitbread

Multinational hospitality provider Whitbread understands just how vital knowledge of phishing email tactics is to organizational security. KnowBe4's simulated phishing capabilities and integrated training helped the information security awareness and communications manager improve phishing report rates and drive user engagement, reminding users of the vital part they play in Whitbread's security culture.

Learn how KnowBe4's simulated phishing platform with integrated training allowed them to:

  • Increase reported simulated phishing emails from 2% to 31% in less than a year
  • Improve communication between users and the InfoSec team
  • Enroll nearly a quarter of users in an inaugural simulated phishing tournament
  • Raise user engagement with security training and simulated phishing

Download this case study today!

I made it in the Top 25 Cybersecurity CEOs to Watch in 2024

The CyberExpress is a VC-backed cyber security news mag that provides the latest news and analysis about the information security industry. They published an article December 20, 2023, titled "Top 25 Cybersecurity CEOs to Watch in 2024."

"These leaders have demonstrated an unwavering commitment to innovation, employing cutting-edge technologies to fortify security defenses. In an era marked by relentless technological evolution and the omnipresence of cyber threats, the role of cybersecurity professionals has become increasingly important."

"The cybersecurity CEOs embody a remarkable blend of expertise, adaptability, and forward-thinking leadership that sets them apart in the security domain. As stewards of technological advancement, these CEOs are not merely guardians of data; they are architects of the future, steering their organizations with unparalleled vision and resilience.

"Their ability to anticipate and proactively address online threats places them at the forefront of the cybersecurity industry."

I am honored and humbled to be on this list:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from December 2023. Watch the latest video!:

PPS: Did you know KnowBe4 created a security game for kids on Roblox? Check out Hack-A-Cat!:

Quotes of the Week
"The best way to predict the future is to create it."
- Peter Drucker (1909 - 2005)

"The future is already here – it's just not evenly distributed."
- William Gibson (1948 - )

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Ransomware Attacks Rise 85% Compared to the Previous Year

With November demonstrating multiple increases when compared to various previous time periods, new data signals that we may be in for a bumpy ride in 2024.

It's nice when we get to see reports that are published relatively quickly to let us get a sense of where cyberattacks are today versus, say, a quarter or two ago (or even last year!). NCC Group's Cyber Threat Intelligence Report was just published and covers ransomware attacks through November of this year.

What makes this particular report so alarming is that the attacks observed in November (historically a month in which the number of attacks rises) show material increases from several comparative perspectives:

  • The number of attacks from January through November of this year is approximately 85% greater than the same timeframe last year
  • The number of attacks in November alone is 67% more than November of last year
  • November 2022 experienced 30% more ransomware attacks than October 2022

The major players observed by NCC Group were Lockbit 3.0, BlackCat, and Play. The largest verticals targeted were Industrial, Consumer Cyclicals, Healthcare, and Technology. Lastly, the dominant region was North America with 50% of the attacks, followed by Europe with 30% of the attacks.

With affiliates of these groups using phishing as one of the initial attack vectors, it's imperative to make sure you start off 2024 with a layered defense that includes email and web protection, endpoint detection and response, and new-school security awareness training.

Blog post with links:

What KnowBe4 Customers Say

"I would like to express my satisfaction with Santiago M.'s performance. Despite not having all the answers immediately, he demonstrated efficiency and appeared to be a capable professional in terms of knowledge of the platform. I am inclined to continue working with him as our Customer Success (CS) as I believe this partnership will lead to success and significant optimization of the platform. I sincerely appreciate the prompt assistance and understanding shown regarding our needs."

- O.D., Information Technology

"So far our experience has been good, with the only hiccups being of my own making. :) I have been working with Amy B., and she has been outstanding. We're working through all of the aspects of setup and use, and she has been knowledgeable and accessible. One of the better implementation experiences I've had. So yes sir, I'm a happy camper!"

- R.S., Director, Information Technology

The 10 Interesting News Items This Week
  1. WSJ: "China Is Stealing AI Secrets to Turbocharge Spying, U.S. Says.":

  2. Iranian-Linked Hacks Expose Failure to Safeguard U.S. Water System:

  3. 2023 Rewind: highlights of the year in cybersecurity:

  4. Most Sophisticated iPhone Hack Ever Exploited Apple's Hidden Hardware Feature:

  5. Did the Colonial Pipeline ransomware infection cause real change in the aftermath?:

  6. Unveiling the true cost of healthcare cybersecurity incidents:

  7. What is an NPU? Here's why everyone's suddenly talking about them:

  8. China arrests 4 people who developed ChatGPT based ransomware:

  9. Why CISOs Need to Make Cyber Insurers Their Partners:

  10. Cybersecurity in the Year Ahead: Think 2023 on Steroids:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
