CyberheistNews Vol 14 #14 [SCARY] Research Shows Weaponized GenAI Worm That Gets Distributed Via A Zero Click Phishing Email


CyberheistNews Vol 14 #14  |   April 2nd, 2024

[SCARY] Research Shows Weaponized GenAI Worm That Gets Distributed Via A Zero Click Phishing Email

Stu Sjouwerman SACP

Israeli researchers came out with a hell of a thing just now. Here is a bit of the abstract and a video. YIKES.

In the past year, numerous companies have incorporated Generative AI (GenAI) capabilities into new and existing applications, forming interconnected GenAI ecosystems consisting of semi/fully autonomous agents powered by GenAI services.

While ongoing research highlighted risks associated with the GenAI layer of agents (e.g., dialog poisoning, privacy leakage, jailbreaking), a critical question emerges: Can attackers develop malware to exploit the GenAI component of an agent and launch cyberattacks on the entire GenAI ecosystem?

The blog post has a three-minute video that shows the whole thing.

Their paper introduces Morris II, the first worm designed to target GenAI ecosystems through the use of adversarial self-replicating prompts. The study demonstrates that attackers can insert such prompts into inputs that, when processed by GenAI models, prompt the model to replicate the input as output (replication) and engage in malicious activities (payload).

Additionally, these inputs compel the agent to deliver them (propagate) to new agents by exploiting the connectivity within the GenAI ecosystem. They demo the application of Morris II against GenAI-powered email assistants in two use cases (spamming and exfiltrating personal data), under two settings (black-box and white-box accesses), using two types of input data (text and images).

The worm is tested against three different GenAI models (Gemini Pro, ChatGPT 4.0, and LLaVA), and various factors (e.g., propagation rate, replication, malicious activity) influencing the performance of the worm are evaluated.

Blog post with links to the site with video and whitepaper. You may need an incognito window to get there.

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, April 3, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2023 Phish-prone™ Percentage Benchmark by Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how 65,000+ organizations have mobilized their end users as their human firewall.

Date/Time: TOMORROW, Wednesday, April 3, @ 2:00 PM (ET)


If Social Engineering Accounts for up to 90% of Attacks, Why Is It Ignored?

By Roger Grimes

Social engineering and phishing are involved in 70% to 90% of all successful cybersecurity attacks. No other initial root hacking cause comes close.

This is not a recent development. Social engineering has been the number one type of attack since the beginning of networked computers. Despite this long-time fact, most organizations do not spend 3% of their IT/IT Security budget to fight it.

It is this fundamental misalignment of resources against the ways people and devices are hacked that allows hackers and their malware programs to continue to be so successful for decades. This is the number one problem, and why we keep getting hacked.

When I tell people of this long-time conundrum, they ask why it is so. Many reasons ultimately, including that there are a lot of different ways that you could be broken into. All of which you are expected to prevent, all at once. Cybersecurity compliance regulations often have hundreds of controls you are expected to deploy and oversee.

But every control that focuses on something far less likely to happen while ignoring what is very likely to happen is an inefficient, likely failed defense.

We are being told that we need to focus on everything…or the wrong thing, and not being told what the biggest part of the problem is, by far, and that we need to focus, first and best, on it. And the problem is not just occurring at the individual cyber defender level, or even at the individual organization level.

It is a global systemic problem. Even the national and global organizations specifically created to protect you against cyber threats are letting you down and telling everyone to focus on the wrong problems.

[CONTINUED] Blog post with links:

All The Ways the Internet Is Surveilling You

Your personal information is continuously harvested and analyzed by countless data brokers eager to sell to the highest bidder. From your name to your online activities, to your employment details and even your real-time location — all are on the market for anyone interested.

Join us for this webinar with Roger A. Grimes, Data-Driven Security Evangelist at KnowBe4, as he discusses the extensive surveillance enabled by the internet, the risks of your personal data falling into the hands of malicious entities, and methods to protect yourself.

In this session, you will learn:

  • The various ways you are being surveilled, including through "free" GPS-enabled apps you have downloaded
  • How your digital footprint is commodified and utilized by social engineers
  • Techniques to detect signs of surveillance
  • Effective strategies to protect yourself from malicious tracking and defend against the tactics of social engineering

Learn ways to keep your online information safe and protect yourself against malicious scams. Plus, you will earn continuing professional education (CPE) credits for attending!

Date/Time: Wednesday, April 10 @ 2:00 PM (ET)

Cannot attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.


[NEW FBI REPORT] Losses Due To Cybercrime Jump to $12.5 Billion as Phishing Continues To Dominate

The FBI's Internet Crime Complaint Center (IC3) newly-released Internet Crimes Report provides an unbiased big picture of the cybercrimes that were the most used and most successful.

A few weeks ago, we covered the alarming trends on ransomware, and the FBI's IC3 division took in over 880,000 complaints last year from individuals and businesses about every cybercrime being committed. Unfortunately, the details on overall cybercrime show things are not improving.

According to the report, over the five years for which the data has been collected, the number of complaints and annual losses have continued to increase every year. This year's complaints were about 10% more than the previous year, and the total losses grew just over 20% in 2023 to reach $12.5 billion.

The top five crimes (in descending order) according to the FBI were:

  • Phishing (with just under 300K crimes)
  • Personal Data Breach (55K)
  • Non-Payment/Non-Delivery (50K)
  • Extortion (48K)
  • Tech Support (37K)

On a macro scale, phishing is the overwhelming attack type at nearly six to one over the next top crime. Last year's top five crimes were in the exact same order. So, why are we not stopping attacks? The answer lies in the data – phishing is the number one attack vector and continues to grow because it continues to be an effective means of tricking recipients.

In other words, the recipients themselves are not trained to spot malicious emails. And for organizations, given that security awareness training is readily available, that is just unacceptable.

It is simple: trained users are equipped to stop attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.


Got (Bad) Email? IT Pros Are Loving This Tool: Mailserver Security Assessment

With email still a top attack vector, do you know if hackers can get through your email filters?

Email filters have an average 7-10% failure rate where enterprise email security systems miss spam, phishing and malware attachments.

KnowBe4's Mailserver Security Assessment (MSA) is a complimentary tool that tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.

Here is how it works:

  • 100% non-malicious packages sent
  • Select from 40 automated email message types to test against
  • Saves you time! No more manual testing of individual email messages with MSA's automated send, test and result status
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!

Find out now if your mailserver is configured correctly; many are not!

Your KnowBe4 Compliance Plus Global Fresh Content Updates From March 2024

KnowBe4 – Know Your Customer: Introduction
Employees of financial institutions must verify the identity of each customer they interact with in the course of their daily work. In this training module, you will review the three pillars of the Know Your Customer (KYC) protocol: Customer Identification Program (CIP), Customer Due Diligence (CDD) and Ongoing Monitoring. You will practice implementing them in various scenarios.

MediaPRO – Introduction to Risk Management
In this training module, employees will learn about the importance of risk and the goals of risk management. The module covers the risk management process, how to manage risk, the types and sources of risk and the different types of threat actors. It also discusses the different types of risk controls, the risk assessment process and provides an overview of risk response.

MediaPRO – Getting to Know Customer Proprietary Network Information (CPNI)
In this training module, employees will learn the basics of Customer Proprietary Network Information (CPNI), what CPNI includes and does not include, the federal rules of CPNI and the importance of monitoring for and reporting breaches of CPNI.

KnowBe4 – Ireland: Bribery, Corruption and the Law
Every country, Ireland included, grapples with corruption. Corruption erodes an organization's ethical standing and poses significant risks to the whole operation. This training module will equip employees with the knowledge of offenses encompassed by the Irish Criminal Justice (Corruption Offenses) Act 2018 and help them spot the hazards linked with bribery and corruption.

The Security Awareness Company – Belgium: Data Protection Impact Assessment Guidelines
In certain cases, the General Data Protection Regulation (GDPR) requires controllers to perform a data protection impact assessment (DPIA). This short Mobile-First Module provides an overview of what a DPIA is, when it must be used and what it requires.

KnowBe4 – Understanding Psychosocial Risk Factors (NOM-035)
This training module explains more about Mexico's Psychosocial Risk Prevention Standard (NOM-035). Employees will learn what constitutes a psychosocial risk, methods to identify psychosocial risks, and behaviors that may require additional evaluation to comply with standard requirements.


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

P.S.: Your KnowBe4 Fresh Content Updates From March 2024:

P.P.S.: RIP Daniel Kahneman, pioneer of what became known as behavioral economics:

Quotes of the Week  
"Happiness lies in the joy of achievement, in the thrill of creative effort."
- Theodore Roosevelt (1858 - 1919)

"Creativity is intelligence having fun."
- Albert Einstein (1879 - 1955)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

New Phishing-as-a-Service Kit Attempts To Bypass MFA

A Phishing-as-a-Service (PhaaS) platform called "Tycoon 2FA" has surged in popularity over the past several months, according to researchers at Sekoia.

The phishing kit is notable for its focus on bypassing victims' multi-factor authentication measures. "Our monitoring of the prominent PhaaS kit revealed that Tycoon 2FA has become one of the most widespread AiTM phishing kits over the last few months, with more than 1,100 domain names detected between late October 2023 and late February 2024," Sekoia says.

"In mid-February 2024, we identified a new emerging version of the Tycoon 2FA that was widely distributed in the wild. This new version enhances its obfuscation and anti-detection capabilities and changes network traffic patterns."

The phishing sites are distributed via emails with malicious links or QR codes.

"The customers of the Tycoon 2FA PhaaS mainly distribute their phishing pages using redirections from URLs and QR code, which are embedded in email attachments or email bodies," the researchers write.

"The Tycoon 2FA service provides their clients with templates of phishing attachments (HTML pages), aiming at offering ready-to-use decoy documents, and making it easier for cybercriminals to carry out their campaigns.

"For example, some PDFs use human resources, financial, or security-themed lures to convince the target into following the next steps up to sharing their credentials and resolving the MFA challenge. Sekoia observed decoys impersonating DocuSign, Microsoft, Adobe, among others."

The phishing kit's targeting is largely indiscriminate, although some users focus on employees in certain departments.

"Most of the phishing campaigns carried out by the Tycoon 2FA customers seem to target organizations worldwide, by sending large volumes of phishing emails," the researchers write. "Some of the customers focus on identifying and targeting employees in the financial, accounting, or executive departments to take advantage of their access through fraud or use of privileged information."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.


A Simple 'Payment Is Underway' Phishing Email Downloads RATs From AWS, GitHub

Analysis of a new initial access malware attack shows how simple these attacks can be while also proving that malware can reside on legitimate repositories.

Security analysts at cybersecurity company Fortinet dissect the methods and actions taken by a new malicious Java-based downloader intent on spreading the remote access trojans (RAT) VCURMS and STRRAT.

According to the analysis, the threat actors store their malware on public services that include Amazon Web Services (AWS) and GitHub, using the commercially available code obfuscator Branchlock to avoid detection of the malicious Java code.

The start of this attack is little more than a "Remittance Summary" email that includes what appears to be a PDF attachment, but is actually an image linking to the malicious Java file. Screenshot is available on the blog.

The final payload includes a keylogger, password recovery malware and one of the two RATs. I spend a lot of time covering rather sophisticated campaigns; this one is the complete opposite: just click the "attachment" and let the Java do the rest. That is it — just one click and the rest is done.

This attack demonstrates just how simple phishing can be to find its next victim. The use of legitimate services and obfuscation of malicious code make it difficult for security solutions to spot the email as being malicious.

This leaves only the user who has undergone continual security awareness training to quickly realize that this email is bogus and to promptly delete it. To do anything else is to ensure a RAT in your proverbial kitchen.


What KnowBe4 Customers Say

"Hello Stu, I wanted to drop you a line praising Sophie M. who has been our CSM as we introduced KnowBe4 to our organization.

She has been an absolute joy to work with through this process bringing knowledge and support with a smile and an engaging manner even as I blundered my way through some early stages.

We have all experienced poor customer service many times and so I really wanted to take a moment to extol her professionalism and character. She is a credit to your organization."

- B.G., Finance Manager

The 10 Interesting News Items This Week
  1. U.S. accuses Chinese hackers of 14-year campaign targeting government officials:

  2. Pentagon, Congress have a 'limited window' to properly create a Cyber Force:

  3. Finland confirms APT31 hackers behind 2021 parliament breach:

  4. Hackers Breached Hundreds Of Companies' AI Servers, Researchers Say:

  5. 'Darcula' iMessage and RCS smishing attacks target USPS and global postal services:

  6. CISA's proposed framework for cyber incident reporting rules includes subpoena power:

  7. Cyber Leaders Struggle With Heightened Job Expectations, Communicating With Board:

  8. APT29 launches phishing campaign against German politicians:

  9. Prigozhin Is Dead, but His Troll Farms Are Alive and Peddling Disinformation:

  10. U.S. offers $10 million reward for information on ALPHV/BlackCat ransomware gang:

  11. BONUS Report: 'Adversary' (read: Russia) Responsible for Havana Syndrome Attacks:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
