CyberheistNews Vol 14 #16 Critical Improvements to the 7 Most Common Pieces of Cybersecurity Advice


CyberheistNews Vol 14 #16  |   April 16th, 2024

Critical Improvements to the 7 Most Common Pieces of Cybersecurity Advice

By Roger Grimes

I have been in the cybersecurity industry for over 35 years and I am the author of 14 books and over 1,400 articles on cybersecurity.

I regularly speak with thousands of cybersecurity practitioners each year. Nearly every day, I see (good) cybersecurity advice, but some of it is just a bit shy of what is needed…such as "Use MFA!"

That is good advice but is not specific enough. It does not give enough detail. There is a slight adjustment needed to get the most benefit. In this blog, I cover the seven bits of cybersecurity advice that I see all the time that need some fine-tuned adjustment.

Focus More on Initial Root Causes

If you want to stop someone from breaking into your house, over and over, you need to focus more on how thieves break into houses (e.g., doors, windows, walls, roofs, garage, etc.) and less on what they do once they are in. Because if you do not focus on the entry points, what they take will just change over time.

In cybersecurity, there are 13 root (initial access) hacking causes. They are:

  • Social Engineering
  • Programming Bug (patch available or not available)
  • Authentication Attack
  • Malicious Instructions/Scripting
  • Data Malformation
  • Human Error/Misconfiguration
  • Eavesdropping/MitM
  • Side Channel/Information Leak
  • Brute Force/Computational
  • Network Traffic Malformation
  • Insider Attack
  • Third Party Reliance Issue (supply chain/vendor/partner/etc.)
  • Physical Attack

Every hacking and malware attack I have seen over my 35-plus years in the cybersecurity industry falls into one of these categories. Different organizations have different categories and descriptions, but I have spent over 20 years seriously analyzing hacking root causes and know I have the best list.

But take any initial access root cause classification list and use it to analyze and assess risk and risk mitigations. A lot of people focus too much on hacking outcomes, such as ransomware, credential theft or exfiltrated confidential information.

Outcomes do matter, especially for the damage and cost assessment portion of risk management, but if you want to stop cybercrime and lower risk overall, focus more on initial root causes.

It can be hard, especially if you are not in the cybersecurity field, to tell the difference between initial root causes and the outcomes of initial root causes. More organizations and reports in the cybersecurity industry get it wrong.

Many, for example, list ransomware or computer malware as root causes alongside phishing. Those last two are results of an initial root cause, not initial root causes themselves, whereas phishing is one.
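As an added illustration of the root-cause-versus-outcome distinction (example code, not part of the original column), the script below tags a set of constructed incident records with one of the 13 initial access root causes listed above, rejects labels that are really outcomes (ransomware, credential theft), and tallies incidents by root cause and by outcome so the two views can be compared. The alias table and the incident records are assumptions made for the example.

```python
"""Tag incidents by initial-access root cause and compare a root-cause tally
with an outcome tally. Added example; the incident records are constructed."""
from collections import Counter

# The 13 initial-access root causes from the article, lower-cased for matching.
ROOT_CAUSES = {
    "social engineering",
    "programming bug",
    "authentication attack",
    "malicious instructions/scripting",
    "data malformation",
    "human error/misconfiguration",
    "eavesdropping/mitm",
    "side channel/information leak",
    "brute force/computational",
    "network traffic malformation",
    "insider attack",
    "third party reliance issue",
    "physical attack",
}

# Results of an initial access, not initial access itself (constructed, non-exhaustive).
OUTCOMES = {"ransomware", "malware", "credential theft", "data exfiltration"}

# Labels commonly filed as "root cause" that map onto one of the 13 (assumed mapping).
ALIASES = {
    "phishing": "social engineering",
    "unpatched vulnerability": "programming bug",
    "misconfiguration": "human error/misconfiguration",
    "vendor compromise": "third party reliance issue",
    "mitm": "eavesdropping/mitm",
}


def normalize_root_cause(label: str) -> str:
    """Map a free-text label onto one of the 13 root causes, or raise if it is an outcome."""
    key = ALIASES.get(label.strip().lower(), label.strip().lower())
    if key in ROOT_CAUSES:
        return key
    if key in OUTCOMES:
        raise ValueError(f"{label!r} is an outcome, not an initial-access root cause")
    raise ValueError(f"unknown root cause label {label!r}")


def tally(incidents):
    """Return (count by root cause, count by outcome) for a list of incident dicts."""
    by_root, by_outcome = Counter(), Counter()
    for inc in incidents:
        by_root[normalize_root_cause(inc["root_cause"])] += 1
        by_outcome[inc["outcome"].strip().lower()] += 1
    return by_root, by_outcome


# Constructed sample incidents: the outcome view says "ransomware", the
# root-cause view says "social engineering" is where mitigation effort belongs.
INCIDENTS = [
    {"id": 1, "root_cause": "Phishing", "outcome": "Ransomware"},
    {"id": 2, "root_cause": "Phishing", "outcome": "Credential theft"},
    {"id": 3, "root_cause": "Unpatched vulnerability", "outcome": "Ransomware"},
    {"id": 4, "root_cause": "Social Engineering", "outcome": "Data exfiltration"},
    {"id": 5, "root_cause": "Misconfiguration", "outcome": "Ransomware"},
    {"id": 6, "root_cause": "Vendor compromise", "outcome": "Credential theft"},
]

if __name__ == "__main__":
    roots, outcomes = tally(INCIDENTS)
    print("by root cause:", roots.most_common())
    print("by outcome:   ", outcomes.most_common())
```

Running it on the constructed records shows the gap the article describes: the outcome tally is dominated by ransomware, while the root-cause tally points at social engineering, which is the entry point a control would actually close.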

[CONTINUED] at the KnowBe4 blog with links:

RIP Malicious Emails With KnowBe4's PhishER Plus

RIP malicious emails out of your users' mailbox with KnowBe4's PhishER Plus!

It's time to supercharge your phishing defenses using these two powerful features:
1) Automatically blocking malicious emails that your filters miss
2) Being able to RIP malicious emails before your users click on them

With PhishER Plus you can:

  • Use crowdsourced intelligence from more than 13 million users to block known threats before you're even aware of them
  • Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Simplify your workflow by analyzing links and attachments from a single console with the CrowdStrike Falcon Sandbox integration
  • Leverage the expertise of the KnowBe4 Threat Research Lab to analyze tens of thousands of malicious emails reported by users around the globe per day
  • Automate message prioritization by rules you set and cut through your Incident Response inbox noise to respond to the most dangerous threats quickly

Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.

Date/Time: TOMORROW, Wednesday, April 17, @ 2:00 PM (ET)

Save My Spot:

Water Facilities Compromised by Iranian Threat Actors

In December 2023, a joint alert was issued by the FBI, CISA, NSA, EPA and INCD regarding Iranian cyber actors known as "CyberAv3ngers" linked to Iran's Islamic Revolutionary Guard Corps (IRGC).

The group had claimed responsibility for compromising critical infrastructure targets in Israel and the U.S., including providing technical indicators. Further sanctions against the involved Iranians in February 2024 showed the seriousness of these activities.

Most concerning was CyberAv3ngers' focus on water facilities. Successful attacks in late 2023 accessed water authorities in Pennsylvania, Texas and Florida, though the consequences were minimal. The messages left behind still conveyed an ability to damage systems, however. Iran's interest in water infrastructure dates back to at least 2013, indicating this may not be random.

Previous Iranian attacks have manipulated dam operations and water treatment processes in attempts to undermine public health. The 2020 attacks against Israeli water systems exploited Unitronics devices, which has served as the justification for attacking further targets. However, Iran's repeated focus suggests these facilities are a strategic priority beyond whatever technical access points happen to be available.

As with the energy infrastructure infiltrations attributed to China, access may be established but left dormant for later exploitation. This stealth complicates defense and demonstrates sophisticated intent. Given Iran's history of deniably enabling proxy operations, persistent backdoors are a serious concern, especially as many water utilities lack robust security.

While immediate destructive actions may depend on Iran's self-perceptions, compromised water introduces unacceptable risks to public safety that other targets do not. As meetings address this sector's vulnerabilities, reevaluating critical infrastructure security is overdue, given that infiltrations are now a reality rather than a mere possibility.

In addition to technical defenses, one of the most effective ways for critical infrastructure operators to strengthen their cybersecurity posture is by establishing a robust security culture within their organization.

A positive security culture where best practices are standardized and all employees feel responsible for protecting systems can help to minimize the risks posed by both external hackers and insider threats.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

KnowBe4 is the #1 SAT Platform on G2 for 19 Quarters!

Have you ever wanted to peek behind the curtain of security awareness training (SAT) platforms and see which one truly stands out? Well, you don't need to wonder anymore. The G2 Grid Report has done all the heavy lifting for you, making it easy for you to make an informed decision.

The G2 Grid Report ranks according to the people who use the products daily. We're talking genuine feedback, satisfaction ratings and how big of an impact they're making in the market.

In a league of our own, KnowBe4 scored in the 90s, the only vendor to do this. 98% of users gave us 4 or 5 stars and 93% would recommend us to others. Trust isn't just won; it's earned, and we take that to heart.

You'll get access to:

  • A line up of SAT vendors stacked and rated based on customer reviews
  • Profiles of each vendor highlighting strengths, industries and organization size
  • User-driven scores for ease of use, support quality and more, to help you pick the best platform

Ready to get your hands on this goldmine of information? Download your complimentary report and see why KnowBe4 has been ranked the #1 SAT vendor for the 19th consecutive quarter and has more customers than all SAT vendors combined.

Download Now:

New Phishing-as-a-Service (PhaaS) platform, 'Tycoon 2FA,' Targets Microsoft 365 and Gmail Accounts

A new PhaaS service brings the power of bypassing multi-factor authentication (MFA) to the world's most-used email platforms.

At its core, Tycoon 2FA isn't doing anything new. It uses a reverse proxy server to host a phishing web page that impersonates the legitimate email platform in question. It then intercepts the victim's input and relays it to the legitimate service.

But it's how this platform does it that is sophisticated. In a deep dive analysis of the phishing kit by security vendor Sekoia, we get a glimpse into just how sophisticated and how much work goes into this latest iteration of the PhaaS platform. See the diagram on the blog post, link below. It shows you how it bypasses 2FA without letting the victim know.

According to Bleeping Computer's coverage of the Sekoia analysis, there are seven stages in this attack:

  • Stage 0 – Attackers distribute malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages.
  • Stage 1 – A security challenge (Cloudflare Turnstile) filters out bots, allowing only human interactions to proceed to the deceptive phishing site.
  • Stage 2 – Background scripts extract the victim's email from the URL to customize the phishing attack.
  • Stage 3 – Users are quietly redirected to another part of the phishing site, moving them closer to the fake login page.
  • Stage 4 – This stage presents a fake Microsoft login page to steal credentials, using WebSockets for data exfiltration.
  • Stage 5 – The kit mimics a 2FA challenge, intercepting the 2FA token or response to bypass security measures.
  • Stage 6 – Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack success.

According to Sekoia, Tycoon has received an estimated total of over $394K in bitcoin since the service's inception back in 2019. Sekoia estimates that "several hundred Tycoon 2FA kits were sold as-a-service over half a year" since the latter part of 2024, demonstrating that this phishing kit is growing in popularity and effectiveness.
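The reason a reverse proxy can relay a 2FA code (Stage 5 above) is that a one-time code carries no information about where the victim typed it, so the legitimate server accepts it whether it arrives from the victim's browser or from the proxy. The added example below, which is not code from Sekoia, Bleeping Computer or the kit itself, models both sides of that exchange from the server's point of view: a TOTP-style code that verifies after relay, and an origin-bound challenge/response in the style of WebAuthn that the relying party rejects because the browser bound the phishing page's origin into the signed data. It is a simplified model: an HMAC stands in for the public-key signature a real authenticator produces, and the origins, keys and secrets are constructed.

```python
"""Model of why a reverse-proxy phishing page can relay a one-time code but not
an origin-bound authenticator response. Added example, simplified; the origins,
keys and the HMAC-for-signature substitution are assumptions of the example."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example-mail.test"          # constructed legitimate service
PROXY_ORIGIN = "https://login.example-mail-login.test"   # constructed phishing proxy


# --- 1. One-time code (TOTP-style): nothing in the code says where it was typed ---
def otp_code(secret: bytes, t: int) -> str:
    """Six-digit HMAC-SHA1 code over a 30-second time step (HOTP/TOTP construction)."""
    counter = struct.pack(">Q", t // 30)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


def server_verify_otp(secret: bytes, submitted: str, t: int) -> bool:
    return hmac.compare_digest(submitted, otp_code(secret, t))


def otp_relayed_through_proxy(secret: bytes, t: int) -> bool:
    """Victim types the code on the proxy page; proxy forwards the identical string."""
    typed_by_victim = otp_code(secret, t)
    forwarded_by_proxy = typed_by_victim      # the server cannot tell the difference
    return server_verify_otp(secret, forwarded_by_proxy, t)


# --- 2. Origin-bound challenge/response (WebAuthn-like, simplified) ---
def authenticator_sign(device_key: bytes, challenge: str, origin_seen_by_browser: str) -> dict:
    """The browser records the origin it is actually on; the signature covers it.
    HMAC stands in for the authenticator's public-key signature (simplification)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser},
                             sort_keys=True)
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def rp_verify(device_key: bytes, expected_challenge: str, response: dict) -> bool:
    """Relying-party check: origin must be ours, challenge must be the one we issued,
    and the signature must cover exactly that client data."""
    data = json.loads(response["client_data"])
    if data.get("origin") != REAL_ORIGIN:
        return False
    if data.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(device_key, response["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response["sig"])


def webauthn_direct(device_key: bytes) -> bool:
    """Normal login: browser is on the real origin, so the RP accepts."""
    challenge = secrets.token_hex(16)
    return rp_verify(device_key, challenge, authenticator_sign(device_key, challenge, REAL_ORIGIN))


def webauthn_relayed_through_proxy(device_key: bytes) -> bool:
    """Proxy forwards the real server's challenge, but the victim's browser is on the
    proxy's origin, so that origin is what gets signed and the RP rejects it."""
    challenge = secrets.token_hex(16)
    return rp_verify(device_key, challenge, authenticator_sign(device_key, challenge, PROXY_ORIGIN))


if __name__ == "__main__":
    otp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    print("OTP relayed via proxy accepted:     ", otp_relayed_through_proxy(otp_secret, 1_700_000_000))
    print("WebAuthn direct accepted:           ", webauthn_direct(device_key))
    print("WebAuthn relayed via proxy accepted:", webauthn_relayed_through_proxy(device_key))
```

The model is the "slight adjustment" to the "Use MFA!" advice from the top of this issue: MFA whose second factor is a code the user types can be relayed by this kind of kit, while a factor that binds the origin the browser is on cannot be replayed from a look-alike domain.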

Blog post with links and screenshot:

Announcing AIDA: Artificial Intelligence Defense Agents!

Big news! We are excited to announce Artificial Intelligence Defense Agents (AIDA), KnowBe4's latest leap in fortifying security culture and managing human risk through the power of GenAI.

AIDA is not just another tool; it's a game-changer in empowering you to create a strong security culture.

Here's why AIDA is a substantial step forward:

  • Personalized Training: AIDA delivers tailored security awareness training, the right kind of training at the right time to the right audience
  • Adaptive Defense: Early testing indicates AIDA promises a shift from reactive to proactive defense strategies against AI-driven threats

Read the full blog:

Or check out the press release:

Budget Ammo Department

SC Magazine: "What Security Agencies, Regulators And Businesses Keep Getting Wrong About Cybersecurity":

INC. Magazine: "How to build a strong security culture":

Fast Company: "The growing threat of AI in social engineering: How business can mitigate risks":

[PODCAST] Perry Carpenter: "How Rachel Tobac Hacked Me":

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [Honored and Privileged] Last week I was given the Holland on the Hill Freddy Heineken Award:

PPS: World-first 'Cybercrime Index' ranks countries by cybercrime threat level:

Quotes of the Week  
"A friend is someone who gives you total freedom to be yourself."
- Jim Morrison, Musician (1943 - 1971)

"The only way to have a friend is to be one."
- Ralph Waldo Emerson, American essayist and philosopher (1803-1882)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Cyber Attacks Could Cause Global Bank Runs

The International Monetary Fund (IMF) has warned that severe cyber attacks against financial institutions could lead to major bank runs and market selloffs. While this hasn't happened yet, the IMF has observed these effects on a smaller scale after a cyber attack hits a bank.

"Incidents in the financial sector could threaten financial and economic stability if they erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions," the IMF says.

"For example, a severe incident at a financial institution could undermine trust and, in extreme cases, lead to market selloffs or runs on banks".

"Although no significant 'cyber runs' have occurred thus far, our analysis suggests modest and somewhat persistent deposit outflows have occurred at smaller US banks after a cyberattack. Cyber incidents that disrupt critical services like payment networks could also severely affect economic activity.

"For example, a December attack at the Central Bank of Lesotho disrupted the national payment system, preventing transactions by domestic banks."

Security awareness training can give organizations an essential layer of defense against social engineering attacks. The IMF offers the following recommendations to help financial institutions avoid falling victim to cyberattacks:

  • "Periodically assessing the cybersecurity landscape and identifying potential systemic risks from interconnectedness and concentrations, including from third-party service providers.
  • Encouraging cyber 'maturity' among financial sector firms, including board-level access to cybersecurity expertise, as supported by the chapter's analysis which suggests that better cyber-related governance may reduce cyber risk.
  • Improving cyber hygiene of firms — that is, their online security and system health (such as antimalware and multifactor authentication) — and training and awareness.
  • Prioritizing data reporting and collection of cyber incidents, and sharing information among financial sector participants to enhance their collective preparedness."

Blog post with links:

Tokyo Police Department Warns of Phishing Scam

The Tokyo Metropolitan Police Department has warned of a phishing scam that's attempting to trick individuals with phony arrest warrants, the Japan Times reports.

"The police said they confirmed a case of a scam, which aims to deceive victims into accessing a fake website that looks like that of the Tokyo police and disclosing their personal information including names and bank account PIN codes," the Times writes. "It has prompted authorities to urge heightened vigilance among the public."

The criminals are impersonating the police to trick people into handing over personal and financial information. "According to the Tokyo police's special fraud task force, a man living in the capital received a suspicious call on his mobile phone around March from an individual posing as a police investigator who asserted that the man's bank account had been used in criminal activities," the Times says.

"Communication between the two parties continued on social media platforms, culminating in the victim being directed to a fraudulent website to purportedly verify an alleged arrest warrant. Upon visiting the fake website and entering his personal details, including name and phone number, he was presented with a fabricated 'arrest warrant' bearing his name.

"The victim was then instructed via phone to transfer hundreds of thousands of yen as an 'investigation fee' to a specified account for the warrant to be withdrawn. Upon clicking on the 'Investigation of Funds' option on the fake website, a form appeared to prompt the victim to enter his bank account details and PIN."

The police said at least four people lost money to this scam last month. The Times quotes a police official as saying, "It is easy to create fake websites. There could be other similar websites. We urge the public to exercise caution and remain vigilant against fraudulent schemes."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

The Japan Times has the story:

What KnowBe4 Customers Say

"Hey Stu! I appreciate you checking in to confirm things are going as expected. I can confirm that our team is extremely satisfied with all of the services KnowBe4 provides, and I am personally very grateful for the support I have personally received to set everything up. No complaints!"

- M.N., Director, Technical Operations

"Hi Stu, Thank you for your email. We are happy to use your platform, and our users completed first training. There was very positive feedback from them."

- N/L., Head of IT and Cyber Security

The 10 Interesting News Items This Week
  1. World-first 'Cybercrime Index' ranks countries by cybercrime threat level:

  2. Ransomware gang's new extortion trick? Calling the front desk:

  3. The Water Sector Is Being Threatened. That Should Worry Everyone:

  4. HHS alerts health sector to leading ransomware, social engineering threats:

  5. New PowerShell malware looks like it was written by AI:

  6. What keeps CISOs up at night? Mandiant leaders share top cyber concerns:

  7. Change Healthcare Faces Another Ransomware Threat—and It Looks Credible:

  8. Apple warns individuals of mercenary spyware attacks in 92 nations:

  9. Russia-Backed Hackers Still Exploiting Microsoft Email, U.S. Cyber Officials Say:

  10. 'Large-scale cyberattack' hits five French municipalities, impact may last 'months':

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
