CyberheistNews Vol 14 #21 How Come Unknown Attack Vectors Are Surging in Ransomware Infections?

Cyberheist News

CyberheistNews Vol 14 #21  |   May 21st, 2024

How Come Unknown Attack Vectors Are Surging in Ransomware Infections?

Stu Sjouwerman, SACP

Trend analysis of ransomware attacks in the first quarter of this year reveals a continual increase in the number of "unknown" initial attack vectors, and I think I understand why.

There are two reports that you should be keeping an eye on: the updated Verizon Data Breach Investigations Report and Coveware's Quarterly Ransomware Reports.

In Coveware's Q1 report, we see a continuing upward trend in “unknown” as the top initial attack vector.

Historically, phishing and remote access compromise (formerly reported as RDP compromise) seemed to battle for the top spot each quarter. Simultaneously, as the occurrence of "unknown" and phishing increased, remote access compromise also appeared to rise, though at a slower pace.

Then it hit me: A fair amount of “unknown” could be attributed to phishing.

Let’s address the growth in remote access compromise. The growth in the number of compromised credentials on the dark web is fueling this. And where are those credentials obtained? Phishing-based credential harvesting campaigns. So, it’s likely a material portion of the ransomware attacks attributed to remote access compromise also involve phishing.

Now let’s talk about the decline in phishing. We saw in the Verizon report that 89% of users that click a malicious link don’t report it. While organizations may find an instance or remnants of malware post-attack on an endpoint, they have no idea how it got there because users aren’t reporting their interaction with phishing emails. So, I’m going to add a bunch more to phishing – this time from “Unknown."

Finally, regarding "Unknown" itself, Coveware has commented on the attack vector's rise:

“It should be noted that while the clear attack vector may be unidentified by forensics, the initial access is typically just one of a dozen or so tactics necessary to achieve extortion level impact, often chained together (e.g., email phishing, RDP compromise, software vulnerability).”

Where does this leave organizations today?

Fortunately, not in a position of complete uncertainty. Revisiting the chart and considering the "adjusted" role of phishing, it becomes clear that the focus should still be on the three prevailing threat vectors: phishing, remote access and software vulnerabilities.

The reality is threat actors only have so many ways of gaining entry into an organization. By focusing on the three primary threat vectors, your preventative strategy becomes truly practical and impactful.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links and graphics:

RIP Malicious Emails With KnowBe4's PhishER Plus

RIP malicious emails out of your users' mailbox with KnowBe4's PhishER Plus!

It's time to supercharge your phishing defenses using these two powerful features:

1) Automatically blocking malicious emails that your filters miss
2) Being able to RIP malicious emails before your users click on them

With PhishER Plus you can:

  • Use crowdsourced intelligence from more than 13 million users to block known threats before you're even aware of them
  • Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Simplify your workflow by analyzing links and attachments from a single console with the CrowdStrike Falcon Sandbox integration
  • Leverage the expertise of the KnowBe4 Threat Research Lab to analyze tens of thousands of malicious emails reported by users around the globe per day
  • Automate message prioritization by rules you set and cut through your Incident Response inbox noise to respond to the most dangerous threats quickly

Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.

Date/Time: TOMORROW, Wednesday, May 22, @ 2:00 PM (ET)

Save My Spot:

Scam Service Attempts to Bypass Multi-factor Authentication

A scam operation called "Estate" has attempted to trick nearly a hundred thousand people into handing over multi-factor authentication codes over the past year, according to Zack Whittaker at TechCrunch.

The scammers target users of Amazon, Bank of America, Capital One, Chase, Coinbase, Instagram, Mastercard, PayPal, Venmo, Yahoo and more.

"Since mid-2023, an interception operation called Estate has enabled hundreds of members to carry out thousands of automated phone calls to trick victims into entering one-time passcodes," Whittaker writes.

"Estate helps attackers defeat security features like multi-factor authentication, which rely on a one-time passcode either sent to a person's phone or email or generated from their device using an authenticator app. Stolen one-time passcodes can grant attackers access to a victim's bank accounts, credit cards, crypto and digital wallets, and online services."

Allison Nixon, Chief Research Officer at Unit 221B, told TechCrunch, "These kinds of services form the backbone of the criminal economy. They make slow tasks efficient. This means more people receive scams and threats in general. More old people lose their retirement due to crime — compared to the days before these types of services existed."

Multi-factor authentication offers a crucial layer of defense against hackers, but users need to be aware that social engineering attacks can still bypass these measures.

"While services that offer using one-time passcodes still provide better security to users than services that don't, the ability for cybercriminals to circumvent these defenses shows that tech companies, banks, crypto wallets and exchanges, and telecom companies have more work to do," Whittaker says.
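As an added illustration, not part of the original article and not Estate's tooling, the Python sketch below shows why a one-time passcode read out to a bot call still works for the attacker, and why an origin-bound authenticator resists the same relay. The secret, device key, domain names and timestamps are constructed for the demo; the TOTP routine follows RFC 6238, while the "assertion" is a simplified HMAC stand-in for a WebAuthn signature over the server's challenge and the origin the browser actually saw.

```python
import hashlib
import hmac
import struct

# Constructed demo values; not taken from Estate, TechCrunch or any real service.
SECRET = b"constructed-shared-totp-secret"     # seed shared by the bank and the victim's app
DEVICE_KEY = b"constructed-authenticator-key"  # stands in for a FIDO credential's private key
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"    # look-alike domain the attacker controls


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time slot, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def server_accepts_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Typical server check: current slot plus one slot either side for clock drift.
    Nothing here identifies who typed the code or where it was typed."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step), code)
        for k in range(-window, window + 1)
    )


def sign_challenge(device_key: bytes, challenge: bytes, origin: str) -> str:
    """Origin-bound assertion (simplified stand-in for a WebAuthn signature over
    clientDataJSON, which carries the challenge and the origin the browser saw)."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


def server_verifies_assertion(device_key: bytes, challenge: bytes, response: str) -> bool:
    """The relying party recomputes the assertion over its own origin; anything
    signed for another origin fails, no matter how it was relayed."""
    expected = sign_challenge(device_key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, response)


def otp_relay_outcome(victim_reads_code_at: int, attacker_submits_at: int) -> bool:
    """Victim reads the code off their app to a bot call; the attacker types it into
    the real site a little later from their own session. True if the bank accepts it."""
    code = totp(SECRET, victim_reads_code_at)
    return server_accepts_totp(SECRET, code, attacker_submits_at)


def phishing_relay_outcome() -> bool:
    """Same relay attempt against an origin-bound authenticator: the victim's device
    signs for the origin it actually sees (the look-alike domain), so the relayed
    response fails at the real site even though the challenge itself is genuine."""
    challenge = b"constructed-server-nonce-0001"  # would be random per login in practice
    relayed = sign_challenge(DEVICE_KEY, challenge, PHISH_ORIGIN)
    return server_verifies_assertion(DEVICE_KEY, challenge, relayed)


if __name__ == "__main__":
    t0 = 1_700_000_000
    print("OTP read at t0, submitted 20 s later:", otp_relay_outcome(t0, t0 + 20))        # True
    print("OTP read at t0, submitted 2 min later:", otp_relay_outcome(t0, t0 + 120))      # False
    print("Origin-bound assertion relayed from phishing page:", phishing_relay_outcome())  # False
```

The first call is the Estate scenario: the code is valid for the server's whole drift window, and the server cannot tell the victim's session from the attacker's. The last call is the reason "phishing-resistant MFA" is recommended later in this issue: the authenticator never produces anything a person can read out over the phone, and what it does produce is tied to the site the user was really on.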

Blog post with links:

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, June 5, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how 65,000+ organizations have mobilized their end users as their human firewall.

Date/Time: Wednesday, June 5, @ 2:00 PM (ET)

Save My Spot!

[Beware] Ransomware Targets Execs' Kids to Coerce Payouts

Just when you think bad actors cannot sink any lower, they find a way to.

In a recent chilling evolution of ransomware tactics, attackers are now also targeting the families of corporate executives to force compliance and payment.

Mandiant's Chief Technology Officer, Charles Carmakal, highlighted this disturbing trend at RSA 2024 this month: criminals engaging in SIM swapping attacks against executives' children.

The attackers then use the children's phone numbers to make threatening calls directly to the executives, creating a highly stressful negotiating environment.

This tactic is a troublesome shift in ransomware "operations" from merely disrupting company operations to attempting to directly target their families. By exploiting personal connections, attackers amplify the psychological impact, forcing executives to make decisions under extreme stress.

Ransomware attacks have mutated over time, in parallel with the strains of the code itself. The landscape keeps changing, with some of the recent tactics including:

  • Direct threats to executives and their family members, often at their own homes
  • Disruptive actions against critical services, such as diverting ambulances and accessing sensitive health information

For organizations in mission-critical industries and sensitive sectors like healthcare, the stakes are higher than ever. These organizations, which handle vast amounts of personal and health-related information, find themselves facing not just operational disruptions but also ethical dilemmas about whether to comply with extortion demands, especially when these involve sanctioned entities.

"And it can be an impossible choice," Mandiant's head of global intelligence Sandra Joyce added. "If it's an OFAC or sanctioned country that you're paying a ransom to, that's a violation. But if you don't pay, and there's a business disruption or personal, private information [is leaked]. It's the worst day of their career having to deal with something like that."

On May 1, 2024, UnitedHealth CEO Andrew Witty told US lawmakers: "As chief executive officer, the decision to pay a [$22 million] ransom was mine," as Witty put it in written testimony [PDF] he delivered to the House Energy and Commerce Committee. "This was one of the hardest decisions I've ever had to make. And I wouldn't wish it on anyone."

Making sure this does not happen to your own org boils down mostly to these three things:

  1. Patch all known software vulnerabilities ASAP
  2. Step all staff from the mailroom to the boardroom through new-school security awareness training
  3. Use phishing-resistant MFA

CISA recommends the very same things; see its #StopRansomware advisory of May 10 regarding Black Basta:

Blog post with links:

The New "Why Consider Compliance Plus" Guide

Compliance Training That Engages Your Employees: Have Limited Resources but Need an Effective Compliance Program?

If you're responsible for compliance training, you likely have constraints on time and budget. But ensuring your workforce truly understands and applies compliance requirements is critical for avoiding risks like fines, reputational damage and lost business.

That's why KnowBe4 created Compliance Plus: a global, multilingual library of 600+ pieces of fresh, expert-created compliance content covering a wide range of vital topics.

This guide explores how Compliance Plus can help you:

  • Combine security awareness and compliance training cost-effectively
  • Tailor training by role/team for better knowledge retention
  • Build a comprehensive program to mitigate compliance risks

Download Now:

Verizon: The Human Element is Behind Two-Thirds of Data Breaches

Despite growing security investments in prevention, detection and response to threats, users are still making uninformed mistakes and causing breaches.

One of the basic tenets of KnowBe4 is that your users provide the org with an opportunity to have a material (and hopefully positive) impact on a cyber attack.

They are the ones clicking malicious links, opening unknown attachments, providing company credentials on impersonated websites and falling for social engineering scams of all kinds.

According to the latest Verizon Data Breach Investigations Report, this "human element" (which this year excludes internal threat actors and solely focuses on mistakes users make that cause data breaches) is involved in 68% of data breaches.

This percentage is consistent with last year. And while no growth *is* good news, it still shows that users are not improving their vigilance as part of their job, at least not fast enough to outpace improvements in social engineering and drive the percentage down in this year's report.

Continue creating a stronger security culture!

Blog post with links and graphs:

There is a Space Cyber War Raging Above Ukraine

It's not just a hybrid ground/cyber war in Ukraine. The Western world is helping Ukraine from space with various satellite services. We all know that SpaceX has positioned numerous Starlink satellites over Ukraine so that their army can communicate. But there are continuous disruption attacks.

GPS systems are susceptible to disruptions that range from simple signal loss in remote areas to active threats like jamming and spoofing, which is happening as we speak above Ukraine. The Russian GRU is disrupting GPS to prevent Ukraine from targeting its positions.

Jamming involves overpowering GPS signals with intense transmissions, drowning them out. Spoofing, however, is more insidious, sending fabricated signals to mislead GPS devices about their true location and direction.

The threat of spoofing is not just a plot from a spy movie; it's real, especially near conflict zones. Here are some hair-raising numbers. In 2022, civilian aircraft experienced over 49,605 spoofing incidents, often disrupting flights by misdirecting them, which increases the workload on crews and jeopardizes passenger safety.

This kind of interference can cause a plane to display incorrect information about its speed, location, and even fuel levels, potentially leading to catastrophic outcomes.

The UK has pioneered a revolutionary approach to counteract GPS jamming and spoofing. GPS interference is a threat largely hidden from the public eye, but reliable positioning is crucial to transportation security and to thousands of software applications.

To combat these threats, British entities have collaborated on developing a cutting-edge quantum navigation system. This new system utilizes quantum sensing under cryogenic conditions, tracking the movement of atoms with extraordinary precision through quantum properties like entanglement and interference.

Here are some articles if you want to dive deeper in this type of space cyber war.

Quantum navigation system aims to counter deadly GPS spoofing:

Russia Launched Research Spacecraft for Antisatellite Nuclear Weapon Two Years Ago, U.S. Officials Say:

And if you want to read a fantastic thriller about this topic and learn a lot at the same time: "Phantom Orbit" by David Ignatius:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: At RSA I was interviewed by the very popular European TechZine team. Here is the podcast:

Quotes of the Week
"The two most engaging powers of an author are to make new things familiar and familiar things new."
- Samuel Johnson (1709 - 1784)

"Tell me and I forget, teach me and I may remember, involve me and I learn."
- Benjamin Franklin (1706 - 1790)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

[FBI ALERT] Warns of AI-Assisted Phishing Campaigns

The U.S. Federal Bureau of Investigation's (FBI's) San Francisco division warns that threat actors are increasingly using AI tools to improve their social engineering attacks.

"AI provides augmented and enhanced capabilities to schemes that attackers already use and increases cyber-attack speed, scale, and automation," the FBI says.

"Cybercriminals are leveraging publicly available and custom-made AI tools to orchestrate highly targeted phishing campaigns, exploiting the trust of individuals and organizations alike. These AI-driven phishing attacks are characterized by their ability to craft convincing messages tailored to specific recipients and containing proper grammar and spelling, increasing the likelihood of successful deception and data theft."

Attackers are exploiting AI tools to create deepfakes that convincingly impersonate real people.

"In addition to traditional phishing tactics, malicious actors increasingly employ AI-powered voice and video cloning techniques to impersonate trusted individuals, such as family members, co-workers, or business partners," the FBI says. "By manipulating and creating audio and visual content with unprecedented realism, these adversaries seek to deceive unsuspecting victims into divulging sensitive information or authorizing fraudulent transactions."

The Bureau offers the following advice to help users avoid falling for these scams:

  • "Stay Vigilant: Be aware of urgent messages asking for money or credentials. Businesses should explore various technical solutions to reduce the number of phishing and social engineering emails and text messages that make their way to their employees. Additionally, businesses should combine this technology with regular employee education, teaching employees about the dangers of phishing and social engineering attacks and the importance of verifying the authenticity of digital communications, especially those requesting sensitive information or financial transactions.
  • Implement Multi-Factor Authentication: Utilize multi-factor authentication solutions to add extra layers of security, making it more difficult for cybercriminals to gain unauthorized access to accounts and systems."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

The Social Engineering Tactics of Ransomware-as-a-Service Operator Black Basta

Our friends at OODA Loop reported last week: another high-impact ransomware attack in the healthcare sector, this time on healthcare giant Ascension. The attack has been attributed to the Russian non-state actor Black Basta, a "group…believed to have been started by former members of the infamous Conti ransomware collective, which dissolved in May 2022."

Since then, Black Basta and its affiliates have hit over 500 orgs around the world, predominantly in North America, Europe and Australia.

Who is Black Basta? "Unlike some ransomware groups, Black Basta does not outright define the ransom amount to be paid. Instead, they tell the victim to contact them via a specified [.]onion URL to negotiate it."

They target businesses and organizations in critical infrastructure sectors (including healthcare). In late 2023, Elliptic and Corvus Insurance pinpointed "at least $107 million in Bitcoin ransom payments to the Black Basta ransomware group since early 2022," and said that blockchain transactions form a clear link between Black Basta and Conti.

Thursday, May 9th: Catholic health system Ascension warns of disruptions following cyberattack. "One of the largest Catholic health systems in the U.S. is dealing with a disruption to its clinical operations following a cyber attack detected on Wednesday. Ascension, a nonprofit organization that runs 140 hospitals across 19 states, published a notice saying it discovered unusual activity on network systems and immediately began an investigation, hiring Mandiant and notifying law enforcement soon after."

Why it matters:

The impact of the cyberattack on Ascension is still under assessment, with potential data breach being a significant concern. This highlights the critical need for robust cybersecurity measures within large-scale healthcare systems to ensure the privacy and safety of patient data.

"Given incidents such as this and the previous ransomware attack on UnitedHealth Group's Change Healthcare, the American Hospital Association has urged Congress to enforce stronger cybersecurity strategies in healthcare. This suggests the need for legislative action and improved national defense against such cyber threats."

Full story at OODA LOOP:

CISA Cybersecurity Advisory: #StopRansomware: Black Basta

What KnowBe4 Customers Say

[Unsolicited feedback] "Hello Becky, I wanted to let you know that Les has been the most knowledgeable and professional representative from KnowBe4 that I have ever worked with. I hope he stays with Knowbe4 and my account for a long time."

- K.F., IT Analyst

"Hi Stu, Thank you for your email. Since implementing KnowBe4, we've received overwhelmingly positive feedback. Our security awareness training program has seen a remarkable improvement, thanks to KnowBe4's up-to-date training modules and user-friendly interface.

Moreover, PhishER has proven to be a great tool in our fight against phishing attacks. Its efficiency in detecting and responding to suspicious emails has appreciably reduced our response time."

- C.J., Senior Cybersecurity Specialist

The 10 Interesting News Items This Week
  1. Prepare to Get Manipulated by Emotionally Expressive Chatbots:

  2. UK "increasingly concerned" about Russian intelligence links to hacktivists:

  3. 8 out of 10 Organizations Experience a Cyber Attack and Attribute Users as the Problem:

  4. Southeast Asian scam operations are stealing $64 billion per year:

  5. FBI seize BreachForums hacking forum used to leak stolen data:

  6. North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign:

  7. American IT Scammer Helped North Korea Fund Nuclear Weapons Program, U.S. Says:

  8. Russian hackers use new Lunar malware to breach a European govt's agencies:

  9. UK insurance industry begins to acknowledge role in tackling ransomware:

  10. Russian Disinfo Campaign Blames Ukraine for Shooting of Slovakia's Prime Minister:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
