CyberheistNews Vol 14 #30 | July 23rd, 2024
The SEC Fines a Public Company 2 Million+ For Ransomware Negligence
According to the filing, the organization in question failed to devise controls to adequately detect, respond to, and disclose an attack that included data exfiltration and service disruption.
Back in 2021, R.R. Donnelley & Sons Co. (RRD), a publicly traded global provider of marketing and business communication services, succumbed to a ransomware attack that resulted in the successful encryption of their computers, exfiltration of over 70GB of data (which included the personal and financial information for 29 clients), and disruption of RRD's business services.
In the filing, RRD "failed to execute a timely response to a ransomware network intrusion that occurred between November 29, 2021 and December 23, 2021." Over 20 alerts were generated by RRD's managed service provider, but only three were escalated to the internal security team.
The SEC notes a few specifics about the negligence on RRD's part:
- The indications that similar activity was taking place on multiple computers
- Connections to a broad phishing campaign
- Open-source intelligence that the malware was capable of facilitating remote execution of arbitrary code
Even so, RRD did nothing about the alerts until a month later — when it was too late.
KnowBe4's Data-Driven Defense Evangelist Roger A. Grimes provides this statement, "The SEC has shown increasing likelihood to fine and penalize companies it thinks aren't doing enough to protect customer data and information. In response, there have been three types of organizations. Organizations that are doing more than they need to, such as reporting cybersecurity incidents that don't even meet the materiality requirements, organizations who meet the letter of the law, and those that seem unaware or actively ignoring legal requirements. Customers are paying attention."
The result is a $2.125 million fine by the SEC because of the impact these oversights had on shareholders. The takeaway from this is for organizations to have proper controls and process for the following:
- Audit and oversight over security service providers
- Review and escalation of security alerts
- Design and implement effective disclosure controls
Additionally, given the role of phishing in the attack, I'd add putting controls in place such as security awareness training to stop phishing and social engineering attacks before users engage with them to enable malware, credential theft and any other malicious action needed to continue an attack.
Blog post with links:
https://blog.knowbe4.com/sec-fines-publicly-traded-company-ransomware-attack
PS: We have a new free tool available that you can use to test if data can be exfiltrated from your network. See below:
[NEW FREE TOOL] Would Your Network Survive a Breach?
Data exfiltration is the new name of the game for cybercriminals, who have used it in a staggering 90% of all cyber attacks. IBM's 2023 Cost of a Data Breach Report found that only a third of data breaches were detected internally, with the rest being notified by attackers or third parties.
The stakes have never been higher to protect your organization's data.
With this in mind, KnowBe4 is introducing a new free tool, BreachSim, to identify your network's vulnerabilities and empower you to get ahead of the hackers to shore up your cyber defenses.
BreachSim exposes the sobering risk landscape you face without the proper protective measures. The results of this simulation help you find the weaknesses in your security infrastructure and see first-hand the importance of training employees.
How BreachSim works:
- 100% harmless simulation of real breach and data exfiltration attacks
- Provides secure .txt, .doc, and .bmp test files for the simulation
- Tests over 12 realistic data exfiltration scenarios following the MITRE ATT&CK framework
- Just download the installer, upload the secure test files and run
- Results in a few minutes!
Run the simulation and uncover the network vulnerabilities unique to your organization today.
Find Out Now:
https://info.knowbe4.com/free-tools/breach-simulator-1-chn
CrowdStrike Phishing Attacks Appear in Record Time
I have been the CEO of an anti-virus software developer. We had a special acronym for catastrophic events like this, a so-called "CEE." As in "Company Extinction Event."
Within hours of mass IT outages on Friday, a surge of new domains began appearing online, all sharing one common factor: the name CrowdStrike. As the company grapples with a global tech outage that has delayed flights and disrupted emergency services, opportunistic cybercriminals are quick to exploit the chaos.
Numerous websites have surfaced, promising help to those affected by the outage. Names like crowdstriketoken[.]com, crowdstrikedown[.]site, crowdstrikefix[.]com, were identified by a UK-based cybersecurity researcher specializing in credential phishing.
These new domains were registered and designed in record time to lure in people desperate to restore their systems. While phishing sites commonly emerge following major events, the scale of Friday's outages presents a vast field of potential victims.
According to the researcher, several sites were still under construction, including crowdstrike-helpdesk[.]com, and crowdstrikeclaim[.]com. Bloomberg reported that he began monitoring the situation around midday in the UK and discovered new domains registered as early as 4:12 a.m. EDT, totaling 28 sites so far.
NOTE: the fix is to boot into the Windows "safe mode," delete the offending file—called C-00000291*.sys—and reboot. Microsoft says 8.5 million devices were impacted; that number represents less than 1% of Windows devices worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already observed threat actors exploiting this incident for phishing and other malicious activities. They urge people to avoid clicking on suspicious links.
George Kurtz, CEO of CrowdStrike, said: "Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike. As we resolve this incident, you have my commitment to provide full transparency on how this occurred and steps we're taking to prevent anything like this from happening again."
I know George and I'm sure that CrowdStrike will survive this. But it sure is a massive headache for customers. He said: "We know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you're engaging with official CrowdStrike reps. Our blog and technical support will continue to be the official channels for the latest updates."
Exactly. Warn your users to not get lured onto a scam site and download a fake update.
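A small triage helper for the kind of lookalike domains quoted above, added here as an example (not code from the newsletter or from the researcher it cites). It refangs defanged indicators, checks whether the registrable label carries the brand name plus a typical lure word, and skips the brand's own hostnames; the lure-word list, the allowlist and the sample feed are assumptions constructed for illustration.

```python
import re

# Lure words often paired with a brand in post-incident scam domains
# (constructed list for this example, not from any vendor feed).
LURE_WORDS = ("fix", "helpdesk", "support", "claim", "token", "down",
              "outage", "update", "recovery", "bsod")

# Hostnames the brand legitimately uses; assumption for the example.
ALLOWLIST = ("crowdstrike.com",)

# Constructed sample feed: the domains quoted in the article plus two
# benign hosts, in the defanged form researchers usually publish.
SAMPLE_FEED = [
    "crowdstriketoken[.]com",
    "crowdstrikedown[.]site",
    "crowdstrikefix[.]com",
    "crowdstrike-helpdesk[.]com",
    "crowdstrikeclaim[.]com",
    "www.crowdstrike[.]com",
    "example[.]org",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'crowdstrikefix[.]com' back into a hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)
    return host.replace("[.]", ".").replace("(.)", ".")


def registrable_label(host: str) -> str:
    """Label just left of the TLD (naive split; a real tool would use the Public Suffix List)."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(indicator: str, brand: str = "crowdstrike") -> dict:
    """Score one domain: allowlisted, unrelated, or brand impersonation (with lure words)."""
    host = refang(indicator)
    if any(host == a or host.endswith("." + a) for a in ALLOWLIST):
        return {"domain": host, "suspicious": False, "reason": "allowlisted"}
    label = registrable_label(host)
    if brand not in label:
        return {"domain": host, "suspicious": False, "reason": "brand not present"}
    remainder = label.replace(brand, "")
    lures = [w for w in LURE_WORDS if w in remainder]
    if lures:
        reason = "brand + lure word(s): " + ", ".join(lures)
    else:
        reason = "brand in a label outside the allowlist"
    return {"domain": host, "suspicious": True, "reason": reason}


def triage(feed: list) -> list:
    """Return only the suspicious entries, lure-word hits first."""
    hits = [r for r in (classify(d) for d in feed) if r["suspicious"]]
    return sorted(hits, key=lambda r: r["reason"].startswith("brand + lure"), reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(f"{hit['domain']:<30} {hit['reason']}")
```

Feeding a newly-registered-domain feed through `triage` gives a defender a short list to block or watch before users go looking for "fixes" on search engines.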
Blog post with links
https://blog.knowbe4.com/crowdstrike-phishing-attacks-appear-in-record-time
Rip Malicious Emails With KnowBe4's PhishER Plus
Rip malicious emails out of your users' mailbox with KnowBe4's PhishER Plus! It's time to supercharge your phishing defenses using these two powerful features:
1) Automatically block malicious emails that your filters miss
2) Rip malicious emails from inboxes before your users click on them
With PhishER Plus you can:
- NEW! Detect and respond to threats faster with real-time web reputation intelligence with PhishER Plus Threat Intel, powered by Webroot!
- Use crowdsourced intelligence from more than 13 million users to block known threats before you're even aware of them
- Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
- Simplify your workflow by analyzing links and attachments from a single console with the CrowdStrike Falcon Sandbox integration
- Automate message prioritization by rules you set and cut through your Incident Response inbox noise to respond to the most dangerous threats quickly
Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.
Date/Time: TOMORROW, Wednesday, July 24, @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/phisher-demo-1?partnerref=CHN2
New Ransomware Threat Group Calls Attack Victims to Ensure Payments
Analysis of new ransomware group Volcano Demon provides a detailed look into how and why calling victims ups the chances of ransomware payment.
Security researchers at Halcyon have uncovered a new ransomware threat group that initially follows traditional methods — harvesting admin credentials, exfiltrating data to a C2 server, clearing logs and encrypting data using LukaLocker.
However, Volcano Demon attacks take a different direction in the extortion phase. The theft and encryption of the victim's data aligns with traditional double extortion techniques. But instead of leaking to a site on the dark web, this group instead makes phone calls to "leadership and IT executives to extort and negotiate payment."
According to a Recorded Future article on the same attack, it appears that the threat actors "call very frequently, almost daily in some cases."
What's interesting here is how the use of phone calls may actually increase the likelihood of payment. Think of how easy it is for a company to ignore a complaint email; why? Because there's no person holding the recipient accountable.
Same could be said for Volcano Demon's phone calls — rather than negotiating via email (which can be ignored by victim organization leadership), phone calls put the victim directly in touch with attackers, potentially negotiating some kind of terms that result in a payment to the attackers.
We might eventually see services offered to ransomware groups for handling ransom negotiations; we've seen the modularization of every other aspect of attacks, so why not "collections?"
All the more reason to render these attacks useless by stopping them in their tracks. Those relying on phishing as the initial access method can be thwarted by a layered email defense that includes security awareness training to ensure users participate in the organization's defenses against malicious email and web content.
Blog post with links:
https://blog.knowbe4.com/new-ransomware-threat-group-calls-victims
Whitepaper: KnowBe4's Phish Alert Button Teamed with PhishER Plus
The volume of phishing emails is not slowing down, meaning all your users need to know the steps to take when confronted with one (and quickly).
The vital capability of reporting phishing emails empowers your users to be part of the team. Plus, it gives your infosec team essential insight into the threats your technical defenses are missing.
The New Microsoft Ribbon Integrated PAB provides your users a safe way to report email threats to the security team for analysis, and automatically deletes the email from the user's inbox to prevent further exposure.
This Ribbon Integrated PAB becomes even more valuable when combined with PhishER Plus, KnowBe4's lightweight Security, Orchestration, Automation and Response (SOAR) platform.
This whitepaper explores how the PAB combined with PhishER Plus helps you:
- Turn your users into an active part of your security team
- Augment human intelligence with artificial intelligence
- Tap into a constantly-updated global phishing threat feed
Download this whitepaper today!
https://info.knowbe4.com/resources/whitepaper/phish-alert-button-teamed-with-phisher-plus-chn
[Recommended Podcast] "Why Enterprise AI Fails and How to Fix It"
CXOTalk goes into how to stop AI project failure. AI holds immense promise, but why do so many AI projects fail? In Episode 840 of CXOTalk, they uncover the common pitfalls that plague AI implementations and explore practical strategies for achieving real-world success.
Their guest, the brilliant Sol Rashidi, author of "Your AI Survival Guide" and seasoned technology executive (Sony Music, Estée Lauder), shares invaluable insights from her extensive experience leading data and analytics initiatives.
This episode is a must-watch for business and technology leaders seeking to navigate the complexities of AI:
https://music.youtube.com/watch?v=eYryeIgPvQM&si=J69LGfTwqeJQ5NaB
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [BUDGET AMMO #1] Study Proves It: Security Awareness Training Reduces Phishing Attacks:
https://securitytoday.com/Articles/2024/07/16/Study-Proves-It-Security-Awareness-Training-Reduces-Phishing-Attacks.aspx
PPS: [BUDGET AMMO #2] Yours Truly in Inc Mag: "5 Essential Ingredients for Effective Security Training"
https://www.inc.com/inc-masters/5-essential-ingredients-for-effective-security-training.html
- Epictetus (Philosopher, AD 55 – AD 135)
- Johann Wolfgang von Goethe - Writer (1749 - 1832)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-30-the-SEC-fine-a-public-company-2-million-plus-for-ransomware-negligence
Phishing Continues to Be the Primary Entry to Ransomware Attacks
Phishing remains a top initial access vector for ransomware actors, according to researchers at Cisco Talos. The threat actors often use phishing to steal legitimate credentials so they can use employee accounts without raising suspicion.
"Talos' studies indicate that the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism," the researchers write.
"Phishing for credentials often precedes these attacks, a trend observed across all incident response engagements, consistent with our 2023 Year in Review report. Over the past year, many groups have increasingly exploited known and zero-day vulnerabilities in public-facing applications, making this a prevalent initial access vector."
Ransomware actors conduct open-source research to tailor their social engineering attacks. The criminals are also getting better at bypassing multifactor authentication.
"In the first phase of a ransomware attack, adversaries work to gain initial access to the target network, using a combination of social engineering, network scanning, and open-source research to learn about their victims, identify possible access vectors, and customize their initial access attempts,"
"Adversaries may send emails containing malicious attachments or URL links that will execute malicious code on the target system, deploying the actors' tools and malware, and exploiting multi-factor authentication (MFA). There are many ways adversaries hope to bypass MFA, whether because of poor implementation or because they already have valid account credentials.
"Most notably, we have seen an increasing number of ransomware affiliates attempting to exploit vulnerabilities or misconfigurations in internet-facing systems, such as in legacy or unpatched software."
New-school security awareness training can give your organization an essential layer of defense against phishing and other social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day.
Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/phishing-continues-ransomware-attacks
Malvertising Campaign Impersonates Microsoft Teams
Researchers at Malwarebytes warn that a malvertising campaign is targeting Mac users with phony Microsoft Teams ads.
The ads are meant to trick users into installing Atomic Stealer, a commodity strain of malware designed to steal information from macOS systems.
"Based on our tracking, Microsoft Teams is once again a popular keyword threat actors are bidding on, and it is the first time we have seen it used by Atomic Stealer," the researchers write. "Communication tools like Zoom, Webex, or Slack have been historically coveted by criminals who package them as fake installers laced with malware.
"This latest malvertising campaign was running for at least a few days and used advanced filtering techniques that made it harder to detect. Once we were able to reproduce a full malware delivery chain, we immediately reported the ad to Google."
The ads are purchased on Google and appear to lead to Microsoft's website. After clicking the link, however, the user is redirected to a malicious website called "teamsbusiness[.]com."
"Once the downloaded file MicrosoftTeams_v.(xx).dmg is mounted, users are instructed to open it via a right click in order to bypass Apple's built-in protection mechanism for unsigned installers," Malwarebytes explains.
"We were able to reliably search for and see the same malicious ad for Teams which was likely paid for by a compromised Google ad account. For a couple of days, we could not see any malicious behavior as the ad redirected straight to Microsoft's website.
"After numerous attempts and tweaks, we finally saw a full attack chain. Despite showing the microsoft.com URL in the ad's display URL, it has nothing to do with Microsoft at all. The advertiser is located in Hong Kong and runs close to a thousand unrelated ads."
Blog post with links:
https://blog.knowbe4.com/malvertising-campaign-impersonates-microsoft-teams
What KnowBe4 Customers Say
"Hi Stu, is this a test, should I PAB this? :D
Jokes aside, it is an honor sir that you give me the opportunity to share my feedback. We are really happy with the product and the capabilities. We noticed a major decrease in phishing clicks since implementing KnowBe4 and our security culture is constantly improving, factoring in deep fakes, AI chatbots, etc.
Training wise, the content is just right and updated, people are still resisting their assignments but the leaderboard is helping me a lot to keep them engaged as they keep "fighting" for the first place all the time. I know for sure they would love to have an individual user leaderboard to brag to their colleagues and some extra badges.
Overall the experience is smooth, the site is responsive and the UI is intuitive for users to browse. We would love to see some more features & integrations such as PAB for our mail client.
Once again I want to sincerely thank you for giving me this opportunity to share feedback."
- V.A., Senior Systems Administrator
"Stu, we are very happy and excited to be using the KnowBe4 platform. Our CSM, Max, is amazing and extremely helpful and does a tremendous job of guiding us to the next level of protection."
- K.D., Senior System Administrator
- This new hacking method is mind-blowing – Akami DNS data exfiltration:
https://www.techradar.com/computing/cyber-security/this-new-hacking-method-is-mind-blowing-akami-dns-data-exfiltration
- Cyberattacks in Q2 2024 reach highest level in the past two years:
https://blog.checkpoint.com/research/check-point-research-reports-highest-increase-of-global-cyber-attacks-seen-in-last-two-years-a-30-increase-in-q2-2024-global-cyber-attacks
- China's APT41 targets shipping and technology sectors:
https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
- Iranian Hackers Deploy New BugSleep Backdoor in Middle East Phishing Attacks:
https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns
- Phishing campaign abuses SharePoint servers:
https://cybersecuritynews.com/phishing-attack-sharepoint-servers
- Fascinating paper about jailbreaking LLMs. TLDR: Don't phrase harmful requests like, "How do I _____?" Instead say, "How did people _____?"
https://arxiv.org/abs/2407.11969
- Priscila, Queen of the Rideshare Mafia. Crazy!
https://www.wired.com/story/priscila-queen-of-the-rideshare-mafia
- AI Remains a Wild Card in the War Against Disinformation:
https://www.darkreading.com/cyber-risk/ai-remains-wild-card-in-war-against-disinformation
- SolarWinds beats most of U.S. SEC lawsuit over Russia-linked cyberattack:
https://www.cnbc.com/2024/07/18/solarwinds-beats-most-of-us-sec-lawsuit-over-russia-linked-cyberattack.html
- 15M email addresses stolen from Atlassian's Trello shared on hacking forum:
https://siliconangle.com/2024/07/17/15m-email-addresses-stolen-atlassians-trello-shared-hacking-forum
- Virtual Vaca #1 Caleta Tortel, Chilean Patagonia in 4K:
https://youtu.be/LlLiT-tyqFM
- Virtual Vaca #2 Dubrovnik, Croatia by drone [4K]:
https://youtu.be/G1k2uW9qe5I
- [SUPER FAVE] Mind-Blowing Card Magic: Eric Chien's Jaw-Dropping Performance. The reactions of the Korean panel are out there:
https://www.flixxy.com/mind-blowing-card-magic-eric-chien-jaw-dropping-performance.htm?utm_source=4
- Need some space? Gorgeous Special Dolby Vision 12K HDR 120FPS:
https://www.youtube.com/watch?v=nDZghjCRNTQ
- From mind-bending acrobatics to awe-inspiring artistry, these incredible people are pushing the boundaries of human potential:
https://www.flixxy.com/you-wont-believe-what-these-people-can-do.htm?utm_source=4
- How the Internet is Heating Paris:
https://youtu.be/2gWudPtN6z4
- How The Boston Dynamics Atlas Robot Manipulates Objects. It is getting good...:
https://youtu.be/LeeiN9smjjY
- Carlos Pedro Briceño flies with his Wingsuit, Double Target Hit, El Ávila, Caracas, Venezuela:
https://youtu.be/FcJYZITSpNA
- Riding In The Driverless Robotaxi Zoox:
https://youtu.be/0OjZaI-aANE
- How Silicon Anode Batteries Will Bring Better Range To EVs:
https://youtu.be/vj0siYi4h0o?si=7ufkEyqdKJHbdO32
- World's Most Advanced Flying Cars. I want that XPENG one!:
https://youtu.be/WIYp62vDtf4
- Top 10 Fastest cars at the Festival of Speed 2024:
https://www.youtube.com/watch?v=DUUmE0S8PBI
- For Da Kids #1 - Rescue Lamb Runs The House With Dog BFF:
https://youtu.be/qWPdGQRwRkU
- For Da Kids #2 - Mama Dog Left Outside Shelter Tied To Her Babies:
https://youtu.be/YEkRKkp-obE
- For Da Kids #3 - Horse Sneaks Into Lady's House Daily For 6 Years:
https://youtu.be/bP91r-FxOCc
- For Da Kids #4 - Grandpa Fox Plays With Babies And Becomes Their Grandpa:
https://youtu.be/TxCEyvOjIwQ
- For Da Kids #5 - Squirrel squeaks like toy when touched:
https://youtu.be/MRXdirqKSt8