CyberheistNews Vol 14 #46 [Eye Opener] Attackers Don't Hack, They Log In. Can You Stop Them?



Cyberheist News

CyberheistNews Vol 14 #46  |   November 12th, 2024

[Eye Opener] Attackers Don't Hack, They Log In. Can You Stop Them?
Stu Sjouwerman SACP

The latest trend in cybercrime is that attackers don't really focus on "hacking" in; they're logging in.

We see this now in the wild, driven by organized criminal groups like Scattered Spider and BlackCat, who've re-emerged with a renewed focus on gaining access through legitimate means, often exploiting help desks and social engineering tactics.

Their strategies often rely on social engineering help desk staff into resetting credentials or bypassing multi-factor authentication (MFA), achieving access without breaking in. These attackers aim for the easiest route to your network, leveraging stolen credentials from info-stealers or posing as legitimate users to gain entry.

A recent case reported by ReliaQuest underscores this tactic. Scattered Spider used social engineering to trick a help desk, leading to a six-hour attack that ended in system encryption. The attackers even used Microsoft Teams to demand a ransom — showing a new level of boldness and ingenuity in modern cyber attacks.

As threat analyst Hayden Evans explains, "Attackers don't hack in; they log in." His advice is clear: organizations must enforce stringent help desk policies and ensure MFA configurations can withstand social engineering tricks.

To protect your network, work hard on improving employee training, monitoring for suspicious activity and reinforcing help desk protocols. These measures build resilience against today's advanced threat actors who bypass traditional security measures by simply logging in.

Blog post with links:
https://blog.knowbe4.com/eye-opener-attackers-dont-hack-they-log-in.-can-you-stop-them

Recon 2.0: AI-Driven OSINT in the Hands of Cybercriminals

Cybercriminals are using artificial intelligence (AI) and generative AI in open source intelligence (OSINT) activities to target your organization with supercharged reconnaissance efforts.

With AI-driven techniques, they can gather, analyze and exploit publicly available data to create highly targeted and convincing social engineering schemes, phishing campaigns and other forms of cyber attacks.

Join James McQuiggan, Security Awareness Advocate at KnowBe4, as he explores how attackers use AI and OSINT to quickly identify and prioritize targets. Learn how to develop robust cybersecurity strategies to counter AI-enhanced threats.

Using exclusive demos and real-world examples, you'll:

  • Gain insights into how AI and generative AI amplify OSINT-driven reconnaissance
  • Understand how attackers use AI to enhance data aggregation, profile generation and target prioritization to target your organization
  • Discover the implications of AI-driven OSINT and strategies for threat detection and mitigation
  • Learn why a strong security culture is still your best line of defense

Register now to learn how to detect and mitigate AI-enhanced OSINT threats.

Date/Time: TOMORROW, Wednesday, November 13, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/ai-driven-osint?partnerref=CHN2

BlackBasta Ransomware Gang Uses New Social Engineering Tactics To Target Corporate Networks

ReliaQuest has warned that the BlackBasta ransomware gang is using new social engineering tactics to obtain initial access within corporate networks.

The threat actor begins by sending mass email spam campaigns targeting employees, then adding people who fall for the emails to Microsoft Teams chats with external users.

These external users pose as IT support or help desk staff and send employees Microsoft Teams messages containing malicious QR codes. In some cases, the attackers used voice phishing (vishing) phone calls to convince users to install remote management software.

"The underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the targeted environment," the researchers write. "Ultimately, the attackers' end goal in these incidents is almost certainly the deployment of ransomware."

ReliaQuest emphasizes the massive scale of the campaign, with one user receiving a thousand malicious emails in under an hour.

"This rapidly escalating campaign poses a significant threat to organizations," the researchers write. "The threat group is targeting many of our customers across diverse sectors and geographies with alarming intensity. The sheer volume of activity is also unique; in one incident alone, we observed approximately 1,000 emails bombarding a single user within just 50 minutes. Due to commonalities in domain creation and Cobalt Strike configurations, we attribute this activity to Black Basta with high confidence."

Only one employee needs to fall for a phishing attack for an attacker to gain access to your network. New-school security awareness training can give your organization an essential layer of defense against social engineering tactics.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/blackbasta-ransomware-gang-uses-new-social-engineering-tactics

Rip, Flip, and Revolutionize Your Phishing Defenses with PhishER Plus

Human error contributes to 68% of data breaches, according to Verizon's 2024 Data Breach Investigations Report.

It's time to turn that statistic on its head and transform your users from vulnerabilities to cybersecurity assets.

Meet KnowBe4's PhishER Plus: The only SOAR email security offering that combines AI-driven protection with crowdsourced intelligence for unmatched email security and incident management.

In this demo, see how PhishER Plus can help you:

  • Slash incident response times by 90%+ by automating message prioritization
  • Customize workflows and machine learning to your protocols
  • Use crowdsourced intelligence from more than 13 million users to block known threats
  • Conduct real-world phishing simulations that keep security top-of-mind for users

Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.

Date/Time: Wednesday, November 20, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/phisher-demo-2?partnerref=CHN

Attackers Abuse DocuSign to Send Phony Invoices

Threat actors are abusing DocuSign's API to send phony invoices that appear "strikingly authentic," according to researchers at Wallarm.

"Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard," Wallarm says.

The threat actors set up DocuSign accounts that allow them to create invoices for fake purchases. They can then send an email notification from the DocuSign platform.

"An attacker creates a legitimate, paid DocuSign account that allows them to change templates and use the API directly," the researchers explain. "The attacker employs a specially crafted template mimicking requests to e-sign documents from well-known brands, mostly software companies; for example, Norton Antivirus.

"These fake invoices may contain accurate pricing for the products to make them appear authentic, along with additional charges, like a $50 activation fee. Other scenarios include direct wire instructions or purchase orders."

Notably, the threat actors have automated these phishing attacks using DocuSign's API, allowing them to mass-distribute the phony invoices.

"The longevity and breadth of the incidents reported in DocuSign's community forums clearly demonstrate that these are not one-off, manual attacks," the researchers explain. "In order to carry out these attacks, the perpetrators must automate the process. DocuSign offers APIs for legitimate automation, which can be abused for these malicious activities."

Since the messages come from a legitimate service, they're much more likely to bypass security filters and fool human users. While this campaign abused DocuSign, the researchers note that attackers can use other e-signature and document services to launch these attacks as well.

"The exploitation of trusted platforms like DocuSign through their APIs marks a concerning evolution in cybercriminal strategies," Wallarm concludes. "By embedding fraudulent activities within legitimate services, attackers increase their chances of success while making detection more challenging.

"Organizations must adapt by enhancing their security protocols, prioritizing API security, and fostering a culture of vigilance."

Blog post with links:
https://blog.knowbe4.com/attackers-abuse-docusign-to-send-phony-invoices

New Hire or Security Threat? Learn How to Spot Them

Every new hire represents both an opportunity and a potential risk. However, HR professionals often don't expect bad actors to "apply" for a position, which makes them susceptible to real security threats when hiring.

Are you equipped to ensure your organization's safety from the moment a candidate applies?

This module is for HR professionals, IT pros, hiring managers and others involved in the recruitment and onboarding of employees. It features an in-depth interview with KnowBe4 staff who recount their real-life experience in uncovering a bad actor working for a nation-state government, disguised as a "new hire" during his onboarding process.

We detail KnowBe4's quick response to secure the network and consequent efforts to educate others on this attempted attack and how it was foiled.

By the end of this module, you will be able to:

  • Improve organizational hiring security practices
  • Raise awareness about hiring-based security threats
  • Provide practical knowledge for identifying risks

Get Your Free Training:
https://info.knowbe4.com/free-cybersecurity-tools/secure-hiring-and-onboarding-chn


Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [Budget Ammo #1] Stu goes LIVE in INC. Mag - "How to Navigate the AI Minefield":
https://www.inc.com/stu-sjouwerman/how-to-navigate-the-ai-minefield/90998714

PPS: [Budget Ammo #2] Clicker Beware: Understanding and preventing open redirect attacks:
https://www.scworld.com/perspective/clicker-beware-understanding-and-preventing-open-redirect-attacks

Quotes of the Week
"Time is a created thing. To say 'I don't have time,' is like saying, 'I don't want to'."
- Lao Tzu - Chinese philosopher (6th century, but possibly the 4th century BCE)

"It is not our purpose to become each other; it is to recognize each other, to learn to see the other and honor him for what he is."
- Hermann Hesse - Novelist (1877 - 1962)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-46-eye-opener-attackers-dont-hack-they-log-in-can-you-stop-them

Security News

Attackers Abuse Eventbrite to Send Phishing Emails

Attackers are abusing Eventbrite's scheduling platform to send phishing emails, according to researchers at Perception Point. These attacks increased by 900% between July and October 2024.

"Perception Point researchers observed phishing emails delivered via 'noreply@events.eventbrite[.]com,'" the researchers write.

"Despite being presented as legitimate events created on the Eventbrite platform, attackers use these messages to impersonate known brands like NLB, DHL, EnergyAustralia, and Qatar Post.

"Each email urges the recipient to take action: reset your PIN code; verify your delivery address; pay for an outstanding bill; pay for a package. These time-bound requests employ a social engineering tactic threat actors use to prompt the target to act fast."

The attackers set up events in Eventbrite, and then send invitations with embedded phishing links. The emails are more likely to bypass security filters since they're sent from a legitimate service.

"Once the target clicks on the phishing link, they are redirected to a phishing page," Perception Point says. "We found examples spoofing Qantas airline, Brobizz toll collection, web hosting platform One(.)com, European financial institution NLB, and many more.

"Designed to look like legitimate websites, targets are asked for personal info, like their login credentials, tax identification numbers, phone numbers, credit card details, and more."

The attacker can fully customize the appearance of the email to make it look like a convincing notification from the spoofed brand.

"Once the attacker creates an event, they can then create emails from within the Eventbrite platform to be sent to attendees," the researchers write. "These emails can include text, images, and links, all of which are prime opportunities for attackers to smatter in malicious content.

"The attacker then enters their list of targets (or 'attendees') and sends them the invite email. Once sent, the target receives an email from 'noreply@events.eventbrite[.]com,' containing all of the malicious details the attacker included."
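The Eventbrite campaign above and the DocuSign invoice campaign earlier in this issue share one shape: the mail really does come from the platform, so sender reputation and authentication checks pass, and the only signals left are the content (an urgent demand to reset a PIN, verify an address or pay a bill) and where the links go. The triage heuristic below is an added example written for this newsletter, not code from KnowBe4, Perception Point or Wallarm. It parses a message, checks whether the sender is one of the watched platforms, and flags the combination of an urgent call to action with a link that leaves the platform. The sample messages are constructed, the link domains in them are placeholders, `events.eventbrite.com` is the sender address quoted on the page, and `docusign.net` is an assumed DocuSign notification domain that is not taken from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domains of legitimate platforms the newsletter reports as abused, mapped
# to the domains those platforms themselves link to. 'events.eventbrite.com' is
# quoted on the page; 'docusign.net' is an ASSUMED DocuSign notification domain.
PLATFORM_SENDERS = {
    "events.eventbrite.com": {"eventbrite.com"},
    "docusign.net": {"docusign.net", "docusign.com"},
}

# Calls to action the page lists: reset a PIN, verify an address, pay an
# outstanding bill or a package fee, pay an activation fee. Case-insensitive.
URGENCY_PATTERNS = [
    r"\breset\b.*\bpin\b",
    r"\bverify\b.*\b(address|account|identity)\b",
    r"\b(pay|payment|outstanding)\b",
    r"\bactivation fee\b",
    r"\baction required\b",
    r"\bwithin \d+ hours?\b",
]

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed samples (not real messages). Link hosts use the reserved
# '.invalid' TLD as placeholders.
SAMPLE_PHISH = """From: "DHL Delivery" <noreply@events.eventbrite.com>
To: victim@example.invalid
Subject: Action required: verify your delivery address within 24 hours

Your package is on hold. Verify your delivery address now to avoid return:
https://dhl-delivery-confirm.example.invalid/verify

Event hosted on Eventbrite.
"""

SAMPLE_INVOICE = """From: "Norton Antivirus via DocuSign" <dse@docusign.net>
To: victim@example.invalid
Subject: Your invoice is ready for review

Annual subscription renewal: $49.99 plus a $50 activation fee.
Please complete payment here: https://pay-norton-renewal.example.invalid/invoice
"""

SAMPLE_BENIGN = """From: "Tech Meetup" <noreply@events.eventbrite.com>
To: victim@example.invalid
Subject: Reminder: Python Meetup this Thursday

Your ticket is attached. See the event page for directions:
https://www.eventbrite.com/e/python-meetup-tickets-123
"""


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels. A real deployment
    should use the public suffix list so that 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_domains(body: str) -> set[str]:
    """Registrable domains of every http(s) URL found in the body text."""
    found = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            found.add(registrable_domain(host))
    return found


def triage(raw_message: str) -> dict:
    """Score one RFC 822 message. Returns {'verdict': ..., 'reasons': [...]}.
    Verdicts: 'not-applicable' (sender is not a watched platform), 'clean',
    'low' (one signal), 'review' (off-platform link AND urgent call to action)."""
    msg = message_from_string(raw_message)
    _display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", errors="replace") if payload else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    platform_domains = PLATFORM_SENDERS.get(sender_domain)
    if platform_domains is None:
        return {"verdict": "not-applicable", "reasons": []}

    reasons = []
    off_platform = {d for d in link_domains(body) if d not in platform_domains}
    if off_platform:
        reasons.append(f"links leave the platform: {sorted(off_platform)}")

    hits = [p for p in URGENCY_PATTERNS
            if re.search(p, text, re.IGNORECASE | re.DOTALL)]
    if hits:
        reasons.append(f"urgent call to action ({len(hits)} pattern(s))")

    # Either signal alone is common in legitimate platform mail; the pair is
    # what the reported campaigns have in common and what merits analyst time.
    if off_platform and hits:
        verdict = "review"
    elif reasons:
        verdict = "low"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("invoice", SAMPLE_INVOICE),
                         ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample))
```

Run on the three constructed samples, the Eventbrite-style invite and the DocuSign-style invoice come back as `review` and the ordinary meetup reminder as `clean`. The check deliberately does not score the display name: on both platforms the organizer or sender name is legitimately something other than the platform, so that alone is noise. It also will not catch a fraudulent invoice that carries only wire instructions and no link, which is one of the scenarios Wallarm describes; such a message surfaces only as `low` on the urgency signal, and that residual case is why the newsletter's advice to train users on these requests still stands.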

Blog post with links:
https://blog.knowbe4.com/attackers-abuse-eventbrite-to-send-phishing-emails

New Version of the Rhadamanthys Malware Spreads Via Phishing

Researchers at Check Point are tracking a "large scale and sophisticated phishing campaign" that's spreading an upgraded version of the Rhadamanthys infostealer. The phishing emails inform recipients that they've committed copyright infringement on their Facebook pages.

"This campaign utilizes a copyright infringement theme to target various regions, including the United States, Europe, East Asia, and South America," the researchers write. "The campaign impersonates dozens of companies, while each email is sent to a specific targeted entity from a different Gmail account, adapting the impersonated company and the language per targeted entity.

"Almost 70% of the impersonated companies are from Entertainment/Media and Technology/Software sectors." The emails have attachments that purportedly contain details on the copyright infringement. These attachments redirect users to Dropbox or Discord, where they're tricked into downloading a malicious archive.

The researchers believe financially motivated cybercriminals are behind the attacks. The campaign is opportunistically targeting a wide range of orgs, using automated tools to craft targeted phishing emails.

"Unlike nation-state actors, who typically target high-value assets such as government agencies or critical infrastructure, this campaign displays no such selectivity," Check Point says. "Instead, it targets a diverse range of organizations with no clear strategic connections, reinforcing the conclusion that financial motives drive the attackers.

"The infrastructure used, such as creating different Gmail accounts for each phishing attempt, indicates the possible use of automation tools possibly powered by AI. This level of operational efficiency, along with the indiscriminate targeting of multiple regions and sectors, points to a cybercrime group seeking to maximize financial returns by casting a wide net."

New-school security awareness training gives your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 orgs worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Check Point has the story:
https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/

Hood College Customer Case Study

We're pleased to provide a recently published case study featuring an education sector customer called Hood College. In addition to being one of the first customers to incorporate KnowBe4 Student Edition, here are some successes the customer saw through working with us:

  • Improved security awareness across more than 2,500 staff and students
  • Trainings are driving a reduction in clicks during phishing campaigns, moving from 12% toward a goal of 6%
  • More than 200 suspicious emails reported via the Phish Alert Button every month
  • 40% of students have completed KnowBe4 Student Edition training, giving it a rating of 3.5 – 4.5 stars
  • Reduction in time and effort spent by IT department investigating possible phishing emails

Get direct access to this case study here:
https://www.knowbe4.com/hubfs/KSAT-Education-Hood-College-CS-en_US.pdf

What KnowBe4 Customers Say

"Stu, first, I hope you, your family, and operations are all safe and recovering from the horrific hurricanes we experienced last month. Just following up, we were able to attain Egress yesterday and will be switching over from Darktrace to Egress in December for our residential and title operations.

Also, we will be trying to expand our current KnowBe4 from our title operations to our residential operations staff and possibly agents as well at that time. We are super excited to start our relationship with Egress and grow our already great relationship with KnowBe4."

- T.S., Director of Information Technology


"Hi Stu, we have found KB4 very beneficial in our awareness training initiatives. We are also a reseller and our customers are thrilled with it. Thank you for your email. That means a lot."

- K.T., Account Executive

The 10 Interesting News Items This Week
  1. ChatGPT-4o can be used for autonomous voice-based scams:
    https://www.bleepingcomputer.com/news/security/chatgpt-4o-can-be-used-for-autonomous-voice-based-scams/

  2. Nigerian Handed 26-Year Sentence for Real Estate Phishing Scam:
    https://www.infosecurity-magazine.com/news/nigerian-sentence-real-estate/

  3. Linux malware delivered by phishing emails:
    https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/

  4. Google Cloud to make MFA mandatory by the end of 2025:
    https://www.bleepingcomputer.com/news/security/google-cloud-to-make-mfa-mandatory-by-the-end-of-2025/

  5. Cyberattack on American Water: A warning to critical infrastructure:
    https://securityintelligence.com/news/cyberattack-on-american-water-warning-critical-infrastructure/

  6. Over 1,000 UK banking employees could be clicking phishing links every month:
    https://www.netskope.com/blog/netskope-threat-labs-quarterly-stats-for-oct-2024

  7. INTERPOL cyber operation takes down 22,000 malicious IP addresses:
    https://www.interpol.int/News-and-Events/News/2024/INTERPOL-cyber-operation-takes-down-22-000-malicious-IP-addresses

  8. Ransomware profits set to hit a new record:
    https://techcrunch.com/2024/10/31/2024-looks-set-to-be-another-record-breaking-year-for-ransomware-and-its-likely-going-to-get-worse/

  9. Oh, the Humanity! How to Make Humans Part of Cybersecurity Design:
    https://www.darkreading.com/cybersecurity-operations/how-to-make-humans-part-of-cybersecurity-design

  10. WSJ: "TSA Wants to Expand Cyber Rules for Pipelines and Railroads":
    https://www.wsj.com/articles/tsa-wants-to-expand-cyber-rules-for-pipelines-and-railroads-011b9d96?

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
