CyberheistNews Vol 7 #42 U.S. warns about phishing attacks on nuclear, energy, aviation, water, and manufacturing industries

The U.S. government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with spear phishing attacks with malicious attachments and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Department of Homeland Security spokesman Scott McConnell declined to elaborate on the information in the report or say what prompted the government to go public with the information at this time.

“The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats,” he said.

The FBI declined to comment on the report, which security researchers said described an escalation in targeting of infrastructure in Europe and the United States that had been described in recent reports from private firms, including Symantec Corp.

“This is very aggressive activity,” said Robert Lee, an expert in securing industrial networks.

Lee, chief executive of cyber-security firm Dragos, said the report appears to describe hackers working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

[Heads-Up] Advertising Intelligence Can Be Misused for Social Engineering

You are probably aware of the terms SIGINT (signals intelligence, like radio interception) and HUMINT (human intelligence, like espionage). The University of Washington has coined a new term, ADINT, for advertising intelligence: their work shows how anyone can track what apps an employee uses and where they have been for just 1,000 dollars, and how that information can be used for social engineering attacks.

A team of computer science engineers at UW learned that obtaining the mobile advertising identifier, known as a MAID, of an employee's smartphone would open the door to all the information advertisers use to serve promotional materials. The study is titled "Using Ad Targeting for Surveillance on a Budget."

"It’s not a particularly high bar to entry for a very, very highly targeted attack," says Adam Lee, a professor at the University of Pittsburgh who reviewed the University of Washington study. The University of Washington will present its findings in Dallas on Oct. 30 at Association for Computing Machinery’s Workshop on Privacy in the Electronic Society.

The attacks could use data like an employee's personal interests, dating habits, religion, health conditions, political status, the apps they use and, possibly, even more.

It’s also disturbingly easy for the bad guys to learn a user's MAID: they can simply gain access to a Wi-Fi router or eavesdrop on an unsecured Wi-Fi network.

Full story with links and a blurb you can email to your users at the KnowBe4 blog:

Goldman Sachs Invests 30 Million Dollars in KnowBe4

I have some exciting news for you today. First, Goldman Sachs believes in our mission, has invested in us, and is now on our board of directors. Second, we have acquired the awareness training company Securable.io.

Another announcement with some more excellent news will follow in a few days. Here is an extract from the funding press release that went out this morning:

"Tampa Bay, FL – October 24, 2017. KnowBe4, Inc. today announced it secured 30 million dollars in growth capital financing led by new investor Goldman Sachs Growth Equity (GS Growth) with existing investor Elephant participating. The new round brings KnowBe4’s total financing to 44M dollars and comes on the heels of an explosive quarter of continued growth.

The new funds will primarily be invested in international growth and product development, further demonstrating KnowBe4’s commitment to help organizations enable their employees to make smarter security decisions.

In Q3 2017, KnowBe4 announced its sales were 2.63X greater than Q3 2016. This marks the 18th straight quarter of growth, driven by an increasing enterprise demand for its new-school approach to security awareness training.

“KnowBe4 has separated itself as a leader in the cyber-security awareness training market, with their platform becoming a “need to have” for businesses across sectors and geographies in the fight against cyber-threats,” said Hans Sherman, a Vice President in Goldman Sachs’ Merchant Banking Division, who will join the KnowBe4 board of directors in connection with the investment.

Sherman continued: “With an innovative approach towards ensuring that their clients’ security systems and practices are layered, KnowBe4 empowers its users to protect against phishing and cyber-attacks. Our financing will support the company’s continuing growth as they expand globally and develop new products to serve this fast-growing market.”

KnowBe4 Expands Its Security Vision With the Acquisition of Securable.io

The addition allows for a more personalized approach to security awareness training. The acquisition of Securable.io gives KnowBe4 a growing library of unique content to increase user skill and engagement. This technology allows organizations to use a data- and context-driven approach to automatically assign training based on the behavior observed in individuals or groups within the organization.

“As part of our new-school approach to help organizations manage the problem of social engineering, the addition of Securable.io adds content analytics and options for a more personalized approach to training,” said Stu Sjouwerman, KnowBe4 Founder and CEO. This enables KnowBe4 to get a closer look at how users are interacting with content and find the most relevant and engaging training for that person.

Securable CEO Brad Reynolds stated, “We are excited for the opportunity to bring the Securable.io product into the KnowBe4 family. Data-driven cybersecurity education offers a significant benefit and we feel KnowBe4 is the perfect company to take the Securable offering to the next level. We look forward to KnowBe4 utilizing this technology to help users make better security decisions.”

Seagate Gets Initial OK for 5.7 Mil Employee Phishing Settlement

A California federal judge gave his initial blessing Thursday to Seagate Technology LLC’s settlement that includes services valued at 5.75 million dollars and resolves class-action litigation over a 2016 data phishing incident that allegedly affected about 12,000 employees and their close relatives.

U.S. District Judge Richard Seeborg granted preliminary approval to the deal, which will see every current and former employee of the data-storage company whose W-2 tax forms were stolen by hackers, as well as the family members listed on those filings, get two years of Experian identity theft protection.

The W-2 forms were stolen through CEO Fraud, where the bad guys simply spoofed the email address of the CEO and *asked* for the W-2s to be sent. More at Law360, but there is a paywall:

Can You Be Spoofed? Find out for a Chance to Win.

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? If they can, they can launch a "CEO fraud" spear phishing attack on your organization.

KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test and enter you to win an awesome Nintendo Switch at the same time. Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless-steel lock-pick business card!

To enter, just go here and fill out the form. It's quick and easy, and often a shocking discovery that your mail servers are not configured correctly. Yep, it’s that easy:
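As an added illustration of what "mail servers not configured correctly" means in practice (example code written for this edition; it is not KnowBe4's Domain Spoof Test and not from the original newsletter): the script below reads a domain's published SPF and DMARC TXT records and reports whether receiving mail servers have been told to reject messages that forge a From: address in that domain. The domains and TXT records are constructed samples; a real check would fetch the TXT records for the domain and for `_dmarc.<domain>` over DNS.

```python
"""Check whether a domain's SPF and DMARC records tell receiving mail servers
to reject messages that forge a From: address in that domain.

Added example for this newsletter, not KnowBe4's Domain Spoof Test. The
domains and TXT records below are constructed; a real check would fetch the
TXT records for "<domain>" and "_dmarc.<domain>" over DNS.
"""
import re

# Constructed sample DNS TXT data for three hypothetical domains.
SAMPLE_DNS = {
    # Common weak setup: SPF softfail and no DMARC record at all.
    "weak-example.test": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.weak-example.test": [],
    # Hardened setup: SPF hard fail plus an enforcing DMARC policy.
    "strong-example.test": [
        "v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com -all"
    ],
    "_dmarc.strong-example.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong-example.test; adkim=s; aspf=s"
    ],
    # Nothing published: any sender can claim to be this domain.
    "none-example.test": [],
    "_dmarc.none-example.test": [],
}


def parse_spf(txt_records):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~' or '?'),
    or None when the domain publishes no SPF record. A record without an
    'all' term evaluates to neutral for unlisted senders, reported as '?'."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            for term in rec.split()[1:]:
                m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
                if m:
                    return m.group(1) or "+"
            return "?"
    return None


def parse_dmarc(txt_records):
    """Return the DMARC record's tag=value pairs as a dict, or None if absent."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_spoofability(domain, dns=SAMPLE_DNS):
    """Summarise whether a forged From: address in `domain` would be rejected.

    DMARC is what ties the visible From: domain to the SPF/DKIM results and
    tells receivers what to do on failure; SPF alone only covers the envelope
    sender. So a domain counts as protected only with p=quarantine or
    p=reject applied to 100% of failing mail."""
    spf_all = parse_spf(dns.get(domain, []))
    dmarc = parse_dmarc(dns.get(f"_dmarc.{domain}", []))
    findings = []

    if spf_all is None:
        findings.append("no SPF record published")
    elif spf_all != "-":
        findings.append(
            f"SPF ends in '{spf_all}all': receivers are not told to reject on SPF alone")

    policy = (dmarc or {}).get("p", "none").lower()
    pct = int((dmarc or {}).get("pct", "100"))
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy to apply to the From: domain")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, forged mail is still delivered")
    elif pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")

    enforced = policy in ("quarantine", "reject") and pct == 100
    return {
        "domain": domain,
        "spf_all": spf_all,
        "dmarc_policy": None if dmarc is None else policy,
        "spoofable": not enforced,
        "findings": findings,
    }


if __name__ == "__main__":
    for name in ("weak-example.test", "strong-example.test", "none-example.test"):
        result = assess_spoofability(name)
        verdict = "SPOOFABLE" if result["spoofable"] else "protected"
        print(f"{name}: {verdict}")
        for line in result["findings"]:
            print(f"  - {line}")
```

The verdict deliberately hinges on DMARC rather than SPF: a `-all` SPF record protects the envelope sender, but the address a user sees in the From: header is only checked once a DMARC policy of quarantine or reject is published, which is why a domain with SPF but no DMARC still shows up as spoofable.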

Live Webinar Today: "Ransomware - The Billion-Dollar Innovation Industry"

Since ransomware exploded on the scene, the bad guys have been working hard to innovate. Having earned a billion dollars in 2016, they have the resources. Now ransomware is being leveraged in ways it never has been before.

Join us for this 45-minute webinar as we discuss the latest innovations in ransomware and how you can help protect your organization from these devastating attacks.

Key topics covered in this webinar:
  • How Ransomware started
  • What led to its explosion in growth
  • Where Ransomware is heading
  • Techniques for dealing with Ransomware
  • How to create a “human firewall”
Date/Time: TODAY, October 24th at 2:00 pm EDT for 45 minutes
Register Now:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"The saddest aspect of life right now is that science gathers knowledge faster than society gathers wisdom."
- Isaac Asimov - Writer

"The world always seems brighter when you've just made something that wasn't there before."
- Neil Gaiman - Writer

Thanks for reading CyberheistNews

Security News
Lower Cybercrime Costs! Attack Humans...

This could be a headline on a dark web site for cyber criminals. And it would be correct.

Our colleagues at Wombat did some digging and came up with relevant research you should know about.

The Ponemon Institute recently published their 2017 Cost of Cyber Crime Study and they delivered some sobering statistics that I will not bore you with. The upshot is that we are losing the war on cybercrime. The study noted that the attackers are getting smarter and more organized, and are “finding it easier to scale cybercrime globally.”

And while technology certainly plays a role in these economies of scale, we recently saw in the 2017 edition of The Human Factor, a report by cybersecurity company Proofpoint, evidence that cybercriminals are putting the big money on scaling social engineering–based attacks. In other words, they’re relying more heavily on individual human actions rather than automation and opportunistic vulnerability exploits.

As the Proofpoint report indicates, human actions are increasingly at the root of cybersecurity issues. And as the Ponemon report shows, the cost of those cybersecurity issues is rapidly increasing. Changing the behavior of your employees can help you reduce the costs associated with detection, investigation, remediation, and response to these successful attacks.

The key is to move the dial not only on awareness of social engineering attacks, but also on identification and avoidance. Recognizing that a threat exists is not the same as being able to apply what you have learned, and that ability is what stepping through new-school security awareness training builds. Blog with links:

The First Recorded Statement of Security Awareness Training?

I was just sent a link to a video of Kevin Mitnick's testimony before a congressional committee on March 2, 2000, where he explained how he was able to hack into dozens of large organizations, including the IRS, using social engineering as his only tool.

The sender asked: "Stu, is this the first recorded statement on, or possibly the genesis of, Security Awareness Training?"

Excellent question, and I am asking all subscribers the same thing. Are you aware of any earlier specific mention of "security awareness training" in any form? Email me at please.

We might not only be the most popular, but Kevin, our Chief Hacking Officer, could perhaps also be the first to bring up the idea of specific training against social engineering.

Forward the C-SPAN video to about 13 minutes in, where he mentions "extensive user education and training" at 13:50. Let me know?

Cybersecurity Is Dead – Long Live Cyber Awareness

CSO contributor Scott Goldman wrote: "Let's face it: anyone who depends solely on prevention is doomed.

Cybersecurity is dead. Let’s face the facts here, folks – it’s hopeless. The bad guys have won and anyone who depends solely on prevention is doomed. Cyberattacks are, at their essence, just like any other type of crime: you can make all the efforts to prevent it from happening but in the end it’s going to happen anyway so you have to be prepared for it.

I mean, really – do I have to remind anyone of the companies that supposedly protected their data and, well, didn’t? Equifax is just the latest. Has everyone forgotten about Target, Citibank, Sony or the almost comically colossal screw-up of THREE BILLION records revealed at Yahoo!?

OK, if you’ve been living in a cave for a while how about this: The NSA – yes, that’s right, the top-secret, James Bond-ish superspy arm of your U.S. government was hacked. And let’s not forget that the government agency tasked with making sure that public companies disclose everything – the SEC – has been breached, too. [...]

Don’t get me wrong – I’m all about educating employees not to click links, showing people what phishing emails look like and how to report them to the IT department, tightening up firewalls, installing virus detection and putting up whatever other obstacles can be erected that will block, delay or divert a hacker.

But in the end, just like a house with a sophisticated burglar alarm system, dead-bolt locks, crash-proof glass and a really mean dog, if a pro wants to get in, they’re getting in.

Recovery takes planning and planning takes analysis. What you need to do is to take a close look at your own situation and decide how you’d best recover when you get hacked or held hostage by a ransomware attack (probably the most likely scenario today). Ask yourself (and your IT department) these questions:
  1. If you were hacked, what would you do?
  2. How frequently is your data backed up?
  3. Will you pay the ransom?
  4. What about the companies and people you work with?
  5. What's your communication plan?
Scott goes into detail on these 5 points, and the post is warmly recommended:

Chrome Smoked by Edge in Browser Phishing Test

At last some good news for Microsoft’s ignored Edge browser: new tests by NSS Labs have found that it beats Chrome and Firefox hands down at blocking malware downloads and phishing attacks.

After 23 days of continuous tests between 23 August and 15 September this year, Edge version 38 blocked 96% of the socially-engineered malware (SEM) samples thrown against it in the form of malicious links and pop-ups, compared to 88% for Chrome version 60 and 70% for Firefox version 55. (The researchers describe SEM attacks as “a dynamic combination of social media, hijacked email accounts, false notification of computer problems, and other deceptions to encourage users to download malware”.)

Edge did even better when it came to phishing, blocking 92% of malicious URLs, compared to Chrome’s 75% and Firefox’s 61%.

NSS also looked at “zero hour” protection, which is how long it takes for each browser to block brand new threats once they’ve been introduced into the test.

For zero-hour SEM, Chrome started at 75% before climbing to a peak of 95% after seven days, while Firefox started at 54%, climbing to a peak rate of only 80% over the same period. Compare that to Edge which managed a steady 99.8% from hour one.

For zero-hour phishing URLs, the results weren’t quite as wide, but even here Edge started at 82% to Chrome’s 59% and Firefox’s 51%. Firefox clawed back some of the gap by day seven, scoring a peak rate of 81% to Chrome’s weakening 65%, but still ended up lagging Edge’s 89%.

These differences sound significant, but how seriously should we take them? More:

Google’s Alphago Zero AI Quickly Masters GO Board Game With No Human Help

Google AI has long had great results beating chess players. The earlier AlphaGo was taught the Chinese game Go by playing against human Go players, but the new AlphaGo Zero played the top 100 human Go players and learned how to become the best Go player in the world purely by knowing the rules. It then played against itself and, without any human player experience, taught itself how to play and beat the 100:

Ransomware Decryption Framework Now Available

McAfee has released a decryption framework to boost the production of decryption tools to help victims of ransomware attacks.

Victims of ransomware attacks typically have few options if they have failed to make backups of the data encrypted and are being held to ransom.

Victims can either pay up or lose their data, but the No More Ransom cross-industry initiative aims to provide a third option: free decryption tools.

“If you are an individual researcher, and you have access to these keys, you will have to spend a lot of time developing a tool that enables people to decrypt their computers, so we have created a free ransomware decryption framework,” said Raj Samani, chief scientist at McAfee.

The framework will allow for the rapid incorporation of decryption keys and custom decryption logic when they become available, said Samani, and get help to victims of ransomware a lot quicker. “It enables anyone in the industry to create more tools to ensure a safer society.” More:

Interesting News Items This Week

For our UK friends. New Scam Impersonates Value Added Tax Form to Deliver Malware:

British Security Advice Van Trades Your Phishiest Emails for "Phish and Chips":

DHS Orders Federal Agencies to Use DMARC, HTTPS:

Google to Offer Stepped-up Security for 'High Risk' Users. Takeaway: This is positioned at a very "high risk" pool of people:

Printers: The Weak Link in Enterprise Security:

CERT: These emerging technologies bring new risks:

Google Chrome May Add a Permission to Stop In-Browser Cryptocurrency Miners:

Necurs Downloader Takes Screen Grabs to Improve Ransomware Attacks:

Clinic Pays Ransom After Backups Encrypted in Attack:

This new botnet could take down the internet - and it's rapidly spreading across the world:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
