CyberheistNews Vol 8 #12 A Cyber Attack in Saudi Arabia Had a Deadly Goal - Experts Fear Another Try

Last summer, a petrochemical plant in Saudi Arabia was the target of a cyber attack that investigators believe was designed to sabotage the plant's operations and cause an explosion. Iran is probably behind it.

Bug in code prevents deaths

The only reason the explosion did not occur was that there was a bug in the attack code. The incident is being investigated by Mandiant, Schneider Electric, the NSA, the FBI, the US Department of Homeland Security (DHS) and the Pentagon's Defense Advanced Research Projects Agency (DARPA).

Generally the Iranians use spear phishing attacks to get into their targets. The story is in the NY Times and a recommended read. It is also excellent to send to your management, because stories like this illustrate the need for an increased IT security budget:

Malicious Cyber Activity Surges Coincide With Geopolitical Events

A lot of social engineering draws its plausibility from current events. Some of these are as predictable as the calendar. Valentine's Day? Here's a quick link to get you those flowers and candy you forgot about. Tax season? Hey, it's us, the IRS. March Madness? Click here to share your bracket (come on, it'll be fun).

We've warned about all of these elsewhere. But other, more serious and less predictable events also shape phishbait. International conflict increasingly plays out in cyberspace as well as physical space. And nation-state hacking units work social engineering as much as any common criminal.

The hackers, probably Russian, who intruded into the Winter Olympics networks got there by phishing. Other Russian hackers who've taken down sections of the Ukrainian power grid over the last few years got into the utilities' networks by phishing.

Currently an Iranian threat group, called variously "MuddyWater" or "TEMP.Zagros," is phishing targets in the Middle East and Asia. The goal appears to be strategic intelligence. The means by which MuddyWater accomplishes its cyberespionage is a phishing email baited with a plausible, malicious Word document.

When gullible recipients open the email and click the attachment, they install the spyware payload. It pays for any business to keep abreast of geopolitical events if only for this reason: they can help keep their employees aware of some likely forms social engineering will take.

You may not be interested in geopolitics, but geopolitics is interested in you.

One of the larger crises with significant implications for cyberspace is the current conflict between the UK and Russia over Russia's apparent attempt to assassinate a spy and his daughter in England.

Both sides are threatening cyber retaliation. Security awareness training should be as realistic and timely as possible. KnowBe4 has a Current Events phishing template category that is kept up to date with today's breaking news items.

See Comodo's take on the correlation of attacks with current events here:

Scam of the Week: Phishing Madness!

Beware of March Madness: criminal hackers are at it again. After Valentine's Day, their phishing agenda has moved on to the next topic. They are now spoofing popular March Madness websites, including bracket sites and live game streaming.

Last season, traffic activity from users streaming games and checking brackets for updates increased by 100% during the first round of the NCAA tournament.

Also, monitoring sites observed an increase in activity related to this category and discovered a clear upward spike in malicious activity, such as phishing pages, adware downloads, and attempted domain squatting. All of this is going on again this year, and it will be on your corporate networks if you do not take proactive measures.

Make sure your email filters are getting updated consistently and as often as possible. Next, I suggest you send this email to your employees, friends and family. You're welcome to copy/paste/edit:

Heads-up! The bad guys are at it again, this time with March Madness. They are sending phishing emails and trying to lure you to scam sites that are copies of legitimate sites that cover brackets and stream games. That way they steal your username and password, which they can use to hack into our network and perhaps other sites where (we hope not!) you have used the same password.

So, only use NCAA-sanctioned, official sites and apps and don't make this March Sadness!

For KnowBe4 customers, we have a few brand new templates in the Current Events category, three NCAA flavors and also a few very recent other phish-bait current events. Here is a screenshot at the KnowBe4 Blog:

Join Us for Our Live Webinar: Securing the Human Layer

The intersection between technology and human security is a difficult challenge for any organization to tackle, and although detection technologies are advancing, criminals are rapidly evolving their techniques and tactics to even greater levels of sophistication.

Their attacks are difficult to detect, and even security administrators themselves fall victim now and then.

Join Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4, as he explains the value of better understanding human nature, patterns and success practices when using technology to build a more secure operating environment.

Hear practical advice on how to make both security and technology work with (rather than against) human nature to help reduce technology friction and simultaneously raise the security posture and resilience of the organization.

Key Topics covered in this Webinar:
  • Looking at the multi-dimensional nature of security
  • Finding relevant intersections between technology & behavior
  • Strategies to make awareness stick
  • Brainstorming activities for planning your custom "Human Firewall"

Attend this webinar. It will make you change the way you think about computer security.

Date/Time: Thursday, March 22nd at 2:00 PM ET. Register Now:

Microsoft: "Phishing Still Number One Method for Cyber-Attacks"

Microsoft has just released its Security Intelligence Report (SIR), its annual cybersecurity summary, and it says that phishing is still the most popular way for cyber-criminals to attack, giving security experts everywhere headaches.

To create the report, Microsoft scanned more than 400 billion emails, 450 billion authentications and 1.2 billion devices. More than half (53%) of all email threats are phishing ones.

Three quarters (75%) contain a malicious URL. Here is the upshot:
  • Hackers in general have diverted their attention to the 'low-hanging fruit'. The SIR describes three of these routes: social engineering, poorly-secured cloud apps, and the abuse of legitimate software platform features.
  • Social engineering attacks are largely synonymous with phishing attacks. The SIR notes "a significant volume of phishing-based email messages at the very end of the year 2017. Phishing was the #1 threat vector (>50%) for Office 365-based email threats in the second half of calendar year 2017." There are various tools available to help detect phishing, but some academics doubt that even machine learning techniques will be able to solve the problem.
  • Microsoft stresses the value of end-user security awareness training. While users are often called 'the weakest link', they are also a critical line of defense. Every well-trained user is effectively an individual human firewall.
“As software vendors incorporate stronger security measures into their products, it is becoming more expensive for hackers to successfully penetrate software. By contrast, it is easier and less costly to trick a user into clicking a malicious link or opening a phishing email,” Microsoft said.

More detail and link to full SIR PDF:

New Phishing Security Test - See How You Compare to Peers in Your Industry.

We've got something really cool for you: the new Phishing Security Test v3.0.

Sending simulated phishing emails is a fun and effective cybersecurity best practice to patch your last line of defense… your users.

Find out the Phish-prone percentage™ of your organization with our updated Phishing Security Test that now includes new Industry Benchmarking. See where you stack up! Industry Benchmarking enables you to compare your organization’s Phish-prone percentage with others in your industry.

With Our Updated Phishing Security Test:
  • You can customize the phishing test based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Start phishing your users now. There is no cost.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"I believe alien life is quite common in the universe, although intelligent life is less so. Some say it has yet to appear on planet Earth." - Stephen Hawking

"To confine our attention to terrestrial matters would be to limit the human spirit." - Stephen Hawking

Thanks for reading CyberheistNews

Security News
30-second Survey: "I wish I had a tool to..."

When an end-user fell for a social engineering attack, have you ever had that feeling, "I just wish I had a tool to...," but lacked that tool? Take 30 seconds and let us know what that tool would be.

Please let me know at this link to Surveymonkey. It may be redirected, so please copy and paste this in your browser:

Thanks very much in advance!

Did You Know About Our YouTube Channel? Please Subscribe.

We frequently post awareness videos and other useful public service announcements on our YouTube Channel. We have general videos about the company, news coverage, customer testimonials, helpful videos for how to use the platform and how to stay safe online. Please take a sec and hit subscribe. Thanks!

Healthcare Cyber Attacks Outpace Investments in Personnel, Education and Resources

Recognizing that healthcare organizations are facing constant cyber attacks, the 2018 Impact of Cyber Insecurity on Healthcare Organizations study examines the myriad of cybersecurity-related challenges and how organizations are (or are not) addressing them.

Results show the security stakes are high, with 62 percent of the 627 executives surveyed admitting to experiencing an attack in the past 12 months, and more than half losing patient data as a result.

According to publicly available data, breaches in the last year hit a new all-time high. Of the five industries tracked, Medical/Healthcare accounted for more than 23 percent of total breaches in 2017, resulting in the exposure of more than five million patient records. Only the business sector saw more successful attacks, with healthcare organizations (HCOs) second for the fourth year running.

Who is attacking? What do they want? How are they doing it?

Notably, organizations surveyed are equally concerned with external attacks (63 percent) as they are with employee negligence or malicious insiders (64 percent). And what are the bad guys after? When asked, respondents highlighted these top five items:
  • Patient medical records (77 percent)
  • Patient billing information (56 percent)
  • Log-in credentials (54 percent)
  • Passwords and other authentication credentials to systems, servers or applications (49 percent)
  • Clinical trial and other research information (45 percent)

Education, Resources and Process

Fifty-two percent of those surveyed agreed that a lack of employee awareness and training affects their ability to achieve effective security. In addition, 74 percent cited insufficient staffing as the biggest obstacle to maintaining a fully effective security posture.

According to responses, only 51 percent of organizations have a dedicated CISO and 60 percent surveyed don’t think they have the right cybersecurity qualifications in-house.

On top of the lack of education, training and resources, only half of organizations (51 percent) have any type of incident response program at all. This means half of all organizations have no process or remediation plan in place to respond to, mitigate, or prevent attacks from happening again and causing extensive damage. More detail at HelpNetSecurity:

It’s the Year 2018, and Even Ransomware Is Agile. Here Is "The New Cerber"

In early February, experts at cyber security firm LMNTRIX discovered a new ransomware-as-a-service dubbed GandCrab, advertised in the Russian hacking community on the dark web.

The malware developers started by publishing an MVP, a "minimum viable product", and improved it quickly as they went along.

“Given this, and given that this newest version was released within the week, the bottom line seems to be: It’s the year 2018, even ransomware is agile,” reads an upcoming report to be released by Check Point.

Early versions of GandCrab were full of bugs and mistakes from a developer's standpoint, said Michael Kajiloti, team leader, malware research at Check Point. “They have been diligent about fixing issues as they pop up. They are clearly doing their own code review and fixing bugs reported in real-time, but also fixing unreported bugs in a very efficient manner.”

Researchers noticed that the authors leverage the RIG and GrandSoft exploit kits to distribute the ransomware strain. It has been estimated that GandCrab has managed to infect approximately 50,000 computers, most of them in Europe, in less than a month, demanding ransoms of $400 to $700 in DASH cryptocurrency from each victim.

“GandCrab is the most prominent ransomware of 2018. By the numbers this ransomware is huge,” explained Yaniv Balmas, security researcher at Check Point.

Balmas compares GandCrab to the notorious Cerber family, and the expert also added that the GandCrab authors are adopting a full-fledged agile software development approach, for the first time in ransomware history.

“For those behind GandCrab, staying profitable and staying one-step ahead of white hats means adopting a never-before-seen agile malware development approach,” said Check Point.

“Check Point made the assessment after reviewing early incarnations of the GandCrab ransomware (1.0) and later versions (2.0).” More at:

1 In 3 Michigan Workers Tested Opened Fake 'Phishing' Email

Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password.

The Phishing Security Test was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training.

Phishing schemes—in which hackers try to deceive email recipients by posing as legitimate entities—can lead to identity theft and other problems.

Phishing was how Russian-linked players stole the emails of Hillary Clinton's presidential campaign chairman John Podesta.

Michigan's Office of the Auditor General made 14 findings in the audit, including five that are "material"—the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network.

Ouch. Time to step those users through new-school security awareness training. Read more at:

Security Culture and Vulnerability

"A Delivery Attempt Was Made," as those who follow KnowBe4 understand, is the single most common phishbait phrase used in subject lines. It's important to train employees to recognize the kind of phishing that comes through mass spam.

Attackers who target your business specifically, however, can tune their subject lines to make them more plausible to your employees. Since this sort of social engineering is tuned to your organization's culture, your culture should be tuned to resist it.

Regular, realistic phishing awareness training can build a resilient culture. See Channelnomics for the story:

Technical Controls Inadequate Protection Against Phishing in the UK

Anti-virus tools, firewalls, and other software-based security layers are all important pieces of the puzzle defending a business against cyber attack.

They're not, however, proof against social engineering, because that is fundamentally a human and not a technical problem.

Studies in the UK show that phishing remains the biggest security concern of business development managers, and much the same could be said elsewhere. Low-level employees, often inexperienced and usually accustomed to following instructions, are more likely to fall victim to untargeted "mass-market" phishing spam.

Higher level employees are likely to be the victims of targeted and carefully crafted spear phishing attacks. The result is the same in either case: misplaced trust is abused and money is lost. See the story in ITPro:

Trained Staff as Security

A look at phishing patterns by researchers at Google, the University of California, Berkeley, and the International Computer Science Institute found that phishing was more effective at compromising a business than a data breach. Employees who are aware of the threat of social engineering provide an indispensable layer of security.

Awareness training should be regular and realistic. It cannot be confined to an annual training session conducted by PowerPoint in a conference room. Instead, it should use training emails at least as carefully tuned to the employees' interests as actual attack messages would be. The goal should be to teach, not to punish. Dark Reading has the story:

How Vulnerable Is Your Network Against Ransomware Attacks? Find Out for a Chance to Win!

Bad guys are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s free Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection.

Plus, you'll be entered to win an awesome 34-Inch Curved UltraWide LG Monitor.

To make it even better, we’ll pick 3 winners!

RanSim has been downloaded thousands of times and run against dozens of AV products. The results have been an eye-opening experience for many IT pros.

Find out if you’re vulnerable now!

What Our Customers Are Saying About Us

"Hi Stu, Thanks for the personal check-in. I should be surprised to get such a note, but I’m really not given the exceptional experience I’ve had with KnowBe4 to this point. The care and attention that I’ve received genuinely makes me feel like you all are just as invested in our success as we are.

Which is contrary to my experience with product and services purchases over the course of my career. Truly appreciative to work with such a great group of people and company such as yours. Thanks again and keep up the good work!" - P.W., Awareness Program Administrator

"Stu, Thanks for checking in. So far I have been very impressed with the website and the ease and flexibility with which we can create a campaign. I also feel that the ASAP section is the best online onboarding tool I have used – great job on this!" - C.W., IT Manager

Interesting News Items This Week

Zenis Ransomware Encrypts Your Data & Deletes Your Backups:

ISPs Caught Injecting Cryptocurrency Miners and Spyware in Some Countries:

APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware:

Similar tax fraud phishing reported in UK:

Cybercriminals launder money through mansions, private islands and crypto currency:

Phishing Scam Spoofs Orange County Mayor, and Targets Residents:

DHS warns of new Russia hacks as US sanctions Russia over election interference:

Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials:

Fortnite accounts are being hacked to make fraudulent purchases:

Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.