CyberheistNews Vol 8 #30 [Heads-up] WSJ: "Russian Hackers Are Now Able to Turn Off Your Lights"

Now here is some news that concerns me deeply. I knew it was bad, but I did not know it was this bad.

Rebecca Smith from the Wall Street Journal reported that "Hackers working for Russia claimed “hundreds of victims” last year in a giant and long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said. They said the campaign likely is continuing.

"The Russian hackers, who worked for a shadowy state-sponsored group previously identified as Dragonfly or Energetic Bear, broke into supposedly secure, “air-gapped” or isolated networks owned by utilities with relative ease by first penetrating the networks of key vendors who had trusted relationships with the power companies, said officials at the Department of Homeland Security.

“They got to the point where they could have thrown switches” and disrupted power flows, said Jonathan Homer, chief of industrial-control-system analysis for DHS.

Hundreds of victims, not a few dozen...

DHS has been warning utility executives with security clearances about the Russian group’s threat to critical infrastructure since 2014. But the briefing on Monday was the first time that DHS has given out information in an unclassified setting with as much detail. It continues to withhold the names of victims but now says there were hundreds of victims, not a few dozen as had been said previously.

It also said some companies still may not know they have been compromised, because the attacks used credentials of actual employees to get inside utility networks, potentially making the intrusions more difficult to detect.

Experts have been warning about the Russian threat for some time.

“They’ve been intruding into our networks and are positioning themselves for a limited or widespread attack,” said Michael Carpenter, former deputy assistant secretary of defense, who now is a senior director at the Penn Biden Center at the University of Pennsylvania. “They are waging a covert war on the West.”

Russia has denied targeting critical infrastructure. Yeah, right.

Mr. Homer said the cyberattack, which surfaced in the U.S. in the spring of 2016 and continued throughout 2017, exploited relationships that utilities have with vendors who have special access to update software, run diagnostics on equipment and perform other services that are needed to keep millions of pieces of gear in working order.

The attackers began by using conventional tools (spear-phishing emails and watering-hole attacks, which trick victims into entering their passwords on spoofed websites) to compromise the corporate networks of suppliers, many of whom were smaller companies without big budgets for cybersecurity.

Once inside the vendor networks, they pivoted to their real focus: the utilities. It was a relatively easy process, in many cases, for them to steal credentials from vendors and gain direct access to utility networks. DHS is conducting the briefings—four are planned—hoping for more industry cooperation.
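As an added example (not from the WSJ article, the DHS briefing, or KnowBe4), here is the kind of check a utility's security team could run over its own authentication logs to catch the pattern described above: a vendor's credential being used from outside the vendor's network, outside an agreed maintenance window, or against assets that vendor does not service. The account names, IP ranges, host names, log format and log lines are all constructed for illustration.

```python
"""Flag suspicious use of third-party vendor accounts in sample auth logs.

Added example: the account names, IP ranges and log lines below are
constructed for illustration and are not from the DHS briefing or the WSJ
article. The idea is the one the briefing implies: a vendor credential is
legitimate only from the vendor's known network, inside an approved
maintenance window, and only against the assets that vendor services.
"""
from datetime import datetime, time
import ipaddress
import re

# Hypothetical vendor access policy (constructed).
VENDOR_POLICY = {
    "svc-relayvendor": {
        "networks": [ipaddress.ip_network("203.0.113.0/24")],
        "window": (time(8, 0), time(18, 0)),      # local maintenance window
        "assets": {"relay-hist-01", "relay-hist-02"},
    },
    "svc-scadavendor": {
        "networks": [ipaddress.ip_network("198.51.100.0/24")],
        "window": (time(9, 0), time(17, 0)),
        "assets": {"hmi-eng-01"},
    },
}

# Constructed sample log lines in a simple syslog-like key=value format.
SAMPLE_LOG = """\
2017-11-03T10:12:41 host=relay-hist-01 user=svc-relayvendor src=203.0.113.17 result=success
2017-11-03T23:48:02 host=relay-hist-01 user=svc-relayvendor src=203.0.113.17 result=success
2017-11-04T02:15:09 host=hmi-eng-01 user=svc-relayvendor src=192.0.2.55 result=success
2017-11-04T11:02:33 host=hmi-eng-01 user=svc-scadavendor src=198.51.100.9 result=success
2017-11-04T11:05:10 host=hmi-eng-01 user=svc-scadavendor src=198.51.100.9 result=failure
2017-11-04T11:07:58 host=jumpbox-02 user=jsmith src=10.20.30.40 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["src"] = ipaddress.ip_address(d["src"])
    return d


def check_vendor_login(event):
    """Return the list of policy violations for one successful vendor login.

    Non-vendor accounts and failed logins return an empty list.
    """
    policy = VENDOR_POLICY.get(event["user"])
    if policy is None or event["result"] != "success":
        return []
    findings = []
    if not any(event["src"] in net for net in policy["networks"]):
        findings.append("source outside vendor network")
    start, end = policy["window"]
    if not (start <= event["ts"].time() <= end):
        findings.append("outside maintenance window")
    if event["host"] not in policy["assets"]:
        findings.append("asset not serviced by this vendor")
    return findings


def audit(log_text):
    """Return (line, findings) for every vendor login that violates policy."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        findings = check_vendor_login(event)
        if findings:
            alerts.append((line, findings))
    return alerts


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LOG):
        print(f"{line}\n    -> {', '.join(findings)}")
```

Run against the sample, the second line (a valid vendor host and network, but at 23:48) and the third line (an unknown source, at 02:15, against an asset the relay vendor does not service) are reported; the stolen-credential case the briefing describes would look exactly like that third line, because the password is correct and the login succeeds. The point is that a correct password tells you nothing about who is typing it, so the context of the login is what must be alarmed on.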

If you want to keep your lights on...

I strongly suggest that your Disaster Recovery Team find out which utility is supplying your power, insist that the utility step its employees through new-school security awareness training, demand that its vendors do the same, and ask for evidence that this was actually done. You know who to send them to; we have a special discount for power utilities during Q3 to make this a no-brainer for them.

Second Quarter 2018 Top-Clicked Phishing Email Subjects [INFOGRAPHIC]

We've been reporting on the top-clicked phishing email subjects every quarter for a while now across three different categories: general emails, those related to social media, and 'in the wild' attacks that are a result of millions of users clicking on the Phish Alert Button on real phishing emails and allowing our team to analyze the results.

Make Your Users Think Twice

Sharing the latest threats with users is a great way to keep them on their toes. We also see a lot of similarities in the subjects quarter over quarter, so knowing what the popular ones are can help users stay vigilant and ultimately think twice before clicking. The bad guys continue to take advantage of the human psyche and bypass rational behavior.

Using Human Nature Against Us

“Hackers are smart and know how to leverage multiple psychological triggers to get the attention of an innocent victim. In today’s world, it’s imperative that businesses continually educate their employees about the tactics that hackers are using so they can be savvy and not take an email at face-value.

Hackers will continue to become more sophisticated with the tactics they use and advance their utilization of social engineering in order to get what they want,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4.

Here is your infographic of top messages for the last quarter, share with your users as part of your security awareness program:
Yes, Google's Security Key Is Hackable

Here is a thought-provoking article by Roger Grimes, KnowBe4's Data-Driven Defense Evangelist.

"Ever since Google told the world that none of its 85,000 employees had been successfully hacked since they started implementing Security Keys, like Yubico’s YubiKey, I’ve been contacted by friends and the media about my thoughts.

Apparently as the author and presenter of the 12 Ways to Hack 2FA and an author of a similar CSO column, I’m purported to be an authority on it. I’m not, but I did recently stay at a Holiday Inn. :-)

I’m saying it right here, MFA is awesome!

First, and foremost, any multi-factor authentication (MFA) method should be applauded and supported. I feel almost criminal saying anything bad about any MFA solution. We need to replace as many one factor authentication (1FA) and/or simple password authentication scenarios as we can, wherever and whenever we can.

Google is awesome in so many ways, not the least of which is their incredible push to better secure more web sites, using more default HTTPS and trying to fix our digital authentication mess as examples, but also in switching all their users to MFA. The security vendors providing Google Security Key MFA solutions are awesome. Yubico’s YubiKey is awesome. What’s not to love about any company or person trying to improve computer security?

Now that we’ve got the obligatory “I’m not insane” moment out of the way, I’m just as correct to say that there is no doubt in my mind that Google’s Security Key MFA device can be hacked. Just because it hasn’t or didn’t (not sure how you ultimately prove that of course) get hacked, doesn’t mean it can’t be hacked.

Apple computers and devices didn’t get hacked until they became super popular, and now they are. Same thing here.

There is not an authentication solution made that cannot be hacked. That includes what Google has. It includes whatever we come up with in the future. It includes all known biometrics. It includes everything in the computer security world. If a vendor or person tells you they have something that is unhackable, run!

They are either lying or don’t know what they are talking about. Either way, not the sources of authority you should be listening to.

Yes, Google Security Keys Can Be Hacked. Continued at the KnowBe4 Blog:
Don’t Miss the August Live Demo: Simulated Phishing and Security Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, August 1, 2018, at 2:00 p.m. (ET) for a 30-minute live product demonstration of KnowBe4's Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users.
  • NEW Upload any Policy and roll it out as a training module for compliance.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Improved Vishing (voice phishing) feature supports domestic and international dialing with 10 commonly used vishing templates.
  • Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting, with great ROI.
  • Delegated Permissions, now part of the Security Roles feature, allows you to create custom admin roles for Target Groups in your organization.
Find out how 19,000+ organizations have mobilized their end-users as their last line of defense.
Save My Spot!
New Training Module: "Safe Travels for Road Warriors". You Can Download the Free Checklist Now

I'm excited to announce a new module that has been quite some time in the making!

A 12-minute animated course with lots of interactivity for those who travel for business, with some very helpful tips for personal travel too.

We believe this is a very good new module. We have been working on it internally for a long time, with input from experts like Kevin Mitnick.

I strongly recommend stepping Board members, C-levels, and any business traveler through these 12 minutes. I guarantee that even the most savvy road warriors will learn a few new tricks!

Best of all, we have a brand new Safe Travel Checklist as a free job aid similar to the Red Flags PDF that you have been using for the last few years. Download the PDF now at the KnowBe4 blog:
Going to Black Hat in Las Vegas This Year? Get Your Free Book Signed by Kevin Mitnick!

Check out all the activities KnowBe4 will be doing at Black Hat:
    • Get your free book signed by Kevin Mitnick: Drop by KnowBe4’s Booth #1428, at the Kevin Mitnick Book Signing. Meet the ‘World’s Most Famous Hacker’, get a signed copy of his new book: Wednesday, August 8, 5-7pm at KnowBe4’s Booth.

    • Enter to Win a 34” LG Curved UltraWide Monitor: Join us to see a short demo of the innovative KnowBe4 Security Awareness Training Platform to train and phish your users. You’ll also get your light-up "Axe To Grind With Ransomware” swag!

    • Learn the 11 ways hackers get around your favorite 2FA solution: Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, during the session “11 Ways to Defeat Two-Factor Authentication”, on Wednesday, August 8th, 4:10pm in Oceanside F. You'll learn about the good and bad of 2FA, and become a better computer security defender in the process:
[Live Webinar] Latest Business Email Compromise Scams - Don't Be the Next Victim

The bad guys are getting very creative: they impersonate an executive in your organization and ask for financial reports, or they ask employees in payroll to change bank account details.

According to the FBI, these scams, known as Business Email Compromise or CEO fraud, have earned the attackers an estimated $12 billion. In addition, one attacker can be working on multiple potential victims at the same time.

Invoice fraud, escrow redirection, payroll fraud, and simple wire transfer fraud are all tools in the attacker's arsenal. Defending against these types of phishing attacks is possible by layering technical and non-technical controls.

Join us in this webinar, as we take an in-depth look at how the latest attacks work and the psychology and mechanics behind them. We will also discuss defensive measures you can take now to defend your organization against these attacks.

In the event you'll learn:
  • The truth about Business Email Compromise
  • How to defend against these attacks using technical and non-technical controls
  • Why building a human firewall is your best last line of defense
Save My Spot! Wednesday, August 15, 2018 2:00 pm ET

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The natural desire of good men is knowledge." - Leonardo da Vinci (1452 - 1519)

"An investment in knowledge pays the best interest." - Benjamin Franklin

Thanks for reading CyberheistNews
Security News
New Report: Phishing Attacks Increase by Half and C-Levels Still Make Mistakes

Half of all businesses have seen the volume of phishing attacks increase over the last twelve months, according to the latest State of Email Security report by Mimecast. 40% saw the volume of impersonation attacks rise, the report adds.

Despite repeated calls to make cybersecurity a C-level priority, many organizations are not taking heed. According to the report, 20% of respondents said their C-level executives sent sensitive data in response to a phishing attack, and 49% admitted that their management and finance teams aren’t knowledgeable enough to identify and stop an impersonation attempt.

“Email-based attacks are constantly evolving and this research demonstrates the need for organizations to adopt a cyber resilience strategy that goes beyond a defense-only approach. This is more than just an ‘IT problem,’” said Peter Bauer, chief executive officer of Mimecast.

“It requires an organization-wide effort that brings together many stakeholders, puts the right security solutions in place and empowers employees – from the C-suite to the reception desk -- to be the last line of defense.”

Mimecast conducted the research with Vanson Bourne on the state of organizations’ cybersecurity, their expectations and needs, and what attacks they’ve seen increase. Findings within the report are based on responses received from 800 IT decision makers and C-level executives globally and reveal the attitudes, behaviors, confidence and preparedness levels of security professionals, and the C-suite, when it comes to dealing with these threats. More:
A RAT for Distribution Lists

Remote access Trojans (RATs) are among the more common payloads delivered by malicious spam. Proofpoint last Thursday announced that it had identified a new RAT they're calling "Parasite HTTP."

It's being observed in a campaign targeting the IT, Healthcare, and retail sectors. But given that Proofpoint has also found it being traded in the criminal black market, there's good reason to expect it to appear in other campaigns as well.

Parasite HTTP spreads by phishing. It arrives as a malicious attachment to an email directed to various human-resources-related distribution lists. The criminals are making good guesses at what names those lists might have: hr@[insert an organization's domain name here], recruiting@..., accessibility@..., resumes@..., and so on.

Thus organizations that use such easily guessed distribution list names should be especially wary of the emails sent to them. The attachments to the phishing emails are baited to look like the sorts of material people on such a distribution list would expect to receive: curricula vitae, resumes, and the like.
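As an added example, not from the Proofpoint report or from KnowBe4: a small triage rule that a mail gateway script or SOC playbook could apply to messages addressed to role-based aliases, quarantining "resumes" whose attachments are executables, scripts, macro-enabled Office files, archives, or double-extension files masquerading as documents. The alias list, extension tables, message format and sample messages are constructed for illustration; tune them from your own gateway data.

```python
"""Triage inbound mail to role-based distribution lists for risky attachments.

Added example, not from the Proofpoint report: the alias list, risk tables
and sample messages are constructed. It models the delivery vector described
above: a "resume" sent to hr@/recruiting@/resumes@ whose attachment is
something no real applicant would send.
"""
import re

# Role aliases that receive unsolicited attachments by design (constructed).
ROLE_ALIASES = {"hr", "recruiting", "resumes", "accessibility", "jobs", "careers"}

# Attachment extension risk tables (constructed; extend from your own data).
HIGH_RISK_EXT = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "lnk", "iso", "img"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm"}
ARCHIVE_EXT = {"zip", "rar", "7z", "ace"}
EXPECTED_RESUME_EXT = {"pdf", "docx", "doc", "rtf", "txt"}


def split_ext(filename):
    """Return (stem, [extensions]) so 'cv.pdf.exe' -> ('cv', ['pdf', 'exe'])."""
    parts = filename.lower().split(".")
    return parts[0], parts[1:]


def is_role_recipient(address, org_domain):
    """True if the address is one of our own role aliases (hr@, resumes@, ...)."""
    local, _, domain = address.lower().rpartition("@")
    return domain == org_domain and local in ROLE_ALIASES


def score_attachment(filename):
    """Return (score, reasons) for one attachment filename."""
    stem, exts = split_ext(filename)
    reasons = []
    if not exts:
        return 0, reasons
    final = exts[-1]
    if final in HIGH_RISK_EXT:
        reasons.append(f"executable/script type .{final}")
    if final in MACRO_EXT:
        reasons.append(f"macro-enabled Office type .{final}")
    if final in ARCHIVE_EXT:
        reasons.append(f"archive .{final} hides the real file type")
    # 'resume.pdf.exe': a document extension followed by a non-document one.
    if len(exts) > 1 and exts[-2] in EXPECTED_RESUME_EXT and final not in EXPECTED_RESUME_EXT:
        reasons.append("double extension masquerading as a document")
    # Long runs of spaces push the real extension out of view in mail clients.
    if re.search(r"\s{5,}", filename):
        reasons.append("padded filename to hide the extension")
    return len(reasons), reasons


def triage(message, org_domain):
    """Return ('quarantine' | 'flag' | 'deliver', reasons) for one message.

    `message` is a constructed dict: {"to": [addresses], "attachments": [names]}.
    Risky attachments to a role alias are quarantined outright, because those
    aliases exist to receive attachments from strangers and nobody will notice
    one more; the same attachment to a named user is flagged for review.
    """
    to_role = any(is_role_recipient(a, org_domain) for a in message["to"])
    total, reasons = 0, []
    for name in message["attachments"]:
        score, why = score_attachment(name)
        total += score
        reasons.extend(f"{name}: {r}" for r in why)
    if total == 0:
        return "deliver", reasons
    return ("quarantine" if to_role else "flag"), reasons


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"to": ["hr@example.com"], "attachments": ["Jane_Doe_Resume.pdf"]},
    {"to": ["recruiting@example.com"], "attachments": ["CV_John_Smith.pdf.exe"]},
    {"to": ["resumes@example.com"], "attachments": ["resume.docm"]},
    {"to": ["bob@example.com"], "attachments": ["invoice.zip"]},
    {"to": ["hr@partner.example"], "attachments": ["applicant.js"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, why = triage(msg, "example.com")
        print(verdict, msg["to"], why)
```

The first sample (a plain PDF to hr@) is delivered; the double-extension executable and the macro-enabled "resume" to role aliases are quarantined; the archive to a named user and the script to an alias at a domain that is not ours are only flagged. None of this replaces sandboxing of the attachment itself, but it is cheap, runs before any detonation, and targets exactly the aliases the Parasite HTTP campaign was guessing at.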

Parasite HTTP is also noteworthy for its bag of evasive tricks, which make it more difficult for technical solutions to catch. Some of those features include sandbox detection, anti-debugging capability, and anti-emulation measures.

The RAT is also modular: once it's installed, its controllers can add functionality as they develop it or need it. Any organization would do well to remind its employees that not all Resumes or Curricula Vitae they receive are what they seem to be:
Bank Hacked Twice, Phishing, Insurance, and a $2.4 Million Lawsuit

There are three things you can do with risk. You can accept it, you can mitigate it, or you can transfer it. Insurance is a way of transferring risk. A court case that arose from a serious phishing incident shows, however, that transferring risk isn't always as easy as it seems, especially given the relative immaturity of the cyber insurance market.

The National Bank of Blacksburg in Virginia suffered two cyber robberies. Both were enabled by successful phishing that gave the hackers (thought to be members of a Russian criminal gang) access to the bank's internal systems and, through them, to customer accounts that were then drained through ATMs.

The crooks siphoned off a total of about $2.4 million in ATM withdrawals, using access they obtained through credentials phished from bank employees.

They were also able to pivot through the bank's systems to erase the fraudulent withdrawals. The bank's insurer, Everest National Insurance, would not cover the full $2.4 million loss.

The policy Blacksburg had with Everest had two riders: a "computer and electronic crime" rider with a single-loss liability limit of $8 million and a $125,000 deductible, and a "debit card rider," which limited single-loss liability to $50,000 with a $25,000 deductible and an aggregate limit of $250,000.

The bank is suing its insurer, maintaining that it should cover the full loss. The insurance company regarded the crimes as covered by the debit card rider, presumably because the money was taken out through ATM withdrawals.

Whatever the case's outcome, the National Bank of Blacksburg was certainly pwned, and twice. And whatever the outcome, it would have been better had the phishing attempts been turned aside. Interactive training would, of course, help with employee awareness. It could also feed the kind of wargaming an organization might conduct as it decides what to do with its cyber risk: accept, mitigate, or transfer. Whichever it chooses, be sure to read the fine print:
KrebsOnSecurity has the story:
Warn Your Users: Beware of Free Gift Card Phishing Scams

People can’t resist the lure of free stuff. Cyber criminals know this and are always looking for ways to make a quick effortless buck. Put these two together and you have the perfect scenario for a free-stuff scam. The only problem is, the victim comes up empty.

Cyber criminals set up a phony website where victims can select the gift cards of their choice—absolutely free—just for providing some seemingly benign information. That information is often collected when the victim visits a third-party site.

Once on the site, the victim answers questions and is put through various plausible actions to prove they're not robots. Each step of the way, the victim clicks through and provides information to eventually collect a code they can enter for their worthless gift card.

Or they simply give up along the way, after, of course, they've answered a few questions. For very little effort, the scammers get paid. They sell their victims' information to third parties, and are paid for each click the victim makes chasing the free gift card.

Here are rules any organization might share with their employees:
  • Remember there is no such thing as a free lunch.
  • Always check the domain name when visiting a webpage, especially if you are entering sensitive personal information. A padlock or HTTPS only means the connection is encrypted, not that the site is legitimate; scam sites have valid certificates too.
  • Never share your sensitive data.
  • Do your friends a favor and do not share questionable links.
  • Check if the offer for free stuff is legit by contacting the company making the offer.
In the end, the scammer has made a few bucks and the victim wasted a few hours they'll never get back. And, sorry, there is no gift card. This sort of scam is fodder for the sort of interactive, realistic training an organization with a culture of security can use to raise its employees' awareness of the social engineering threat. Vanguard has the story:
Gmail's Problematic Confidential Mode

Some technical security measures may seem to promise more security than they actually deliver. It's good to understand their limitations, and to make employees aware of those same limitations in regular awareness training. A current case in point may be a recent update to Google's Gmail service.

In April Mountain View introduced several new design features in a new "Confidential Mode." The Electronic Frontier Foundation (EFF) is raising concerns about Confidential Mode's use of what the EFF calls "brittle" security. Full story at the KnowBe4 blog:
Emojis as Phishbait

Who was ever hurt by an emoji? World Emoji Day was celebrated on July 17th, and the little images, which many regard as cute and pleasant, got plenty of attention. But there's a problem with them, and it involves social engineering. The risk is nothing so sophisticated as, say, steganographic malware concealed within an image.

Instead, it's just that people tend to react to emojis as being sweet, harmless, personal, and credible. There's a tendency to swallow the hook if the phishing email or social media communication has an appealing little smiley face in it. This may be a small thing, but big problems can arise from small errors.

New-school interactive training that raises awareness can help an organization's employees see through this sort of social engineering ploy. Credit Union Times has the story:
What KnowBe4 Customers Say

"Stu, Thanks, this is a great additional feature. I have been using a much more cumbersome process to get employees acknowledgment for our “Acceptable Use Policy.” This will make that chore much easier! Thanks again!"
- J.J., CISSP, ITIL V3 Information Security Officer

"We are doing pretty good. Your onboarding staff are great and Julie White was awesome! She has made this process so much simpler and she was very helpful. What a wonderful customer experience she gave us. She got us through setting up the baseline phishing test and subsequent training. That training should be going out soon so I’m anxious to see if this drives down our exposure as much as I believe it will. So, yes, I am so far very pleased with everything. Thanks for the follow-up."
- P.R., VP Information Technology

"Stu, Thank you for the inquiry and concern. We love your product so far, we are not using diamond level to its full potential yet, but the USB key tests are coming. I love how I can set up a campaign within a few minutes and I can work on other things while it goes on. Our users “woke up” from the first test so we saw a huge reduction in clicks, now we are seeing the users that truly need the training and KnowBe4 makes it so easy to assign training and the auto reminders for the user and their manager makes follow through hassle free."
- S.R., System Administrator
The 10 Interesting News Items This Week
    1. How Silicon Valley Became a Den of Spies:

    2. The Double-Edged Sword of Artificial Intelligence in Security:

    3. Ethical hacker explains: How the Russian government used disinformation and cyber warfare in 2016 election:

    4. Beware: A Deviously Good Verizon Scam:

    5. Microsoft Discovers Supply Chain Attack at Unnamed Maker of PDF Software:

    6. BUSTED? A blackhat’s revenge exposes a 2-year old patient data hack that Holland Eye Surgery & Laser Center failed to disclose:

    7. Data breach exposes trade secrets of carmakers GM, Ford, Tesla, Toyota:

    8. The Bluetooth “device snooping bug” – what you need to know:

    9. ERP applications under attack: How criminals target the crown jewels:

    10. A Cyber Axis of Evil is Rewriting the Cyber Kill Chain:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.