CyberheistNews Vol 8 #40 [Heads-Up] Instant LinkedIn Hit: "Kevin Mitnick Demos the USB Ninja Cable Attack"

CyberheistNews Vol 8 #40
[Heads-Up] Instant LinkedIn Hit: "Kevin Mitnick Demos the USB Ninja Cable Attack"

The moment this 3-minute video was released on LinkedIn it went viral, had 900 likes, 90 comments, and well over 30K views in no time.

Kevin Mitnick, KnowBe4's Chief Hacking Officer wrote: "I’m excited to share the new #USBNinja cable that uses Bluetooth to command the malicious cable to inject its payload onto a targeted machine. The transmitter range is up to 100m depending on the antenna used.

Mitnick continued with: "My sincere congrats to Olaf, Dennis, Vincent Yiu and the rest of the RFID Team for such brilliant work. This work was borne out of the NSA’s COTTONMOUTH project disclosed by Edward Snowden. For those that are interested in the #USBNinja cable, this was formally codenamed USBHarpoon."

Here is a link where you can see this brand new attack video yourself. Have fun and shiver:
FBI: "Each of us has a role in online safety and security."

The FBI announced: "October is National Cybersecurity Awareness Month, and each of us has a role in online safety and security."

We could not agree more, and below are some free tools for you to train your users.

But first, the FBI continued with: "Connected devices are essential to our professional and personal lives, and criminals have gravitated to these platforms as well. Many common crimes—like theft, fraud, harassment, and abuse—are now carried out online, using new technologies and tactics.

Others, like cyber intrusions and attacks on critical infrastructure, have emerged as our dependence on connected systems revealed new vulnerabilities.

"Successfully mitigating these threats relies on a combination of information sharing, prevention efforts, and enforcement work. Government agencies, law enforcement, the private sector, and individuals all have a role to play.

"National Cybersecurity Awareness Month was created in 2004 by the Department of Homeland Security and the National Cyber Security Alliance to provide a reminder that each of us has the power to make the Internet safer and more secure.

“While the speed at which technology and information move can expose us to new risks online, it also enables a level of sharing and cooperation that can make us more resilient to cyber threats,” says FBI Cyber Division Assistant Director Matt Gorham. “National Cybersecurity Awareness Month isn’t just about understanding the risks, but also emphasizing our collective power to combat them.” Continued at the FBI site:

KnowBe4 is in the trenches with you. This month of October, we are providing a brand new free interactive training module to help your users be more secure on social media.

“Risks of Social Media Sharing” is a module where they will learn:
  • How to identify security problems that can arise from social media usage
  • The potential consequences of when things do go wrong
  • Understand how to use social media safely and securely
  • Test your knowledge with a quick quiz at the end
If you are not a KnowBe4 customer yet, you can send all your users right here:

(Note: if you have a KnowBe4 Gold or higher subscription, this module is also available in the modstore and you can roll it out as a campaign.)

Here is a link to your ready-made October Awareness Training Month Resource Kit:
Find out If Your Domain Has an Evil Twin and Enter for a Chance to Win Beats Headphones

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our NEW Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now.

Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as “safe” domains for your organization.

Plus, you'll be entered to win two pairs of Beats Solo3 Wireless Headphones, one for you and one for your doppelgänger.

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a summary report that identifies the highest to lowest risk attack potentials
  • Generate a real-world “domain safety” quiz based on the results for your end users
This is a complimentary tool and will take only a few minutes.

Domain Doppelgänger helps you find the threat before it is used against you.
A Strong Organization Starts With a Strong Cyber Security Culture

Executives see a strong cyber security culture as an essential element of cyber risk management success.

(ISC)2’s study Building a Resilient Cyber Security Culture lists some of the practices and attributes essential for solid cyber security. Their key findings include:
  • Support from the board and top leaders is essential for the process to work.
  • A strong risk management policy is essential. Without strong policies and performance baselines it is impossible to establish a repeatable process.
  • Clarity about security as it applied across jobs. Clearly delineated job descriptions help impart an understanding of security to applicants and employees.
  • A focus on training and certification. It may well be that qualified, trained people promote a resilient cyber security culture, and equally that a resilient cyber security culture attracts qualified, trained people.
  • An established CISO role. Some businesses operate without a CISO but having an executive in charge of cyber security seems to be essential.
  • User security awareness training. The weakest cyber security link in the average business is the user. Educated users are critical in creating cyber security best practices.
  • Long-tenured security teams. With headhunters on the prowl and job offers always on the table as the result of skill shortage, keeping quality people can be a challenge, but the people carry the culture.
We've often noted that organizations with a strong security culture own the challenge of security. Such organizations build, sustain, and reinforce their security culture through tailored, interactive training. Security Boulevard has the story:
Live Webinar: Cryptomining, a New Major Headache With Hidden Risks

Cryptomining infections are growing exponentially this year. Bad guys are hijacking your network processing power and steal your workstation and server resources. They are using various malware families trying to stay under your radar.

Trying to maximize their criminal profits, they now infiltrate your network and use malicious code to determine the most lucrative attack–cryptomining or ransomware–making these attacks more dangerous than ever. To add insult to injury, they often leave whole libraries of hacking tools and backdoors behind.

Join Erich Kron, KnowBe4's Security Awareness Advocate, and learn more about the combined Ransomware / Cryptomining threat along with real-world examples of how criminals attack your users and network through innovative and devious tactics.

You’ll learn about:
  • Cryptomining and what the real danger is to you
  • The combined cryptomining/ransomware threat
  • How this type of malware spreads
  • What you can do to protect your network
Date/Time: Tuesday, October 16, 2018, at 2:00 P.M. (ET)
Save My Spot!
KCM Live Demo: "See how you can get audits done in half the time at half the cost"

Are regular audits and compliance-related busy work taking up too much of your time? Join us, Wednesday, October 10th at 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's Compliance Manager to see how you can simplify the complexity of getting compliant and ease your burden of staying compliant year-round.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Ability to build your own templates using our simple custom template feature.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Save My Spot!
CNBC Covers 2FA Hacking - Featuring KnowBe4 Nationwide

CNBC's Nationwide Nightly Business Report explained the LinkedIn 2FA hack and showed how Kevin's recent exploit worked. Also, CNBC’s weekend show, On The Money, which airs on CNBC and 200 affiliates is planning on running the segment at a later date.

The show has been posted to NBR’s site, and the topic about 2FA comes on around 21:40. You will see both me and Kevin Mitnick in this segment:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The future belongs to those who believe in the beauty of their dreams."
- Eleanor Roosevelt - First Lady (1884 - 1962)

"My interest is in the future because I am going to spend the rest of my life there." - Anonymous

Thanks for reading CyberheistNews
Security News
KnowBe4's Free Phish Alert Button Now Works With Outlook Mobile!

Do your users know what to do when they receive a suspicious email?

Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

KnowBe4’s Phish Alert button now also works with Outlook Mobile for iOS and Android. This enables your users to report suspicious emails from not only their computer but from their mobile inbox as well.

The Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click!

Best of all, there is no charge!
  • Reinforces your organization's security culture
  • Incident Response gets early phishing alerts from users, creating a network of “sensors”
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)
This is a great way to better manage the ongoing problem of social engineering. Compliments of KnowBe4. Get yours here:

And some other news you want to know about is the release of our AI-driven Virtual Risk Officer combined with Machine Learning Advanced Reporting:

Last but not least, the new features and training content in the KnowBe4 platform for September!
Credential-Phishing Attempts Highest on Tuesdays

Credential phishing campaigns, in which high-profile individuals are unwittingly falling victim to malicious actors who are looking to gain access into business systems, have proven to be a successful attack vector. According to a new Menlo Security report, Understanding a Growing Threat: Credential Phishing, credential phishing is a quickly growing cyber-attack and is increasingly becoming the preferred entry point for most attackers.

Bad actors try to steal user credentials by tricking them into using their login information on fraudulent sites. By either hijacking an existing login page or creating a highly sophisticated login website that closely resembles an authentic site, attackers easily gain access to the network.

The most common targets are public agencies and political organizations, and the attacks are often sponsored by nation-state groups, advanced persistent threat (APT) cyber-criminals or hacktivists, according to the report.

“Attackers know very well how to manipulate human nature and emotions to steal or infiltrate what they want. They use email messages that induce fear, a sense of urgency, curiosity, reward and validation, an emotionally charged response by their victims or simply something that is entertaining and a distraction to convince, cajole or concern even seasoned users into opening a phishing email,” the report said.

The research found that the most popular phishing lures across Menlo Security’s customer base were associated with OneDrive, LinkedIn and Office 365 logins. Attackers intentionally leverage these work productivity tools because people rely on them to conduct day to day business exchanges.

Apparently, hackers enjoy long weekends, as Friday was reportedly the least popular day for attackers, with only 0.8% of phishing emails being sent out before the weekend. Campaigns start to pick up on Mondays, with 11.3% of URLs distributed. After easing into the week, email disbursements increased to 39.8% on Tuesday.

Interestingly, the attack setup and the percentage of phishing URLs sent on different days of the week remained the same across every industry.

Gaining access to corporate networks is only the beginning of a much larger and more destructive attack, and the report found that credential phishing is so effective that threat actors are able to evade generic threat intelligence solutions. Story continued at:
Massive Phishing Campaign Targets Chrome Extension Developers

A large-scale phishing operation last week attempted to steal login credentials from developers of Google Chrome extensions. Several of the targeted developers told ZDNet that the attackers sent emails posing as a Google employee on the Chrome Web Store Team.

The emails asked developers to fill out a Google Form with their postal addresses or face having their accounts suspended. The link contained in the email redirected the victim to an identical spoofed version of Google’s account login page, where they would be prompted to enter their credentials.

This phishing campaign mirrors another that took place last summer, in which attackers gained access to developers’ Google accounts and used them to insert adware into legitimate Chrome extensions. Last week’s campaign probably had a similar goal, and Chrome users should be on the lookout for any abnormal activity as they browse the web in the weeks to come.

Due to the widespread nature of this operation, it’s very likely that some extension developers were compromised. It should be noted that Google does not use Google Forms to manage account settings, and any developers who have recently filled out such a form should immediately change their passwords and inspect their extensions for any altered code.

Additionally, users should always hover over hyperlinks before clicking them. In this case, the attackers used a very suspicious-looking URL which might have alerted victims to the fact that they were not being taken to a Google Form. New-school, interactive security awareness training can give users the skills and knowledge required to detect these threats. ZDNet has the story:
Getting Them to Bite Is All in the Bait

Phishing scams arrive via email every day. Phishing emails are getting harder to detect because the bait is being carefully crafted and is more appealing to targets. Their success lies in getting a bite on the bait.

Here are some notes on the kinds of phishbait people are seeing. The recent trend is all about plausible, routine matters that have a degree of urgency about them.

After scanning thousands of phishing emails over the past 18 months, Webroot found that subject lines focused on urgency. What's represented as urgent is of secondary importance. Gary Hayslip, Webroot's CISO, noted that employees are “quick to open malicious emails, even when they should be on the alert.”

People want to help, and they are curious. These qualities make phishing attacks successful. Regardless of technology in place, phishing emails make their way into email boxes.

Attackers want victims to feel urgency with an "act-now" come-on. "Invoice" is a good one for financial phishing. "Action required" is often seen concerning services: no one wants to see an interruption of a subscription, a business tool, or even cable service because the provider didn't receive the information they needed.

Or perhaps someone expects a delivery from Amazon or another shipper, and impatiently clicks a link for what they think will be the latest status. Here's one interesting note: spearphishing of executives is showing better grammar and usage than one sees in the usual mass-market spam.

Training and awareness are at the root of preventing successful phishing attempts. Train your employees to be aware. DarkReading has the story:
What KnowBe4 Customers Say

"Hello Stu, WE LOVE IT! We just recently had everyone go through the training and it was very well received with good feedback. This week we launched a level 1 phishing test and the vast majority of people have called my office to see if we actually sent an email or if it was a scam. Many of them quoting their training as helping to identify the problems with the email they received.

"This has been a real blessing in helping to get our staff up to speed on the general awareness of their actions and our security risks. I also noticed that there is FERPA and Harassment training that other departments are interested as well. We very much appreciate all your institution does for us. Thank you so much! :-)"
- O.A., Technical Services Supervisor

"Hi Stu, as I told Angela… I LOVE this product! It’s priced right, intuitively laid out and our team has been able to gain efficiencies because of it. I can’t think of a single product in the last five years that has genuinely left me with the feeling of “customer delight”.

"Looking forward to how you will make this product even better in the future! If you send out t-shirts to customers or do that kind of thing, I’ll be proud to wear some KnowBe4 garb when I attend the CSA conference in December. Thanks for taking the time to reach out."
- C.E., Security Engineer, CISSP

PS, If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
The 10 Interesting News Items This Week
    1. Russian hackers were caught in the act — and the results are devastating:

    2. How Russian Spies Infiltrated Hotel Wi-Fi To Hack Victims Up Close:

    3. The Big Interview - Kevin Mitnick, by InfoSec UK's Eleanor Dallaway:

    4. Phished credentials caused twice as many breaches than malware in the past year:

    5. BEC-as-a-Service: Hacked accounts available from $150:

    6. How to become a machine learning engineer - A cheat sheet:

    7. The Morning After: Did China hack Apple and Amazon?:

    8. Supply Chain Security is the Whole Enchilada, But Who's Willing to Pay for It?:

    9. Advanced Persistent Threat Activity Exploiting Managed Service Providers:

    10. 'Desperate' North Korea turns to APT hack attacks for cash:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Ransomware Has Gone Nuclear Webinar

Get the latest about social engineering

Subscribe to CyberheistNews