CyberheistNews Vol 8 #41 [Heads-Up] Add Wi-Fi Proximity to Your Cyber Attack Concern List


The latest attack from the Russian GRU involves both traditional spear phishing and Close Access attacks in an attempt to thwart an investigation of their nerve agent attack in the UK.

The nerve agent attack purportedly involved Russia’s military intelligence agency GRU wanting to dispose of a UK-based Russian spy and his daughter. The organization responsible for investigating the attack – the Organization for the Prohibition of Chemical Weapons (OPCW) – came under two attacks.

Officials say that four Russian GRU officers tried a Close Access attack – where they attempted to hack into the OPCW network through its Wi-Fi network by parking a car close to the organization’s headquarters looking for unsecured devices on the network that could be compromised to gain access.

This attack technique allows attackers to obfuscate who they are by originating the attack on the organization’s own network. When that failed, the GRU reportedly followed up with a spear phishing attack impersonating Swiss federal authorities to target OPCW employees directly in order to access OPCW computer systems.

It’s easy to dismiss stories like this, as the criminals in this case were government-sponsored attackers. You don’t think of your organization as a target for these kinds of attacks. But, it’s important to keep in mind that cybercriminals use these very same tactics.

The Close Access attack is less likely, as cybercriminals tend to want to remain in hiding, attacking from afar – but the intent to access your network to gain control over systems, applications, and data is relatively consistent across attacks.

Stopping "close access" attacks requires shoring up your Wi-Fi security, which includes requiring authentication. Protecting against spear phishing attacks involves a layered security approach that includes email scanning, endpoint-based protection, and new-school security awareness training to educate your users on common social engineering tactics and scam methods used.
A Trio of Wealthy Russians Made an Enemy of Russian President Vladimir Putin. Now They’re All Dead.

The Wall Street Journal just came out with a rather chilling tale.

"Nikolai Glushkov—found strangled to death with a dog leash in March—had been the last survivor of three men, once rich and powerful, who helped build the political system that brought Mr. Putin to the presidency. But the trio fell out of favor and fled to England. There they tried to mount opposition to their former protégé, only to see their efforts disrupted by costly litigation—and untimely deaths."

Putin is ruthless in a variety of areas, including cyber warfare. Now, let's have a fresh look at the most recent American top five national security threats, and we find cybersecurity in the second slot. I'm pretty sure the list is almost the same for every western country.

The top five areas of concern that keep senior officials awake at night fall into the categories of critical infrastructure, cybersecurity, terrorism, border security, and drones. China, Iran, North Korea, and Russia are the countries with both the intent and capability to attack the U.S. in cyberspace.

Now, exactly where are we most vulnerable, which verticals are looked at as soft targets? There is a new FICO benchmark that may shed some light on this.

Adam Janofsky at the WSJ mentioned in their cybersecurity newsletter: "Corporate cybersecurity teams have few ways to measure their success and gauge how they compare to their peers." It's a new benchmark you can use to assess how you are doing. But it starts out with an unexpected not-so-pleasant surprise: Tech and Finance Industries score poorly on the new security benchmark. Full story with links at the KnowBe4 blog:
[Last Chance] Live Webinar: Cryptomining, a New Major Headache With Hidden Risks

Cryptomining infections are growing exponentially this year. Bad guys are hijacking your network processing power to steal your workstation and server resources. They are using various families of malware trying to stay under your radar.

Trying to maximize their criminal profits, they now infiltrate your network and use malicious code to determine the most lucrative attack–cryptomining or ransomware–making these attacks more dangerous than ever. To add insult to injury, they often leave whole libraries of hacking tools and backdoors behind.

Join Erich Kron CISSO, KnowBe4's Security Awareness Advocate, and learn more about the combined ransomware / cryptomining threat along with real-world examples of how criminals attack your users and network through innovative and devious tactics.

You’ll learn about:
  • Cryptomining and what the real danger is to you
  • The combined cryptomining/ransomware threat
  • How this type of malware spreads
  • What you can do to protect your network
TODAY ~ Tuesday, October 16, 2018, at 2:00 P.M. (ET)
Save My Spot!
How Bad It Can Get: "Heathrow Fined for USB Stick Data Breach"

This is astounding. The unencrypted USB found in a parking lot last year contained not only PII, but it also contained national security info related to airport security:
  • A timetable of patrols that was used to guard the site against suicide bombers and terror attacks
  • Routes and safeguards for Cabinet ministers and foreign dignitaries
  • The exact route the Queen took when using the airport and security measures used to protect her.
Several other sources I read yesterday stated there was additional security information on the USB, such as data from an ultrasonic radar that scanned the airport's perimeter gates.
Because the incident happened in October 2017, before GDPR took effect, an older data protection law was used for enforcement and to determine the fine. Don't be that guy: this type of information should never make it onto a USB stick in the first place, so lock those ports. Official story at the BBC:
Live Webinar: How to Make Your Cybersecurity Awareness Program Stick Year-Round

National Cybersecurity Awareness Month (NCSAM) is here and hopefully you've had some great events and success stories. But no matter how good it has been, a 'once-and-done' event will never create sustainable behavior change in your organization. Don't fall victim to the tendency to put all your energy, budget, and hopes into NCSAM.

In this webinar, KnowBe4's Chief Evangelist and Strategy officer, Perry Carpenter, will share practical strategies for creating awareness programs that work year-round.

You will learn:
  • The benefits and limitations of NCSAM
  • Reasons why employees make secure or insecure decisions
  • Thoughts on how marketers, public relations departments, behavior scientists, and storytellers approach motivating behavior change in others
  • How to create an impactful and sustainable security awareness training program
Date/Time: Wednesday, October 24, 2018 at 1:00 PM (ET)
Save My Spot!
Find out If Your Domain Has an Evil Twin and Enter for a Chance to Win Beats Headphones

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our NEW Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as “safe” domains for your organization.

Plus, you'll be entered to win two pairs of Beats Solo3 Wireless Headphones, one for you and one for your doppelgänger.

This is a complimentary tool and will take only a few minutes. Domain Doppelgänger helps you find the threat before it is used against you.
National Law Review: "The Importance of Cybersecurity Training"

Excellent post at the NLR. Forward this to your legal team. Here is an excerpt:

"According to Verizon’s 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches. In order for phishing or social engineering attacks to be successful, the attacker needs a target to take the bait. Your employees often are the targets, aka the fish that bite.

"Therefore, in conjunction with the implementation of IT security measures, training your employees is of paramount importance to preventing these types of cybersecurity attacks. Employers must make employees aware of the risks associated with clicking on a link in a phishing email, downloading an attachment from an unknown sender or responding to requests for credential/login information or other data.

"Employee training is one of the least expensive and most effective tools an organization can use to reduce the risk of a cyberattack. This training can be both formal and informal. Formal training would include training on your organization’s policies and procedures as well as specific incident response training.

"For informal training, organizations should consider periodic e-blasts to employees detailing current threats and simulated phishing attacks with follow-up feedback." We could not possibly agree more, and this is also powerful budget ammo. Full story, and remember to forward to Legal:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The purpose of art is washing the dust of daily life off our souls." - Pablo Picasso

"I am enough of an artist to draw freely upon my imagination." - Albert Einstein

Thanks for reading CyberheistNews
Security News
Clueless: 64% of Working Adults Don’t Know What Ransomware Is

Ransomware is one of the new scourges of the net and every IT pro is fighting to protect users from attacks. However, a new study shows that the majority of working adults don’t know what ransomware is.

Our friends at Proofpoint’s Wombat Security division have published their 2018 User Risk Report, which surveyed 6,000 working adults. The study was conducted in the US, UK, Australia, Italy, France, and Germany. Participants were tested on their knowledge of cyber-security and if they know end-user actions to protect data and systems.

A whopping 64% are still clueless

The results show 64 percent of respondents do not know what ransomware is. Participants were asked about their understanding of phishing, Wi-Fi security, social media, passwords, and more. Basic understanding of cybersecurity seems to be lacking in the working public: 32 percent said they did not completely understand what malware is.

In other areas, it was a mixed bag of results. 67 percent know about phishing and what it is, but only 33 percent of people use a password manager. Furthermore, 21 percent admit to using the same password across all their accounts.

Wireless networks are an avenue for attack, but 44 percent say they have no password protecting their home network. 66 percent did not change the default password provided by the router.

YIKES! Get those training campaigns in gear.
Companies Need to Prepare for the Aftermath of Phishing Attacks

Phishing campaigns are growing more sophisticated as industries become increasingly aware of the threat they pose. Some of these attacks are so clever and meticulously crafted that many will inevitably succeed.

But when the crooks phish, what are they phishing for? Usually credentials, of course, but why do they want them? Very often they want them for quick theft of funds, as is the case with business email compromise. But there’s actually a range of things the attackers could be after.

A researcher at Endgame, Devon Kerr, described that range in an essay posted by SecurityWeek.

Phishing is the most common delivery mechanism for malware like ransomware, cryptojackers, and keyloggers. However, attackers also use phishing to establish a foothold in a network to carry out long-term attacks. While user awareness is the best last line of defense against phishing, organizations need to be able to detect attackers after they’ve gained access to the network.

Attackers can gather a significant amount of seemingly benign information about a network even without having administrative privileges or access to more than one computer. They can learn the hostnames of other devices, which subnet they are on, which pieces of software are installed, and much more.

This information can then be used to facilitate further attacks within the network or to improve additional spear phishing attempts. Security teams should take steps to prevent this type of activity, including restricting unnecessary privileges for applications and monitoring the network for reconnaissance commands.

Defenders should also track metadata about their organization’s cloud services, since security teams often lack access to the cloud-based evidence. If an employee’s cloud application credentials are stolen, the attacker can steal sensitive information directly from the cloud, unbeknownst to defenders.

By establishing a pattern of typical user behavior from the information available to them, defenders can identify unusual logins to flag for further investigation.
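The baseline-and-flag idea in the two paragraphs above, as an added example that is not from the newsletter, Endgame or SecurityWeek: a small Python detector builds a per-user profile (countries, devices and login hours seen so far) from past sign-in events, then reports each new event that deviates from that profile. The comma-separated log format and all user names, devices and timestamps are constructed for illustration; real cloud audit logs carry the same fields under other names.

```python
"""Baseline-and-flag detection for unusual cloud logins.

Added example, not from the newsletter or from Endgame/SecurityWeek.
The log format below is constructed for illustration; real cloud audit
logs (Azure AD sign-ins, Google Workspace, Okta, ...) carry the same
fields under other names.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events: user, UTC time, source country, device id.
BASELINE_LOGS = [
    "alice,2018-10-01T08:12:00Z,US,laptop-a1",
    "alice,2018-10-02T09:05:00Z,US,laptop-a1",
    "alice,2018-10-03T17:40:00Z,US,laptop-a1",
    "alice,2018-10-04T08:55:00Z,US,phone-a2",
    "bob,2018-10-01T22:10:00Z,DE,laptop-b1",
    "bob,2018-10-02T23:30:00Z,DE,laptop-b1",
    "bob,2018-10-03T21:50:00Z,DE,laptop-b1",
]

# Constructed events to score against that baseline.
NEW_LOGS = [
    "alice,2018-10-15T09:10:00Z,US,laptop-a1",   # normal for alice
    "alice,2018-10-15T03:20:00Z,RU,unknown-x9",  # new country, new device, off hours
    "bob,2018-10-15T22:05:00Z,DE,laptop-b1",     # normal for bob
    "bob,2018-10-15T10:00:00Z,DE,laptop-b1",     # unusual hour only
    "carol,2018-10-15T12:00:00Z,US,laptop-c1",   # user with no history at all
]


def parse(line):
    """Turn one constructed log line into a dict of the fields the detector uses."""
    user, ts, country, device = line.strip().split(",")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return {"user": user, "hour": when.hour, "country": country, "device": device}


def build_baseline(lines):
    """Collect, per user, the countries, devices and login hours seen so far."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for ev in map(parse, lines):
        p = profile[ev["user"]]
        p["countries"].add(ev["country"])
        p["devices"].add(ev["device"])
        p["hours"].add(ev["hour"])
    return profile


def hour_is_unusual(hour, seen_hours, tolerance=2):
    """True if `hour` is more than `tolerance` hours (on the 24h clock) from every baseline hour."""
    return all(min(abs(hour - h), 24 - abs(hour - h)) > tolerance for h in seen_hours)


def score_event(ev, profile):
    """Return the list of reasons an event deviates from its user's baseline."""
    if ev["user"] not in profile:
        return ["no baseline for user"]
    p = profile[ev["user"]]
    reasons = []
    if ev["country"] not in p["countries"]:
        reasons.append("new country %s" % ev["country"])
    if ev["device"] not in p["devices"]:
        reasons.append("new device %s" % ev["device"])
    if hour_is_unusual(ev["hour"], p["hours"]):
        reasons.append("unusual hour %02d:00" % ev["hour"])
    return reasons


def flag_unusual_logins(baseline_lines, new_lines, min_reasons=1):
    """Return (user, reasons) for each new event with at least `min_reasons` deviations."""
    profile = build_baseline(baseline_lines)
    flagged = []
    for ev in map(parse, new_lines):
        reasons = score_event(ev, profile)
        if len(reasons) >= min_reasons:
            flagged.append((ev["user"], reasons))
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_unusual_logins(BASELINE_LOGS, NEW_LOGS):
        print(user, "->", "; ".join(reasons))
```

The `min_reasons` knob is the triage lever: at 1 the detector surfaces bob's single off-hours login and carol's first-ever sign-in alongside alice's clearly anomalous event, which is the right setting for a small team reviewing a handful of alerts; raising it to 2 keeps only events that deviate on more than one axis. A user with no baseline is deliberately reported rather than silently accepted, since a freshly created or long-dormant account is exactly the kind of login worth a second look.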

Organizations should take every measure possible to ensure that phishing attempts are thwarted, and that attackers are detected if they succeed. One small mistake or lapse in judgment by an employee can be the catalyst for a major cyberattack.

New-school awareness training can make your employees more resistant to social engineering, reducing the likelihood that they will fall for phishing attempts.

Kerr’s points are interesting and well-worth consideration. No serious observer would deny that every organization should be prepared to mitigate the effects of phishing, and use such defensive tools as are available. But in one other respect his conclusion is simply too pessimistic: he suggests that employee training can too often be an exercise in futility.

Not so, unless you take the view that training can’t go beyond half an hour of "death-by-PowerPoint" in the break room, once a year. For an organization that owns its security challenges, interactive security awareness training keeps your users on their toes with security top of mind.

SecurityWeek has the story:
Vishing Scams are Increasingly Difficult to Detect

Phone scams are becoming more convincing as attackers devise new ways to sound legitimate. KrebsOnSecurity recently spoke with several readers who'd been targeted by voice phishing, or vishing, and found that even tech-savvy people familiar with such scams often struggle to recognize them. Vishing scams take advantage of the lack of authenticating information in a phone call.

Scammers use freely-available tools to spoof the number displayed by caller ID, posing as faceless employees from institutions such as banks and government agencies. Matt Haughey, creator of the community Weblog MetaFilter and writer at Slack, told KrebsOnSecurity that he fell for a vishing scam that left him with just $300 in his account.

Haughey said he received three calls in quick succession from the number used by his credit union. When he picked up on the third call, a female voice informed him that the credit union had blocked two suspicious charges to his debit card made in Ohio. She then read him the last four digits of his card, which were correct.

When Haughey told her that he would need a new card immediately, the caller read out his entire home address. Now fairly convinced that the call was legitimate, Haughey proceeded through the card replacement process, providing the caller with the answer to his security question, his card’s CVV, and his current PIN.

Soon afterwards, he learned that his account had been nearly emptied. Fully-automated scams can also be very persuasive, according to "Jon," a KrebsOnSecurity reader with over thirty years of professional experience in cybersecurity. Jon received an automated call, supposedly from AT&T, which informed him that his account was about to be suspended for non-payment.

The recorded voice asked him to enter his security PIN to be connected to AT&T’s billing department. Jon saw through the scam because he has been a T-Mobile customer for several years, although his phone number originally belonged to AT&T. However, he says the scam sounded convincing enough that most people would have fallen for it.

Cabel Sasser, founder of a Mac and iOS software company called Panic Inc., told KrebsOnSecurity that he successfully thwarted a scammer who appeared to be calling from his bank by politely telling the caller that he would call back momentarily, and then hanging up. When he dialed in the support number on the back of his ATM card—the same number that had appeared on caller ID—Sasser was connected to a bank representative who confirmed that the previous caller had been lying.

People can only rely on their wits to recognize a phone call as suspicious. Since phone calls require a person’s immediate attention, victims are often unable to verify any information stated in a call until after they’ve hung up. Interactive awareness training is a crucial resource to provide users with the alertness and quick-thinking necessary to defend against vishing. KrebsOnSecurity has the story:

Test your users with KnowBe4's massively upgraded Vishing module!
Not Everything in the Cloud is a Silver Lining

Netskope Threat Protection recently detected a PDF decoy hosted in Google Drive. The PDF decoy impersonated a Denver Colorado law firm. The bait was hosted in Azure blob storage and had all the right credentials, making it very convincing and hard to recognize as phishing.

The PDF decoys arrive by email and are structured to appear as if they contain reliable content and come from a legitimate source. The ultimate goal of this phishing expedition is to steal Office 365 credentials. What makes this attack effective is its design: because it looks believable, it can trick even relatively observant users.

Organizations face an ongoing challenge when it comes to educating their employees to recognize legitimate AWS, Azure, and GCP storage so they can tell the difference between phishbait and legitimate sites.

Netskope offered these recommendations to minimize the effect of cloud-based phishing campaigns:
  • Always check the link domain and be able to identify commonly used object storage domains.
  • Use real-time visibility and control solutions to monitor activities across cloud accounts.
  • Get complete malware and threat detection to prevent the spreading of similar threats.
  • Systems and antivirus software should be kept up-to-date.
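Netskope's first recommendation, checking the link domain and knowing the common object-storage domains, as an added example in Python that is not code from the newsletter or from Netskope. The function resolves the real host of a URL and reports whether it is genuinely a subdomain of a known storage domain, or whether a storage domain name merely appears somewhere in the link (as a leading label of an unrelated host, in the userinfo part before an `@`, or in the path), which is the pattern a lookalike link relies on. The list of storage suffixes is a starting point, not an exhaustive inventory, and every sample URL is constructed.

```python
"""Classify a link's host against commonly used cloud object-storage domains.

Added example, not code from the newsletter or from Netskope. The list of
storage domains below is a starting point, not an exhaustive inventory; the
sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Well-known object storage hostname suffixes and the provider each belongs to.
STORAGE_SUFFIXES = {
    "blob.core.windows.net": "Azure Blob Storage",
    "s3.amazonaws.com": "Amazon S3",
    "storage.googleapis.com": "Google Cloud Storage",
    "drive.google.com": "Google Drive",
}


def _host_matches(host, suffix):
    """True when host is exactly suffix or a subdomain of it (label-aligned).

    'notblob.core.windows.net' must NOT match 'blob.core.windows.net', so the
    comparison requires a dot before the suffix rather than a bare endswith().
    """
    return host == suffix or host.endswith("." + suffix)


def classify_link(url):
    """Return a dict describing where a link really points.

    kind is one of:
      'object-storage' - the host is (a subdomain of) a known storage domain
      'lookalike'      - a storage domain name appears in the URL but is not
                         the real host (e.g. as a leading label of another
                         host, in the userinfo part before '@', or in the path)
      'other'          - nothing storage-related about the link
    """
    parts = urlsplit(url.strip())
    # urlsplit().hostname already discards userinfo and port; lower-case and
    # drop a trailing dot so 'Host.Example.' and 'host.example' compare equal.
    host = (parts.hostname or "").lower().rstrip(".")
    for suffix, provider in STORAGE_SUFFIXES.items():
        if _host_matches(host, suffix):
            return {"kind": "object-storage", "provider": provider, "host": host}
    lowered = url.lower()
    for suffix, provider in STORAGE_SUFFIXES.items():
        if suffix in lowered:
            return {"kind": "lookalike", "provider": provider, "host": host}
    return {"kind": "other", "provider": None, "host": host}


SAMPLE_LINKS = [  # constructed examples, not real phishing URLs
    "https://acmelegal.blob.core.windows.net/docs/retainer.pdf",
    "https://drive.google.com/file/d/abc123/view",
    "https://blob.core.windows.net.login-verify.example/docs/retainer.pdf",
    "https://storage.googleapis.com@login-verify.example/office365",
    "https://login-verify.example/storage.googleapis.com/office365",
    "https://www.example.com/report.pdf",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link))
```

The check answers only "where does this link actually go"; it does not say the content is benign. The Netskope case above is the reminder: the decoy really was hosted on Azure blob storage, so an `object-storage` verdict tells a user the provider is genuine while leaving the question of whether the document itself is phishbait to the other controls in the list.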
These are familiar matters, a mix of good digital hygiene and some recommendations about tools. But even the best of best practices need reinforcement if they’re to be effective. New-school, tailored, interactive training is important to building a culture of security. Netskope has the story:
What KnowBe4 Customers Say

"Stu, very happy. I am actually surprised how much value we are getting from your service. Much more than just ‘canned’ training and phishing emails that I thought I was buying. Staff has been very receptive and all feedback from them has been positive.

"The help from Jim Leuze has been fantastic. Especially getting us started and then coming back to help after our initial campaigns concluded. Nice to know I can go back to him for help. He is first rate." Thank you. - Z.S., Information Systems Administrator

"Stu, we have run a baseline phishing campaign and our initial SAT is in progress. I can’t tell you how much I appreciate the customer support we have received as well as the knowledge articles posted on your site. We are looking forward to sending out more phishing/training campaigns and have received positive feedback from our end users." - S.J., Technology and Information Services

P.S. If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
The 10 Interesting News Items This Week
    1. 48% of SMB organizations that have experienced a security incident in the last 2 years attribute the events to human error:

    2. KnowBe4 Brings Artificial Intelligence to Security Awareness Training:

    3. The Pentagon's Weapons Are 'Easily Hacked' With 'Basic Tools'. Yikes:

    4. Kevin Mitnick and Stu Sjouwerman on CNBC's National Business Report talking about MFA hacking:

    5. Data Games: Phishing as an Endless Quest for Exploitable Data:

    6. Super Micro China super spy chip super scandal: US Homeland Security, UK spies back Amazon, Apple denials:

    7. Top cybersecurity facts, figures and statistics for 2018:

    8. Brace yourself - Here are the top five national security threats to America:

    9. Security researchers find solid evidence linking Industroyer to NotPetya:

    10. The Pentagon on Friday, Oct. 12, 2018 said there has been a cyber breach of DoD travel records. Hmmm. Not a good plan to piss off a bunch of well-trained killers!
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.