CyberheistNews Vol 9 #20 [Heads-Up] If This Is True It's A Disaster. Three Major US Antivirus Companies Breached?

CyberheistNews Vol 9 #20
[Heads-Up] If This Is True It's A Disaster. Three Major US Antivirus Companies Breached?

ARSTECHNICA is getting me worried here. We were all at KB4-CON in Orlando last week, and during the conference, word got to me that security researchers found out that high-profile hackers have breached three US AV companies and are selling the source code. The most annoying thing is that they have alerted the authorities, but no one has mentioned the actual vendors as of yet.

Advance Intelligence, LLC is the InfoSec shop that broke the news, and here is their Executive Summary:

"Fxmsp" is a high-profile Russian- and English-speaking hacking collective. They specialize in breaching highly secure protected networks to access private corporate and government information and they have a long-standing reputation for selling sensitive information from high-profile global government and corporate entities. The group was singled out in a 2018 FireEye report on Internet crime for selling access to corporate networks worldwide, including a global breach of a luxury hotel group—potentially tied to the Marriott/Starwood breach revealed last November.

In March, the group “stated they could provide exclusive information stolen from three top antivirus companies located in the United States,” AdvIntel’s researchers reported in a blog post going live today. “They confirmed that they have exclusive source code related to the companies' software development.” And the group offered privately to sell the source code and network access to all three companies for “over $300,000,” the researchers said.

AdvIntel subject matter experts assess with high confidence that Fxmsp is a credible hacking collective with a history of selling verifiable corporate breaches returning them profits close to $1,000,000 USD. AdvIntel alerted law enforcement regarding these claimed intrusions.

Yelisey Boguslavskiy, director of research at AdvIntel, told Ars that his company notified “the potential victim entities” of the breach through partner organizations; it also provided the details to US law enforcement. In March, Fxmsp offered the data “through a private conversation,” Boguslavskiy said. “However, they claimed that their proxy sellers will announce the sale on forums.”

Who Is/Are Fxmsp?

According to “ShadowRunTeam,” a high-profile Russian threat actor operating on Telegram, Fxmsp is reportedly a Moscow resident with the first name "Andrey" who started to engage in cybercrime activities in mid-2000 and specialized in social engineering.

Here is the arstechnica article which has some mitigation suggestions.

I will keep you up to date "real-time" if there are new developments through my twitter account.
Russian Cyberspies Are Using One Hell of a Clever Microsoft Exchange Backdoor

A Russian cyber-espionage group has developed and has been using one of the most complex backdoors ever spotted on an email server, according to new research published by cyber-security firm ESET.

The backdoor, named LightNeuron, was specifically designed for Microsoft Exchange email servers and works as a mail transfer agent (MTA) --an approach that no other backdoor has ever taken.

"To our knowledge, this is the first malware specifically targeting Microsoft Exchange," ESET Malware Researcher Matthieu Faou told ZDNet via email. ESET says that LightNeuron has been used for almost five years, since 2014, which again shows the tool's advanced capabilities, being able to avoid detection for so many years.

"Some other APTs use traditional backdoors to monitor mail servers' activity. However, LightNeuron is the first one to be directly integrated into the working flow of Microsoft Exchange," Faou told ZDNet.

Because of the deep level the backdoor works, LightNeuron allows hackers to have full control over everything that passes through an infected email server, having the ability to intercept, redirect, or edit the content of incoming or outgoing emails.

Clever Way of Controlling LightNeuron

According to researchers, the thing that made LightNeuron stand out, besides being the first backdoor for Microsoft Exchange servers, was its command-and-control mechanism.

Once a Microsoft Exchange server is infected and modified with the LightNeuron backdoor, hackers never connect to it directly. Instead, they send emails with PDF or JPG attachments. Using the technique of steganography, the hackers hide commands inside PDF and JPG images, which the backdoor reads and then executes.

Per ESET, LightNeuron is capable of reading and modifying any email going through the Exchange server, composing and sending new emails, and blocking a user from receiving certain emails.

Furthermore, victim organizations will have a hard time detecting any interactions between the operators and their backdoor, mainly because the commands are hidden inside PDF/JPG code and the incoming emails could be disguised as banal spam.

Because LightNeuron works at the deepest levels of a Microsoft Exchange server, removing this backdoor is quite problematic. ESET released a white paper with detailed removal instructions. Full story at ZDNet:
[Live Webinar] Stay Out of the Net: Your Ultimate Guide to Phishing Mitigation

Spear phishing emails remain the most popular attack avenue for the bad guys, yet most companies still don’t have an effective strategy to stop them. This enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more. Don’t get caught in a phishing net!

Learn how to avoid having your end users take the bait.

Join us TOMORROW, Wednesday, May 15, 2019 at 2:00 PM ET when Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will cover a number of techniques you can implement now to minimize cybersecurity risk due to phishing and social engineering attacks. We won’t just cover one angle. We’ll come at it from all angles!

Strategies include:
  • Developing a comprehensive, defense-in-depth plan
  • Technical controls all organizations should consider
  • Gotchas to watch out for with cybersecurity insurance
  • Benefits of implementing new-school security awareness training
  • Best practices for creating and implementing security policies
Date/Time: TOMORROW, Wednesday, May 15, 2019 at 2:00 PM ET

Save My Spot!
Great Budget Ammo: 60 minutes Warns Against Ransomware

We could not have said it better ourselves, but now 60 minutes has done the work for us. This is probably the best ammo you can send to your non-tech executives to explain the ransomware problem, and make sure you get sufficient InfoSec budget.

They explain the problem in detail but not too technical, and certainly highlight the risks for any organization. This is a must-see for your management team!
[LAST CHANCE] See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

Good news! We are excited to announce we have expanded our new KCM GRC product with the new Vendor Risk Management module. KCM now features four modules: Compliance, Policy, Risk, and Vendor Risk!

Join us, Today, Tuesday, May 14th at 2:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's new KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements across your organization and third-party vendors and save tons of time when it's time for risk assessments and audits.
    • [NEW] Vet, manage and monitor your third-party vendors' security risk requirements.
    • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
    • Quick implementation with pre-built requirements templates for the most widely used regulations.
    • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
    • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
    • Date/Time:
Today, Tuesday, May 14th at 2:00 PM (ET)

Save My Spot!
Half Of SMBs Will Pay the Ransom in a Ransomware Attack

Despite the ability to properly protect against ransomware attacks, the latest data from AppRiver shows SMBs simply aren’t prepared to respond, and will, instead, pay up.

Ransomware is increasing at an alarming rate and from the looks of it, SMBs simply aren’t prepared. According to AppRiver’s 2019 Cyberthreat Index for Business Survey Report, three-quarters of SMBs believe a successful attack would be harmful to their business with only 36% believing they can actually survive a successful attack without sustaining short- and long-term business losses.

And rather than prepare with a strong defense and response plan, the data shows the cybercriminals have the upper hand:
  • 55% of all SMBs state they are willing to pay a ransom to recover encrypted data or to prevent it from being shared
  • Of larger SMB’s with 150-250 employees, 74% are willing to pay ransom with 39% of larger SMBs saying they “definitely would pay ransom at almost any price”
Of the 45% of SMBs stating they are unwilling to pay ransoms, legal, healthcare, and nonprofit industries topped the list. The AppRiver data shows that, despite the availability of solutions to protect, detect, and remediate ransomware attacks, SMBs simply aren’t ready. Instead, SMBs should arm themselves with a simple, yet effective, strategy:
  • Backup – having backed up copies of any impacted data nullifies the need to pay the ransom.
  • Protect – Put email and web scanning in place, along with endpoint protection to keep malware from getting to the user.
  • Train – Educate users with Security Awareness Training to ensure that, should the user interact with malicious content in email or on the web, they are more likely to spot it and not be the next victim of a ransomware attack.
Link to research:
[NEW WEBINAR] Empowering Your Human Firewall: The Art & Science of Secure Behavior

You know that "security awareness" is key to a comprehensive security strategy. But just because someone is aware doesn't mean they care. So how can you design programs that work with, rather than against, human nature? Here's the great news. Creating a security awareness strategy that not only educates, but reinforces good behaviors can be achieved and we'll show you how.

Join us, Wednesday, May 22nd at 2:00 pm when Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4 will unpack a number of key elements from his new book Transformational Security Awareness. What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors.

Drawn from his experience as an awareness practitioner, CISO mentor, researcher, and author, Perry will dive into ideas like how to use "Trojan Horses for the Mind," how to leverage social dynamics to drive behavior and shape culture, and will unveil some exciting new behavior models that will help you stop the bad guys in their tracks.

This presentation will take a deep (and practical) dive into:
  • How to understand and design for behavioral segments
  • How to successfully debug bad behaviors
  • How to influence motivation in three different ways
  • And why it is important to live your awareness program through the eyes of your audience
Date/Time: Wednesday, May 22nd at 2:00 pm (ET)

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"My mother said to me, 'If you are a soldier, you will become a general. If you are a monk, you will become the Pope.' Instead, I was a painter, and became Picasso." - Pablo Picasso

"Never underestimate the power of dreams and the influence of the human spirit. We are all the same in this notion: The potential for greatness lives within each of us." - Wilma Rudolph

Thanks for reading CyberheistNews
Security News
Deepfake Videos – An Increasing Cyber Threat for Corporate Clients

Insurance Business Mag had an interesting take on your users being the victim of social engineering by deepfakes. Your cyber insurance policy is not likely to pay out in cases like this. Here is the article:

"Deepfakes are fake videos or audio recordings that are made to look and sound authentic with the aid of artificial intelligence (AI) technology. Deepfake technology is readily available and is rapidly improving. Pretty much anyone can create a deepfake to promote their chosen agenda, making it a dangerous tool if used maliciously.

To this point, deepfakes have been most prevalent in the realm of amateur hobbyists. One quick YouTube search will direct you towards countless spoof videos of politicians being made to say funny things. While that’s a light-hearted and common example, deepfake technology could just as easily be used to misinform the public about an event or manipulate shareholders in a corporate context.

“When hackers use AI and automation to create fake videos or recordings of people, and it looks or sounds like people are saying things that they never said – to me, that’s really frightening,” said John Farley, managing director, cyber practice group leader, Gallagher. “They could have a world leader appear to say things that could potentially start a war. They could have a CEO appear to say things about earnings that could drive a stock up or down. It’s pretty wild when you think about the kind of harm that could cause and how a hacker could financially gain from some of that.”

If a cyber criminal used deepfake technology to manipulate a corporate earnings video, which was posted publicly on YouTube, and that spoof video then led to a stock crash for the company – how would the cyber insurance market respond?

“A situation like that might not be covered because many cyber insurance policies require certain triggers before coverage kicks in,” Farley told Insurance Business. “A policy might require a network penetration or a cyberattack before it provides coverage, but, in this case, all that’s happened is a manipulation of an existing video that’s already out in the public. It’s not like the client was attacked, so the cyber insurance policy might not cover that harm or that damage.”

When it comes to deepfake videos, it’s almost impossible to take complete preventative action. What companies can do is learn about the risk and try to mitigate any damage as quickly as possible.

Farley explained: “When it does happen, people need to recognize it immediately and take that video offline as quickly as possible. I’m looking at ways to get ready for this threat and I’ve been building relationships with vendors who focus on that mitigation space. As this threat evolves, it’s crucial for all good cyber insurance brokers to think about new ways clients can be covered for the risk.”
Phishing Tactics Are Always Improving

Phishing is consistently the top infection vector for cyberattacks because it works so well, according to Gary Davis, McAfee’s Chief Consumer Security Evangelist. Davis told the Tech Nation podcast that attackers are fully aware that targeted spear phishing attacks will get them into an organization if they put in enough effort.

“They know that if they write it well enough and it looks like it’s from somebody you know and trust, that you’re gonna do the action they’re looking for, which is gonna enable them to get access to the information they’re trying to get access to,” Davis said.

He added that these attackers have more than enough incentive to constantly improve upon their techniques, since this is how they earn a profit.

“They’re in it to make money, right?” he said. “It’s a for-profit business, for lack of a better word. So, they’re always gonna be trying to figure out more effective ways to dupe people into, to either dupe people or just take advantage of people without their knowledge, and do it for as long as they can.”

Davis concluded that most people are complacent about social engineering attacks until they’re directly affected by one. It’s often difficult to take a threat seriously unless you see it in front of you.

“Nobody wants to be a victim of scam or identity theft,” Davis said. “Nobody ever wants to be a victim. We empathize with victims, ‘cause we can put ourselves in their shoes, and it, and that’s unfortunately one of the challenges in our space is, I think a lot of the reasons why people aren’t better about things like password hygiene and, you know, checking their credit history and stuff like that, is because, well, they don’t think it’s gonna happen to them, they think it’s gonna happen to somebody else.”

Organizations need to make their employees aware of the fact that they will be targeted by these attacks. New-school security awareness training can give your employees experiential knowledge of social engineering attacks before they fall victim to one. McAfee has the story:
A New Sextortion Campaign Claims to Have Your Sex Tape

Sextortion scammers are sending emails threatening to send a sex tape of the victim to the victim’s family and contacts unless they pay the scammers $1,500 in bitcoin, Larry Abrams at BleepingComputer reports. The scammer claims to have secretly recorded the video “a long, long time back.” They add that they’ll delete everything if the victim sends the bitcoins within one day. Abrams says the best approach is to simply dismiss these emails.

“While receiving one of these emails can be anxiety provoking, always remember that these are just scams and you should not believe anything they state,” he says. “Instead, just mark it as spam and delete the email.”

These scams use urgency and fear to manipulate their victims into acting irrationally. Some people might be tempted to pay the money just in case, since the scammer says they’ll be left alone if they do so. This strategy won’t actually work, however, since scammers often come back for more once they’ve identified someone who is willing to pay. New-school security awareness training can teach your employees about the tactics scammers use to get inside their victims’ heads. BleepingComputer has the story:
Old Scams Are Reborn in the Cloud

Fraudsters are increasingly utilizing legitimate services like AWS, Azure, Alibaba cloud, and Google Docs to host their scams, according to Abhinav Singh from Netskope. Singh says there are three main reasons why attackers are being drawn to cloud applications.

First, these services offer cheap and user-friendly hosting, allowing attackers to easily reconstruct their sites under a different URL if they get shut down. Netskope researchers observed tech support scam campaigns hosted on Alibaba, AWS, and Azure which quickly switch between randomly generated URLs.

Second, these links are better at getting through spam filters. Attackers can place their malicious links in Google Docs and then send out emails containing benign links to these Docs. After users open the document, they’ll be socially engineered into clicking on the malicious link from there.

Finally, most people aren’t inherently suspicious of links to cloud hosting services, since they trust the companies behind them. Singh notes that malicious Google Docs links are particularly effective against Android devices, since most Android devices have the Google Docs app pre-installed.

As a result, clicking a Google Docs link will open the file in the app, presenting the user with a “clean and seamless” user interface. “Scammers adopting cloud services was inevitable,” writes Singh. “It provides them scale, helps them avoid content filtering, and gives them a new channel where users might have their guard down.

While currently only being used for long-running scams targeting individuals, these techniques could also be used to target business who use services such as Google Drive. We should begin educating users and putting controls in place to protect ourselves against the onslaught of attackers abusing cloud services.” Netskope’s findings highlight the latest instance of attackers using legitimate services to increase the efficiency of their scams. New-school security awareness training will help your employees combat these attacks by teaching them to never click on untrusted links or attachments. Netskope has the story:
What KnowBe4 Customer Say

"I deal with companies that promise a lot and deliver little. This is not the case for your company. I know we are not a big KnowBe4 customer; however, your company treats us like we are fortune 500 company. I want to tell you we have renewed our licensing with your company. In fact, we purchased more licenses.

"Besides having a great product, John Biglin, Lead Channel Customer Success Manager is one of the key reasons why we renewed. His professionalism and knowledge of the threats should be appreciated by his supervisor and your senior management team. John and I have never met; however, when I call and ask questions, he goes the extra mile to provide outstanding service. Please tell John thanks for the support." - W.M., IS/IT Manager
The 10 Interesting News Items This Week
    1. 0365 accounts used to send millions of spams:

    2. How to make a YouTube comment bot trained by a neural net:

    3. 'Stockpile coins and banknotes': Sweden tells its citizens to squirrel away hard cash under their beds in case of a cyber attack:

    4. Protecting political campaigns from hacking. Microsoft offers protection for campaigns:

    5. A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree:

    6. SECURITY: Experts assess damage after first cyberattack on U.S. grid:

    7. Developers at Microsoft's GitHub are being held to ransom:

    8. This password-stealing malware just evolved a new tactic to remain hidden:

    9. “MegaCortex” ransomware wants to be The One:

    10. Cybercrime organizations work just like any other business: Here's what they do each day:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Free Phishing Security Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews