CyberheistNews Vol 9 #3 Your Boss NEEDS to Read This WSJ Article About Our Power Grid and How the Russians Hacked it With Phishing


In a Jan 10, 2019 article, the Wall Street Journal reconstructed the worst known hack into the USA's power grid revealing attacks on hundreds of small contractors.

The title is very apt: "America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It".

It's so relevant because it describes a very effective supply-chain attack that could happen to your own organization as well. The article focuses on the spear phishing and watering hole attacks that compromised small contractors, giving the attackers a foothold from which to hack further up the power grid chain. Remember the Target hack?

The Wall Street Journal pieced together this account of how the attack unfolded through documents, computer records and interviews with people at the affected companies, current and former government officials and security-industry investigators. Some experts believe two dozen or more utilities ultimately were breached.

It's a must-read because this is the No.1 vulnerability that leads to the dreaded data breach. If I were you I would sit down with your management team and do the following exercise:
  • Identify the top 5 suppliers that would cause downtime or serious disruption of your production if they were to get hacked or were off the air
  • Find out if they only require once-a-year awareness training just to be compliant
  • To keep their business as your supplier, require them to sign up with KnowBe4, and deliver you the evidence that their users have stepped through the 45-minute module and get sent simulated phishing attacks once a month. As you see, I'm dead serious here.
This excellent WSJ reporting demonstrates again that your own employees need to be the strongest human firewall possible, and that your suppliers also need to be part of that same defense-in-depth strategy.

Here is the link to that article, so you can cut & paste it. This may be the most important article related to InfoSec your C-levels read this year. Make sure they do:

This is also available as a separate blog post with links:

Let's stay safe out there.
Scam of the Week: "When Users Add Their Names to a Wall of Shame"

Eric Howes, KnowBe4 Principal Lab Researcher, found out about another insidious bad guy trick: "If you work in IT there has undoubtedly come a dark moment when you wondered to yourself just who among your employee users would be gullible enough to click through a phishing email and potentially bring down your organization.

There are ways to find out. One way is to sign up for a free Phishing Security Test, run a simulated phishing campaign against your own users, and see who clicks.

There is another way, of course. You can wait for gullible users in your organization to out themselves when they add their names to a virtual "wall of shame." And it might happen sooner than you think, because the bad guys are now running phishing campaigns that afford your users the opportunity to do just that. Here's the setup.

Full story and ready-to-send cut & paste blurb for your users at the KnowBe4 blog:
NEW Tool: Find out Which Users in Your Organization Are Putting You at Risk... Before the Bad Guys Do

The bad guys are constantly coming out with new ways to hack into your network and steal your organization’s confidential information. Verizon's recent Data Breach Report showed that 81% of hacking-related breaches used either stolen or weak passwords. And, a new survey from Dark Reading shows 44% of organizations say users pose the greatest threat to data security!

Find out if your users are putting a big target on your organization’s back.

KnowBe4’s Password Exposure Test (PET) is a new and complimentary IT security tool that allows you to run an in-depth analysis of your organization’s hidden exposure risk associated with your users.

PET makes it easy for you to identify users with exposed emails publicly available on the web, and checks your Active Directory to see if they are using weak or compromised passwords that are part of a known data breach. PET then reports on any user accounts affected so you can take action immediately!

With Password Exposure Test you can:
  • Search and identify any of your users with exposed emails, account information, or passwords available on the web
  • Quickly isolate password security vulnerabilities and easily identify high-risk passwords being re-used within your organization
  • Generate a detailed report on user accounts affected. You can download the summary report as a PDF or Excel file directly within the tool
Password Exposure Test can help you identify which users may be putting your organization at risk before the bad guys do. Get your results in a few minutes!

Find out your Password Exposure Risk now. There is no charge:
It Only Takes 1 Click: “Unremarkable” Phishing Attack Results in European Diplomatic Data Breach

A three-year-long cyber-attack led to the successful breach of all communications between all EU member states, putting countries and their futures at risk.

The EU’s diplomatic network is a secure means by which member states can exchange some of the world’s most sensitive information – literally having impacts on a geopolitical scale. A report by antiphishing vendor Area 1 Security highlights the attack targeting this network, attributing it to the Strategic Support Force (SSF) of the People’s Liberation Army (PLA) of China.

The SSF focused its efforts on the weakest link in the chain – in this case, the Ministry of Foreign Affairs for Cyprus. Through what Area 1 refers to as “technically unremarkable” attack techniques, a simple phishing scam was all that was needed to compromise the network, giving China access to details that can be used to expose, embarrass, or take advantage of the member states.

This is one of those stories you can’t help but shake your head at. With the criticality of the data and the secrecy required around its communication, one would think every point of access within this diplomatic network would have more than appropriate security measures in place.

A focus on training employees (via security awareness training) to be on the lookout for phishing emails, social engineering tactics, and suspicious links or attachments is all that was needed to thwart this kind of data breach. Details:
[NEW PRODUCT] You'll Want to See This Brand-New Phishing Threat Response Product PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a new product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us, Wednesday, January 23, at 2:00 pm (ET), for a live 30-minute demonstration of the new PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team.

Date/Time: Wednesday, January 23, at 2:00pm (ET)
[Heads-Up] Data Breach Guaranteed: Ransomware and File Thief Combined in Nasty Hybrid Malware

A new malware attack has been detected in the wild. This nasty combines two known pieces of malware: the Vidar data harvesting malware followed by GandCrab ransomware.

Vidar exfiltrates a wide variety of data, including passwords, documents, screenshots, stored 2FA information, and cryptocurrency wallets, and sends that to its C&C server. Next, GandCrab encrypts the infected system and displays a ransom demand. This demonic duo adds insult to injury.

Following the trails of a malvertising campaign targeting users of torrent trackers and video streaming websites, malware researchers found that Fallout Exploit Kit was used to spread a relatively new infostealer called Vidar, which doubled as a downloader for GandCrab.

Running an infostealer before deploying the ransomware ensures some money for the adversary even if the victim does not pay the ransom. Even if the cybercriminals do not use the stolen data themselves, they can sell it on underground forums. Here is a diagram of how this was put together:
Live Demo: KCM GRC - Get Your Audits Done in Half the Time

KCM GRC simplifies the challenges of managing your compliance, risk, and audit projects enabling you to efficiently manage GRC initiatives, and understand at a glance what items need to be addressed.

Join us today at 1:00 PM (ET), for a 30-minute live product demonstration of the new KCM GRC platform from KnowBe4. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it’s time for risk assessments and audits.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • NEW Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TODAY, January 15th at 1:00 pm (ET)
Ohio’s New Data Security Law Seeks to Minimize the Risk of Data Breach Impacting Insurers and Their Customers

Following in the footsteps of North Carolina, the new Ohio law looks to regulate the cybersecurity practices, reporting, and notifications of its insurance industry.

Modeled after the NAIC Insurance Data Security Model Law, MDL-668, Ohio lawmakers are looking for ways to protect both Ohio businesses in the insurance sector, as well as the customer data they use.

Every business is susceptible to cyber attack, phishing, social engineering scams, and fraud – and that includes insurers. This is the position taken by the Ohio legislature, who have unanimously passed a bill that will put additional burden on insurers and those businesses that maintain, process, or store nonpublic data owned by the insurer.

It’s no surprise to see legislation like this (and expect to see more of it) in the wake of data breaches like Marriott’s in 2018 exposing the personal data of over 500 million customers. Lawmakers are realizing that companies holding a material amount of nonpublic information about their customers are responsible to ensure the security of that data.

The new law requires insurers to put measures in place that include:
  • An information security program
  • Risk assessment and management
  • Board of directors' oversight
  • Third-party service provider due diligence and monitoring
  • Notice and investigation of cybersecurity events
  • Annual certification to the Superintendent of Insurance
Continued at:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: I'm super excited about the PhishER release. It's a brand-new KnowBe4 product that helps your team prioritize and manage potentially malicious messages reported by your users. Identify and respond to email threats fast. This is a huge time-saver. Scroll down and see the live threat map that shows employees reporting suspicious emails with the Phish Alert Button:
Quotes of the Week
"Life is a tragedy, if we consider it close. And a comedy, if you look at it from far away."
- Charlie Chaplin - Actor, Filmmaker (1889 - 1977)

"Life is really simple, but we insist on making it complicated."
- Confucius - Philosopher (551 - 479 BC)

Thanks for reading CyberheistNews
Security News
Email Security Gap Analysis: Survey Finds Phishing Is the No. 1 Attack That Worries IT Pros Most

There are a few companies that frequently report on so-called "email security gap analysis" numbers: Mimecast, Proofpoint and Cyren. They are all IT security companies that have email filtering products, and mostly the reports they publish are about competing filtering products. They want to show these numbers are high, suggesting that their own products are better.

KnowBe4 has been reporting on these gap analyses, because they show that there's much more unwanted traffic landing in your users' inboxes than you'd like. For instance, Mimecast in December 2018 claimed the gap—meaning spam, phishing and malware making it through—was 12 percent. On December 14, Cyren claimed the miss-rate was 10.5%, and earlier in 2018, Cyren showed it was a whopping 15%.

Turns out that these numbers vary over different time periods, which of course could very well coincide with major spam campaigns starting and ending. Continued:
Finra Punishes Former Schwab Broker for Lying About Role in 800K CEO Fraud Scam

A former broker for Charles Schwab & Co. was fined 5 grand and suspended for 90 days by Finra for lying to Schwab about a CEO Fraud attack in which he wired nearly 800K to someone impersonating one of his customers.

Deming Payne, who resigned from Schwab in September 2017 after admitting that he violated firm policy regarding the documentation of outbound calls, is no longer employed in the securities industry.

The Financial Industry Regulatory Authority Inc., in its letter of acceptance, waiver and consent, said that in August 2017, Mr. Payne received requests via email from an individual posing as a customer to process eight wire transfers from the customer's account.

In total, wire transfers totaling 794,860 dollars were made in response to the imposter's requests, Finra said.

It said that Mr. Payne failed to obtain verbal verification of the instructions from the actual customer, who was unaware of the imposter's requests, even though the requests presented several red flags. OUCH. More:
Victims of SIM Swapping Are Raising Awareness

A group of people who were victims of SIM swapping attacks have launched an initiative to help other victims recover from these attacks and prevent more people from falling victim, according to Lorenzo Franceschi-Bicchierai at Motherboard.

Tech entrepreneur Robert Ross is leading the initiative, which he calls StopSIMCrime. Ross lost $1 million last year when his Coinbase and Gemini accounts were emptied by an attacker who had taken over his phone number.

SIM swapping is a form of social engineering in which an attacker collects information about a victim. The attacker will then call the victim’s cell phone carrier while impersonating the victim and request a new SIM card with the same phone number.

Ross and the others also want to pressure cell phone providers into doing more to prevent SIM swapping. “This is a major problem that’s growing fast,” Ross told Motherboard. “I really believe this is being enabled by the carriers.”

Until the companies take action to prevent these scams, people will have to rely on security best practices to stay safe. These include being careful about disclosing personal information online and using authenticator apps for two-factor authentication, rather than relying on SMS. Organizations can use new-school security awareness training to educate their employees about these practices. Motherboard has the story:
Employees Need to be Trained to Recognize Business Email Compromise

Organizations can’t assume that their employees know about common social engineering tactics, according to Steve Zurier at Dark Reading. While these attacks seem obvious to security professionals, many employees aren’t aware of basic attacks.

Zurier cites our friend Chris Hadnagy, founder and CEO of Social-Engineer Inc., and Bob Adams, a cyber resilience strategist at Mimecast, as saying that organizations need to improve employee education to defend against these threats.

Hadnagy says that many employees aren’t aware of the distinction between phishing, spear phishing, and voice phishing. He adds that organizations should have an open and understanding environment with a clear reporting process for BEC scams, so employees who have fallen victim to these scams can alert security before an attacker can cause further damage.

Hadnagy and Adams agree that organizations can use training and phishing tests to measure employees’ security education levels. Adams believes this information can be used to “identify where employees are creating the highest risk and provide them additional training.”

Hadnagy emphasizes that creating a culture of security is a continuous task, and organizations that commit to the long game will see results fairly quickly. Even employees who are more security-aware than most are still vulnerable if they don’t have well-rounded knowledge of threats. If just one employee falls victim to one type of attack, an attacker may be able to compromise an organization.

New-school security awareness training can give your employees up-to-date knowledge and real-world examples of the tools and tactics being used by attackers every day. Dark Reading has the story:
Now LIVE in the KnowBe4 Modstore: Pretexting Videos

Pretexting is a form of social engineering where the attacker lies to obtain restricted information. KnowBe4 is releasing a series of video modules where Kevin Mitnick (world's most famous hacker) and Rachel Tobac (multiple winner of the DEF CON social engineering CTF contests) role-play a social engineering attack using pretexting.

A new video module is now available called KnowBe4 Pretexting - "Tech Support" Social Engineering. This is the latest Pretexting module where Kevin and Rachel switch roles and demonstrate how social engineering can be used to get access to information that can lead to compromising your organization's network.

The first in the series is called Fake IT Attack. Here Kevin explains how he is able to steal the local password and the password for the HR system by pretending to be a member of the IT team. And more of these videos are on the way.

I want to see the ModStore!
Smishing Scam Offers Refunds From UK Stores

An SMS phishing scam is offering refunds from popular stores, according to Paul Ducklin at Naked Security. Criminals are sending text messages with links that will supposedly let their targets claim a refund of hundreds of dollars, in this case from Argos, a popular British catalogue retailer. These links contain a number of subdomains, the three leftmost of which imitate the URL of the legitimate Argos website (argos[.]

Ducklin notes that, since we read English left to right, many people will glance at the URL and assume it’s authentic. After clicking the URL, the victim is taken to a nearly identical mock-up of the real Argos mobile login page. When the victim enters their credentials, they’re taken to a second page that requests their payment information.

The only clues that the site isn’t legitimate are the lack of HTTPS and the slightly different URL. Ducklin points out, however, that it’s not hard to obtain a free HTTPS certificate anymore, so the criminals could have easily made this scam far more convincing.

People who are targeted by these scams need to have a heightened sense of awareness that makes them suspicious when they receive a text message containing a link. Attackers have a multitude of ways to induce people into clicking on these links. Naked Security has the story:
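Ducklin's point about reading a URL left to right can be made concrete with a small check. The following is an added example, not code from Naked Security or KnowBe4: it splits a URL's host into its registrable domain and the subdomain labels to the left of it, then flags hosts where a known brand name appears only in those subdomain labels. The public-suffix set, the brand list and the sample URLs (using the reserved `.example` TLD) are all constructed for illustration; a real deployment would consult the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (assumption: these are the only
# suffixes known; a real check would load the full list, e.g. via tldextract).
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "example"}

# Brands and the registrable domains they legitimately use (constructed).
KNOWN_BRANDS = {"argos": {"argos.co.uk"}}


def split_host(url):
    """Return (registrable_domain, subdomain_labels) for the host in url.

    The registrable domain is the longest matching public suffix plus the
    one label immediately to its left; everything further left is a
    subdomain that the domain owner can set to any value, including a
    string that looks like another company's URL.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i >= 1:
            return ".".join(labels[i - 1:]), labels[:i - 1]
    return host, []


def analyse(url):
    """Describe what a hurried reader sees versus what the URL really is."""
    registrable, subs = split_host(url)
    scheme = urlsplit(url).scheme.lower()
    findings = []
    for brand, legit_domains in KNOWN_BRANDS.items():
        if registrable in legit_domains:
            continue  # the brand really owns this host
        if any(brand in label for label in subs):
            findings.append(
                f"brand '{brand}' appears only in the subdomains; "
                f"the registrable domain is actually {registrable}"
            )
    if scheme != "https":
        findings.append("no HTTPS")
    return {
        "registrable_domain": registrable,
        "subdomains": subs,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample URLs: one genuine-looking, one lookalike.
    for sample in (
        "https://www.argos.co.uk/account",
        "http://argos.co.uk.refund-claim.example/login",
    ):
        print(sample, "->", analyse(sample))
```

The lookalike sample shows the pattern from the story: the three leftmost labels spell out the retailer's domain, but the registrable domain, the only part an attacker cannot fake, is something else entirely. A mail or SMS gateway can apply the same split to every link it sees and quarantine messages whose subdomains mimic a brand the organization does business with.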
Scammers Spoof Apple Support in Vishing Campaign

A phone phishing scam is targeting iPhone users by spoofing Apple’s logo, address, and customer support phone number, Brian Krebs reports. Krebs spoke with Jody Westby, CEO of Global Cyber Risk LLC, who said she’d received an automated call informing her that servers storing Apple user IDs had been compromised, and that she needed to call a 1-866 number immediately.

The caller ID associated with the call said “Apple Inc.,” and the contact card in her recent call index contained the Apple logo, Apple’s support number, and Apple’s address.

Westby knew something was wrong, so she immediately went to Apple’s website and asked customer support to give her a call. When a real Apple representative called her several minutes later and confirmed his identity by referencing her case ID number, he told her that Apple had not previously called her.

More concerning, however, is the fact that when Westby ended the call with Apple support, the phone call was indexed as the same contact that had called her earlier in the day. Krebs says that you should always obtain a company’s phone number straight from a legitimate company source, rather than relying on a number offered in an email, text, or phone call.

“If a call has you worried that there might be something wrong and you wish to call them back, don’t call the number offered to you by the caller,” he writes. “If you want to reach your bank, for example, call the number on the back of your card. If it’s another company you do business with, go to the company’s Web site and look up their main customer support number.”

Employees should be wary of unsolicited phone calls, even if they purport to come from a legitimate source. Krebs adds that the most important thing in these situations is “to just hang up the moment the caller starts asking for personal information.” Organizations can invest in new-school security awareness training to teach their employees to implement security best practices as they carry out their duties. KrebsOnSecurity has the story:
Scammers Are More Successful Than in the Past

The number of scam victims in the US is higher than in past years, data from the Better Business Bureau shows. Kevin McAllister at the Wall Street Journal writes that scammers are extremely skilled at adapting new technology to target human vulnerabilities.

The increased use of online payment methods, including cryptocurrency, has made it much easier for scammers to collect their victims’ money. McAllister references a Wall Street Journal investigation that found that out of 1,450 digital coin offerings in 2018, 271 exhibited signs of being fraudulent.

Attackers have also made use of the mobile payment app Venmo, either by hacking users’ accounts and stealing their money or by using the app to drain money from stolen credit cards.

McAllister also points to romance scams as a particularly distressing type of manipulation. If these scams aren’t identified before they take hold, they can take a heavy emotional toll on the victim. “Detecting—and ultimately avoiding—a romance scam involves the same kind of due diligence that can keep you out of trouble with cryptocurrencies or peer-to-peer mobile payments,” he writes. The Wall Street Journal has the story:
What KnowBe4 Customers Say

"Thank you very much for bringing this product to market. You have a great team supporting this wonderful idea and I’m proud to have you count my organization as one of your customers!!" Thanks,
F.S., Director of Information Technology

"Hi Stu, Loving the product and insight it has brought to our [click-happy] users! Thank you for reaching out!" Thanks,
H.J, IT Security Analyst

P.S. If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
The 10 Interesting News Items This Week
    1. Marriott Faces Massive Class-Action Lawsuit Over Hotel Reservation Data Breach:

    2. NotPetya an ‘act of war,’ cyber insurance firm taken to task for refusing to pay out:

    3. Threat of a Remote Cyberattack on Today's Aircraft Is Real:

    4. U.S. initiative warns firms of hacking by China, other countries:

    5. Forbes - "Phishing: Why We Should Teach Employees To Be Skeptics":

    6. Here's the Hacking Humans Podcast Directory. The best podcast about social engineering:

    7. National Counterintelligence And Security Center Launches Campaign To Help Private Industry Guard Against Threats From Nation State Actors:

    8. Ransomware Attack Against Hosting Provider Confirms MSPs Are Prime Targets:

    9. Why Fixing The Internet Isn’t *That* Hard:

    10. The Dark Overlord was recruiting employees and looking for attention before 9/11 data dump:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Standup Don McMillan shares his Greatest Charts. They include Nerd vs Geek, Printer Ink Price, USB Configurations, Network Security Expert Career Path, First Thing You Do When You Get Out of Bed, The Facebook Proof, Shopping With My Wife, and The Key to a Long Happy Marriage. Keep Laughing!:

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
