CyberheistNews Vol 9 #31 Louisiana Declares Cybersecurity State of Emergency






A series of ransomware attacks on school district systems leads the governor to declare the state's first cybersecurity state of emergency.

Louisiana is no stranger to declarations of emergency, but it never had one for a cybersecurity emergency — until this week. A series of attacks on school districts around the state led Governor John Bel Edwards to issue the declaration that brings new resources and statewide coordination to what had been a collection of local cybersecurity events.

By issuing the formal declaration, the governor allows statewide resources from the Louisiana National Guard, Louisiana State Police, Louisiana Office of Technology Services, and Louisiana State University, led by the state Office of Homeland Security and Emergency Preparedness, to be brought to bear on defense, analysis, and remediation efforts. These state resources will join federal resources that have already been briefed, as well as local cybersecurity teams, to address the attacks.

This is not the first time a state emergency declaration has been issued for cyberattacks; in 2016, Colorado governor John Hickenlooper declared a state of emergency due to attacks on that state's department of transportation. For more, continue here at StateScoop:
https://statescoop.com/louisiana-declares-emergency-over-cyberattacks-targeting-schools/
Going to Black Hat in Las Vegas Next Week? Get Your Free Book Signed by Kevin Mitnick!

Check out all the activities KnowBe4 will be doing at Black Hat 2019:

Get Your Free Book Signed by Kevin Mitnick: Drop by KnowBe4’s Booth #1354 to meet the ‘World’s Most Famous Hacker’ and get a signed copy of his book. Wednesday, August 7, from 5:00 to 7:00 pm at Booth #1354.

Enter to Win a YETI Tundra Cooler & Tumbler Set: Watch a demo of how to train and phish your users with the innovative KnowBe4 Security Awareness Training platform or see how to prioritize reported emails with the PhishER platform for your chance to WIN. You can also collect your GONE PHISHIN’ hat swag!

Learn How to Leverage Social Dynamics to Drive Behavior and Shape Culture: Join Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer, during his session “The Art and Science of Driving Secure Behavior”, on Thursday, August 8th at 3:40 pm in Business Hall Theater B. We will unveil some exciting new behavior models that will help you stop the bad guys in their tracks:
https://www.blackhat.com/us-19/sponsored-sessions/schedule/#the-art-and-science-of-driving-secure-behaviors-17132
Q2 2019 Top-Clicked Phishing Email Subjects From KnowBe4 [INFOGRAPHIC]

KnowBe4 reports on the top-clicked phishing emails by subject lines each quarter in three different categories: subjects related to social media, general subjects, and 'In the Wild' - we get those results from the millions of users that click on our Phish Alert Button to report real phishing emails and allow our team to analyze the results.

LinkedIn Continues to Fool Users

Last quarter, more than half of all social media-related phishing emails imitated LinkedIn messages. This trend has been increasing quarter over quarter, likely because there is a perception that they would be legitimate coming from a professional network. It's a significant problem because many LinkedIn users have their accounts tied to their corporate email addresses.

Such a high percentage increases corporate risk of a phishing attack, ransomware breach or other social engineering-related threat. Social media sites in general are being used by cybercriminals as phish bait more and more each quarter. According to recent research from Vade Secure, social media phishing attacks are up by more than 70%.

Download the new InfoGraphic at the KnowBe4 blog and send it to your users:
https://blog.knowbe4.com/q2-2019-top-clicked-phishing-email-subjects-from-knowbe4-infographic
Get Your Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!

Join us, Tuesday, August 6 @ 2:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it's time for risk assessments and audits.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Tuesday, August 6 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2038743/D1D78B0E0BA43DF4A2DB1443376871F9?partnerref=CHN1
80% of Organizations Don’t Use DMARC Making Them Susceptible to Email Spoofing

DMARC’s ability to confirm a sending domain’s identity seems like a no-brainer, and yet most organizations aren’t taking advantage of this protective service to stop phishing attacks. You *do* need to configure it correctly though, and many don't.

We’ve covered Domain-based Message Authentication, Reporting and Conformance (DMARC) before on this blog – it’s a great additional layer to your inbound email security that ensures that the domain purported to be the sender is actually the sender. It’s cost-effective and can be an effective way to keep more phishing emails that use domain spoofing away from your users.

So, everyone is using it then, right?

According to the 2019 Global DMARC Adoption report from DMARC vendor 250ok, use of DMARC is dismal. Nearly 80% aren’t using DMARC, almost 12% have a none policy (which simply allows every email in, but does provide reporting on which domains were and were not authenticated), and only a combined 8.4% of organizations worldwide have some level of enforced DMARC policy in place to actively stop spoofed emails. Continued at the KnowBe4 blog:
https://blog.knowbe4.com/80-of-organizations-dont-use-dmarc-making-them-susceptible-to-email-spoofing
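To see which of the three groups above a domain falls into (no DMARC, a none policy, or an enforced policy), here is an added example that is not from KnowBe4 or the 250ok report. It parses the TXT value published at `_dmarc.<domain>` using the RFC 7489 tags `v`, `p`, `sp`, `pct` and `rua`; the domains and records are constructed samples.

```python
import re
from collections import Counter

# Constructed sample TXT values for _dmarc.<domain>; None = no record published.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "silent.example": "v=DMARC1; p=none",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:d@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:d@enforced.example",
    "broken.example": "p=reject; v=DMARC1",  # v tag is not first, so receivers ignore it
}

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; None if it is not a usable record."""
    if not txt:
        return None
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the v tag must come first and be exactly "DMARC1".
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    # Simplification in this example: a missing or unknown p makes the record unusable.
    if tags.get("p", "").lower() not in POLICIES:
        return None
    return tags


def classify(txt):
    """Return (category, notes); category is 'no-dmarc', 'none' or 'enforced'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc", ["no valid DMARC record: receivers have no policy to apply"]
    policy = tags["p"].lower()
    notes = []
    if policy == "none":
        if "rua" not in tags:
            notes.append("p=none without rua: no enforcement and no aggregate reports")
        return "none", notes
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        notes.append(f"pct={pct}: policy applies to only part of failing mail")
    if tags.get("sp", policy).lower() == "none":
        notes.append("sp=none: subdomains are not enforced")
    return "enforced", notes


def summarize(records):
    """Count domains per category, mirroring the breakdown quoted above."""
    return Counter(classify(txt)[0] for txt in records.values())


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        print(domain, *classify(txt))
    print(dict(summarize(SAMPLE_RECORDS)))
```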
[NEW] Ransomware Simulator Tool Now With Two New Ransomware Scenarios

The bad guys are continuing to evolve their approach to evading detection and deploying ransomware as evidenced by two of the most prevalent ransomware families - GandCrab and Rokku.

That’s why we’ve updated our Ransomware Simulator tool “RanSim” to include two new ransomware scenarios! These new scenarios simulate ransomware strains that operate much like GandCrab and Rokku attacks on the local machine that encrypt users’ files and demand a crypto-ransom in exchange for the keys.

Try KnowBe4’s NEW Ransomware Simulator tool and get a quick look at the effectiveness of your existing network protection against the latest threats. RanSim will simulate 15 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable to infection.

Here's how RanSim works:
  • 100% harmless simulation of real ransomware and cryptomining infection scenarios
  • Does not use any of your own files
  • Tests 16 different types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!
This is a complimentary tool and will take you 5 minutes max. RanSim may give you some insights about your endpoint security you never expected!

Download the New RanSim Now:
https://info.knowbe4.com/ransomware-simulator-tool-1
How to Get More InfoSec Budget: This Week's Documentary and Book Reviews

Last week, Netflix premiered “The Great Hack” which is based on the Cambridge Analytica scandal. They reminded us of the golden expression: “If you don't pay for the product you are the product.” The threat of more than 5,000 data points connected to each one of us is scary to say the least.

I don’t think the issue is that we didn’t know we were being tracked, but that we failed to realize the number of data points that are collected and triangulated and how that potentially can disrupt the voting process of a democracy. I watched it and it's warmly recommended.

This very technology can of course also be used—and perhaps already is—by internet criminals as a social engineering tactic. Your users need to be inoculated against this. Wired had a great piece on it:

“The film is bookended by professor David Carroll’s quest to get his own data back from Cambridge—a story WIRED told in depth—but focuses mainly on former Cambridge employee Brittany Kaiser and her abrupt and somewhat baffling decision to turn against her employer. Directors Amer and Noujaim follow her starting a few days after she quit the company in 2018.

At one point she says the systems social media enabled and Cambridge used to influence democratic elections constitute “weapons grade” technology.” Here is the Official Trailer. Send this link to the people who hold the budget strings:
https://www.youtube.com/watch?v=iX8GxLP1FHo&feature=youtu.be

InfoSec Budget Book of the Week Recommendation

And while we talk about getting more InfoSec budget, here is the Book of the Week recommendation. "The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats". Fast Company has an interview with author Richard Clarke, who served under six presidents and was appointed the U.S.’s first counterterrorism czar.

He makes a strong point for more InfoSec budget: "It’s all about money. The companies that have achieved cybersecurity have spent somewhere between 8 and 10% of their IT budget every year. And the companies that are being hacked are down at the other end of the spectrum, spending 3 or 4%. If you spend 3 or 4% of your IT budget on cybersecurity, you’re going to be hacked. You already have been, and you don’t know it. So it is about money."

He continues: "I think what’s interesting to me about ransomware is it’s picking off the low-hanging fruit. You know there’s that old joke that you don’t have to outrun the bear, you just have to, if there are three or four of you running, you just have to run faster than the other guy. Well, that’s kind of the case with ransomware. Ransomware is picking off the slow runners. Ransomware is picking off the people who are spending 3 to 4% of their IT budget on security."

Here is the interview which to some degree functions as the CliffsNotes for the book and which you should send to your C-Level execs:
https://www.fastcompany.com/90378700/richard-clarke-is-sounding-the-alarm-about-another-kind-of-9-11?

Get the book here, I am reading it myself now:
https://www.amazon.com/Fifth-Domain-Defending-Companies-Ourselves/dp/052556196X/

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"There are no constraints on the human mind, no walls around the human spirit, no barriers to our progress except those we ourselves erect." - Ronald Reagan, 40th US President (1911 - 2004)

"To bring anything into your life, imagine that it's already there."
- Richard Bach, Writer (Born 1936)



Thanks for reading CyberheistNews
Security News
Evading Email Gateways Via WeTransfer

A phishing campaign is abusing the legitimate file hosting site WeTransfer to get malicious links through email filters, according to Jake Longden at Cofense.

The attackers send real WeTransfer notifications via email, which inform recipients that someone has shared a file with them. WeTransfer notifications let users include a comment in such emails to give the link context, and attackers are using this feature to tell the victim that the file is important.

When a victim clicks the link to receive their file, they’ll be taken to a WeTransfer page that will in turn download an HTML file. Opening this file will take the victim to the phishing page, which in this case spoofs an Office 365 login page.

The important thing to note here is that the entire delivery method is legitimate, so most email filters aren’t watching out for this behavior.

“As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites,” Longden writes. “The PDC has observed this attack method to bypass multiple gateways.”

As security technologies adapt to known vectors of attack, threat actors are increasingly taking advantage of legitimate services to carry out phishing attacks. New-school security awareness training can help your employees keep up with new phishing techniques. Links at the KnowBe4 Blog:
https://blog.knowbe4.com/a-phishing-campaign-evades-email-gateways-via-wetransfer
HoneyTrap, the Oldest in the World Now as Iranian Catphish on LinkedIn

Iranian state-sponsored hackers are increasing their targeting of civilian targets amid escalating tensions between the US and Iran, according to Zak Doffman at Forbes. Doffman cites a report released by FireEye last week, which revealed that the Iran-linked threat actor APT34 is spreading malicious documents on LinkedIn to deliver three new strains of malware.

FireEye describes one case in which the attackers used a LinkedIn profile that posed as a researcher at the University of Cambridge. They used this profile to send messages concerning job opportunities to people on LinkedIn. At some point in the conversation, they would send the victim a download link for a Microsoft Excel file. This file would install a backdoor which could perform data exfiltration and arbitrary command execution on the victim’s system.

FireEye notes that social media platforms in general provide an avenue for attack that can bypass an organization’s email defenses. LinkedIn in particular is a popular target for nation-state espionage operations, and Iranian threat actors have been active on the site before. LinkedIn users tend to have a higher level of trust for unsolicited messages, and the structure of the professional networking site encourages users to connect and converse with people they don’t know personally.

Iran isn’t solely interested in espionage, however. Doffman points to a warning from CISA last month that Iranian APTs could turn their more destructive cyber capabilities toward the US.

“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money,” CISA’s statement said. “These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”

The vast majority of these attacks succeed due to a security lapse by an employee, such as falling for a phishing attack or using weak or recycled passwords. However, employees can’t be expected to follow security best practices if they don’t know what to do or which threats to watch out for.

New-school security awareness training can teach your employees how to protect themselves in an evolving threat landscape. Forbes has the story:
https://www.forbes.com/sites/zakdoffman/2019/07/22/critical-linkedin-warning-as-irans-hackers-send-fake-invites-laced-with-malware/
OSINT – a Hacker’s First Asset in Targeted Attacks

Before a cybercriminal engages in a targeted attack against a particular organization or individual, they’d like to know a few things first. That’s where OSINT comes into play.

The term OSINT is short for open source intelligence – referring to any bit of information that can be gathered by attackers for free. These are normally details collected on the Internet (e.g., company and title from LinkedIn, etc.), but, technically, can include offline information. These valuable pieces of information are collected using a variety of tools and methods that, in general, do not tip off the victim of the OSINT activity in the slightest.

The goal of any targeted attack is to make it look as legitimate as possible. This involves using as many contextual cues as are available to improve the illusion of legitimacy and lower the potential victim’s defenses. While I’ve given two examples of OSINT that can easily be collected, curiosity normally drives most security professionals to wonder what other kinds of details are relatively simple to find.

The OSINT Framework is a visual map of what data can be collected and with which tools. Continued at the KnowBe4 Blog:
https://blog.knowbe4.com/osint-a-hackers-first-asset-in-targeted-attacks
What KnowBe4 Customers Say

"Stu, very happy. Thanks for checking in! A night and day better experience from previous products I've used in this space and happy to be a reference for you." - U.D., Chief Information Officer



"Hi Stu, Thanks for the note that it's not an automated email. We all get enough of those that they don't all get answers. We're planning to start the automated phishing tests today. I'm enjoying working with Ashleigh Dunham and it's great having somebody to give me a hand getting this up and running. That means that this actually all gets done correctly."
- W.D., IT Manager



"Hi Stu, I appreciate you reaching out to ask how things are going. We’ve run our baseline campaign only to find out that we really need your training material to make this an effective program. I’m currently working on trying to get approval to purchase the Platinum level of content."
- K.T., IT Infrastructure Manager



"Things are going great! This has been the smoothest roll out of any software or service I’ve been involved with. Looking back to when we had our kickoff call, my goal was to be ready to enroll users during July. Here we are in July and I have all of my users enrolled, a baseline phishing test complete, 30% of my users have completed their initial training and I have a schedule setup for regular phishing and upcoming training as well. The interface is easy to use, it seems very well thought out, and I’ve been impressed. Thank you for your help and support."
- H.J., Network Administrator
The 10 Interesting News Items This Week
    1. Infosecurity Magazine: "93% of Organizations Cite Phishing as Top Threat":
      https://www.infosecurity-magazine.com/news/93-of-organizations-cite-phishing/

    2. NSA Launches Cybersecurity Arm to Defend The U.S. From Foreign Adversaries:
      https://blog.knowbe4.com/nsa-launches-cybersecurity-arm-to-defend-the-u.s.-from-foreign-adversaries

    3. Norsk Hydro Cyber Attack Could Cost up to $75M in Damages:
      https://www.computerweekly.com/news/252467199/Norsk-Hydro-cyber-attack-could-cost-up-to-75m

    4. Fighting Deepfakes Gets Real | Forbes:
      https://fortune.com/2019/07/24/fighting-deepfakes-gets-real/

    5. Why Continuous, Long-Term Security Awareness Training Will Build Tomorrow’s Cybersecurity:
      https://techspective.net/2019/07/24/why-continuous-long-term-security-awareness-training-will-build-tomorrows-cybersecurity-champions/

    6. 66 percent of SMBs don't believe they’re vulnerable to a cyberattack:
      https://betanews.com/2019/07/25/smb-cyberattack-vulnerability/

    7. MyDoom: The 15-year-old malware that's still being used in phishing attacks in 2019:
      https://www.zdnet.com/article/mydoom-the-15-year-old-malware-thats-still-being-used-in-phishing-attacks-in-2019/

    8. Listen to this IBM Watson-driven AI chat up a frustrated telemarketer for 15 minutes:
      https://thenextweb.com/shareables/2019/07/25/listen-to-this-ai-chat-up-a-frustrated-telemarketer-for-15-minutes/

    9. It’s not just the Russians anymore as Iranians and others turn up disinformation efforts ahead of 2020 vote:
      https://www.washingtonpost.com/technology/2019/07/25/its-not-just-russians-anymore-iranians-others-turn-up-disinformation-efforts-ahead-vote/

    10. APT-doxing group exposes APT17 as Jinan bureau of China's Security Ministry:
      https://www.zdnet.com/article/apt-doxing-group-expose-apt17-as-jinan-bureau-of-chinas-security-ministry/
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.