CyberheistNews Vol 9 #41 [Heads up] FBI Warns About Attacks That Bypass Your Multi-Factor Authentication (MFA)


Last month, the FBI sent a special alert called a Private Industry Notification (PIN) to industry partners about the rising threat of attacks that bypass their multi-factor authentication (MFA) solutions.

"The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks," the FBI wrote in a PIN that was sent out September 17, 2019.

And they are right: at the moment there are multiple ways to bypass MFA protections, and practically all of them can be broken one way or another. The FBI alert pointed at things like SIM swapping and the use of flawed proxies, and it gave examples of recent incidents where MFA protections were bypassed and money was stolen from individuals and organizations.

MFA Is Still Effective and Recommended. Just Not A Silver Bullet.

The FBI made it very clear that its alert should be taken as a precaution, not as an attack on the effectiveness of MFA, which the agency still recommends organizations use. However, they do want you to know that there are now ways the bad guys can bypass this type of protection.

"Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks," the FBI said.

Continue reading at the blog:

NEW Tool: Can Your Organization's MFA Solution Be Hacked by the Bad Guys? Find out Now!

You already know that using multi-factor authentication (MFA) can decrease your cybersecurity risk, and certainly is a much stronger defense compared to using traditional passwords alone.

However, did you know that all multi-factor authentication (MFA) mechanisms can be hacked, and in some cases it's as simple as sending a phishing email to compromise your users' accounts? In fact, according to a Deloitte Cyber Threats report, 48% of cybersecurity breaches are NOT preventable by strong multi-factor authentication.

It’s crucial to understand the exact security risks your MFA solution has and how your users may be compromised so you can take action to mitigate those risks and educate and train your users.

Find out how best to defend against MFA hacks

KnowBe4’s new Multi-Factor Authentication Security Assessment (MASA) is the only complimentary assessment tool for IT Pros to uncover the specific attacks and risks your MFA solution may be vulnerable to. MASA helps you gauge your organization’s MFA security readiness and identifies the potential risks associated with your MFA implementation.

MASA leverages direct expertise from one of the market's leading security evangelists and InfoSec consultants: Roger Grimes, KnowBe4's data-driven defense strategist. With 30+ years of experience in computer security and MFA risk assessments, it's like having your very own expert consultant.

Here’s how MASA works:
  • You will receive a custom link to take your assessment
  • Answer a series of technology questions relevant to your MFA solution
  • Get an instant high-level snapshot of potential risks with your MFA
  • Receive your in-depth report packed with actionable insights and detailed analysis on specific MFA attacks and tips for your top defenses
Find out how hackable your MFA solution is now before the bad guys do!

Ransomware Forces 3 Hospitals to Turn Away All but the Most Critical Patients

Ars Technica ran this story 10/1/2019: "Ten hospitals—three in Alabama and seven in Australia—have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients, it was widely reported on Tuesday.

All three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network's computer system. The hospitals—DCH Regional Medical Center in Tuscaloosa, Northport Medical Center, and Fayette Medical Center—are turning away "all but the most critical new patients" at the time this post was going live. Local ambulances were being instructed to take patients to other hospitals when possible. Patients coming to DCH emergency rooms faced the possibility of being transferred to another hospital once they were stabilized.

"A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment," DCH representatives wrote in a release. "Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available." [...]

In related (sad) news, the medical facility Wood Ranch Medical had to shut down after a ransomware attack it could not recover from. With the level of automation in hospitals these days, being in a hospital that has no access to its IT systems is potentially a risky affair. Most of these organizations have a barcode for each patient that tracks progress and possible adverse medical effects.

Seven Hospitals in Australia Hit

At least seven hospitals in Australia, meanwhile, were also feeling the effects of a ransomware attack that struck on Monday. The hospitals in Gippsland and southwest Victoria said they were rescheduling some patient services as they responded to a "cyber health incident." Story (and links) continued here:

[TOMORROW] See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us tomorrow, Wednesday, October 9 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 28,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, October 9 @ 2:00 pm (ET)

Save My Spot!

"Mishperceptions": The Five Most Common Phishing Myths Busted!

By Joanna Huisman, KnowBe4's new SVP Strategic Insights & Research. "The bad guys know that the easiest way into your organization is through your employees. This is not an opinion. Of all the breaches that occurred in 2018, over 90% were the result of human error. Criminals were provided access by unsuspecting, and I would argue, under-educated, unaware employees.

Simulated phishing attacks are an important part of managing this problem, but sometimes these tests are blamed for employees feeling afraid to take any action because it might damage their career…or cause an uncomfortable conversation with their manager. Here are a few key phishing misperceptions I have been able to pull out from the thousands of organizations I have engaged with over the past 4 years. Don’t let your thinking and action be misguided by these misperceptions:"
  • Misperception 1: One phishing campaign a quarter will get the job done.
  • Misperception 2: Phishing campaigns alone can change behavior.
  • Misperception 3: If you have a low click rate, you’re covered.
  • Misperception 4: You’ll only need to run campaigns for a few months.
  • Misperception 5: Employees will only see this as punitive.
Each of the five points above comes with a thoughtful comment based on Joanna's years in the trenches as the Gartner analyst in charge of the Magic Quadrant for the awareness training space.

This is a strongly recommended blog post that will take you 4 minutes to read, and it has powerful ammo to get your awareness training program in place, funded, and/or reinforced. And it comes with a book recommendation:

[EVENT TODAY] See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!

Join us today, Tuesday, October 8 @ 2:00 pm (ET), for a 30-minute live product demonstration of the KCM GRC platform from KnowBe4. See how you can simplify the challenges of managing your compliance requirements within your organization and across third-party vendors and ease your burden when it’s time for risk assessments and audits:
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with 80+ pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TODAY Tuesday, October 8 @ 2:00 pm (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Happy National Cybersecurity Awareness Month 2019! Here are a bunch of free resources:

PPS: KnowBe4 now sponsors the CISO Minute, every Monday at 8am, presented by Theresa Payton, Former White House CIO:

Quotes of the Week
"The limits of the possible can only be defined by going beyond them into the impossible."
- Arthur C. Clarke, Science Fiction Writer

"Limitations live only in our minds. But if we use our imaginations, our possibilities become limitless."
- Jamie Paolinetti, Writer / Director

Thanks for reading CyberheistNews

Security News
Microsoft: Iranian Hackers Targeted a 2020 Presidential Campaign

The Iranian hackers also targeted current and former US government officials, journalists, and Iranians living abroad. Microsoft disclosed today that Iranian state-sponsored hackers tried to hack into email accounts belonging to current and former US government officials, and members of a 2020 US presidential campaign.

The attacks have taken place "in a 30-day period between August and September," Tom Burt, Corporate Vice President, Customer Security & Trust at Microsoft, said.

Microsoft's Threat Intelligence Center (MSTIC) linked the attacks to a group the company calls Phosphorus (other names are APT35, Charming Kitten, and the Ajax Security Team). The group has been linked to Iran's government in reports from multiple cyber-security vendors.

Burt said the group operated in different stages. It first made more than 2,700 probes to identify consumer email accounts belonging to specific Microsoft customers.

Once the group had a list of high-value targets, it went after 241 of those accounts, which, in Burt's words, "are associated with a U.S. presidential campaign, current and former US government officials, journalists covering global politics and prominent Iranians living outside Iran."

Of these, the hackers breached four.

"These four accounts were not associated with the U.S. presidential campaign or current and former U.S. government officials," Burt said. The company has notified all users about the hacks, and has helped victims secure accounts.

How the Hackers Got in

Microsoft said the Iranian hackers gained access to the four accounts by first getting access to the victim's secondary email inbox, the address registered as the secondary (recovery) email for the Microsoft account.

Hackers then reset the password for the Microsoft account, and used the reset link they received in the secondary inbox to take control of the primary Microsoft account.

This is Microsoft's second high-profile brush with Phosphorus. In March, Microsoft sued and gained control over 99 web domains the same hacker group was using for spear-phishing campaigns. The domains impersonated well-known brands, such as Microsoft, Yahoo, and others. Full article at ZDNet:

Redirection as Misdirection

A phishing campaign is using URL encoding to bypass security filters, BleepingComputer reports. URL encoding (percent-encoding) is the method used to convert non-ASCII characters in URLs into hexadecimal %XX representations so they can be sent over the Internet. For example, the “£” symbol is translated into %C2%A3, while a space is usually translated into a plus sign or %20.

This translation is usually handled automatically by the browser. In this campaign, the links in the phishing emails are Google redirect links whose query string is a long run of these encoded characters. When a user clicks the link, the browser decodes the characters back into a URL and the user ends up on a phishing site designed to steal Microsoft Office 365 credentials.

The attackers are using this technique because many email security filters won’t recognize the encoded characters as a URL. Attackers will always find a way to get past technical defenses, so users need to know how to identify phishing emails without assistance. In this case, the phishing email posed as a notification about an invoice and disguised the encoded URL with a hyperlink that said “View Invoice.”

Typos in the email could have tipped off an observant user, but any email like this should be treated with extreme skepticism. New-school security awareness training can ensure that your employees can spot the red flags and seek assistance before clicking on the link. BleepingComputer has the story:
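As an added example (not code from the BleepingComputer story or from any KnowBe4 product), the check below undoes the trick described above from the filter's side: it repeatedly percent-decodes a redirector's query string to recover the real landing host and compares it with the hosts an invoice notification should point to. The redirector host, the parameter name and the sample link are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DECODE_ROUNDS = 5  # bound on nested encodings such as %2568 -> %68 -> h


def fully_unquote(value: str) -> str:
    """Percent-decode until the string stops changing (catches double encoding)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def effective_destination(link: str) -> str:
    """Return the URL a browser would finally reach after following the wrapper.

    Any query parameter value, or the raw query string itself (a bare encoded
    URL with no key=value pair), that decodes to an absolute http(s) URL is a
    redirect target; recurse on it. Otherwise the link is its own destination.
    """
    parts = urlsplit(link)
    candidates = [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    candidates.append(parts.query)
    for candidate in candidates:
        decoded = fully_unquote(candidate)
        if decoded.lower().startswith(("http://", "https://")):
            return effective_destination(decoded)
    return link


def flag_link(link: str, visible_text: str, trusted_hosts: set) -> dict:
    """Compare the final landing host against the hosts the business expects."""
    final = effective_destination(link)
    final_host = urlsplit(final).hostname or ""
    return {
        "visible_text": visible_text,
        "wrapper_host": urlsplit(link).hostname,
        "final_host": final_host,
        "redirected": final != link,
        "suspicious": final_host not in trusted_hosts,
    }


# Constructed sample: a "View Invoice" link whose redirector query carries the
# real lookalike destination as one long percent-encoded string.
SAMPLE_LINK = (
    "https://redirector.example/url?q=https%3A%2F%2Flogin-0ffice365.example"
    "%2Fsignin%3Fuser%3Dbob%2540acme.example"
)

if __name__ == "__main__":
    print(flag_link(SAMPLE_LINK, "View Invoice", {"portal.acme.example"}))
```

A filter that decodes only once sees the wrapper host and stops; decoding to a fixed point and re-parsing is what exposes the lookalike host behind the redirect.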

Ransomware Incident to Cost Danish Company a Whopping 95 Million Dollars

Catalin Cimpanu for ZDNet's Zero Day reported: "Demant, one of the world's largest manufacturers of hearing aids, expects to incur losses of up to $95 million following what appears to be a ransomware infection that hit the company at the start of the month. This marks one of the most significant losses caused by a cyber-security incident outside of the NotPetya ransomware outbreak."

Demant's troubles began at the start of the month, on September 3, when in a short statement on its website, the company said it was shutting down its entire internal IT infrastructure following what it initially described as "a critical incident." What really happened on the company's network, we'll never know, as Demant never revealed anything except that its "IT infrastructure was hit by cyber-crime."

Per its own statements, all the company's infrastructure was impacted -- and impacted severely. This included the company's ERP system, production and distribution facilities in Poland, production and service sites in Mexico, cochlear implants production sites in France, amplifier production site in Denmark, and its entire Asia-Pacific network.

Incident Has Long-Lasting Effects on Demant's Business

But while the company's staff have been recovering IT infrastructure, the biggest losses came from the impact of not having access to these systems in the first place. The company reported "delays in the supply of products as well as an impact on our ability to receive orders." Furthermore, "in our hearing aid retail business, many clinics across our network have not been able to service end-users in a regular fashion." Full Story:

What KnowBe4 Customers Say

"Mr. Sjouwerman, Good morning. Thank you for your email. We are delighted with KnowBe4’s training and phishing services here. Jason Griffiths has been a delight to work with and I appreciate him checking in on me to make sure everything is running smoothly on my end. Thank you for creating a much needed training. Enjoy the rest of your day."
- V.V., Manager of Program Integrity & Implementation

"Hi Stu, Thank you for reaching out. So far, I'm having a great experience with KnowBe4. Zac has been very helpful in assisting me set up our training and campaigns. I deployed the first training module and included The Inside Man video series and our staff is loving it!"
- K.D., Manager, Information Systems

PS: Here are KnowBe4's Fresh Content and Feature Updates for September 2019. There is a bunch of new cool stuff:

The 10 Interesting News Items This Week
    1. This Is a BIG DEAL. 17 Cybersecurity Products the Cyber Insurance Industry Says Are Worthwhile. KnowBe4 Is Designated 2019 Cyber Catalyst℠ Solution:

    2. Is That Email Really From "The Boss"? BBB whitepaper about Business Email Compromise:

    3. 'Lost Files' Data Wiper Poses as a Windows Security Scanner:

    4. Report: Nation state hackers and cyber criminals are spoofing each other:

    5. Cyber-Attacks Hit Defense Contractors in Europe and North America:

    6. Disinformation for Hire: Russian PR Firms Co-Opt Western Media, Tech Firms:

    7. FakeUpdates hackers are back to spread ransomware:

    8. New Adwind Campaign targets US Petroleum Industry:

    9. A third of industrial plants have no response plan for cyberattacks. Yikes:

    10. Perry Carpenter's book "Transformational Security Awareness" was just reviewed as an RSA Security Book of the Month:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
