RSA’s Best Social Engineering News

KnowBe4 was at RSA 2019 this year with two booths, one in the North Hall and one in the South Hall. The show was humongous as usual and a torrent of news was released. I was there, and it was a challenge to filter out the items related to social engineering. Here's my best effort, but to start with, I was interviewed by DarkReading about social engineering and the most sophisticated techniques the bad guys currently use. Here is 13 minutes with yours truly:


McAfee Demonstrates DeepFake Video A Potent Social Engineering Tool

“The effectiveness of spear phishing with the scale of spear phishing.” Celeste Fralick showed a rudimentary version that she created, in which a manipulated video of CTO Steve Grobman spoke her words. 

I think you’ll find this McAfee demo interesting. But it’s 20 minutes long, so the salient points are: the 7-minute mark, introduction of Celeste Fralick; 10:43, real-world use of social exploitation; 11:55 especially, where they talk about super spear phishing. Then a real-world incident that happened in the 1980s, at 16:25. This is an interesting video, great for a break:

If you do not have the time, InfoSec magazine has a summary of it here:

[Heads up] Ransomware V2.0 Is Set to Resurge As Your Insurance Now Pays Off The Ransom

Holy Smokes! Ransomware may be poised to return as a top scourge for companies, as more and more of them pay up—it's actually their insurance company that makes the payment—after an attack in an effort to minimize the cost of recovery.

In this new RSA Conference 2019 Threatpost video, Josh Zelonis, senior analyst at Forrester Research, discusses the next great security threats to enterprises. According to Zelonis, a new trend of victims paying off the ransoms could reverse the wane in ransomware attacks that has been seen in the last year or so. Here is a snippet from the interview:

Tara Seals: "Before we kick off our video interview here, you had mentioned that you’ve been seeing a trend of companies actually paying the ransomware when they get hit by an attack. So, I thought that could be a really interesting place to start our conversation if you wanted to tell me a little bit about what you’re seeing there."

Josh Zelonis: "Yeah absolutely. So one of the trends that I’ve been hearing about more and more is that insurance companies are actually starting to pay the ransoms because it’s costing them less than going and doing the remediation, going back to backups, which may or may not even exist. And so a lot of the time the incident response companies are being brought in to broker the transaction with the adversaries themselves in order to ensure that the payment is made and recovery is possible.

"Now part of the problem, as you might imagine, is that this creates a market where it becomes more and more profitable to use ransomware as a method of attack against an organization. Primarily the reason why this is such a challenge is that we’ve been seeing ransomware [volume] tapering off in the last number of years, and now that it seems that we’re starting to create a market, I expect that we’ll see that turn around and start increasing again." Yikes. Here is the whole interview.

Google: Phishing Attacks That Can Beat Two-Factor Are on the Rise

Don't expect two-factor authentication to always protect your accounts. Google has noticed an unsettling increase in phishing attacks that can defeat the security setup.

Hackers have been refining their email phishing schemes to also nab the one-time passcode from two-factor authentication security setups, Google warned at RSA. "We've seen a big rise in the number of phishable 2FA attacks," Nicolas Lidzborski, a security engineering lead for Gmail, said during a talk at RSA.

Looks like you knew this was the case. Roger A. Grimes, KnowBe4's very own Data-Driven Defense Evangelist, presented his "12 Ways to Hack 2FA" at RSA and noted: "Good crowd, room held 500 but it was full, a second room they opened up got full and there was a line around the far corner. RSA under-estimated how many people our talk would draw." See the item below. More:

12 Ways to Hack 2FA

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, Inc., had already figured out what Google warns against. His presentation at RSA was "12 Ways to Hack 2FA".

Passwords are finally being left behind in favor of two-factor (2FA) and multifactor (MFA) authentication. Some vendors are promoting “unhackable” 5FA solutions. It’s all a lie. All authentication solutions can be hacked. Come learn at least 12 ways 2FA can be hacked, how 2FA really works behind the scenes, what the holes are, how to hack it and how you can defend against those attacks. Here are the slides:

BEC Scammer Gang Takes Aim at Boy Scouts, Other Nonprofits

Agari reported on an exhaustive study of a Nigeria-based BEC scammer ring dubbed “Scarlet Widow”, which has recently targeted nonprofits, K-12 schools and universities, showing considerable deftness in business email compromise (BEC) attacks over the past few months.

These are no longer Nigerian Prince spam scams. They are highly sophisticated and highly effective BEC scams that have snagged thousands of nonprofits, schools and universities. Based in Nigeria, the gang dubbed “Scarlet Widow” has hit many targets (over 70% in the US), including the Salvation Army and the Boy Scouts of America. According to the report, they have more recently shifted away from getting payment by wire to a scheme of getting victims to purchase gift cards (iTunes or Google Play) and laundering the funds into bitcoin. You can get the rest of the story here from Threatpost.

Cryptography Panel

The much-publicized Cryptographers’ Panel caused a stir, as one of the founders of RSA (the “S” in RSA), Adi Shamir, was unable to get a visa from the US to attend, so he appeared via a prerecorded video. It is still not known whether the failure to get a visa was due to the recent government shutdown.

However, the panel discussion took a small diversion into social engineering. “According to Tony Kontzer of Security Boulevard, panelist Paula Januszkiewicz, CEO of cybersecurity consultancy CQURE, shared a social engineering experiment she conducted that illustrates just how much more of a piece of the security puzzle humans are than they were once thought to be.

“As the story went, Januszkiewicz got on a secure elevator in an office building with a man who used a keycard to get on, and she was not questioned at all. Once on the elevator, she commented to the man, whom she had never met, that it was nice to see him again.

As they walked off the elevator on the 6th floor, he said it was nice to see her again, and the two of them then walked into a gathering in which she was clearly an outsider, but no one said anything. She could have easily walked around the office, writing down personal details, copying any exposed passwords and generally obtaining information any hacker would be happy to have.

Januszkiewicz told the RSA Conference audience that she’d been conducting these types of experiments frequently, and she’d only been caught or stopped once. She shares these stories with clients so that they’re clear on just how vulnerable they are, how easily the physical can impact the digital, and how little they can do about it.

“The moral of the story is that despite all the technology and processes, security is often about people, and people open up vulnerabilities,” she said.

The following day, during a keynote panel on the weaponization of the Internet, the conversation shifted to a different kind of social engineering, the kind that involves social media-based manipulation.” Read more here.

Ransomware: The Rise, Death, and Resurrection of Digital Extortion 

McAfee noted that ransomware volume has declined, but it’s evolving. The concept of ransomware is changing and getting more sophisticated, as exemplified by SamSam and Ryuk, and this demonstrates the need for a different response. It seems the bad guys will always find an entry vector to get past security and into an organization's files and servers.

For example, hospitals, which might never before have considered themselves a target, much like “medics” in the field, are finding themselves squarely in the crosshairs. Fewer people are paying the ransom. To get around that, the bad guys are much more focused on targeting victims instead of spray and pray.

Bad guys can easily buy RDP creds on the Dark Web. According to John Fokker and Raj Samani of McAfee, they found RDP access for a US international airport’s CCTV and physical security systems for sale. The cost: ten bucks, almost less than a double latte in San Francisco.

Once inside, the tactical play is to quickly grab the domain controller and the main systems and deliver the ransomware to all stations at once. RaaS (Ransomware as a Service) is growing, but the number of families is getting smaller. Bad guys are partnering! Remember GandCrab? To make a more potent weapon, they sent out an RFP for partners and started a close collaboration with NTCrypt!

McAfee also noted that it’s remarkable GandCrab was able to roll out a new version within 5 hours of the release of McAfee’s free decryptor. How many legit security development crews could work that fast? They end with a recommendation: an ounce of prevention is worth a pound of cure. Disaster recovery is a priority. Segment the network. Harden accounts with two-factor authentication. Of course, we advise you to inoculate your employees with new-school security awareness training, so they become the last line of defense: “a human firewall.”

Lazarus Research Highlights Threat from North Korea

As the nuclear talks with North Korea were winding down, the sharpshooters at the Lazarus Group from North Korea were going full steam ahead.

“Lazarus is known to throw down many false flags, and several were found in 2018 based in Namibia. However, access to the C&C server was very helpful in casting the eye toward Lazarus as the culprit.”

“Evidence from a command-and-control server has linked a massive campaign against sensitive industries and government agencies to the Lazarus Group, a North Korean state-sponsored operator, cybersecurity firm McAfee announced at the RSA Conference this week.”

The most recent attacks mainly focused on financial services, government agencies, and critical infrastructure, McAfee stated. The attackers primarily targeted Germany, Turkey, the United Kingdom and the United States. Earlier attacks had also focused on telecommunications companies and had included Israel as one of the primary targets.

In a survey of financial services CISOs, Carbon Black found that two-thirds of respondents had faced more cyberattacks in the last 12 months than the same period the prior year. While social engineering attacks remain the most common — with 79% of firms encountering highly targeted phishing attacks — 32% of firms detected attacks coming from third parties, such as suppliers and partners.

In addition, destructive attacks against financial institutions — a hallmark of many North Korean operations — have become more common, with a quarter of all attacks having a component that destroys or encrypts data. Read the full story at Dark Reading.

Humans Are Key to Improving Cyber-Security, IBM Stresses

SAN FRANCISCO—Some people see humans as the weak link in cyber-security; others see humans as the strongest link. Mary O'Brien, general manager of IBM Security, however, sees humans as both, sitting at the core of what is needed to enable improved cyber-security outcomes.

O'Brien is delivering a keynote at RSA Conference 2019 here today along with Caleb Barlow, vice president, IBM Security, X-Force Threat Intelligence, on how organizations can change their approach to improve cyber-security. A primary element of how that change can happen is education. In a video interview with eWEEK, O'Brien explains what organizations can and should be doing to educate employees about cyber-security and how to reduce risk. O'Brien said there is a need for the cyber-security industry to pivot toward a very agile way of thinking.

"This is agile where we pivot the security industry to be about more than just technology and to be about more than just creating the next tool for the next technical problem," she said.


O'Brien wants organizations to embrace diversity of thought and collaboration to enable staff to feel empowered. She also emphasized the need to infuse security into people, process and technology. Cyber-security awareness should be pervasive throughout an organization, starting from the person at the reception desk, who needs to understand what the risk is of someone getting past them who should not have access to the company.

"Security isn't just the purview of the security team," she said.

One common theme that emerges from technical experts is a need to have security by default integrated into technology. While the idea of having security by default is a good one for process, when the human element is added in, there is added complexity.  

"The randomness of human interaction is where security by default would break down," O'Brien said.

According to O'Brien, the answer to reducing risk is improving education, which can be done in a number of ways. IBM Security runs what are known as cyber-ranges where in-depth exercises, education and training are offered. She said that proper education helps organizations really consider the security of their entire environment.

"You can actually, through continuous education, push the boundary of your security program right out to the periphery of your organization, so that everyone understands they have a part to play," O'Brien said.

The Human Link

O'Brien said security programs will always involve technology, but it's important for organizations to be prepared for adversaries that will look for ways to bypass security technology.

The weak link could be a technical weak link, it could be a person using the technology, or it could be somewhere surrounding the enterprise where the technology is running. In any of those scenarios, she emphasized that humans are a critical link to improving security.

Watch the full video and story with Mary O'Brien at eWEEK.

You can sign up and watch many of the videos at RSA for free here:

Here are a few other RSA 'Interesting News' Items:
