Egress: 73% of Orgs Were Victims of Phishing Attacks in the Last Year

A survey sponsored by Egress found that 94% of organizations suffered insider data breaches over the past year. The survey offers the following results:

  • “94% of organisations have experienced an insider data breach in the last 12 months
  • “Human error is the leading cause of serious insider data breaches, with 84% of organisations experiencing a security incident caused by a mistake
  • “However, malicious insiders are IT leaders’ biggest worry, with 28% indicating that it’s their top concern
  • “Almost three-quarters (74%) of organisations have been breached because of employees breaking security rules, and 73% have suffered serious breaches caused by phishing
  • “97% of employees say they would report a breach – which is good news for the 55% of IT leaders who rely on employees to alert them to incidents
  • “But it’s not necessarily positive when they do: 89% of incidents led to repercussions for the employees involved
  • “Over half (56%) IT leaders believe that remote/hybrid working will make it harder to prevent data breaches caused by human error or phishing
  • “By contrast, 61% of employees believe they are less, or equally as likely, to cause a breach when working from home”

Egress notes that organizations should be careful about punishing their employees for these incidents after the employees report their errors.

“The research revealed that an overwhelming 97% of employees would report an insider data breach to their employer – which is reassuring for the 55% of IT leaders who rely primarily on employees to report incidents,” Egress says. “However, when employees do speak up about breaches, it can cost them: the research found that 89% of incidents lead to repercussions for the employees involved, including informal and formal warnings, and dismissal. In addition, just 54% of employees said that they feel their organisation’s security culture trusts and empowers them, indicating that many organisations lack a security-positive culture.”

New-school security awareness training can create a culture of security within your organization by teaching your employees to follow security best practices.

READ MORE

Ransomware Extortion Attacks Continue to Rise in Frequency as Ransom Payments Decrease by 40%

Ransomware is having a very odd second quarter of the year, as new variants enter the game, governments finally take notice, and insurers tighten their underwriting requirements.

Every quarter I make certain to cover Coveware’s Quarterly Ransomware Report articles, as they provide great insight into the current state of attacks, ransoms, variants, and more. But in Coveware’s latest report, covering Q2 2021, we see a bit of a different tone.

In the report, we saw a massive downturn in the average ransom payment – just a little over $136K, down 38% from Q1 of this year. And, yet the percentage of ransomware attacks threatening to leak exfiltrated data increased by 5% this quarter, to 81%.

This is a bit counterintuitive; why would payments go down, but threats (that should yield higher payments) increase?

It may have something to do with some of the other points covered in the Coveware article:

  • 4 new ransomware variants slip into the top 10 list, pushing out old players. (When you think of ransomware as a “business”, sometimes the new players on the market will undercut their competition to establish themselves. Could that be it?)
  • REvil ransomware – which has been behind some of the most high-profile attacks last quarter – seems to have disappeared. (This could be due to the increasing involvement of governments – including our own – which are taking notice of the implications and beginning to put pressure on foreign governments to put a stop to these cybercriminal gangs.)
  • The attacks on critical infrastructure have woken up CEOs, who are now paying attention to the realities of modern ransomware attacks and their impact, and are willing to spend whatever it takes to keep from becoming a victim.

Whatever the reason for the lowered ransom payments, the Coveware data still suggests that businesses of every size continue to be under attack and should take measures to protect themselves from the three primary initial attack vectors – vulnerabilities (hint: time to get vulnerability management in high gear), remote access via RDP (shut it down and get a real remote solution), and phishing (educate your users with Security Awareness Training so they don’t fall prey to malicious email content).

READ MORE

Ransomware Attacks This Year Are Already Higher Than 2020

According to the 2021 Cyber Threat Report by SonicWall, 304.7 million ransomware attacks occurred in the first half of 2021, already surpassing the 304.6 million ransomware attacks recorded for all of 2020 (a 151% increase YTD).

The increase in ransomware attacks is due to the shift to remote work, which threat actors have taken advantage of.

In a statement, SonicWall CEO Bill Conner commented: “In a year driven by anxiety and uncertainty, cybercriminals have continued to accelerate attacks against innocent people and vulnerable institutions. This latest data shows that sophisticated threat actors are tirelessly adapting their tactics and embracing ransomware to reap financial gain and sow discord.”

Ransomware volume spiked by 185% in the US and 144% in the UK. The industries most targeted were government (917%), education (615%), healthcare (594%), and retail (264%). June 2021 was the worst month, with SonicWall recording 78.4 million ransomware attacks.

These alarming stats should be a warning for your organization. One malicious email could cost your organization millions. It’s important to utilize additional security layers to prevent an attack from ever occurring. The most recommended method is implementing new-school security awareness training to ensure your employees know how to spot and report any suspicious activity.

READ MORE

Cybercriminals Are Growing More Organized

The cybercriminal underground is becoming increasingly organized, according to researchers at HP. The criminal underground functions like a regular economy, with people selling goods and services such as phishing kits, malware, and access to compromised networks. As a result, the bar of entry is lower since unskilled criminals can buy the things that previously prevented them from engaging in cybercrime.

HP’s report shared the following findings:

  • “75% of malware detected was delivered via email, while web downloads were responsible for the remaining 25%. Threats downloaded using web browsers rose by 24%, partially driven by users downloading hacking tools and cryptocurrency mining software.
  • “The most common email phishing lures were invoices and business transactions (49%), while 15% were replies to intercepted email threads. Phishing lures mentioning COVID-19 made up less than 1%, dropping by 77% from H2 2020 to H1 2021.
  • “The most common type of malicious attachments were archive files (29%), spreadsheets (23%), documents (19%), and executable files (19%). Unusual archive file types – such as JAR (Java Archive files) – are being used to avoid detection and scanning tools, and install malware that’s easily obtained in underground marketplaces.
  • “The report found 34% of malware captured was previously unknown, a 4% drop from H2 2020.
  • “A 24% increase in malware that exploits CVE-2017-11882, a memory corruption vulnerability commonly used to exploit Microsoft Office or Microsoft WordPad and carry out fileless attacks.”

The researchers also observed a “résumé-themed malicious spam campaign targeted shipping, maritime, logistics and related companies in seven countries (Chile, Japan, UK, Pakistan, US, Italy and the Philippines), exploiting a Microsoft Office vulnerability to deploy the commercially-available Remcos RAT and gain backdoor access to infected computers.”

Alex Holland, a Senior Malware Analyst at HP, stated that criminals continue to rely on phishing to gain initial access because it works so well.

“Cybercriminals are bypassing detection tools with ease by simply tweaking their techniques,” Holland said. “We saw a surge in malware distributed via uncommon file types like JAR files – likely used to reduce the chances of being detected by anti-malware scanners. The same old phishing tricks are reeling in victims, with transaction-themed lures convincing users to click on malicious attachments, links, and web pages.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to spot phishing attacks that slip past your technical defenses.

READ MORE

Ransomware Attacks Put Singapore Organizations at Risk of Violation of the Personal Data Protection Act

A new court decision sets a precedent for all Singapore organizations: ransomware attacks – even without data exfiltration – may be subject to financial noncompliance penalties.

The interesting thing about court decisions is how they provide some valuable context for the rest of us to learn from – if we choose to pay attention. And while this article is about a Singapore company subject to Singapore law, it does shed some light on how courts may treat cases when going up against either applicable law or even cyberinsurers.

HMI Institute was breached and became the victim of a ransomware attack in December 2019. It was identified that a standard RDP port had been left exposed to the Internet and was used as the initial attack vector via a brute-force logon attack. While no data was exfiltrated, systems were encrypted and operations were halted.

Singapore’s Personal Data Protection Act (PDPA) specifically requires organizations to “make reasonable security arrangements to protect the personal data in the server from the risk of unauthorized access, modification and disposal.”

In the case of HMI Institute of Health Sciences Pte. Ltd. [2021] SGPDPC 4, the courts found that HMI Institute had not demonstrated the necessary “reasonable security arrangements,” on the basis that it had been breached.

What this means for Singapore organizations is that “Absence of data exfiltration does not necessarily mean that an organisation cannot be found in breach of the PDPA,” according to the case docket.

Ransomware generally infiltrates an organization via RDP, vulnerabilities, or phishing attacks. RDP is easy – shut it off. Vulnerabilities are a bit tougher – patch, scan, and find compensating controls. Phishing can be simple to address with Security Awareness Training that teaches users how to see malicious emails for what they are and avoid interacting with them, thereby stopping an attack in its tracks.

READ MORE

WhatsApp Phishing Scams Significantly Increase

The Southwark Police in London have warned of a spike in WhatsApp phishing scams, according to Paul Ducklin at Naked Security. The station tweeted, “We have seen a surge in WhatsApp accounts being hacked, if you are sent a text from WhatsApp with a code on it, don’t share the code with ANYONE no matter who’s asking, or the reason why.”

Ducklin notes that users of WhatsApp and similar messaging services are more likely to view messages as trustworthy, since they appear to be coming from an acquaintance.

“Closed-group instant messaging and social media communities don’t suffer from spam in the same way that your email account does, because you can set up your account so that only approved contacts such as friends and family can message you in the first place,” Ducklin writes. “That means, however, that you’re more inclined to trust messages and web links that you do receive, because they generally come from someone you know.”

Ducklin adds that users should be suspicious of unsolicited or strange messages from contacts, especially if the messages sound urgent or try to get you to click on a link.

“Never trust messages simply because they come from a friend’s account,” he says. “Just as importantly, if a weird message from a friend’s account makes you think they’ve been hacked, don’t message them back via the same service to warn them. If you’re right, your real friend will never see the warning, and you will have tipped off the crooks that you are onto them. Contact your friend some other way instead.”

Two-factor authentication (2FA) is an essential layer of defense, but Ducklin stresses that attackers can still bypass this measure via social engineering.

“If you’ve turned on 2FA on your various accounts, good for you,” he writes. “It’s not a silver bullet, so it can’t guarantee that your account won’t get hacked, but it does make things harder for the crooks. Don’t play the ball back into their court by sharing those secret codes with other people, no matter how convincing their story sounds.”

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for these attacks.

READ MORE

35% of All Security Incidents are Business Email Compromise Phishing Attacks

With the bad guys looking for the fastest means to get from attack to a big payout, BEC attackers are shifting tactics to adjust to organizations being better prepared.

According to new data from security vendor GreatHorn in their 2021 Business Email Compromise Report, BEC is not just alive and well, but is changing from the traditional focus of solely using malwareless social engineering tactics.

  • Spoofing – 71% of BEC attacks use a spoofed email account or website to establish credibility. This can be in the form of display name, a lookalike domain, or even a compromised account.
  • Spear Phishing – 69% of BEC attacks utilize spear phishing, likely to increase their chances of reaching the right persons within an organization who have influence over money. According to the report, Finance is targeted 57% of the time, with CEOs next (22%) and IT third (20%).
  • Malware – 24% of BEC attacks still leverage malware as part of the attack. This one is interesting because it denotes the cybercriminals’ intent of gaining internal access, likely to gain elevated privileges and access financial applications to perform discovery (e.g., get the details on a big payment coming in and then defraud the paying company by using a second BEC attack on their finance people).

At the end of the day, BEC is nothing more than a targeted phishing attack using very specific social engineering tactics to gain the trust of the recipient to get them to engage in some financial transaction. According to the report, 71% of orgs feel their users are prepared to identify a phishing email, and yet 43% of the very same orgs said they experienced a security incident in the last 12 months.

Sounds like an opportunity for some better continual Security Awareness Training to keep those folks in Finance, the C-Suite, and IT (as well as everyone else in the organization) up to date on the latest BEC tactics and scams.

READ MORE

Yet Another Disk Image File Format Spotted in the Wild Used to Deliver Malware

Disguised as an invoice, cybercriminals use a Windows-supported disk image to obfuscate malware from email gateways and security scanners. The question is how viable will it be?

The bad guys are in constant need of ways to evolve their art as the good guys improve their security solutions to respond to current attack methods. Historically, we’ve seen a number of image and container file types used, including virtual hard disks and ZIP files, as well as .ISO, .IMG, and .DAA files. But as security solutions get wise and use AI to simply determine “has this user EVER received an image file???” to flag an email, the bad guys need to look for a new format.

According to a recent article from security vendor Trustwave, they’ve spotted a WIM (Windows Imaging Format) file disguised as an invoice or consignment note in the wild.

[Image: the WIM file attachment disguised as an invoice. Source: Trustwave]

The WIM format is one developed by Microsoft. The WIM file contains a single executable – the Agent Tesla malware. Because Windows 10 and above support this filetype, it’s possible that it can be directly opened by the recipient.

This one seems a little out there, as the user experience to detonate this malware involves first extracting the WIM file’s contents (and “extracting” is a very foreign concept to most users). So, it seems the bad guys are relying on the recipients’ unwittingness to simply click the affirmative buttons blindly and install the malware.

Users can easily be educated about such tactics using continual Security Awareness Training that keeps them updated on the latest types of scams, phishing methods, and more.

READ MORE

Threat Actors use Google Ads to Target People Migrating to Encrypted Messaging Services like Signal and Telegram

Researchers at eSentire warn that threat actors have been using Google Ads to target people migrating from WhatsApp to other encrypted messaging services, particularly Signal and Telegram.

“According to eSentire’s security research team, the Threat Response Unit (TRU), this latest campaign relies on the use of malicious Google Ads and web pages that replicate the legitimate download page for secure chat applications, such as Signal,” the researchers write. “Using the fake Signal page, this malicious campaign’s objective is to socially engineer victims into downloading and executing Redline Stealer. Stolen information can be sold on the dark web or directly used in further intrusions and fraud campaigns. Similar malicious Google ad campaigns have recently been observed using AnyDesk, DropBox and Telegram as lures.”

The researchers believe the attackers were taking advantage of the millions of people migrating from WhatsApp to other encrypted messaging apps following a widely unpopular update to WhatsApp’s terms of service in January.

The researchers also note that observant users could have recognized that the pages were malicious if they knew what to look for.

“Evidence that the fake, ad-based Signal page is malicious is as follows: Most of the links do not work on the fake Signal page but do on the real Signal page,” the researchers write. “Secondly, the download button on the fake page (the one button that works) depends on an unknown php script controlled on the server side; the fake Signal page delivered an outdated version of Signal when TRU attempted the download, potentially a result of the server detecting the security tools used. Thirdly, the top-level domains for the fake Signal download page are not standard top-level domains. Finally, all the suspicious ads share a hosting provider, NameCheap. An analysis of registration and hosting parameters across a sample of suspicious sites of the ‘same structure’ (as defined by Urlscan) demonstrates the potential for multiple malvertising campaigns.”

New-school security awareness training can enable your employees to recognize social engineering tactics.

eSentire has the story.

READ MORE

[HEADS UP] Over 400% Increase in Ransomware Victims

According to a recent report by OODA Loop, “Mandiant claims to have detected a 422% increase in victim organizations announced by ransomware groups via their leak sites year-on-year between the first quarter of 2020 and Q1 2021.”

In research recently conducted by Talion, three-quarters of consumers and security professionals want ransom payments to be prohibited. This is driven by the consistently increasing number of victims, with no end to these attacks in sight.

Mandiant also found that the more than 600 European victim organizations were spread across many different industries.

As attacks increase and more money is demanded, ransom payments have become a controversial subject. We recently reported that the average ransom amount has increased to $170,000, up from an average of $80,000 in 2019.

Security professionals also blame cyber insurance, arguing that it only encourages more attacks in the future with no repercussions. It is highly recommended to implement frequent phishing tests and new-school security awareness training to prevent your organization from becoming the next victim.

OODA Loop has the full story.

READ MORE