[Heads-Up] A Hacker Is Selling Access To The Email Accounts Of Hundreds Of C-Level Executives

ZDNet’s Zero Day column just reported one of the best reasons why you should step your users through new-school security awareness training yet:

“A threat actor is currently selling passwords for the email accounts of hundreds of C-level executives at companies across the world. The data is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.in, ZDNet has learned this week. The threat actor is selling email and password combinations for Office 365 and Microsoft accounts, which he claims are owned by high-level executives occupying functions such as:

  • CEO – chief executive officer
  • COO – chief operating officer
  • CFO – chief financial officer or chief financial controller
  • CMO – chief marketing officer
  • CTO – chief technology officer
  • President
  • Vice president
  • Executive Assistant
  • Finance Manager
  • Accountant
  • Director
  • Finance Director
  • Financial Controller
  • Accounts Payable

Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user’s role. A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained valid credentials for two accounts, the CEO of a US medium-sized software company and the CFO of an EU-based retail store chain.

The source, which requested that ZDNet not use its name, is in the process of notifying the two companies, but also two other companies for which the seller published account passwords as public proof that they had valid data to sell. These were login details for an executive at a UK business management consulting agency and for the president of a US apparel and accessories maker.

I don’t have to tell you the risks that this brings related to CEO Fraud, also known as Business Email Compromise. ZDNet has the full story:


Credential-Stealing VPN Exploits

A hacker has published an exploit for a critical vulnerability in Fortinet VPN devices, along with a list of 49,577 vulnerable devices, BleepingComputer reports. Fortinet released a patch for the flaw in May 2019, but many devices remain vulnerable. The flaw (CVE-2018-13379) can allow an unauthenticated attacker to download system files, including passwords, from vulnerable Fortinet VPNs. In fact, the hacker in this case claims to have already obtained the login credentials for the vulnerable devices on the list. BleepingComputer says this access will most likely be exploited by ransomware operators to gain access to networks.

BleepingComputer adds that a number of well-known public and private sector organizations are on the hacker’s list.

“After analyzing the list, it was found that the vulnerable targets included government domains from around the world, and those belonging to well-known banks and finance companies,” BleepingComputer says. “As observed by BleepingComputer, out of the 50,000 domains, over four dozen belonged to reputable banking, finance, and governmental organizations.”

The hacker’s post was discovered by a threat intelligence analyst known on Twitter as “Bank_Security,” who told BleepingComputer that thousands of companies around the world were on the list.

“This is an old, well known and easily exploited vulnerability,” Bank_Security said. “Attackers already use it for a long time. Unfortunately, companies have a very slow patching process or an uncontrolled perimeter of exposure on the internet, and for this reason, attackers are able to exploit these flaws to compromise companies in all sectors with relative simplicity.”

In cases where patching these devices isn’t possible or can’t be accomplished quickly, implementing multi-factor authentication can at least mitigate this vulnerability. (And multifactor authentication should be enabled wherever possible, even after the flaw has been patched.) New-school security awareness training can create a culture of security within your organization, enabling your employees to keep up with the latest security threats.


The Risk of the “To” Line

Micropayments company Coil accidentally exposed at least a thousand of its customers’ email addresses by including their addresses in the “To” field of an email, BleepingComputer reports. The email in question concerned updates to the company’s privacy policy (many observers have noted the irony). It’s not clear how many email addresses were exposed, but BleepingComputer suspects it was more than a thousand.

“On taking a closer look, BleepingComputer noticed at least 1,000 emails were included in the announcement,” the publication says. “It is likely other users saw a different set of email addresses listed in the To or CC fields, assuming the mass announcement was emailed in batches of 1,000.”

Coil’s founder and CEO Stefan Thomas apologized in a statement, saying the incident was caused by human error.

“Earlier this evening we sent you an email updating you on changes to our Terms & Privacy Policy,” Thomas said. “Unfortunately, due to a human error related to how we interface with our mailing list provider, a number of users’ email addresses were populated alongside yours. This mistake is especially painful as we take privacy extremely seriously — it is the cornerstone of our values. We’re deeply sorry and hope you can forgive us for this mistake. We’re here to help you with any concerns or issues you may have as a result of this error.”

BleepingComputer notes that these types of privacy breaches are fairly common, with at least two other incidents occurring in the past few weeks.

“Last week, Rakuten had erroneously emailed multiple customers, stating the customers had earned cashback, only to recall their words later,” BleepingComputer says. “In October, a Home Depot email blunder had exposed hundreds of customer orders and personal information to strangers CC’d in emails.”

It’s not just the incoming mail that can be a problem. The outgoing mail carries its own risks. New-school security awareness training can reduce the risk of both malicious and accidental incidents by teaching your employees to be vigilant when dealing with emails and other forms of communication.
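The safeguard this incident calls for, as an added example that is not Coil's or BleepingComputer's code: a batched announcement builder that keeps every subscriber in Bcc, the mistaken form that lists them in To, and a pre-send guard that rejects any message exposing more than one visible address (the limit, the sender-in-To convention and the 2,500 constructed subscriber addresses are assumptions for the illustration).

```python
"""Added example: keep bulk-mail recipients out of each other's To/Cc headers,
and catch the mistake before sending. Not Coil's code; values are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterator, List

MAX_VISIBLE_RECIPIENTS = 1  # assumed policy: only the sender may be visible


def build_batches(sender: str, recipients: List[str], subject: str, body: str,
                  batch_size: int = 1000) -> Iterator[EmailMessage]:
    """Yield one message per batch of recipients. The sender goes in To and
    the batch in Bcc, so no subscriber ever sees another subscriber's address."""
    for i in range(0, len(recipients), batch_size):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = sender  # the only visible address
        msg["Bcc"] = ", ".join(recipients[i:i + batch_size])
        msg["Subject"] = subject
        msg.set_content(body)
        yield msg


def mistaken_message(sender: str, recipients: List[str]) -> EmailMessage:
    """The error pattern from the story: the whole batch placed in the To field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Privacy policy update"
    msg.set_content("(constructed body)")
    return msg


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient can read: To and Cc. Bcc is stripped in transit."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def hidden_recipients(msg: EmailMessage) -> List[str]:
    """Addresses carried only in Bcc."""
    return [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def safe_to_send(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> bool:
    """Pre-send guard: refuse a message that would expose more than `limit`
    visible addresses. Run this on every outbound bulk message."""
    return len(visible_recipients(msg)) <= limit


# Constructed sample: 2,500 fake subscribers, sent in batches of 1,000 as in the story.
SUBSCRIBERS = [f"user{n}@example.invalid" for n in range(2500)]
SENDER = "announcements@example.invalid"
```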


How Many Phishing Sites? Over 2 Million in 2020 (so far)

Google has flagged 2.02 million phishing sites since the beginning of the year, averaging forty-six thousand sites per week, according to researchers at Atlas VPN. The researchers note that the number of phishing sites peaked at the start of the year, which correlates with the start of the pandemic.

“Data also reveals that in the first half of 2020, there were two huge spikes in malicious websites, reaching over 58 thousand detections per week at the peaks,” the researchers write. “The second half of the year seems more stable, which is not a positive thing, as there are around 45 thousand new copy-cat websites registered every seven days.”

Atlas VPN says the number of new phishing sites has been steadily increasing each year since 2015, but it’s now higher than it’s ever been.

“To take a look at the wider perspective, Atlas VPN analyzed phishing site data since the first quarter of 2015,” the researchers explain. “Our findings revealed that the year 2020 is, in fact, the year with most new phishing sites to date. Even though 2020 is not yet at an end, it already has a record-high number of scam websites detected, amounting to 2.02 million sites, according to Google’s data. This was a 19.91% increase from 2019 when malicious site volume reached 1.69 million. The average year-by-year change in phishing websites reveals a 12.89% growth since 2015. Also, in 2020, all three quarters had more malicious site detections than any of the previous year’s quarters. The second quarter of 2020 has the highest number of phishing sites ever recorded, at over 635 thousand.”

The researchers attribute the spike in 2020 to the COVID-19 pandemic, as people are spending more time online and emotions are running high.

“It is quite easy to correlate the pandemic with the increase in phishing attacks, not only because of the increased internet usage but also due to the panic,” they write. “Panic leads to irrational thinking, and people forget basic security steps online. Users then download malicious files or try to purchase in-demand items from unsafe websites, in result becoming victims of a scam.”

Google and other companies do a good job of tracking down malicious sites, but attackers can easily scale their operations and set up new sites to stay ahead of efforts to shut them down. New-school security awareness training can enable your employees to spot these sites on their own.


2021 Prediction: Expect Ransomware Attacks Will Increase in Frequency and Variety

A new forward-looking report from security vendor FireEye Mandiant predicts the greatest single cyber threat today is only going to become a greater menace next year.

With 2020 being a dumpster fire of a year, we’re all looking for some good news to shed some light at the end of this tunnel we’re living in. But with the bad guys evolving their tricks and growing more greedy by the day, there’s apparently no good news on the cybersecurity forefront.

According to the FireEye Mandiant report A Global Reset: Cyber Security Predictions 2021, you should expect to see ransomware grow and develop in scale, scope, effectiveness, and impact. FireEye Mandiant’s chief cyberthreat consultant Jaimie Collier expects ransomware to evolve and expand. “We’re seeing the affiliate models expand, where different threat actors combine leading to a huge amount of specialization within the overall process. Some of the actors develop the ransomware, but work with others that specialize in gaining the initial access, and post-compromise exfiltration; all leading to a broader criminal ecosystem.”

We’ve already seen massive growth in the frequency of ransomware attacks this year, as well as previously unthinkable ransom amounts both demanded and paid. So, hearing that it’s only going to get worse next year is as big a warning as you’re ever going to get.


One-Third of Employees Say Their Company Has No Cybersecurity Measures in Place While Working from Home

At a time when organizations should be implementing additional security measures to ensure the logical perimeter of their network is protected, new research shows companies aren’t prepared.

You’d think everyone would have this figured out by now; the bad guys have been stepping things up to take advantage of users working remotely, which makes it necessary to strengthen your cybersecurity stance.

But new research covering how organizations are managing their cybersecurity risk around remote work during COVID paints a very disturbing picture. According to the report, only about one-third of organizations are mandating any of the obvious security measures for employees when working remotely:

  • 65% of organizations are not mandating a secure WiFi be used
  • 69% aren’t requiring Multi-Factor Authentication (MFA)
  • 69% aren’t using a VPN

The most disturbing is that 34% of employees say their employer hasn’t implemented any of these measures.

This isn’t good.

Organizations with a remote workforce need to double down on implementing a layered security strategy that takes into account the specific areas of risk that exist when a user works from home. Most important is the need for Security Awareness Training. According to the research, 68% of organizations provided no training to their remote workforce. But, given the nature of cyberattacks, the use of social engineering, and the prevalent need for users to engage with malicious content before it can be weaponized, training them to be watchful for such attacks and maintain a state of vigilance is a key step towards keeping your remote workers – and the organization – secure.


Remote Workers Continue to Put Organizations Critically at Risk of Cyberattack

The insecurity of the remote worker, their devices, personal networks, and bad cybersecurity habits creates a massive threat surface for cybercriminals to easily take advantage of.

We are already seeing projections that the current remote workforce isn’t going anywhere and that a majority of workers will remain remote in the future. So it’s critical that organizations make certain their remote workers are secured to the same standards that would apply if the worker were in the office. But new data from security vendor Bitdefender paints a rather bleak picture of the state of cybersecurity for remote workers and their working environment. Its report, The ‘New Normal’ State of Cybersecurity, finds that the remote worker is anything but secure:

  • 87% have the WinRM service still enabled (allowing remote session attacks)
  • 64% have unpatched vulnerabilities that are older than 2018 on their devices
  • 56% of attacks on remote workers involve port scanning
  • Covid-related attacks are on the rise, with 4 in 10 emails on the topic being fraud, phishing, or malware

There’s one last stat that makes it clear where the source of this insecurity lies: 93% of employees are still using old passwords. This and the preceding stats directly point to a lack of the organizations communicating with and educating the user on cybersecurity issues like the need to patch personal devices, properly securing their device with even the OS firewall, and good password hygiene.

Organizations wanting to significantly reduce this massive threat surface should be investing in Security Awareness Training for their users to train them on the need for having a security mindset, the importance to themselves and the organization, and ways to better secure their device, network, email, and employer.


Spotting Retail Scams During the Holiday Season

People need to be particularly vigilant for scams as we approach the holiday shopping season, according to Laura Brooks at Tessian. Scammers always take advantage of seasonal trends, and the shopping season creates perfect opportunities for them to strike.

“Consumers expect to receive more marketing and advertising emails from retailers during this time, touting their deals, along with updates about their orders and notifications about deliveries,” Brooks writes. “Inboxes are noisier-than-usual and this makes it easier for cybercriminals to ‘hide’ their malicious messages and prey on individuals who are not security savvy. What’s more, attackers can leverage the ‘too-good-to-be-true’ deals people are expecting to receive, using them as lures to successfully deceive their victims. When the email looks like it has come from a legitimate brand and email address, people are more likely to click on malicious links that lead to fake websites or download harmful attachments.”

Brooks adds that vendors also need to be wary of phishing attacks, particularly those that lean heavily on targeted social engineering.

“Vendor impersonation (also called vendor email compromise) is a persistent threat that many businesses are facing right now – one that has increased since the shift to remote working,” Brooks says. “In fact, Tessian research revealed that over a third (34%) of the phishing attacks organizations received between March – July 2020 purportedly came from an external supplier, while 26% supposedly came from a customer.”

Brooks concludes that user education is an “incredibly important” measure in combating phishing and other social engineering attacks.

“Hackers prey on the people-heavy nature of the retail industry,” Brooks says. “Using sophisticated social engineering techniques and clever impersonation tactics, they’re counting on people making a mistake and falling for their scams.”

New-school security awareness training can enable your employees to recognize social engineering tactics in their personal and professional lives.


Why Use Malware When Cybercriminals Can Use Social Engineering?

Researchers at Malwarebytes warn that a malvertising campaign they call “malsmoke” has stopped deploying exploit kits and is now using social engineering attacks to trick users into installing malware. The threat actor behind this campaign generally targets high-traffic adult websites. In the latest campaign, the attackers began using web pages that purport to contain an adult video, and inform users that they’ll need to install a Java plugin in order to view the video.

“Starting mid-October, the threat actors behind malsmoke appear to have phased out the exploit kit delivery chains in favor of a social engineering scheme instead,” the researchers write. “The new campaign is tricking visitors to adult websites with a fake Java update. This change is significant because it drastically increases the target audience, no longer limiting it to Internet Explorer users running outdated software.”

The use of social engineering also gives the attackers flexibility in how they target their victims, and enables them to improve upon their techniques in the future.

“The threat actors could have designed this fake plugin update in any shape or form,” Malwarebytes says. “The choice of Java is a bit odd, though, considering it is not typically associated with video streaming. However, those who click and download the so-called update may not be aware of that, and that’s really all that matters.”

Malwarebytes concludes that social engineering schemes will remain relevant, since they’re cheaper and often more efficient than technical exploits.

“In the absence of high value software vulnerabilities and exploits, social engineering is an excellent option as it is cost effective and reliable,” the researchers explain. “As far as web threats go, such schemes are here to stay for the foreseeable future.”

Technical vulnerabilities can always be patched, but humans need to receive education to combat social engineering attacks. New-school security awareness training can help your employees stay ahead of these evolving tactics.


Ransomware Attacks Officially Hit a New Low and Go Where No Cyberattack Has Gone Before: Death

The past few months have seen ransomware quickly evolve to a place of ingenious sophistication, rampant greed, indifferent destruction, and the sad loss of life.

Your organization should be laser focused on stopping ransomware from ever taking hold. This warning comes as we watch cybercriminal gangs take the simple “encrypted data held for ransom” game to new levels I never thought I’d see.

Ransomware attacks have increased in frequency seven-fold, extortion is now a part of nearly every attack to ensure prompt payment, and seeing ransoms in the millions is now, well… not uncommon. In fact, we’ve seen a ransom as high as $34 million already.

And in September, the world of ransomware experienced its first-ever death. If anything is a signal to lay off attacks on healthcare, that was it. And yet, healthcare remains a ransomware target.

In some ways, it feels like we’re losing the battle.

What’s needed is for all organizations – including healthcare – to look at the root causes of why ransomware attacks are successful. When it comes down to it, users are needed as part of the attack – users that engage with the phishing emails that deliver it. This is something that can easily be avoided – with the right education. Organizations that put their users through Security Awareness Training add the user to the layered security strategy, allowing the users themselves to act as the last line of defense against these increasingly menacing ransomware attacks.

I fear it’s only going to get worse, but it can get better if users work in concert with your cybersecurity strategy. And they can only do that if you train them how to.