BLOG

Cybersecurity Ventures released a new report that showed cybercrime is going to cost the world $8 trillion USD in 2023.

If it were measured as a country, then cybercrime would be the world’s third largest economy after the U.S. and China.

“We expect global cybercrime damage costs to grow by 15 percent per year over the next three years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

“Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”

The 2022 Official Cybercrime Report published by Cybersecurity Ventures and sponsored by eSentire, provides cyber economic facts, figures, predictions and statistics which convey the magnitude of the cyber threat we are up against, and market data to help understand what can be done about it. Link to article where you can download the report and see the VIDEO:

https://cybersecurityventures.com/cybercrime-to-cost-the-world-8-trillion-annually-in-2023/

Researchers at Armorblox warn that a phishing campaign is impersonating DHL with fake shipping invoices.

“The subject of this email aimed to instill an automatic level of trust through the inclusion of the well-known and trusted brand name, DHL, reading: ‘DHL Shipping Document/Invoice Receipt,’” the researchers write. “The inclusion of a legitimate brand name within the email subject encourages victims to open the email in a timely fashion, assuming the email is a legitimate communication from the brand that needs attention. At first glance, the email seems to be a legitimate communication from international shipping company, DHL, with the sender name and email address reading DHL and dhl@vaimti-yacht[.]com respectively.”

The emails look like legitimate DHL notifications, and they were able to bypass security filters.

“The body of the email continues to impersonate the well-known brand, through the inclusion of the company logo and brand colors and signature pertaining to the DLP customer service department,” Armorblox says. “The email looks like a notification from DHL, notifying recipients about a parcel sent by a customer that needed to be rerouted to the correct delivery address. The body of the email has one simple call to action for the recipient, to view the attached document and confirm the destination address of the parcel shipment.”

The emails instructed users to open the Excel attachment, which asked them to enter their Microsoft account credentials in order to view the phony invoice.

“The goal of the targeted attack was for victims to follow the prompted instructions within the email body and open the attachment,” the researchers write. “The attachment included within this email attack was named Shipping Document Invoice Receipt to further instill trust in the unsuspecting victims that the attachment was a legitimate file from DHL and the “copy of DHL receipt for tracking”, as referenced in the body of the email. The information and language used within the email led victims to click the attachment, unsuspecting that the attachment had malicious intent.”

New-school security awareness training can enable your employees to recognize social engineering attacks.

Government workers are prime targets for social engineering attacks, according to Kaitlyn Levinson at GCN. Attackers use different tactics to target government employees in specific roles. Levinson quotes Rita Reynolds, Chief Information Officer for the National Association of Counties, as saying that customer-facing county employees might be more likely to assume that requests are legitimate, since they deal with so many people each day.

“Hackers prey upon the customer service aspect of county employees,” Reynolds said. “That desire to be prompt and successful in filling the request can oftentimes result in a county employee maybe not paying closer attention to the authenticity of the email.”

Reynolds added that county agencies should implement security best practices outlined by the Cybersecurity and Infrastructure Security Agency (CISA).

Levinson writes, “CISA advises organizations to use phishing-resistant multi-factor authentication, which goes beyond security measures such as one-time passwords and uses FIDO/WebAuthn authentication or PKI-based MFA, to close the gaps that bad actors could squeeze through.”

Arun Vishwanath, Chief Technology Officer of Avant Research Group, explained that even technical employees are vulnerable to phishing attacks. IT employees may become complacent and assume they’ll be able to recognize phishing emails.

Meredith Ward, director of policy and research for the National Association of State Chief Information Officers, told GCN that government organizations should ensure that their employees are aware of these types of attacks.

“The reality is that there is no one protection tool or technology that can prevent or respond to every cyberattack,” Ward said. “The human factor plays a large part in this discussion, and human awareness is but one tool states have to thwart cyberattacks.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to recognize social engineering attacks.

Reuters describes a cyberespionage campaign carried out by the hitherto little-known threat group researchers track as “Cold River.” The group is circumstantially but convincingly linked to Russian intelligence services (possibly the FSB, although that’s unclear) through its Russophone operations and the location of at least one of its personnel in the northern city of Syktyvkar, capital of the Komi region. The effort involved attempted social engineering of US nuclear researchers at the Department of Energy’s Brookhaven, Argonne, and Lawrence Livermore National Laboratories. The campaign peaked in August and September, as Russian President Putin’s nuclear threats reached their peak. It’s unknown whether the campaign enjoyed any success: Reuters says that both the Department of Energy and the FSB declined to comment. The report says:

“Cold River, which first appeared on the radar of intelligence professionals after targeting Britain’s foreign office in 2016, has been involved in dozens of other high-profile hacking incidents in recent years, according to interviews with nine cybersecurity firms. Reuters traced email accounts used in its hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar.

“’This is one of the most important hacking groups you’ve never heard of,’ said Adam Meyers, senior vice president of intelligence at U.S. cybersecurity firm CrowdStrike. “’They are involved in directly supporting Kremlin information operations.’”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented on the social-engineering aspect of the campaign. “Hopefully all employees in our nation’s critical infrastructure are already using phishing-resistant multi-factor authentication,” he said. “That will put down a large percentage of phishing attacks, but we can expect Russian phishing campaigns to keep getting more sophisticated over time. That’s why all organizations should aggressively train their employees in how to recognize, stop, and report phishing attacks.”

We call this process “social engineering,” and it’s become prominent in cyberspace, but it really represents an update of old spycraft: identify, approach, compromise, and recruit a target. Counterintelligence officers might take note: new-school security awareness training can help make your people more resistant to the adversary.

Despite good intentions, layered security measures, and efficacy claims by security solution vendors, new data shows that email-based threats are still getting all the way to the Inbox.

Given all that your organization has in place to stop threats from entering into your environment, you’d like to think it all gets stopped. Your security vendors certainly tell you that their solution stops some very high percentage of attacks – likely in the 99-point-something range. And the layered defense you’ve implemented is designed to address attacks from a number of directions, giving you a heightened chance of stopping an attack before it does any damage.

But new data from Acronis in their End-of-Year Cyberthreats Report shows that 11.7% of all attacks still make it to the endpoint. This is a nearly 11% increase from the previous quarter – meaning threat actors are getting better at avoiding detection and obfuscating the malicious nature of their emails.

Part of this “success” may be due to the short lifespan of a given piece of malware – according to the report (emphasis is mine):

The average lifetime of malware samples in November 2022 was 1.7 days, after which a threat would disappear and never be seen again. In Q2 2022, this figure was at 2.3 days, showing that malware is even more short-lived today as attackers use automation to create new and personalized malware with a frequency that overwhelms traditional signature-based detection. Seventy-four percent of the samples observed were seen only once across our customer base.

With this newfound data, it should be obvious that you should expect that malicious emails are going to find their way past your security solutions, making it absolutely necessary for your users to play a part in organizational security by being vigilant when interacting with email and the web – something taught with continual Security Awareness Training.

Researchers at Check Point have shown that Large Language Models (LLMs) like OpenAI’s ChatGPT can be used to generate entire infection chains, beginning with a spear phishing email. The publicly available AI can be asked to write a targeted phishing email with perfect grammar. The researchers generated two emails, one of which directed the recipient to click on a link. The other email asked the user to download a malicious document.

“Note that while OpenAI mentions that this content might violate its content policy, its output provides a great start,” the researchers write. “In further interaction with ChatGPT we can clarify our requirements: to avoid hosting an additional phishing infrastructure we want the target to simply download an Excel document. Simply asking ChatGPT to iterate again produces an excellent phishing email.”

Check Point then used another AI platform, Codex, to write a working malicious macro that could be embedded in an Office document and used to download a reverse shell on the compromised machine.

Check Point notes that the AI is a neutral platform, and OpenAI has done extensive work to prevent it from being used for malicious purposes. The researchers conclude, however, that the platform can be abused to lower the bar for aspiring cybercriminals to launch phishing campaigns.

“[T]his is just an elementary showcase of the impact of AI research on cybersecurity. Multiple scripts can be generated easily, with slight variations using different wordings,” the researchers write. “Complicated attack processes can also be automated as well, using the LLMs APIs to generate other malicious artifacts. Defenders and threat hunters should be vigilant and cautious about adopting this technology quickly, otherwise, our community will be one step behind the attackers.”

New-school security awareness training can help your employees thwart social engineering attacks.

Impersonating Facebook using its own platform against them, a new phishing attack takes advantage of victim’s inability to distinguish legitimate from illegitimate.

This new phishing attack is both simple and brilliant at the same time. Security researchers at Trustwave have identified a Facebook-themed phishing attack that starts with an email posing as Facebook Support claiming a copyright violation.

(Note the poorly-written email and the completely wrong email address; should be red flags from the start!)

The Facebook link within the email is legitimate – it takes victims to an actual page on Facebook titled “Page Support” where the copyright infringement is further confirmed, and an appeal form is offered:

The use of “meta” in the appeal form’s URL is all that’s needed to trick victims into thinking it, too, is legitimate. Victims are taken to this “appeal” form where they are asked to give up their Facebook credentials (you knew it was coming, right?).

Trustwave has uncovered a large number of these kinds of attacks that use a legitimate Facebook page made to look like it’s an official page designed to help the victim through their issues (be it copyright infringement, account recovery, avoiding account suspension, etc.).

There are plenty of obvious flaws with this attack, but in the hurried response to address something like an account suspension, often victims overlook the obvious and focus on the path to fix their unknowingly fictitious “problem”. This is why users within organizations need to be proactively trained to spot these through continual Security Awareness Training designed to not just educate them on broad cyberthreat topics, but by exposing them to real-world campaigns so they know what a phishing attack looks like.

Dec. 27, 2022, The Ohio Supreme Court ruled in favor of an insurance company, determining that its contract to cover any direct physical loss or damage to property did not encompass ransom payments made when a hacker illegally gained access to medical billing software company EMOIs systems and data.

The incident happened back in 2019 when cybercriminals managed to breach into the software provider which assists medical practices with booking appointments, keeping records and payment management.

The cybercriminals extorted EMOI with a request of three bitcoins worth around $35,000 at the time in order to return its data. After complying and paying their ransom, they were able to regain control over most of their stolen information. To be better protected against future attacks, EMOI improved their network security and process; however, Owners Insurance Company which wrote the policy, denied the claim for any damages sustained during the breach.

The Supreme Court carefully examined whether the defense against “direct physical harm to property” covers losses caused by threats to data, such as software, and not just damage that is done on tangible items like computers. The justices then unanimously overturned a lower court’s ruling after concluding that software is an intangible item which cannot experience any direct physical deficit or destruction.