A Cyberespionage Group Uses Social Engineering

A sophisticated China-aligned threat actor is using social engineering to carry out cyberespionage and financially motivated attacks, according to researchers at Trend Micro.

“Since mid-2021, we have been investigating a rather elusive threat actor called Earth Lusca that targets organizations globally via a campaign that uses traditional social engineering techniques such as spear phishing and watering holes,” the researchers write. “The group’s primary motivation seems to be cyberespionage: the list of its victims includes high value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 research organizations, and the media, among others. However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies.”

The threat actor used spear phishing, watering-hole sites, and website vulnerabilities to compromise its victims.

“The group has three primary attack vectors, two of which involve social engineering,” the researchers write. “The social engineering techniques can be broken down into spear phishing emails and watering hole websites. Our telemetry data shows Earth Lusca sending spear phishing emails containing malicious links to one of their targets — a media company. These links contain files that are disguised either as documents that would be of interest to the potential target, or as opinion forms allegedly coming from another media organization. The user eventually downloads an archive file containing either a malicious LNK file or an executable — eventually leading to a Cobalt Strike loader.”

The threat actor used watering-hole sites to target victims who are interested in certain topics.

“In addition to spear phishing emails, Earth Lusca also made use of watering hole websites — they either compromised websites of their targets or set up fake web pages copied from legitimate websites and then injected malicious JavaScript code inside them,” Trend Micro says. “These links to these websites are then sent to their victims (although we were not able to definitively pinpoint how this was done).”

New-school security awareness training can enable your employees to avoid falling for targeted social engineering attacks.

READ MORE

North Korean Cryptocurrency Theft Relies on Social Engineering

A North Korean threat actor being called “BlueNoroff,” a subunit of Pyongyang’s Lazarus Group, has been targeting cryptocurrency startups with financially motivated attacks, researchers at Kaspersky have found. The campaign, “SnatchCrypto,” is using malicious documents to gain access to internal communications, then using social engineering to manipulate employees.

“If there’s one thing BlueNoroff has been very good at, it’s the abuse of trust,” Kaspersky says. “Be it an internal bank server communicating with SWIFT infrastructure to issue fraudulent transactions, cryptocurrency exchange software installing an update with a backdoor to compromise its own user, or other means. Throughout its SnatchCrypto campaign, BlueNoroff abused trust in business communications: both internal chats between colleagues and interaction with external entities.”

This campaign is targeting small- to medium-sized cryptocurrency companies, as the attackers know that these companies often lack the resources to defend against sophisticated attacks.

“According to our research this year, we have seen BlueNoroff operators stalking and studying successful cryptocurrency startups,” the researchers write. “The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. This lets them mount high-quality social engineering attacks that look like totally normal interactions. A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion. BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time.”

Seongsu Park, a senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), said that companies of all sizes need to be aware of these types of attacks.

“As attackers continuously come up with a lot of new ways to trick and abuse, even small businesses should educate their employees on basic cybersecurity practices,” Seongsu Park said. “It is especially essential if the company works with crypto wallets. There is nothing wrong with using cryptocurrency services and extensions, but note that it is also an attractive target for APT and cybercriminals alike. Therefore, this sector needs to be well protected.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart social engineering attacks.

READ MORE

It’s a Fact: Cyberattacks Continue Because Your Users Forget

The weakest part of your cybersecurity can be identified by looking at how cyberattacks take place, and how well your defenses stand up. But did you know the answer comes from the year 1885?

While cybersecurity is a constantly moving target, there are some constraints on threat actors that keep their methods and tactics within a realm of possible actions. For example, they need to work within the confines of the operating systems used by the victim organization – which only have so many ways to be exploited. The same is true for users; with 85% of breaches involving a human element, cybercriminals use a combination of urgency and credibility to convince the potential victim to engage with the threat actor’s malicious content. And while new phishing themes are constantly being created to align with current events, the tactics feel very much the same; it’s pretty much always click the link, open the attachment, or reply to the email.

So, if it’s really as simple as making sure users don’t interact with malicious email content, why are cyberattacks continuing to flourish? Part of the answer lies with organizations that don’t enlist their users to play a role in protecting the organization. If users are educated with Security Awareness Training to be mindful of malicious content in their inbox, they are less likely to interact with and fall for phishing attacks.

But just putting users through this kind of training a few times a year isn’t enough.

The core of the problem is that people forget what they’ve learned. Back in 1885, German psychologist Hermann Ebbinghaus hypothesized that memory retention declines over a very short period of time – something now known as the Forgetting Curve. In as little as just 20 minutes, 40% of what’s been learned has already been forgotten.

[Image: the Ebbinghaus forgetting curve. Source: The Forgetting Curve]

He found that repetition in learning over a period of time (in most cases, repetitions were measured in days) actually increases the percentage of knowledge retained. You can see below the impact on the percentage of information retained when the information is re-reviewed over time.

[Image: retention over time with repeated review. Source: The Forgetting Curve]

Applying this to cybersecurity, it becomes clear that a) even if users are put through some form of training, they will forget most or all of what they’ve learned (and will click the malicious link sometime in the future), and b) it takes continual Security Awareness Training to ensure users retain best practices, good cyber hygiene, and a vigilant state of mind when interacting with unsolicited (and potentially malicious) email content.

READ MORE

Fifty FIFA eSports Accounts Were Hacked Via Social Engineering

Video game maker Electronic Arts (EA) has stated that around fifty high-profile accounts for the soccer game FIFA 22 were hacked after attackers manipulated the company’s customer service employees.

“Over the last few weeks we’ve been made aware of reports that high-profile player accounts are being targeted for takeover,” the company said. “Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques. Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts.”

Some of the hacked accounts belonged to real soccer/football players and professional video game streamers. EA is still working to restore accounts to their rightful owners.

“At this time, we estimate that less than 50 accounts have been taken over using this method,” EA said. “We are currently working to identify rightful account owners to restore access to their accounts, and the content within, and players affected should expect a response from our team shortly. Our investigation is ongoing as we thoroughly examine every claim of a suspicious email change request and report of a compromised account.”

EA notes that “[t]here is always a human factor to account security,” and the company is taking the following steps to mitigate these attacks in the future:

“All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.

“We are implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.

“Our customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.”

New-school security awareness training can enable your employees to thwart phishing and other social engineering attacks.

READ MORE

U.S. Government Warns of More Cyberattacks Targeting Critical Infrastructure

A new joint cybersecurity advisory from CISA, the FBI, and the NSA cautions organizations against Russian-based attacks and provides mitigations to be implemented.

It’s one thing to see an advisory that simply says “hey, we’re seeing a bunch more attacks.” But when you also see 8 pages of recommended security measures and a statement encouraging “the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting”, you know they know something you don’t.

This is exactly what is in yesterday’s cybersecurity advisory entitled “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure”.

While the advisory isn’t focused on a specific threat, it does begin with some general statements of what’s been observed:

Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks.

Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.

Even if you’re not a “critical infrastructure” organization, this advisory is solid reading. It offers real-world examples of Russia-based attacks, vulnerabilities used, observed tactics and techniques mapped to the MITRE ATT&CK Framework, and practical guidance to shore up your Detection, Incident Response, and Mitigation efforts.

In general, the advisory makes the following high-level recommendations:

  • Be prepared – this includes minimizing security gaps and creating a detailed incident response plan
  • Enhance your organization’s cyber posture – this includes implementing best practices across identity and access management, protective controls, as well as vulnerability and configuration management
  • Increase organizational vigilance – this includes staying updated on threats and ensuring users are educated through continual Security Awareness Training

READ MORE

Amazon Token Crypto “Presale” Scam Takes Advantage of News Hype and Steals Your Real Cryptocurrency

The growing interest in new cryptocurrencies and the potential to get in early on Amazon’s supposedly forthcoming crypto has scammers taking victims for thousands of dollars.

Investing in cryptocurrency is seen by some as a legitimate means of making money, both on price gains and through other crypto-financial vehicles such as staking, pooling, and farming. So, it makes sense that scammers are looking for ways to rob their victims of cryptocurrency rather than risk breaking into bank accounts, using stolen credit card details, etc.

In a new crypto token scam documented by security researchers at Avast, scammers are posting ads looking like they are from legitimate news sources on the web informing the reader of a “presale” of the Amazon token “$AMZ”.

[Image: fake Amazon token presale ad. Source: Avast]

The websites used look clean and professional and don’t hint much at all that they aren’t Amazon’s. With pages that promote Prime membership benefits, a roadmap for the token, and a clear call to action to “Buy Token” (note: one of the red flags!), this scam gets “buyers” to cough up any of a number of accepted cryptocurrencies as payment.

[Image: Amazon token scam website. Source: Avast]

Once an account is created, victims are even provided a fake “portfolio” page, providing additional opportunities to “purchase” these nonexistent tokens.

[Image: Amazon token scam portfolio page. Source: Avast]

This is a very creative and well-executed scam. We covered a similar scam back in 2019 involving Facebook’s Libra cryptocurrency. The difference with this new scam is the professionalism of the execution. And, while the goal is simply to take the victim’s legitimate crypto as payment, it could just as easily be attempting to get the victim to download and open/install a malicious document. Organizations should still be wary of such scams, as the potential for corporate impact is real. Users undergoing Security Awareness Training will see the scam for what it is at the start – the URLs the “legitimate” news ads point to are as bogus as they come – making it important to enroll users in continual training to be sure they don’t fall for these and similar scams.

READ MORE

The Impacts of Phishing Attacks

More than half (55%) of phishing attacks target IT departments, according to research commissioned by OpenText. Additionally, nearly half of survey respondents said they had fallen for a malware phishing attack.

“The most common form is a standard untargeted mass phishing attack,” the researchers write. “Nearly one in five of the respondents to the IDG survey said they either were definitely targeted by such an attack (37%) or suspect they were (42%). Next most common is a malware attack, where the user gets an email with an attachment — usually a Microsoft Office document — that launches malware if clicked on. Among the respondents, 44% confirmed they were the victim of such an attack and 23% suspect so.”

Many respondents also said that malware phishing attacks are very hard to identify.

“Malware attacks joined search engine phishing and clone phishing as the most difficult types of attacks to recognize and avoid, all cited by around one-third of the respondents,” the researchers write. “Search engine phishing involves fake websites that show up in search engine results, including in paid ads. Often posing as some type of financial institution, the sites then entice users to enter personal information, including banking credentials.”

The report found that the consequences of phishing attacks include data breaches, lost revenue, downtime, legal troubles, and reputational damage.

“More than a third (37%) cited exposure of sensitive data, and 32% said they’ve suffered lost productivity,” the researchers write. “One in five had suffered a loss of revenue from phishing, and nearly as many (19%) had had to pay legal or regulatory fines. Perhaps worse, more than one-third (37%) reported that their organization had suffered downtime lasting longer than a day as a result of phishing attacks. Larger organizations (500 to 999 employees) were far more likely to report such downtime, at 44%, versus 14% for small companies (25 to 100 employees). Larger organizations are also more likely to report negative consequences from phishing, especially exposure of sensitive data: nearly half (49%) of all the respondents from large companies, versus 35% for medium (100 to 499 employees) and 16% for small companies.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to recognize phishing attacks.

READ MORE

U.K. Workers Aren’t Concerned about Company Cybersecurity Despite 60% Having Been Victims of a Cyberattack

New data shows a huge disparity between the likelihood of cyberattack against U.K. organizations and their employees’ cybersecurity awareness and vigilance.

New data put out by security vendor Armis paints a rather disconcerting picture of U.K. workers when it comes to their role in aiding the organization’s cybersecurity efforts. According to Armis, despite the fact that a majority of workers (60%) have stated they’ve personally experienced a cyberattack, only 27% of them recognize the cyber risk associated with interacting with email and the web. In addition, one in 9 employees (11%) don’t care about cybersecurity at all!

What makes this issue of users not being aware of or concerned about cyberattacks worse is the number one type of attack experienced by users (according to Armis): phishing. With more than one-quarter (27%) of U.K. workers experiencing phishing attacks that use social engineering to trick victims into giving up credentials, credit card data, and more, it’s imperative that users are made part of the organization’s security stance.

And given we’ve seen how U.K. workers have posed a cybersecurity risk historically, this new data is alarming.

This should be a wake-up call to business leaders and cybersecurity executives that your workers are your weakest link and your greatest risk. Workers need to be placed in continual Security Awareness Training that educates them on various kinds of cyberattacks they may face, while reinforcing their role as part of the organization’s cyber defenses.

READ MORE

Embedded Email Attacks Are on the Rise and Aren’t Being Detected by Security Solutions

This classic tactic is making a comeback: it is elegantly simple to execute, yet sufficiently complex to keep email scanning solutions from seeing it as malicious.

Malicious attachments are nothing new; there are countless examples of how threat actors embed malicious code, links, etc. into attachments as the delivery vehicle. Most email scanning solutions either scan attachments or “detonate” them in a virtual sandbox to see the behavior of the attachment once run.

But an old method of embedding malicious content is making a comeback, according to security researchers at Avanan. This method places the malicious content into an .eml file (a file that mail clients interpret as an email; it can contain plain ASCII text for the headers and the main message body, as well as hyperlinks and attachments), and the .eml file is then attached to the phishing email itself.

The end result is security solutions “overlook” the malicious content within the .eml file, leaving the threat actor with a viable mechanism to move the would-be victim towards performing the needed malicious action – be it clicking a link, opening a webpage, or providing credentials.

In the case of the example provided by Avanan, the .eml file points the victim to a supposed PDF file using Office 365 branding to establish legitimacy. Upon clicking the link to see the bogus PDF, an impersonated Office 365 logon screen is presented to capture the user’s credentials.

The .eml angle is pretty dangerous. It’s not often that we as business professionals send an email as an attachment to another email, but it does happen, so it is not completely out of place for a user to see this kind of email in the wild.
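The tactic described above works because a scanner that only looks at the outer message never reads the link inside the attached .eml. The following is an added example, not code from Avanan or from this newsletter, of how a defender can walk the whole MIME tree, descend into message/rfc822 attachments, and surface links and attachment names found at any depth. It uses only Python’s standard email library; the sample message, its domains (all under .invalid) and the extension list are constructed here and are not indicators from any report.

```python
import email
import re
from email import policy

# Constructed sample: an outer message whose only payload of interest is an attached
# .eml (message/rfc822) carrying the credential-harvesting link. All domains are
# placeholders (.invalid), not indicators from the Avanan report.
SAMPLE_OUTER = b"""From: "Shared Docs" <sender@example.invalid>
To: victim@example.invalid
Subject: FW: Document shared with you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer-boundary"

--outer-boundary
Content-Type: text/plain; charset="utf-8"

Please see the forwarded message.

--outer-boundary
Content-Type: message/rfc822
Content-Disposition: attachment; filename="document.eml"

From: "Office 365 Team" <no-reply@example.invalid>
To: victim@example.invalid
Subject: You have a new PDF document
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>A PDF has been shared with you.</p>
<a href="https://login-portal.example.invalid/office365/view.pdf">Open document</a>
</body></html>

--outer-boundary--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Attachment types worth a second look (assumed list): .lnk and executables match the
# delivery chain in the Earth Lusca item above, .eml the Avanan one.
SUSPICIOUS_EXT = (".eml", ".lnk", ".exe", ".iso", ".js")


def iter_parts(msg, depth=0):
    """Yield (depth, part) for every MIME node. depth counts how many attached
    messages (message/rfc822) enclose the part; 0 means the outer email itself."""
    yield depth, msg
    if msg.is_multipart():
        child_depth = depth + 1 if msg.get_content_maintype() == "message" else depth
        for sub in msg.get_payload():
            yield from iter_parts(sub, child_depth)


def analyze(raw: bytes) -> dict:
    """Walk the message tree, descending into attached .eml files, and collect
    links, attachment names and flags so nested content is not overlooked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"nested_messages": 0, "links": [], "attachments": [], "flags": []}
    for depth, part in iter_parts(msg):
        if part.get_content_maintype() == "message":
            report["nested_messages"] += 1
            report["flags"].append(f"attached message (message/rfc822) at depth {depth}")
        filename = part.get_filename()
        if filename:
            report["attachments"].append((depth, filename))
            if filename.lower().endswith(SUSPICIOUS_EXT):
                report["flags"].append(f"suspicious attachment {filename!r} at depth {depth}")
        # Only text leaves carry links; get_content() decodes the declared charset.
        if part.get_content_maintype() == "text" and not part.is_multipart():
            for url in URL_RE.findall(part.get_content()):
                report["links"].append((depth, url))
                if depth > 0:
                    report["flags"].append(f"link inside attached message: {url}")
    return report


if __name__ == "__main__":
    for line in analyze(SAMPLE_OUTER)["flags"]:
        print(line)
```

The point of tracking depth is that a link at depth 1 or deeper was never visible to a scanner that stopped at the outer message; feeding every URL and attachment name from the full report into the same reputation or sandbox checks applied to the outer message closes that gap.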

Users need to be educated on these kinds of tactics and to maintain a sense of vigilance with Security Awareness Training so that they treat emails like these – that seem just a bit out of the ordinary – as suspicious from the start, helping to minimize the risk that they fall for the scam.

READ MORE

Phishing Campaign Impersonates Pfizer

A phishing campaign is impersonating Pfizer with phony request-for-quotation (RFQ) emails, according to Roger Kay at INKY. The email lures had fairly convincing PDF attachments that didn’t contain any malicious links or malware, and instead prompted the user to reach out to the scammer for more details.

“They both claimed that Pfizer was requesting quotes for various industrial engineering supplies, and both had PDF attachments that impersonated Pfizer,” Kay says. “The PDF was three pages long and had a few inconsistencies (e.g., different due dates on different pages), but, in general, looked pretty good. The discussion of payment methods and terms set the recipient up for the idea that they would have to share banking details at some point.”

Kay notes that the attackers used several measures to help the emails bypass security filters.

“In this particular attack combination, the black hats used both high and low tech to evade anti-phishing radar,” Kay writes. “The high tech involved newly created and freeware domains, set up to send phishing emails that would not trigger rudimentary email defences (i.e., DMARC analysis of DKIM and SPF records). The low tech was a simple PDF attachment with no poison links or malware in either the attachment or the email itself. These elements were designed expressly to not trigger anti-phishing analysis.”

Kay concludes that users should be suspicious of unsolicited emails like this, especially if they appear to come from major companies.

“Recipients should be aware that large enterprises like Pfizer do not typically send out cold emails to solicit bids for projects,” Kay says. “If a recipient is in a sales department and does business with Pfizer (or, in a similar situation, any other company), they should get in touch with their contact directly by telephone or an initiated email to determine whether the RFQ is legitimate. It is also highly unlikely that a Pfizer employee would use a freemail account for official business.”
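Kay’s two observations above, that a freshly registered or freemail domain with correct SPF and DKIM will pass DMARC, and that a real Pfizer employee would not use a freemail account, can be turned into a check that runs after authentication. The following is an added example, not INKY’s code or this newsletter’s, that parses the Authentication-Results header and then asks a separate question: does the sender’s domain match the brand it names, and is it a freemail provider? The sample message, its domains (.example placeholders) and the partner and brand lists are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample RFQ lure: passes SPF, DKIM and DMARC for the domain it was sent
# from, which is a freemail provider, not the brand named in the display name.
# Domain names are placeholders, not indicators from the INKY report.
SAMPLE_RFQ = b"""From: "Pfizer Procurement" <procurement.pfizer@freemail.example>
To: sales@vendor.example
Subject: Request for Quotation
Authentication-Results: mx.vendor.example;
 spf=pass smtp.mailfrom=freemail.example;
 dkim=pass header.d=freemail.example;
 dmarc=pass header.from=freemail.example

Please find the attached RFQ.
"""

# Hypothetical lists a defender maintains: domains of actual business partners,
# consumer webmail providers, and brand names that keep getting impersonated.
KNOWN_PARTNER_DOMAINS = {"pfizer.com"}
FREEMAIL_DOMAINS = {"freemail.example", "gmail.com", "outlook.com", "yahoo.com"}
WATCHED_BRANDS = {"pfizer"}


def auth_results(msg) -> dict:
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} parsed from
    the receiving server's Authentication-Results header(s)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header)):
            results[method] = verdict
    return results


def assess(raw: bytes) -> dict:
    """Combine authentication results with sender-identity checks. A DMARC pass
    only shows the mail really came from the From: domain; it says nothing about
    whether that domain should be sending RFQs on behalf of a large enterprise."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    flags = []
    if domain in FREEMAIL_DOMAINS:
        flags.append("sender uses a freemail domain")
    brand_hits = {b for b in WATCHED_BRANDS if b in display.lower() or b in addr.lower()}
    if brand_hits and domain not in KNOWN_PARTNER_DOMAINS:
        flags.append(f"brand {sorted(brand_hits)} named but domain {domain!r} is not a known partner")
    if auth.get("dmarc") == "pass" and flags:
        flags.append("DMARC pass confirms the sending domain only, not that the domain is trusted")
    return {"domain": domain, "auth": auth, "flags": flags, "suspicious": bool(flags)}


if __name__ == "__main__":
    for line in assess(SAMPLE_RFQ)["flags"]:
        print(line)
```

This separates two questions that rudimentary filters collapse into one: authentication (did the claimed domain really send it) and identity (is this the domain the named organization actually uses). The second question is where a brand-impersonation lure from a throwaway domain fails, even when the first is answered with three passes.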

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to spot phishing emails that slip past your technical defenses.

READ MORE