79% of Employees Have Knowingly Engaged in Risky Online Activities in the Past Year

New data suggest why: employees don’t believe cyber security risk is something they personally need to worry about, and they also tend to believe they aren’t a target.

In most cyberattacks, the employee plays some role – clicking on a malicious attachment, giving up their corporate credentials to an impersonated logon page on the web, or taking specific action because they were fooled into believing their CEO or boss told them to. So, it’s important for employees to not engage in risky online behaviors.

But according to new data from security vendor Thycotic, employees simply aren’t prepared or educated to think about corporate risk, let alone their own role in helping to mitigate it. Thycotic’s newly released Balancing Risk, Productivity and Security report points to how and why employees are creating risk:

  • 45% see the organization being at little or no risk of cyberattack
  • 51% say IT should be solely responsible to protect the organization from cyber threats
  • 79% of employees have engaged in one or more risky activities that include sharing credentials with colleagues, using the same password across multiple sites, using unauthorized personal devices to conduct work, and allowing family members to use their corporate device

One of the reasons is clear from the report’s data: 56% of employees have received no Security Awareness Training in the last year. Over half of employees never have the need for continual vigilance reinforced, so it’s no wonder these organizations see employees introduce risk regularly.

If you want a vigilant, cyber security-minded employee, you need to teach them continuously about the importance of cyber vigilance. Otherwise, you’re going to end up with the kind of organization the Thycotic data describes.

READ MORE

Ransomware Extortion Attacks Continue to Rise in Frequency as Ransom Payments Decrease by 40%

Ransomware is having a very odd second quarter of the year: new variants are entering the game, governments are finally taking notice, and insurers are tightening their underwriting requirements.

Every quarter I make certain to cover Coveware’s Quarterly Ransomware Report, as it provides great insight into the current state of attacks, ransoms, variants, and more. But in Coveware’s latest report, covering Q2 2021, we see a bit of a different tone.

In the report, we saw a massive downturn in the average ransom payment – just a little over $136K, down 38% from Q1 of this year. And yet the percentage of ransomware attacks threatening to leak exfiltrated data increased by 5% this quarter, to 81%.

This is a bit counterintuitive; why would payments go down, but threats (that should yield higher payments) increase?

It may have something to do with some of the other points covered in the Coveware article:

  • Four new ransomware variants slipped into the top 10 list, pushing out old players. (When you think of ransomware as a “business”, new players on the market sometimes undercut their competition to establish themselves. Could that be it?)
  • REvil ransomware – which was behind some of the most high-profile attacks last quarter – seems to have disappeared. (This could be due to the increasing involvement of governments, including our own, which have taken notice of the implications and begun to put pressure on foreign governments to shut these cybercriminal gangs down.)
  • The attacks on critical infrastructure have woken up CEOs, who are now paying attention to the realities of modern ransomware attacks and their impact, and are willing to spend whatever it takes to keep from becoming a victim.

Whatever the reason for the lowered ransom payments, the Coveware data still suggests that businesses of every size continue to be under attack and should take measures to protect themselves from the three primary initial attack vectors – vulnerabilities (hint: time to get vulnerability management in high gear), remote access via RDP (shut it down and get a real remote solution), and phishing (educate your users with Security Awareness Training so they don’t fall prey to malicious email content).

READ MORE

Cybercriminals Are Growing More Organized

The cybercriminal underground is becoming increasingly organized, according to researchers at HP. The criminal underground functions like a regular economy, with people selling goods and services such as phishing kits, malware, and access to compromised networks. As a result, the bar of entry is lower since unskilled criminals can buy the things that previously prevented them from engaging in cybercrime.

HP’s report shared the following findings:

  • “75% of malware detected was delivered via email, while web downloads were responsible for the remaining 25%. Threats downloaded using web browsers rose by 24%, partially driven by users downloading hacking tools and cryptocurrency mining software.
  • “The most common email phishing lures were invoices and business transactions (49%), while 15% were replies to intercepted email threads. Phishing lures mentioning COVID-19 made up less than 1%, dropping by 77% from H2 2020 to H1 2021.
  • “The most common type of malicious attachments were archive files (29%), spreadsheets (23%), documents (19%), and executable files (19%). Unusual archive file types – such as JAR (Java Archive files) – are being used to avoid detection and scanning tools, and install malware that’s easily obtained in underground marketplaces.
  • “The report found 34% of malware captured was previously unknown, a 4% drop from H2 2020.
  • “A 24% increase in malware that exploits CVE-2017-11882, a memory corruption vulnerability commonly used to exploit Microsoft Office or Microsoft WordPad and carry out fileless attacks.”

The researchers also observed a “résumé-themed malicious spam campaign targeted shipping, maritime, logistics and related companies in seven countries (Chile, Japan, UK, Pakistan, US, Italy and the Philippines), exploiting a Microsoft Office vulnerability to deploy the commercially-available Remcos RAT and gain backdoor access to infected computers.”

Alex Holland, a Senior Malware Analyst at HP, stated that criminals continue to rely on phishing to gain initial access because it works so well.

“Cybercriminals are bypassing detection tools with ease by simply tweaking their techniques,” Holland said. “We saw a surge in malware distributed via uncommon file types like JAR files – likely used to reduce the chances of being detected by anti-malware scanners. The same old phishing tricks are reeling in victims, with transaction-themed lures convincing users to click on malicious attachments, links, and web pages.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to spot phishing attacks that slip past your technical defenses.

READ MORE

WhatsApp Phishing Scams Significantly Increase

The Southwark Police in London have warned of a spike in WhatsApp phishing scams, according to Paul Ducklin at Naked Security. The station tweeted, “We have seen a surge in WhatsApp accounts being hacked, if you are sent a text from WhatsApp with a code on it, don’t share the code with ANYONE no matter who’s asking, or the reason why.”

Ducklin notes that users of WhatsApp and similar messaging services are more likely to view messages as trustworthy, since they appear to be coming from an acquaintance.

“Closed-group instant messaging and social media communities don’t suffer from spam in the same way that your email account does, because you can set up your account so that only approved contacts such as friends and family can message you in the first place,” Ducklin writes. “That means, however, that you’re more inclined to trust messages and web links that you do receive, because they generally come from someone you know.”

Ducklin adds that users should be suspicious of unsolicited or strange messages from contacts, especially if the messages sound urgent or try to get you to click on a link.

“Never trust messages simply because they come from a friend’s account,” he says. “Just as importantly, if a weird message from a friend’s account makes you think they’ve been hacked, don’t message them back via the same service to warn them. If you’re right, your real friend will never see the warning, and you will have tipped off the crooks that you are onto them. Contact your friend some other way instead.”

Two-factor authentication (2FA) is an essential layer of defense, but Ducklin stresses that attackers can still bypass this measure via social engineering.

“If you’ve turned on 2FA on your various accounts, good for you,” he writes. “It’s not a silver bullet, so it can’t guarantee that your account won’t get hacked, but it does make things harder for the crooks. Don’t play the ball back into their court by sharing those secret codes with other people, no matter how convincing their story sounds.”

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for these attacks.

READ MORE

35% of All Security Incidents are Business Email Compromise Phishing Attacks

With the bad guys looking for the fastest route from attack to a big payout, BEC attackers are shifting tactics to adjust to organizations being better prepared.

According to new data from security vendor GreatHorn, in their 2021 Business Email Compromise Report, BEC is not just alive and well, it is moving away from its traditional focus on purely malwareless social engineering tactics:

  • Spoofing – 71% of BEC attacks use a spoofed email account or website to establish credibility. This can be in the form of display name, a lookalike domain, or even a compromised account.
  • Spear Phishing – 69% of BEC attacks utilize spear phishing, likely to increase their chances of reaching the right persons within an organization who have influence over money. According to the report, Finance is targeted 57% of the time, with CEOs next (22%) and IT third (20%).
  • Malware – 24% of BEC attacks still leverage malware as part of the attack. This one is interesting because it shows the cybercriminals’ intent to gain internal access, likely to obtain elevated privileges and access financial applications for discovery (e.g., get the details of a big payment coming in, then defraud the paying company with a second BEC attack on its finance people).
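To make the spoofing indicators above concrete, here is an added example (my own, not GreatHorn’s, and not code from the report) of the header checks a mail gateway or SOC script can run to catch display-name spoofing and lookalike domains. It also flags a Reply-To that points outside the sender’s domain, a standard BEC indicator the report bullets do not list. The executive names, the example.com domain and the three sample messages are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data for this example (hypothetical names and domain).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # CEO
    "john roe": "john.roe@example.com",   # CFO
}


def normalize_domain(domain: str) -> str:
    """Fold common homoglyph substitutions (rn->m, vv->w, digits->letters)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def registrable(addr: str) -> str:
    """Crude registrable-domain extraction: the last two labels of the address domain."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when a domain is not ours but normalises to (or sits within 2 edits of) ours."""
    if domain == INTERNAL_DOMAIN:
        return False
    a, b = normalize_domain(domain), normalize_domain(INTERNAL_DOMAIN)
    return a == b or edit_distance(a, b) <= 2


def analyze(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 822 message's headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr)
    findings = []
    # Display-name spoof: an executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name-spoof")
    # Lookalike domain: exarnple.com, examp1e.com, and similar.
    if is_lookalike(from_domain):
        findings.append("lookalike-domain")
    # Reply-To steering the conversation to a domain the From header does not use.
    reply_to = msg.get("Reply-To")
    if reply_to and registrable(parseaddr(reply_to)[1]) != from_domain:
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    # CEO's display name on a free-mail style address.
    "From: Jane Doe <jane.doe.ceo@gmail.example>\nTo: ap@example.com\n"
    "Subject: Urgent wire\n\nPlease process the attached invoice today.\n",
    # CFO's name on a lookalike domain (rn for m) plus an external Reply-To.
    "From: John Roe <john.roe@exarnple.com>\nReply-To: accounts@mail.example.net\n"
    "To: ap@example.com\nSubject: Payment\n\nSee attached.\n",
    # Legitimate internal mail.
    "From: Jane Doe <jane.doe@example.com>\nTo: ap@example.com\nSubject: Lunch\n\nNoon?\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(raw.splitlines()[0], "->", analyze(raw))
```

The display-name check is the one that catches most real BEC mail: the attacker rarely bothers with a lookalike domain when a free-mail account with the CEO’s name already works. The edit-distance threshold of 2 is a starting point; tune it against your own domain length and sender population to keep false positives down.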

At the end of the day, BEC is nothing more than a targeted phishing attack using very specific social engineering tactics to gain the trust of the recipient to get them to engage in some financial transaction. According to the report, 71% of orgs feel their users are prepared to identify a phishing email, and yet 43% of the very same orgs said they experienced a security incident in the last 12 months.

Sounds like an opportunity for some better continual Security Awareness Training to keep those folks in Finance, the C-Suite, and IT (as well as everyone else in the organization) up to date on the latest BEC tactics and scams.

READ MORE

Yet Another Disk Image File Format Spotted in the Wild Used to Deliver Malware

Cybercriminals are using a Windows-supported disk image format, disguised as an invoice, to hide malware from email gateways and security scanners. The question is how viable it will be.

The bad guys constantly need to evolve their craft as the good guys improve their security solutions to respond to current attack methods. Historically, we’ve seen a number of container and disk image formats abused, including ZIP archives, virtual hard disks (.VHD), and .ISO, .IMG and .DAA files. But as security solutions get wise and flag an email simply because the recipient has never received an image file before, the bad guys need to look for a new format.

Security vendor Trustwave reports spotting a WIM (Windows Imaging Format) file disguised as an invoice or consignment note in the wild.

[Image: the WIM attachment disguised as an invoice/consignment note. Source: Trustwave]

WIM is a format developed by Microsoft. The WIM file in this campaign contains a single executable: the Agent Tesla malware. Windows ships tooling that understands the format (DISM, for example), but Explorer has no default handler for .wim files, so the recipient has to extract the contents with a third-party archiver such as 7-Zip before the executable can run.

This one seems a little out there, as detonating the malware requires the user to first extract the WIM file’s contents (and “extracting” is a very foreign concept to most users). So it seems the bad guys are relying on recipients blindly clicking through whatever prompts appear until the malware runs.
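As an added example (my own, not Trustwave’s code and not from HP’s report quoted earlier), the following Python classifies an attachment by its magic bytes rather than its file name, so a WIM, ISO or JAR renamed to .pdf is still recognised as a container. It covers both the JAR files HP flagged and the disk-image formats discussed here. The sample attachments are constructed in memory; the magic values are the published ones for each format (WIM header tag MSWIM, ISO 9660 “CD001” at offset 0x8001, the VHD “conectix” cookie, the ZIP local-file header PK\x03\x04), and the quarantine policy is an assumption you should adapt to your own mail flow.

```python
import io
import zipfile

# Container / disk-image formats in which an invoice should never arrive.
CONTAINER_TYPES = {"zip", "jar", "iso", "wim", "vhd"}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "js", "vbs", "bat", "cmd", "ps1", "jar"}
EXPECTED_EXT = {
    "zip": {"zip"}, "jar": {"jar"}, "iso": {"iso"}, "wim": {"wim"},
    "vhd": {"vhd"}, "exe": {"exe", "dll", "scr"}, "pdf": {"pdf"},
}


def zip_members(data: bytes) -> list:
    """Entry names of a ZIP-based file, or [] if it does not parse."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def detect_type(data: bytes) -> str:
    """Identify the real format from magic bytes, ignoring the file name entirely."""
    if data.startswith(b"MSWIM\x00\x00\x00"):                 # WIM header image tag
        return "wim"
    if data.startswith(b"conectix") or data[-512:].startswith(b"conectix"):
        return "vhd"                                           # VHD cookie (header or footer)
    if len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"                                           # ISO 9660 volume descriptor
    if data.startswith(b"PK\x03\x04"):                         # ZIP local file header; JAR is a ZIP
        return "jar" if "META-INF/MANIFEST.MF" in zip_members(data) else "zip"
    if data.startswith(b"MZ"):
        return "exe"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def assess(filename: str, data: bytes) -> dict:
    """Claimed vs. actual type plus the reasons (if any) to hold the attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = detect_type(data)
    flags = []
    if actual in CONTAINER_TYPES:
        flags.append("container-format")
    if actual in EXPECTED_EXT and ext not in EXPECTED_EXT[actual]:
        flags.append("extension-mismatch")
    if actual in ("zip", "jar"):
        if any(m.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS for m in zip_members(data)):
            flags.append("executable-inside")
    return {"file": filename, "claimed": ext, "actual": actual, "flags": flags}


def should_quarantine(filename: str, data: bytes) -> bool:
    """Assumed policy: any flag is enough to hold the message for review."""
    return bool(assess(filename, data)["flags"])


def _build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample attachments (not real malware; only headers/magic bytes).
SAMPLES = [
    ("Invoice_20211.jar", _build_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
                                      "Invoice.class": b"\xca\xfe\xba\xbe"})),
    ("Consignment_Note.wim", b"MSWIM\x00\x00\x00" + b"\x00" * 248),
    ("statement.pdf", b"\x00" * 0x8001 + b"CD001" + b"\x00" * 2048),   # ISO renamed to .pdf
    ("invoice.pdf", b"%PDF-1.4\n% constructed sample\n"),
    ("Invoice.zip", _build_zip({"Invoice.exe": b"MZ" + b"\x00" * 62})),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(assess(name, blob))
```

The WIM check only looks at the header tag; pulling the embedded executable out of the image needs a WIM parser (or 7-Zip), which this example does not attempt. The point is the policy: a container or disk image, whatever it is called, is not an invoice, and gateway rules keyed on file extension alone miss exactly the renamed-to-.pdf case shown in the third sample.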

Users can easily be educated about such tactics using continual Security Awareness Training that keeps them updated on the latest types of scams, phishing methods, and more.

READ MORE

Threat Actors use Google Ads to Target People Migrating to Encrypted Messaging Services like Signal and Telegram

Researchers at eSentire warn that threat actors have been using Google Ads to target people migrating from WhatsApp to other encrypted messaging services, particularly Signal and Telegram.

“According to eSentire’s security research team, the Threat Response Unit (TRU), this latest campaign relies on the use of malicious Google Ads and web pages that replicate the legitimate download page for secure chat applications, such as Signal,” the researchers write. “Using the fake Signal page, this malicious campaign’s objective is to socially engineer victims into downloading and executing Redline Stealer. Stolen information can be sold on the dark web or directly used in further intrusions and fraud campaigns. Similar malicious Google ad campaigns have recently been observed using AnyDesk, DropBox and Telegram as lures.”

The researchers believe the attackers were taking advantage of the millions of people migrating from WhatsApp to other encrypted messaging apps following a widely unpopular update to WhatsApp’s terms of service in January.

The researchers also note that observant users could have recognized that the pages were malicious if they knew what to look for.

“Evidence that the fake, ad-based Signal page is malicious is as follows: Most of the links do not work on the fake Signal page but do on the real Signal page,” the researchers write. “Secondly, the download button on the fake page (the one button that works) depends on an unknown php script controlled on the server side; the fake Signal page delivered an outdated version of Signal when TRU attempted the download, potentially a result of the server detecting the security tools used. Thirdly, the top-level domains for the fake Signal download page are not standard top-level domains. Finally, all the suspicious ads share a hosting provider, NameCheap. An analysis of registration and hosting parameters across a sample of suspicious sites of the ‘same structure’ (as defined by Urlscan) demonstrates the potential for multiple malvertising campaigns.”

New-school security awareness training can enable your employees to recognize social engineering tactics.

eSentire has the story.

READ MORE

[HEADS UP] Over 400% Increase in Ransomware Victims

According to a recent report by OODA Loop, “Mandiant claims to have detected a 422% increase in victim organizations announced by ransomware groups via their leak sites year-on-year between the first quarter of 2020 and Q1 2021.”

In research recently conducted by Talion, three-quarters of consumers and security professionals want ransom payments to be prohibited, because the number of victims keeps increasing with no end to these attacks in sight.

Mandiant also found that the more than 600 European victim organizations were spread across many different industries.

As more attacks occur and more money is demanded, ransom payments have become a controversial subject. We recently reported that the average ransom amount has increased to $170,000, up from an average of $80,000 in 2019.

Security professionals also blame cyber insurance, which in their view only encourages more attacks, since the attackers face no repercussions. It is highly recommended to implement frequent phishing tests and new-school security awareness training to prevent your organization from becoming the next victim.

OODA Loop has the full story.

READ MORE

80% of Ransomware Victim Organizations Experience a Second Attack

The impact of ransomware attacks is much more than just the sensationalized cost of ransoms. New data spells out how victim organizations have suffered at the hands of ransomware.

With the future of ransomware looking pretty bleak, it’s important for organizations like yours to have a realistic understanding of just how impactful a single successful ransomware attack can be to your business. Cybereason’s Ransomware: The True Cost To Business report contains a number of shocking stats that provide insight into what the operational and business aftermath of an attack looks like. According to the report:

  • 53% reported that their brand suffered
  • 66% reported a significant revenue loss
  • 42% reported that cyber insurance did not cover losses
  • 46% had some or all of their data corrupted even after paying the ransom
  • 25% had to close their doors for a period of time before reopening

And the kicker is:

  • 80% of those who paid the ransom experienced another attack

According to Cybereason’s CEO, Lior Div, “prevention is the best strategy for managing ransomware risk and ensuring your organization does not fall victim to a ransomware attack in the first place.” Phishing remains one of the primary initial attack vectors, so organizations need to prevent phishing attacks by engaging users with Security Awareness Training that keeps them up to date on current phishing attacks, scams, social engineering methods, and campaign themes.

READ MORE

Tax Organizations Need to Focus on Cybersecurity

Tax preparation companies and tax agencies are increasingly facing scams, fraud, and other attacks, according to Robert Capps, Vice President of Marketplace Innovation at NuData Security. On the CyberWire’s Hacking Humans podcast, Capps explained that the digitization of taxes has increased the need for tax organizations to focus on cybersecurity.

“If you’re dealing with an agency, a physical organization that is processing your taxes, you drop off the packet, they hand you your taxes, and then you sign, and they get mailed in or even electronically delivered on your behalf – those organizations really need to be taking security into account,” Capps said. “Where taxes, you know, more than a decade ago were all on paper, tax return fraud was the result of breaking into someone’s office and stealing boxes of paperwork. Now that’s all digital. And so whoever’s preparing your taxes or assisting with your taxes really needs to take computer network security into account, and that isn’t always the case, right? Some folks are not as computer-literate as we might want them or expect them to be, given their position.”

Capps noted that attackers also use social engineering and malware to go after corporations as well as individuals.

“On the other side of the coin, corporate tax fraud is an issue, and getting information from an employee through social engineering or getting malware onto their computers in the office can create all kinds of havoc not just at tax time, but also attacking bank balances,” Capps said. “And you see unrequested international wire transfers out of corporate accounts to third-party accounts in another country that can’t be recovered. Those things are all problems when we talk about the corporate side of the fraud, when companies are defrauded by these same individuals.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to avoid falling for scams and other social engineering attacks.

READ MORE