One Out of 10 Threats Still Makes It All the Way to the Endpoint

Despite good intentions, layered security measures, and efficacy claims by security solution vendors, new data shows that email-based threats are still getting all the way to the Inbox.

Given all that your organization has in place to stop threats from entering your environment, you’d like to think it all gets stopped. Your security vendors certainly tell you that their solution stops some very high percentage of attacks – likely in the 99-point-something range. And the layered defense you’ve implemented is designed to address attacks from a number of directions, giving you a heightened chance of stopping an attack before it does any damage.

But new data from Acronis in their End-of-Year Cyberthreats Report shows that 11.7% of all attacks still make it to the endpoint. This is a nearly 11% increase from the previous quarter – meaning threat actors are getting better at avoiding detection and obfuscating the malicious nature of their emails.

Part of this “success” may be due to the short lifespan of a given piece of malware – according to the report (emphasis is mine):

The average lifetime of malware samples in November 2022 was 1.7 days, after which a threat would disappear and never be seen again. In Q2 2022, this figure was at 2.3 days, showing that malware is even more short-lived today as attackers use automation to create new and personalized malware with a frequency that overwhelms traditional signature-based detection. Seventy-four percent of the samples observed were seen only once across our customer base.


Given this data, you should expect that malicious emails are going to find their way past your security solutions, making it absolutely necessary for your users to play a part in organizational security by being vigilant when interacting with email and the web – something taught with continual Security Awareness Training.


Using AI Large Language Models to Craft Phishing Campaigns

Researchers at Check Point have shown that Large Language Models (LLMs) like OpenAI’s ChatGPT can be used to generate entire infection chains, beginning with a spear phishing email. The publicly available AI can be asked to write a targeted phishing email with perfect grammar. The researchers generated two emails, one of which directed the recipient to click on a link. The other email asked the user to download a malicious document.

“Note that while OpenAI mentions that this content might violate its content policy, its output provides a great start,” the researchers write. “In further interaction with ChatGPT we can clarify our requirements: to avoid hosting an additional phishing infrastructure we want the target to simply download an Excel document. Simply asking ChatGPT to iterate again produces an excellent phishing email.”

Check Point then used another AI platform, Codex, to write a working malicious macro that could be embedded in an Office document and used to download a reverse shell on the compromised machine.

Check Point notes that the AI is a neutral platform, and OpenAI has done extensive work to prevent it from being used for malicious purposes. The researchers conclude, however, that the platform can be abused to lower the bar for aspiring cybercriminals to launch phishing campaigns.

“[T]his is just an elementary showcase of the impact of AI research on cybersecurity. Multiple scripts can be generated easily, with slight variations using different wordings,” the researchers write. “Complicated attack processes can also be automated as well, using the LLMs APIs to generate other malicious artifacts. Defenders and threat hunters should be vigilant and cautious about adopting this technology quickly, otherwise, our community will be one step behind the attackers.”

New-school security awareness training can help your employees thwart social engineering attacks.


Attackers Pose as Facebook Support Using Legitimate Facebook Posts to Bypass Security Solutions

Impersonating Facebook using its own platform against it, a new phishing attack takes advantage of victims’ inability to distinguish legitimate pages from illegitimate ones.

This new phishing attack is both simple and brilliant at the same time. Security researchers at Trustwave have identified a Facebook-themed phishing attack that starts with an email posing as Facebook Support claiming a copyright violation.


(Note the poorly written email and the completely wrong sender address; both should be red flags from the start!)

The Facebook link within the email is legitimate – it takes victims to an actual page on Facebook titled “Page Support” where the copyright infringement is further confirmed, and an appeal form is offered:


The use of “meta” in the appeal form’s URL is all that’s needed to trick victims into thinking it, too, is legitimate. Victims are taken to this “appeal” form where they are asked to give up their Facebook credentials (you knew it was coming, right?).

Trustwave has uncovered a large number of these kinds of attacks that use a legitimate Facebook page made to look like it’s an official page designed to help the victim through their issues (be it copyright infringement, account recovery, avoiding account suspension, etc.).

There are plenty of obvious flaws with this attack, but in the hurried response to something like an account suspension, victims often overlook the obvious and focus on the path to fixing a “problem” they don’t realize is fictitious. This is why users within organizations need to be proactively trained to spot these through continual Security Awareness Training designed not just to educate them on broad cyberthreat topics, but to expose them to real-world campaigns so they know what a phishing attack looks like.
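The lesson of this campaign for anyone triaging reported emails is that a brand keyword such as “meta” in a URL proves nothing, and that a legitimate first hop (a real facebook.com page) does not clear the rest of the click path. The following is an added example, not code from the original article or from Trustwave, showing how a defender can separate “hosted on a domain the brand actually owns” from “merely mentions the brand”. The allowlist of brand domains, the keyword list and the sample click chain are all assumptions constructed for the example; the lookalike host uses the reserved .example TLD.

```python
from urllib.parse import urlparse

# Assumption: domains actually operated by the brand. In practice this list
# comes from your own maintained allowlist, not from this example.
BRAND_DOMAINS = {"facebook.com", "fb.com", "meta.com"}

# Keywords whose presence in a non-brand URL should raise a flag for review.
BRAND_KEYWORDS = ("facebook", "meta")


def registrable_domain(host):
    """Approximate the registrable domain as the last two DNS labels.

    This is good enough for .com-style TLDs. For ccTLDs such as .co.uk use a
    public-suffix-list library instead; the point here is that only the
    registrable part decides ownership, never a substring of the URL.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return 'brand', 'lookalike' or 'other' for a single URL.

    'brand'     - the host's registrable domain is one the brand owns
    'lookalike' - not brand-owned, but the host, path or query mentions the brand
    'other'     - no brand signal at all
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if registrable_domain(host) in BRAND_DOMAINS:
        return "brand"
    searchable = (host + parsed.path + "?" + parsed.query).lower()
    if any(keyword in searchable for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "other"


def assess_chain(urls):
    """Walk every hop of a click path; a legitimate first hop does not clear it.

    Returns ('lookalike', offending_url) at the first brand-mimicking hop,
    otherwise ('clean', None).
    """
    for url in urls:
        if classify_url(url) == "lookalike":
            return ("lookalike", url)
    return ("clean", None)


# Constructed sample click path mirroring the campaign described above:
# a genuine Facebook page that links out to a form on an unrelated domain
# whose only claim to legitimacy is the word "meta" in its name.
SAMPLE_CHAIN = [
    "https://www.facebook.com/constructed-page-support-example",
    "https://meta-copyright-appeal.example/form?case=123",
]

if __name__ == "__main__":
    for hop in SAMPLE_CHAIN:
        print(f"{classify_url(hop):9s} {hop}")
    print(assess_chain(SAMPLE_CHAIN))
```

Keyword matching is deliberately a triage heuristic, so expect false positives on unrelated hosts that happen to contain the string (a "metacritic"-style name would be flagged); the decision that matters is the allowlist lookup on the registrable domain, which is what the "meta in the URL" lure is designed to make a hurried user skip.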


Insurance policy doesn’t cover ransomware attack, Ohio Supreme Court says

The cybercriminals extorted EMOI, demanding three bitcoins, worth around $35,000 at the time, in order to return its data. After complying and paying the ransom, EMOI was able to regain control over most of its stolen information. To be better protected against future attacks, EMOI improved its network security and processes; however, Owners Insurance Company, which wrote the policy, denied the claim for any damages sustained during the breach.

The Supreme Court carefully examined whether coverage for “direct physical harm to property” extends to losses caused by threats to data, such as software, and not just to damage done to tangible items like computers. The justices then unanimously overturned a lower court’s ruling after concluding that software is an intangible item which cannot experience any direct physical deficit or destruction.


The Number of Phishing Attacks Grows 15% in One Quarter, Reaching an All-Time High

New data shows that while ransomware remains somewhat flat, massive increases in business email compromise and response-based email attacks were seen last quarter.

We’d all like to see this trend of attack growth break with some significant downturns. But, according to the latest Phishing Activity Trends Report, 3rd Quarter 2022 from the Anti-Phishing Working Group (better known as APWG), Q3 of this year most definitely wasn’t going to be our quarter.

Phishing attacks continue to rise in a steady fashion, quarter over quarter, demonstrating that this method of initial attack isn’t going anywhere anytime soon.

Phishing Activity Trends Report, 3rd Quarter 2022

Other types of cyberattacks saw more significant gains last quarter:

  • Wire transfer BEC attacks in Q3 increased by 59 percent compared to Q2
  • Response-based email attacks grew a whopping 488% in Q3 2022 compared to Q2
  • Advance fee fraud scams launched via email increased by 1,000% in Q3

In other words, email-based attacks are at their worst. It’s imperative that organizations see these attacks for what they really are – a sign that a phishing-based attack is an almost certainty, regardless of the sophistication of your layered security strategy. One aspect that should be addressed is the user’s role in a cyberattack; it’s all well and fine that your security solutions are designed to stop malicious emails from coming in. But when that one email makes it all the way to the inbox, it’s up to your user to be vigilant and see the email as being potentially malicious – something taught with continual Security Awareness Training.


Social Engineering, Money Mules, and Job Seekers

A small town in Manitoba, WestLake-Gladstone (population about 3300), fell victim to a social engineering campaign. The municipal government seems to have been a target of opportunity, but it lost some $433 thousand to scammers.

The scam began with a gig economy job offer. “A seemingly legitimate company, with a professional website and a Nova Scotia address, claimed it was looking for cash processors. The contract was for one month. Employees could work from home,” the CBC explained. “They were told they would receive payments to their credit cards, which they would be expected to move to their bank accounts. They would then withdraw the payments, convert them into bitcoin, and send that to another account.”

All a prospective “cash processor” needed to qualify were a phone, Internet access, and familiarity with online banking. Also, they would need “proximity to a bitcoin machine.” If the aspiring cash processors did an Internet search for their prospective employer, they would “find a professional website, with information matching what was provided in the employment agreement.” And it came with a Nova Scotia address, just to lend verisimilitude to the scam.

The offer itself was phishing, and eventually someone in WestLake-Gladstone followed a malicious link that enabled the crooks to gain access to the municipal bank accounts. The local government noticed something was amiss when it saw withdrawals, each one less than $10 thousand, sending money to unfamiliar destinations.

“It was a quiet January day in 2020 when the chief administrative officer of a southwestern Manitoba rural municipality noticed the series of unusual cash withdrawals from its bank account. She quickly alerted her assistant, showing how money had been sent to multiple bank accounts the municipality had never dealt with. ‘It was just kind of like a mad scramble to try and figure out what was going on,’ said Kate Halashewski, who at the time was the assistant chief administrative officer for the Municipality of WestLake-Gladstone.”

The Royal Canadian Mounted Police has the case under investigation, but of course it’s better to avoid being victimized in the first place. New-school security awareness training can give any team appropriate skepticism about social engineering, however small-scale or subtle it may appear.


Less Than One-Third of Organizations Leverage Multiple Authentication Factors to Secure Their Environment

Demonstrating a complete lack of focus on the need for additional authentication factors, surprising new data highlights a material security gap that enables cybercrime.

I’ve previously covered industry data showing that the overwhelming majority of cyberattacks use valid accounts (which makes harvesting credentials a primary attack focus). But new data from MFA hardware vendor Yubico in their State of Global Enterprise Authentication Survey puts a clear focus on the problem – organizations just aren’t implementing multi-factor authentication.

According to the report, a third or less use some form of additional authentication factor:

  • 33% use Mobile/SMS pushes
  • 30% use a Password Manager
  • 29% use a mobile push authentication app
  • 20% use hardware keys

What’s more shocking is that 59% of employees rely on simple username and password combinations to authenticate.

This isn’t good, folks.

All it takes is one really good social engineering phishing attack and threat actors will have one or more sets of your employees’ credentials. And with no additional authentication factors, cybercriminals have the keys to whatever corporate kingdom the compromised employee has access to.

So, first off, implement MFA. Across the board for everyone. No exceptions.

Second, implement Security Awareness Training – again, across the board for everyone, so that every user is educated on the state of phishing and social engineering attacks, and can help avoid providing threat actors with usernames and passwords (remember, even those orgs with MFA in place are being attacked with MFA Fatigue attacks – making it necessary to train everyone, regardless of MFA status).


Hospitals Warned of Royal Ransomware Attacks by U.S. Department of Health

This brand new ransomware gang is on the attack and, despite being new to the game, is coming out of the gate attacking the healthcare sector and asking for millions in ransom.

The Health and Human Services’ Health Sector Cybersecurity Coordination Center (quite the mouthful, which is probably why they simply go by the name HC3) released an analyst note last week discussing recent attacks by Royal ransomware against the Healthcare and Public Health (HPH) sector.

According to the note, Royal is not operating in an “as a Service” model, meaning they are keen to keep 100% of all ransoms collected – which currently range from $250K to over $2 million. They are focused primarily on hospitals and other healthcare organizations within the United States, using data exfiltration and double-extortion tactics to ensure payment, and publishing 100% of all data stolen.

Royal uses a particular set of initial access methods, including embedding malicious links in malvertising, phishing emails, fake forums, and blog comments – all relying on social engineering to trick victims into engaging with their malicious content. This kind of trickery is addressed through Security Awareness Training, which teaches corporate users how to maintain vigilance – even when interacting with what appears to be a normal email or webpage – and thereby elevates the security stance of the organization.


Ughh. FBI’s Vetted Threat Sharing Network ‘InfraGard’ Hacked

Investigative reporter Brian Krebs reported on December 13, 2022 that “InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.”

Here is another extract from Krebs:

“On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.

The FBI’s InfraGard program is supposed to be a vetted Who’s Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures — including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.

“InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.

In response to information shared by KrebsOnSecurity, the FBI said it is aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.

“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle “USDoD” and whose avatar is the seal of the U.S. Department of Defense.”

READ THE WHOLE STORY AT KREBS:

https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/


Scammer Group Uses Business Email Compromise to Impersonate European Investment Portals

A sophisticated scammer group has stolen at least €480 million from victims in France, Belgium, and Luxembourg since 2018, according to researchers at Group-IB. The gang uses a highly detailed scam kit called “CryptosLabs,” which impersonates investment portals from more than forty major European financial entities.

“Right out of the block, the victims are promised high returns on their capital,” the researchers write. “To find the ‘investors’ scammers leave messages on the dedicated investment forums or use legitimate advertising mechanisms on social media and search engines to promote the scheme. To appear trustworthy, such ads feature logos of notable banking, fin-tech, crypto, and asset management companies active in France, Belgium, and Luxembourg.”

After clicking on one of the scammers’ ads, the user will be taken to a webpage where they’ll be asked to enter their contact details.

“Interestingly, the victim doesn’t get immediate access to a fake investment platform. The scammers’ call center verifies the information to identify the most likely targets. Masquerading as personal managers of investment divisions of the companies that victims saw on the social media ads, call-center operators reach out to the victims to clarify further steps, explain how the platform works, and provide credentials to start trading.”

The scammers go to a great deal of effort to interact with their victims professionally, convincing them to continue investing money. The scam kit even shows phony growth charts on the victims’ investments.

“After successfully logging into an investment portal the victim sees multiple made-up graphs and charts all indicating sky-high returns and growth stocks,” the researchers write. “After some time, the victim is contacted by a ‘personal manager’ again to sign a fake engagement document and make a €200-300 deposit to activate the account. Once the victim pays, the money goes straight into the scammers’ pockets. The victim is finally granted full access to a branded fake trading platform. Those who make it that far can see the account balance and multiple juicy investment opportunities in stocks, crypto, NFTs, and contact their ‘personal manager’ at their convenience. Some panels seen by Group-IB offer victims up to 17 different investment strategies. The fake platform does everything to keep the victims happy by showing them made-up exponential growth curves and encouraging them to deposit more funds to multiply their investments.”
