
    stus

    @stus

    Vendor

    Reputation: 137 | Profile views: 1.4k | Posts: 44 | Followers: 1 | Following: 0
    Website: www.KnowBe4.com | Location: Tampa Bay, Florida | Age: 10

    Best posts made by stus

    • [Heads-up] New Ransomware Strain Encrypts Cloud Email Real-time VIDEO

      OK, here is something new and really scary.

      KnowBe4's Chief Hacking Officer Kevin Mitnick called me with some chilling news. A white hat hacker friend of his developed a working "ransomcloud" strain, which encrypts cloud email accounts like Office 365 in real-time. My first thought was: "Holy $#!+".

      I asked him: "Can you show it to me?", and Kevin sent this to me a few hours ago. Lucky for us, this ransomware strain is not in the wild just yet, but it's on the horizon, so this is your heads-up! If a white hat can do this, so can a black hat.

      This new strain uses a smart social engineering tactic to trick the user to give the bad guys access to their cloud email account, with the ruse of a "new Microsoft anti-spam service".

      Once your employee clicks "accept" to use this service, it's game over: all email and attachments are encrypted real-time! See it for realz here in 5 minutes and shiver:
      YouTube Ransomcloud Demo

      What Kevin recommends at the end of this video: "Stop, Look and Think before you click on any link in an email that could potentially give the bad guys access to your data." is now more true than ever.

      What Percentage Of Your Users Would Click On That Link?

      Organizations are moving millions of users to O365. However, this video proves that being in the cloud does not automatically mean you are secure. The Phish-prone percentage of your users is your number one vulnerability, as they remain to be the weakest link in your IT security, cloud or not.

      Here is a way to get your users' phish-prone percentage baseline at no cost

      KnowBe4's free Phishing Security Test allows you to choose which environment you want to test:


      If you choose the O365 option, your user will be sent this Phishing Security Test (PST) email after you upload the email addresses and whitelist our domain:

      As you just saw, cyber-attacks are rapidly getting more sophisticated. We help you step your employees through new-school security awareness training to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. No need to talk to anyone.

      Find out what percentage of your employees are Phish-prone™ with our free Phishing Security Test (PST). If you don't do it yourself, the bad guys will.

      https://www.knowbe4.com/phishing-security-test-offer

      posted in IT Discussion ransomware
    • [URGENT ALERT] Defend Against This Ransomware WMD NOW

      Ransomware Attack Uses NSA 0-Day Exploits To Go On Worldwide Rampage

      Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, called the attack "the biggest ransomware outbreak in history." This is a cyber pandemic caused by a ransomware weapon of mass destruction.

      FedEx Corp, Renault, Russian banks, gas stations in China, and Spanish telecommunications firm Telefonica, which reported 85% of their systems being down as a result of a cyberattack earlier today, and ironically the Russian Interior ministry has 1,000 machines encrypted. Even the German Railways were infected.

      Dozens of hospitals in the UK were shut down. Cybersecurity experts have long used the phrase "where bits and bytes meet flesh and blood," which signifies a cyberattack in which someone is physically harmed.

      SUMMARY:

      Yet unknown cyber criminals have taken an NSA 0-day threat and weaponized a ransomware strain so that it replicates like a worm and takes over the whole network using the SMB protocol. There is a 2-month old MS patch that needs to be applied urgently if you have not done that already.

      I suggest you immediately look into this and patch your systems before your users fall for this phishing attack. Here is a blog post with all the updated details, links to patches, background, workarounds if you cannot patch, and the blog post is being updated close to real-time:

      https://blog.knowbe4.com/ransomware-attack-uses-nsa-0-day-exploits-to-go-on-worldwide-rampage

      On the same page is an option to download a no-charge tool to check if your endpoint security software protects you against ransomware infections; the tool is called 'RanSim'.

      This is a bad one. Let's stay safe out there.

      Warm regards,
      Stu Sjouwerman,
      Founder and CEO, KnowBe4, Inc.

      posted in IT Discussion
    • Scam Of The Week: Phishing Moves To Smishing


      Internet bad guys are increasingly trying to circumvent your spam filters and instead are targeting your users directly through their smartphone with smishing attacks, which are hard to stop.

      The practice has been around for a few years, but current new scams are mystery shopping invitations that start with a text, social engineering the victim to send an email to the scammers, who then get roped into a shopping fraud.

      These types of smishing attacks are also more and more used for identity theft, bank account take-overs, or to pressure employees into giving out personal or company confidential information. Fortune magazine has a new article about this, and they lead with a video made by USA Today which is great to send to your users as a reminder. An Australian researcher also just published data to suggest cybercriminals are getting better results using the phone these days.

      I suggest you send employees, friends and family an email with these two paragraphs about this Scam Of The Week, feel free to copy/paste/edit:

      "Bad guys are increasingly targeting you through your smartphone. They send texts that trick you into doing something against your own best interest. At the moment, there is a mystery shopping scam going on, starting out with a text invitation, asking you to send an email for more info which then gets you roped into the scam.

      Always, when you get a text, remember to "Think Before You Tap", because more and more, texts are used for identity theft, bank account take-overs and to pressure you into giving out personal or company confidential information. Here is a short video made by USA Today that shows how this works: https://www.youtube.com/watch?v=ffck9C4vqEM"

      Obviously, an end-user who was trained to spot social engineering red flags (PDF) would think twice before falling for these scams. The link goes to a complimentary job aid that you can print out and pin to your wall. Feel free to distribute this PDF to as many people as you can.

      Let's stay safe out there,

      Warm regards,

      Stu Sjouwerman

      Founder and CEO, KnowBe4, Inc.


      posted in IT Business
    • What are “WannaMine” attacks, and how do I avoid them?


      It's suddenly all over the news. In hindsight, it was a matter of "not if, but when".

      Sophos just warned against a new hybrid worm that combines the ETERNALBLUE exploit and cryptomining.

      ETERNALBLUE is the infamous escaped NSA code that was used in the WannaCry worm, so the combination of this method of breaking in, followed by a cryptomining payload, has been dubbed WannaMine.

      WannaMine attacks aren’t new, but the Sophos Support team has recently had a surge in the number of enquiries from people asking for advice about the issue. Sophos posted a 13 minute video interview.

      Here are the quick Questions and Answers, based on the video.

      Q. Is WannaMine like WannaCry? Is it ransomware that scrambles my disk?

      A. The name “WannaMine” is a coined term (pun intended) that refers to a malware family that uses the network spreading capabilities of WannaCry to deliver cryptomining malware rather than ransomware.

      Q. What is cryptomining malware? Is it as dangerous as ransomware?

      A. Cryptomining is when crooks secretly get your computer to do the calculations needed to generate cryptocurrency, such as Bitcoin, Monero or Ethereum; the crooks keep any cryptocoin proceeds for themselves.

      To make money with cryptomining, you need a lot of electricity to deliver a lot of processing power on a lot of computers.

      By illegally installing cryptominers inside your network, the crooks therefore steal your resources to do their work.

      Q. Can cryptomining damage my computer?

      A. We’ve seen stories of mobile phone batteries bulging due to overheating when the device was deliberately forced to do mining calculations for hours on end.

      However, WannaMine doesn’t run on mobile phones – it attacks Windows computers.

      Nevertheless, even if no permanent damage is done, you’ll probably find your laptop batteries draining much faster than usual, your fans running flat out, and your laptop being noticeably hotter than usual.

      Also, if malware like WannaMine can penetrate your network, you are at serious risk of other malware at the same time, including ransomware.

      We frequently see evidence of cryptomining left behind on computers that were zapped by ransomware, so don’t ignore WannaMine infections if they show up – where one crook goes, others will surely follow.

      Q. If I don’t own any cryptocoins and I’m not part of the cryptocurrency scene, am I still at risk?

      A. Yes.

      WannaMine malware attacks aren’t trying to locate your digital cryptocurrency stash and steal it.

      They want free use of your computer for cryptomining calculations of their own, whether you’re interested in cryptocurrency or not.

      Q. Can security software prevent WannaMine attacks?

      A. Yes.

      Exploit prevention software (e.g. Sophos Intercept X) can block the ETERNALBLUE attack to prevent malware like this from entering your network in the first place.

      Anti-virus and host intrusion prevention software (e.g. Sophos Endpoint Protection) can stop the malicious processes that allow the WannaMine attack to proceed, even if the exploit triggers at the start.

      Network security software (e.g. Sophos XG Firewall) can block the network activity required for malware like WannaMine to work.

      Q. What else can I do?

      A. Patch promptly, and pick proper passwords.

      WannaMine malware typically includes the same ETERNALBLUE exploit that was abused by WannaCry and allowed it to spread. This exploit was patched last year in Microsoft update MS17-010, so a properly patched network wouldn’t be open to the exploit in the first place.

      If the ETERNALBLUE hole is already closed, WannaMine can try to spread using password cracking tools to find weak passwords on your network.

      Sophos said: It only takes one user with poor password hygiene to put your whole network at risk.

      Here are three things you can do about this right now

      • Re-test your whole network for Patch MS17-010 and make 100% sure that all machines are indeed updated

      • Step your users through new-school security awareness training, and have them do the new Strong Passwords Module.

      • Download the free Weak Password Test tool, and immediately scan AD for passwords that need to be beefed up.

      How weak are your users’ passwords? Are they... P@ssw0rd?

      KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak password related threats.

      WPT gives you a quick look at the effectiveness of your password policies and any fails so that you can take action. WPT tests against 10 types of weak password related threats, for example: Weak, Duplicate, Empty, Never Expires, plus 6 more.

      Here's how Weak Password Test works:

      • Reports on the accounts that are affected

      • Tests against 10 types of weak password related threats

      • Does not show/report on the actual passwords of accounts

      • Just download, install and run it

      • Results in a few minutes!

      This will take you 5 minutes and may give you some insights you never expected!

      Download Now:

      https://info.knowbe4.com/weak-password-test

      Warm regards,

      Stu Sjouwerman
      Founder and CEO, KnowBe4, Inc.


      posted in IT Discussion
    • [Heads-up] Instant LinkedIn Hit: "Kevin Mitnick Demos The USB Ninja Cable Attack"

      The moment this 3-minute video was released on LinkedIn it went viral, had 900 likes, 90 comments, and well over 30K views in no time.

      Kevin Mitnick, KnowBe4's Chief Hacking Officer wrote: "I’m excited to share the new #USBNinja cable that uses Bluetooth to command the malicious cable to inject its payload onto a targeted machine. The transmitter range is up to 100m depending on the antenna used.

      "My sincere Congrats to Olaf, Dennis, Vincent Yiu and the rest of the RFID Team for such brilliant work. This work was borne out of the NSA’s COTTONMOUTH project disclosed by Edward Snowden. For those that are interested in the #USBNinja cable, this was formally codenamed USBHarpoon."

      Here is a link where you can see this brand new attack video yourself:
      https://blog.knowbe4.com/knowbe4s-chief-hacking-officer-kevin-mitnick-demonstrates-the-usb-ninja-cable-attack

      Warm regards, Stu

      posted in IT Discussion
    • These Incredibly Realistic Fake Faces Show How AI Can Now Mess With Us


      This starts to be more than a bit concerning. The faces in this post look like pretty normal humans. They could be social media shots. However, they were generated by a recent type of algorithm: generative adversarial network, or GAN.

      Nvidia researchers Tero Karras, Samuli Laine, and Timo Aila posted details of the method to produce completely imaginary fake faces with stunning, almost eerie, realism.

      GANs employ two "dueling" neural networks to train a model to learn the nature of a dataset well enough to generate convincing fakes. When you apply GANs to images, this provides a way to generate often highly realistic still fakes you could use for extremely hard to detect social engineering attacks, especially combined with deep fake videos.

      Here is the blog post with the links to the paper, still shots and example videos. Check it out and shiver:
      https://blog.knowbe4.com/these-incredibly-realistic-fake-faces-show-how-ai-can-now-mess-with-us

      Warm regards, Stu

      posted in IT Discussion
    • Why Social Engineering Works And How To Arm Yourself Against "Human Hacking"

      Let me share some observations after 7 years of building KnowBe4 from scratch into a 100 million dollar company.

      We train your employees to recognize social engineering attacks and not fall for hacker tactics that attempt to manipulate them into doing something against their and your interest. In short, we enable your employees to make smarter security decisions, every day.

      But what is the basic mechanism behind social engineering? Why exactly does it work? How do you arm yourself against it?

      Over the last 15 years, a lot of books have been written about this, and many experts have voiced their opinions. However, here is some hard-won experience from the trenches.

      We all know that the bad guys go after your users—the weak link in IT security—because hacking humans is easier and faster than hacking software or hardware. Hacking the wetware can often be done in less than a minute.

      OK, so exactly WHY is it so easy to hack the wetware?

      Let's have a look at people's behavior in general for a moment and paint a picture in your mind. Two extremes: fully rational on the left and fully irrational on the right. In a business environment, which ideally is driven by both reason and competition, there is of course no pure black or white, these two extremes are really a gray scale and employees operate hopefully left from the middle.


      How do the bad guys manipulate behavior? They attempt to influence—essentially bypass—rational behavior ("I'm not clicking that!") and force the user to the right into more irrational behavior ("I'm clicking that now!")

      In other words, they are pushing your users from rational behavior that's based on a cycle of observation, deciding, and acting, into a more irrational short circuit that's a knee-jerk reaction consisting of only observation -> action without the decision step.

      Here is an example of this in real-life battle

      Since the 1950s, U.S. Navy fighter pilots have been trained to understand and follow the OODA Loop: Observe, Orient, Decide and Act.

      From Wikipedia: The OODA loop is the decision cycle of observe, orient, decide, and act, developed by military strategist and United States Air Force Colonel John Boyd. Boyd applied the concept to the combat operations process, often at the operational level during military campaigns.


      Top Guns use the OODA loop in dogfights, and use a series of them in very short succession. Here is how that looks; check out the US Navy's Blue Angels in action:

      But the OODA loop can be applied in a number of ways, including business in general and here is how it applies to social engineering:

      1. Observation: Your end user is active in your organization getting their tasks done. Suddenly the end user observes something that seemingly they need to do something about, either to prevent a negative consequence or benefit from an opportunity. (The attacker's first attack vector.)

      2. Orientation: In business this refers to human judgement to put this into context with past experience and business understanding, to quickly predict what to do next. ("Hmm, I see phishing red flags here...")

      3. Decide: Using the data and orientation toward rational, productive behavior. ("I'm not clicking that!")

      4. Action: Putting that decision in motion. (User clicks on the Phish Alert Button instead.)

      Even without the heart-pounding thrill of barrel rolls and live-ammo contact with the enemy, the OODA Loop is a powerful weapon for everyone if they apply it correctly.

      The exact anatomy of social engineering

      The game for the bad guys is to get inside the OODA Loop and cut out the decide step. That is the exact anatomy of social engineering: subversion of the decision-making process.

      The bad guy wants your user to react without much (or any) rational thought. The click, or the opening of the attachment, is action based on emotion, a good example is the attacker artificially creating shock (Celebrity Death!) in the mind of your user.

      In the past, some people have tried to describe this process with terms like "influencing or activating the subconscious" which contains a hard-wired series of behavior patterns, like yanking your hand off a hot stove.

      What they really tried to describe was the omission of the "decide" step in the OODA Loop.

      So, how to arm your users against human hacking?

      Educate them about social engineering. Show them how it works. Train them how the bad guys try to manipulate employees. Explain the exact mechanism so that they actually understand it, and are able to apply what they learned in their work environment.

      A trained employee is much harder to fool, and dramatically less gullible when they are confronted with attack vectors that try to social engineer them. Step your users through new-school security awareness training.

      Get a quote and find out how surprisingly affordable this is for your organization.

      https://info.knowbe4.com/enterprise_get_a_quote_now

      posted in IT Discussion
    • New Sleeper Strain of SamSam Ransomware Bypasses AV And Stays Hidden On Your Network

      The ransomware strain that crippled several cities and school districts in the U.S. earlier this year is back with more tricks up its sleeve to avoid detection.

      If you haven’t heard of SamSam, you haven’t been paying attention. Just one example of the kind of destruction they can cause is the recent attack on the Colorado Department of Transportation which caused downtime for 2,000+ systems.

      This new SamSam strain adds a human element to its already devious mix of evasive techniques to keep antivirus, endpoint, and even more advanced security software from detecting it.

      SamSam avoids being discovered using sophisticated methods of constructing its payload and how it executes. In their recent blog, endpoint protection company Malwarebytes provides a detailed technical explanation of how this new variant of SamSam works.

      Your Executive Summary

      Your executive summary is that basically this SamSam strain avoids detection using three advanced techniques.

      • It decrypts the payload only at run-time, making it nearly impossible to identify and analyze.
      • Its loader, payload, and logs are wiped, leaving very few traces behind for any forensics or scanning tools.
      • It requires a password to be entered by the threat actor to run in the first place.

      It’s that last part of the attack that makes this latest strain so dangerous. Unlike most ransomware strains which are designed to spread automatically, this new strain of SamSam is designed for targeted attacks.

      By requiring a password, the payload remains encrypted (and, therefore, an absolute secret), only woken up when and where the bad guys choose to unleash it in your network, all at the same moment to create the biggest impact and damage.

      Do You Want The Good News Or The Bad News?

      The good news is that, should users accidentally download this strain of ransomware, or your network is compromised via an RDP brute-force attack, the payload is harmless without the password to run it. The bad news is, should the SamSam gang decide that your organization is next up to be extorted, all your users will be sitting on their hands for possibly weeks if your backups fail.

      The Two Problems: Open RDP Ports And Social Engineering

      Gangs like SamSam and Crysis use two main attack vectors to get in. RDP ports and social engineering your users, normally through email attachments. Let's take a look at RDP first.

      RDP Attack

      A typical RDP attack goes through the following steps: An attacker picks targets with RDP ports available online and identifies if the computer is assigned to an enterprise network. Alternatively, he can always buy access to previously hacked RDP servers, via marketplaces like xDedic.

      They try to brute-force the RDP connection, and once the system is accessed they return multiple times to quickly compromise the machine. These repeated attempts are generally successful in a matter of minutes.

      Once they gain access the attacker goes lateral in the network and infects critical machines, but does not get the ransomware code executed... yet.

      Social Engineering Your Users

      Recent research shows that between 10.5% and 15% of malicious email makes it through the filters. This gap analysis is the best proof that you should train your end users and create an additional security layer that you could call your Human Firewall.

      Five Things You Can Do About This Right Away:

      1. When is the last time you tested the restore function of your backups? You want to do that ASAP, and make sure you have weapons-grade backups at all times.

      2. Scan your network to identify any open RDP ports and ideally disable RDP completely on all Windows machines if possible. By default, the server listens on TCP port 3389 and UDP port 3389.

      3. Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.

      4. An RDP brute force approach does open the attacker’s information to the targeted network, so automate the process of parsing the Windows Event Viewer logs, find any compromised user accounts, identify the IP address of the attacker and block that.

      5. Do a no-charge Phishing Security Test and find out what percentage of your users is Phish-prone. Use that percentage as a catalyst to start a new-school security awareness training program, which—by survey—your users are actually going to appreciate because it helps them stay safe on the internet at the house.

      Let's stay safe out there.

      Warm regards,
      Stu Sjouwerman
      Founder and CEO,
      KnowBe4, Inc

      posted in IT Discussion
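Step 4 of the SamSam post above (parse the Windows Event Viewer logs, find compromised accounts, identify the attacker's IP and block it) as an added worked example; this is not KnowBe4's or the poster's code. It assumes a constructed, simplified one-line-per-event rendering of the Security log fields from events 4625 (failed logon) and 4624 (successful logon), only counts LogonType 10 (RDP sessions), and the failure threshold and time window are assumptions, not Microsoft guidance.

```python
"""Flag RDP brute-force sources and the accounts they got into."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int    # 4625 = failed logon, 4624 = successful logon
    logon_type: int  # 10 = RemoteInteractive, i.e. an RDP session
    user: str
    ip: str


# Constructed sample, NOT a real export: one event per line with only the
# Security log fields this check needs. 203.0.113.x is a documentation range.
SAMPLE_LOG = """\
2018-08-01T02:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-08-01T02:00:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2018-08-01T02:00:05 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2018-08-01T02:00:07 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2018-08-01T02:00:09 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2018-08-01T02:00:11 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2018-08-01T02:05:00 EventID=4625 LogonType=10 TargetUserName=mjones IpAddress=10.0.0.5
2018-08-01T02:05:20 EventID=4624 LogonType=10 TargetUserName=mjones IpAddress=10.0.0.5
2018-08-01T03:00:00 EventID=4625 LogonType=3 TargetUserName=svc-backup IpAddress=203.0.113.9
2018-08-01T03:00:01 EventID=4625 LogonType=3 TargetUserName=svc-backup IpAddress=203.0.113.9
"""

FAIL_THRESHOLD = 5               # assumed: failures from one IP inside WINDOW
WINDOW = timedelta(minutes=10)   # assumed sliding window


def parse_log(text):
    """Turn the simplified log lines into LogonEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(LogonEvent(
            time=datetime.fromisoformat(stamp),
            event_id=int(fields["EventID"]),
            logon_type=int(fields["LogonType"]),
            user=fields["TargetUserName"],
            ip=fields["IpAddress"],
        ))
    return events


def find_rdp_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (ips_to_block, compromised_accounts).

    An IP is a brute-force source once it produces `threshold` failed RDP
    logons inside `window`. An account counts as compromised when a
    successful RDP logon from such an IP follows its failure burst.
    """
    rdp = sorted((e for e in events if e.logon_type == 10), key=lambda e: e.time)
    fails = defaultdict(list)   # ip -> timestamps of recent failed logons
    flagged = {}                # ip -> time the threshold was crossed
    compromised = set()
    for e in rdp:
        if e.event_id == 4625:
            bucket = fails[e.ip]
            bucket.append(e.time)
            while bucket and e.time - bucket[0] > window:   # drop stale failures
                bucket.pop(0)
            if len(bucket) >= threshold and e.ip not in flagged:
                flagged[e.ip] = e.time
        elif e.event_id == 4624 and e.ip in flagged and e.time >= flagged[e.ip]:
            compromised.add((e.user, e.ip))
    return set(flagged), compromised


def block_rule(ip):
    """Windows Firewall command that blocks inbound traffic from `ip`."""
    return (f'netsh advfirewall firewall add rule name="Block RDP brute-force {ip}" '
            f"dir=in action=block remoteip={ip}")


def analyze_log(text):
    return find_rdp_brute_force(parse_log(text))


if __name__ == "__main__":
    ips, accounts = analyze_log(SAMPLE_LOG)
    for ip in sorted(ips):
        print(block_rule(ip))
    for user, ip in sorted(accounts):
        print(f"reset credentials for {user} (logged in from {ip} after a failure burst)")
```

On the sample, 10.0.0.5 (one typo, then success) and the non-RDP failures from 203.0.113.9 are left alone; only 203.0.113.7 is blocked and jsmith is reported as compromised.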
    • Second Quarter 2018 Top-Clicked Phishing Email Subjects [INFOGRAPHIC]

      We've been reporting on the top-clicked phishing email subjects every quarter for a while now across three different categories: general emails, those related to social media, and 'in the wild' attacks that are a result of millions of users clicking on the Phish Alert Button on real phishing emails and allowing our team to analyze the results.

      Make Your Users Think Twice

      Sharing the latest threats with users is a great way to keep them on their toes. Also we see a lot of similarities in the subjects quarter over quarter, so knowing what the popular ones are can help them to stay vigilant and ultimately think twice before clicking. The bad guys continue to take advantage of the human psyche and bypass rational behavior.

      Using Human Nature Against Us

      “Hackers are smart and know how to leverage multiple psychological triggers to get the attention of an innocent victim. In today’s world, it’s imperative that businesses continually educate their employees about the tactics that hackers are using so they can be savvy and not take an email at face-value. Hackers will continue to become more sophisticated with the tactics they use and advance their utilization of social engineering in order to get what they want,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4.

      Here is a visual representation of top messages for the last quarter.

      Warm regards, Stu

      posted in IT Discussion
    • RE: NotPetya Might Not Have Been an NSA Leak

      After monitoring this new outbreak for 24 hours, I came to the conclusion we were dealing with cyber warfare, and not ransomware. Two separate reports coming from Comae Technologies and Kaspersky Lab experts confirm this now.

      NotPetya is a destructive disk wiper similar to Shamoon, which has been targeting Saudi Arabia in the recent past. Note that Shamoon actually deleted files; NotPetya goes about it slightly differently: it does not delete any data but simply makes it unusable by locking the files and then throwing away the key. The end result is the same.

      Someone is hijacking known ransomware families and using them to attack Ukrainian computer systems. Guess who.

      You never had a chance to recover your files. There are several technical indicators that NotPetya was only made to look like ransomware as a smoke screen:

      • It never bothers to generate a valid infection ID
      • The Master File Table gets overwritten and is not recoverable
      • The author of the original Petya also made it clear NotPetya was not his work

      This has actually happened earlier. Foreshadowing the NotPetya attack, the author of the AES-NI ransomware said in May he did not create the XData ransomware, which was also used in targeted attacks against Ukraine. Furthermore, both XData and NotPetya used the same distribution vector, the update servers of a Ukrainian accounting software maker.

      Catalin Cimpanu, the Security News Editor for Bleepingcomputer stated: "The consensus on NotPetya has shifted dramatically in the past 24 hours, and nobody would be wrong to say that NotPetya is on the same level with Stuxnet and BlackEnergy, two malware families used for political purposes and for their destructive effects. Evidence is clearly mounting that NotPetya is a cyber-weapon and not just some overly-aggressive ransomware."

      Cybersecurity has moved from tech to a CEO and Board-level business issue

      You did not sign up for this, but today it is abundantly clear that as an IT pro you have just found yourself on the front line of 21st-century cyber war. Cybersecurity has moved from tech to a CEO and Board-level business issue. I strongly suggest you have another look at your defense-in-depth, and make sure to:

      • Have weapons-grade backups
      • Religiously patch
      • Step users through new-school security awareness training.

      posted in News

    Latest posts made by stus

    • Your Boss NEEDS To Read This WSJ Article About Our Power Grid And How The Russians Hacked It With Phishing


      In a Jan 10, 2019 article, the Wall Street Journal reconstructed the worst known hack into the USA's power grid revealing attacks on hundreds of small contractors.

      The title is very apt: "America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It".

      It's so relevant because it describes a very effective supply-chain attack that could happen to your own organization as well. The article focuses on the spear phishing and watering hole attacks that compromised small contractors and gave the attackers a footprint to hack further up the power grid chain. Remember the Target hack?

      The Wall Street Journal pieced together this account of how the attack unfolded through documents, computer records and interviews with people at the affected companies, current and former government officials and security-industry investigators. Some experts believe two dozen or more utilities ultimately were breached.

      It's a must-read because this is the No.1 vulnerability that leads to the dreaded data breach. If I were you I would sit down with your management team and do the following exercise:

      • Identify the top 5 suppliers that would cause downtime or serious disruption of your production if they would get hacked or were off the air

      • Find out if they only require once-a-year awareness training just to be compliant

      • To keep their business as your supplier, require them to sign up with KnowBe4, and deliver you the evidence that their users have stepped through the 45-minute module and get sent simulated phishing attacks once a month. As you see, I'm dead serious here.

      This excellent WSJ reporting demonstrates again that your own employees need to be the strongest human firewall possible, and that your suppliers also need to be part of that same defense-in-depth strategy.

      Here is the link to that article one more time, so you can cut & paste it. This may be the most important article related to InfoSec your C-levels read this year. Make sure they do:

      https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112

      Let's stay safe out there.

      Warm regards,

      Stu Sjouwerman

      Founder and CEO, KnowBe4, Inc


      posted in IT Discussion phishing hacking securityawarenesstraining
      stus
    • These Incredibly Realistic Fake Faces Show How AI Can Now Mess With Us


      This starts to be more than a bit concerning. The faces in this post look like pretty normal humans. They could be social media shots. However, they were generated by a recent type of algorithm: generative adversarial network, or GAN.

      Nvidia researchers Tero Karras, Samuli Laine, and Timo Aila posted details of the method to produce completely imaginary fake faces with stunning, almost eerie, realism.

      GANs employ two "dueling" neural networks to train a model to learn the nature of a dataset well enough to generate convincing fakes. When you apply GANs to images, this provides a way to generate often highly realistic still fakes you could use for extremely hard to detect social engineering attacks, especially combined with deep fake videos.

      Here is the blog post with the links to the paper, still shots and example videos. Check it out and shiver:
      https://blog.knowbe4.com/these-incredibly-realistic-fake-faces-show-how-ai-can-now-mess-with-us

      Warm regards, Stu

      posted in IT Discussion
      stus
    • [Scam Of The Week] New Sextortion Attacks Take A Dark Turn And Infect People With GandCrab Ransomware


      Our friends at Proofpoint reported that last week employees in the United States were bombarded by a spam attack that pushed a double-whammy of a sextortion attempt combined with a possible ransomware infection.

      Starting around May 2018, there have been a number of attack waves pushing different versions of sextortion threats.

      There have been sextortion scams where the criminals claimed they were from China, where the hackers claimed they intercepted a user's computer cache data, where the hackers claimed to have hacked all of a victim's online accounts, where crooks claimed they hacked the victim's phone, or where crooks claimed to have recorded the user via his webcam while visiting adult sites.

      These themes vary almost on a weekly basis, as scammers professionally test different themes and tactics to determine the best ROI. And they've been making money hand over fist.

      But this week, sextortion scams took another dangerous turn. Security researchers at Proofpoint blogged they've seen a variation of a sextortion scam campaign that included a download link at the bottom of the blackmail message.

      The scammers claimed to have a video of the user pleasuring himself while visiting adult sites, and they urged the user to access the link and see for himself. But Proofpoint says that instead of a video, users received a ZIP file with a set of malicious files inside.

      Users who downloaded and ran these files would be infected by the AZORult malware, which would immediately download and install the GandCrab ransomware. Even if the user had no intention of paying the sextortion demand, curious users would still end up being held for ransom if they were careless enough to follow the link and ran the files they received.

      You should warn your users to delete these emails, or better yet, click on the (free) Phish Alert Button and report them to your organization's IT Incident Response team.

      I suggest you send the following to your employees in high-risk jobs specifically. You're welcome to copy, paste, and/or edit:

      The bad guys are getting more and more dangerous with sextortion scams. They now send you an email that claims they have a video of you watching an inappropriate website, and that you can download that video and see it for yourself. But if you do, your computer gets infected with ransomware! If any emails of this type make it through the spam filters, please follow our organization's email security policy, and Think Before You Click! [OPTIONAL] Click on the Phish Alert Button to delete it from your inbox and at the same time alert IT about this scam.

      Do your users know what to do when they receive a suspicious email?

      Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

      KnowBe4’s Phish Alert button now also works with Outlook Mobile for iOS and Android. This enables your users to report suspicious emails from not only their computer but from their mobile inbox as well.

      (If you’re running Office 365 and want to give your end-users the ability to report suspicious emails from their mobile inbox, you can enable the official Outlook Mobile app for iOS or Android directly from the KnowBe4 console.)

      The Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click!

      Best of all, there is no charge!

      • Reinforces your organization's security culture
      • Incident Response gets early phishing alerts from users, creating a network of “sensors”
      • Email is deleted from the user's inbox to prevent future exposure
      • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)

      This is a great way to better manage the problem of social engineering. Compliments of KnowBe4!

      Here is a link you can cut and paste into your browser to get the Phish Alert Button https://info.knowbe4.com/free-phish-alert

      Warm regards, Stu

      posted in IT Discussion
      stus
    • [Heads-up] Instant LinkedIn Hit: "Kevin Mitnick Demos The USB Ninja Cable Attack"

      The moment this 3-minute video was released on LinkedIn it went viral, had 900 likes, 90 comments, and well over 30K views in no time.

      Kevin Mitnick, KnowBe4's Chief Hacking Officer wrote: "I’m excited to share the new
      #USBNinja cable that uses Bluetooth to command the malicious cable to inject its
      payload onto a targeted machine. The transmitter range is up to 100m depending on the antenna used.

      "My sincere Congrats to Olaf, Dennis, Vincent Yiu and the rest of the RFID Team for
      such brilliant work. This work was borne out of the NSA’s COTTONMOUTH project
      disclosed by Edward Snowden. For those that are interested in the #USBNinja cable,
      this was formally codenamed USBHarpoon."

      Here is a link where you can see this brand new attack video yourself:
      https://blog.knowbe4.com/knowbe4s-chief-hacking-officer-kevin-mitnick-demonstrates-the-usb-ninja-cable-attack

      Warm regards, Stu

      posted in IT Discussion
      stus
    • Brand-New Tool: Domain Doppelgänger Identifies Evil Twin Domains

      I'm excited to announce the actual release of a new tool to help protect your organization from the bad guys.

      Phishing is still the most widely used cyber attack vector, and criminal attack campaigns often use spoofed websites to deceive your users so they simply allow the bad guys to take over your network.

      Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

      Our NEW Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now.

      Better yet, with these results you can now generate an online assessment test to see what your users are able to recognize as “safe” domains for your organization. You then receive a summary of the test results to understand how security-aware your users are when it comes to identifying potentially fraudulent or phishy domains.

      With Domain Doppelgänger, you can:

      • Search for existing and potential look-alike domains
      • Get a report with aggregated results that includes risk indicators, and
      • Generate an online “domain safety” quiz based on the results to administer to your end users

      This is a complimentary tool and will take only a few minutes. Domain Doppelgänger helps you find the threat before it is used against you.
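The three capabilities listed above (finding look-alike candidates, attaching a risk indicator, and turning the results into a "domain safety" quiz) in a small stand-alone script. This is an added example, not KnowBe4's Domain Doppelgänger code; the domain `examplebank.com`, the substitution table and the risk weights are my own constructed assumptions.

```python
"""Generate look-alike ("evil twin") candidates for a domain you own, rank them by
how easily a user would mistake them for the real thing, and build a quiz from
the results. Added example; not KnowBe4's Domain Doppelganger implementation."""
import random

# Visually confusable substitutions (assumed table, not exhaustive).
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
    "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"], "e": ["3"], "a": ["4"],
}
COMMON_TLDS = ["com", "net", "org", "co", "info"]

# Assumed risk weights: higher means harder for a user to spot at a glance.
RISK = {"homoglyph": 3, "tld_swap": 3, "omission": 2, "transposition": 2,
        "repetition": 1, "hyphenation": 1}


def split_domain(domain):
    """'examplebank.com' -> ('examplebank', 'com')."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def generate_candidates(domain):
    """Return {candidate_domain: technique}; the first technique that produces a
    string wins, and the genuine domain itself is never returned."""
    label, tld = split_domain(domain)
    out = {}
    # Homoglyph substitution: 'm' -> 'rn', 'l' -> '1', ...
    for i in range(len(label)):
        for src, repls in HOMOGLYPHS.items():
            if label.startswith(src, i):
                for r in repls:
                    out.setdefault(f"{label[:i]}{r}{label[i + len(src):]}.{tld}", "homoglyph")
    # Single-character omission.
    for i in range(len(label)):
        out.setdefault(f"{label[:i]}{label[i + 1:]}.{tld}", "omission")
    # Adjacent-character transposition.
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            out.setdefault(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}", "transposition")
    # Doubled character.
    for i in range(len(label)):
        out.setdefault(f"{label[:i]}{label[i]}{label[i]}{label[i + 1:]}.{tld}", "repetition")
    # Hyphen inserted between characters.
    for i in range(1, len(label)):
        out.setdefault(f"{label[:i]}-{label[i:]}.{tld}", "hyphenation")
    # Same label under another common TLD.
    for other in COMMON_TLDS:
        if other != tld:
            out.setdefault(f"{label}.{other}", "tld_swap")
    out.pop(domain.lower(), None)
    return out


def risk_report(domain):
    """Sorted list of (risk, candidate, technique), highest risk first. A real
    monitoring job would additionally check which candidates are registered."""
    rows = [(RISK[tech], cand, tech) for cand, tech in generate_candidates(domain).items()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def make_quiz(domain, decoys=4, seed=0):
    """Mix the genuine domain with high-risk look-alikes for a 'which one is safe?'
    quiz. Returns a shuffled list of {'domain': ..., 'safe': bool}."""
    rng = random.Random(seed)
    pool = [cand for _, cand, _ in risk_report(domain)[:max(decoys * 3, decoys)]]
    items = [{"domain": domain.lower(), "safe": True}]
    items += [{"domain": d, "safe": False} for d in rng.sample(pool, decoys)]
    rng.shuffle(items)
    return items


if __name__ == "__main__":
    for risk, cand, tech in risk_report("examplebank.com")[:10]:
        print(f"{risk}  {cand:24s} {tech}")
    print(make_quiz("examplebank.com"))
```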

      Find your look-alike domains here:

      Copy & paste this link into your browser:

      https://www.knowbe4.com/domain-doppelganger

      Warm regards, Stu

      posted in IT Discussion
      stus
    • Second Quarter 2018 Top-Clicked Phishing Email Subjects [INFOGRAPHIC]

      We've been reporting on the top-clicked phishing email subjects every quarter for a while now across three different categories: general emails, those related to social media, and 'in the wild' attacks that are a result of millions of users clicking on the Phish Alert Button on real phishing emails and allowing our team to analyze the results.

      Make Your Users Think Twice

      Sharing the latest threats with users is a great way to keep them on their toes. Also we see a lot of similarities in the subjects quarter over quarter, so knowing what the popular ones are can help them to stay vigilant and ultimately think twice before clicking. The bad guys continue to take advantage of the human psyche and bypass rational behavior.

      Using Human Nature Against Us

      “Hackers are smart and know how to leverage multiple psychological triggers to get the attention of an innocent victim. In today’s world, it’s imperative that businesses continually educate their employees about the tactics that hackers are using so they can be savvy and not take an email at face-value. Hackers will continue to become more sophisticated with the tactics they use and advance their utilization of social engineering in order to get what they want,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4.

      Here is a visual representation of top messages for the last quarter.

      Warm regards, Stu

      posted in IT Discussion
      stus
    • New Sleeper Strain of SamSam Ransomware Bypasses AV And Stays Hidden On Your Network

      The ransomware strain that crippled several cities and school districts in the U.S. earlier this year is back with more tricks up its sleeve to avoid detection.

      If you haven’t heard of SamSam, you haven’t been paying attention. Just one example of the kind of destruction they can cause is the recent attack on the Colorado Department of Transportation which caused downtime for 2,000+ systems.

      This new SamSam strain adds a human element to its already devious mix of evasive techniques to keep antivirus, endpoint, and even more advanced security software from detecting it.

      SamSam avoids being discovered using sophisticated methods of constructing its payload and how it executes. In their recent blog, endpoint protection company Malwarebytes provides a detailed technical explanation of how this new variant of SamSam works.

      Your Executive Summary

      Your executive summary is that basically this SamSam strain avoids detection using three advanced techniques.

      • It decrypts the payload only at run-time, making it nearly impossible to identify and analyze.
      • Its loader, payload, and logs are wiped, leaving very few traces behind for any forensics or scanning tools.
      • It requires a password to be entered by the threat actor to run in the first place.

      It’s that last part of the attack that makes this latest strain so dangerous. Unlike most ransomware strains which are designed to spread automatically, this new strain of SamSam is designed for targeted attacks.

      By requiring a password, the payload remains encrypted (and, therefore, an absolute secret), only woken up when and where the bad guys choose to unleash it in your network, all at the same moment to create the biggest impact and damage.

      Do You Want The Good News Or The Bad News?

      The good news is that, should users accidentally download this strain of ransomware, or your network is compromised via an RDP brute-force attack, the payload is harmless without the password to run it. The bad news is, should the SamSam gang decide that your organization is next up to be extorted, all your users will be sitting on their hands for possibly weeks if your backups fail.

      The Two Problems: Open RDP Ports And Social Engineering

      Gangs like SamSam and Crysis use two main attack vectors to get in: RDP ports and social engineering your users, normally through email attachments. Let's take a look at RDP first.

      RDP Attack

      A typical RDP attack goes through the following steps: An attacker picks targets with RDP ports available online and identifies if the computer is assigned to an enterprise network. Alternatively, he can always buy access to previously hacked RDP servers, via marketplaces like xDedic.

      They try to brute-force the RDP connection, and once the system is accessed they return multiple times to quickly compromise the machine. These repeated attempts are generally successful in a matter of minutes.

      Once they gain access the attacker goes lateral in the network and infects critical machines, but does not get the ransomware code executed... yet.

      Social Engineering Your Users

      Recent research shows that between 10.5% and 15% of malicious email makes it through the filters. This gap analysis is the best proof that you should train your end users and create an additional security layer that you could call your Human Firewall.

      Five Things You Can Do About This Right Away:

      1. When is the last time you tested the restore function of your backups? You want to do that ASAP, and make sure you have weapons-grade backups at all times.

      2. Scan your network to identify any open RDP ports and ideally disable RDP completely on all Windows machines if possible. By default, the server listens on TCP port 3389 and UDP port 3389.

      3. Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.

      4. An RDP brute force approach does open the attacker’s information to the targeted network, so automate the process of parsing the Windows Event Viewer logs, find any compromised user accounts, identify the IP address of the attacker and block that.

      5. Do a no-charge Phishing Security Test and find out what percentage of your users is Phish-prone. Use that percentage as a catalyst to start a new-school security awareness training program, which—by survey—your users are actually going to appreciate because it helps them stay safe on the internet at the house.
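Step 4 above asks you to automate parsing the Windows event logs, find the accounts that were compromised, and block the attacker's IP. The script below does that over an export of Security-log events (EventID 4625 = failed logon, 4624 = successful logon); it is an added example, not code from the post or from Malwarebytes, and the event records, IP addresses, user names and thresholds are constructed for illustration.

```python
"""Parse exported Windows Security-log events to spot RDP brute-force and the
accounts it compromised, then emit firewall rules that block the source IPs.
Added example for this thread; not KnowBe4 or Malwarebytes code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of a Security-log export (for example
# Get-WinEvent output saved as CSV). Documentation IP ranges, not real attackers.
SAMPLE_EVENTS = [
    {"time": "2018-08-01T02:00:01", "id": 4625, "user": "administrator", "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2018-08-01T02:00:04", "id": 4625, "user": "administrator", "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2018-08-01T02:00:09", "id": 4625, "user": "admin", "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2018-08-01T02:00:15", "id": 4625, "user": "jsmith", "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2018-08-01T02:00:22", "id": 4625, "user": "jsmith", "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2018-08-01T02:00:30", "id": 4625, "user": "jsmith", "logon_type": 10, "ip": "203.0.113.7"},
    {"time": "2018-08-01T02:01:05", "id": 4624, "user": "jsmith", "logon_type": 10, "ip": "203.0.113.7"},
    # Slow guessing, one attempt every 40 minutes: per-window counting misses
    # this, so also review total failure counts per IP over the whole export.
    {"time": "2018-08-01T03:00:00", "id": 4625, "user": "administrator", "logon_type": 3, "ip": "192.0.2.50"},
    {"time": "2018-08-01T03:40:00", "id": 4625, "user": "administrator", "logon_type": 3, "ip": "192.0.2.50"},
    {"time": "2018-08-01T04:20:00", "id": 4625, "user": "administrator", "logon_type": 3, "ip": "192.0.2.50"},
    # A user mistyping a password twice, then logging in: benign.
    {"time": "2018-08-01T09:15:00", "id": 4625, "user": "mlee", "logon_type": 10, "ip": "198.51.100.23"},
    {"time": "2018-08-01T09:15:40", "id": 4625, "user": "mlee", "logon_type": 10, "ip": "198.51.100.23"},
    {"time": "2018-08-01T09:16:10", "id": 4624, "user": "mlee", "logon_type": 10, "ip": "198.51.100.23"},
    # Console (interactive) failure with no source address: not RDP.
    {"time": "2018-08-01T09:20:00", "id": 4625, "user": "svc_backup", "logon_type": 2, "ip": "-"},
]

FAIL_THRESHOLD = 5                # failed logons from one IP ...
WINDOW = timedelta(minutes=10)    # ... inside any 10-minute sliding window
# LogonType 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP attempts are commonly logged as LogonType 3 (Network).
RDP_LOGON_TYPES = {3, 10}


def _when(rec):
    return datetime.fromisoformat(rec["time"])


def find_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {ip: peak_failures} for source IPs whose failed RDP logons reach
    `threshold` inside `window` (sliding window per IP)."""
    failures = defaultdict(list)
    for rec in events:
        if rec["id"] == 4625 and rec["logon_type"] in RDP_LOGON_TYPES and rec["ip"] not in ("-", ""):
            failures[rec["ip"]].append(_when(rec))
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def find_compromised_accounts(events, offenders):
    """Accounts with a successful logon (4624) from an offending IP: treat them
    as compromised (reset credentials, review their sessions). Sorted (user, ip)."""
    hits = {(rec["user"], rec["ip"]) for rec in events
            if rec["id"] == 4624 and rec["ip"] in offenders}
    return sorted(hits)


def firewall_block_commands(offenders):
    """netsh rules blocking inbound TCP/3389 (the default RDP port named in the
    post) from each offending IP. Review before running on a production host."""
    return [
        f'netsh advfirewall firewall add rule name="Block RDP brute-force {ip}" '
        f'dir=in action=block protocol=TCP localport=3389 remoteip={ip}'
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    bad = find_brute_force(SAMPLE_EVENTS)
    print("brute-force sources:", bad)
    print("likely compromised accounts:", find_compromised_accounts(SAMPLE_EVENTS, bad))
    for cmd in firewall_block_commands(bad):
        print(cmd)
```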

      Let's stay safe out there.

      Warm regards,
      Stu Sjouwerman
      Founder and CEO,
      KnowBe4, Inc

      posted in IT Discussion
      stus
    • Why Social Engineering Works And How To Arm Yourself Against "Human Hacking"

      Let me share some observations after 7 years of building KnowBe4 from scratch into a 100 million dollar company.

      We train your employees to recognize social engineering attacks and not fall for hacker tactics that attempt to manipulate them into doing something against their and your interest. In short, we enable your employees to make smarter security decisions, every day.

      But what is the basic mechanism behind social engineering? Why exactly does it work? How do you arm yourself against it?
      Over the last 15 years, a lot of books have been written about this, and many experts have voiced their opinions. However, here is some hard-won experience from the trenches.

      We all know that the bad guys go after your users—the weak link in IT security—because hacking humans is easier and faster than hacking software or hardware. Hacking the wetware can often be done in less than a minute.

      OK, so exactly WHY is it so easy to hack the wetware?

      Let's have a look at people's behavior in general for a moment and paint a picture in your mind. Two extremes: fully rational on the left and fully irrational on the right. In a business environment, which ideally is driven by both reason and competition, there is of course no pure black or white; these two extremes are really a gray scale, and employees hopefully operate left of the middle.


      How do the bad guys manipulate behavior? They attempt to influence—essentially bypass—rational behavior ("I'm not clicking that!") and force the user to the right into more irrational behavior ("I'm clicking that now!")

      In other words, they are pushing your users from rational behavior that's based on a cycle of observation, deciding, and acting, into a more irrational short circuit that's a knee-jerk reaction consisting of only observation -> action without the decision step.

      Here is an example of this in real-life battle

      Since the 1950s, U.S. Navy fighter pilots have been trained to understand and follow the OODA Loop: Observe, Orient, Decide and Act.

      From Wikipedia: The OODA loop is the decision cycle of observe, orient, decide, and act, developed by military strategist and United States Air Force Colonel John Boyd. Boyd applied the concept to the combat operations process, often at the operational level during military campaigns.


      Top Guns use the OODA loop in dogfights, and use a series of them in very short succession. Here is how that looks. Check out the US Navy's Blue Angels in action:

      But the OODA loop can be applied in a number of ways, including business in general and here is how it applies to social engineering:

      1. Observation: Your end user is active in your organization getting their tasks done. Suddenly the end user observes something that seemingly they need to do something about, either to prevent a negative consequence or benefit from an opportunity. (The attacker's first attack vector.)

      2. Orientation: In business this refers to human judgement to put this into context with past experience and business understanding, to quickly predict what to do next. ("Hmm, I see phishing red flags here...")

      3. Decide: Using the data and orientation, decide toward rational, productive behavior. ("I'm not clicking that!")

      4. Action: Putting that decision in motion. (User clicks on the Phish Alert Button instead.)

      Even without the heart-pounding thrill of barrel rolls and live-ammo contact with the enemy, the OODA Loop is a powerful weapon for everyone if they apply it correctly.

      The exact anatomy of social engineering

      The game for the bad guys is to get inside the OODA Loop and cut out the decide step. That is the exact anatomy of social engineering: subversion of the decision-making process.

      The bad guy wants your user to react without much (or any) rational thought. The click, or the opening of the attachment, is action based on emotion; a good example is the attacker artificially creating shock (Celebrity Death!) in the mind of your user.

      In the past, some people have tried to describe this process with terms like "influencing or activating the subconscious" which contains a hard-wired series of behavior patterns, like yanking your hand off a hot stove.

      What they really tried to describe was the omission of the "decide" step in the OODA Loop.

      So, how to arm your users against human hacking?

      Educate them about social engineering. Show them how it works. Train them how the bad guys try to manipulate employees. Explain the exact mechanism so that they actually understand it, and are able to apply what they learned in their work environment.

      A trained employee is much harder to fool, and dramatically less gullible when they are confronted with attack vectors that try to social engineer them. Step your users through new-school security awareness training.

      Get a quote and find out how surprisingly affordable this is for your organization.

      https://info.knowbe4.com/enterprise_get_a_quote_now

      posted in IT Discussion
      stus
    • What are “WannaMine” attacks, and how do I avoid them?


      It's suddenly all over the news. In hindsight, it was a matter of "not if, but when".

      Sophos just warned against a new hybrid worm that combines the ETERNALBLUE exploit and cryptomining.

      ETERNALBLUE is the infamous escaped NSA code that was used in the WannaCry worm, so the combination of this method of breaking in, followed by a cryptomining payload, has been dubbed WannaMine.

      WannaMine attacks aren’t new, but the Sophos Support team has recently had a surge in the number of enquiries from people asking for advice about the issue. Sophos posted a 13 minute video interview.

      Here are the quick Questions and Answers, based on the video.

      Q. Is WannaMine like WannaCry? Is it ransomware that scrambles my disk?

      A. The name “WannaMine” is a coined term (pun intended) that refers to a malware family that uses the network spreading capabilities of WannaCry to deliver cryptomining malware rather than ransomware.

      Q. What is cryptomining malware? Is it as dangerous as ransomware?

      A. Cryptomining is when crooks secretly get your computer to do the calculations needed to generate cryptocurrency, such as Bitcoin, Monero or Ethereum; the crooks keep any cryptocoin proceeds for themselves.

      To make money with cryptomining, you need a lot of electricity to deliver a lot of processing power on a lot of computers.

      By illegally installing cryptominers inside your network, the crooks therefore steal your resources to do their work.

      Q. Can cryptomining damage my computer?

      A. We’ve seen stories of mobile phone batteries bulging due to overheating when the device was deliberately forced to do mining calculations for hours on end.

      However, WannaMine doesn’t run on mobile phones – it attacks Windows computers.

      Nevertheless, even if no permanent damage is done, you’ll probably find your laptop batteries draining much faster than usual, your fans running flat out, and your laptop being noticeably hotter than usual.

      Also, if malware like WannaMine can penetrate your network, you are at serious risk of other malware at the same time, including ransomware.

      We frequently see evidence of cryptomining left behind on computers that were zapped by ransomware, so don’t ignore WannaMine infections if they show up – where one crook goes, others will surely follow.

      Q. If I don’t own any cryptocoins and I’m not part of the cryptocurrency scene, am I still at risk?

      A. Yes.

      WannaMine malware attacks aren’t trying to locate your digital cryptocurrency stash and steal it.

      They want free use of your computer for cryptomining calculations of their own, whether you’re interested in cryptocurrency or not.

      Q. Can security software prevent WannaMine attacks?

      A. Yes.

      Exploit prevention software (e.g. Sophos Intercept X) can block the ETERNALBLUE attack to prevent malware like this from entering your network in the first place.

      Anti-virus and host intrusion prevention software (e.g. Sophos Endpoint Protection) can stop the malicious processes that allow the WannaMine attack to proceed, even if the exploit triggers at the start.

      Network security software (e.g. Sophos XG Firewall) can block the network activity required for malware like WannaMine to work.

      Q. What else can I do?

      A. Patch promptly, and pick proper passwords.

      WannaMine malware typically includes the same ETERNALBLUE exploit that was abused by WannaCry and allowed it to spread. This exploit was patched last year in Microsoft update MS17-010, so a properly patched network wouldn’t be open to the exploit in the first place.

      If the ETERNALBLUE hole is already closed, WannaMine can try to spread using password cracking tools to find weak passwords on your network.

      Sophos said: It only takes one user with poor password hygiene to put your whole network at risk.

      Here are three things you can do about this right now

      • Re-test your whole network for Patch MS17-010 and make 100% sure that all machines are indeed updated

      • Step your users through new-school security awareness training, and have them do the new Strong Passwords Module.

      • Download the free Weak Password Test tool, and immediately scan AD for passwords that need to be beefed up.

      How weak are your users’ passwords? Are they... P@ssw0rd?

      KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak password related threats.

      WPT gives you a quick look at the effectiveness of your password policies and any fails so that you can take action. WPT tests against 10 types of weak password related threats, for example: Weak, Duplicate, Empty, Never Expires, plus 6 more.

      Here's how Weak Password Test works:

      • Reports on the accounts that are affected

      • Tests against 10 types of weak password related threats

      • Does not show/report on the actual passwords of accounts

      • Just download, install and run it

      • Results in a few minutes!

      This will take you 5 minutes and may give you some insights you never expected!

      Download Now:

      https://info.knowbe4.com/weak-password-test

      Warm regards,

      Stu Sjouwerman
      Founder and CEO, KnowBe4, Inc.


      posted in IT Discussion
      stus
    • RE: [Heads-up] New Ransomware Strain Encrypts Cloud Email Real-time VIDEO

      @tim_g We do! Now 15,000 customers. 🙂

      posted in IT Discussion
      stus