Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: $100m of Crypto Craziness, €800k of romance fraud, social engineering lessons, and why your backups may no longer save you.
This week’s action: Check your auto-forwarders.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: Criminals may not bother with the encryption bit.
As reported in The Register, the FBI and CISA are warning organisations about the emergence of a new cyber gang called Karakurt.
“Karakurt doesn’t target any specific sectors or industries, and the gang’s victims haven’t had any of their documents encrypted and held to ransom. Instead, the crooks claim to have stolen data, with screenshots or copies of exfiltrated files as proof, and they threaten to sell it or leak it publicly if they don’t receive a payment. The US agencies say these demands range from $25,000 to $13 million in Bitcoin, and Karakurt typically sets a one-week deadline to pay up.”
In a traditional ransomware attack, the attackers encrypt your data. Your key response is a reliable backup that you can use to restore your data.
As a result, many attackers have adjusted their techniques to include data theft. Once the data is stolen, your backups won’t save you from the financial and reputational damage, not to mention the data protection implications, of data ending up in the hands of the attackers and being published online. It looks like this latest group are skipping the encryption step and going straight to ‘file copy’.
This is a reminder of why doing the best you can to keep the bad guys out of your systems is so important. Because once they are in, your backups may no longer save you.
2: Our social engineering assumptions are wrong
Proofpoint (an email security company) published a report this week which reveals that many common social engineering assumptions are wrong.
As reported on CSO Online, the common incorrect assumptions include:
- Attackers do not have conversations with their targets – They sometimes invest the time to get into an email conversation with people to gain their trust, before then launching their attack.
- Attackers do not use legitimate online services such as OneDrive, Google Drive, Dropbox etc – To avoid detection by an organisation’s email security, attackers will frequently store and share their malicious files on legitimate file sharing platforms rather than send them as email attachments.
- Attackers never speak to their victims – Again, to avoid detection by email security technology, attackers frequently send emails to targets that do not contain malicious links or attachments, but instead encourage the recipient to call a fake call centre so the attacker can speak to them directly.
The article is worth a read, and your cybersecurity awareness training should be adjusted to reflect Proofpoint’s recommendations.
3: Romance fraudsters are not lovable rogues
The Irish Independent reported this week that Gardaí (the Irish police force) are warning people to be on the lookout for romance scams, especially on dating apps and on social media.
The article is worth a read, as it contains some excellent advice on how to protect yourself against online fraudsters.
- “Be careful what you share on social media and online dating websites. Do not reveal your full name or home address. Protect your identity.
- Be wary of anyone asking lots of questions about you but not revealing much about themselves.
- They will come across as being the ideal person. They will like what you like. They will want what you want. Their interests will mirror yours. If you like classical 18th century French Poetry, then so will they.”
This last point sounds like any boy chasing after a girl (or boy), but enough about me when I met my-now-wife.
What is also interesting is how the impact on victims described in the article will resonate with any business owner whose business has been the victim of a cyber attack. In both cases, alongside the financial loss, it leaves people feeling vulnerable, hurt and filled with mistrust.
This is the total amount lost by the 31 people in Ireland who reported being victims of romance fraud to the Gardaí (the Irish police force) last year, as reported in the Irish Independent this week. This works out at an average loss of over €26,000 per victim. The youngest victim was 27 and the oldest was 69. Almost three-quarters of victims were female.
The police believe this crime is under-reported, and the total number of victims and total losses are likely to be significantly higher.
In the latest story of Crypto Craziness, and as reported by Decrypt this week, this is the value of cryptocurrency stolen from the Harmony Protocol by an unknown individual last week. In response, Harmony has offered the individual $1m and a guarantee of no criminal charges if the $100m is returned and they reveal how they committed the crime-that-will-not-be-reported-as-a-crime.
It’s just like what happens in the old world: If you rob €100m from a bank, they will give you €1m if you give it back and tell them how you did it.
1: Check your auto-forwarding rules
Last week’s newsletter from Ireland’s NCSC (National Cyber Security Centre) reported that the German Green Party suffered a breach of their email system recently. While the article referenced by the NCSC is short on detail, one line grabbed my attention:
The accounts “were compromised in such a way that some emails were forwarded to addresses outside the party”.
It sounds like the attackers got into the email system and set up auto-forwarding rules on multiple accounts. This means that even if the attacker’s way in gets blocked (e.g. the password gets changed; Multi-Factor Authentication is turned on), the attacker will still get to see emails coming into or going out of the accounts.
Auto-forwarding should really be called auto-copying, because it automatically sends a copy of emails to the attacker. And this happens without the account holder noticing anything. It is a common method used by attackers to maintain access to an organisation’s emails.
I recommend that on a regular basis, and especially if you suspect that an unauthorised individual has gained access to your email system, you should review all auto-forwarding rules set up on your email system. If you see one that makes no sense, this is a major red flag.
If you use Microsoft 365, this article shows you how to check what is going on: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report?view=o365-worldwide
I recommend you go further and disable the ability for staff to set up auto-forwarding rules in the first place.
- Microsoft 365 instructions are at https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/external-email-forwarding?view=o365-worldwide
- Google Workspace instructions are at https://support.google.com/a/answer/2491924?product_name=UnuFlow&hl=en
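For Microsoft 365 administrators, the two steps above (review every forwarding rule, then stop staff from creating external ones) can be done from Exchange Online PowerShell. The script below is an added example and is not part of the original newsletter, the NCSC article or Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange admin role, and that your tenant's outbound spam policy still has its default name "Default"; the CSV file names and the -DisableExternalForwarding switch are choices made for this example.

```powershell
# Added example (not from the newsletter): list every mailbox-level forward and every
# inbox rule that forwards or redirects mail, export both, and optionally block
# automatic forwarding to external domains tenant-wide.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin role held,
# outbound spam policy named "Default" (the standard name in a new tenant).
#Requires -Modules ExchangeOnlineManagement

param(
    [switch]$DisableExternalForwarding   # pass this switch to apply the tenant-wide block
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Mailbox-level forwarding (set by an admin, or by the user in Outlook settings).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwards = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, forward-as-attachment or redirect mail.
#    A rule that also deletes the message is the classic "silent copy" pattern,
#    so it is flagged separately and sorted to the top of the report.
$ruleForwards = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule = $_
            # Merge the three destination lists and drop empty entries.
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ }
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                RuleName    = $rule.Name
                Enabled     = $rule.Enabled
                SendsTo     = ($targets -join '; ')
                DeletesCopy = [bool]$rule.DeleteMessage
            }
        }
}

# 3. Report. Any destination you cannot explain is the red flag the newsletter describes.
"=== Mailbox-level forwarding ==="
$mailboxForwards | Format-Table -AutoSize
"=== Inbox rules that forward or redirect ==="
$ruleForwards | Sort-Object DeletesCopy -Descending | Format-Table -AutoSize

$mailboxForwards | Export-Csv -NoTypeInformation -Path .\mailbox-forwarding.csv
$ruleForwards    | Export-Csv -NoTypeInformation -Path .\inbox-rule-forwarding.csv

# 4. Optional hardening: stop automatic forwarding to external domains for the whole tenant.
if ($DisableExternalForwarding) {
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
    "AutoForwardingMode set to Off on the Default outbound spam policy."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without the switch to get the two CSV reports and review them with the mailbox owners; run it again with -DisableExternalForwarding once you are satisfied that no legitimate external forward exists (or have moved those into a dedicated policy). Step 2 queries every mailbox individually, so on a large tenant it takes a while; the report is still the quickest way to see every forwarding rule in one place rather than checking mailboxes one by one.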
Read more: The article mentioned by NCSC is at https://www.securityweek.com/germanys-green-party-says-email-system-hit-cyberattack