Malicious actors are showing an increasing level of sophistication in their attacks, and it’s working. What is also interesting is how they’ve adapted to our defenses and are working their way around them. Hacking has reached a new level.
Every couple of years, we form a general idea of the current mode of attack. A few years ago, it was this: The bad guys sent emails with links that led to sites where malware was downloaded to a client machine. Then the malware, or a live hacker it contacted, would work across the network until it reached material worth exfiltrating, which would then be sent out across the internet. Then the hackers would try to monetize the theft.
Last week, the FBI and the CISA sent out a joint cybersecurity advisory about a new rash of attacks. Look at how the evildoers’ strategy and tactics have changed!
The New Tricks
First, instead of using phishing, they’re using vishing. In fact, it’s more than vishing; it’s spear vishing. The bad people scour the web for information about employees at targeted firms and about the firm itself. Once they have that information, they telephone employees at the companies, targeting new employees’ mobile phones.
At this point, they take advantage of COVID. They tell the new hires, who are working at home, that they must upgrade their VPN credentials. Attacking people working at home has a major advantage, in that the employee can neither ask the person in the next office about the call, nor mention it in conversation afterwards.
The vishing has become much more sophisticated. First, as soon as possible, all the phone numbers the hackers are calling from are spoofed to imitate real numbers within the target organization. Since the users are at home, these will usually be PSTN numbers, not extensions. Next, the callers themselves are both sophisticated and armed with information about the user and the organization. They chat for a bit and glean even more information, for example what company assets are usually called internally.
Go to Our Secure Website…
The hackers don’t ask for credentials to be revealed over the phone. They direct the users to an “IT site” supposedly within the organization. The bad guys have registered domain names, often in the form of support-(company) or something similar. The sites look exactly like company sites, and the URL contains the real company name. They even get SSL certificates. The user is asked to enter credentials on the site, including their second factor of two-factor authentication! A second hacker, working with the social engineer, then immediately uses the credentials and the second factor to access the company’s network.
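Because the lookalike domains carry the real company name and a valid certificate, the cheapest defensive signal is the name itself: a feed of newly registered domains or certificate-transparency log entries can be screened for the support-(company) pattern before the phone calls start. The following triage script is an added example written for this post, not code from the advisory or from Krebs; the brand token `examplecorp`, the legitimate apex `examplecorp.com` and the sample log entries are all constructed.

```python
import re
from difflib import SequenceMatcher

# Hypothetical brand token and legitimate registrable domain(s) to protect.
COMPANY = "examplecorp"
LEGIT_APEX = {"examplecorp.com"}

# Constructed sample names, of the kind a certificate-transparency feed would yield.
SAMPLE_FEED = [
    "vpn.examplecorp.com",          # genuine host under the real apex
    "support-examplecorp.com",      # the support-(company) pattern from the advisory
    "examplecorp-it.net",           # brand plus an "IT" suffix on a different TLD
    "examp1ecorp.com",              # digit-for-letter near miss
    "login.bankofelsewhere.com",    # unrelated organization
]


def registrable(domain):
    """Naive registrable domain: the last two labels. A real deployment would
    consult the public suffix list so that e.g. co.uk is handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify(domain):
    """Return one of: legitimate, brand-in-label, near-miss, unrelated."""
    reg = registrable(domain)
    if reg in LEGIT_APEX:
        return "legitimate"
    sld = reg.split(".")[0]
    if COMPANY in sld:
        # Brand embedded with a prefix/suffix such as support- or -it.
        return "brand-in-label"
    # Drop separators and compare the whole label against the brand for typosquats.
    stripped = re.sub(r"[-_]", "", sld)
    if SequenceMatcher(None, stripped, COMPANY).ratio() >= 0.85:
        return "near-miss"
    return "unrelated"


def triage(feed):
    """Keep only names that warrant a look: anything impersonating the brand."""
    return [(d, v) for d in feed
            if (v := classify(d)) in ("brand-in-label", "near-miss")]


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_FEED):
        print(f"{verdict:15} {domain}")
```

The brand-in-label check is the one that matches the pattern described above; the near-miss check is a cheap extension for typosquats. Either hit is a candidate for a takedown request and for a block on the corporate DNS resolver, and the list of flagged names doubles as material for the user-awareness training mentioned later in the post.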
Once inside the network, the hackers try many things, in addition to finding data to exfiltrate. They go after other credentials, more personal information about employees, and more accounts. They even attempt to register more devices, such as burner phones, on the network.
On the other end, how the intrusions are monetized is changing, too. Some hackers are offering their intrusion skills for hire over the dark web, for example. Industrial espionage agents must love this.
What Can Be Done?
For the enthusiast, there are many more meaty details about this new paradigm out on the web. Distinguished security journalist Brian Krebs has lots of information, in addition to the security advisory itself, which is a little hard to find otherwise.
What can be done? The FBI and CISA have a list of suggestions, and Krebs argues that physical security keys like those made by Yubico can’t be impersonated by material collected on a fake website. Clearly, attack surface research and more user training on vishing wouldn’t hurt, either.