social engineering

TWiC | This Week in Cybersecurity – Let’s Go Phishing 🎣

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories focused on the latest in phishing campaigns tactics, techniques, procedures, common use cases, and infrastructure being used. Check out the details below.

Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands

The number of phishing attempts that misuse the Microsoft brand jumped 266 percent in the first quarter of 2022 compared to the same period last year, according to a report by researchers at Vade. In the same period of time, fake Facebook messages increased by 177% in the second quarter of 2022. In Q1 2022 compared to the previous year, there were 266 percent more instances of phishing assaults using the Microsoft name. As opposed to the previous year, hackers are ramping up their use of false messages that abuse well-known companies, bringing back the bloom of phishing attempts. According to the phishing research Microsoft, Facebook, and the French bank Crédit Agricole are the three most frequently impersonated companies in attacks. Crédit Agricole, WhatsApp, and the French telecommunications provider Orange are some of the other top names that are misused in phishing attempts. Other well-known brands included Apple, Google, and PayPal.
DUCKTAIL Malware Targeting HR Professionals Through LinkedIn Spear-phishing Campaign

Cybersecurity research has recently learned of an ongoing operation known as DUCKTAIL. This strategy aims to gain control of a company’s Facebook business account that handle its advertising. DUCKTAIL uses a malware component that steals information to hack Facebook Business accounts. This sets DUCKTAIL apart from other malware campaigns that used Facebook as a base of operations in the past. The malware is able to access the victim’s Facebook account by stealing cookies from the victim’s browser and utilizing authentication cookies during authenticated Facebook sessions. This has allowed hackers to access every Facebook Business account that the victim has access to, even ones with restricted access. DUCKTAIL has been using LinkedIn to identify potential targets for these campaigns.
1,000s of Phishing Attacks Blast Off from InterPlanetary File System

The InterPlanetary File System (IPFS), a distributed peer-to-peer file system, has become a hotbed of phishing-site storage. Thousands of emails containing phishing URLs are showing up in corporate inboxes. IPFS uses peer-to-peer (P2P) connections for file and service-sharing instead of a static resource demarked by a host and path. Phishers may start using even more sophisticated methods for replicating sites, such as using distributed hash tables. According to an anti-phishing expert, security admins need to educate themselves and their staff about how IPFS works.
Evilnum APT Hackers Group Attack Windows Using Weaponized Word Documents

The APT threat actor, Evilnum, has been targeting European banking and investment organizations. Recently their tactics, techniques, and procedures have included spear-phishing emails with attachments like Microsoft Word, ISO, and Windows Shortcut (LNK) files. Researchers discovered other variations of the campaign in late 2022, including ones that employed financial bribes to get victims to open malicious ZIP folders that were coupled with malicious .LNK files. In the middle of 2022, the methodology that was being used to distribute Word documents was altered once more to incorporate a mechanism that tries to connect to an attacker-controlled domain and obtain a remote template.

Stop Phishing
nGuard has been conducting social engineering assessments for almost 2 decades and has the experience and expertise to assess your users against phishing campaigns using a variety of attack methods. Using emails, phone calls, text messages, multi-factor prompt bombing attacks, fake websites, and more, nGuard can thoroughly test your security awareness training program efficacy. Contact your Account Executive or Security Consultant to learn more about how nGuard can help.

TWiC | This Week in Cybersecurity

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories covering Microsoft rolling back their decision to not block Office macros by default, phishing campaigns successfully bypassing multi-factor authentication (MFA), a former CIA engineer responsible for the “Vault 7 Leaks” was convicted, hackers targeting industrial control systems, and much more. Check out the details below.

Microsoft Rolls Back Decision To Block Office Macros By Default

While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said that it will roll back this change based on “Feedback” until further notice. Microsoft’s customers were the first to notice that Microsoft rolled back this change in the Current Channel, with the old ‘Enable Editing’ or ‘Enable Content’ buttons shown at the top of downloaded Office documents with embedded macros. While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros.
Large-Scale Phishing Campaign Bypasses MFA

Attackers are getting wise to organizations’ increasing use of MFA to better secure user accounts and creating more sophisticated phishing attacks like these that can bypass it, noted a security professional. “While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie – and because the session cookie shows that MFA was already used to login – the attackers can often circumvent the need for MFA when they login to the account again later using the stolen password,” observed Erich Kron from KnowB4. This attack is especially convenient for threat actors because it precludes the need for them to craft their own phishing sites such as the ones used in conventional phishing campaigns, researchers noted. In the phishing campaign observed by Microsoft researchers, attackers initiate contact with potential victims by sending emails with an HTML file attachment to multiple recipients in different organizations. One of nGuard’s most common assessments is Social Engineering. During these assessments our engineers come across applications that require MFA and attempt to bypass the requirement using these techniques and others like MFA Prompt Bombing.
Jury convicts ex-CIA engineer for leaking the agency’s “Vault7” hacking toolset

Joshua Schulte, the former CIA engineer arrested for what’s being called the biggest theft of classified information in the agency’s history, has been convicted by a federal jury. Schulte was arrested in relation to the large cache of documents that Wikileaks had published throughout 2017. That string of CIA leaks known as “Vault 7” contained information on the tools and techniques the agency used to hack into iPhones and Android phones for overseas spying. It also had details on how the CIA broke into computers and how it turned smart TVs into listening devices. A federal jury has found Schulte guilty on nine counts, including illegally gathering national defense information and then transmitting it. As part of his closing arguments, he told the jurors that the CIA and the FBI made him a scapegoat for their embarrassing failure, repeating what his side had been saying from the time he was arrested.
State-backed hackers targeted US-based journalists in widespread spy campaigns

State-sponsored hackers from China, North Korea, Iran and Turkey have been regularly spying on and impersonating journalists from various media outlets in an effort to infiltrate their networks and gain access to sensitive information, according to a report released by cybersecurity firm Proofpoint. In one of the operations, the report found that since early 2021, Chinese-backed hackers engaged in numerous phishing attacks mainly targeting U.S.-based journalists covering U.S. politics and national security. The researchers concluded their report with a warning to journalists to protect themselves and their sources because these types of attacks are likely to persist as state-sponsored hackers attempt to gather more sensitive information and manipulate public perception.
Hackers are targeting industrial systems with new strain of malware

People hawking password-cracking software are targeting the hardware used in industrial-control facilities with malicious code that makes their systems part of a botnet, a researcher reported. Lost passwords happen in many organizations. A programmable logic controller — used to automate processes inside factories, electric plants, and other industrial settings, for example, may be set up and largely forgotten over the following years. When a replacement engineer later identifies a problem affecting the PLC, they may discover the now long-gone original engineer never left the passcode behind before departing the company. An entire ecosystem of malware attempts can capitalize on scenarios like this one inside industrial facilities. Online advertisements promote password crackers for PLCs and human-machine interfaces, which are the workhorses inside these environments. nGuard has a wide range of experience securing Critical Infrastructure, SCADA systems, and Industrial Controls Systems for the manufacturing industry. Our penetration testing and compliance assessments can give you the confidence in the security posture of these environments.

TWiC | This Week in Cybersecurity

Over the past week there have been many hot topics in cybersecurity. This edition of This Week in Cybersecurity includes stories covering Microsoft patching the Follina Zero-Day, Apple M1 Kernel security flaws, a record-breaking DDoS attack, a Kaiser Permanente data breach, and US military hackers conducting offensive activities in support of Ukraine. Check out the details below.

Cloudflare Saw Record-Breaking DDoS Attack Peaking at 26 Million Request Per Second: Cloudflare disclosed that it had acted to prevent a record-setting 26 million requests per second (RPS) distributed denial-of-service (DDoS) attack last week, making it the largest HTTPS DDoS attack detected to date. In late April 2022, it said it staved off a 15.3 million RPS HTTPS DDoS attack aimed at a customer operating a crypto launchpad. According to the company’s DDoS attack trends report for Q1 2022, volumetric DDoS attacks over 100 gigabits per second surged by up to 645% quarter-on-quarter.
Microsoft Patches ‘Follina’ Zero-Day Flaw in Monthly Security Update: Microsoft has issued a patch for the recently disclosed and widely exploited “Follina” zero-day vulnerability in the Microsoft Support Diagnostic Tool as part of its scheduled security update for June. It’s a good idea for organizations to keep Microsoft’s recommended mitigations for the flaw in place even after they install the MSDT update. Applying the patch will protect users but the patch only fixed the code injection vulnerability in msdt.exe. The diagnostic tool itself will still launch if a user opens an affected document. For more information on this vulnerability, check out nGuard’s last Security Advisory: Microsoft Zero-Day with No Patch! This vulnerability will be commonly exploited via phishing attempts. Social Engineering simulations and Social Engineering Awareness Training can assist your organizations employees in identifying these types of attacks.
Kaiser Permanente data breach exposes health data of 69K people: Kaiser Permanente, one of America’s leading not-for-profit health plans and health care providers, has recently disclosed a data breach that exposed the health information of more than 69,000 individuals. The company revealed in a notice published on its website that an attacker accessed an employee’s email account containing patients’ protected health information on April 5, 2022, without authorization. Sensitive info exposed in the attack includes:
- The patients’ first and last names
- Medical record numbers
- Dates of service
- Laboratory test result information
Design Weakness Discovered in Apple M1 Kernel Protections: Security researchers released details about a new attack they designed against Apple’s M1 processor chip that can undermine a key security feature that protects the operating system kernel from memory corruption attacks. The work offers a tangible example of how the one-two punch of hardware vulnerabilities and low-level software flaws can provide ample opportunities for attackers to run rampant in the kernel.
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command: General Nakasone, the head of US Cyber Command, confirmed for the first time that the US was conducting offensive hacking operations in support of Ukraine in response to the Russian invasion. Speaking in Tallinn, Estonia, the general, who is also director of the National Security Agency, told Sky News that he is concerned “Every single day” about the risk of a Russian cyber attack targeting the US and said that the hunt forward activities were an effective way of protecting both America as well as allies.

URGENT NSA Cybersecurity Advisory

Weak Security Controls

Last week, multiple government agencies released a joint Cybersecurity Advisory to raise awareness about insufficient security configurations, weak controls, and other areas where cyber criminals easily gain access to company networks. This advisory lists out the best practices to protect your systems and goes into them in detail:

Control access.
Harden credentials.
Establish centralized log management.
Use antivirus.
Employ detection tools.
Operate services exposed on internet-accessible hosts with secure configurations.
Keep software updated.

This advisory also details some of the most common ways that attackers are gaining access to internal networks and explains the mitigation efforts that can be taken to prevent such attacks:

Exploit Public-Facing Applications
External Remote Services
Phishing
Trusted Relationship
Valid Accounts

It is essential that all organizations read or review this advisory and become familiar with the list of common exploit paths that attackers take to easily gain access to systems within the internal network. “As long as these security holes exist, malicious cyber actors will continue to exploit them,” said NSA Cybersecurity Director Rob Joyce. “We encourage everyone to mitigate these weaknesses by implementing the recommended best practices.” This advisory can be reviewed in detail here.

nGuard provides a wide variety of both tactical and strategic security assessments that can assist your organization in becoming more secure across the board. Tactical security assessments like external penetration testing, internal penetration testing, and social engineering can point out easily exploitable flaws that could lead an attacker to gaining some type of network access. Managed security services like vulnerability management and centralized log management provide ongoing protection as your network is being scanned for known vulnerabilities on an ongoing basis. Strategic security assessments give you one on one time with a qualified consultant who can help you build layers of security from the ground up. If you are reading this advisory and have any questions, nGuard is ready to talk with you and see where assistance is needed.

Multi-Factor Prompt Bombing Attacks

What Is It?
Multi-factor authentication (MFA) prompt bombing is a specific social engineering attack that bombards its victims with countless MFA push notifications. Generally, when people think of social engineering attacks, they think of suspicious emails or unexpected phone calls. However, MFA prompt bombing can be an even more effective strategy to gain access to people’s data, due to the fact it specifically uses social engineering tactics that target the human factor. Below are a few different ways these MFA prompt bombing attacks are carried out:

Send a large number of MFA prompt requests in hopes the user accepts to stop the distraction or annoyance.
Send only a small number each day in hopes a user accepts at some point. This method is stealthier and is more likely to fly under the radar as a malicious attack.
Call the user advising them they need to send an MFA prompt and they need to accept it.

The victim may ignore the first few notifications or calls, but at some point, may click accept to stop the annoyance and get back to what they were focusing on – all while not realizing what they have just done.

More and more authentication portals are adding the ability or requirement to

enable MFA notifications as a secondary form of authentication. The Center for Internet Security (CIS) Control 6 – Access Control Management requires MFA for external facing applications, remote network access, and administrative access. This attack is on the rise and will not be going away any time soon.

Recent Attacks Using This Technique
Back in March, nGuard released a Security Advisory about the Lapsus$ Crime Gang infiltrating Microsoft, Okta, and others. It turns out the group utilized this technique to gain access to these organizations. Lapsus$, in their Telegram channel said, “No limit is placed on the number of calls that can be made. Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

The image below shows a conversation from their Telegram Channel discussing how they were going to attempt this attack:

The SolarWinds breach that occurred last year that allowed APT29 (Cozy Bear), a group out of Russia, to create backdoors in 18,000 SolarWinds customer’s environments utilized this very same technique.

nGuard’s Experience with MFA Prompt Bombing
nGuard has been using this attack in our social engineering methodology for quite some time. Using these tactics, nGuard has successfully gained access to client’s VPN portals protected by MFA to obtain internal network access numerous times. nGuard has also used this attack to gain access via an organization’s single sign-on (SSO) page, giving us access to many sensitive internal applications. To protect your organization from this attack you can:

Conduct regular social engineering assessments to reinforce training.
Train employees to only accept MFA prompts when they are actively authenticating to a service.
Train employees to never give out MFA SMS codes to anyone.
Report the unsolicited MFA prompts as fraudulent.
Create alerts for anomalous events such as:
- Time of access
- Geolocation
- Large number of MFA prompts events
Draft a policy that states whether and how personal information is to be requested of employees via telephone.
Conduct employee training to raise awareness of social engineering techniques.
Train employees to identify and report suspicious requests for personal information.
Segment employee workstations from higher security zones in the internal network to reduce exposure of critical internal systems to attack from compromised workstations.

If you want to test your users’ likelihood of falling victim to such social engineering attacks, contact your Account Executive or Security Consultant for more information.