Part of protecting the CTRL Community is to promote good security practices and raise awareness of current security trends. CTRL Group hope this will bolster your overall understanding of cybersecurity attacks across the globe. In 2022, CTRL Group’s Security Operations Centre continue to monitor the ever-evolving threat landscape 24/7; observing breaches and critical security incidents.
Below are recommended mitigation actions by CTRL Group.
Attackers Impersonating CEOs in Virtual Meetings
The FBI has released a security alert warning that organizations and individuals are being increasingly targeted in Business Email Compromise attacks (BEC) on virtual meeting platforms such as Zoom or Microsoft Teams.
BEC attackers are known for using various social engineering methods to compromise business email accounts with the end goal of redirecting payments to their own bank accounts. Businesses of all sizes and individuals are targeted. The success rate is usually very high due to the fact the attackers usually pose as someone to earn the victims’ trust, like a business partner or a C-Level executive.
In its recent security alert, the FBI said scammers have been observed exploiting the use of virtual meeting platforms as part of the work from home global trend caused by the COVID-19 pandemic. Between 2019 and 2021, there has been an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to perform unauthorized transfers of funds. The criminals are utilising compromised emails of C-Level executives to infiltrate virtual meetings, where they either blame technical problems for lack of video/audio, use a still picture of the relevant C-Level exec they found online, or use deep fake technology to instruct employees to transfer funds into fraudulent accounts.
According to data collected in 2020, BEC attacks caused financial losses of roughly $1.8 billion in the United States, out of $4.2 billion reported in total.
CTRL Group recommend the following mitigation strategies:
- In the case of a meeting hosted in an outside virtual meeting platforms not normally used by your business, verify the meeting’s legitimacy prior to joining.
- Requests for changes in account or personal information changes should be verified with in secondary channels or by using a two-factor authentication.
- When receiving an invite for a virtual meeting, make sure the URL is associated with the business/individual it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Do not supply login credentials or personal information of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from. Pay special attention to common tactics such as “.com” instead of “.com.au”, or “.c0m” instead of “.com”.
- Promote cyber awareness among your employees, for example by simulating phishing campaigns.
- Monitor your financial accounts on a regular basis for irregularities.
Criminals Escalating SI Swap Attacks to Steal Millions
A new report states that criminals have escalated SIM swap attacks to steal millions by hijacking victims’ phone numbers. Data from FBI’s Internet Crime Complaint Centre (IC3) suggests that the number of complaints about SIM swap attacks have increased almost fivefold since 2018.
SIM swap fraud (also known as SIM hijacking, SIM jacking, or SIM splitting) is a type of account takeover fraud that allows cybercriminals to take control of their victims’ phone numbers by tricking phone service providers into swapping the victim’s phone number to an attacker-controlled SIM card, either by using social engineering or with the help of one or more bribed telecom employees.
After the SIM is ported, the criminals will receive the victims’ calls and messages, making it very simple to bypass SMS-based MFA, steal credentials, and take control of their victims’ accounts. Most of the SIM swapping attackers are financially motivated, usually targeting their victims’ online banking or cryptocurrency accounts to steal money or lock them out of their other accounts and demand ransom in exchange for giving them back.
The US Federal Communications Commission (FCC) recently announced it will promote rules to thwart these attacks, due to the increase of reports and the significant financial harm they cause. FBI’s report mentions that during 2021 there have been over 1,600 complaints of SIM swapping attacks, causing losses of more than $68 million, mostly stolen through virtual currency accounts. The reported losses for the years 2018-2020 were $12 million.
How can you protect yourself from SIM swapping attacks? Follow these tips:
- Do not provide your mobile number account information over the phone to representatives that request your account password or code. Verify the call by dialling the customer service line of your mobile carrier.
- Avoid posting personal information online, such as mobile phone numbers, addresses, or anything regarding your financial assets. This especially applies to social media websites and forums.
- Where applicable, use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts. Also, use a variety of unique and complex passwords for these accounts.
- Try and avoid storing passwords, usernames, or other information for easy login on mobile device applications, as they can be stolen by hackers.
FBI Shares LockBit Ransomware Technical Details, Defence Tips
The FBI has released technical details and indicators of compromise associated with the LockBit ransomware attacks in a new flash alert published recently. The alert contains information to help organisations block the ransomware gang’s attempts to breach their networks.
The LockBit ransomware gang has been very active since September 2019 when it launched as a ransomware-as-a-service (RaaS), with gang representatives promoting the operation, providing support on Russian-language hacking forums, and recruiting ‘initial access brokers’ to breach and encrypt networks in exchange for a cut of the ransom fee, a trend that has been gaining popularity recently by many cybercriminals on the dark web. They are also notorious for employing a wide variety of tactics, techniques and procedures, creating significant challenges for defence and mitigation.
The LockBit gang has been recently trying to recruit insiders to act as their initial access brokers and provide them with access to corporate networks via Virtual Private Network (VPN) and Remote Desktop Protocol (RDP).
To protect against the ransomware threat:
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have complex and unique passwords, and enforce change policy every 90 days or less.
- Require multi-factor authentication for all sensitive services or highly priviliged accounts.
- Keep all operating systems and software up to date.
- Remove unnecessary access to administrative shares.
- Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
- Enable protected files in the Windows Operating System to prevent unauthorised changes to critical files.
- Segment networks to prevent the spread of ransomware.
To hinder the ransomware operators’ network discovery efforts:
- Use a network monitoring tool to identify, detect and investigate abnormal activity within your network.
- Implement time-based access for accounts set at the admin level and higher.
- Disable command-line and scripting activities and permissions, except for specific services or users who require it as part of their BAU.
- Maintain offline backups of data, and regularly maintain backup and restoration. Ensure all backup data is encrypted, immutable, and covers the relevant parts of the organization’s data infrastructure.
Paying the ransom fee is not recommended and does not guarantee receiving all your files back or any assurance of not getting hit again by the same attacker or other ransomware gangs. However, if you choose this solution, CTRL Group recommend consulting with a cybersecurity company as soon as possible to protect your network from similar attacks in the future and to perform incident response procedures.