Every day, I see the failure in our technology. I’m sure you see it as well. Since the day we started receiving email, we have failed at protecting recipients from scams, phishes and other email messages that they don’t want. I remember the infamous email-based computer worm, the “ILOVEYOU virus,” that infected fellow IT friends back in 2000.
Those victims should have known better than to click on an email that said ILOVEYOU, but they did and had to clean up afterwards. We hope that our antivirus or endpoint protection software alerts us to problems. In reality, it often does not. When technology fails, it’s likely because the attacker made an end run around it by targeting humans. Here are four ways they do it.
1. The targeted human attack
Several types of attacks target humans. One is the targeted human attack. A recent video showed how SocialProof Security CEO Rachel Tobac hacked film producer Jeffrey Katzenberg. She first targeted someone in Katzenberg’s firm that he would trust by using public databases and other research. She then called him by spoofing the colleague’s phone number and directed him to a phishing email that used a lookalike email address of the colleague. Once Katzenberg opened the email and clicked on the link it contained, Tobac had access to everything on his laptop that he was signed into, including all his contacts.
This process is not new. Hacker Kevin Mitnick stated that he compromised computers solely by using passwords and codes that he gained by social engineering. I still own a dog-eared copy of his Washington area who’s who guide of executives and their assistants that was taken as evidence by the FBI. I bought it years ago in a fundraiser as a unique souvenir of security history. Back then this information was found in books. Today it’s easily accessible online.
2. Fraudulent wire transfer email
Another human attack is the fraudulent wire transfer email. My own city fell to this scam. In 2020 over $600,000 was lost in a fraudulent wire transfer scam:
“In January 2020, Fresno officials wired roughly $324,473 to who they believed was the contractor building a new police station in the city. Less than two months later, in early March, the city sent another $289,254. All told, it cut $613,727 in electronic payments. The invoices looked identical to previous ones, except for one crucial aspect: the account number where the money would be sent was different.”
The attackers took time to know how the invoices would look and the processes would work. Techniques to do this range from analyzing news sources and public council meetings to knowing what vendors were active and expecting payments. I’m speculating that email accounts of key employees were breached, allowing the attacker to see what large electronic payment processes were occurring during the normal course of business and thus more susceptible to fraudulent transactions.
3. Tricking users into handing over credentials
In the past, many of these attacks and scams would deliver the payload directly to your email box. How many of us have disabled the preview pane in Outlook to protect end users from direct attacks using a macro- or code-based attack? Now the attacker must be more ingenious, putting the attached payload in a cloud property, spoofing email addresses and domains to entice the user to click on the link.
As we move to cloud applications, attackers are also switching methods of attacks and trying to trick users into handing over credentials, requesting application authorization to add a malicious app to their existing Microsoft 365 applications.
4. Bypassing multi-factor authentication
Any authentication process should require multi-factor authentication (MFA) to the log in. Whether you use Authy, Google authentication, Microsoft authenticator application, Duo.com, or a keyfob, the devil is often in the implementation details. For example, the FBI recently released an advisory regarding Russian state-sponsored cyber actors that gained access to a network first by bypassing and abusing a two-factor process provided by Duo.com and then performed lateral movement in the network by using a Windows Print Spooler vulnerability (PrintNightmare CVE-2021-34527).
As the advisory states:
“Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolling a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via brute-force password guessing attack [T1110.001], allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.
Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation [TA0004] via exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) [T1068] to obtain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server [T1556]. This change prevented the MFA service from contacting its server to validate MFA login—this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to “fail open” if the MFA server is unreachable. Note: “Fail open” can happen to any MFA implementation and is not exclusive to Duo.”
If you are a Duo user, ensure that you set a reasonable period for inactive users and send them to the trash as well as remove them from Active Directory. Have a process to remove users from your organization appropriately include moving or archiving email, and other resources unique to that user to a different user in the organization. Bottom line review your multi-factor settings and ensure that you wouldn’t be caught in this sort of bypass attack.
Copyright © 2022 IDG Communications, Inc.