Every day I see the failure of our technology. I’m sure you see it too. From the day we started receiving emails, we’ve failed to protect recipients from scams, phishing, and other emails they don’t want. I remember the infamous email-based computer worm, the “ILOVEYOU virus”, which in 2000 spread itself to the contacts of every computer it infected.
These victims should have known not to click on an email that said ILOVEYOU, but they did and had to clean up afterwards. We hope that our anti-virus or endpoint protection software will alert us to problems. In reality, this is often not the case. When the technology fails, it’s likely because the attacker has circumvented it by targeting humans. Here are four ways to do it.
1. Targeted Human Attack
Several types of attacks target humans. One is the targeted human attack. A recent video showed how Rachel Tobac, CEO of SocialProof Security, hacked film producer Jeffrey Katzenberg. Using public databases and other research, she first identified someone at Katzenberg’s company whom he trusted. She then called Katzenberg while spoofing that colleague’s phone number and directed him to a phishing email sent from an address resembling the colleague’s. Once Katzenberg opened the email and clicked on the link it contained, Tobac had access to everything on his laptop he was logged into, including all of his contacts.
This process is not new. Hacker Kevin Mitnick said he compromised computers only using passwords and codes he obtained through social engineering. I still have a dog-eared copy of his Washington area guide to executives and their aides that was taken as evidence by the FBI. I bought this years ago at a fundraiser as a unique memento of security history. At the time, this information was in books. Today, it is readily available online.
2. Fraudulent wire transfer email
Another human attack is the fraudulent wire transfer email. My own town fell for this scam. In 2020, over $600,000 was lost in a fraudulent wire transfer scam:
“In January 2020, Fresno officials wired approximately $324,473 to who they believe was the contractor building a new police station in the city. Less than two months later, in early March, the city sent an additional $289,254. The invoices appeared identical to the previous ones, except for one crucial aspect: the account number where the money would be sent was different.”
The attackers spent a long time learning what the invoices looked like and how the payment processes worked. Techniques for doing this range from analyzing public information sources and public board meetings to knowing which suppliers are active and awaiting payment. My guess is that the email accounts of key employees were hacked, allowing the attacker to see which important electronic payment processes were occurring in the normal course of business and were therefore more susceptible to fraudulent transactions.
3. Encourage users to hand over their credentials
In the past, many of these attacks and scams sent the payload straight to your email inbox. How many of us have disabled the preview pane in Outlook to protect end users from direct macro- or code-based attacks? Now the attacker has to be more resourceful: instead of attaching the payload, it is hosted on a cloud property, and email addresses and domains are spoofed to trick the user into clicking the link.
As we move to cloud apps, attackers are also changing their methods, trying to trick users into handing over credentials or into granting permissions that add a malicious app to their existing Microsoft 365 apps.
4. Bypass Multi-Factor Authentication
Any authentication process should require multi-factor authentication (MFA) for login. Whether you use Authy, Google Authenticator, the Microsoft Authenticator app, Duo.com, or a key fob, the devil is often in the implementation details. For example, the FBI recently issued an advisory regarding Russian state-sponsored cyber actors who first gained access to a network by circumventing and abusing a two-factor process provided by Duo.com, and then moved laterally through the network using a Windows Print Spooler vulnerability (PrintNightmare, CVE-2021-34527).
As the advisory states:
“Russian state-sponsored cyber actors gained initial access [TA0001] to the victim organization via compromised credentials [T1078] and enrolled a new device in the organization’s Duo MFA. The actors gained the credentials [TA0006] via a brute-force password guessing attack [T1110.001], allowing them to access a victim account with a simple and predictable password. The victim’s account had been unenrolled from Duo due to a long period of inactivity, but was not disabled in Active Directory. Because Duo’s default configuration settings allow new device re-enrollment for inactive accounts, the actors were able to enroll a new device for that account, complete the authentication requirements, and gain access to the victim network.
Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation [TA0004] via exploitation of the “PrintNightmare” vulnerability (CVE-2021-34527) [T1068] to gain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server [T1556]. This change prevented the MFA service from contacting its server to validate the MFA login, effectively disabling MFA for active domain accounts, as Duo for Windows’ default policy is to “fail open” if the MFA server is unreachable. Note: “fail open” can happen to any MFA implementation and is not exclusive to Duo.”
If you are a Duo user, set a reasonable inactivity period, remove inactive users from Duo, and delete them from Active Directory as well. Have a proper offboarding process for users leaving your organization, including moving or archiving their email and other resources unique to that user to another user in the organization. Finally, review your multi-factor settings, including what happens when the MFA server is unreachable, and make sure you would not be caught by this type of bypass.
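As an added illustration (not code from the article or from Duo), here are two offline audit checks for the two gaps the advisory describes: a hosts-file scan for MFA server names pinned to loopback, and a cross-check for accounts inactive in Duo that are still enabled in Active Directory. The .duosecurity.com suffix for Duo API hostnames is an assumption, and all sample data is constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption (not from the article): Duo API hostnames end in .duosecurity.com.
MFA_DOMAIN_SUFFIX = ".duosecurity.com"


def suspicious_hosts_entries(hosts_text, suffix=MFA_DOMAIN_SUFFIX):
    """Return (ip, hostname) pairs from a hosts file that pin an MFA server
    hostname to a loopback/unspecified address. With a fail-open agent such
    an entry silently disables MFA, which is the change the advisory describes."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        ip_str, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # not a valid hosts line; ignore it
        for name in names:
            if name.lower().endswith(suffix) and (ip.is_loopback or ip.is_unspecified):
                findings.append((ip_str, name))
    return findings


def inactive_but_enabled(duo_last_login, ad_enabled, now, max_inactive_days=90):
    """Accounts inactive in Duo past the threshold (so Duo may have unenrolled
    them and would allow re-enrollment) that are still enabled in AD."""
    cutoff = now - timedelta(days=max_inactive_days)
    return sorted(
        user for user, last in duo_last_login.items()
        if (last is None or last < cutoff) and ad_enabled.get(user, False)
    )


# Constructed sample data for a stand-alone run.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       api-12345678.duosecurity.com   # MFA calls now go to localhost
"""
NOW = datetime(2022, 3, 15)
SAMPLE_DUO = {"jsmith": datetime(2022, 3, 10), "oldcontractor": datetime(2021, 6, 1), "svc_backup": None}
SAMPLE_AD = {"jsmith": True, "oldcontractor": True, "svc_backup": False}

if __name__ == "__main__":
    print("hosts findings:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("inactive but enabled in AD:", inactive_but_enabled(SAMPLE_DUO, SAMPLE_AD, NOW))
```

In practice the hosts text would be read from the domain controller and the two dictionaries populated from the Duo Admin API and an AD query; the logic stays the same.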
Copyright © 2022 IDG Communications, Inc.