Adversaries are constantly looking for new victims to make a profit, and companies are well-suited targets (read: deep pockets). This year, CERT-XLM dealt with 15 incidents per month on average, and guess what the most common kinds of attacks observed were? – drumroll – Business Email Compromise (BEC) and Ransomware, again.
BEC for the win
With the widespread move to Office 365 for business email, it has never been easier for users to access their mailboxes from anywhere, using either devices managed by their organization or personal devices.
And the same is true for adversaries once they have gained access to professional email accounts. Phishing attacks are still their primary vector for obtaining credentials, but CERT-XLM has also observed the use of information stealers, the exploitation of unpatched CVEs, or adversaries who “simply” go shopping online on the darknet.
In typical scenarios, adversaries will search the mailbox for conversations involving money transfers of some sort. They will then hijack the conversation, impersonating the victim or their contacts, usually with a message along the lines of “our IBAN changed, please make the transfer there”.
Adversaries might operate from the user’s mailbox directly or use lookalike domains. CERT-XLM even had to deal with cases where both parties’ identities were usurped, but overall, the patterns are always the same. To go undetected, adversaries will often create Inbox Rules to hide the email exchanges from the compromised user. From a forensic perspective, we will also see the adversaries connecting from improbable locations, at unusual times of the day, and usually through a VPN service.
How to defend against this
The first mandatory step is to enforce multi-factor authentication on all exposed services such as Microsoft 365. For all your users, without exception. This will make things harder for adversaries to effectively use stolen credentials and compromise accounts.
Conducting user awareness training is still important to prevent phishing attacks. Users should be vigilant about unsolicited emails, stay wary of attachments and be able to identify fake Office 365 login pages. You might think this obvious, but consider the case where users access their professional emails from their smartphones. On these devices, many of the indicators that make a phishing attempt easy to spot are either not present or difficult to check. Moreover, unless the devices are strictly managed, you will have no Internet access logs warning you that someone in your organization visited a phishing website.
Lastly, you should monitor sign-in activity on cloud services. Look for connections outside business hours, from unusual countries, or originating from “well-known” network providers (looking at you, M247).
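The two BEC signals described above (anomalous sign-ins and mail-hiding Inbox Rules) can be triaged from exported audit events with a short script. This is an added example, not CERT-XLM or CSOC code: the event shape is a simplified, constructed imitation of Microsoft 365 audit records, and the per-user country baseline, business hours and provider watch-list are assumptions to adapt to your own tenant.

```python
from datetime import datetime

# Constructed sample in the shape of simplified Microsoft 365 audit events (not real data).
SAMPLE_EVENTS = [
    {"op": "UserLoggedIn", "user": "alice@example.com", "time": "2024-03-04T09:12:00Z",
     "country": "LU", "provider": "Example Telecom"},
    {"op": "UserLoggedIn", "user": "alice@example.com", "time": "2024-03-04T02:47:00Z",
     "country": "NG", "provider": "M247"},
    {"op": "New-InboxRule", "user": "alice@example.com", "time": "2024-03-04T02:51:00Z",
     "params": {"SubjectContainsWords": "IBAN", "MoveToFolder": "RSS Subscriptions",
                "MarkAsRead": True}},
    {"op": "UserLoggedIn", "user": "bob@example.com", "time": "2024-03-04T14:03:00Z",
     "country": "LU", "provider": "Example Telecom"},
]

# Assumed per-user baseline of countries seen during normal activity.
BASELINE = {"alice@example.com": {"LU"}, "bob@example.com": {"LU", "FR"}}
BUSINESS_HOURS = range(7, 19)          # assumed, in UTC; adapt to local office hours
WATCHED_PROVIDERS = ("M247",)          # VPN / hosting providers that deserve a second look
# Rule parameters that make mail disappear from the user's view.
HIDING_PARAMS = ("MoveToFolder", "DeleteMessage", "MarkAsRead", "SoftDeleteMessage")


def triage(events, baseline=BASELINE):
    """Return (user, time, [reasons]) for every event matching at least one BEC signal."""
    findings = []
    for ev in events:
        reasons = []
        hour = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").hour
        if ev["op"] == "UserLoggedIn":
            if hour not in BUSINESS_HOURS:
                reasons.append("sign-in outside business hours")
            if ev["country"] not in baseline.get(ev["user"], set()):
                reasons.append(f"sign-in from unusual country {ev['country']}")
            if any(p.lower() in ev["provider"].lower() for p in WATCHED_PROVIDERS):
                reasons.append(f"sign-in via watched provider {ev['provider']}")
        elif ev["op"] in ("New-InboxRule", "Set-InboxRule"):
            hiding = [k for k in ev["params"] if k in HIDING_PARAMS]
            if hiding:
                reasons.append(f"inbox rule hides mail ({', '.join(hiding)})")
        if reasons:
            findings.append((ev["user"], ev["time"], reasons))
    return findings


if __name__ == "__main__":
    for user, when, why in triage(SAMPLE_EVENTS):
        print(f"{when} {user}: {'; '.join(why)}")
```

A rule creation that follows an anomalous sign-in by a few minutes, as in the sample, is the combination worth escalating first.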
The good news is that Excellium Services CSOC has Use Cases available to detect such activities!
Ransomware groups are alive and kicking
Ransomware groups have been around for many years and have never stopped making headlines. But recently, we have seen some of them evolve to the point of exploiting vulnerabilities on exposed services only hours after the vulnerability was disclosed. Or even before, as was the case with the Cl0p ransomware group and the MOVEit vulnerability (CVE-2023-34362).
This proves that some ransomware groups have highly skilled technical people working on finding vulnerabilities, and enough staff or affiliates to perform mass exploitation afterwards.
Generally speaking, adversaries know as well as your IT team that when a critical vulnerability is discovered in an exposed device, time is of the essence. They will try to develop or obtain exploits as fast as possible to breach your infrastructure before you manage to apply a patch or a mitigation becomes available. Consequently, the usual mantras of defense in depth, including monitoring and patching, remain the most important means of keeping your company as secure as possible.
In addition, recent attacks CERT-XLM dealt with show that some ransomware groups have shifted their focus solely to data extortion and the threat of data publication – most of the time only hours after initial access – instead of encrypting as many assets as possible and trying to sell a decryption key. This may indicate that companies are now better prepared to face and recover from a major incident, and that ransomware groups must find new ways to get the most money out of an attack.
How to defend against this
CERT-XLM watches for vulnerability disclosures daily and notifies customers of each critical vulnerability discovered. However, to avoid sending too many notifications and thus ending up in the spam folder, CERT-XLM has defined strict criteria for TLP:CLEAR notifications. To be notified, a vulnerability:
- Must be rated critical,
- Must impact a service usually exposed on the Internet,
- Must impact an asset widely used in enterprises,
- Must allow Remote Code Execution.
For instance, we will not send a notification for a vulnerability affecting the management interface of a device, since such interfaces are really not supposed to be exposed on the Internet. So keep an eye out and patch as soon as possible, as these notifications are not to be taken lightly.
Once adversaries gain a foothold inside an organization, they follow common attack patterns that you must be able to detect: after initial access come discovery, lateral movement, privilege escalation and data exfiltration, among others. So watch for the CSOC’s alerts regarding internal scans of your network, installation of suspicious services or out-of-business-hours activity. They can indicate adversaries with a foothold inside your organization trying to locate interesting assets. Such alerts should be treated carefully by your teams.
Keep a set of offline backups as well, as they might be your last resort to recover from a ransomware attack. Ransomware groups are often aware of and knowledgeable about “warm” backup solutions and will attempt to destroy them. You might also need these backups to help forensic investigations determine when the adversaries gained access to your network, possibly enabling you to return to normal activities faster and more securely once the entry point has been identified.
Keep in mind that the simplest, fastest, and most effective way to prevent your data from leaking to the Internet once a breach of your infrastructure has been detected might be to shut down your Internet connection. However, this will probably have a serious impact on your activity until mitigations are in place, and in some cases might not be advisable. But in most scenarios, the longer you hesitate, the more likely the attack will end with ransomware being deployed and all your sensitive data stolen. So be prepared for this eventuality!
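The internal-scan alert mentioned above boils down to counting, per source and short time window, how many distinct hosts or ports one machine touches. The script below is an added illustration (not a CSOC Use Case) that runs that heuristic over constructed flow records; the thresholds, the 60-second window and the UTC business hours are assumptions to tune for your network.

```python
from collections import defaultdict
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"
BUSINESS_HOURS = range(7, 19)   # assumed, in UTC

# Constructed flow records (src, dst, dport, time); not real traffic.
SAMPLE_FLOWS = (
    # 39 SMB connections from one workstation to consecutive hosts within 40 seconds (sweep)
    [("10.0.5.23", f"10.0.1.{i}", 445, f"2024-03-05T22:10:{i:02d}Z") for i in range(1, 40)]
    # one server probed on 12 different ports at the same second (port scan)
    + [("10.0.7.9", "10.0.2.50", p, "2024-03-05T11:30:05Z")
       for p in (21, 22, 23, 80, 135, 139, 443, 445, 1433, 3389, 5985, 8080)]
    # benign repeated HTTPS traffic to a single host during office hours
    + [("10.0.5.40", "10.0.1.5", 443, f"2024-03-05T10:{m:02d}:00Z") for m in range(30)]
)


def detect_scans(flows, window=60, host_threshold=20, port_threshold=10):
    """Bucket flows per (source, window) and flag host sweeps and port scans."""
    buckets = defaultdict(list)
    for src, dst, dport, ts in flows:
        epoch = int(datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc).timestamp())
        buckets[(src, epoch // window)].append((dst, dport, epoch))
    alerts = []
    for (src, _), items in buckets.items():
        ports_per_host = defaultdict(set)
        for dst, dport, _ in items:
            ports_per_host[dst].add(dport)
        reasons = []
        if len(ports_per_host) >= host_threshold:
            reasons.append(f"host sweep: {len(ports_per_host)} hosts")
        for dst, ports in ports_per_host.items():
            if len(ports) >= port_threshold:
                reasons.append(f"port scan against {dst}: {len(ports)} ports")
        if reasons:
            # Out-of-hours activity is a second signal that raises the priority of the alert.
            hour = datetime.fromtimestamp(items[0][2], timezone.utc).hour
            if hour not in BUSINESS_HOURS:
                reasons.append("outside business hours")
            alerts.append((src, reasons))
    return alerts


if __name__ == "__main__":
    for src, why in detect_scans(SAMPLE_FLOWS):
        print(f"{src}: {'; '.join(why)}")
```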
Conclusion
Business Email Compromise and Ransomware are the most frequent incidents we deal with. The CSOC team is your first ally in detecting ongoing threats. Follow their advice regarding equipment onboarding into your SIEM and trust their roadmap for implementing Use Cases, as they know as much as we do where adversaries should be stopped first.
Invest the time needed to investigate any alert the CSOC sends, and if needed, the CSIRT team can help you resolve an incident in the most secure way and give you key recommendations to avoid similar incidents in the future.
Evaluate the mitigations you can put in place to save your business from a ransomware attack, including shutting down your Internet connection. And lastly, keep an up-to-date inventory of your devices and services exposed on the Internet and watch for any vulnerability impacting them. Patch or apply mitigations as soon as possible, and do not waste time isolating them in case of doubt, because adversaries also keep a close watch on new and old vulnerabilities and will exploit them if given the opportunity.