
Social engineering: The human component of cyberattacks


Nowadays, most people are aware of the risk posed by malware - it is a broad attack vector that most organisations are used to dealing with in some capacity. However, while this may have caused such techniques as old-fashioned social engineering to fall to the back of the corporate mind, they still pose considerable risk for the simple reason they still work. Especially with the globe in the grip of coronavirus, it is easier for bad actors to play on emotions, exploiting people’s fears in particular, to encourage targets to click on malicious links.

One of the most tried and tested social engineering tactics is business email compromise (BEC), which targeted eCrime groups still rely on. This method entices victims, allowing the adversary easy entry to critical data. Whether their objective is financial gain, data exfiltration or disruption of services, these attacks have clearly demonstrated their effectiveness. Hands-on-keyboard techniques as well as credential theft - with credential dumping, valid accounts and account discovery - are all seeing more extensive use. These methods are typically deployed in more sophisticated attacks where a human adversary is working towards a specific objective, posing risks to most organisations regardless of size.

The first thing to note in discussing the human component of cyberattacks is the distinction between malware and malware-free attacks. Malware vectors, where malicious files are written to the target disk, are typically what organisations will be used to defending against. These attacks are simpler to block and are usually prevented by traditional anti-malware software. Malware-free attacks, on the other hand, are methods which do not result in files or file fragments being written to disk. This category is broader and covers techniques where code is executed from memory or where stolen credentials are used. Malware-free techniques are typically much harder to detect as they rely on a human component, and behavioural detection and human threat hunting are the only proven methods of intercepting such attacks. Concerningly, CrowdStrike’s Global Threat Report noted a trend towards malware-free techniques in the last year, increasing from 40 per cent to 51 per cent. The report also noted this trend was particularly prevalent in EMEA and North America, where more highly-skilled actors are able to deploy such attacks.

Bad actors in disguise

As might be expected from the trend toward malware-free attack techniques in the last year, valid credentials were a key component of numerous cyberattacks in 2019. Through obtaining and leveraging credentials, malicious actors were able to gain access to systems, move laterally across organisations and establish persistence within them. From a defender’s perspective, however, attacks using this technique will appear to be valid activity by legitimate users on the network. The risk of compromise via these methods will inevitably persist for organisations that continue to rely on basic user IDs and passwords for authentication. Even the adoption of more sophisticated authentication frameworks, such as Two-Factor Authentication (2FA), does not entirely remove this vulnerability. Compromises exploiting vulnerabilities in authentication technology demonstrate that this is a blind spot in need of urgent attention.

A similar technique used by bad actors is known as email thread hijacking. Simply put, bad actors can hijack email content to present themselves as legitimate parties known to the defender. Adversaries steal a victim’s email content, identify email threads by the subject line (e.g., Re:), and generate a reply to the thread. This method has a much higher chance of recipients opening malicious attachments or links simply by virtue of the sender appearing to be someone that the defender knows - and the subject line referring to a prior conversation they had engaged in.
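One way a mail filter can test for the thread hijacking described above, shown as an added example rather than anything from the article or from CrowdStrike: it checks whether a message that presents itself as a reply references a thread the mailbox actually holds and comes from one of that thread's participants. The `hijack_signals` function, the `THREADS` index and all addresses are hypothetical and constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

REPLY_RE = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)
URL_RE = re.compile(r"https?://", re.I)

def hijack_signals(raw, threads):
    """Return reasons an inbound 'reply' looks like a hijacked thread.

    threads maps Message-ID -> set of participant addresses, built from
    the mailbox's own history (hypothetical structure for this example).
    """
    msg = message_from_string(raw, policy=policy.default)
    if not REPLY_RE.match(msg.get("Subject", "")):
        return []  # not presented as a reply, nothing to compare against
    sender = parseaddr(msg.get("From", ""))[1].lower()
    refs = (msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split()
    known = [r for r in refs if r in threads]
    reasons = []
    if not known:
        reasons.append("reply subject but no reference to a known message")
    elif not any(sender in threads[r] for r in known):
        reasons.append("sender is not a participant in the referenced thread")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    has_lure = bool(URL_RE.search(text)) or any(True for _ in msg.iter_attachments())
    if reasons and has_lure:
        reasons.append("carries a link or attachment")
    return reasons

# Constructed sample data: one known thread and two inbound messages.
THREADS = {"<m1@corp.example>": {"alice@partner.example", "bob@corp.example"}}
LEGIT = ("From: Alice <alice@partner.example>\nSubject: Re: Q3 invoice\n"
         "In-Reply-To: <m1@corp.example>\n\nThanks, received.\n")
HIJACK = ("From: Alice <alice@partner-mail.example>\nSubject: Re: Q3 invoice\n"
          "In-Reply-To: <m1@corp.example>\n\nSee https://files.example/doc\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("hijack", HIJACK)):
        print(name, hijack_signals(raw, THREADS))
```

This check does not fire when the reply is sent from the compromised participant's own mailbox, so it complements behavioural detection rather than replacing it.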

Simple but effective

Commonly, phishing emails and texts contain spelling and grammatical errors. When a suspicious message hits the inbox, checking the email address and spelling is crucial in identifying whether it is a genuine message. Another clue to whether an email is authentic is that an official organisation like a bank or hospital rarely advises users to download or click on links.

With coronavirus at the top of every business's agenda, it is extremely easy for eCrime groups to lure users into clicking on or downloading malicious files. From pretending to be healthcare organisations to impersonating neighbourhood watches, bad actors know no bounds. Often the emails are extremely simple and offer a solution or a cure to the virus. Once initiated, a multitude of damaging content is downloaded onto the devices, which can completely halt a business in its tracks.

An example of these types of attacks, detailed on the CrowdStrike blog, is an email impersonating the Ministry of Health of Colombia. The message claims to have a document that details the locations where there are confirmed cases of coronavirus, which it encourages users to download. If downloaded, the device is infected with a payload which is a remote access tool (RAT) that can steal credentials from Google Chrome, Firefox, Thunderbird and Microsoft Outlook. It can also record the user’s keystrokes.

Protect the network

For network defenders, social engineering techniques need to be kept front of mind. Corporate infrastructure that may not typically fall within the scope of “cybersecurity”, such as telephone networks, is part of what makes social engineering techniques so dangerous. Through these channels, which are infrequently covered by cybersecurity protocols, malicious actors can entice victims to open an email or click on a malicious document that results in compromise. Although this is a technique typically deployed against businesses for financial gain, 2019 showed examples from groups supported by nation-states. To combat this manifold threat, educating users is key. Technology is, of course, integral to detecting and stopping intrusions, but it is ultimately the end user that these attacks exploit. As such, user awareness programs can be initiated to combat the continued threat of phishing and related social engineering techniques.

In summary, the human component of cyberattacks has always presented a challenge for defenders. The nature of hands-on-keyboard attacks makes detecting and resolving compromises using these methods considerably harder. As the recent trend towards malware-free attacks encourages the use of social engineering techniques among bad actors, organisations will need to take measures to mitigate the risk. Organisational awareness programs go a long way in teaching end users how best to avoid these sorts of attacks. For IT decision-makers, the onus is on them to lead from the front and ensure best practice filters throughout the rest of their organisation.

Zeki Turedi, Technology Strategist EMEA, CrowdStrike

Zeki Turedi is an influential, tenacious and highly sought cybersecurity commentator, consultant and presenter. Zeki has extensive incident response & forensic knowledge within law enforcement, government and private sector. His specialties include incident response, malware analysis, threat intelligence, digital forensics, network forensics, digital investigations, data loss prevention, and advanced threat modelling.