The Federal Bureau of Investigation has issued a Private Industry Notification (PIN) to warn of attacks targeting enterprises, in which threat actors attempt to obtain employee credentials through vishing or chat rooms. The COVID 19 pandemic has forced the broad adoption of telework, cyber-criminals and threat actors are attempting to exploit possible misconfiguration and lack of monitoring for remote network access and user privileges. During the vishing attacks (voice phishing performed during phone calls) using VoIP platforms, employees were tricked into accessing fake web pages and entering their corporate usernames and passwords.
After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage. The cybercriminals found an employee via the company’s chatroom, and then convinced them into logging into a fake VPN page to reveal their credentials
What to do?
- Use Multi-factor Authentication (MFA) for all employee accounts.
- Adopt the least privilege principals for all employees.
- Actively monitor the IT environment for unauthorized access or modifications.
- Establish network segmentation and issue two accounts for administrators, one for Email and another for system changes.
- Include vishing exercises within your robust security awareness, behaviors, and culture programs to ensure employees are aware of current dangers and can take the appropriate actions to reduce the risk of an attack by unauthorized people
What can you do to when this happens to you?
- If you determine your network has been breached and/or compromised, immediately shut down and identify any malware present.
- Determine if any data has been modified or exfiltrated.
- If data has been stolen notify all parties affected including local law enforcement data crimes division and the FBI,
- Reinstate the network from a known “clean” backup
Ionut Arghire on January 18, 2021 Security Week