The Federal Bureau of Investigation (FBI) has issued a notification warning of ongoing vishing attacks that attempt to steal corporate accounts and credentials from US-based and international employees, with the goal of gaining network access and escalating privileges.
Vishing (also known as voice phishing) is a social engineering attack where attackers impersonate a trusted entity during a voice call to persuade their targets into revealing sensitive information such as banking or login credentials.
According to the TLP:WHITE Private Industry Notification (PIN) shared on Friday [PDF], the threat actors are using Voice over Internet Protocol (VoIP) platforms (aka IP telephony services) to target employees of companies worldwide, regardless of their level in the corporate hierarchy.
“During COVID-19 shelter-in-place and social distancing orders, many companies had to quickly adapt to changing environments and technology,” the PIN reads. “With these restrictions, network access and privilege escalation may not be fully monitored.”
Phishing sites used to collect VPN credentials
During the attacks, the attackers tricked the targeted employees into logging into a phishing webpage they controlled to harvest their usernames and passwords.
In multiple cases, once they gained access to the company’s network, the threat actors found they had broader network access than expected, allowing them to escalate privileges using the compromised employees’ accounts.
This gives them further access into the infiltrated networks, and they are oftentimes able to cause significant financial damage.
“In one instance, the cybercriminals found an employee via the company’s chatroom, and convinced the individual to log into the fake VPN page operated by the cybercriminals,” the FBI said.
“The actors used these credentials to log into the company’s VPN and performed reconnaissance to locate someone with higher privileges.
“The cybercriminals were looking for employees who could perform username and e-mail changes and found an employee through a cloud-based payroll service.
“The cybercriminals used a chatroom messaging service to contact and phish this employee’s login credentials.”
Second corporate vishing warning in one year
This is the second warning of active vishing attacks targeting employees that the FBI has issued since the start of the pandemic, a period in which an increasing number of employees have become teleworkers.
In August 2020, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning remote workers of an ongoing vishing campaign targeting companies from several US industry sectors.
“In mid-July 2020, cybercriminals started a vishing campaign — gaining access to employee tools at multiple companies with indiscriminate targeting—with the end goal of monetizing the access,” the agencies said at the time.
“Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks.”
In the August attacks, the threat actors also used maliciously crafted sites cloning the targeted companies’ internal VPN login pages which also enabled them to harvest two-factor authentication (2FA) or one-time passwords (OTP).
After tricking the victims into approving the OTP or 2FA prompts, the scammers gained control of their cellphones and bypassed 2FA and OTP authentication in a SIM swap attack.
To help companies and employees mitigate this type of phishing attack, the FBI shared a series of recommendations:
- Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.
- When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network.
- Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
- Network segmentation should be implemented to break up one large network into multiple smaller networks which allows administrators to control the flow of network traffic.
- Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.
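The attack chain described above (vished VPN credentials, a login from an unfamiliar source, then reconnaissance and account changes such as e-mail or username edits) leaves a trace that the monitoring recommendation can act on. The following is an added example, not code from the FBI notification or from any vendor: it correlates VPN logins from a source IP a user has never used before with identity changes made under that account shortly afterwards. The log formats, field names, sample addresses, the one-hour correlation window and the `find_suspicious` function are all constructed assumptions.

```python
"""
Correlate VPN logins from unfamiliar source IPs with account modifications
that follow them. Illustrative detection logic only; the log formats and
thresholds below are constructed assumptions, not any product's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log.
# Assumed format per line: "<ISO timestamp> <user> vpn_login <source_ip>"
VPN_LOG = """
2021-01-11T08:02:10 alice vpn_login 203.0.113.5
2021-01-12T08:05:44 alice vpn_login 203.0.113.5
2021-01-13T09:13:02 alice vpn_login 203.0.113.5
2021-01-14T22:41:17 alice vpn_login 198.51.100.77
2021-01-14T09:00:03 bob vpn_login 192.0.2.9
"""

# Constructed sample identity / payroll change log.
# Assumed format per line: "<ISO timestamp> <acting_user> <event> <detail>"
CHANGE_LOG = """
2021-01-14T22:55:01 alice email_change bob@example.com->attacker@example.net
2021-01-13T10:00:00 bob email_change carol@example.com->carol.new@example.com
"""


def parse(log: str) -> list[tuple[datetime, str, str, str]]:
    """Parse whitespace-separated log lines into (time, user, event, detail), sorted by time."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return sorted(events)


def find_suspicious(vpn_log: str, change_log: str,
                    window: timedelta = timedelta(hours=1)) -> list[dict]:
    """
    Flag VPN logins where (a) the user already has a login history, (b) the
    source IP has never been seen for that user, and (c) the same account
    performs an identity change within `window` of the login.
    Returns one alert dict per such login.
    """
    vpn_events = parse(vpn_log)
    change_events = parse(change_log)
    seen_ips: dict[str, set[str]] = defaultdict(set)  # user -> IPs seen so far
    alerts = []

    for login_time, user, _, source_ip in vpn_events:
        # A user's very first login only establishes the baseline.
        is_new_source = bool(seen_ips[user]) and source_ip not in seen_ips[user]
        seen_ips[user].add(source_ip)
        if not is_new_source:
            continue

        # Any identity change by this account inside the window after the login.
        followed_by = [
            c for c in change_events
            if c[1] == user and login_time <= c[0] <= login_time + window
        ]
        if followed_by:
            alerts.append({
                "user": user,
                "source_ip": source_ip,
                "login_time": login_time,
                "changes": followed_by,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(VPN_LOG, CHANGE_LOG):
        print(f"[ALERT] {alert['user']} logged in from new source "
              f"{alert['source_ip']} at {alert['login_time']} and then made "
              f"{len(alert['changes'])} identity change(s)")
```

In the sample data only `alice` trips the rule: her fourth login comes from an address she has never used, and an e-mail change follows fourteen minutes later, which mirrors the payroll-service step in the FBI's account. A new source IP on its own is a weak signal (travel, a new ISP), which is why the example only alerts when it is paired with an account modification; in a real deployment the baseline would be built from a longer history and the change events would come from the identity provider or payroll system's audit log.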