{"id":23560,"date":"2023-12-09T16:01:18","date_gmt":"2023-12-10T00:01:18","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/12\/09\/news-17290\/"},"modified":"2023-12-09T16:01:18","modified_gmt":"2023-12-10T00:01:18","slug":"news-17290","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/12\/09\/news-17290\/","title":{"rendered":"Protecting credentials against social engineering: Cyberattack Series"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft Incident Response| Date: Mon, 04 Dec 2023 17:00:00 +0000<\/strong><\/p>\n<p>Our story begins with a customer whose help desk unwittingly assisted a threat actor posing as a credentialed employee. In this <a href=\"https:\/\/www.microsoft.com\/content\/dam\/microsoft\/final\/en-us\/microsoft-brand\/documents\/ms-security-experts-cyberattack-series-part-4-octo-tempest-final.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">fourth report in our ongoing Cyberattack Series<\/a>, we look at the steps taken to discover, understand, and respond to a credential phishing and smishing (text-based phishing) cyberattack that targeted a legitimate, highly-privileged user with social engineering\u2014allowing the cyberattacker to impersonate the victim and weaponize a help desk to remove their multifactor authenticated device and register their own.<\/p>\n<h2 class=\"wp-block-heading\">Highly privileged users at risk<\/h2>\n<p>Credential-based cyberattacks often begin with cyberthreat actors targeting individuals who they believe are connected to the people who have the credentials they need. Then they conduct social and dark web reconnaissance to find and wind their way to highly privileged users and gain enough information to impersonate them. In the past, cyberthreat actors have even been known to impersonate and masquerade as staff, including chief information security officers (CISOs) and other incident response firms. 
Cybercriminals use trust, context, and emotion to trick people with smishing links. At that point, they don\u2019t need to hack, they just log in. Many smishing and social engineering attacks employ a rush of push notifications that can overwhelm or confuse a target, causing multifactor authentication fatigue. Researchers believe the onslaught of notifications is causing us to get tired faster and lose focus, leaving us especially prone to distraction as the day wears on.<sup>1<\/sup> All the pings, clicks, swipes, buzzes, texts, and taps can weigh on a target, causing them to believe an access attempt is legitimate. And cyberthreat actors don\u2019t let up. By the end of June 2023, we observed approximately 6,000 multifactor authentication fatigue attempts\u2014per day\u2014every day.<sup>2<\/sup><\/p>\n<h2 class=\"wp-block-heading\">Untangling the tentacles of a cyberattack<\/h2>\n<p>In the case of threat actor Octo Tempest, once they gained access, they began wrapping their tentacles around valuable assets and collecting additional credentials by using third-party credential-harvesting tools against cloud and on-premises assets. They searched through the customer\u2019s SharePoint and email system for sensitive information about IT processes and VPN architecture. 
Then they modified the normal authentication flow, which allowed them to authenticate as any user in the organization, without requiring their credentials.<\/p>\n<p>In this report, we examine the factors contributing to the cyberthreat actor\u2019s initial incursion and explore what could have happened without prompt tactical mitigation efforts. We walk through mitigation efforts step by step. Then we examine Octo Tempest\u2019s tactics, techniques, and procedures (TTPs) to understand the extent of the compromise and how we were able to help the customer evict the cyberthreat actor completely. We\u2019ll also explore how organizations can educate employees to reduce the chance of social engineering attacks, and share five proactive elements of a <a href=\"https:\/\/www.microsoft.com\/security\/business\/zero-trust\">Zero Trust<\/a> approach that can protect against highly motivated, tenacious cyberthreat actors like Octo Tempest.<\/p>\n<h2 class=\"wp-block-heading\">Preventing cyberattacks<\/h2>\n<p>Many cyberattacks can be prevented\u2014or at least made more difficult to execute\u2014through the implementation and maintenance of basic security controls. Organizations can strengthen their cybersecurity defenses and better protect against cyberattacks by understanding in depth the tentacles of a far-reaching credential breach like this one. <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-incident-response\">Microsoft Incident Response<\/a> can provide expert guidance to customers when an attack becomes too complex and challenging to mitigate alone\u2014and before an attack happens\u2014to develop a comprehensive incident response plan and ensure security personnel are trained to recognize and respond to social engineering attacks. With Microsoft\u2019s intelligence-driven incident response, customers can access the help they need anywhere in the world, all day, every day\u2014both on-site and remotely. 
The proactive and reactive incident response services let customers take advantage of the depth and breadth of Microsoft Threat Intelligence and gain unique access to product engineering. It also means customers can benefit from the longstanding Microsoft partnerships with government agencies and global security organizations for the latest, most comprehensive intelligence available.<strong>\u00a0<a href=\"https:\/\/www.microsoft.com\/content\/dam\/microsoft\/final\/en-us\/microsoft-brand\/documents\/ms-security-experts-cyberattack-series-part-4-octo-tempest-final.pdf\">Read the report<\/a><\/strong>\u00a0to learn more about the cyberattack, including the response activity, and lessons that other organizations can learn to avoid being caught in the tentacles of a social engineering compromise.<\/p>\n<h2 class=\"wp-block-heading\">What is the Cyberattack Series?<\/h2>\n<p>With this Cyberattack Series, customers will discover how Microsoft incident responders investigate unique and notable exploits. 
For each cyberattack story, we will share:<\/p>\n<ul>\n<li>How the cyberattack happened.<\/li>\n<li>How the breach was discovered.<\/li>\n<li>Microsoft\u2019s investigation and eviction of the cyberthreat actor.<\/li>\n<li>Strategies to avoid similar cyberattacks.<\/li>\n<\/ul>\n<p>Read the first blog in the Cyberattack Series,&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/02\/08\/solving-one-of-nobeliums-most-novel-attacks-cyberattack-series\/\">Solving one of NOBELIUM\u2019s most novel attacks<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Learn more<\/h2>\n<p>To learn more about Microsoft Incident Response,&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-incident-response\">visit our&nbsp;website<\/a>&nbsp;or reach out to your Microsoft account manager or Premier Support contact. Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\">Microsoft Security<\/a>) and Twitter (<a href=\"https:\/\/twitter.com\/@MSFTSecurity\">@MSFTSecurity<\/a>)&nbsp;for the latest news and updates on cybersecurity.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<p><sup>1<\/sup><a href=\"https:\/\/www.discovermagazine.com\/technology\/phone-notifications-are-messing-with-your-brain\" target=\"_blank\" rel=\"noreferrer noopener\">Phone Notifications Are Messing With Your Brain<\/a>, Discover Magazine. 
April 29, 2022.<\/p>\n<p><sup>2<\/sup><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/security-insider\/microsoft-digital-defense-report-2023\">Microsoft Digital Defense Report 2023<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/12\/04\/protecting-credentials-against-social-engineering-cyberattack-series\/\">Protecting credentials against social engineering: Cyberattack Series<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft Incident Response| Date: Mon, 04 Dec 2023 17:00:00 +0000<\/strong><\/p>\n<p>Our fourth installment in the Cyberattack Series examines a smishing and social engineering attack and outlines the steps organizations can take to help minimize the risk and prepare for the possibility.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/12\/04\/protecting-credentials-against-social-engineering-cyberattack-series\/\">Protecting credentials against social engineering: Cyberattack Series<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security 
Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[],"class_list":["post-23560","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23560"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23560\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}