There used to be a difference in sophistication between nation-state sponsored cyber attackers and mere criminals. Not any more, says a security vendor.
In its latest annual report, FireEye's Mandiant unit says the tradecraft of some financially motivated threat actors has caught up with the best that well-funded spy agencies can offer.
“Financial attackers have improved their tactics, techniques and procedures to the point where they have become difficult to detect and challenging to investigate and remediate,” says the M-Trends 2017 report, which was released Tuesday. (Registration required).
“Perhaps the most unexpected trend we observed in 2016 is attackers calling targets on the telephone to help them enable macros in a phishing document or obtain the personal email address of an employee to circumvent controls protecting corporate email accounts. To compound the issue, threat groups have also shown increased sophistication when it comes to escalating privileges and maintaining persistence.”
Meanwhile, organizations' defences have been slow to respond, the report says. “We have observed that a majority of both victim organizations and those working diligently on defensive improvements are still lacking fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.
“Based on our observations of trends from the past several years, organizations must adopt a posture of continuous cyber security, risk evaluation and defensive adaptation or they risk significant gaps in both fundamental security controls and – more critically – visibility and detection of targeted attacks. Sophisticated intelligence integration, automation, and threat hunting should be the end-state goal for organizations facing significant business risks and exposure to cyber attacks,” says the report, but not, it adds, at the expense of basic security controls.
That includes data and key application segregation, network segmentation, and continuous visibility and monitoring of critical systems. These “should remain a primary focus for many IT and security teams.”
At the same time the report urges CISOs to invest in automation and orchestration to help winnow down the number of alerts funnelled to security analysts.
The report also warns that attackers are increasingly finding ways to get around multi-factor authentication, which infosec pros have been relying on to secure logins, in order to gain access to corporate email. For example, in one attack that abused the OAuth tokens used by Gmail, a phishing message was sent to a victim, purportedly from Google, asking for permission to run a “Google Scanner” because attacks had supposedly been detected. If the victim agrees, clicks on the link and then clicks on “Allow,” an OAuth token with full access to read, write and delete content in the user’s Gmail and Google Drive is granted.
Such activity could be detected by an administrator through G-Suite’s administration panel, which gives access to authorized applications connected to an account and the OAuth token authentications.
In addition, administrators running Microsoft Exchange Web Services on premises are being warned that because they don’t have the capability to offer users multi-factor authentication, their organization is at risk. Even if their email is not accessible from the Internet, attackers move laterally to Exchange servers to harvest emails. This lateral movement often occurs through a web shell backdoor that attackers place on the server, such as malicious Active Server Pages (ASP) content or Internet Server Application Programming Interface (ISAPI) extensions for Internet Information Services (IIS), the report notes.
Mandiant says investigators should review the MSExchange Management application log for successful cmdlet executions of Add-MailboxPermission with Event ID 1. This event identifies the permissions, target and recipient of the delegation. Typical indicators of malicious activity are a single account that has been delegated access to more than one mailbox within a short timeframe, or an account that has been delegated Full Access.
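The following is an added example, not code from the report or from FireEye, of how those two indicators can be applied to exported MSExchange Management events. It assumes the Event ID 1 message renders as “Cmdlet succeeded. Cmdlet <Name>, parameters {Key=Value, ...}.” (check your own server’s rendering before trusting the regex), and the sample records, account names and mailbox names are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records standing in for "MSExchange Management" log entries,
# as (timestamp, event id, message). Any record whose event id is not 1, or whose
# cmdlet is not Add-MailboxPermission, is ignored by the parser below.
SAMPLE_EVENTS = [
    ("2017-03-10T09:00:12", 1, "Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=alice, User=bob, AccessRights=ReadPermission}."),
    ("2017-03-10T09:05:40", 1, "Cmdlet succeeded. Cmdlet Get-Mailbox, parameters {Identity=cfo}."),
    ("2017-03-10T09:05:41", 1, "Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=cfo, User=svc-migrate, AccessRights=FullAccess, InheritanceType=All}."),
    ("2017-03-10T09:06:02", 1, "Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=ceo, User=svc-migrate, AccessRights=FullAccess, InheritanceType=All}."),
    ("2017-03-10T09:06:30", 1, "Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=legal, User=svc-migrate, AccessRights=FullAccess, InheritanceType=All}."),
    ("2017-03-10T09:07:00", 6, "Cmdlet failed. Cmdlet Add-MailboxPermission, parameters {Identity=hr, User=svc-migrate, AccessRights=FullAccess}."),
    ("2017-03-20T14:00:00", 1, "Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=carol, User=bob, AccessRights=ReadPermission}."),
]

# Assumed message layout: "... parameters {Key=Value, Key=Value}."
PARAMS_RE = re.compile(r"parameters \{(?P<params>[^}]*)\}")


def parse_delegation(timestamp, event_id, message):
    """Return the delegation recorded by a successful Add-MailboxPermission
    event (Event ID 1), or None for any other record."""
    if event_id != 1 or "Cmdlet Add-MailboxPermission," not in message:
        return None
    m = PARAMS_RE.search(message)
    if not m:
        return None
    params = {}
    for pair in m.group("params").split(", "):
        key, _, value = pair.partition("=")
        params[key.strip()] = value.strip()
    return {
        "time": datetime.fromisoformat(timestamp),
        "mailbox": params.get("Identity"),      # target of the delegation
        "account": params.get("User"),          # recipient of the delegation
        "rights": params.get("AccessRights", ""),
    }


def find_suspicious_delegations(events, window=timedelta(hours=24)):
    """Apply the report's two indicators: any FullAccess grant, and one account
    being delegated access to more than one mailbox inside `window`."""
    delegations = [d for d in (parse_delegation(*e) for e in events) if d]
    findings = []

    # Indicator 1: Full Access delegated to an account.
    for d in delegations:
        if "FullAccess" in d["rights"]:
            findings.append({"kind": "full-access", "account": d["account"],
                             "mailboxes": [d["mailbox"]], "time": d["time"]})

    # Indicator 2: the same account receiving access to several mailboxes
    # within a short timeframe (sliding window over that account's grants).
    by_account = defaultdict(list)
    for d in delegations:
        by_account[d["account"]].append(d)
    for account, grants in by_account.items():
        grants.sort(key=lambda d: d["time"])
        for i, first in enumerate(grants):
            in_window = [g for g in grants[i:] if g["time"] - first["time"] <= window]
            mailboxes = sorted({g["mailbox"] for g in in_window})
            if len(mailboxes) > 1:
                findings.append({"kind": "multi-mailbox", "account": account,
                                 "mailboxes": mailboxes, "time": first["time"]})
                break  # one finding per account is enough to trigger review
    return findings


if __name__ == "__main__":
    for f in find_suspicious_delegations(SAMPLE_EVENTS):
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['kind']:<13} {f['account']} -> {', '.join(f['mailboxes'])}")
```

On the constructed sample this flags the three FullAccess grants to svc-migrate and the fact that svc-migrate was delegated three mailboxes within a minute, while bob’s two read-only grants ten days apart stay below the threshold. The 24-hour window is a starting point; tune it to how mailbox delegation is normally performed in your environment.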
The report offers a number of recommendations to detect these and other attacks, including enhanced auditing of changes to email or multi-factor authentication infrastructure. One recommendation is using a time-based one-time password (TOTP) hardware token or smartphone-based application as a second factor of authentication. Technologies that use SMS or device certificate-based authentication should be avoided.