Cybersecurity Without Insanity? It could be as simple as 3 – 2 – 1…
This week: Ransomware encryption is so 2022, Microsoft 365 login pages are destined for Greatness, and we need to be politely paranoid.
3 – Ransomware encryption is so 2022.
Ransomware gangs are increasingly focusing their efforts on stealing data rather than encrypting it, having realised that the threat of publishing what they took can be enough on its own to make a victim pay. The shift matters for defenders because good backups, the standard answer to encryption, do nothing against a copy of your data that has already left the building.
This is according to a recent article in The Register, which was reporting on a joint advisory from the FBI, CISA and the Australian Cyber Security Centre (ACSC) about the techniques of one particular gang called BianLian.
Key takeaway: The advisory contains a lot of advice on how to reduce the risk of being BianLian’s next victim. Step 1: Confirm with your IT people that Remote Desktop Protocol (RDP) is blocked from the internet or tightly restricted (reachable only over a VPN or gateway, from allow-listed sources, with MFA), and that every account that can log in over RDP has a strong, unique password. The advisory reports that BianLian gets its initial foothold using valid RDP credentials, so internet-facing RDP is the first door to close.
2 – Our Microsoft 365 login pages are destined for Greatness
A new phishing-as-a-service (PaaS) offering named “Greatness” has been used in several attacks against Microsoft 365 users over the last 12 months, enabling cyber attackers to fool staff into thinking they are logging into their employer’s genuine Microsoft 365 service. The service also prompts the victim for their MFA code and relays it to Microsoft straight away, so the attacker is signed in before the code expires. This is an adversary-in-the-middle attack: the fake page sits between the victim and the real service, and one-time codes or push approvals give no protection against it.
This detailed report from Talos, recently mentioned by KnowBe4, describes the step-by-step process and includes screenshots to show how realistic the scam looks.
The scam starts with a phishing email. According to Talos, the email “typically contains an HTML file as an attachment and, under the pretext of a shared document, leads the victim to open the HTML page. [This displays] a blurred image that shows a spinning wheel, pretending to load the document. The page then redirects the victim to a fake Microsoft 365 login page, usually pre-filled with the victim’s email address, and the custom background and logo used by their company [on their genuine Microsoft 365 login page].”
Key takeaway: Talos does not recommend ways to defend against this attack, apart from ‘buy our products’, so here’s my Top 3:
- The attack starts with a phishing email: Make sure your staff receive regular awareness training so they know what to look out for, and bring this particular scam to their attention now. The specific check to teach is the address bar: the genuine Microsoft 365 sign-in page is served from login.microsoftonline.com (or your own federated sign-in domain), so a password prompt on any other domain is a fake, however convincing it looks. A pre-filled email address and your company logo prove nothing, because the kit fetches that branding from the real service.
- The attack usually involves an HTML file attachment: Block HTML file attachments (.html and .htm, and ideally HTML inside zip files too) at the mail gateway. As I’ve discussed in the past, there are very few genuine business reasons for these types of attachments. In Microsoft 365 this can be done with a mail flow rule or by adding those file types to the anti-malware policy’s common attachment types filter. Note that a normal HTML-formatted email body is not an attachment and should not be blocked.
- The attacker may not be in the same part of the world as your staff: If you can, restrict access to your Microsoft 365 environment to specific IP addresses or geographies using ‘Conditional Access’ rules (define your offices and VPN as named locations, then block sign-ins from everywhere else). Exclude an emergency ‘break-glass’ account, run the policy in report-only mode first to see what it would have blocked, and treat it as a speed bump rather than a wall: an attacker can rent a VPN exit in your country.
None of these are fool-proof, but they significantly reduce the risk. The one control that actually defeats this class of attack is phishing-resistant MFA (FIDO2 security keys, passkeys or Windows Hello for Business): the authenticator will only sign for the genuine domain, so there is no code for a fake page to relay.
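To make the “block HTML attachments” advice concrete, here is an added example of the check a mail gateway or SOC script would run; it is not code from the newsletter or from Talos. It parses a raw email, flags only HTML delivered as a file (an ordinary HTML-formatted body is left alone), and pulls out the cheap indicators the Talos description suggests: a script, a redirect, and a URL hidden inside a base64 blob. The sample message, the `Document.html` filename and the `example.test` / `example.invalid` domains are constructed for the demo and are not from the report.

```python
"""Flag HTML attachments in raw e-mail and pull the redirect target out of the lure.

Added example (not the newsletter's or Talos' code). The sample message is built
in build_sample() to match the described lure: a 'shared document' mail carrying
an HTML file that shows a blurred 'loading' image and then redirects to a URL
hidden in base64. All domains here are made up.
"""
import base64
import binascii
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

HTML_EXTENSIONS = {".html", ".htm", ".shtml", ".xhtml"}
ATOB_RE = re.compile(rb"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(rb"https?://[^\s'\"<>]+")
REDIRECT_RE = re.compile(
    rb"window\.location|location\.(?:href|replace|assign)|http-equiv=['\"]refresh", re.I
)


def analyse_html(payload: bytes) -> dict:
    """Static indicators for a standalone HTML file: script, redirect, base64 blobs, URLs."""
    blobs = []
    for blob in ATOB_RE.findall(payload):
        try:
            blobs.append(base64.b64decode(blob, validate=True))
        except (binascii.Error, ValueError):
            continue
    # Search the raw HTML *and* the decoded blobs: kits hide the real URL in base64.
    haystack = b"\n".join([payload, *blobs])
    return {
        "has_script": b"<script" in payload.lower(),
        "has_redirect": REDIRECT_RE.search(payload) is not None,
        "decoded_base64_blobs": len(blobs),
        "urls": sorted({u.decode("ascii", "replace") for u in URL_RE.findall(haystack)}),
    }


def scan_message(raw: bytes) -> dict:
    """Return every HTML file attached to a raw RFC 5322 message, plus a verdict.

    A text/html *body* (no filename, no attachment disposition) is normal and is
    not flagged; only HTML delivered as a file is.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename.lower())[1]
        is_html_file = ext in HTML_EXTENSIONS or (
            part.is_attachment() and part.get_content_type() == "text/html"
        )
        if not is_html_file:
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append(
            {
                "filename": filename,
                "content_type": part.get_content_type(),
                "size": len(payload),
                **analyse_html(payload),
            }
        )
    return {"html_attachments": findings, "verdict": "quarantine" if findings else "deliver"}


# --- constructed sample input (made-up domains, not from the Talos report) -----
PHISH_URL = b"https://login.example.invalid/?e=alice@example.test"
LURE_HTML = (
    b"<html><body><img src='spinner.gif' style='filter:blur(6px)'>"
    b"<script>setTimeout(function(){window.location.href=atob('"
    + base64.b64encode(PHISH_URL)
    + b"');},1500);</script></body></html>"
)


def build_sample(with_lure: bool) -> bytes:
    """A 'shared document' e-mail with an HTML body; with_lure adds the HTML attachment."""
    msg = EmailMessage()
    msg["From"] = '"Shared Documents" <noreply@example.test>'
    msg["To"] = "alice@example.test"
    msg["Subject"] = "A document has been shared with you"
    msg.set_content("Alice, please open the attached document.")
    msg.add_alternative("<p>Alice, please open the attached document.</p>", subtype="html")
    if with_lure:
        msg.add_attachment(LURE_HTML, maintype="text", subtype="html", filename="Document.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for with_lure in (False, True):
        print("lure" if with_lure else "benign", scan_message(build_sample(with_lure)))
```

Run it on a real `.eml` by passing the file’s bytes to `scan_message`. The benign sample is delivered because its HTML is only the message body; the lure is quarantined, and the decoded `atob()` argument gives you the phishing domain to block and to hunt for in your proxy and sign-in logs.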
1 – We need to be politely paranoid
It could take 5 minutes for a scammer to fool us into thinking we are speaking to a loved one on the phone.
This is according to a recent episode of 60 Minutes by CBS News in the USA, in which Rachel Tobac, CEO of Social Proof Security, demonstrated how an attacker can use freely available online tools and Artificial Intelligence to fool someone into thinking they are speaking to a loved one or colleague on the phone. Rachel used a caller-ID spoofing service to make the call appear to come from a different phone number, and an AI voice-cloning app to mimic someone else’s voice. It took them about 5 minutes, and the recipient of the call genuinely thought they were speaking to their colleague. The full report by CBS News (about 15 minutes long) also discusses the many ways attackers target us in order to get their hands on our money.
Key takeaway: In our new AI world, it is becoming increasingly difficult to trust anything that we read, see, or hear. As Rachel says, we need to be “politely paranoid”:
- If the call, text, email, or message is dire, urgent (or too good to be true), it’s likely to be a scam.
- Use a different method of communication to check it’s real: hang up and call the person back on a number you already have, not one supplied in the message, and agree a family or team code word in advance for exactly this situation.
PS Thanks to Paul Burke for sending this my way.
PS I talk about these news stories, and delve into how to manage cyber risks and regs without losing your sanity, on the “Cybersecurity Without Insanity” podcast.
All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.