This past October, Brian Krebs spoke at the BSIMM US Community Conference about a lot of interesting topics, and of particular note was his discussion of contemporary cyber crime. He said there’s a group on the dark web claiming they can infiltrate any corporate VPN, which is a pretty bold claim. The interesting part is how they’re going about it: of all the high-tech breaches and techno-scenarios we think and read about, these adversaries simply call employees and ask for their credentials.
The Weakest Link
Professional cyber criminals are an opportunistic bunch, and the onset of COVID-19 and the corresponding increase in corporate VPN usage presented too much of a target-rich environment to resist. How could they go about pillaging? They could try to break encryption, but that's hard and takes resources, if it's even going to work at all. They could start scanning a company’s domains and infrastructure, looking for that one service left open and exposed to the internet with a default admin account and password. But they probably wouldn't bother because they’d know from LinkedIn that the company has some security mavens.
Let’s take a hypothetical company, “Acme,” as an example. Like any company, Acme’s IT people are on LinkedIn—even the newest hires. Hackers obviously know how to make a phone call from another country look like it’s coming from the corporate office or an R&D center, so let’s imagine they decide to give it a try.
"Hello John, this is Mary from Acme IT. I know you've already been here for a bit, but I wanted to say welcome anyway, since I couldn't say it to you personally due to all of this COVID mess. What a mess, huh?
Hey, I've been here for seven years now [information obtained from LinkedIn] and I think you’re going to like it a lot. The people are so cool.
I'm calling because we're seeing some strange activity on your VPN login, so I need to simulate a login from my workstation so I can distinguish good and bad login patterns. We do this when we see something unusual. I need you to log out, and I'm going to log into your account. Ready? Ok, log out. Yep, I see it. Ok, I'm logging in with your account jdoe [first initial and last name of the new employee]. Ok, I need your password. Ok, great, it's 2FA'ing me—that's great, it's supposed to do that. Can you open your 2FA validator app and tell me what it's saying? Ok great, I'm recording this traffic pattern. Give me about 10 minutes to finish the trace and then go ahead and log back in. Looking forward to meeting you in person when I visit your local office and all this COVID stuff is over—I can't wait. Thanks!"
If this doesn't work because John was suspicious, the hackers can move on to the next relatively new employee at Acme who they found on LinkedIn, and modify their game a little at the point where they think John caught on to the scheme. If Acme is even aware of this and training its employees, the hackers can afford to wait six months and try again.
Sound far-fetched? It isn’t—apparently, it’s one of the most prolific scams going on. Once logged into the VPN, the hackers identify the most critical assets and encrypt as much as they can. The ransom required to obtain the decryption key will be 10% of the company’s annual revenues—a number that’s publicly available thanks to 10-K filings with the SEC. To make matters worse, it’s only getting more difficult to prosecute these bad actors as the world becomes less integrated and international law enforcement cooperation deteriorates.
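The scam above leaves a recognizable footprint in VPN logs: the victim logs out on request, and minutes later the same account logs in from a different source address with MFA passing, because the victim read the code out loud. As an added example (not code from the original post), here is a small detector for that logout-to-login handoff; the log format, field names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample VPN log lines (not from any real system). The format is
# assumed: "<ISO timestamp> user=<name> event=<logout|login> src=<ip> mfa=<ok|fail|->"
SAMPLE_LOG = """\
2020-10-05T10:00:12 user=jdoe event=logout src=203.0.113.10 mfa=-
2020-10-05T10:03:40 user=jdoe event=login src=198.51.100.7 mfa=ok
2020-10-05T10:05:01 user=asmith event=logout src=203.0.113.22 mfa=-
2020-10-05T10:06:30 user=asmith event=login src=203.0.113.22 mfa=ok
2020-10-05T11:30:00 user=bwong event=logout src=203.0.113.31 mfa=-
2020-10-05T13:15:00 user=bwong event=login src=198.51.100.9 mfa=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_handoff_logins(log_text, window=timedelta(minutes=15)):
    """Flag a successful login from a new source address shortly after the same
    user logged out. MFA succeeds in this scam (the victim supplied the code),
    so the signal is the cross-source handoff, not an MFA failure."""
    last_logout = {}  # user -> (timestamp, src) of that user's most recent logout
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "logout":
            last_logout[rec["user"]] = (rec["ts"], rec["src"])
        elif rec["event"] == "login" and rec["mfa"] == "ok":
            prev = last_logout.get(rec["user"])
            if prev and rec["src"] != prev[1] and rec["ts"] - prev[0] <= window:
                alerts.append({"user": rec["user"], "logout_src": prev[1],
                               "login_src": rec["src"],
                               "gap_seconds": int((rec["ts"] - prev[0]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_handoff_logins(SAMPLE_LOG):
        print(alert)
```

Only jdoe is flagged: asmith returned from the same address, and bwong's gap exceeds the window, so an alert like this is worth a quick call back to the employee on a known-good number rather than an automatic lockout.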
Recently a major software vendor was targeted by an adversary, and senior management implored employees not to try to capitalize on the company’s misfortune, because there will be another similar attack and anyone is a target. This is about the legitimate business community versus the illegitimate community. COVID-19 will eventually be a thing of history, but cyber crime will not.
Keeping an entire organization’s IT staff anxious and hypervigilant probably won't help (plus it's exhausting), but there are a few small things employees can do to help strengthen security.
- We’ve all heard it by now, but never give out a username, password, or any authentication information to anyone, ever.
- Security should be handled at a steady, sustainable pace and in a targeted and relentless manner. The turtle wins this particular race.
- We should all constantly learn about security and be its advocate.
- Nobody’s perfect, and we’ve all had days when we’ve gone into work distracted, but that can unfortunately be taken advantage of. If someone on the team gets a call, an email, or anything that seems suspicious or even unusual, they shouldn’t hesitate to reach out to IT security to ask about it prior to taking any other action.
- Nobody’s saying people shouldn’t use LinkedIn, but we should all remember that LinkedIn doesn’t appear to take many—if any—steps to safeguard its users. Not everyone there is a real person; some profiles are personae crafted to ensnare unsuspecting users. The history of this on the platform is not insignificant.
I received this communication—probably from an imposter taking advantage of LinkedIn. Similar to how the scammer in the example above pretended to be an IT person from Acme and built trust before the attack, bad actors know that LinkedIn users are likely to be more trusting of incoming messages on the platform. The following LinkedIn private communication started with questions about my finance background, and then moved onto some pretty suspicious (if not outright illegal) solicitations.
The profile picture isn’t connected to a real name and might even be AI generated.
We’re all currently experiencing an elevated level of stress, no matter where we are in the world. This is a good opportunity for traditional and cyber criminals to strike, as global economies take a hit and traditional institutions experience turbulence. Remember to stay calm, learn to recognize threats, and lean on IT departments and friends if need be—whatever it takes to stay safe.
Editor's Note: These reflections on Brian Krebs’ talk at the 2020 BSIMM Community Conference are from Tyson Kamp, application security principal at Axway. If you would like to contribute to the BSIMM Community blog, please send your ideas to email@example.com.