Better, Smarter, Stealthier: How Cyber Breaches Are Evolving
It’s 9 am on a Friday morning. You arrive at the office, log in, check your email and see a message from an unknown sender referencing a registration for an upcoming corporate event that you attend annually. You’re intuitively a bit suspicious about its authenticity, but the email address appears to check out and the timing makes sense. Reassured, you open the email and click the attachment… the hacker has won. Hackers are getting good, frighteningly good! That is why we are more likely today than ever before to become the victim of a cyber attack. Cyber criminals are changing their tactics to bypass suspicion, reinforce trust and keep security specialists guessing. As a result, they are greatly improving the efficiency of their attacks and maximizing the return on their criminal efforts. But how, exactly?
Companies and their employees are becoming increasingly adept at identifying and avoiding phishing emails. In turn, hackers are responding with improved techniques and appear to be shifting to more sophisticated spear-phishing methods, which are considerably harder to detect because of their individualized nature. These sophisticated attacks are better designed, better timed, and often include some degree of private information that helps build confidence and reinforce trust.
We’ve all received them… tax-related phishing emails during tax season, fake shipping/invoice attachments during the holidays, fraudulent GDPR-related emails prompting increased security requirements. While these may be simple examples of well-timed campaigns, they’re common because they’re effective. They are wrapped in an element of “legitimacy” and catch us when our guard is down.
To illustrate a more sophisticated example, we recently witnessed a hacker send a fraudulent document request to an insurance brokerage, citing the name of the client and timing the request to coincide with the client’s insurance policy term – information that would typically be known only to the client and broker. While this degree of information is typically difficult to obtain, even something as seemingly innocuous as an email signature can later be used to soften a target when perpetrating a hack. In a similar attack we identified a phishing email containing an entire fabricated conversation between the “recipient” (victim) and a fictitious company. This specific attack was particularly well designed, right down to the actual email signature of the “recipient” the hacker was impersonating. They’re also getting creative. We’ve even heard stories of cyber criminals impersonating HR managers and targeting corporate employees with fictitious performance reviews.
More frightening, however, is the level of sophistication behind CEO fraud and fraudulent funds-transfer requests. In these schemes hackers have also been known to use espionage and man-in-the-middle attacks to lie in wait until they learn of the CEO’s absence (either through shadowed emails or social media posts), before impersonating the CEO and sending a funds-transfer request. The request appears more legitimate because it cites the CEO’s inability to transfer the funds personally, and the timing ensures the CEO is not available to verify it. We spoke to one mid-sized investment advisor that encountered such an attack, and the hacker’s references to the details of the CEO’s whereabouts were unsettling – referencing the specific restaurant, time and client with whom he was meeting. Although the attack was luckily detected, an SEC investigation still followed. In fact, the SEC has recently warned companies about the rise in social engineering attacks and funds-transfer fraud, alerting them to implement adequate security controls. Particularly in the context of public companies, it’s also important to remember that attacks such as these can create a snowball effect, resulting in additional damages that compound corporate losses, as recently discussed here. Reputational damage, regulatory fines, follow-on securities actions and derivative claims are just a few examples.
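As an added example (not from the article or any firm it quotes), a small Python triage check for the CEO-fraud signals described above: an executive’s display name arriving from an external address, a one-character lookalike of the corporate domain, or a Reply-To that steers the conversation to a different mailbox. The corporate domain, executive names and sample headers are constructed assumptions.

```python
"""Added example (not from the article): triage executive-impersonation mail.
Flags the CEO-fraud signals described above: an executive's display name on an
external address, a lookalike sender domain, or a Reply-To steering replies
elsewhere. CORP_DOMAIN, the names and the sample headers are constructed."""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"         # assumed corporate domain
EXECUTIVES = {"jane doe", "john smith"}  # assumed protected display names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> list:
    """Return findings for one raw RFC 822 message; an empty list means none."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", addr))
    from_dom, findings = domain_of(addr), []
    if name.strip().lower() in EXECUTIVES and from_dom != CORP_DOMAIN:
        findings.append("executive display name sent from an external domain")
    if 0 < edit_distance(from_dom, CORP_DOMAIN) <= 1:
        findings.append(f"lookalike sender domain: {from_dom}")
    if reply and domain_of(reply) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    return findings


# Constructed sample: executive's name on a free-mail address, replies steered
# to a third mailbox, urgency justified by the "CEO" being out of the office.
SAMPLE_CEO_FRAUD = (
    "From: Jane Doe <jane.doe@freemail.example>\n"
    "Reply-To: Jane Doe <jd.urgent@other-mail.example>\n"
    "Subject: Wire needed before I board\n\n"
    "I'm between meetings and can't log in, please send the wire today.\n"
)
```

Calling `check_message(SAMPLE_CEO_FRAUD)` returns two findings (external executive name and mismatched Reply-To); a genuine internal message from the same executive returns an empty list.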
In addition to improving the design and timing of their attacks, cyber criminals are also developing stealthier malware that can bypass security controls. In what some experts have dubbed “early bird” injection attacks, malicious code is injected before an application has finished initializing, effectively allowing it to bypass anti-virus scans. Similarly, hackers have already identified numerous ways to bypass security “sandboxes,” which are designed to isolate system programs/resources in order to mitigate damage from potentially infected files.
Some of the newest variants of malware, however, are more interested in remaining entirely undetected. Paul Ferrillo, a cyber-security attorney at Greenberg Traurig, has stated that they are seeing an increase in phishing and spear-phishing attacks which are sometimes combined with wiperware. Wiperware is, for all intents and purposes, a self-destruct button that attempts to destroy all evidence of its presence by destroying the victim’s entire hard drive/system in the process. It’s akin to a robber committing arson to hide the robbery. While the best defense against these attacks is regular, isolated, segmented and offline backups, backups themselves can only mitigate the costs associated with restoring the victim’s data. In most cases a forensic investigation will still be necessary to determine the extent of the intrusion and whether any protected information was in fact exposed. According to Paul, these attacks are particularly frightening, as they make every aspect of the post-breach remediation process very difficult and very time consuming.
When it comes to cyber insurance, attacks such as these may also create future coverage issues for insureds and insurers alike. If the malware can entirely disable a computer to cover its tracks, there may be no solid proof that there was any “unauthorized access” at all. It could appear instead (at least initially) as a system malfunction or equipment breakdown, which could inadvertently result in an inability to trigger coverage under a cyber insurance policy. Luckily, neither Paul nor his firm has witnessed any such coverage denials to date, which is promising. It does, however, stress the importance of securing insurance with an experienced carrier that has a strong claims reputation and broad policy terms and conditions.
We’ve already mentioned how cyber criminals are shifting their attention from blanket phishing attacks to more targeted spear-phishing campaigns; they are also increasingly turning to other, more effective methods, such as:
- Deploying newer forms of malware such as cryptojacking, which can be more difficult to detect and inflicts unexpected damage such as increased utility costs. Some insurers have responded by providing “utility fraud” coverage for such damages.
- Deploying smarter versions of ransomware that can disrupt entire systems/operations (as opposed to simply stealing data). These smarter versions can also set ransom demands based on the size of the company and the quantity (and quality) of information stolen.
- Shifting from email phishing (where most potential victims have their radar up) to social media posts, where victims are less guarded. In one such recent attack, Russian hackers were able to infiltrate the Pentagon on their first attempt through an automated Twitter post.
- Utilizing social media platforms such as LinkedIn to collect information (such as email addresses, employment information and client names) to build social profiles of their victims.
- Identifying and exploiting weak links such as IoT-connected devices like thermostats and security cameras, which may have weak security controls and/or default passwords. These attacks are also not isolated to large companies – we’re aware of at least one small business that was breached through an IoT-connected device.
More frightening, however, is the role artificial intelligence will play in future attacks. A recent study conducted by Seymour and Tully for ZeroFox demonstrated the improved efficacy of AI-based social media phishing campaigns. These machine-generated attacks were able to better identify “soft targets” who were more likely to interact with the phishing content. They were also able to use data collection to generate more effective content – extracting and leveraging private information such as geolocation data from posted media, and “events” that the target may have attended (or is likely to attend). The SNAP_R AI tool used by ZeroFox could also identify the most opportune times to post based on a user’s interaction history. And by sending fewer, more targeted posts (as opposed to blanket phishing posts), it was also better able to avoid detection by Twitter.
Lastly, cyber criminals also appear to be specializing and collaborating, which marks a significant step forward in their capabilities. Kevin Violette at RT Specialty, who is witnessing the emergence of these attacks, describes how they typically unfold: “We recently had one such claim where a client suffered a BitPaymer ransomware attack. This attack, however, was promulgated from a separate piece of software called Emotet, which is a banking Trojan.” It’s important to note that banking trojans don’t necessarily attack banks; rather, they gain access to the credentials of the target company’s employees through their use of online banking on company devices. “The Emotet trojan gains access to the system, and then a separate BitPaymer ransomware software gets installed into the target company’s computer network. The two pieces of software are installed by two different malicious entities, so it’s clear that the entities are collaborating. Due to the method of intrusion, the BitPaymer software will typically get very deep into the network, locking down the main network and all backups. This makes it particularly difficult to eradicate. As a result, the ransom demands have been increasing. Affected entities also appear to be more inclined to pay these ransoms, which in turn is fueling an increase in the number of attacks (due to higher success rates).”
With attacks becoming so intelligent and well designed, it begs the question: how can organizations possibly train their employees to become human cyber-threat detectors when the attacks themselves are so sophisticated? Consider this: you’re an employee finishing a 12-hour day; you’re mentally exhausted, your judgement is impaired and you’re rushing to leave the office. Just before running out the door you receive a fraudulent email that’s well designed and perfectly timed. How likely are you to click it? Now compound that scenario over an organization with hundreds or thousands of employees encountering these on a regular basis. Employee training has long been heralded as the holy grail of cyber security, and for the time being it remains a critical component of thorough cyber security policies and procedures. But as hackers continue to improve their methods of intrusion and phishing campaigns become increasingly harder to detect, the importance of employee training will slowly take a backseat to stronger security/software solutions such as advanced sandboxing techniques, improved threat detection and artificial intelligence.