The security community knows that most successful attacks don’t involve highly technical vulnerability exploits but instead aim to trick a human into making a mistake. Vanbreda Risk & Benefits (a Belgian cyber insurer) reported in March 2022 that 90% of their cyber claims were due to a human mistake [i].
But categorizing these attacks as “simple” or “low sophistication” is underestimating the adversary. While early phishing attacks were relatively simple, criminals have adapted and improved, using specialization, teamwork, and a highly dynamic underground attack-service economy.
What is worrying is the trend of attacks moving away from infrastructure that the organizations can control. Instead of directly targeting organization infrastructure, attackers now try to find valid login details elsewhere (e.g., botnet logs, dark web sales, etc.) or deliver an attack attempt via a personal channel (e.g., SMS- or voice phishing). Consequently, it is much harder for organizations to detect and respond to these attacks.
Here are two breaches from last year, illustrating the techniques and tactics of actual breaches. Note that these attacks were successful against companies with very good security programs.
Twilio, a technology company in Silicon Valley, experienced a breach in August 2022, affecting around 300 customers[ii].
The attackers could send SMS messages to Twilio employees, posing as company IT administrators requesting a reset of the employee SSO (single sign-on) account password and linking to a valid-looking SSO login page.
Impressively, attackers uncovered Twilio employee phone numbers and matched the employee names with the correct number. It is unknown where they found this information but buying it on a darknet forum is a distinct possibility. Additionally, they had a robust attack infrastructure in place and were able to cycle fake login pages as the old ones were blocked by Twilio.
Impact on defensive measures
- Using SMS as the initial attack vector bypasses existing (email-based) anti-phishing protection.
- Having multiple fake login pages on plausible domains (twilio-sso.com, twilio.net, twilio.org) extended the reach of the attack and showed it was targeted and well-prepared.
- A digital risk protection tool (detecting typo-squatting DNS or darknet sales of Twilio data) might have helped here. Twilio does have a threat intelligence function, but it focuses on threat actor tactics, techniques, and procedures.
- Password complexity and lockout rules are useless in this case.
- Twilio employees had the right idea, reporting the attack to the IT department. Either they had the proper training, thought it was a bug, or were already security sensitive. Twilio still thinks it can do better and is planning additional training related to social engineering.
- Multi-factor authentication (MFA) might have stopped the attack, but that’s not certain. Depending on the type of MFA, practical bypass techniques might exist. Twilio did implement FIDO2 tokens shortly after the attack. See the breach below for more information on MFA bypass techniques and FIDO2.
In May 2022[SC1] , Cisco experienced a breach in which malicious actors gained access to privileged Cisco systems. They were quickly detected because of some careless moves post-compromise. Cisco shut the attackers down before there was any impact on customers. What is most interesting to us here is the initial attack vector[iii].
The attackers first gained access to the personal google account of a Cisco employee. This employee had Cisco credentials saved in his browser, which were synced to the google account, giving the attackers the password.
Because Cisco has MFA enabled, knowing the password alone is not enough. The threat actors used a combination of voice phishing (the affected employee received multiple calls, where the criminals tried to trick the employee into leaking sensitive information) and MFA fatigue (where they generate so many push messages to your phone until you click yes, either accidentally or to get rid of the alerts). One of these MFA bypass attempts was successful, and the attackers gained access to the Cisco VPN.
After this, the attackers elevated privileges and downloaded a bunch of known security tools. That is an unusual step, as it is sure to alert the defensive team. Indeed, at this point, the Cisco incident response team stepped in and shut the attack down. It is strange that the hackers made such a silly mistake. A possible explanation is that the attackers were specialized in gaining access (so-called “initial access broker” or IAB), which they then sell on criminal fora. They might have gone out of their competence zone and made a mistake that alerted the defenders.
Impact on defensive measures
- It is unclear how the criminals gained access to the personal google account. Plausible scenarios are: leaked in another breach, in a botnet log, or via phishing. It is unlikely Cisco could have prevented this, as the leak was related to the personal account and not to an account that could be linked to Cisco.
- Password complexity and lockout rules are unlikely to have helped.
- There is an option to disable the built-in chrome password manager, but we would not do that without a valid internal alternative. To have a password leaked this way might seem unlikely. We think it’ll happen more because of the convenience of the chrome password manager and the increasing specialization in the criminal ecosystem, with parties focussing specifically on this use case.
- Cisco has MFA enabled, but the attackers managed to bypass it. They tried at least two techniques:
- Voice phishing (vishing): multiple English-speaking people with different accents called the affected employee over several days. They posed as people in the support organization trusted by the user and tried to trick the employee into divulging sensitive information on the phone.
- MFA fatigue: sending multiple push messages to the victim’s phone until they accept, either accidentally or in an attempt to silence the device.
At least one of their attempts succeeded, resulting in the breach. This is interesting because it shows the weaknesses of the common types of MFA.
Of note are the FIDO2 MFA tokens, which are not vulnerable to the above attacks. However, they come with their challenges in cost and token management. It is up to the individual organization to make a suitable trade-off regarding cost, manageability, and security.
The above breaches affected two highly technical companies with comprehensive and successful security programs. As the security industry continues to improve and remove the (technical) low-hanging fruit, attackers will increasingly look for other creative ways to break through the defence.
There seems to be a trend to move away from the infrastructure of the target organization, first attacking indirectly instead. The two breaches above involve a phase where the target organization cannot see or influence the ongoing attack (e.g., phishing via the personal employee phone or password leakage via an account compromised elsewhere). These kinds of attacks will likely increase, and the defensive side will have to move beyond the organization's boundary to protect its vital assets.