Multiple hacking gangs are preying on remote workforces and corporate VPNs through vishing attacks that are more efficient, dangerous and ubiquitous than ever, prompting the U.S. government to issue both a warning and advice on how to thwart them.

“The news has spread throughout the hacker community and multiple groups are now doing this,” said Allison Nixon, chief research officer at Unit 221b.

As evidenced by last month’s Twitter hack, attackers deliver a one-two punch with one hacker calling the victim to dangle a lure. Simultaneously, another hacker types in the stolen user names, passwords and two-factor authentication PIN codes on a fake page that looks like the VPN log-in page from the victim’s corporate IT department.

“In some cases, unsuspecting employees approved 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to [a] help desk impersonator,” the FBI and CISA said in a joint advisory last week that warned security teams to stay vigilant.

The attacks are intended for long-term access during which hackers execute a fraudulent help-desk call and maintain access for several weeks, according to a ZeroFOX Alpha team blog post. They then broker the access and sell it to members of account takeover gangs, either to steal cryptocurrency or for bragging rights. The researchers found that the vishing attackers target mostly financial institutions and cryptocurrency exchanges, telecom and mobile companies, SSO providers and public platforms such as social media sites and code-sharing sites.

One specific vishing gang has a remarkably high success rate and operates primarily through paid requests or bounties, in which groups seeking access to specific companies or accounts can hire them to target employees working remotely at home, KrebsOnSecurity said in a report. Over the past six months, the vishing gang has allegedly created dozens, if not hundreds, of phishing pages that target some of the world’s largest companies.

The techniques used by the vishing gang cited in the report were similar to those of the Twitter attackers, said Nixon, although she stopped short of saying it was the work of the same hackers.

“It almost doesn’t matter anymore,” Nixon said. “The hackers have learned about this technique, it’s spread almost like a fad. Right now, the cool thing is VPN vishing.”

Nixon said the VPN-based vishing attacks are dangerous because they give threat actors entrée into the full corporate network, and she believes these groups will only step up their attacks. “Right now, they are very skilled in intrusion, but they are still learning how best to monetize their efforts,” she said.

The attacks detailed in a Unit 221b blog post center around a legitimate employee being required to use multifactor authentication to access the VPN. In most normal situations, a typical corporate user would log on with a username and password, and then a one-time PIN would be sent to their cell phone. But in this case, as the victim logged on to the phishing page and gave up their credentials and one-time password, the hacker would simultaneously enter the same information on the real corporate VPN.

There’s no question that the industry has seen a rise in phishing attacks that target users outside of email, said Chris Hazelton, director of security solutions at Lookout.

“Receiving a call from a confident, well-spoken actor who’s often using public information from social networks like LinkedIn, or corporate data from already breached corporate directories, goes a lot further than phishing emails with misspellings or incorrect terms,” Hazelton said. “Attackers that calmly and confidently guide targets through a multistep authentication process that mirrors the real process is something that few users are confident or knowledgeable enough to question as suspicious.”

Fighting back

Security teams should use these new attacks as an opportunity to rethink their VPN log-on policies, said Nixon, explaining that with so many people, including entire call centers, now working from home and using the corporate VPN, companies are “long overdue” for an overhaul.

Nixon said security teams should start by evaluating their VPN log-on policies and deciding which authentication option works best for them. She said companies can install X.509 certificates on the browser to authenticate. They could also deploy a mobile device management system, which would only authenticate on a company-owned device and on the “real” VPN page. Or finally, they can deploy a hardware-based YubiKey. While the YubiKeys are popular and easy to use, they do cost roughly $20 a unit, and for a large company that could add up. However, YubiKeys would only authenticate on the “real” VPN page as well, so for a small price tag they can be quite effective. People complain about the extra step or having to carry around a hardware key, but it sure beats the alternative.
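Why a hardware key authenticates only on the “real” VPN page while a one-time PIN does not can be shown from the server's side; the sketch below is an added example, not code from Unit 221b or any vendor. It assumes FIDO-style origin binding, uses an HMAC as a stand-in for the key's asymmetric signature, and both hostnames are constructed.

```python
import hashlib, hmac, json, secrets

EXPECTED_ORIGIN = "https://vpn.corp.example"    # assumed real VPN portal (constructed)
LOOKALIKE_ORIGIN = "https://corp-vpn.example"   # constructed lookalike page

def otp_check(submitted: str, expected: str) -> bool:
    """A one-time PIN is a bare value: the server cannot tell where it was typed."""
    return hmac.compare_digest(submitted, expected)

def token_sign(device_key: bytes, challenge: str, browser_origin: str) -> dict:
    """Model of browser + hardware key: the browser, not the user, records the
    origin it is really on, and the key signs it together with the challenge."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                             sort_keys=True).encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def token_verify(device_key: bytes, challenge: str, assertion: dict) -> bool:
    """Server side: verify the signature, then the challenge, then the origin."""
    want = hmac.new(device_key, assertion["client_data"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, assertion["sig"]):
        return False                    # signed client data was altered
    data = json.loads(assertion["client_data"])
    return (hmac.compare_digest(data["challenge"], challenge)
            and data["origin"] == EXPECTED_ORIGIN)

def demo() -> dict:
    key = secrets.token_bytes(32)       # stand-in for the key's credential
    challenge = secrets.token_hex(16)   # fresh per log-on attempt
    pin = f"{secrets.randbelow(10**6):06d}"
    on_real = token_sign(key, challenge, EXPECTED_ORIGIN)
    on_fake = token_sign(key, challenge, LOOKALIKE_ORIGIN)
    # Rewriting the origin after signing invalidates the signature.
    rewritten = dict(on_fake, client_data=on_fake["client_data"].replace(
        LOOKALIKE_ORIGIN.encode(), EXPECTED_ORIGIN.encode()))
    return {
        "pin_typed_on_lookalike": otp_check(pin, pin),  # same digits, accepted
        "key_on_real_page": token_verify(key, challenge, on_real),
        "key_on_lookalike": token_verify(key, challenge, on_fake),
        "key_with_rewritten_origin": token_verify(key, challenge, rewritten),
    }

if __name__ == "__main__":
    print(demo())
```
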

Companies should look at a defense-in-depth approach that includes the following: comprehensive security awareness training and education; monitoring and pre-emptive blocking of problem domains; SSO auditing; and employing role-based access best practices for internal panels, ZeroFOX researchers wrote.

“Human susceptibility remains a weak spot in any risk mitigation strategy,” said Charles Ragland, a security engineer at Digital Shadows. “Executing a culture of security awareness in the workplace will help reduce these risks. Train coworkers to be suspicious of emails or phone calls they aren’t expecting, and have simple-to-follow policies in place to report incidents so that they can be properly examined.”