Phishing, Endpoint/Device Security, Threat Management

Attacker-controlled devices can launch lateral phishing attacks, Microsoft warns

A logo sits illuminated outside the Microsoft pavilion on the opening day of the World Mobile Congress at the Fira Gran Via Complex on Feb. 22, 2016, in Barcelona, Spain. (Photo by David Ramos/Getty Images)

Microsoft on Wednesday reported on a new multi-phase phishing campaign where an attacker-controlled device joined the targeted network and was able to move laterally.

In a blog post, the Microsoft Defender Threat Intelligence Team said in the first phase of the campaign, the attackers stole credential at organizations located in Australia, Singapore, Indonesia, and Thailand. The stolen credentials were then used in the second phase, in which the attackers leveraged the compromised accounts to run lateral phishing attacks.

The researchers found that the second stage of the campaign was successful against victims that did not implement multi-factor authentication (MFA). In cases where the organization did not use MFA, the attacker was able to register a device using freshly stolen credentials. The researchers noted that device registration is on the rise and that the easy availability of pen testing tools designed to execute this technique will lead to more such cases in the future.

Phishing has become the most common and effective method used by threat actors to get initial access into a victim’s environment, said Stefano De Blasi, cyber threat intelligence analyst at Digital Shadows. De Blasi said many phishing campaigns that are detected are amateur attempts at exploiting their targets’ cognitive biases, they instill a sense of urgency or fear into the email recipient. Despite their low sophistication, these campaigns are widely profitable for threat actors who have consistently used the same methods for many years.

As such, De Blasi said it becomes necessary to study a threat actor’s innovative and multi-staged strategy when security researchers observe new and sophisticated phishing attempts. The use of stolen credentials to add an attacker-controlled device into a targeted environment demonstrates that the attack was well-planned in advance, and was carefully executed to increase the number of compromised victims.

“These observations suggest that the threat actor behind this campaign likely possesses financial and technical resources to develop new offensive techniques and, in turn, it makes it realistically possible that it was politically motivated,” De Blasi said. This campaign also serves as a powerful reminder of the importance of enabling MFA on every work-related device, which can ensure a minimum level of account security. Although not a bulletproof method, MFA can go a long way in preventing many cyberattacks and should be mandated on corporate accounts.”

Roger Grimes, data driven defense evangelist at KnowBe4, added that he does not put a lot of faith in MFA being the ultimate panacea in perfectly protecting networks, especially in the way that most MFA works today. Grimes said that there’s strong MFA, but most of it, especially as pushed by the major players, is easily bypassed and phished around.

“The spokesperson is selling MFA like it’s the perfect protector that all defenders need to get to stop hackers,” Grimes said. “The right way to be selling MFA is to make sure you are not using easily phishable MFA, and that using MFA will decrease computer security risk, and for that reason alone, is reason enough to have it. But articles like this one unfortunately perpetuate the idea that getting MFA is this Holy Grail that will put down all attackers. And it’s just not. It’s important to communicate appropriate expectations. Because if you push the idea that MFA is going to defeat all hacking, and the customer moves to MFA, and still gets hacked, there are going to be questions and frustrations."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.