Cyber Defence Report - July 2020

Business Email Compromise (BEC) has kept our Security Operations Centre analysts busy over the last year. So much so that, when we perform a compromise assessment on an enterprise customer, it is rare that we do not find at least one account showing signs of suspicious behaviour.

We have built scripts that enable us to hunt through customers' Office 365 estates looking for tell-tale signs of compromise, such as mail forwarding, newly created inbound email rules and executables uploaded to SharePoint. We have also built our own detection rules, applied to all OGL customers, in the hope of identifying these cyber-criminals early and stopping them before they have managed to exfiltrate data or plan and launch the next attack.
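The three indicators named above (mail forwarding, suspicious inbox rules and executables uploaded to SharePoint) can be hunted for in Office 365 Unified Audit Log exports. The script below is an added illustration written for this report and is not OGL's own hunting tooling. It assumes the audit records have been exported as JSON-like dictionaries with the operation names (`New-InboxRule`, `Set-InboxRule`, `Set-Mailbox`, `FileUploaded`) and parameter names (`ForwardTo`, `RedirectTo`, `ForwardingSmtpAddress`, `DeleteMessage`) used by Exchange Online and SharePoint auditing; the record shape is simplified and every record below is constructed sample data.

```python
"""Hunt Office 365 Unified Audit Log records for common BEC indicators."""
import re

# Operation and parameter names follow the Office 365 Unified Audit Log /
# Exchange Online cmdlets. The record layout is a simplified assumption of
# the exported JSON; all records in SAMPLE_RECORDS are constructed.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
MAILBOX_OPERATIONS = {"Set-Mailbox"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
EXEC_EXT = re.compile(r"\.(exe|dll|scr|msi|hta|ps1|bat|cmd|vbs|js)$", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

SAMPLE_RECORDS = [  # constructed sample data
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "attacker@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:ext@mail.example.net"}]},
    {"Operation": "FileUploaded", "UserId": "carol@example.com", "ClientIP": "192.0.2.5",
     "SourceFileName": "invoice_update.exe",
     "SiteUrl": "https://example.sharepoint.com/sites/finance"},
    {"Operation": "New-InboxRule", "UserId": "dave@example.com", "ClientIP": "192.0.2.9",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "frank@example.com", "ClientIP": "192.0.2.12",
     "Parameters": [{"Name": "Name", "Value": "Helpdesk copy"},
                    {"Name": "ForwardTo", "Value": "helpdesk@example.com"}]},
    {"Operation": "FileUploaded", "UserId": "erin@example.com", "ClientIP": "192.0.2.11",
     "SourceFileName": "budget.xlsx",
     "SiteUrl": "https://example.sharepoint.com/sites/finance"},
]


def _params(record):
    """Flatten the Exchange-style Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_addresses(value, internal_domains):
    """Return the addresses in a parameter value whose domain is not internal."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in internal_domains]


def check_record(record, internal_domains):
    """Return a list of (indicator, detail) tuples for one audit record."""
    op = record.get("Operation", "")
    hits = []
    if op in RULE_OPERATIONS or op in MAILBOX_OPERATIONS:
        params = _params(record)
        for name in FORWARD_PARAMS:
            if name not in params:
                continue
            ext = external_addresses(params[name], internal_domains)
            if ext:
                kind = ("inbox rule forwards mail externally" if op in RULE_OPERATIONS
                        else "mailbox forwarding set to external address")
                hits.append((kind, f"{name} -> {', '.join(ext)}"))
        # A forwarding rule that also deletes the message hides the activity
        # from the mailbox owner, so it is worth calling out separately.
        if op in RULE_OPERATIONS and hits and params.get("DeleteMessage", "").lower() == "true":
            hits.append(("forwarded mail is deleted from the mailbox", f"rule name '{params.get('Name', '')}'"))
    elif op == "FileUploaded":
        name = record.get("SourceFileName", "")
        if EXEC_EXT.search(name):
            hits.append(("executable uploaded to SharePoint", f"{name} at {record.get('SiteUrl', '')}"))
    return hits


def hunt(records, internal_domains):
    """Run every record through check_record and collect findings per user."""
    findings = []
    for rec in records:
        for indicator, detail in check_record(rec, internal_domains):
            findings.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                             "operation": rec.get("Operation"),
                             "indicator": indicator, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS, {"example.com"}):
        print(f"{f['user']:<20} {f['operation']:<14} {f['indicator']} ({f['detail']})")
```

Run against the constructed records, the script flags Alice's hidden external forwarding rule, Bob's mailbox-level forwarding and Carol's executable upload, while Dave's move-to-folder rule and Frank's internal forward are left alone. The internal domain set is the one piece of customer-specific input; forwards to addresses inside it are treated as benign, so it should list every domain the tenant legitimately owns.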

Until recently these attacks were largely the domain of Nigerian cyber-criminals and tended to target businesses indiscriminately. Once they had compromised an account, they would monitor the conversation looking for information such as invoice payments, insert themselves into the conversation and then attempt to change the bank details for invoice payments.

Many of these attacks succeed because they are hard for users to spot: the cyber-criminal is using a valid account with access to detailed information, so the attack bypasses many of the warning signs we have been training users to look out for. Compromised email accounts are also used to launch attacks against other businesses in the same supply chain.

According to the US Justice Department, these sorts of attacks are estimated to have netted Nigerian cyber-criminals in excess of $1.3 billion.

The NCSC and the FBI have had a number of successes recently in taking down these gangs, and there is an interesting story about a cyber-criminal recently arrested in Dubai with £40 million in cash: https://www.bbc.co.uk/news/world-africa-53309873.

With this amount of money involved, it was always going to attract attention from other groups. Agari, an email security company, has noted a new group called Cosmic Lynx (next month's Defence Report will cover threat groups and naming). Cosmic Lynx appears to be Russian and, instead of indiscriminately attacking victims, is much more targeted in its approach.

You can read more about Cosmic Lynx here: https://www.computerweekly.com/news/252485856/Cosmic-Lynx-cyber-crime-group-takes-BEC-to-new-heights

We expect more cyber-criminal outfits to enter this space over the next 6 months, especially if the return on investment continues to be so attractive.

Our advice to all customers is to turn on two-factor authentication, turn off legacy protocols, monitor for signs of malicious behaviour and train staff to identify invoice fraud.

In other news, we recently alerted managed customers to an ongoing attack on the Australian Government and its critical infrastructure. From the threat intelligence we received, most of these attacks were targeting unpatched SharePoint and Citrix gateway vulnerabilities.

We have also alerted customers to the rise in phishing attacks using HMRC and Covid-19 in the subject.

We had a busy weekend with the announcement of critical vulnerabilities in F5 and Palo Alto products. Both are remotely exploitable, and our threat intel provider is reporting that both are being actively exploited by cyber-criminals and need patching ASAP.

Details are below:

https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve

https://security.paloaltonetworks.com/CVE-2020-2021

Stay safe
Paul Colwell, Technical Director