Email remains the dominant initial access vector into corporate resources for adversaries.
The reliance on email as a communication tool within corporate environments makes it an enticing target for cybercriminals seeking to infiltrate networks. Phishing, a deceptive technique in which attackers masquerade as trustworthy entities to manipulate individuals into divulging sensitive information, remains a prevalent threat. Email phishing campaigns no longer rely on a simple password grab; they seek to compromise the account even through the additional protective measures put in place.
One of the primary challenges in mitigating email-based threats is the adaptability of attackers. As cybersecurity defenses evolve, so do the tactics employed by malicious actors. As the industry moves from on-premise infrastructure to the cloud, attackers modify their tooling and techniques accordingly. With cloud-connected services, the legacy company network perimeter, which can be relatively easily managed, monitored and hardened, becomes a blurred line; instead, each individual remote device with access to cloud resources is a potential intrusion vector. To stay ahead, security solutions must keep pace with these changes, become platform-agnostic and protect at multiple stages of the kill chain.
In our threat research at the DNS level, we see evolving trends in adversaries' tricks and techniques. Among the most common are phishing attacks capable of bypassing multi-factor authentication, malicious attachments designed to evade antivirus checks, and advertisement abuse for malware delivery.
Search engine and advertisement abuse
Among the dangerous techniques we frequently see in our threat detections are malware infections originating from sites masquerading as the download pages of legitimate, commonly used software such as VLC media player, WinRAR or Notepad. Attackers have been successfully abusing search engine and social media advertising to push fake download sites to the top of search results when users look for the tool installers, spreading trojans and infostealers to both end users and enterprise employees.
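As an added example (not code from the original article and not DNS4EU's own detection logic), the following Python script scores the domain names seen in DNS query logs against a short, assumed list of protected brands. This is the kind of check a protective resolver or a log pipeline can run to surface impersonation sites such as the fake installer pages described above, and it applies equally to the phishing proxy domains discussed later in the article. The brand list, the log line format and the sample log lines are constructed for the example.

```python
"""Lookalike-domain scoring over DNS query logs.

Added example, not code from the original article or from DNS4EU.
The protected-brand list, the log line format and the sample lines below
are constructed for illustration.
"""
import re

# Assumption: a defender-maintained list of registrable domains to protect.
PROTECTED = {"paypal.com", "microsoft.com", "videolan.org"}

# Multi-character confusables are folded first, then single characters.
SEQ_MAP = [("rn", "m"), ("vv", "w")]
CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Constructed log line format: "<timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|HTTPS|CNAME)\s+(\S+)$")


def normalize(label: str) -> str:
    """Fold common confusables so 'paypa1', 'rnicrosoft' and 'micro-soft' compare equal to the brand."""
    s = label.lower()
    for seq, repl in SEQ_MAP:
        s = s.replace(seq, repl)
    return s.translate(CHAR_MAP).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(fqdn: str) -> str:
    """Last two labels. Simplification: production code should use the public suffix list."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(fqdn: str):
    """Return (verdict, protected_domain) or None when the name raises no flag."""
    name = fqdn.rstrip(".").lower()
    reg = registrable(name)
    if reg in PROTECTED:
        return None  # the genuine domain or one of its subdomains
    # brand.tld placed in front of an unrelated registrable domain
    for brand in PROTECTED:
        if name.startswith(brand + "."):
            return ("brand_as_subdomain", brand)
    norm = normalize(reg.split(".")[0])
    for brand in PROTECTED:
        # distance 1 catches typos; the threshold suits long brand labels better than short ones
        if levenshtein(norm, brand.split(".")[0]) <= 1:
            return ("lookalike", brand)
    for brand in PROTECTED:
        if brand.split(".")[0] in norm:
            return ("brand_embedded", brand)  # e.g. videolan-download.net, lower confidence
    return None


def scan(lines):
    """Parse log lines and return one finding per flagged query, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _qtype, qname = m.groups()
        verdict = classify(qname)
        if verdict:
            findings.append({"ts": ts, "client": client, "qname": qname,
                             "verdict": verdict[0], "brand": verdict[1]})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-03-04T09:00:01Z 10.0.0.5 A www.videolan.org",
    "2024-03-04T09:00:02Z 10.0.0.5 A videolan-download.net",
    "2024-03-04T09:00:03Z 10.0.0.8 A paypa1.com",
    "2024-03-04T09:00:04Z 10.0.0.8 HTTPS paypal.com.secure-login.net",
    "2024-03-04T09:00:05Z 10.0.0.9 A rnicrosoft.com",
    "2024-03-04T09:00:06Z 10.0.0.9 A example.com",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['qname']:32} {f['verdict']:18} -> {f['brand']}")
```

The three verdicts carry different confidence: a brand placed in front of an unrelated registrable domain or a one-edit lookalike is almost always worth blocking, whereas a brand merely embedded in a longer label needs a second signal (domain age, hosting reputation) before enforcement, or legitimate mirrors and fan sites will be caught.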
One particularly interesting campaign targeted employees in marketing positions with fake offers of AI tools such as Google Bard or a new version of ChatGPT. These phishing sites were spread via sponsored posts on social networks, aimed at people managing company social media pages. Once the person was convinced to download and install the malware, it compromised the company account and used the saved credit card and advertising budget to spread further malicious campaigns.
Two-factor authentication bypasses
The main mitigation against unauthorized access is multi-factor authentication. While highly effective against password theft, this protection is not bulletproof and also adds friction for the user. With MFA enabled, the password alone can no longer let attackers in. But if the user already has a live authenticated session, its token, stored in the browser or in memory, can still be stolen and abused.
QR code phishing, or quishing, is gaining popularity among fraudsters stealing user accounts and payment information. QR codes are often used by services to make sign-in and information sharing more user-friendly. A common example is signing your account in on a new device: instead of typing the username and password, you simply scan the presented QR code with the app and seamlessly log in.
The basic scam involves encoding the phishing link in a QR code, which is not human-readable. While users are nowadays used to inspecting the target URL before clicking, a QR code offers no such preview. If the code is presented convincingly under a reputable logo, the user may be tempted into opening the link by scanning it. It also naturally moves users to their phone, where vigilance is generally lower and security measures may not be present.
A more sophisticated abuse of QR codes is seamless account takeover. QR codes can speed up the login process for supported services: the user scans the code with an authenticator app on the phone. The code is dynamically generated and unique for each user who visits the login page. If the attacker requests a login, presents the user with the issued QR code and the user scans it with their authenticator, the attacker gains the user's active logged-in session without needing a password or second factor.
When a user is logged into an account, the browser or operating system retains an authentication session to avoid disrupting them by constantly asking for the password again. If someone gets hold of the session secret or token, they can access the account without needing the password or any second factor.
Now that multi-factor authentication is enforced in most sensitive places, stealing the password via phishing or social engineering is no longer enough to breach an account. Attackers react by targeting the authenticated session itself instead of the password.
A common case is a malicious domain that serves as an intercepting proxy between the legitimate service and the user. When the user opens the link, they are presented with the login page of the original service and everything works as it should, including the prompt for the second factor. Except that all communication also passes through the attacker, and once the unsuspecting user confirms the multi-factor authentication, the session cookie is immediately stolen.
This technique is highly dangerous: the phishing site is indistinguishable from the original, the user receives a real validation request from the second-factor provider, and the only clue is the wrong domain in the URL.
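From the service's side, a stolen session cookie looks like a legitimate session until it is used from somewhere the sign-in did not come from. As an added example (not code from the original article), the Python below runs that check over identity-provider audit events: it remembers the network that completed MFA for each session and alerts when the same session is used from a different autonomous system shortly afterwards. The event format, the ASN values and the sample events are constructed; in a real pipeline the ASN comes from an IP-to-ASN database and the events from the provider's sign-in log.

```python
"""Detecting session-cookie replay from a different network than the MFA sign-in.

Added example, not code from the original article. The log format, ASN values
and sample events are constructed; in practice the ASN would come from an
IP-to-ASN database and the events from the identity provider's audit log.
"""
from datetime import datetime, timedelta

# Constructed format: "<timestamp> <user> <session-id> <event> <ip> <asn>"
# Assumption: how long after sign-in a network change is treated as suspicious.
WINDOW = timedelta(minutes=30)


def parse(line: str) -> dict:
    ts, user, sid, event, ip, asn = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "sid": sid, "event": event, "ip": ip, "asn": asn}


def find_replayed_sessions(lines):
    """Flag sessions used from a different ASN than the one that completed MFA.

    A proxy-based phishing kit relays the victim's sign-in and then reuses the
    captured cookie from the attacker's own network, so the first use of the
    session from a new ASN shortly after MFA is the signal. Caveat: if the
    kit both authenticates and browses from the same host, the ASN never
    changes and this check stays silent; device-bound sessions and
    phishing-resistant authenticators are the stronger control.
    """
    origin = {}   # session id -> the event that completed MFA
    alerts = []
    for ev in sorted((parse(line) for line in lines), key=lambda e: e["ts"]):
        if ev["event"] == "mfa_ok":
            origin[ev["sid"]] = ev
            continue
        start = origin.get(ev["sid"])
        if start is None:
            continue  # the session's sign-in lies outside the log window
        if ev["asn"] != start["asn"] and ev["ts"] - start["ts"] <= WINDOW:
            elapsed = ev["ts"] - start["ts"]
            alerts.append({"user": ev["user"], "sid": ev["sid"],
                           "signin_ip": start["ip"], "use_ip": ev["ip"],
                           "minutes_after_mfa": int(elapsed.total_seconds() // 60)})
            del origin[ev["sid"]]  # one alert per session
    return alerts


# Constructed sample events (not real traffic). Session s-1 completes MFA from
# one network and is used from another three minutes later; s-2 stays put.
SAMPLE_EVENTS = [
    "2024-03-04T09:00:00Z alice s-1 mfa_ok 203.0.113.10 AS64500",
    "2024-03-04T09:00:30Z alice s-1 api    203.0.113.10 AS64500",
    "2024-03-04T09:03:00Z alice s-1 api    198.51.100.77 AS64511",
    "2024-03-04T09:04:00Z alice s-1 api    198.51.100.77 AS64511",
    "2024-03-04T09:10:00Z bob   s-2 mfa_ok 203.0.113.20 AS64500",
    "2024-03-04T09:12:00Z bob   s-2 api    203.0.113.20 AS64500",
]

if __name__ == "__main__":
    for a in find_replayed_sessions(SAMPLE_EVENTS):
        print(f"{a['user']} {a['sid']}: MFA from {a['signin_ip']}, "
              f"reused from {a['use_ip']} {a['minutes_after_mfa']} min later")
```

Comparing autonomous systems rather than raw IP addresses keeps mobile users who change addresses within one carrier from tripping the rule; the docstring caveat is the important part for practitioners, because the check only catches the common case where the cookie is replayed from a different network than the proxy that harvested it.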
Infostealer malware in general is a tool used by adversaries to gather sensitive information from victims' devices. Once a device is infected, the malware looks for configuration (for example the installed antivirus) and device information, and steals account credentials, saved browser data, cookies, login sessions, and even payment cards and cryptocurrency wallets. These data sets are then either used directly to further compromise the user and pivot deeper into the network, or sold on forums as so-called infostealer logs. Among the most prevalent families are RedLine, Vidar, FormBook and LummaC2, each with "commercial" support and constantly evolving functionality.
Over 60,000 devices are compromised with infostealer malware every week, including not just end users but employees of Fortune 500 companies, whose credentials and personal data are then sold on hacking forums and marketplaces. Infection by an infostealer is one of the most severe incidents, as it results in the theft of all credentials and sensitive system information present on the device, which can easily be used for further attacks and pivoting into the network. Many critical security incidents in large companies, including domain-wide ransomware, originated from an unmitigated infostealer infection.
Infostealers are spread through various channels. To compromise a corporate environment, email phishing is the most common vector, attempting to trick the user into opening malicious files disguised as an invoice, payroll document or update for an internal system application. The second most frequently seen technique is distribution via impersonated download sites of legitimate software tools.
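The sweep of saved logins, cookies and key material described above is also what makes infostealers visible on the endpoint: a process that is not a browser reads several browser credential stores within seconds. As an added example (not code from the original article), the Python below applies that heuristic to file-access telemetry. The event format, the host names, the process name `updater.exe` and the sample events are constructed; the store paths are the well-known locations of Chromium and Firefox profile files on Windows, and a real deployment would feed it from EDR or Sysmon file-read events rather than a list of strings.

```python
"""Spotting non-browser processes that read browser credential stores.

Added example, not code from the original article. The event format, host
names, the process name updater.exe and the sample events are constructed.
The store paths are the standard Chromium and Firefox profile locations on
Windows; production use would take file-access events from EDR or Sysmon.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Files holding saved logins, cookies and the keys that protect them.
STORE_PATTERNS = [
    re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),             # Chromium saved passwords
    re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),    # Chromium cookies
    re.compile(r"\\User Data\\Local State$", re.I),                     # Chromium key material
    re.compile(r"\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
]
# Assumption: process images expected to touch these files; anything else is suspicious.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
SWEEP_WINDOW = timedelta(seconds=30)  # stealers read every store in quick succession


def is_credential_store(path: str) -> bool:
    return any(p.search(path) for p in STORE_PATTERNS)


def parse(line: str) -> dict:
    # Constructed format: "<timestamp>|<host>|<process image>|<file path>"
    ts, host, image, path = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "image": image.lower(), "path": path}


def find_credential_sweeps(lines, min_stores: int = 2):
    """One finding per (host, process) that reads min_stores distinct stores within SWEEP_WINDOW."""
    touched = defaultdict(list)  # (host, image) -> [(ts, path), ...]
    for ev in (parse(line) for line in lines):
        if ev["image"] in BROWSER_IMAGES or not is_credential_store(ev["path"]):
            continue
        touched[(ev["host"], ev["image"])].append((ev["ts"], ev["path"]))
    findings = []
    for (host, image), events in touched.items():
        events.sort()
        best = set()
        # sliding window anchored at each read; keep the largest set of distinct stores
        for i, (ts0, _) in enumerate(events):
            cur = {p for ts, p in events[i:] if ts - ts0 <= SWEEP_WINDOW}
            if len(cur) > len(best):
                best = cur
        if len(best) >= min_stores:
            findings.append({"host": host, "image": image, "stores": sorted(best)})
    return findings


# Constructed sample events (not real telemetry). Only updater.exe on WS01
# sweeps several stores; chrome.exe is expected, backup.exe reads one file.
SAMPLE_EVENTS = [
    r"2024-03-04T10:00:00Z|WS01|chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-03-04T10:05:01Z|WS01|updater.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"2024-03-04T10:05:02Z|WS01|updater.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-03-04T10:05:03Z|WS01|updater.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"2024-03-04T10:05:04Z|WS01|updater.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\logins.json",
    r"2024-03-04T10:30:00Z|WS02|backup.exe|C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-03-04T10:31:00Z|WS02|backup.exe|C:\Users\bob\Documents\report.docx",
]

if __name__ == "__main__":
    for f in find_credential_sweeps(SAMPLE_EVENTS):
        print(f"{f['host']} {f['image']} read {len(f['stores'])} credential stores: {f['stores']}")
```

Requiring at least two distinct stores inside the window keeps backup agents and single-file indexers below the threshold, and the browser allowlist should be matched on a verified image path and signature in production, since a stealer can trivially name its process `chrome.exe`.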
As 95% of attacks rely on domain names at some stage of the kill chain, and a protective DNS resolver can seamlessly cover any network-connected device, DNS4EU is a viable solution to even the odds in the cyber threat landscape.