Categories
Ransomware Social Engineering

Social Engineering Threat Actor Tactics for Data Exfiltration and Ransomware

Threat actors are increasingly employing social engineering tactics to circumvent standard security controls, enabling unauthorized data exfiltration for ransom and extortion. Conventional security configurations, including antivirus and endpoint detection and response (EDR) systems, often fail to detect or prevent these attacks due to their reliance on legitimate tools and human interaction. The primary methods observed are phishing emails and pretext phone calls impersonating technical support.

Tactics, Techniques, and Procedures (TTPs)

  1. Initial Contact
  • Phishing Email Variant: An email is sent to an executive or staff member’s work or personal account, claiming a significant unauthorized charge to their bank account or credit card. It includes a phone number to dispute the charge.
  • Phone Call Variant: A threat actor cold-calls the target, posing as technical support personnel addressing a fabricated issue.
  1. Engagement
  • When the target calls the provided number or answers the call, the threat actor impersonates a legitimate representative (e.g., bank support or IT staff). They offer to resolve the issue by requesting remote access to the target’s computer under the guise of “fixing” a nonexistent problem.
  1. Remote Access Execution
    • The threat actor directs the victim to a legitimate remote assistance website (e.g., hosting tools like AnyDesk or TeamViewer).
    • The victim initiates a remote support session, granting the threat actor control over the system. While the victim can observe overt actions, background processes remain hidden.
  1. Reconnaissance and Tool Deployment
    • The threat actor identifies mapped drives or file storage locations on the system.
    • Self-contained, non-malicious executables (e.g., WinSCP, FileZilla) are downloaded. These open-source tools require no elevated privileges and typically evade detection by standard security controls.
  1. Data Exfiltration
  • Using the deployed tools, the threat actor transfers files from identified locations to an external server.
  • Transfer rates depend on bandwidth; a 1 Gbps connection can exfiltrate approximately 450 GiB per hour. Prolonged sessions maximize data theft.
  1. Post-Exfiltration Actions
  • The threat actor analyzes exfiltrated data for sensitive or regulated content (e.g., case files, SSNs, financial records).
  • Within 1–2 weeks, multiple staff recipients receive a ransomware demand email containing proof of compromise (e.g., file snippets, directory trees) and a negotiation request.

#### Example Ransomware Demand ####

Below is an anonymized excerpt from a recent demand email: 

Subject: Data Breach Notification – Immediate Action Required 

Greetings, 

We have compromised the [ORGANIZATION NAME] database, exfiltrating over 10 GB of proprietary and confidential data, including case files, client SSNs, passports, immigration documents, and tax forms (W-9, W-4, 8879). Attached screenshots and a file tree substantiate our claims. 

We are a sophisticated threat group with established platforms for data exposure. However, we propose returning your data upon reaching a financial agreement. In return, we offer: 

– Complete data deletion from our servers with video evidence. 

– Confidentiality of communications. 

– Security recommendations to remediate exploited vulnerabilities. 

Respond to this email to negotiate. Failure to engage within 3 days will result in: 

  1. Notification of your clients with evidence of the breach.
  2. Public disclosure on our website and affiliated media channels.
  3. Encouragement of client litigation against [ORGANIZATION NAME] for data loss.

Law enforcement cannot assist; we operate beyond their jurisdiction. Reply promptly to review the full scope of exfiltrated data and initiate resolution. 

[Attached: Screenshots, File Tree] 

#### End of Example ####

Prevention Measures 

This attack vector requires full human cooperation, making user awareness the primary defense: 

  1. Education Initiatives
  • Social Engineering Awareness: Train staff to recognize panic-inducing tactics and verify claims independently before acting.
  • Technical Support Protocols: Establish and enforce procedures for validating IT support requests through internal channels.
  • Billing Dispute Handling: Instruct staff to contact financial institutions directly for charge disputes, avoiding unsolicited contacts.
  • Incident Reporting: Define clear reporting pathways for suspicious interactions.
  1. Technical Controls
  • Least Privilege Access: Restrict file access to job-essential data, minimizing exposure despite challenges in law firm environments.
  • Session Timeouts: Implement timeouts for remote access sessions (active/inactive) to disrupt prolonged file transfers.
  • Application Control: Limit the applications that can run on your systems to only those that are necessary for business functions.
    • We recommend a two-phased approach to application control: starting with the easier lift of Blocklisting via EDR, then moving to the more comprehensive Allowlisting via Microsoft GPO or dedicated software when resources allow.
  • DNS Filtering: Block all DNS domains related to any non-approved Remote Monitoring and Management tools.

𝗟𝗲𝗮𝗿𝗻 𝗺𝗼𝗿𝗲 𝗮𝗻𝗱 𝘁𝗮𝗸𝗲 𝗮𝗰𝘁𝗶𝗼𝗻:

✔️Download our𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗜𝗻𝗶𝘁𝗶𝗮𝘁𝗶𝘃𝗲𝘀: 𝗬𝗼𝘂𝗿 𝗕𝗹𝘂𝗲𝗽𝗿𝗶𝗻𝘁 𝘁𝗼 𝗗𝗲𝗳𝗲𝗻𝘀𝗲-𝗜𝗻-𝗗𝗲𝗽𝘁𝗵” guide and enhance your security posture today:

Detection Strategies 

Standard security tools (e.g., antivirus, EDR) are ineffective against this attack due to their use of legitimate software. For organizations with mature security operations: 

  • Maintain an updated software inventory.
  • Implement continuous monitoring to detect and respond to unauthorized activities promptly.
    • Managed Detection and Response services can provide greater visibility over stand-alone antivirus or even EDR products by themselves
    • These services can also help you implement Application Blocklisting through EDR, specifically targeting Living off the Land Binaries and Remote Monitoring and Management tools that are known to be associated with published Threat Actor activity.

Incident Response Preparation 

  • Pre-Incident Planning: Conduct regular incident response tabletop exercises with stakeholders (e.g., IT, legal, management) to define roles and strategies.
  • External Coordination: Engage breach counsel, incident response teams, and cyber insurance providers in advance to streamline response efforts.
  • Ransomware Payment Considerations: For guidance on ransom payment decisions, refer to expert analyses (e.g., “Do I Pay the Ransom?” by SecurIT360).

Conclusion 

This attack exploits human vulnerabilities and legitimate tools to bypass technical defenses, targeting an organization’s sensitive data. Combining robust user education, access controls, and proactive detection can mitigate risk. Preemptive response planning is critical to managing incidents effectively.

Categories
Social Engineering

Unmasking the Manipulators: Identifying and Avoiding Social Engineering Tactics

Social engineering, a technique involving manipulation to gain confidential information, has seen a significant rise in recent years. As of Q3 2023, it emerged as a preferred method of “human hacking” by threat actors. This escalation, covering various tactics like phishing, smishing (SMS phishing), voice phishing (vishing), along with others, highlights the urgent need for robust mitigation strategies

Some Recent Trends in Social Engineering Attacks include:

Malicious QR Codes:

Social engineering qr codes

What are Malicious QR Codes?

  • A cyberattack where an initially innocent QR code leads to a harmful website or even downloads malware onto your device. Threat actors tend to post these heinous QR codes in various places such as public advertisements, emails, and even physical objects such as public transportation benches, etc.

How do you mitigate against them?

  • Be Paranoid: Avoid scanning QR codes from unknown sources.
  • Verify the URL: If possible, hover over the QR code with your scanner without clicking the link. Once you see the URL, manually type in that URL using a tool like urlscan in your browser to ensure its legitimacy. 
  • Keep Software Updated: Always keep your device’s operating system and security software up to date to assist in protecting against the latest threats posed towards said software.
  • Enable MFA: Utilizing multi-factor authentication will add additional layers of security to your online accounts making it less attractive for threat actors to obtain your information.
    • Monitoring your MFA logs and performing quarterly simulated phishing campaigns are some best practices to utilize in your environment.
    • As a SecurIT360 SOC MDR client, we can add this particular log source type in our SIEM solution to best accommodate your environment’s real-time monitoring.

Deepfake Recordings:

social engineering

What are Deepfake Recordings?

  • As the hype of Artificial Intelligence continues to rise, Threat Actors are rapidly finding ways to manipulate this technology for malicious gain as well. Deepfake recordings are artificially generated audio or video files that convincingly mimic the voice or video recordings of a specific person saying or doing things that they never actually have. This technological advancement has made it increasingly difficult to distinguish real from fake.
  • Deepfakes are generated from collecting large datasets from the targeted individual. The audio data is then fed into a machine learning model to train it into recognizing the speech patterns along with other vocal characteristics of the target.
  • As a Security professional, you can see the dangers of deep fakes and how a Threat Actor can utilize them to social engineer their way into breaching a company’s data.

How do you mitigate against them?

  • User Education: Staying up to date on the latest TTPs (Tactics, Techniques, and Procedures) especially as technology is forever changing will assist in keeping your data safe. As we all know, Companies are only as strong as their weakest link. Keeping your company’s employees educated can be the difference between a Data Breach and Data Security.
  • Stay Vigilant & Verify Sources:  Be skeptical of audio messages that seem out of character for the speaker. “When in doubt, shout it out” meaning if you get an unexpected message from someone always verify it came from the source before acting on the message.
  • Critical Analysis of Media: Pay attention to the context of the video or image. Often, deepfakes are used in implausible scenarios.
  • Use Technology to your advantage: There are plenty of deepfake detection tools available that one can use to assist in distinguishing manipulated content. Additionally, regularly updating your cybersecurity software can defend against malware that could be used to produce deepfakes.
  • Legal and Policy Awareness: Stay informed about deepfake regulations in your jurisdiction. Support laws and policies aimed at preventing the misuse of deepfake technology.
  • Use of Code Words: Create a unique, private code phrase with your family and close contacts. This phrase should be used as a verification method during unexpected calls to prevent falling victim to scams. 

Typesquatting:

What is Typosquatting?

  • A cybercrime where attackers register domain names that are very similar to legitimate websites (often with just a single letter or character difference).
    • Example: “Gooogle.com” instead of “Google.com”
  • The goal is to deceive users who make typos when entering a website address. The fake website is often designed for credential phishing, where the user connects to the fake website and then inputs their username and password.

How do you mitigate against it?

  • Utilize URL registration tools: As mentioned earlier in this article, tools such as URLVOID.com or urlscan.io can be used to verify if a URL was recently registered (a clear indicator of malicious activity). See the reference list at the bottom of this post for links to the suggested tools.
  • Double-check URLs: Always verify the website address before entering sensitive information. A tool you can use to verify the legitimacy of a URL is ANY RUN Sandbox. This a tool where you can type in the suspect URL into a virtual environment and see where it leads to without risking harm to your physical device.
  • Use Bookmarks: Save your frequently visited websites as bookmarks or favorites to avoid typing the incorrect URL.
  • Educate Yourself and Your Organization: Stay informed about the latest cyber threats and how to properly protect yourself. Perform regular phishing simulations in your environment to ensure your users are always prepared.
    • As a company, your best line of defense is your employees. Making sure they are aware of the latest TTPs will make your defense strategies unquestionably better.
    • The SecurIT360 SOC Team can assist with this through our KnowBe4 managed services. Through this service, we can set up Phishing Simulations along with Awareness Training.

Targeted Industries: Professional services, particularly legal firms, manufacturing, and construction, have been prime targets of these type of attacks. These sectors often face Business Email Compromise (BEC) and Ransomware threats that all stem from Social Engineering. 

Notable Attack Groups: Groups like LOCKBIT, BLACKCAT, and newer entities like CACTUS and RHYSIDA have been active recently. RHYSIDA has been known to target the healthcare sector specifically. 

The continuous evolution of social engineering tactics demands a multi-faceted approach to security. By combining policy enforcement, employee education, technological safeguards, and robust response plans, organizations can significantly reduce the risk and impact of these types of attacks. As these threats become more sophisticated, staying vigilant and proactive instead of reactive is the key to safeguarding valuable data and resources. 

Tools Referenced:

Categories
Social Engineering

The Power of Social Engineering: Building Resilience in the Digital Age

Understanding Social Engineering in the Digital Landscape

In an era dominated by technology, the threat landscape for cybersecurity has evolved, with social engineering emerging as a prominent threat. Social engineering involves manipulating individuals to divulge confidential information or perform actions that may compromise security. This article explores the intricacies of social engineering threats and provides insights into effective mitigation strategies.

Social engineering exploits human psychology rather than relying on technical vulnerabilities. Attackers use various tactics, such as phishing emails, pretexting, baiting, and quid pro quo, to deceive individuals into divulging sensitive information or performing actions that compromise security. These tactics often prey on trust, authority, fear, or urgency to achieve their malicious objectives.

The Multifaceted Nature of Social Engineering Attacks

Social engineering is not just limited to a single type. Various tactics have evolved, each with its distinct approach:

  • Phishing: Attackers create seemingly legitimate emails, messages, or websites to trick individuals into providing sensitive information. This can also be targeted towards C-suite level targets in what is known as Whaling.
  • Pretexting: The attacker creates a fabricated scenario to obtain information or access that would otherwise be denied.
  • Baiting: Malicious software or files are disguised as enticing items, luring individuals to download or click on them.
  • Quid Pro Quo: Attackers offer something in return for information, exploiting the natural tendency to reciprocate favors.
  • Tailgating: An attacker seeks physical entry into a restricted area by following someone who is authorized to enter.

By understanding these, we can strategize and create barriers against potential threats.

Key Principles to Foster Digital Resilience

Stay Informed

It’s vital to stay updated on the latest techniques and trends in the world of social engineering. Knowledge acts as our first line of defense. Employers should conduct regular training sessions to educate employees about social engineering tactics. They should also foster a culture of skepticism, encouraging individuals to verify requests before divulging information.

Creating a Robust Organizational Culture

A resilient organization is not just about advanced security software or robust firewalls; it’s about cultivating a culture of vigilance. This involves:

  • Open Communication: Encouraging employees to speak up about suspicious activities without fear of reprimand.
  • Regular Drills: Simulating social engineering attacks to ensure that employees can recognize and respond appropriately.
  • Rewarding Vigilance: Recognizing and rewarding those who successfully identify threats can boost morale and increase overall security consciousness.

The Role of Technology in Enhancing Security

While human awareness and training remain paramount, technology serves as the backbone in countering these threats:

  • Advanced Email Filtering: This helps in identifying and isolating phishing attempts.
  • Two-Factor Authentication (2FA): Adds an extra layer of protection even if login details are compromised.
  • Regular Software Updates: Ensuring that all software, especially security software, is up-to-date to counter any potential vulnerabilities.

Final Thoughts

Social engineering threats pose a significant challenge to cybersecurity by exploiting the human element to breach defenses. By fostering a security-conscious culture, implementing robust technical measures, and staying vigilant, organizations can mitigate the risks associated with social engineering and bolster their cybersecurity posture in an ever-evolving digital landscape. Building resilience is not an endpoint but a continuous journey of adaptation and learning.