Last week, news broke that several Fortune 2000 Enterprise Office 365 accounts were hit with a persistent and powerful wave of brute force cyberattacks.
The attacks — which were used to launch money wiring schemes against corporate accounts — were spread across 67 different IP addresses and 12 different networks. Security experts believe that this was a new type of highly organized “cloud-to-cloud” business attack. According to one cybersecurity firm, a total of 48 businesses were targeted. Based upon our own internal research at Apex Technology Services, we believe the number is far larger.
Evidence suggests that the hackers were able to break into targeted accounts using spoofed versions of employee usernames, which is a sign that the brute force attacks were part of a larger campaign.
Hackers, in other words, may have already had access to users’ private credentials — and merely used the hosted cloud platforms to break through and gain access to vulnerable accounts.
There are a few types of attacks we have seen recently:
- Brute force attacks on Microsoft Office 365 which allowed hackers to get into user accounts.
- Spoofed email made to look like a legitimate user but coming from a slightly misspelled or altered domain name.
- Attacks based on common or shared passwords. For instance, a user may reuse the same password for another service and for Microsoft Office 365.
We are aware of numerous situations as of late where wire transfers totaling hundreds of thousands of dollars were sent to hackers. Some attacks have been successful, and some have not. One business we are working with, for instance, accidentally wired money to a hacker and is now trying to get it back. Another business became aware of the hackers' intentions and avoided wiring any money.
In light of this information, business leaders need to be on full alert for signs of suspicious emails asking for financial transfers, data and other valuable assets.
Here is an example of what happened to a client of ours: (details omitted)
A hacker registered a fake email address that looked like a real account. The hacker registered “[email protected]” when the legitimate user’s account is actually "[email protected]."
In this example, the domain yale.org is not registered, so the sender spoofed it on their own mail server.
Upon tracing the email, the following information became apparent:
- The email originated from server oxuslxaltgw11.schlund.de with an IP of xxxx (from Germany);
- It was then relayed to mout.perfora.net with an IP of xxx (from PA USA);
- Then, the email was sent on to the Microsoft Office 365 servers, which received the message and delivered it to recipients [email protected] and [email protected].
- The email address [email protected] can receive replies and likely can send and receive email normally.
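The trace above was done by reading the message's Received headers and comparing the sender's domain with the one it imitated. The Python script below is an added example (not code from the original post or from Apex Technology Services) that automates both steps for a message pulled from a mailbox or quarantine: it walks the Received chain oldest hop first and flags a From domain that is within a couple of character edits of a domain you trust. The relay hostnames are the ones named above; the IP addresses, the example.com / examp1e.com domains and the Office 365 receiving host are constructed placeholders.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (not from the original post). Relay hostnames are the ones
# the post names; IPs are RFC 5737 placeholders; the domains are stand-ins.
SAMPLE_MSG = b"""Received: from mout.perfora.net (mout.perfora.net [192.0.2.10])
 by mail.protection.outlook.com with SMTP; Mon, 1 Jan 2018 09:00:00 +0000
Received: from oxuslxaltgw11.schlund.de ([198.51.100.7])
 by mout.perfora.net with ESMTPA; Mon, 1 Jan 2018 08:59:58 +0000
From: "Jane Doe" <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent wire transfer
"""

TRUSTED_DOMAINS = {"example.com", "vendor-corp.com"}  # domains your staff legitimately mail from
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_chain(msg):
    """[(from_host, by_host), ...] oldest hop first: relays prepend Received, so reverse them."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1).rstrip(";"), m.group(2).rstrip(";")))
    return hops

def edit_distance(a, b):
    """Levenshtein distance; 1-2 edits between distinct domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    near = [t for t in trusted if edit_distance(domain, t) <= max_distance]
    return min(near, key=lambda t: edit_distance(domain, t)) if near else None

def analyze(raw):
    """Parse a raw RFC 5322 message and report sender domain, lookalike verdict, relay path."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0].domain.lower()
    return {"sender_domain": sender, "lookalike_of": lookalike_of(sender),
            "hops": received_chain(msg)}
```

Running `analyze(SAMPLE_MSG)` reports the sender as examp1e.com imitating example.com and the path schlund.de → perfora.net → the Office 365 host, which is exactly the pattern traced above; feed it the raw source of a suspicious wire request to check the same two things.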
As you can see, the remote user’s credentials were compromised here — allowing the attacker to read business correspondence and learn that wire transfers were regularly sent to and from the targeted account.
The attacker was hoping that the user receiving the emails wouldn’t notice the difference between the two accounts. He/she then asked for a tremendous sum of money.
Fortunately, the end-user was able to identify the email address as being potentially malicious and asked for verbal authentication. The attacker then told her he was unable to verbally authorize the account because he was on vacation.
The user then pulled up her colleague’s contact information and asked about the wire transfer. The colleague was completely unaware of the request.
Fortunately, no check or wire transfer was initiated. At this time, we do not believe that the attacker has access to any of our client’s servers. It appears that no user credentials were compromised, either. We do suspect that the client’s mobile device and/or computer was compromised, which allowed the attacker access to sensitive information in the first place.
Here’s the scary part, though: The attacker may still have access to the email address. As such, further monitoring will be required to avoid future complications.
Here are some ways to prevent this type of attack:
1) Use verbal authentication: Always have a second channel available for authenticating money transfers. Email alone is not a sufficient channel for authorizing wire transfers or outgoing checks. This system should be used for inter-office communication and for vendors.
2) Enforce strong passwords: First and foremost, make sure that all employees are actually using passwords to protect their email systems. Passwords should be at least 10 characters long and should combine upper- and lower-case letters, numbers and symbols.
3) Use two-factor authentication: The more types of authentication you use, the stronger your accounts will be. If possible, protect email accounts with biometric security such as voice or fingerprint readers. An easier option is a text-message code or the Microsoft Authenticator application.
The next step is to notify your team about email best practices:
4) Avoid opening suspicious email attachments: Hackers can easily gain access to another person’s account by simply sending an email with embedded malware. So before opening any attachments, make sure that you know who the sender is. And if it comes from outside of the company, check the sender’s address and domain name to make sure that it’s coming from a reputable source.
For example, suppose you get an email from the address [email protected], which contains a link to a .pdf file.
Do not open this type of email.
Why? The domain name is extremely suspicious, and it doesn’t look like it’s coming from a reputable source. This is unlikely to even be a company; otherwise it would have a name in the email address. What’s more, the sender’s address is a very generic email address that could apply to any company. It’s also a good idea to scan emails that come in from your own team members, to avoid getting spoofed. Remember: Hackers are getting very good at creating false email addresses that appear to be real!
5) Scan all email links before opening them: Before you click on a link, hover over it first to check the web address or URL. Avoid haphazardly opening any links. Oftentimes, hackers will disguise links with misleading text to get users to click on harmful websites. For further peace of mind, there are free websites that scan URLs that you can access such as Web Inspector.
6) Ask the sender to verify the link: We live in an age with ever-expanding IT services. It’s no problem asking the sender to simply forward the link again, or ask why it’s being passed along to you. If you are unsure, ask the sender for more information or reach out to your security team for further information.
7) Check the attachment file extensions: Check the attachment type and extension. If it has an unfamiliar file extension, do not download the file. Below are some of the valid file extensions, along with the popular malicious attachment extensions. There are far too many to count, so this is a short list of examples:
Valid file extensions: .doc, .docx, .xls, .xlsx, .ppt, .pps, .txt, .pdf, .gif, .jpeg, .jpg, .zip.
Potentially malicious file extensions: .exe, .vbs, .jar, .bat, .ps1
8) Use your best judgment: These types of attacks are designed to catch end users off-guard. Hackers bank on users not checking the origins of an email. So the best type of protection is to be watchful and inquisitive.
If something doesn’t look right in an email, don’t open it. Ask IT for support, or reach out to the sender over another channel for clarification. And always ignore unsolicited emails.
If you and your staff members follow these instructions, you may be able to avoid a messy and expensive ordeal. And if you don’t you could accidentally wind up with a malware infection — not to mention the likelihood of sending hundreds of thousands of dollars to a cybercriminal by accident.