We have just seen the FBI warn users of popular webmail accounts that passwords and even MFA can be defeated by new attacks. The US government’s cybersecurity agency has added its voice to the mix, alerting to new email threats and advising Windows users to stop using SMS based multifactor authentication (MFA).
CISA’s advice is intended for CISOs and enterprise users, given “multiple reports of a large-scale spear-phishing campaign targeting organizations in several sectors, including government and information technology (IT).” But it applies broadly.
Spear-phishing is the malicious big brother of the more common scattergun phishing emails we all receive weekly. It targets specific individuals and organizations, and so can be harder to detect and is certainly more likely to trick users.
According to IBM, “spear phishing is one of the most effective forms of phishing because cybercriminals tailor their scams to be as convincing as possible to their targets… Researchers found that spear phishing accounted for less than 0.1% of the emails but led to 66% of successful breaches. While the average breach caused by phishing costs USD 4.76 million according to the Cost of a Data Breach report, spear phishing attacks can climb as high as USD 100 million.”
CISA says a foreign threat actor, “often posing as a trusted entity,” is now crafting its spear-phishing attack with emails “containing malicious remote desktop protocol (RDP) files to targeted organizations to connect to and access files stored on the target’s network.” This opens the risk of tunneling via one desktop out to the wider enterprise, or even “deploying malicious code to achieve persistent [network] access.”
CISA has issued a top-ten list of ways in which organizations can boost security to fend off such attacks. It’s a mix of generic with more specific measures related to Windows remote desktop protocol. But all enterprises—whether or not they feel vulnerable—should bear these measures in mind:
- Restrict Outbound RDP Connections
- Block RDP Files in Communication Platforms
- Prevent Execution of RDP Files
- Enable Multi-Factor Authentication (MFA)
- Adopt Phishing-Resistant Authentication Methods
- Implement Conditional Access Policies
- Deploy Endpoint Detection and Response (EDR)
- Consider Additional Security Solutions
- Conduct User Education
- Hunt For Activity Using Referenced Indicators and TTPs
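The second and third items on CISA’s list, blocking RDP files at the communication platform and preventing their execution, both rest on being able to recognise what an emailed `.rdp` file would do if opened. The following Python is an added example written for this article, not CISA’s or the FBI’s code: it parses the plain-text `name:type:value` format of an `.rdp` file and flags the settings that hand local drives, clipboard and other resources to the remote host, plus any connection target outside an allowlist. The two sample files, the `TRUSTED_HOSTS` set and the risk notes are constructed for the demonstration; the setting names (`full address`, `drivestoredirect`, `redirectclipboard`, `redirectprinters`, `redirectsmartcards`, `remoteapplicationmode`) are standard RDP file settings.

```python
"""Triage an .rdp file for settings that expose the local machine to the remote
host. Added example for this article; not CISA's or Microsoft's code."""
from __future__ import annotations

import re

# Settings that expose local resources once the outbound session is established.
# The notes are our own summaries; the names are standard RDP file settings.
RISKY_SETTINGS = {
    "drivestoredirect": "redirects local drives, so the remote host can read files",
    "redirectclipboard": "shares the clipboard with the remote host",
    "redirectprinters": "redirects local printers to the remote host",
    "redirectsmartcards": "redirects smart cards to the remote host",
    "remoteapplicationmode": "RemoteApp mode hides that a full session exists",
}

# Constructed allowlist: hosts this (fictional) organisation expects RDP to reach.
TRUSTED_HOSTS = {"rds.corp.example"}

# One setting per line: name:type:value, where type is s (string), i (integer) or b (binary).
LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {setting name: (type, value)} for every well-formed line; skip the rest."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m["name"].strip().lower()] = (m["type"], m["value"].strip())
    return settings


def _enabled(kind: str, value: str) -> bool:
    """Integer flags are on when non-zero; string settings such as
    drivestoredirect:s:* are on when non-empty."""
    if kind == "i":
        return value not in ("", "0")
    return value != ""


def _host_of(full_address: str) -> str:
    """Strip a trailing :port from 'full address'. Assumption: IPv4 or DNS names
    only; bracketed IPv6 literals are not handled here."""
    host, sep, port = full_address.rpartition(":")
    if sep and port.isdigit():
        return host.lower()
    return full_address.lower()


def assess_rdp(text: str, trusted_hosts: set[str]) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    settings = parse_rdp(text)
    findings: list[str] = []
    _, address = settings.get("full address", ("s", ""))
    if not address:
        findings.append("no 'full address' setting: cannot tell where the session goes")
    elif _host_of(address) not in trusted_hosts:
        findings.append(f"connects to untrusted host {_host_of(address)}")
    for name, note in RISKY_SETTINGS.items():
        if name in settings and _enabled(*settings[name]):
            findings.append(f"{name} enabled: {note}")
    return findings


# Constructed sample: what a file from the campaign described above would need to
# contain to reach the victim's local drives (address is a documentation IP range).
SUSPICIOUS_RDP = """\
screen mode id:i:2
full address:s:203.0.113.10:3389
username:s:
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
remoteapplicationmode:i:0
"""

# Constructed sample: an internal file with redirection switched off.
BENIGN_RDP = """\
screen mode id:i:2
full address:s:rds.corp.example
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for label, content in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(label, assess_rdp(content, TRUSTED_HOSTS) or ["no findings"])
```

Run as a script it prints the findings for both samples. In practice a check like this would sit at the mail gateway or in an EDR custom rule, quarantining any `.rdp` attachment that resolves to an unknown host or enables drive redirection, which covers the file-access behaviour CISA describes without having to block every RDP file outright.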
While some of this is very specific, the key points are more generic and should be the default for all. Top of the list is enabling multifactor authentication, with CISA advising users to “avoid SMS MFA whenever possible,” warning that “it is important to avoid SMS-based MFA, as it can be vulnerable to SIM-jacking attacks.”
As Kaspersky warns, “SIM swap fraud is becoming an increasing concern across the United States and other countries with high smartphone penetration rates. These subtle attacks on mobile phones often go unacknowledged until it is too late.”
As with the FBI’s advice on webmail attacks, any MFA is always better than none, and that includes SMS one-time codes. But where you can use something stronger, you should. Within corporates that’s likely some form of software authenticator, but outside the enterprise passkeys are best. Enable these wherever you can. They provide the security of a physical key without the faff, linking credentials to a secure device.