What Is a Phishing Attack?

What are the types of phishing attacks?

What Is Whaling Phishing?

How Whaling Phishing Is Distributed

How Whaling Phishing Attacks Work

1. First, an attacker would do research about the potential target, his role in the company, and his relationship with other employees.
2. Secondly, based on the data the attacker has found, he will create a tailored phishing email that looks like a legitimate email. Remember from the previous part, that is how HR and Finance departments from Seagate and FACC Cyber Heist were tricked.
3. From there, the attacker will attempt to deceive and convince the target into clicking on the link or attachment to gain access to the system. Once the victim clicks on the link, the attacker will need to bypass security measures, inject a malicious payload, and ultimately steal data and sensitive information.

Examples of Whaling Attacks

Detecting a Whaling Attack

How to Protect Your Organization From Whaling Phishing With Hornetsecurity

Wrap Up

FAQ

In today’s complex infrastructure, there are a lot of software and hardware dependencies. As a vendor, you are not always in control of all dependencies, but leverage them for your product or service to work properly.

Using third-party dependencies and integrating external components into your product opens up potential vulnerabilities and attack vectors. Attackers might exploit weaknesses in the supply chain to gain unauthorized access to customers’ networks and compromise the data.

That is what happened with the recent SolarWinds supply chain attack, a malware activity done by hackers. This article goes deep on supply chain attacks and how you can protect your infrastructure in the best way.

Let’s break down the fundamentals first.

What is a Supply Chain Attack?

Imagine you are a vendor offering your software product to your customers. In order to provide product updates, you use third-party components because it is more convenient to utilize something that is already in the market rather than developing it from scratch.

You are in control of your product and you ensure it is developed and tested by following software development best practices. However, the product you use for distributing updates on the customer side is under the control of another supplier or vendor.

Now, attackers – are sneaky, unethical people. They exploited that third-party product, found vulnerabilities, and gained remote access to your customer network. That is what a supply-chain attack is. It involves attackers targeting your customers through third-party dependencies or components you use to make your product fully functional.

That is precisely what occurred in the fairly recent SolarWinds attack, the IT management platform. The attacker injected malicious code into an update of SolarWinds and gained remote access to thousands of servers, affecting both private and government institutions.

An interesting sidenote is that the attackers injected their code into the actual build pipeline, so that when the new version was signed as being an official SolarWinds update, it also contained the malicious code.

What is a Supply Chain Attack?

A supply chain attack can occur through one of the most common methods, phishing. Phishing is a malicious practice used by hackers to deceive individuals into opening malicious links or attachments, with the aim of tricking them into revealing sensitive data.

It is mostly delivered via email but also can be delivered via SMS or voice. One of the ways where people get tricked is via QR scams. Here is all you need to know about QR Code Scams.

We conducted an analysis of the impact of different malware activities and published it in our Cyber Security Report 2023 and Ransomware Attacks survey.

There are four phases of how a supply chain attack occurs, including compromising the vendor, injecting malicious code, distributing it to customers, and data theft. Here is the flow.

1. Compromising the vendor. Hackers compromise vendors by exploiting third-party dependencies and external update components.
2. Injecting malicious code. Hackers inject malicious code into an external component used for distributing updates. The code acts as a backdoor to connect to remote machines.
3. Distributing it to customers. The injected update will be distributed to customers’ sites in the next update cycle.
4. Data theft. Now, when the update is distributed, attackers can access remote systems and make compromises and data theft.

Examples of Supply Chain Attacks

There are several supply chain attacks that occurred in the past few years that helped us as cybersecurity professionals to learn, but also provided opportunities for vendors to strengthen their security. In this section, we will list some examples of recent supply-chain attacks.

One of the latest supply-chain attacks occurred just recently, in July 2023. British Airways, BBC, and UK pharmacies (along with nearly 500 other companies) suffered a supply chain attack after attackers exploited MOVEit, managed file transfer software. British Airways spokesperson confirmed it in one of their public statements told to The Register „We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.”

In 2019, hackers injected malicious code into Asus’ software ASUS Live Update Utility and infected over one million users worldwide. ASUS Live Update Utility comes by default installed on Asus machines and helps to update hardware and software (BIOS, drivers, etc.).

We already mentioned the SolarWinds attack; it occurred in 2019 by compromising the update process.

Some other supply chain attacks happened to Kaseya (2021), Mimecast (2021), Event-stream (2018), NotPetya (2017), CCleaner Backdoor (2017), and XcodeGhost (2015).

Let’s approach the same issue with a positive outlook. Thanks to some cybersecurity researchers, they discovered vulnerabilities in a few products and communicated them with vendors to prevent supply chain attacks.

In 2020, security researchers discovered chained vulnerabilities in Atlassian apps connected through SSO (Single sign-on). It affected Jira, Confluence, GetSupport, Partners, Developers, and Training.

In 2021, cybersecurity expert Alex Birsan breached Microsoft, Apple, Tesla, and Uber, injecting harmless code and distributing it to end users. He did this to demonstrate supply chain vulnerabilities.

All vendors managed to fix the vulnerabilities and communicated them to their customers.

Diverse Sources of Supply Chain Attacks

Effective Strategies and Countermeasures to Prevent Supply Chain Attacks

You can harden your infrastructure by implementing proper IT Security measures. However, there are different layers we need to keep an eye on.

Firstly, you should ensure that all third-party and external components are fully patched. Install the latest available updates for every single product that plays any role in your infrastructure.

During the code development process, it is essential to promote and use secure development practices among software developers. That includes implementing secure coding guidelines, validating inputs, and encoding outputs – just to name a few.

You can also use Software Composition Analysis (SCA) to analyze third-party components and libraries for known security vulnerabilities.

After completing your code, it is crucial to conduct a thorough code review and use static analysis. Static analysis helps identify potential security vulnerabilities and common coding errors.

Additionally, make sure to implement continuous security testing to maintain the highest level of security in your development process.

How to get there? Besides implementing software and hardware security layers, security awareness training is a must-have. You should ensure that your IT teams are properly trained, with an emphasis on continuous education. Non-trained stakeholders are a threat to any organization.

Monitoring helps you stay proactive, while logging provides insights into failed and successful attempts.

Build trust with your suppliers and ensure that they strictly follow security and software development practices. Verify if they are ISO certified.

Develop a security incident response plan. Be ready just in case a supply-chain attack happens. This will help you to react and have honest communication with your partners and customers.

Securing Your Chain: Methods for Detecting Supply Chain Attacks

Detecting a supply chain attack is a challenging process since it includes not only your product but also other third-party components that are not fully in your control.

The first thing you should implement is proper monitoring. Monitoring helps you stay proactive by detecting any suspicious activities, unauthorized access, and changes in your infrastructure. Usually, monitoring goes hand in hand with SIEM (Security Information and Event Management) – which is the next important factor.

If you utilize SIEM in your infrastructure, you will be able to collect logs from different systems and analyze them accordingly. By using monitoring and SIEM, you can detect patterns in anomaly behavior.

Additionally, monitoring and SIEM, help you to analyze end-user behavior, perform network traffic analysis, and anomaly detection, and assess all potential layers of your infrastructure.

You also should implement Digital Signature Verification. That technology will help you to maintain the authenticity and integrity of software components and updates through signatures and certificates.

Remember, we mentioned security awareness training in the previous section!? The best way to get trained in IT is by experiencing things firsthand. So, you should simulate supply chain attacks in your network and challenge your organization. This practice ensures that you are well-prepared, well-educated, and able to implement security testing and enhancements.

You should definitely collaborate with cybersecurity companies, professionals, and the wider community to stay informed about supply chain attacks. In the beginning, we mentioned cybersecurity researchers who discovered supply chain vulnerabilities. Having someone like Alex Birsan as your contact is of great value.

As you can see, there are various proactive approaches, and it takes utilizing all of them to stay safe and effectively mitigate potential risks from supply-chain attacks.

For an overall look at cybersecurity risks gained from analyzing 25 billion emails, see our free Cyber Security Report 2023.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service to train your employees in deterring cyber threats and securing your critical data.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

At Hornetsecurity, we are dedicated to ensuring your safety from both security and backup perspectives. We highly recommend exploring The Backup Bible, our comprehensive backup guide.

Wrap Up

Any software or physical product has different dependencies that are not under the control of a single vendor. Imagine a physical server where the mainboard is manufactured by Dell, but other components such as CPU, and Ethernet cards are developed by other vendors.

It is the same with software products. To develop it, you use a third-party development environment and tools developed by other vendors.

An attacker may exploit these third-party components and gain unauthorized access to your customer’s infrastructure and steal sensitive data. One of the recent supply chain attacks happened to SolarWinds. The attackers injected malicious code into the update mechanism of SolarWinds Orion, distributed it to customers in the next update cycle, and infected thousands of customers.

In this article, we covered fundamental information to get into the topic, stay safe, and mitigate it.

FAQ

What is Golden Ticket Attack

How a Golden Ticket Attack Works

Strategies to Identify Golden Ticket Attacks

How to Defend Against Golden Ticket Attacks

1. User awareness and training provide a great preventative measure against any form of attack against your organization. Promote phishing campaigns since 95% of attacks occur by opening a malicious email;
2. Regularly patching and Monitoring Domain Controller account activity. Apply security patches promptly and perform continuous vulnerability scanning to be one step ahead of the attackers;
3. Discover any Indicators of compromise (IoCs) of both the DC and KRBTGT accounts by detecting unusual behavior such as password resets, repeated authentication requests, or account lockouts;
4. Monitor TGTs lifetime. Although threat actors like to keep Golden Tickets with short expiry to avoid detection, it is useful to pay attention to any excessive issuance of TGTs and the presence of forged tickets. A good practice is to compare the expiration times of TGTs with the usual values to identify any anomalies or abnormally long duration.

Conclusion

Frequently Asked Questions

The world of cyber security facts is filled with surprises. Did you know that 95% of breaches are caused by human error? Or that 70%+ of attacks are financially motivated, with less than 5% coming from espionage? It might sound unusual, but these are some of the cybersecurity facts we wish we had known sooner.

In this article we’ll dive into interesting statistics to help us understand the cyber security facts shaping business approaches to security and what you can do to protect your organization.

Cyber Security Facts

If you had to guess which cyber-attack flavor cost businesses the most money globally, most people would have said ransomware. It’s in the news (although only the gigantic ones make mainstream news nowadays), and most people remember the Colonial Pipeline attack shutting down gas access for the Eastern seaboard of the US for several days.

That particular attack seems to have been the one bringing ransomware into everyone’s awareness. Up until last year, ransomware was however NOT the biggest cash cow for the criminals, it was Business Email Compromise (BEC), and only last year (according to FBI’s latest report) was BEC overtaken by financial fraud.

The total loss (of the reported statistics in the FBI report) for BEC was $2.7 billion in 2022, compared to $3.31 billion for financial fraud. The culprit here is clearly cryptocurrency scams, accounting for $907 million in 2021, and a whopping $2.57 billion in 2022. Total loss to all cybercrime in 2022 was $10.3 billion.

But those cyber security facts from the FBI are only the tip of the iceberg. Mandatory reporting is still far from ubiquitous globally so many crimes go unreported.

When a business falls victim to ransomware, the average cost of recovery is exceedingly high. In this scenario, simply paying the ransom won’t miraculously restore your systems to a functional state. Moreover, there’s no guarantee that the criminals will return your vital data.

How much are the bad guys making on ransomware? Chainalysis’s mid-2023 update indicates that they’ve extorted at least $449.1 million in the first half of 2023, and on track for about $898.6 million for the whole year.

A scary cyber security fact in the FBI report is the age of the victims. The most targeted are the ones less likely to be familiar with technology and cyber security overall – the older generation.

Another surprising cyber security fact for many people is that your password doesn’t matter. For many years we’ve been advocating for long, complex passwords, that must be changed frequently. Turns out that all of that was misleading, and just incentivizes users to use the same password on every site (because who can remember a different password for each service), and then adding a number or month to the end when they are forced to change it.

This password re-use leads to considerable danger when a low security site, with no sensitive data, is breached, and the criminals then take those usernames and passwords and try them against your critical business services.

The solution here is moving away from passwords to passwordless, FIDO2 hardware keys or strong biometrics such as Windows Hello for Business. On the way to passwordless nirvana, make sure every user uses MFA, preferably with an app on their phone.

Barbarians at the gate

According to Verizon’s latest Data Breach Investigations Report (DBIR) 83% of breaches involved external actors. That means that slightly less than 1/5 of data breaches are insider jobs. This has been reflected in other reports and it’s a risk most businesses don’t take seriously enough. Having a strong insider risk program is crucial, and it needs to be based on more than just Data Loss Prevention (DLP) technical controls.

Remember, insider risks is a spectrum from someone inadvertently breaking a rule about emailing business data to a personal email address “to work at it over the weekend”, to inappropriate language, to harassment, to theft of intellectual property or sabotage.

A recent example is a UK IT security analyst whose company was hit by ransomware. He set up an email address that closely mimicked the attackers, and then changed the bitcoin address for the ransom payment.

Insider risks are real, and your organization needs to have a good program in place to manage it.

Attributing attackers to specific countries isn’t always easy but it’s no surprise that the top four are Russia, China, Iran, North Korea according to Microsoft’s Digital Defense Report 2022.

That report also focuses on cyber influence operations – misinformation and disinformation. You’ll find two approaches here, one disseminating false or misleading information, and the other simply flooding the information space with different stories, leading to an inability to even spot the true signal in the noise.

Another interesting cyber security statistics in the DDR looked at characteristics of organizations that suffered a ransomware attack. 68% of those business didn’t have an effective vulnerability and patch management process, 60% didn’t use Endpoint Detection and Response (EDR), 60% didn’t have a SIEM, 76% lacked an effective response plan, 44% didn’t have immutable backups, and 92% didn’t have an effective DLP solution.

In our own 2022 survey we found that 1 in 20 companies had a ransomware attack, wherein 14.1% lost data, and 6.6% had to pay the ransom. The vector for initial breach was overwhelmingly email / phishing at 58.6%, followed by compromised endpoints at 16.4%. It’s crucial to combine a strong email security hygiene solution to keep most malicious emails out of users’ inboxes, with regular user training to not fall for the few that do end up in their inboxes.

An interesting find is that 86% of ransomware cases involve the threat of leaking the exfiltrated data. Often called double extortion, this combines encrypting the data in the first place, making it inaccessible to your business (unless you pay to get the decryption key), plus threatening to make the stolen data public.

There are even cases where attackers skip the encryption phase, and simply threaten to leak the data. How efficient this is a threat will vary between industries, the company that was breached and the nature of the data itself. Some businesses aren’t likely to pay, whereas others not only can’t afford to have the data leak, but they may also face legal and regulatory consequences if the data is made public.

Another interesting change we’ve seen recently is the shift from “brand name” ransomware actors, to smaller groups (it’s mostly the same people, with shifting loyalties) because those known names often end up on sanctions lists, particularly if they’re in Russia, disincentivizing businesses from paying in the first place.

The takeaway here is to apply a zero-trust approach to securing your business, verifying each connection and authentication. Also, applying policies to only allow connections from managed devices is a good idea, or at least enforce stricter policies for personal devices.

How to Protect Yourself from Cyberattacks

Given the picture these “fun” cyber security facts paints, let’s see how you can protect your business.

Since the primary vector for the initial foothold are phishing emails, ensuring that as many of those as possible never reaches your users’ inboxes is vital – using a competent, cloud based (for swift updates), machine learning-based, email hygiene solution is step one. No protection will catch 100% of all emails however, and thus you need to train your users to spot suspicious emails – improving your “human firewalls”.

This training must be ongoing, an hour once a year is soon forgotten and results in very little behavioral change, phishing simulations on the other hand are much more impactful. These are mimicked phishing emails, but instead of a compromise when a user clicks the link or opens the attachment, they get a reminder of the risks and are then scheduled for short video trainings to spot the suspicious signs next time around.

A huge benefit of Hornetsecurity’s Security Awareness Service is that it automates the targeting, and scheduling of training based on each user’s Employee Security Index (ESI), relieving an already stretched IT team from the burden of scheduling simulations and training.

In other words, check every authentication and connection against a policy engine – don’t assume that because the connection is on a trusted network, it’s safe. Once a user is connected to a service or data, they should only have the access they need.

Build your cyber security approach on the assumption that despite your great defenses and well trained “human firewalls”, sooner or later an attacker will get in. Have strong security tools in place for visibility so you can catch them before they get too far in your network.

Finally, don’t get complacent, secure is not a destination, it’s a never-ending journey, and eternal vigilance is the price of not being compromised.

For an overall look at cybersecurity risks gained from analyzing 25 billion emails, see our free Cyber Security Report 2023.

To properly protect and train your employees against cyber security threats, use Hornetsecurity Security Awareness Service as we work hard perpetually to give our customers confidence in their Spam & Malware Protection and Advanced Threat Protection strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

FAQ

The Soviet Union, Plex, and the son of a mob boss don’t seem like they would be associated, but they have one thing in common: keyloggers.

A keylogger is software or hardware specifically engineered to monitor and record the keystrokes of a device. The primary intent of keylogger use is to gather sensitive information, such as usernames and passwords, and exfiltrate this information for criminal or judicial use.

There has also been a rise in using legitimate keylogging for parents monitoring their children’s devices.

History of keyloggers

Keylogging has not been contained to just computers; the earliest form of a keylogger dates back to the 1970s during the Cold War. IBM Selectric typewriters were the most common typewriter across the workforce as the transition to an electric typehead rapidly increased type speed. With the introduction of new technology comes the opportunity for the exploitation of new technology.

The Soviet Union developed a device, later known as the Selectric bug, to track the location of the printer head ball by measuring minor magnetic disturbances. The data captured by the device would then emit short bursts of radio waves to a nearby listening post. This bug was so sophisticated for the time that it was almost impossible to detect. The Selectric bug was found within 16 IBM Selectric typewriters used within the US embassy in Moscow during the GUNMAN project in the 1980’s.

With the increase in accessibility of personal computers during the ’90s and ’00s, keyloggers became more sophisticated. They no longer needed to rely on hardware-based exploitation; they could be deployed as software and relay information to the attacker over the internet. This opened the market for criminals to target home users and businesses for fraud.

In the early 00s, the FBI exploited the system of Nicodemo Scarfo Jr, the son of a prominent mob boss in Philadelphia. The agents installed the keylogging software onto his computer, recording the PGP passphrase and allowing the FBI to decrypt digital files. The use of a keylogger by authorities broke open the case they had been building against the mob, resulting in the deconstruction of a large illegal gambling and loan shark operation.

More recently and one of the most significant breaches of sensitive information via the use of a keylogger was that of LastPass. In 2022, a senior engineer at LastPass was the victim of a keylogger attack that resulted in the exfiltration of the secure access keys to the entire company’s encrypted password vault AWS backups. This engineer was one of only four employees with this level of access, demonstrating sophisticated attacks that carry dire consequences. The attacker accessed the engineer’s home network by exploiting his outdated Plex server, a home multimedia system. Once the attacker had infiltrated their network, they could implant the keylogger malware onto the engineer’s devices.

Types of Keyloggers

We can see several iterations of physical and digital keyloggers from the examples in the history of keyloggers.

How Does It Work?

The method of how the keylogger can monitor and extract information successfully will vary based on the two types above.

Hardware-based keyloggers directly intercept data through the physical layer, exploiting data as it passes through an input device to the computer. This data is usually stored as plaintext keystrokes within the memory of the small device pending the exfiltration from the attacker.

The latest version of a software-based keylogger seen is the Snake Keylogger, first detected in late 2020. Snake keylogger is usually spread through Microsoft Office document macros or weaponized PDF documents, and it will upload stolen data via SMTP, FTP, or Telegram. This is the most common method of infection for software-based keyloggers.

The payload for the infected document aims to inject an encrypted DLL file into the system. This helps the file avoid detection from most antivirus systems and allows the executable to be decrypted for content delivery. To further avoid detection, the Malware will obfuscate its code with randomly generated strings. For continued execution, the payload implements a kernel driver to inject code into startup and child processes. These processes exploit the API callback function to monitor low-level keyboard input events. This type of keylogger is considered a kernel mode keylogger, the more sophisticated software-based version. This type of exploit will allow for keylogging, clipboard data extraction, and screenshotting.

Phishing or spear phishing are the main entry points for keyloggers in the modern workplace. Having the right tools available to protect your organization proactively and consistent user education phishing campaigns are critical. We at Hornetsecurity work hard perpetually to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.

Uses of Keyloggers

To adequately protect your cyber environment, consider the use of Hornetsecurity Advanced Threat Protection, which has a keylogger detector function, as well as a Security Awareness Service to train your employees in deterring cyber threats and securing your critical data.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

FAQ

Spyware Definition – What Is Spyware?

What are the Different Types of Spyware?

How Does Spyware Work

Problems Caused by Spyware

Spyware will have an impact on availability and confidentiality. Spyware that runs as an executable will use system resources, such as CPU, memory, and bandwidth, which may slow down the host computer. Additionally, the continuous popups and banners and constant redirections caused by adware and web browser hijackers often render the web browser unusable.

Most spyware collects private and confidential information, which is transmitted to third parties. This compromises the confidentiality of the data stored on the system. At an individual level, these data can include victim’s behaviors, personal information, banking details and text and call data, but it can also include business information, such as credentials for the organization’s internal resources or tools.

These data can be used to gather information and access the organization’s systems and to craft and deliver phishing and spoofing campaigns. Also, spyware opens the door to introduce different malware on the infected host.

How to Detect On Your System

How to Remove Spyware From Your System

To properly protect your employees against spear phishing, use Hornetsecurity Security Awareness Service as we work hard perpetually to give our customers confidence in their Spam & Malware Protection and Advanced Threat Protection strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

FAQs