Corporate Cybercrime is Getting Personal: What you need to know to protect your company in 2024

Cybercriminals are growing increasingly sophisticated. Learn how you can protect your company from corporate cybercrimes.


    Cybercrime is taking an increasingly personal turn. While yesterday’s cybercriminals favored broad, loosely targeted attacks such as phishing and malware campaigns, today’s criminals target individual identities using highly sophisticated tactics. Microsoft observed a surge in cyberattacks targeting identities in 2023, with attempted password-based attacks increasing by more than tenfold. To protect your company from identity-targeting attacks, it’s vital to understand the latest threats, what steps you can take to mitigate your risk, and how Microsoft and Velosio join forces to keep your corporate identities safe.

    A Whale of a Problem

    In the past, cybercriminals primarily directed phishing scams at lower-ranking employees thought to be more likely to take the bait. Now, however, cybercriminals are more likely to target higher-ranking and more credentialed users within organizations. This trend is part of a strategy known as “whaling,” which is a form of phishing explicitly aimed at high-profile targets like executives, managers, or other individuals with significant access or authority within your organization. These attacks are often more sophisticated and tailored, designed to deceive the targeted individuals into divulging sensitive information or initiating fraudulent transactions.

    Similarly, “spear-phishing” is a highly targeted form of phishing, a type of cyberattack that tricks individuals into divulging sensitive information or taking actions that compromise their data security. Unlike general phishing attacks, which are typically sent to many recipients with a broad message, spear-phishing is much more personalized and directed at specific individuals or organizations.

    Several factors contribute to this shift in focus:

    • Access to Sensitive Information
      High-ranking individuals often have access to critical and sensitive information. Targeting these users allows attackers to access valuable data, including financial records, personal information, and trade secrets.
    • Authority for Financial Transactions
      Senior personnel often have the authority to approve or execute significant financial transactions. Cybercriminals exploit this by tricking them into authorizing fraudulent transactions.
    • Higher Credential Privileges
      Higher-ranking users typically have greater access privileges within their IT systems. Compromising these accounts can allow attackers to move laterally within an organization, accessing a wide range of resources and data.
    • Social Engineering
      These attacks often involve sophisticated social engineering techniques. Attackers might use detailed, personalized information (scraped from social media accounts) to make their requests or messages seem legitimate, playing on the trust and authority of the individual.

    Organizations need to recognize this trend and implement comprehensive security strategies that include educating all employees, especially those in high-ranking positions, about the risks and signs of targeted cyber attacks. Enhanced security measures, such as multifactor authentication and monitoring unusual activities — especially around high-privilege accounts — are also crucial in mitigating these risks. The Velosio IT security team can help with initial configuration and ongoing monitoring.

    The Tempest Rages

    Octo Tempest is a financially motivated collective of native English-speaking threat actors that has emerged as a significant concern in the cybersecurity landscape. First detected in early 2022, their initial campaigns focused on mobile telecommunications and business process outsourcing organizations, primarily conducting SIM swaps and account takeovers, mainly targeting high-net-worth individuals for cryptocurrency theft.

    The group deploys advanced social engineering tactics, adversary-in-the-middle (AiTM) techniques, and SIM-swapping capabilities. Octo Tempest is proficient in executing carefully crafted social engineering attacks, targeting technical administrators and help desk personnel to gain initial access to organizational networks. Their approach often involves impersonating victims or newly hired employees, manipulating individuals into performing password resets or compromising multifactor authentication methods. Additionally, they have been known to resort to fear-mongering tactics, using personal threats to coerce compliance.

    In response to the growing threat posed by Octo Tempest, Microsoft has outlined several defensive strategies. These include a thorough understanding of authentication flows within organizations, vigilant monitoring of administrative changes, and employing robust threat detection tools like Microsoft Defender for Cloud. Microsoft also emphasizes the importance of aligning privileges in Microsoft Entra ID and Azure, implementing Conditional Access policies, and maintaining continuous user education on cybersecurity threats. These are all configurations the Velosio security team can assist with.

    It’s All Smished Up

    Even if you’ve yet to hear the term “smishing,” you’ve no doubt seen it. Smishing is a form of phishing attack that occurs through SMS (Short Message Service) or text messages. Unlike traditional phishing attacks that primarily use email, smishing exploits text messaging, which can often be a more direct way to reach potential victims.

    Here are key aspects of smishing:

    • Deceptive Text Messages: In smishing attacks, cybercriminals send text messages that appear to be from legitimate sources, such as banks, government agencies, or well-known companies. These messages often create a sense of urgency or fear, prompting the recipient to take immediate action.
    • Malicious Links: The messages usually contain a link that, when clicked, can lead to malicious websites. These sites might be designed to steal personal information, such as login credentials, credit card numbers, or other sensitive data.
    • Request for Personal Information: Some smishing texts may directly ask the recipient to reply with personal information, like account numbers, passwords, or Social Security numbers.
    • Installation of Malware: In some cases, the links in smishing messages may prompt the download of malware onto the user’s mobile device. This malware can be used to steal information directly from the device or gain remote control.

    To protect against smishing, it’s essential to be cautious about responding to unsolicited text messages, especially those that request personal information or urge you to click on a link. Verifying the message’s authenticity through other means (like contacting the organization directly using official channels) can also be a crucial step in prevention. Velosio offers workforce training sessions designed to help users identify suspect communications.


    Can’t See the Blizzard for the Trees

    Forest Blizzard (STRONTIUM) and Star Blizzard (SEABORGIUM) are prominent state-sponsored cyber threat actors that have become the focal points of Microsoft’s cybersecurity efforts.

    Forest Blizzard, linked to Russia’s GRU military intelligence agency, is a state-sponsored group primarily targeting individuals and organizations involved in international affairs, energy, transportation, and information security in the United States, Europe, and the Middle East. This group is adept at exploiting publicly available vulnerabilities, including CVE-2023-23397, to gain unauthorized access to email accounts within Exchange servers. Forest Blizzard’s tactics indicate they are a well-resourced and sophisticated group, constantly evolving their methods to evade detection and attribution. In response, Microsoft has been actively updating its detection and protection systems to combat the evolving threats Forest Blizzard poses.

    Star Blizzard also originated in Russia. This actor is notorious for its persistent phishing and credential theft campaigns, leading to intrusions and data theft that appear to support traditional espionage objectives and information operations. Star Blizzard’s operations are characterized by their long-term targeting of organizations in the defense and intelligence sectors, NGOs, think tanks, and higher education.

    Microsoft’s Threat Intelligence Center has played a pivotal role in detecting and disrupting Forest Blizzard and Star Blizzard campaigns. The company utilizes its services and frequent software updates to maintain visibility into the actors’ activities and counteract them effectively. This includes disabling accounts used for malicious activities and employing Microsoft Defender SmartScreen to detect phishing domains associated with these actors.

    How Velosio Can Help

    As cybercriminals grow increasingly sophisticated and targeted in their approaches, organizations need to double down on their efforts to thwart them. Microsoft is doing its part, launching hundreds of product innovations each year designed to keep organizations ahead of evolving threats. A skilled Microsoft Partner can help you take the best advantage of those security innovations. Velosio is a premier Microsoft business partner with an expert team of 450 business professionals, including a dedicated IT security team. We can help you deploy the best practices, Microsoft tools, and continual monitoring and training to keep your business and its personnel safe. Contact us with your questions.

     

     
