The Federal Bureau of Investigation is reminding organizations that attackers aren't letting up during the COVID-19 pandemic.
Cybercriminals continue to target employees who have privileged access to their organizations' networks, and in some instances are gaining access to those networks through fraudulent phone calls that convince employees to surrender their usernames and passwords.
In a Private Industry Notification issued last week, the FBI reiterated the threat, stressing that the pandemic and the work-from-home orders that came with it have made it more difficult for companies to effectively monitor network access and privilege escalation on their systems.
The FBI cited one example from 2019 in which attackers vished, or voice phished, employees at a large company through a voice over IP platform and instructed them to log into a phishing website, where the attackers could capture the employees' usernames and passwords.
In another example, the FBI claims attackers used the company's own chatroom on its site and tricked an employee into logging into a fake VPN page. As in the other example, the attackers were able to take those credentials and use them to log into the company's VPN. In this particular case, the "cyber criminals were looking for employees who could perform username and e-mail changes and found an employee through a cloud-based payroll service."
The notice hearkens back to a similar warning issued by the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) last summer. In that warning, the agencies pointed out that cybercriminals were using seemingly legitimate versions of company VPN login pages, URLs that mimic support-[company], ticket-[company], and so on, to trick employees.
The FBI and CISA also said at the time that attackers were disguising themselves as members of the company's IT team and tricking employees into passing along their two-factor authentication codes.
Aside from saying attackers have broadened their attacks to target all employees, not just those with sensitive access, the FBI didn't elaborate too much on attackers' techniques and tactics, only that obtaining VPN credentials was the desired outcome.
To prevent scenarios like this, the FBI is encouraging organizations to implement a handful of mitigations, some of which may already be in place:
- Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.
- When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network.
- Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
- Network segmentation should be implemented to break up one large network into multiple smaller networks which allows administrators to control the flow of network traffic.
- Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.
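The monitoring and separate-admin-account mitigations above are easier to reason about with a concrete detection in hand. The following Python script is an added example, not part of the FBI notice or this article: it runs three simple rules over constructed VPN and mail authentication log lines in a made-up format (the `adm-` account prefix, the host names, the `mfa=` and `result=` fields, and the thresholds are all assumptions). The rules flag a successful login from a source address never before seen for that user (a credential used from an attacker's machine), a privileged account authenticating to an everyday service such as mail (a violation of the two-account rule), and a burst of MFA failures immediately followed by a success (consistent with a code being coaxed out of the employee).

```python
"""Added example: flag suspicious logins over constructed authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical format (not any vendor's real format).
SAMPLE_LOGS = """\
2021-01-12T08:01:10Z vpn-gw01 LOGIN user=jdoe src=203.0.113.4 mfa=ok result=success
2021-01-12T08:05:42Z vpn-gw01 LOGIN user=asmith src=198.51.100.7 mfa=ok result=success
2021-01-12T13:22:09Z vpn-gw01 LOGIN user=jdoe src=192.0.2.55 mfa=ok result=success
2021-01-12T13:25:31Z vpn-gw01 LOGIN user=adm-asmith src=198.51.100.7 mfa=ok result=success
2021-01-12T13:40:00Z mail-01 LOGIN user=adm-asmith src=198.51.100.7 mfa=ok result=success
2021-01-12T14:02:19Z vpn-gw01 LOGIN user=bwong src=192.0.2.55 mfa=fail result=failure
2021-01-12T14:02:55Z vpn-gw01 LOGIN user=bwong src=192.0.2.55 mfa=fail result=failure
2021-01-12T14:03:30Z vpn-gw01 LOGIN user=bwong src=192.0.2.55 mfa=ok result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>\S+) result=(?P<result>\S+)$"
)

ADMIN_PREFIX = "adm-"                       # assumption: naming convention for admin accounts
ADMIN_ONLY_HOSTS = {"vpn-gw01", "bastion-01"}  # assumption: services admin accounts may use
MFA_FAIL_THRESHOLD = 2                      # assumption: failures that make a later success suspicious
MFA_WINDOW_SECONDS = 300                    # assumption: look-back window for those failures


def parse(log_text):
    """Turn matching log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, known_sources=None):
    """Return a list of (rule, user, detail) alerts.

    known_sources is an optional baseline {user: set(ip)}. Successful logins are
    added to the baseline as they are processed, so earlier lines become the
    baseline for later ones.
    """
    seen = defaultdict(set)
    for user, ips in (known_sources or {}).items():
        seen[user].update(ips)
    recent_mfa_fails = defaultdict(list)   # (user, src) -> timestamps of MFA failures
    alerts = []
    for ev in events:
        user, src, ts, host = ev["user"], ev["src"], ev["ts"], ev["host"]
        key = (user, src)
        if ev["mfa"] == "fail":
            recent_mfa_fails[key].append(ts)
            continue
        if ev["result"] != "success":
            continue
        # Rule 1: successful login from a source address never seen for this user.
        if seen[user] and src not in seen[user]:
            alerts.append(("new_source", user, f"{src} on {host}"))
        seen[user].add(src)
        # Rule 2: privileged account used for an everyday service (two-account rule).
        if user.startswith(ADMIN_PREFIX) and host not in ADMIN_ONLY_HOSTS:
            alerts.append(("admin_on_user_service", user, host))
        # Rule 3: repeated MFA failures shortly before a success.
        fails = [t for t in recent_mfa_fails[key]
                 if (ts - t).total_seconds() <= MFA_WINDOW_SECONDS]
        if len(fails) >= MFA_FAIL_THRESHOLD:
            alerts.append(("mfa_fail_then_success", user,
                           f"{len(fails)} failures within {MFA_WINDOW_SECONDS}s"))
        recent_mfa_fails[key].clear()
    return alerts


def run_sample():
    """Run the rules over the constructed sample and return the alerts."""
    return detect(parse(SAMPLE_LOGS))


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:24} {user:12} {detail}")
```

On the sample, the script raises three alerts: jdoe appearing from a new address, the admin account authenticating to the mail host, and bwong succeeding right after two MFA failures. In practice the `known_sources` baseline would come from weeks of history rather than the same day's log, and the address-based rule would be supplemented with ASN or geolocation checks; the point is that each of the FBI's mitigations maps to something concrete a SOC can watch for.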