Wed | Jan 20, 2021 | 2:55 PM PST

The FBI has released a private industry notification detailing how cybercriminals have been exploiting network access and escalating network privilege. 

As remote work has become the norm during the pandemic, many companies have adapted to changing environments and technologies. Due to this, network access and privilege escalation may not be monitored as closely. 

Along with this, more automation services are being implemented across networks. This makes it more difficult to regulate who has access to different points in the network and what type of access they have.

The threat of vishing attacks

The notification from the FBI points out that cybercriminals have changed strategies when it comes to compromising employee accounts or credentials.

Attackers are trying to gain access to all employee credentials, instead of targeting privileged individuals. They have been targeting large companies around the world using social engineering techniques, primarily vishing.

Vishing attacks are voice phishing, which happens during a phone call to users of VoIP platforms. Here is the first vishing example the FBI includes in its notice:

"During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee's username and password. After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees' accounts, thus allowing them to gain further access into the network often causing significant financial damage."

And the second vishing attack example they included:

"The cyber criminals found an employee via the company's chatroom, and convinced the individual to log into the fake VPN page operated by the cyber criminals. The actors used these credentials to log into the company's VPN and performed reconnaissance to locate someone with higher privileges. The cyber criminals were looking for employees who could perform username and e-mail changes and found an employee through a cloud-based payroll service. The cyber criminals used a chatroom messaging service to contact and phish this employee's login credentials."

Vishing mitigations and expert advice

The rise in vishing attacks and this notice from the FBI have prompted responses from cybersecurity professionals that wish to offer help.

Chris Morales, Head of Security Analytics at Vectra, has this advice:

"Identifying the misuse of user access has largely been treated as a static problem, with approaches that are prevention-oriented or rely on manual entitlements that identify threats the moment they occur, leaving little time to properly respond. This type of access monitoring simply states an approved account is being used to access resources, but it doesn’t define how or why those resources are being used.

Rather than relying only on the granted privilege of an entity or being agnostic to privilege, security operations needs to include context on how entities are utilizing their privileges within SaaS applications like Office 365, e.g. observed privilege. This viewpoint is like how attackers observe or infer the interactions between entities. A defender should think in a similar fashion to their adversaries."

The FBI was also kind enough to include mitigation techniques to use.

  • "Implement multi-factor authentication (MFA) for accessing employees' accounts in order to minimize the chances of an initial compromise.
  • When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network.
  • Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
  • Network segmentation should be implemented to break up one large network into multiple smaller networks which allows administrators to control the flow of network traffic.
  • Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports."

It is important to heed the warnings of security professionals and follow these mitigation techniques from the FBI to avoid vishing attacks.