Page 35 - Cyber Defense eMagazine January 2023

properly installed and configured—the attacker was simply able to trick the legitimate user into satisfying
            the MFA request.

            Attackers have found considerable success overwhelming their targets with repeated MFA requests. The
            data shows that a significant percentage of users eventually accept the request—even if just to make the
            notifications stop. Many rationalize that it’s probably a member of the IT team making an update or
            change, and don’t think twice about it. But the unfortunate truth is that attackers are simply annoying
            users into causing a potentially serious breach. It’s a cunning tactic—one that preys on human nature.

            Stopping this requires organizations that rely on MFA to adapt alongside the bad actors. How? One option
            is to disable push notifications in favor of a Fast Identity Online (FIDO) compliant authenticator, such as
            a FIDO2 security key: there is no approve-or-deny prompt to wear a user down, so an overwhelmed employee
            cannot simply grant access without thinking. Another is number matching, which requires the user to enter a
            number displayed on the sign-in screen into the MFA app to approve the authentication request. Because only
            the party who typed the password sees that number, a tired user tapping "approve" cannot complete an
            attacker's prompt. This option is less seamless, but it requires active engagement from the user and
            greatly reduces the risk.
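The two sides of this, the attack and the control, can be shown end to end. The following is an added example written for this article, not code from the original page or from any vendor's MFA product: a toy identity-provider push flow in which an attacker holding the victim's password spams prompts until she gives in, run once with plain approve/deny push and once with number matching, plus the kind of burst-and-approval check a SOC would run over the resulting authentication events. The event format, the 30-second constructed clock, and the user and session names are assumptions made for the example.

```python
import secrets
from collections import defaultdict

PUSH_ONLY = "push_only"        # approve/deny prompt, no binding to the sign-in screen
NUMBER_MATCH = "number_match"  # the app must be given the number shown on the sign-in screen


class PushMfa:
    """Toy identity-provider push-MFA flow (assumption: not any vendor's implementation).

    Every event is logged as (timestamp_seconds, event, user, session_id); the
    constructed clock advances 30 seconds per event so the detector has a window.
    """

    def __init__(self, mode):
        self.mode = mode
        self.pending = {}   # session_id -> (user, number shown on the sign-in screen)
        self.events = []
        self.clock = 0

    def _log(self, event, user, session_id):
        self.clock += 30
        self.events.append((self.clock, event, user, session_id))

    def start_login(self, user, session_id):
        """Password already accepted; push a prompt to the user's phone.

        Returns the number displayed on the *sign-in screen* (only the party
        that typed the password sees it), or None in push-only mode.
        """
        number = secrets.randbelow(100) if self.mode == NUMBER_MATCH else None
        self.pending[session_id] = (user, number)
        self._log("push_sent", user, session_id)
        return number

    def respond(self, session_id, approve, entered=None):
        """The phone's answer; `entered` is what the user typed into the app."""
        user, number = self.pending.pop(session_id)
        if not approve:
            self._log("push_denied", user, session_id)
            return False
        ok = self.mode == PUSH_ONLY or (entered is not None and entered == number)
        self._log("push_approved" if ok else "number_mismatch", user, session_id)
        return ok


def fatigue_attack(mode, prompts=6):
    """Attacker holding alice's password spams prompts; alice denies, then gives in."""
    idp = PushMfa(mode)
    for i in range(prompts):
        sid = f"attacker-session-{i}"
        idp.start_login("alice", sid)   # the number, if any, appears on the attacker's screen
        if i < prompts - 1:
            idp.respond(sid, approve=False)
    # Worn down, alice taps approve. She never saw the sign-in screen, so she has
    # no number to enter; in push-only mode that does not matter.
    granted = idp.respond(sid, approve=True, entered=None)
    return granted, idp.events


def legitimate_login(idp, user):
    """The real user signs in: she sees the number on her own screen and types it."""
    number = idp.start_login(user, "laptop-session")
    return idp.respond("laptop-session", approve=True, entered=number)


def detect_fatigue(events, window_s=600, min_pushes=4):
    """SOC-side check over the event log: flag users who received at least
    `min_pushes` prompts inside `window_s` seconds, noting whether one was approved."""
    by_user = defaultdict(list)
    for ts, ev, user, _sid in events:
        by_user[user].append((ts, ev))
    alerts = {}
    for user, evs in by_user.items():
        sends = [ts for ts, ev in evs if ev == "push_sent"]
        for start in sends:
            burst = [t for t in sends if start <= t < start + window_s]
            if len(burst) >= min_pushes:
                approved = any(ev == "push_approved" and ts >= start for ts, ev in evs)
                alerts[user] = "approved_after_burst" if approved else "prompt_burst"
                break
    return alerts


if __name__ == "__main__":
    for mode in (PUSH_ONLY, NUMBER_MATCH):
        granted, events = fatigue_attack(mode)
        print(mode, "attacker granted:", granted, "alerts:", detect_fatigue(events))
    print("legitimate number-match login:", legitimate_login(PushMfa(NUMBER_MATCH), "bob"))
```

In push-only mode the worn-down tap grants the attacker's session; with number matching the same tap fails because the number lives on the attacker's screen, while the legitimate user, who sees her own screen, still gets in. The detector fires in both cases, which is the point: a burst of prompts is worth an analyst's attention even when the control held.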




            Identity Attacks Are Not Slowing Down

            It’s become almost a mantra in the cybersecurity industry, but, as has been the case for some time,
            identity-based attacks continue to rise. In Q3, they accounted for 59% of all incidents detected by the
            Expel SOC, up from 56% in Q2, already a concerningly high number. Business email compromise (BEC) and
            business application compromise (BAC) attacks were among the most common tactics and accounted for 55% of
            all incidents identified, underscoring the fact that attackers continue to find success with social
            engineering tactics.

            There is hope on the BEC front, though. All of the BEC attacks our SOC detected targeted Microsoft 365,
            and many experts believe that Microsoft’s decision to disable Basic Authentication in Exchange Online by
            default in Q4 may help address the problem. Attackers have become extremely adept at exploiting the
            weaknesses inherent in Basic Auth: the username and password travel with every request, and the legacy
            protocols that use it (IMAP, POP3, SMTP AUTH) cannot enforce MFA, so a phished or sprayed password is all
            an attacker needs. Microsoft’s decision will likely force them to shift to new techniques. It may not be a
            long-term solution, but anything that impedes attackers is a step in the right direction.
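Until Basic Auth is actually off in a tenant, the sign-in log is where the exposure shows. The following is an added example, not code from the original page or from Expel or Microsoft: it runs over a few constructed Azure AD sign-in records and pulls out the two things the BEC discussion above cares about, legacy-protocol sign-ins that succeeded without MFA, and a single source IP failing against several accounts over a legacy protocol (password spraying). The field names (`clientAppUsed`, `authenticationRequirement`, `status.errorCode`) follow the Azure AD sign-in log schema as assumed here; the records, addresses and users are constructed, and the treatment of anything other than "Browser" and "Mobile Apps and Desktop clients" as legacy is the example's own assumption.

```python
import json
from collections import defaultdict

# Client-app labels taken here to imply modern (OAuth-based) authentication in
# Azure AD sign-in logs; anything else (IMAP4, POP3, Authenticated SMTP, Exchange
# ActiveSync, "Other clients", ...) is treated as legacy/Basic Auth.
# Assumption: field names follow the Azure AD sign-in log schema.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample sign-in records (not real telemetry). Error code 50126 is
# assumed to mean "invalid username or password".
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2022-10-03T08:01:12Z", "userPrincipalName": "alice@example.com",
  "clientAppUsed": "Browser", "ipAddress": "203.0.113.5",
  "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
 {"createdDateTime": "2022-10-03T08:04:40Z", "userPrincipalName": "alice@example.com",
  "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
 {"createdDateTime": "2022-10-03T08:05:02Z", "userPrincipalName": "bob@example.com",
  "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.7",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
 {"createdDateTime": "2022-10-03T08:05:09Z", "userPrincipalName": "carol@example.com",
  "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.7",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
]""")


def is_legacy(record):
    """True when the client app label is not one of the modern-auth labels."""
    return record.get("clientAppUsed") not in MODERN_CLIENT_APPS


def legacy_auth_report(records, spray_min_accounts=2):
    """Summarise legacy-protocol sign-ins: who got in without MFA, and which
    source IPs are failing against several accounts (spraying over Basic Auth)."""
    no_mfa_success = []
    failures_by_ip = defaultdict(set)
    for r in records:
        if not is_legacy(r):
            continue
        if r["status"]["errorCode"] == 0:
            if r.get("authenticationRequirement") != "multiFactorAuthentication":
                no_mfa_success.append((r["userPrincipalName"], r["clientAppUsed"], r["ipAddress"]))
        else:
            failures_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    spray_sources = {ip: sorted(users) for ip, users in failures_by_ip.items()
                     if len(users) >= spray_min_accounts}
    return {"no_mfa_success": no_mfa_success, "spray_sources": spray_sources}


if __name__ == "__main__":
    print(json.dumps(legacy_auth_report(SAMPLE_SIGNINS), indent=2))
```

The IMAP4 success for alice from the same address that is spraying bob and carol is exactly the pattern a mailbox-takeover investigation starts from: the browser sign-in went through MFA, the legacy one did not have to.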



            Attackers Put a New Spin on Old Tactics

            There are a few additional findings worth noting, particularly in areas where attackers are evolving their
            tactics. Ransomware continues to be a significant problem, but attackers are increasingly turning to zipped
            JavaScript or ISO files, abandoning the use of Visual Basic for Applications (VBA) macros and Excel 4.0
            macros, which were previously the most popular ways to gain entry to Windows-based environments. In fact,
            zipped JavaScript files accounted for 46% of all pre-ransomware incidents, underscoring the need to keep a
            watchful eye out for suspicious files. (By the way, this shift is likely thanks to Microsoft’s decision to
            block macros by default in Office files downloaded from the internet.)
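"Keep a watchful eye out for suspicious files" is easier with a concrete check at the mail gateway or in triage. The following is an added example, not code from the original page or from any product: it opens a zip archive in memory and flags members that match the lures described above, a script payload wearing a decoy document extension, a disk image, or a file whose contents carry the ISO 9660 signature whatever its name says. The archive it scans is constructed inline (the member names and contents are made up for the example), and the extension lists are the example's own choices, not an exhaustive set.

```python
import io
import zipfile

# Extension lists are the example's own assumptions, not a complete inventory.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".bat", ".cmd", ".ps1"}
IMAGE_EXTS = {".iso", ".img", ".vhd", ".vhdx"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
ISO_MAGIC_OFFSET, ISO_MAGIC = 0x8001, b"CD001"   # ISO 9660 primary volume descriptor


def classify_name(name):
    """Reasons a member *name* alone is suspicious (empty list if none)."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return []
    ext = "." + parts[-1]
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append(f"script payload {ext}")
    if ext in IMAGE_EXTS:
        reasons.append(f"disk image {ext}")
    # "Invoice.pdf.js": a document-looking name in front of an executable extension
    if reasons and len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
        reasons.append("decoy double extension")
    return reasons


def scan_zip(data):
    """Return {member_name: [reasons]} for members worth quarantining.

    Members are read in full (fine for attachment-sized archives); the ISO check
    looks at content so a renamed image is still caught.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            head = zf.read(info)[: ISO_MAGIC_OFFSET + len(ISO_MAGIC)]
            if head[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
                reasons.append("ISO 9660 image by magic bytes, regardless of extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed lure archive (not a real sample): a JS file dressed up as a PDF,
    a renamed ISO, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2023.pdf.js", "var s = new ActiveXObject('WScript.Shell');\n")
        zf.writestr("attachment.dat", b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x01")
        zf.writestr("readme.txt", "Please see attached invoice.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample()).items():
        print(member, "->", "; ".join(reasons))
```

Two of the three members come back flagged: the double-extension JavaScript on its name, and the `.dat` file on its contents. The harmless text file passes, which matters as much for a gateway rule as the catches do.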

            Attackers have also refined their social engineering tactics, and themes having to do with “invoices,”
            “order  confirmations,”  “payment,”  and  “requests”  are  now  among  the  most  commonly  used  in  email
            subject lines in phishing attempts. The most common, though? Blank subject lines. These terms create





            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.