Page 104 - Cyber Defense eMagazine March 2024
where the attacker tries to guess the same password against multiple accounts; credential stuffing, where the attacker takes credentials exposed in a breach and tries them against other services where the same user may have an account; and brute forcing, where the attacker guesses many passwords against a single account.
Unlike the adversary-in-the-middle attack example from earlier, this attack requires no interaction on the part of the victim. Tools like MFASweep and trevorspray, both available free and open source on GitHub, allow attackers to carry out credential attacks and check whether any accounts lack MFA. An attacker who finds an account with a weak password and no MFA has found a prime target for a business email compromise attack.
VPN use for initial access
This tactic is more closely aligned with defense evasion than initial access, but it's included here because it's a common attribute of account takeovers. According to reports from the Huntress Security Operations Center, about 75% of confirmed attacks against Microsoft 365 identities come from VPNs. A smaller percentage of attacks come from anonymous proxies, like Tor. While VPNs and proxies are different technologies, they are treated as similar in terms of their impact on partners. Threat actors use proxies and VPNs to conceal their IP address while performing account takeovers.
Like a good jiu-jitsu counterattack, security programs can turn this tactic to their own advantage as defenders. Is VPN use normal for their users? If it is, which types of VPNs should be in use? Analyzing the IP address from the login can reveal key facts and intelligence to factor into the threat calculus, such as the IP's service provider or whether the IP is a known exit node for a shady proxy service. This allows defenders to differentiate between a user who logs in through a common corporate SASE solution and a user who logs in from Tor. These two events aren't the same in terms of risk, and a good detection program should be able to recognize the difference and act accordingly.
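The triage described above, as an added example that is not from the article or from Huntress: each sign-in's source IP is matched against corporate SASE egress ranges, a Tor exit list and an ASN lookup, scored for risk, and escalated when a high-risk source also satisfied no MFA. All ranges, ASNs, IPs and the `SignIn` record layout are constructed assumptions standing in for a vendor egress list, a Tor exit feed, an IP-intelligence database and an identity provider's sign-in export.

```python
import ipaddress
from dataclasses import dataclass

# Constructed reference data (assumption: a real deployment loads these from the
# SASE vendor's published egress ranges, a Tor exit-node feed and an ASN database).
CORPORATE_SASE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
TOR_EXIT_NODES = {"198.51.100.7", "198.51.100.42"}
ANONYMOUS_PROXY_ASNS = {"AS64496"}  # constructed ASN of a proxy/VPN reseller
ASN_LOOKUP = {  # constructed, stands in for a GeoIP/ASN lookup
    "203.0.113.10": "AS64500",
    "198.51.100.7": "AS64511",
    "192.0.2.55": "AS64496",
    "192.0.2.200": "AS64501",
}

@dataclass
class SignIn:
    user: str
    ip: str
    mfa_satisfied: bool

def classify_source(ip: str) -> str:
    """Map a login IP to a source category, most trusted match first."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CORPORATE_SASE_EGRESS):
        return "corporate_sase"
    if ip in TOR_EXIT_NODES:
        return "tor_exit"
    if ASN_LOOKUP.get(ip) in ANONYMOUS_PROXY_ASNS:
        return "anonymous_proxy"
    return "unclassified"

RISK = {"corporate_sase": "low", "unclassified": "medium",
        "anonymous_proxy": "high", "tor_exit": "high"}

def triage(events: list[SignIn]) -> list[dict]:
    """Score each sign-in; a high-risk source that bypassed MFA becomes critical."""
    findings = []
    for ev in events:
        source = classify_source(ev.ip)
        risk = RISK[source]
        if risk == "high" and not ev.mfa_satisfied:
            risk = "critical"
        findings.append({"user": ev.user, "ip": ev.ip, "source": source, "risk": risk})
    return findings

# Constructed sample sign-ins: one via corporate SASE, one from Tor without MFA,
# one from a proxy ASN, one from an unknown network.
SAMPLE_EVENTS = [SignIn("alice", "203.0.113.10", True), SignIn("bob", "198.51.100.7", False),
                 SignIn("carol", "192.0.2.55", True), SignIn("dave", "192.0.2.200", True)]
```

Running `triage(SAMPLE_EVENTS)` rates alice low, dave medium, carol high and bob critical, which is the distinction between a SASE login and a Tor login that the paragraph calls for.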
Conclusion
Taking a bite out of BEC is about forestalling adversaries at any point along the attack chain. Identifying and combating tactics that indicate different phases of the attack chain, like persistence, defense evasion and execution activity, is an effective means of combating business email compromise. Every phase of the attack chain can telegraph different indicators and presents opportunities for detection. It only takes one detection to halt what would otherwise be a business-ending event. For businesses' own security programs, maybe initial access is a great initial place to look!
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.