Employee-Targeted Social Engineering Continues to Infiltrate Corporate Systems: ZTNA Can Help
Social Engineering Attacks on the Rise
In this case, an individual claimed responsibility for the attack and shared images of various compromised resources with the New York Times, and reportedly to Uber security practitioners on the company’s internal Slack channel. Google Workspace (formerly G Suite), Amazon Web Services, Slack, VMware, Windows, OneLogin, and other mission-critical tools are all among the allegedly compromised systems. Importantly, the threat actor also raided Uber’s HackerOne bug bounty application, which provides full accounts of potentially undisclosed or unresolved vulnerabilities in Uber’s applications.
Uber says a contractor had their account compromised by the attacker, who likely purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware. These types of credentials are frequently stolen from organizations after employee endpoints are infected with info-stealer malware, such as Redline. Threat actors can then use these credentials to gain access to the internal network.
In this instance, the individual responsible claims to have gained access to the rest of the network by bombarding an Uber staff member with an onslaught of multi-factor authentication (MFA) requests, a practice known as “prompt bombing.” The threat actor then contacted the employee claiming to be from Uber’s IT staff, and encouraged the employee to accept the MFA request. The hallmark of this attack style is the repeated spam of push notifications to victims until the user is so overwhelmed that they grant access to stop the notifications.
This MFA approval granted the hacker access to Uber’s VPN and allowed them to scan the company’s network. From here, the hacker identified a PowerShell script containing hardcoded credentials for a Thycotic privileged-access management (PAM) administrator account, which subsequently provided access to compromise the internal systems.
Attack on Uber Is More of the Same
These shared tactics, techniques, and procedures (TTPs) continue to ravage corporate systems. While the actual method in which information is stolen varies in several respects from previously reported attacks against high-profile organizations, the theory behind it is the same: By combining the use of credential theft collected by malware, along with social engineering, threat actors can convince employees to provide access to restricted systems and information.
In some cases, threat actors used urgency to fool company employees into giving away their credentials. Employees received text messages warning about expired passwords or schedule changes. These messages came with a link to “log in” that directed employees to a spoofed login page, where the threat actors captured the login entries. Attackers leveraged this information to gain access to the network, then to scour the network for valuable data to exfiltrate.
In other types of social engineering attacks, threat actors sometimes leverage sophisticated voice phishing, or “vishing” attacks, impersonating trusted organizations, such as IT or tech support staff.
Do VPNs Allow Too Much Access?
While traditional Virtual Private Networks (VPNs) are still widely used as an encrypted tool for remote access, they also introduce potential blind spots. For example, VPN solutions cannot protect against an account being broken into and they allow too much access if breached. VPNs also provide numerous vulnerabilities for exploitation, creating a domino effect of network resources that are increasingly at risk in the face of today’s modern threats.
As more organizations recognize the limitations of VPNs, they are seeking alternatives to this increasingly outdated and porous means of providing remote access to a network. In particular, many security leaders have begun to consider a Zero Trust Network Access (ZTNA) approach. The main advantage of ZTNA is to provide least-privileged access through micro-segmentation and to require even known user accounts and devices to continuously verify they are trustworthy.
Can Zero Trust Reduce Damage From Social Engineering Attacks?
At the foundational level, implementing a zero-trust approach to network access lets administrators limit an individual’s access to necessary resources only, rather than the entire network, shrinking the potential attack surface. This granular permissions control mitigates the impact of social engineering and credential-stealing attacks.
However, leveraging ZTNA to combat social engineering goes beyond VPN replacement. This approach is deeply rooted in an interconnected security strategy. At the forefront of this strategy is ensuring a tight interlock between the ZTNA solution and endpoint security agents. This can be accomplished by aggregating access management and endpoint security control via a single control plane, managing a predetermined number of monitored devices. This method solidifies a lock-step procedure to endpoint protection and ZTNA, by leveraging access management and endpoint security from the same tenant.
Taking this a step further, mandatory user re-authentication when accessing private resources guarantees the use of continuous authentication to manage the release of information. It also minimizes the amount of “runway” a threat actor may have obtained via illegal access.
Built-in threat protection through Intrusion Detection Systems (IDS) can strengthen these defenses, helping to identify malicious activity and destination reputation analysis. Network defenders gain the ability to understand if actors from known malicious destinations are attempting to access network resources, even when attackers impersonate confirmed users with stolen credentials. This helps security teams to push back and prevent social engineering attacks as they occur.
These zero trust fundamentals work together to challenge social engineering threats by ensuring granular access control, limiting the negative consequences a social engineering attack can have on an organization.
Adding UEBA: Better Together
A common theme in these attacks is human error. As such, the use of User and Entity Behavior Analytics (UEBA) is another weapon to combat this aspect of social engineering.
UEBA is a powerful tool that notes normal user conduct patterns and then alerts administrators when abnormal behavior occurs. This anomalous behavior is often the first indication of malicious activity, such as intrusion by a threat actor via a credential-stealing or social engineering attack.
With UEBA and ZTNA working together, a deviation in behavior can trigger a temporary denial of access to network resources, affecting only compromised accounts, until security can flush out the threat actor. Enabling the interlock between ZTNA and UEBA lets administrators quickly identify aberrant behavior and take action to ensure critical resources are not compromised.
Utilizing these tools cooperatively also provides the opportunity for the early detection of (and response to) unusual and unauthorized data exfiltration. This activity is often an indicator of a network imposter or a ransomware attack on an endpoint. The goal is to detect and respond swiftly before the compromise infects the rest of the network.
To learn more about harnessing the power of ZTNA to combat social engineering and other growing threat vectors, and harnessing BlackBerry® solutions with Cylance® AI, click here.
This is a developing story and Uber is sharing incident response details, here.