No company wants to lose money because of an employee error. The tedious process of hiring, background checking, interviewing, etc., is meant for making the best choices in hiring assets who fight the cause of the enterprise. Insider threats, however, can come out of any department and cost the company not only millions in losses but also, its reputation.
To train employees, an employer makes several opportunities available by scheduling awareness exercises during work hours, so the employees are well aware of to-dos and don’ts. However, despite all the attempts, it fails to strengthen the employees to act in accordance with basic cyber hygiene.
Increasing Insider Threats
Cyberattacks due to Insider threats have increased by 44% in comparison with the past two years. The time taken to mitigate risk from incidents arising from insider threats increased from nearly 77 days to over 85 days on average.
Employees knowingly or unknowingly allow cybercriminals to successfully attack the digital infrastructure, leading to the compromise of data and bringing in regulatory actions.
Insider Threats outlined in a post by CISA says it can be –
- A contractor, vendor, or custodian to whom the organization has given access to its data
- Someone who was given the company device to work
- May be trusted by the organization
Addressing how an employee poses a risk to the company the post by CISA read that the employee in question could have authorized access or have an understanding of the organization which could be used adversely.
This use could be in the hands of the employee or another individual who may either trick or bribe an employee into releasing access-related data. Negligence is among the prime reasons an employee allows an opportunistic hacker to find a way to system data.
The Airbus cyber attack was claimed by a cybercriminal named USDoD who confessed to breaching the systems by exploiting the credentials of an insider. The arrested member of the lapsus group, Arion Kurtaj was known to bribe office insiders to gain entry into the organizations’ systems. Let’s understand the incidents better as unfolded by the culprits themselves.
Airbus Cyberattack: An Insider Threat Used to Exfiltrate Company Data
A cybercriminal USDoD was active on the now-closed RaidForums as NetSec. He spoke with DataBreaches an Infosec website about how he started hacking at age 11, was trained into better hacking, and eventually attacked organizations against whom he holds grudges.
USDoD announced that they were successful in exfiltrating 3,200 records belonging to Airbus vendors using employee credentials of a third-party Turkish airline. The Turkish employee was found by Hudson Rock, a cybercrime firm.
While discussing mitigation of similar incidents, Alon Gal, Chief Technology Officer at Hudson Rock told The Cyber Express, “Monitoring for info-stealer infections is a critical aspect of preventing data breaches like the one experienced by Airbus.”
It is time, organizations such as Airbus which is Europe’s multinational aerospace corporation serving defence, security and other organizations with critical services and infrastructure follow security protocols such as monitoring of info-stealers.
Infostealers or Information-stealing malware are found advertised on the dark web for a small price and several evasion detection benefits. Some are even sold for subscription to make it more affordable along with a manual with step by step instructions to steal system data with minimal technical expertise.
In the Airbus cyberattack, USDoD completed their mission of stealing the login credentials of an employee in other words, an insider threat who was unaware of what was going on with their account behind their back.
How an Insider Threat is Chosen by a Hacker: USDoD’s Answer
In the interview, when USDoD was asked about targeting NATO and CEPOL. The answer was, “I have already accomplished access to NATO and CEPOL, so Phase 1 of operations is finished and now I will pivot to Phase 2.”
He said that he needs to study and exploit the weak spots of the above-mentioned organizations in Phase 2. He gained access to NATO and CEPOL by registering using fake credentials and posing as legitimate staff.
He chose CEPOL because it is an e-learning platform for law enforcement and is associated with Europol. His modus operandi involves participating in vendor websites to study the workings of it so he can understand the defense mechanism in place.
Explaining the same he said, “NATO uses custom and modified versions of endpoint security and AV. Plus they have their own version of policy, browser, etc. So put both together and I can take them down because I know their methods and I know how they protect themselves. This is enough for me to get more access.”
USDoD targeted a third party, the Turkish Airlines employee for his credentials because that let him have access to Airbus. Even though this may seem like a long shot, hackers find this limited access enough to exfiltrate sensitive user records and post them online on breach forums.
Where Does Security Stand in Such Scenarios? Spotting Imposters
Investigating the method employed by USDoD who was himself surprised at being approved by the website admin as a user of the service, is a prime attack tactic needing keen attention. Seeing the name of a senior employee or someone from the management requesting access can lead to creating pressure on the website administrator.
They would approve the request of someone posing as a senior staff as they are of a lower designation and would risk losing their job if they denied access to senior staff. The process of cross-checking the applications of each and every employee is the need of the hour, as this scenario highlights.
No matter who is on the other side, it must made clear to all employees and website administrators that no access request must be approved before checking with proof to make sure it is a genuine request sent by the person who is who he says he is.
To avoid becoming an insider threat, careful measures must be taken to verify the authenticity of each applicant regardless of their designation or social status. The concerned person can be called on their contact number, they must be emailed to their alternate email address as provided on company records and should be asked to confirm via an OTP or on personal office chat messaging service for verification.
Social Engineering via Impersonation, a Favorite Tool to Fool Insider Threats
The InfraGard cyberattack was claimed by USDoD which allowed him to pilfer information of over 80,000 members. InfraGard was targeted by USDoD as it works as a bridge between businesses and the FBI. If this is the prime focus of hackers to target a critical infrastructure by targeting a vendor or third party, then it is time to train and manage vendor cybersecurity as their own.
Because what is at stake is not just the vendor data but also the information belonging to the client and their customers. Similar to gaining access to the portal of NATO as claimed by USDoD, he applied to become a member and aimed to get accepted on InfraGard. Which he did!
This time, he impersonated the CEO of a financial firm who was not a member but whose application, USDoD expected would likely be accepted, read the interview of the hacker on DataBreaches.
To his surprise, the interview read, his application was accepted without any further vetting.
Trial and Error to Perfect Social Engineering Using Insider Threats
The impersonator was cautious not to get caught while posing as the CEO of a well-known company. “First, I created a sketchy application with some false information and submitted it to see how InfraGard would respond,” USDoD stated.
He improvised his technique by using the feedback he received when rejected by the company. He wrote, “Once I saw what they said was wrong with my application, then I knew what I had to be accurate about.”
Adding more importance to the need to vet access and registration requests is the statement by USDoD that read, “I was very surprised though, that they accepted the final application because I did not use the professional email for the CEO I was impersonating.”
He created a fake email on Tutanota emailing platform impersonating the CEO. He claimed that the email ID was – [email protected]
USDoD stated that they rely 100% on social engineering attacks. With the next targets usually named on the hacker forums and leak sites of hackers, it is time they keep an eye out for new registrants.
Social engineering attacks involve communications that is based on the intuition and planning of the hackers that manipulate the receiver and trick them into approving requests or performing tasks that let cybercriminals conveniently perform a cybercrime.
MFA Fatigue to Access Uber Data
The famous Uber hack was claimed by teenage hackers who sent several login authentication requests on Slack, the messaging service used by the staff of Uber. The hackers posed as employees of Uber and sent notifications to other Uber staff for over an hour. This caused the target MFA Fatigue also called Multi-Factor Authentication Fatigue.
This fatigue is nothing but a social engineering attack in an attempt to circumvent the MFA feature. The cybercriminal sends several push notifications related to authentication on email, phone, or registered devices.
The victim, on the other side, may get bored, or tired and approve a request from the several ones received on their device to get rid of the notifications. Hackers may use techniques which may seem akin to child’s play involving instigation and persistence trying the patience of the other person so they do whatever is needed to get rid of whoever is bothering them.
No matter how much a company spends on cybersecurity, governments train staff, legal agencies fine the defaulting companies, and threat detection tools are used to prevent attacks, a simple click by an employee or insider threats can potentially dissolve all the effort in a jiffy.
Hence, while every guard must be put in place to tackle cybercriminals, insider threats must be avoided by having the workforce made clear about identity and access management. They should be assured that their jobs will not be taken away if they perform authentication checks on any individual regardless of who they are.
It is not worth losing the data, exposing critical infrastructure to threats, and sacrificing one’s standing in society to an insider threat who was either not trained well or was not capable enough to fight persistent hackers.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.