Account Takeover & Zero-Day Attacks Keep Infosec Pros Wary
Dealing with incursions is a constant battle for information security professionals across multiple industries, including financial services. Two of the more formidable challenges center on account takeover (ATO) and zero-day vulnerability attacks.
ATO attacks, which involve stealing an individual's credentials and using them to send emails from the user's real account, are a common method used by bad actors trying to compromise a business, because the emails are less likely to be blocked by security systems that rely on domain, sender or IP reputation.
ATO attacks have multiple objectives. Some attackers try to use the hacked email account to launch phishing campaigns that go undetected, some attackers steal credentials of other employees and sell them on the darknet, and others use the account to conduct reconnaissance to launch personalized attacks. “The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a business email compromise attack from the real employee’s email address,” Asaf Cidon, vice president of email security at the Campbell, Calif.-based Barracuda Sentinel, explained.
To better understand the extent of ATO attacks, Barracuda Networks ran a study of 50 randomly selected organizations over a three-month period (April-June 2018). The research revealed that of the 60 total ATO incidents, 78% resulted in a phishing email, typically with the goal of infecting additional email accounts, and 22% compromised employees in sensitive departments (HR, IT, finance or legal). Attackers have a strong preference for specific departments because they are the most lucrative targets for information and financial theft.
Overall, in each month four to eight organizations reported at least one account takeover incident. On average, a compromised company had at least three separate account takeovers linked to the original incident.
According to the Barracuda report, in the phishing emails the attacker's goal was typically to infect additional internal and external accounts. The email usually impersonates the employee and asks the recipient to click on a link. The attackers sometimes made the email appear as if the employee is sending an invitation to a popular web service.
Another 17% of incidents used the compromised accounts for sending spam campaigns. Attackers favor exploiting compromised accounts for launching spam because the messages come from reputable domains, from the correct IP, and from real people with a legitimate email history. They are therefore less likely to be stymied by email security systems that rely on domain, sender or IP reputation.
Five percent of incidents involved the attacker asking the recipient to download an attachment. This attack is effective because most email security systems do not scan internal traffic for threats.
Most of the compromised employees were in either entry-level or mid-management roles. This demonstrates that account takeover is not just targeting high-level employees.
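The report's two points, that reputation-based filters pass mail from a genuinely compromised account and that internal traffic often goes unscanned, suggest a content-based check on internal mail. The following is an added illustration, not code from the article or from Barracuda; the organisation domain example.com and the three sample messages are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed organisation domain (placeholder)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_internal(host: str) -> bool:
    """True for the org domain itself or any subdomain of it."""
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def analyse(raw: bytes) -> dict:
    """Content-based check of one RFC 5322 message; it deliberately ignores
    sender/IP reputation, which a genuinely compromised account passes."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    internal_sender = is_internal(sender.rsplit("@", 1)[-1])
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    external_links = sorted(h for h in hosts if h and not is_internal(h))
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    reasons = []
    if internal_sender and external_links:
        reasons.append("internal sender with external link(s)")
    if internal_sender and attachments:
        reasons.append("internal sender with attachment")
    return {"sender": sender, "internal": internal_sender,
            "external_links": external_links, "attachments": attachments,
            "reasons": reasons}

def build(sender, text, attachment=None) -> bytes:
    """Construct a sample message (test data, not captured mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "bob@example.com", "Shared file"
    m.set_content(text)
    if attachment:  # attach a placeholder PDF
        m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                         subtype="pdf", filename=attachment)
    return m.as_bytes()

# Constructed samples: phishing link, attachment lure, benign internal link.
SAMPLES = {
    "phish_link": build("Alice <alice@example.com>",
                        "Alice shared a file: https://docs-share.example.net/open?id=1"),
    "attachment": build("Carol <carol@example.com>", "Please review.", "invoice.pdf"),
    "benign": build("Dave <dave@example.com>", "Notes: https://wiki.example.com/notes"),
}
```

The first two samples are flagged and the third is not, even though all three would pass a sender-reputation check identically.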
Clifton, N.J.-based cybersecurity firm Comodo warned in its blog that zero-day attacks (also written Day Zero or 0-day), which exploit computing vulnerabilities that hackers actively seek out, are becoming more common.
Recently a security researcher known on Twitter as SandboxEscaper disclosed a zero-day vulnerability targeting Windows.
Comodo added that any security patches to fix Windows vulnerabilities should come as no surprise to anyone. “It is not clear whether the bug has the capability to affect all the versions of Windows OS, such as Windows 7.”
The vulnerability is a local privilege escalation flaw in the Microsoft Windows task scheduler, caused by errors in its handling of Advanced Local Procedure Call (ALPC). Will Dormann, vulnerability analyst at CERT/CC, verified the bug, acknowledging that the zero-day flaw works on a fully patched 64-bit Windows 10 system. The CERT note read, “Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain system privileges.”
ALPC is a local mechanism for high-speed inter-process communication, which limits the flaw's reach to code already running on the machine. “However, an online fraudster can trick a victim into downloading a nefarious app, normally through a phishing scam, and may use it to exploit the vulnerability,” Comodo noted.
Microsoft issued a statement: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.”