A NEW TWIST ON 'SPOOFING'
Attack Methodology: Spoofing a business' identity to conduct cyber attacks
Apparent Objective: Anonymity for criminal activity
One complexity of cyber crime is that it is rarely clear whether a device carrying out an attack is doing so at the request of its owner, or whether it has been compromised by a malicious actor.
In this investigation, initially undertaken by the SWRCCU, it was reported that multiple cyber attacks against companies in the UK and abroad were originating from a computer network associated with a UK company.
The reality was different: the UK company was not the attacker, but the victim of a different kind of crime.
Criminals often compromise other computers and use them to carry out attacks, and they even sell access to these computers to other malicious actors. Here, however, the initial investigation found that the attacks had not come from the victim companies' own networks at all. Instead, entire IP ranges had been registered using the victims' business details, such as their name and address, and it was these IP ranges that were actually used to carry out the variety of attacks being reported.
This was done by criminal actors with the intent to obscure their identity.
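The practical check that follows from this case is whether any IP ranges have been registered in your business's name or at your address without your knowledge, and whether those ranges are maintained by a registry maintainer you control. The script below is an added example, not part of the original case write-up or any SWRCCU tooling. It parses RIPE-style whois output and flags inetnum objects whose description or referenced organisation object mentions the company, then narrows that to ranges whose mnt-by is not one of your known maintainers. The whois text embedded in it is constructed for illustration; the company name, handles, addresses and maintainers are fictitious, and the RIPE inverse-lookup command mentioned in the docstring is assumed rather than taken from the page.

```python
"""Find IP ranges registered with a company's name or address in RIPE-style
whois output.  Added example; the sample data below is constructed and
fictitious.  To run against live data, fetch the text yourself, for example
(assumed RIPE inverse-lookup syntax, not from the original page):
    whois -h whois.ripe.net -- "-i org ORG-EW1-RIPE"
"""
import ipaddress
import re

# Constructed sample whois output: one legitimate range, one range registered
# in the company's name but held by an unknown maintainer, one unrelated range.
SAMPLE_WHOIS = """\
% Constructed sample, not real registry data

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-WIDGETS-NET
descr:          Example Widgets Ltd
country:        GB
org:            ORG-EW1-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
source:         RIPE

organisation:   ORG-EW1-RIPE
org-name:       Example Widgets Ltd
org-type:       OTHER
address:        12 High Street
address:        Bristol BS1 1AA
address:        United Kingdom
mnt-by:         EXAMPLE-MNT
source:         RIPE

inetnum:        198.51.100.0 - 198.51.100.127
netname:        EW-HOSTING-2
descr:          Example Widgets Limited, 12 High Street, Bristol
country:        GB
org:            ORG-EW1-RIPE
status:         ASSIGNED PA
mnt-by:         OTHER-MNT
source:         RIPE

inetnum:        203.0.113.0 - 203.0.113.255
netname:        UNRELATED-NET
descr:          Some Other Company
country:        NL
status:         ASSIGNED PA
mnt-by:         OTHER-MNT
source:         RIPE
"""


def parse_whois_objects(text):
    """Split whois output into objects: lists of (key, value) pairs.
    Repeated keys (address:, mnt-by:) and continuation lines are preserved."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith(("%", "#")):
            continue  # registry comments
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:  # continuation of previous value
            key, value = current[-1]
            current[-1] = (key, value + " " + line.lstrip(" \t+").strip())
            continue
        key, _, value = line.partition(":")
        current.append((key.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def _values(obj, key):
    return [v for k, v in obj if k == key]


def _normalise(s):
    """Lower-case, unify 'Limited'/'Ltd', drop punctuation, collapse spaces."""
    s = re.sub(r"\blimited\b", "ltd", s.lower())
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", s).split())


def range_to_cidrs(rng):
    """'a - b' inetnum range -> list of CIDR strings; inet6num is already CIDR."""
    if "-" not in rng:
        return [rng]
    start, _, end = rng.partition("-")
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip()))]


def ranges_registered_to(text, company_name, address_fragments=()):
    """Return inetnum/inet6num objects whose descr, or whose referenced
    organisation's org-name/address, mentions the company name or address."""
    objects = parse_whois_objects(text)
    orgs = {h[0]: o for o in objects if (h := _values(o, "organisation"))}
    name_n = _normalise(company_name)
    addr_n = [_normalise(a) for a in address_fragments]
    hits = []
    for obj in objects:
        rng = _values(obj, "inetnum") or _values(obj, "inet6num")
        if not rng:
            continue
        fields = [("descr", d) for d in _values(obj, "descr")]
        for handle in _values(obj, "org"):
            org = orgs.get(handle)
            if org:
                fields += [("org-name", n) for n in _values(org, "org-name")]
                fields += [("address", a) for a in _values(org, "address")]
        matched = [f"{f}={v}" for f, v in fields
                   if name_n in _normalise(v) or any(a in _normalise(v) for a in addr_n)]
        if matched:
            hits.append({"range": rng[0], "cidrs": range_to_cidrs(rng[0]),
                         "netname": (_values(obj, "netname") or [""])[0],
                         "mnt_by": _values(obj, "mnt-by"), "matched_on": matched})
    return hits


def suspicious_ranges(text, company_name, address_fragments=(), known_maintainers=()):
    """Ranges carrying the company's details but held by no maintainer you control."""
    known = {m.upper() for m in known_maintainers}
    return [h for h in ranges_registered_to(text, company_name, address_fragments)
            if not known & {m.upper() for m in h["mnt_by"]}]


if __name__ == "__main__":
    for h in suspicious_ranges(SAMPLE_WHOIS, "Example Widgets Ltd",
                               ["12 High Street"], ["EXAMPLE-MNT"]):
        print(h["range"], h["cidrs"], h["mnt_by"], h["matched_on"])
```

The maintainer check is the part that matters: a range that carries your name and address but is held under a maintainer object you have never created is exactly the pattern described above, and the registry's maintainer contact, not your company, is who actually controls it. Treat such a hit as a prompt to contact the registry, not as proof of fraud, since legitimate hosting providers sometimes register customer assignments under their own maintainer.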
A closer look
The actors had set up fake websites posing as the UK victim companies, as well as mail servers which they could use to launch attacks. These fake websites were found to be linked to one another, and enquiries were conducted into that link.
A review of a suspect controlled server was carried out. This provided important lines of enquiry:
- Thousands of emails, the majority of which were from third party companies emailing the attackers to report port scanning and repeated SSH logon attempts. Essentially, other companies had seen that IP addresses apparently belonging to the victim companies had been attacking them, and were asking them to stop.
- A review of the emails showed that the controller of the server had used associated accounts to register further IP ranges from which to conduct attacks, and also to register accounts with Bitcoin exchanges. These exchanges would most likely be used to launder money or to collect ransom payments (most likely from ransomware attacks).
It was strongly suspected that these IP ranges were being set up with the intention of then selling these to other organised criminal groups to conduct cyber-attacks. The case has since been passed on to other law enforcement agencies to further investigate.
Points to consider
From an advice point of view this is a difficult case to offer protective guidance for. What matters most is being aware of how your company's identity can be used in attacks without your network ever being touched, and of how criminal infrastructure is built in general.
PR management - One area which companies do not often prepare for is how they will handle security incidents from a PR perspective. This aspect should factor into your incident response plans, and should cover as many eventualities as possible. One of the companies whose details had been used to register IP ranges had directly received enquiries around the malicious activities. Although no public accusations or media coverage had occurred, they decided to pre-empt further enquiries by sending out a message supplied by us on their official website, outlining how the attacks were nothing to do with them.
Malicious actors are constantly finding new methods to enact cyber crime. It's vital that your organisation is similarly always working to improve your own cyber security.
User Education and Awareness
If you ask the majority of cyber security professionals what they consider to be the most important aspect that an organisation needs to focus on to secure themselves, chances are 'User Education and Awareness' will be high on the list of many.
Many organisations may be unsure what User Education and Awareness should actually cover. Below are some guidelines on how to enable users to keep an organisation secure, whilst also allowing them to carry out their day to day activities.
First of all, we'll take a look at some of the risks of not having sufficient education and awareness policies and procedures in place. Then, we'll outline how those risks can be mitigated.
WHAT ARE THE RISKS?
Removable media and personally owned devices
Without clearly defined policies on the use of removable media and personally owned devices, staff may connect devices to corporate networks that might lead to malware infection and/or compromise of sensitive information.
Legal and regulatory sanction
If users aren't supported in how they handle particular classes of sensitive information, your organisation may be subject to legal and regulatory sanction.
Incident reporting culture
Without an effective reporting culture there will be poor dialogue between users and those responsible for security. This can result in security incidents that could easily have been prevented.
Security Operating Procedures
If security operating procedures don't allow staff to perform their duties, security can be seen as a blocker and possibly ignored entirely. Alternatively, following procedures too stringently might damage legitimate business activity.
Since users have legitimate system accesses and rights, they can be a primary focus for external attackers. Attacks such as phishing or social engineering attempts rely on taking advantage of legitimate user capabilities and functions.
Changes over time in an employee's personal situation could make them vulnerable to coercion, and they may release sensitive information to others. Dissatisfied employees may try to abuse their system level privileges or coerce other employees to gain access to information or systems to which they aren't authorised. Equally, they may attempt to physically deface computer resources.
HOW CAN THESE RISKS BE MANAGED?
Produce a user security policy
Develop a user security policy, as part of the overarching corporate security policy. Security procedures for all systems should be produced with consideration to different business roles and processes. Policies and procedures should be described in simple business-relevant terms with limited jargon.
Establish a staff induction process
New users (including contractors and third party users) should be made aware of their personal responsibility to comply with security policies as part of the induction process. The terms and conditions for their employment/contract should be formally acknowledged and retained to support any subsequent disciplinary action.
Maintain user awareness of the security risks faced by the organisation
All users should receive regular refresher training on the security risks to your organisation. Consider providing a platform for users to enquire about security risks and discuss the advice they are given.
Support the formal assessment of security skills
Staff in security roles should be encouraged to develop and formally validate their security skills through enrolment on recognised certification schemes. Certain roles such as system administrators/incident management teams may require specialist training.
Monitor the effectiveness of security training
Establish mechanisms to test how effective your security training is, and give users the opportunity to provide feedback on the training to improve its value.
Promote an incident reporting culture
Your organisation should be seeking to empower staff to voice their concerns about poor security practices and security incidents to senior staff, without fear of recrimination. Training leaders should also seek to appreciate the effort by non-security staff taking time away from their day-to-day work to help protect the organisation.