FBI has issued a warning of vishing attacks happening against the employees of US companies, of all levels. The warning read about hackers stealing the login credentials of employees’ VPN access to their corporate networks, and gaining elevated privileges for further exploitations and reconnaissance.
Stealing VPN Credentials Via Vishing
Vishing or voice phishing is a technique where the threat actor impersonates a higher official or as an entity to lure the targets into doing something. In this case, as the FBI warned through a TLP: WHITE Private Industry Notification last week, hackers are stealing credentials.
Threat actors here are using vishing techniques to lure employees into logging into their phishing sites. They’re attacking employees of all levels, and get more privileged ones later on for better access. Here, the FBI’s warning came with an example where the threat actor has stolen an employee’s VPN credentials, which he used for accessing his company’s network.
Also, they find and target employees from chatrooms, and later the big fishes who have the ability to change usernames and emails of others. Gaining access, they can exploit the networks even with limited privileges to disturb others. This vishing advisory is the second one coming from the FBI in the last year, with the first one in August 2020.
Thus, to safeguard themselves from such attacks, the FBI listed out security practices every employee can follow;
- Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.
- When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network.
- Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
- Network segmentation should be implemented to break up one large network into multiple smaller networks which allow administrators to control the flow of network traffic.
- Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.
