
NCSC Alert: Mass credential harvesting phishing campaign active in the UK

The National Cyber Security Centre (NCSC) has reported that it is investigating an automated, ongoing and widespread phishing campaign designed to steal users’ credentials. Phishing isn’t new, but it remains very successful for attackers.

In its 2020 Q1 report, cyber security company Rapid7 advised that “a whopping 96% of all MDR incidents involve stolen credentials” (MDR being Managed Detection and Response), which clearly shows how valuable stolen user credentials are to attackers.

This campaign isn’t the standard lookalike-domain phishing, where an email is sent from something like go0gle.co.uk with the domain slightly altered in the hope that the user won’t notice the difference; these emails come from legitimate email accounts that your users have previously had conversations with.

Last week, one of our financial services customers mentioned that four companies they work with regularly had sent them phishing emails because those companies’ email accounts had been breached. With many users still working in unfamiliar settings, without the routine of being in the office, there is a higher chance of users making mistakes, especially when the emails come from legitimate addresses.

There are several ways you can mitigate the risk; however, as with everything in cyber security, design a layered approach and don’t rely on any one tool to protect you fully.

Below I have detailed three options you have:

Credential Theft Protection

I am still surprised how little this is used in the UK, as it is a simple, cost-effective way to stop user credentials being submitted to malicious websites.

In my example below, we utilise the feature on the Palo Alto Networks firewall.

In the URL filtering policies, you whitelist the known websites where users should legitimately submit their credentials, such as Office 365; the firewall then blocks valid Active Directory (AD) credentials from being submitted to any other website.

This is an incredibly good option for users in the office or on a full-tunnel VPN, since their web traffic passes through the firewall where the check is enforced.

Two-Factor Authentication (2FA)

Whenever I start a new engagement with an organisation, I always complete a cyber security review. This is a gap and risk analysis that allows us to start mapping out improvements to their posture, especially as around 70% of organisations have no 2FA in place.

This solution is not new and everyone working in cyber security has been talking about it for years, yet organisations still don’t implement it. I generally ask why and get one of two answers: either ‘we have just never got round to it’ or ‘we tried it and users didn’t like it’ (these are often senior members of the organisation).

There are free options, such as Microsoft’s that comes with AD, or you can use a solution like Okta, which delivers a single 2FA solution across all of your user accounts: Microsoft, Salesforce, VPN, etc.

Correlate Security Logs

In the event an attacker finds a way to bypass your prevention, which can happen as new vulnerabilities are identified, you need to be able to identify it has happened before any damage is done. For example, I was recently involved in a case where conditional policies in Intune could be bypassed in certain circumstances. 

My suggestion to tackle this is outlined below (previously this was only for large corporates or organisations with big chequebooks, but due to a large change in commercial terms all organisations can now benefit from it):

SIEM

  • Collect ALL of your logs, every log you can think of: DHCP, DNS, firewall, endpoint, Office 365, Okta, LDAP, AD.
  • Correlate ALL of your logs:
    • Users cannot time travel (yet!), so if one of your users’ credentials are being used by someone else, it is highly likely to be from a different location to where your user is working, so the IP address and the geolocation will be different.
    • If your user logs in to their VPN in the UK and then the same ‘user’ logs in to their Office 365 account in the US one minute later, you know this is impossible, and it is highly likely that the user’s credentials have been stolen.
    • In this case correlating your VPN and Office 365 logs will identify the breach; the logs independently wouldn’t identify anything.
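The impossible-travel correlation described above, as an added example that is not part of the original post: it parses constructed VPN and Office 365 sign-in lines (the log formats, field names, geolocations and the 1000 km/h threshold are all assumptions), joins them by user across both sources, and flags consecutive logins whose distance could not have been covered in the time between them.

```python
"""Impossible-travel detection across correlated VPN and Office 365 sign-in logs."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0  # assumption: no genuine traveller moves faster than this

# Constructed sample lines (not real logs); the two sources use different field names
VPN_LOG = [
    "2020-05-18T09:00:00Z vpn-login user=alice src=203.0.113.5 geo=51.5074,-0.1278",   # London
    "2020-05-18T08:55:00Z vpn-login user=bob src=203.0.113.9 geo=51.5074,-0.1278",     # London
]
O365_LOG = [
    "2020-05-18T09:01:00Z o365-signin user=alice ip=198.51.100.7 geo=40.7128,-74.0060",  # New York
    "2020-05-18T09:40:00Z o365-signin user=bob ip=203.0.113.9 geo=51.5074,-0.1278",      # London
]

def parse_line(line):
    """Normalise one log line into (time, source, user, lat, lon)."""
    ts, source, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    lat, lon = map(float, kv["geo"].split(","))
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            source, kv["user"], lat, lon)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(*logs, max_speed_kmh=MAX_SPEED_KMH):
    """Merge all sources, order by user then time, and flag impossible consecutive logins."""
    events = sorted((parse_line(l) for log in logs for l in log), key=lambda e: (e[2], e[0]))
    alerts = []
    for prev, cur in zip(events, events[1:]):
        if prev[2] != cur[2]:
            continue  # different user, nothing to compare
        hours = (cur[0] - prev[0]).total_seconds() / 3600
        km = haversine_km(prev[3], prev[4], cur[3], cur[4])
        # simultaneous logins from different places, or a speed no traveller could reach
        if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
            alerts.append((cur[2], prev[1], cur[1], round(km), round(hours * 60)))
    return alerts

if __name__ == "__main__":
    for a in impossible_travel(VPN_LOG, O365_LOG):
        print("ALERT user=%s %s -> %s, %d km in %d min" % a)
```

Neither source on its own raises an alert; only the merged, per-user view does.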

Summary

  • Phishing is a problem.
  • Reduce the risk by implementing prevention in a layered approach.
  • Correlate logs in case your prevention is bypassed.
  • If you would like to book a cyber security review to understand where your gaps are and to get help creating a roadmap to design a layered approach to security, please do get in touch; it’s also free!
