Our story begins with a customer whose help desk unwittingly assisted a threat actor posing as a credentialed employee.
In this fourth report in our ongoing Cyberattack Series, we look at the steps taken to discover, understand, and respond to a credential phishing and smishing cyberattack. The attack targeted a legitimate, highly privileged user with social engineering, allowing the cyberattacker to impersonate the victim and weaponize the help desk to remove the victim's registered multifactor authentication device and register their own.
Credential-based cyberattacks often begin with cyberthreat actors targeting individuals who they believe are connected to the people who have the credentials they need.
Then they conduct social and dark web reconnaissance to find and wind their way to highly privileged users and gain enough information to impersonate them.
In the past, cyberthreat actors have even been known to masquerade as staff, including chief information security officers, and even as incident response firms.
Many smishing and social engineering attacks employ a rush of push notifications that can overwhelm or confuse a target, causing multifactor authentication fatigue.
In the case of threat actor Octo Tempest, once they gained access, they began wrapping their tentacles around valuable assets and collecting additional credentials by using third-party credential-harvesting tools against cloud and on-premises assets.
Then they modified the normal authentication flow, which allowed them to authenticate as any user in the organization, without requiring their credentials.
We then examine Octo Tempest's tactics, techniques, and procedures to understand the extent of the compromise and how we were able to help the customer evict the cyberthreat actor completely.
We'll also explore how organizations can educate employees to reduce the chance of social engineering attacks, and share five proactive elements of a Zero Trust approach that can protect against highly motivated, tenacious cyberthreat actors like Octo Tempest.
Many cyberattacks can be prevented, or at least made more difficult to execute, through the implementation and maintenance of basic security controls.
Organizations can strengthen their cybersecurity defenses and better protect against cyberattacks by understanding in-depth the tentacles of a far-reaching credential breach like this one.
Microsoft Incident Response can provide expert guidance to customers when an attack becomes too complex and challenging to mitigate alone. It can also help before an attack happens, by developing a comprehensive incident response plan and ensuring security personnel are trained to recognize and respond to social engineering attacks.
With Microsoft's intelligence-driven incident response, customers can access the help they need on a global scale, all day, every day, both on-site and remotely.
The proactive and reactive incident response services let customers take advantage of the depth and breadth of Microsoft Threat Intelligence and gain unique access to product engineering.
Read the report to learn more about the cyberattack, including the response activity, and lessons that other organizations can learn to avoid being caught in the tentacles of a social engineering compromise.
With this Cyberattack Series, customers will discover how Microsoft incident responders investigate unique and notable exploits.
Read the first blog in the Cyberattack Series, Solving one of NOBELIUM's most novel attacks.
To learn more about Microsoft Incident Response, visit our website or reach out to your Microsoft account manager or Premier Support contact.
Bookmark the Security blog to keep up with our expert coverage on security matters.
This Cyber News was published on www.microsoft.com. Publication date: Wed, 06 Dec 2023 15:28:05 +0000