Recent findings from Google Cloud's Mandiant threat intelligence team have spotlighted the activities of UNC3944, a sophisticated threat group leveraging personal data for social engineering attacks and physical threats.

“Mandiant noted the threat actors spoke with clear English and targeted accounts with high privilege potential. Additionally, it has been noted that they already possessed the personally identifiable information (PII) of [their] victims to bypass help desk administrators' user identity verification. Mandiant observed use of verification information, such as the last four digits of Social Security numbers, dates of birth, and manager names and job titles with associated co-workers. The level of sophistication in these social engineering attacks is evident in both the extensive research performed on potential victims and the high success rate in said attacks.”

“UNC3944 operators employed consistent social engineering tactics across various victims, often calling service desks to claim they were receiving a new phone, warranting a multi-factor authentication (MFA) reset. By interacting with service desk administrators, UNC3944 could not only reset passwords for privileged accounts but also bypass associated MFA protections. The social engineering techniques went beyond the call centers as extensive SMS phishing campaigns were also observed.”

“Evidence also suggests UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.”

Since the attackers are conducting extensive reconnaissance on their targets and using personally identifiable information (PII) to bypass security protocols like user verification at help desks, conduct MFA reset scams, and make threats, organizations looking to proactively mitigate their risk of being targeted should reduce the availability of their employees’ exposed personal data. Removing this data from brokers and people search sites limits the ease with which threat actors can access and exploit this information in these kinds of attacks. https://lnkd.in/dSYQiCMA #socialengineering #PII #personaldataremoval
Optery’s Post
Great report from Google Cloud's Mandiant threat intelligence team. One of the easiest and most cost-efficient ways CISOs and their teams can be proactive in guarding against social engineering attacks is to remove employee PII from data broker websites. These sites make crafting a social engineering attack as simple as a Google search. It's a win-win that benefits both the company and the employee personally. #socialengineering #cybersecurity #ciso
B.Tech (Computer Science) 2024 Graduate | Ex Software Engineer Intern @HERE Technologies | DSA | OPP | JavaScript | Python | Java | AWS | Docker
Unveiling the Stealthy Tactics: How Cyber Adversaries Snatch Credentials from Your Browser and How to Fortify Your Defense🔒

Imagine an intruder gaining control of a user's system—unrestricted access to execute commands. What's their next target? You guessed it right—hunting for more credentials! And where's the first stop in this malicious quest? The treasure trove of saved credentials in the victim's web browser.

Web browsers, in an effort to enhance user experience, store passwords in an encrypted format within specific files on the system. Each browser has a designated location for these files, such as Google Chrome's AppData\Local\Google\Chrome\User Data\Default\Login Data. Despite encryption, attackers can decrypt and obtain the original passwords. Here's a glimpse into the common attack flow:

Attack Flow:
* Infiltration of a user's device.
* Navigation to the browser's 'credential store' path.
* Accessing the credential file (an SQLite file).
* Executing a SQL query to extract the encrypted password.
* Passing the encrypted password to the Windows Data Protection API.
* Retrieving the decrypted password.
* Utilizing the stolen credentials to move laterally or elevate privileges.

In real-time attacks, especially in ransomware incidents, this process is often automated through infostealer malware, resulting in lightning-fast theft and transmission of credentials to the attacker's server.

How can SOC analysts counter this?
* Recognize the serious risk of employees storing work passwords in browsers.
* On managed devices, consider disallowing password storage in browsers.
* Detect and monitor non-browser processes attempting to read credential store files, signaling potential suspicious activity.
* Implement endpoint protection and anti-malware capable of identifying infostealer activity.
* In the event of confirmed browser credential theft, swift incident response is crucial. Isolate the system from the network promptly, and invalidate stolen credentials or tokens.
If this added some value, follow me at Raghav Tiwari for more such content! Ignore Hashtags! #CyberSecurityInsights #BrowserSecurity #DefendAgainstCyberThreats #InfoSecAwareness #CredentialProtection #CyberDefenseStrategies #SecurityAwareness #IncidentResponse #StayCyberSafe #FollowForMoreInsights
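The post above recommends detecting non-browser processes that read browser credential store files. The following is an added example of that detection logic; it is not code from the post's author or from any product. It assumes file-access telemetry (as Sysmon or an EDR would emit) has already been reduced to records carrying a process image path and a target file path; the event records, user name and profile folder names below are constructed samples. Beyond the Chromium `Login Data` file named in the post, it also watches Chromium's `Local State` file (which holds the DPAPI-wrapped key) and Firefox's `logins.json` and `key4.db`, and it handles one edge case the post does not mention: a process that borrows a browser's file name but runs from a user-writable folder is still flagged rather than trusted.

```python
import re
from typing import Dict, List, Optional

# Files that hold saved browser credentials or the key protecting them.
# Paths are matched case-insensitively on their Windows-style tail.
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),   # Chromium saved logins (SQLite)
    re.compile(r"\\User Data\\Local State$", re.I),          # Chromium DPAPI-wrapped key material
    re.compile(r"\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),  # Firefox equivalents
]

# Browser executables that legitimately open those files, anchored to their
# normal install path suffix so a same-named binary elsewhere is not trusted.
EXPECTED_BROWSER_SUFFIXES = (
    r"\google\chrome\application\chrome.exe",
    r"\microsoft\edge\application\msedge.exe",
    r"\mozilla firefox\firefox.exe",
)
BROWSER_BASENAMES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample events (not real telemetry): image = process that opened
# the file, target = file that was opened. User and profile names are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-05-01T09:12:03Z",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-05-01T09:14:41Z",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-05-01T09:14:42Z",
     "image": r"C:\Users\alice\Downloads\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": "2024-05-01T09:15:10Z",
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
    {"ts": "2024-05-01T09:16:22Z",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"},
    {"ts": "2024-05-01T09:16:55Z",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\key4.db"},
]


def is_credential_store(path: str) -> bool:
    """True when the path names one of the watched credential store files."""
    return any(p.search(path) for p in CREDENTIAL_STORE_PATTERNS)


def classify_image(image: str) -> Optional[str]:
    """Return None for a browser running from its expected install path,
    otherwise a short reason explaining why the access is suspicious."""
    lowered = image.lower()
    if lowered.endswith(EXPECTED_BROWSER_SUFFIXES):
        return None
    basename = lowered.rsplit("\\", 1)[-1]
    if basename in BROWSER_BASENAMES:
        # Browser-like name, wrong directory: possible masquerading binary.
        return "browser-named image from unexpected location"
    return "non-browser process"


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Emit one alert per event where something other than a trusted browser
    opened a credential store file. Non-credential file accesses are ignored."""
    alerts = []
    for ev in events:
        if not is_credential_store(ev["target"]):
            continue
        reason = classify_image(ev["image"])
        if reason is None:
            continue
        alerts.append({
            "ts": ev["ts"],
            "image": ev["image"],
            "basename": ev["image"].rsplit("\\", 1)[-1],
            "target": ev["target"],
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["reason"]}: {a["image"]} -> {a["target"]}')
```

On the sample data this flags three of the six events: the temp-folder `update.exe` and the roaming `svchost.exe` as non-browser processes, and the `chrome.exe` in Downloads as a browser-named binary outside its install path, while the two genuine browser reads and the notepad access produce nothing. In production the same rule would be fed from Sysmon or EDR file-open events and tuned with an allowlist for backup agents or password-management tools that legitimately touch these files.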
Global Sector Lead - Chemical Engineering @ Jackson Hogg | Connecting Top-tier Talent with Extraordinary Opportunities
It's important to be aware of the security threats facing businesses in today's digital world. 💻 Recently, Okta, a cloud-based identity management platform, warned of social engineering attacks targeting super administrator privileges. 🚨 The attacks involve an individual impersonating an IT admin, requesting privileged access on behalf of a company executive, or asking for assistance with a password reset. 🔑 Okta recommends that companies create policies and procedures to protect their data and accounts. 🔒 They also recommend enabling multi-factor authentication, which can help to verify a user's identity and help protect against malicious account takeovers. 🔐 By taking the appropriate steps, businesses can protect themselves against social engineering attacks and better secure their data. 🔃 #SocialEngineering #SecurityThreats #MultiFactorAuthentication
Unveiling FlawedAmmyy: A Close Look at its Notorious Activities and Capabilities 🕵️♂️💻

In the realm of cybersecurity, FlawedAmmyy stands as a formidable threat, its activities and capabilities shrouded in mystery and danger. Let's dive deep into this notorious RAT (Remote Access Trojan) and uncover its secrets. #FlawedAmmyy #Cybersecurity #RAT

🔍 Exploring FlawedAmmyy's Activities: FlawedAmmyy operates in the shadows, silently infiltrating systems and granting unauthorized access to cybercriminals. Its malicious activities range from data exfiltration to remote control of compromised machines. With each clandestine move, it jeopardizes the security and privacy of individuals and organizations alike.

💻 Unveiling its Capabilities: This insidious RAT boasts a plethora of capabilities, allowing attackers to execute commands remotely, exfiltrate sensitive data, and maintain persistent access to compromised systems. Its modular design enables customization, making it a versatile tool in the hands of cybercriminals.

🕵️♂️ The Elusive KGB Connection: Speculation abounds regarding FlawedAmmyy's origins, with whispers of potential ties to the infamous KGB. While concrete evidence remains elusive, the sophistication of its operations suggests the involvement of well-resourced entities, adding an air of intrigue to its menacing presence.

⚖️ Legal Action Against FlawedAmmyy: Victims of FlawedAmmyy infections have legal avenues to pursue justice. From reporting incidents to law enforcement agencies to filing civil lawsuits against perpetrators, taking legal action is crucial in holding cybercriminals accountable for their actions and seeking restitution for damages.

🛡️ Defending Against FlawedAmmyy: To defend against FlawedAmmyy and similar threats, organizations must adopt a multi-layered cybersecurity approach. This includes deploying robust endpoint protection, implementing network segmentation, conducting regular security audits, and developing comprehensive incident response plans.

In conclusion, FlawedAmmyy represents a significant cybersecurity threat, its activities veiled in secrecy and danger. By shedding light on its nefarious operations, organizations can better prepare themselves to defend against its insidious attacks. Stay vigilant, stay secure. 🛡️🔒 #CyberSecurity #StaySafe #FlawedAmmyy #DigitalThreats 🛡️💻🔒 Learn More: https://lnkd.in/djrdxPUw
FlawedAmmyy: A close look at the notorious activities and capabilities of the RAT | Cyware Hacker News
cyware.com
https://lnkd.in/gSuHhAiH Hackers Acquire Corporate Logins From SMS #Phishing And Support Desk Calls A financially driven threat group, UNC3944 has frequently employed phone-based #socialengineering and SMS phishing attacks to gain credentials and escalate access to target organizations. The #hacking group has been observed to target a wide range of #businesses, including #hospitality, #retail, #media and #entertainment, #financialservices, and #telecommunication and #business process outsourcer (#BPO) firms. According to #Mandiant, due to the group’s geographic diversity, it has shown a larger concentration on stealing huge amounts of confidential data for extortion and they appear to be familiar with Western commercial practices. Additionally, UNC3944 has routinely used freely accessible tools, legal software, and #malware that can be purchased on #darknet forums. #cloudsecurity #cyberawareness #informationsecurity #riskmanagement #cybersecurityawareness #asis #ciso #securityawareness #globalsecurity #cybersecurity #technology #homelandsecurity #security #RAS #rso #threatintelligence #darkweb #helpdesk #ITsupport #cloud
Hackers Acquire Corporate Logins From SMS Phishing And Support Desk Calls
https://cybersecuritynews.com
"These threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA)." https://lnkd.in/gxGxdzgb #cybersecurity #threats #attacks #socialengineering #scatteredspider #industrialcyber #icssecurity #ics
FBI, CISA warn of Scattered Spider hackers targeting commercial facilities, adopt social engineering techniques - Industrial Cyber
industrialcyber.co
The researchers said in a Mandiant (now part of Google Cloud) report that the tactic of a group known as UNC3944 is to contact corporate help desks and claim to be employees who are having network access trouble and need their passwords reset or a new multi-factor authentication #MFA code. Once in an IT network, they escalate their access privileges until they can launch #malware, steal data or install #ransomware. In addition, UNC3944 often achieves privilege escalation by targeting password managers or privileged access management systems. The report suggests stopping the use of SMS text as an MFA verification option, blocking external access to Microsoft Azure and Microsoft 365 administration features, and requiring video verification of a help desk caller who wants a password reset. The help desk should verify the face of the user by comparing it to an internal system or security badge system where a photo of the user is stored. Additionally, the help desk should make sure the user shows a form of ID on the video call, like a driver’s license. Mandiant has observed that the group’s targeting has broadened beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services. https://lnkd.in/ggn4eUPT Saya University ❤️ #GoSaya #cyberattack #socialengineering #humanrisk #cybersecurityawareness #サイバーセキュリティ #サイバーセキュリティ教育 #サイバー攻撃 #標的型メール攻撃 Jonathan Hiroshi Rossi Yoshitaka Kashiwagi Crystal Lopez
UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety | Mandiant
mandiant.com
OpIsrael, also referred to as #OpIsrael, is a yearly synchronized cyber attack in which hacktivists direct their efforts towards Israeli governmental and private websites using DDoS attacks and other techniques. This campaign was instigated by Anonymous hackers in 2013, aligning with Holocaust Remembrance Day, and has persistently occurred on an annual basis ever since.

Common Attack Techniques
* Distributed Denial of Service (DDoS) Attacks occur when a server or network is flooded with excessive traffic, disrupting services, causing downtime, and leading to financial losses for the targeted organizations.
* Hacktivists may take over social media accounts associated with Israeli organizations or public figures to disseminate propaganda, spread misinformation, or promote their ideological agenda.
* Website Defacement involves hackers gaining unauthorized access to a website's server and altering its content to display messages, images, or slogans reflecting the attackers' views.
* Social Engineering Methods involve manipulating individuals to reveal confidential information or take actions that jeopardize security.
* Data Breach attacks aim to steal sensitive data from Israeli organizations, including government agencies, businesses, or individuals, and then leak this information publicly. These data breaches can expose confidential information, compromise privacy, and damage the reputation of the targeted entities.

Recommendations
✅ Set up firewalls and routers to block harmful traffic linked to DDoS attacks.
✅ Ensure that all systems software is regularly updated with the latest security patches.
✅ Implement strong authentication mechanisms, such as multi-factor authentication (MFA) or CAPTCHA.
✅ Employ email filtering and anti-phishing software to automatically detect and prevent malicious emails that include phishing links, malware attachments, or fraudulent requests.
✅ Regularly train employees on security awareness to teach them about common social engineering tactics like phishing emails, pretexting, and baiting.
✅ Apply robust access controls and least privilege principles to restrict access to sensitive data exclusively to authorized individuals who need it for their job tasks.
✅ Deploy data loss prevention (DLP) solutions to monitor and enforce policies governing the use, storage, and transmission of sensitive data.
✅ Set up account recovery options, such as recovery email addresses or phone numbers, to regain access to social media accounts after a lockout.

Remember, cyber security is everyone’s responsibility.

Looking for Additional Protection? Visit our website https://cytechint.com/ to learn about our comprehensive cyber security solutions designed to safeguard organizations of all sizes. #OpIsrael #Cybersecurity #OnlineSafety #DataProtection
For cybersec folks, helpful write-up by Mandiant/Google linked below regarding the high-level "attack chain" that may have (in part) been involved in the recent MGM Resorts breach. TLDR / take-aways from the front of the chain: Make sure to think through social engineering resiliency at your service desk lines, esp. around 2FA support assistance (e.g. bypass code issuance), as well as educating users about spotting SMS phishing ("smishing") threats in the BYOD mobile space. "A hallmark of UNC3944 incidents is the use of smishing messages sent to employees of targeted organizations for stealing valid credentials. In the majority of cases where we identified the initial access vector, UNC3944 obtained access to the victim environment after a successful smishing attack. After obtaining credentials, the threat actors have also impersonated employees on calls to victim organizations' service desks in an attempt to obtain multi factor authentication (MFA) codes and/or password resets. During these calls, the threat actor provided verification information requested by the help desk employees, including usernames, employee IDs, and other types of personally identifiable information (PII) associated with employees. Notably, the threat actors often asked the service desk support to repeat the question and paused for significant lengths before answering, likely due to the threat actor looking through notes or attempting to search for the answer to the question posed." https://lnkd.in/gBTd_6V5 #cybersecurity #attackchain #ttps
Traditional multi-factor authentication is not enough for BPO contact centers. Researchers at Stanford University found that 88% of security breaches had an element of human error. The same research determined that 25% of breaches resulted from social engineering or phishing emails. Continuous MFA is entirely unphishable as no keys or codes can be handed to an attacker in the event of a phishing attempt, making phishing-resistant biometric MFA the next big requirement in contact center security. #identitysecurity #biometrics #contactcentersolution https://lnkd.in/eZbCr3jj
Phishing-Resistant MFA Will Be The Next Requirement In Contact Centers
twosense.ai