Staying ahead of and responding to modern threats can be daunting for organizations, especially in the ransomware age we are living in. Phishing is a gateway and continues to be the top attack vector identified by our research and threat analysts. Our security team immediately reviews alerts and communicates guided recommendations, helping clients stop threats in their tracks before they evolve into a much larger issue.

We continually scan for new types of threats and in our research have noticed a growing pattern, specifically around phishing attacks. The scale of phishing has grown exponentially in recent months, from just a few users to over 300,000 in a single run.1 We are sharing some of the top cyber incidents from September as a warning of possible attacks and providing our recommendations on how to keep your organization safe. 

Microsoft Shares Findings of Large-Scale Phishing-as-a-Service Operation

This month, Microsoft released its findings on a large-scale phishing-as-a-service (PhaaS) operation called BulletProofLink or Anthrax. The organization sells phishing kits, email templates, hosting and automated phishing services. It is responsible for many of the enterprise attacks we are seeing, and its email templates are successful at mimicking well-known brands and services.

Microsoft describes PhaaS as a model similar to ransomware-as-a-service or software-as-a-service. It “requires attackers to pay an operator to wholly develop and deploy large portions or complete phishing campaigns from false sign-in page development, website hosting, and credential parsing and redistribution.”1

Microsoft has seen double extortion with this PhaaS model: the cybercriminals post the data they find for sale on the dark web as well as encrypting it, so that the organization needs to pay twice. Microsoft has also seen the BulletProofLink organization retain control of all credentials that are resold on the dark web, allowing the operator to profit twice, from the sale of the PhaaS itself and from the credentials stolen.

Attack Warning Published: September 2021

Impact: While this is a warning from Microsoft, phishing attacks can cause great damage to organizations of any size, and it’s best to implement security practices to try to prevent and identify these types of attacks. 

Learn more about the BulletProofLink operation and how Microsoft Defender can help in Microsoft’s blog.

Ransomware Attack Cancels Howard University Classes

Howard University shared that it experienced a ransomware attack on September 3, 2021, causing critical systems to be shut down. All hybrid and online classes were suspended due to this attack. The university proactively moved systems offline after it detected suspicious activity in its systems.

The university shared that “to date, there has been no evidence of personal information being accessed or exfiltrated; however, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed.”

End users are an important defense in the fight against ransomware. At Pondurance, we stress the importance of security awareness training for all employees and provide our recommendations for teachers and students to follow in this checklist.  

Attack Discovered: September 3, 2021

Impact: Hybrid and online classes were canceled and the university WiFi was taken offline during the investigation. 

Learn more about the breach from NPR.

U.S. Government Warning for Conti Ransomware 

The U.S. government has been tracking Conti ransomware and has seen an increase in activity. In a joint advisory, it shared that Conti has hit more than 400 organizations in the U.S. and internationally. “In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.”2

The advisory calls for increased cybersecurity measures, including multifactor authentication, network segmentation and keeping software and operating systems up to date.

In May, Conti attacked Ireland’s national health service. The attack involved crypto-locking systems used by the Health Service Executive and disrupted patient care across the country for an extended period of time. Conti claimed to have stolen 700GB of patient data, including personal documents, phone numbers, contacts, payroll and bank statements, and demanded $20 million in ransom.2

At Pondurance, we’ve seen Conti ransomware many times and shared a warning about the bad actors exploiting Microsoft Exchange vulnerabilities in this blog.

Attack Warning Published: September 22, 2021

Impact: CISA, the FBI and the NSA encourage organizations to improve their cybersecurity postures to avoid crippling attacks like Conti’s against Ireland’s healthcare system.

Access the CISA advisory on Conti ransomware here.

Recommendations on Keeping Your Organization Safe From Phishing 

Phishing attacks are growing in frequency, and it’s best to prepare now rather than clean up later. Below are a few of our top security tips for email clients:

  • Enable multifactor authentication for all users. 
  • Identify sensitive data and create policies to help prevent users from accidentally or intentionally sharing sensitive data or electronic protected health information (ePHI). (Not supported on all email clients.)
  • Set up and review alerts for risky logins, risky users and rule changes. (Not supported on all email clients.)
  • Conduct user security awareness training focused on safe browsing habits and identifying phishing emails.
  • Monitor for breach data associated with your organization by registering at HaveIBeenPwned.com. Our best practices for using this free service are in our blog.
  • Always patch or update any software or operating systems to mitigate vulnerabilities that bad actors take advantage of. 

Encourage everyone across your organization to operate under the assumption that an attack will occur. Have an incident response (IR) plan in place, whether through an existing IR retainer or by asking your cyber insurance policy provider for a recommended list of IR service providers, so that you can prepare for and respond to incidents, such as phishing, that lead to ransomware attacks.

Sources:

  1. Catching the big fish: Analyzing a large-scale phishing-as-a-service operation, Microsoft, Sept. 21, 2021. 
  2. Conti Ransomware Attacks Surging, US Government Warns, HealthCareInfoSecurity, Sept. 23, 2021.