
Hacker’s Attacks That Even Global Companies Can’t Avoid
April 28, 2024

Recently, as hackers’ attacks have become more sophisticated, Microsoft has faced the risk of leaking confidential information and losing competitiveness after senior executives’ email accounts were hacked.
If these risks are disregarded, they can become significant threats to both individuals and businesses. Learn how to strengthen email security by complying with international security standards and safeguarding users from diverse cyber threats.
1. Overview
Lately, hackers have evolved in increasingly sophisticated ways, targeting their victims with techniques such as phishing, social engineering, and complex malware. In this situation, large enterprises, especially those holding large amounts of data, are attractive targets.
One of the main vulnerabilities hackers target is account take-over. Once they obtain account information, they can access the company’s internal systems, leak confidential information, or use the account as a springboard for further attacks, which results in enormous financial losses and loss of credibility for companies.
Even a global enterprise like Microsoft, with assets worth trillions and hundreds of offices worldwide, suffered such an attack last November. Today, we’re going to look at the actual damage Microsoft suffered in this incident.
2. Attack Case Analysis - Account Take-over
In November 2023, Microsoft’s executive email accounts were hacked by the Russian hacking group Midnight Blizzard (aka Nobelium, or APT29). The group is known as a cyber espionage organization that mainly targets government organizations, NGOs, software developers, and IT service providers in Europe and the United States. On January 12, 2024, Microsoft discovered that this group had breached its system and stolen emails from its cybersecurity and legal teams, putting it at risk of leaking sensitive and confidential information to external parties.
The leakage of confidential information can cause serious damage to businesses. If important confidential information falls into the hands of hackers, it can be exploited by competitors or hacker groups. This can significantly weaken the company’s competitiveness and cause legal issues, which can also directly damage its reputation and credibility.
Midnight Blizzard used residential proxies and “Password Spraying” brute-force attacks against a small number of accounts. A password spraying attack repeatedly tries commonly used passwords across many user accounts. They coordinated password-spraying attempts on a limited number of accounts to avoid detection, and Microsoft confirmed that MFA (multi-factor authentication) was not activated on the test accounts, allowing the hackers to access the system immediately after entering the correct password.
3. Risk (Damage), Mechanism
What is an Account Take-over (ATO)?
7.2.3 Account take-over
ATO is a social engineering attack that uses the account of a real user. After logging in to the stolen email account and browsing the user’s email history, the attacker looks for confidential information and potential secondary victims. For example, account information stolen from a phishing site can be used by an attacker to send an email asking for a change of remittance account, or to deliver confidential information stored in the account to an external party.
Account take-over attacks usually occur via email, mainly using 7.2.1 Forged headers, 7.2.2 Look-alike domains, and 7.2.4 Uniform resource locator phishing. 7.2.1 Forged headers divert and steal emails by forging email headers so that users’ replies go to the attacker. 7.2.2 Look-alike domains imitate legitimate domains to deceive users and expose them to attacks. 7.2.4 Uniform resource locator phishing induces users to click malicious links that install malicious code or lead to phishing pages.
For the detailed standard clauses, refer to the following:
7.2.1 Forged header
One type of social engineering attack involves scammers dodging detection by forging account information in a header. Attackers use email header forgery to redirect the destination of a user’s reply. Through a forged header attack, attackers can intercept emails from normal users that may contain information relating to a company’s credentials and personnel.
7.2.2 Look-alike domain
A look-alike domain is a type of attack in which attackers send a malicious email from an email address that, on cursory visual examination, is remarkably similar to that of a normal, familiar sender. For example, capital ‘I’ and lowercase ‘l’ are similar in appearance, and this similarity can be abused in an attack.
7.2.4 Uniform resource locator phishing
URL phishing is the theft of a victim’s identifier (ID) and password, in which the attacker creates a phishing page or website and induces the victim to enter account information through a malicious URL or file embedded in an email.
Password Spraying Attack
- Attack Preparation: Gathering substantial amounts of account information from public databases or leaked data
- Password Attempt: Repeatedly inputting commonly used passwords into each account
- Avoiding Detection: Targeting a limited number of accounts at a time to avoid detection, rather than attempting many accounts simultaneously.
4. Attack Case Analysis - Solution
The cases and attack types above can be prevented through email security standards that comply with international standardization. Adopted by the ITU Telecommunication Standardization Sector (ITU-T), this standard provides a reliable basis for email security. First, countermeasures can be divided into preventing account take-over via email itself and preventing secondary attacks carried out with the stolen account. Let’s begin with the former.
To prevent account take-over via email, adhering to the security requirements that mitigate 8.2.1 forged header attacks, 8.2.2 look-alike domain attacks and 8.2.4 URL phishing attacks effectively counteracts such threats.
Countermeasures against Account take-over
8.2.1 Security requirements to counter forged header attacks
- It is required to block or warn users if the email address to be replied to is different when replying to an inbound email.
- It is recommended to verify compliance with the email communication protocol.
When replying to incoming emails, warning or blocking the user if the reply address differs from the sender’s reduces the damage caused by phishing and fraudulent emails, and verifying compliance with email communication protocols enhances the reliability and security of email.
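The first 8.2.1 requirement applied to a raw inbound message, as an added example that is not from the article or from X.1236; it uses Python’s standard email parser, and the message, its addresses and the warn/block policy are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed inbound message (not from the article): the visible From is a
# familiar partner, but Reply-To silently sends the user's reply elsewhere.
SAMPLE_INBOUND = """\
From: "Finance Team" <finance@partner.example>
Reply-To: finance@partner-example.net
To: user@corp.example
Subject: Updated remittance details

Please reply to confirm the new bank account.
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def classify_reply(raw):
    """Decide what happens when the user presses Reply on an inbound message.
    Returns (from_addr, reply_addrs, verdict) where verdict is:
      'ok'    the reply goes back to the visible sender (no Reply-To, or same address)
      'warn'  Reply-To is a different mailbox in the sender's own domain
      'block' Reply-To points to another domain, or From is not a parseable address
    Assumed policy for this example; a real gateway would also verify SPF/DKIM."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    if not domain_of(from_addr):
        return from_addr, [], "block"          # malformed From: protocol non-compliance
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    verdict = "ok"
    for addr in reply_addrs:
        if addr.lower() == from_addr.lower():
            continue
        if domain_of(addr) != domain_of(from_addr):
            return from_addr, reply_addrs, "block"
        verdict = "warn"
    return from_addr, reply_addrs, verdict
```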
8.2.2 Security requirements to counter look-alike domain attacks
- It is required to inform the user of the risk level, based on the degree of similarity, when the sender’s domain is detected as similar to a domain in the accumulated email history, and to block such emails.
- It is required to apply the difference in the number of email addresses as a criterion for judging fraudulent look-alike email attacks.
- It is required to manage it separately if the top-level domain (TLD) is different.
- It is recommended to enable security managers to directly register fraudulent look-alike email addresses that look suspicious.
Adhering to security requirements to prevent look-alike domain attacks can reduce the risk of confidential information leakage and fraud through phishing emails. Furthermore, by identifying risk levels based on domain similarity, users can be protected, and managing top-level domain (TLD) differences can enhance security measures. Allowing security administrators to directly register suspicious emails also increases the flexibility of security management.
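The 8.2.2 requirements as a scoring routine, added here as an example that is not the article’s or the standard’s code: a sender domain is compared against domains from accumulated email history after folding confusable characters, a TLD difference is reported separately, and a manager-registered look-alike list is consulted first. All domains and the risk thresholds are constructed.

```python
# Constructed data (not from the article): domains seen in the organisation's
# email history, plus look-alike addresses a security manager registered by hand.
KNOWN_DOMAINS = {"partner.example", "corp.example"}
REGISTERED_LOOKALIKES = {"partner-example.net"}
# Character shapes that are confusable at a glance (e.g. capital I vs lowercase l).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("0", "o"))

def normalize(label):
    # Fold confusable characters so 'rnicrosoft' and 'microsoft' compare equal.
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label.lower()

def edit_distance(a, b):
    # Levenshtein distance: number of single-character edits turning a into b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender_domain(domain, known=KNOWN_DOMAINS, registered=REGISTERED_LOOKALIKES):
    """Score a sender domain against accumulated email history.
    Returns (risk, closest_known_domain, tld_differs); risk is 'none' or:
      'known'       exact match with a historical correspondent
      'registered'  on the manager-maintained look-alike list (block outright)
      'high'        identical after homoglyph folding, or one edit away
      'medium'      two edits away
    tld_differs is reported on its own, as the TLD case is managed separately."""
    low = domain.lower()
    if low in known:
        return "known", low, False
    if low in registered:
        return "registered", None, False
    label, _, tld = domain.rpartition(".")    # keep case so capital I folds to l
    best = ("none", None, False)
    for k in known:
        k_label, _, k_tld = k.rpartition(".")
        d = edit_distance(normalize(label), normalize(k_label))
        diff_tld = tld.lower() != k_tld
        if d == 0:
            return "high", k, diff_tld
        if d == 1:
            best = ("high", k, diff_tld)
        elif d == 2 and best[0] == "none":
            best = ("medium", k, diff_tld)
    return best
```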
8.2.4 Security requirements to counter uniform resource locator phishing attacks
- It is required to continuously track the final destination of a URL that contains a web page inducing personal information input.
Account take-over attacks can thus be prevented through these provisions, and information leakage during such an attack can be prevented by clause 8.3.1 of the international email security standard, ‘Security requirements to counter intentional information leakage’.
In the latter case, secondary attacks resulting from a stolen account (password spraying attacks) can effectively be prevented by understanding the concept of account take-over attacks accurately and adhering to the security requirements of 8.3 ‘Security requirements to counter outbound email threats by user’ and 8.4 ‘Security requirements to counter outbound email threats by attacker’.
Countermeasures against Secondary Attacks Due to Stolen Accounts (Countermeasures against Password Spraying Attacks)
7.2.3 Account take-over (ATO)
- ATO is a social engineering attack that uses the account of a real user. After attempting to log in to the stolen email account to browse the email history of the user, the attacker finds confidential information and potential secondary victims. For example, account information stolen from a phishing site can be used by an attacker to send an email asking for remittance account changes or to deliver confidential information stored in the account to an external party.
8.3 Security requirements to counter outbound email threats by user
8.3.1 Security requirements to counter intentional information leakage
- It is recommended that security managers be able to set conditions for email dispatch.
- It is recommended to have the ability to reconsider email sending if the condition set is not satisfied.
Allowing security administrators to directly set and manage email-sending conditions is crucial in preventing information leakage. This control ensures that sensitive data is not sent without authorization and provides the capability to reconsider email sending if predefined conditions are not met, thereby blocking potential security threats. Such capabilities are essential for protecting the organization’s confidential information and preventing legal and financial damages.
8.3.2 Security requirements to counter unintentional information leakage
- It is required to issue a warning or automatically block users from replying to or sending emails to an email address that has been classified as malicious.
- It is required to convert large attachments within an email to regular ones when transmitting the email from the isolated internal network to the external network.
- It is required to retrieve converted emails with large attachments after safe delivery from an isolated internal network to an external network.
- It is required to allow senders to recall sent emails in order to prevent data leakage.
- It is recommended to encrypt contents of outbound emails that meet certain conditions, such as the IP address that checked emails and the number of times emails were opened.
Features such as warning or blocking emails sent to malicious addresses, securely transmitting large attachments, and preventing data leakage caused by user errors are essential for protecting confidential information and preventing security incidents. These measures are critical for minimizing information leakage and maintaining the organization’s security.
8.4 Security requirements to counter outbound email threats by attacker
8.4.1 Security requirements to counter attacks using account take-over
- It is recommended to allow security managers and users to configure specific IP addresses and countries for accessing email accounts.
The feature to allow or block email account access based on specific IP addresses and countries enhances security by enabling rapid responses to suspected account take-over attempts. By blocking potential attacks beforehand, this measure is vital for the protection of an organization’s confidential information.
8.4.2 Security requirements to counter unauthorized email server access attacks
- It is required to ascertain detailed information about access in order to detect unauthorized email server attacks, and to prevent the unauthorized email server from forwarding access requests to the email server.
- It is required to block mail delivery if sender SMTP information does not match that of the recipient.
By identifying detailed information during access attempts and blocking them immediately, unauthorized server access can be swiftly prevented. By blocking emails when the sender’s and recipient’s SMTP information do not match, forged emails can be effectively prevented.
5. Conclusion
6. References
- Ongoing Microsoft Azure account hijacking campaign targets executives
- ITU-T X.1236: Security requirements and countermeasures for targeted email attacks, https://www.itu.int/net4/itu-t/search#?ex=false&q=targeted%20email%20attack&fl=0&target=All
- Global Email Security Standards