Unit 42 Research: BEC Attacks Financial Nightmare for Organizations
Business email compromise attacks come with a high rate of success.
Channel Futures: What is BEC-as-a-service? Does that mean it’s accessible to more people?
Jen Miller-Osborn: It’s a reference to how the larger BEC community operates. It’s become a profession and older members mentor juniors to bring them up. They also help new people get involved and members tend to freely offer assistance and advice to each other on how to be successful.
CF: Is MFA the key to preventing BEC? If so, what aren’t people doing when they enable MFA that’s leaving them vulnerable?
JMO: MFA is one of the most effective ways to prevent a successful BEC attack. However, because these attacks are rarely made public, there’s a lack of awareness about this threat and that leads to MFA not being a priority for many security teams. That’s why we published this research, to highlight this threat to the wider community.
CF: Is the response to a BEC attack different from that of a ransomware attack? If so, how?
JMO: It can often be a totally different type of investigation. If there was no malware, likely only certain email inboxes were affected so there won’t be large-scale remediation required. The focus will be more on the financial side, seeing if there’s any way to claw back all, or a portion, of what was lost. It’s usually impossible. This is when organizations tend to put protections in place for BEC attacks and we’re trying to help correct that.
CF: What makes BEC so attractive to cybercriminals? Does it carry a high success rate?
JMO: It does carry a high success rate, as the number from the FBI report shows. For many of the people doing these attacks, it is the only way to make a significant amount of money and isn’t viewed as morally wrong. Cybercriminals sometimes position this as a victimless crime where the victim is considered at fault for being tricked. It’s also becoming increasingly multi-generational, with older members bringing on and mentoring new members. These new members are also more tech savvy and in some cases are helping the attackers become more technically capable.
More than 90% of MSPs in North America are planning to add new services to their cybersecurity portfolios, with threat intelligence being the top choice.
That’s according to new research by Kaspersky. As perceived competition in the market has risen since 2019, pricing, quality of protection and ability to offer additional services have also become key factors for choosing a cybersecurity vendor.
Among the various threat intelligence services, the most interesting choices for MSPs are advanced persistent threat (APT) reporting, threat campaigns and techniques of APT actors. This is followed by threat data feeds and threat lookup to help to improve incident response. Other services that providers look for include malware analysis, security assessment and targeted attack discovery.
By expanding their portfolio with cybersecurity services, MSPs can strengthen their position in the competitive market. In 2021, 70% of providers reported an increase in their client base since 2019, and a third see the competition from other MSPs as the most serious business challenge compared to only 19% in 2019.
Industry competition also determines the requirements for cybersecurity vendors. When it comes to choosing a vendor for the service, the No. 1 criterion for MSPs is competitive pricing, followed by quality of protection in tests and the ability to offer additional services. These areas should allow MSPs to build the best threat intelligence offering for their customers.
Mikhail Kolchin is Kaspersky’s head of MSP business.
“The value of security is steadily increasing in MSPs’ service portfolios, and this is mainly dictated by market demands due to the developing threat landscape, remote post-pandemic work and other realities of what we call the new normal,” he said. “For instance, attacks such as ransomware are represented more often targeting companies for ransom regardless of size and data criticality. What we see is that cybercrime is unfortunately evolving with larger bad actors’ budgets in place, cheaper tools available on dark web and so on.”
MSPs have to instill trust in their customers, and threat intelligence services can enrich MSPs’ expertise further, and allow them to address threats faster and more effectively, Kolchin said.
“What has left us delighted is the fact that MSPs have a strong tendency to analyze and react to global attacks happening in the field,” he said. “Eighty-five percent of MSPs revised their security approach in response to the SolarWinds incident regardless of having been affected by it. It is a very healthy percentage.”
The REvil ransomware group was hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official. Reuters broke the news.
The Russian-led criminal gang was responsible for the Colonial Pipeline cyberattack. It led to widespread gas shortages on the East Coast.
REvil’s Happy Blog website, which had been used to leak victim data and extort companies, is no longer available.
Joseph Carson is chief security scientist and advisory CISO at ThycoticCentrify. He said this news comes as no surprise.
“Like many organizations, it is not a case of if you will get hacked but when, and this also applies to hacker gangs,” he said. “Hackers will hack hackers. REvil are a well-known ransomware gang that has caused havoc for many organizations around the world so it is unsurprising that they would be a target. There are many hackers around the world who are using their skills for good and this includes government hackers who work vigorously to defend society from cybercrime. So targeting REvil will likely be a statement that government hackers will work together to stop cybercriminals at the source.”
Chuck Everette is director of cybersecurity advocacy at Deep Instinct.
“The hope is that the actions the U.S. government has taken against these ransomware criminal gangs will set a precedent for other countries and the gangs themselves that governments will no longer stand by idly and allow these 21st century cyber mafia gangs to operate without impunity,” he said. “Hopefully a clear message is being sent that running a ransomware business is not worth the risks any longer. With REvil being taken offline, this can definitely be counted as a benefit for those in the cybersecurity defense area. The one thing to note here is there are plenty of other ransomware criminal gangs ready to step in and take back over the areas vacated by REvil. We can only hope that this government-assisted shutdown will have a negative impact on the operations of the other gangs due to fear of it happening to them as well.”
Ferrara Candy suffered a ransomware attack this month that led to delays for candy delivery leading up to Halloween.
According to NBC News, Ferrara first noticed that hackers were encrypting its computers and demanding a payment on Oct. 9. It has hired outside experts to help restore its systems. The attack impacted production at its manufacturing facilities.
Ferrara didn’t respond to requests for comment.
Anurag Kahol is Bitglass’ CTO and co-founder.
“With Halloween just around the corner, this company will have to quickly restore all of its systems to get candy production back on track,” he said. “This highlights how all enterprises need advanced threat protection to prevent ransomware attacks and mitigate their impact. For instance, a zero trust approach can significantly reduce an organization’s attack surface by ensuring only authorized users are granted access to their network, while continuously monitoring for suspicious activity and potential threats. Additionally, enforcing mandatory employee security training is crucial to identify illegitimate emails, as phishing is a primary vector for ransomware attacks. With these proactive safety measures, organizations can have the security needed to prevent an intrusion.”
Gary Ogasawara is Cloudian’s CTO.
“Cybercriminals are getting smarter about whom they target and when,” he said. “For businesses that rely on certain seasons for a big portion of their sales, an attack like this could have a huge negative impact because of the limited time they have to recover. Unfortunately, many security experts continue to focus on increased perimeter security and other traditional defenses as the solution, despite these measures having proven ineffective time and time again.”
A comprehensive cybersecurity strategy should assume ransomware will get in, and put greater attention on being able to recover quickly and easily without paying ransom, Ogasawara said.
“The best way to ensure such recovery is having an immutable (unchangeable) data backup copy,” he said. “This prevents cybercriminals from altering or deleting the data, enabling victims to quickly restore an uninfected copy of their data and resume operations. In addition, data should be encrypted so that criminals can’t read or publish sensitive data in any intelligible form, thereby eliminating the other aspect of ransomware extortion.”
Tech giant Gigabyte has allegedly suffered a serious network breach.
According to PrivacySharks, a sample of files from Gigabyte’s network were leaked on AvosLocker’s onion site and appear to contain confidential details regarding deals with third-party companies and identifiable information about employees. AvosLocker is a ransomware group.
AvosLocker has threatened to leak more data from Gigabyte’s network if the Taiwanese company refuses to negotiate.
Gigabyte couldn’t be reached for comment.
Chris Morgan is senior threat intelligence analyst at Digital Shadows.
“The recent incident affecting Gigabyte is the second time the Taiwanese company has been impacted by a ransomware attack in the past three months,” he said. “The RansomExx group targeted Gigabyte in August, which resulted in the theft of 112 gigabytes of data. However, it is yet unclear whether this is connected to the recent attack by AvosLocker.”
AvosLocker is a relatively new ransomware group and was first observed in June, Morgan said. It operates on the ransomware-as-a-service (RaaS) business model.
“This involves ransomware developers renting out their malware and infrastructure to affiliates, who conduct attacks on their behalf in return for a share of profits,” he said. “AvosLocker are distinctive due to their use of an auction feature for stolen data, which the group introduced in mid-September. This followed the introduction of a similar feature by the REvil group in June. This allows interested parties to pay for the data that AvosLocker steals from their victims, though it is unclear how successful this feature has been in terms of providing an additional revenue source for the group.”
Jake Williams is co-founder and CTO at BreachQuest.
“The details in the file tree should be extremely concerning to Gigabyte as they consider the impact of this breach,” he said. “In most double extortion schemes, the data theft focuses on quantity rather than quality. The file tree from this dump suggests that in this case, the threat actor focused on quality. The AvosLocker double extortion model includes sale of data for those that don’t pay, rather than just free release. To facilitate sales, AvosLocker must steal data that’s worth buying. The file tree (directory listing) teased by AvosLocker certainly appears to be the kind of data that would be valuable to a multitude of cybercriminals.”
In addition to personal data, the dump would also seemingly include contract details that will damage relationships with vendors and cause significant reputational losses for Gigabyte, Williams said.
“It also seems likely there are trade secrets included in the dumps, though the quantity and quality of those trade secrets are difficult for outsiders to evaluate based on file and directory names,” he said. “But one thing is for sure – Gigabyte is feverishly evaluating the contents of the files in the directory listings and evaluating the impact of their probable release.”
While ransomware is grabbing all the headlines, business email compromise (BEC) is inflicting more costly damage on organizations and individuals, according to new Unit 42 research.
BEC is costing victims thousands, even millions of dollars, according to Unit 42, Palo Alto Networks’ threat research group. In investigations conducted since Jan. 1, 2020, the average wire fraud attempted was $567,000 and the highest was $6 million.
Moreover, the FBI reports that BECs caused $1.87 billion in losses last year, making it one of the most expensive types of cybercrime.
BEC is a cyberattack involving the hacking, spoofing or impersonation of a business email address. The victim of a BEC attack receives an email that appears to come from a trusted business. The email looks and feels genuine. However, it typically contains a phishing link, a malicious attachment, or a request to transfer money to the attacker.
Many organizations think they’ve already taken steps to protect themselves against BECs, Unit 42 said. However, those steps may not have been properly implemented. Among the hundreds of BEC cases Unit 42 has worked on since the beginning of last year, 89% of victims failed to turn on multifactor authentication (MFA) or follow best practices for its implementation.
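As an added example (not the article’s or Unit 42’s own code), the Python below checks a single message for the sender-spoofing and impersonation patterns described above: a lookalike of a trusted partner domain, a display name that borrows a trusted address while the real sender sits elsewhere, a Reply-To that diverts replies, and payment-redirection wording. The trusted-domain list, phrase list and sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical domains this organisation legitimately deals with (constructed).
TRUSTED_DOMAINS = {"example-partner.com", "corp.example"}
PAYMENT_PHRASES = ("wire transfer", "updated bank", "urgent payment")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _one_char_off(a, b):
    """True if a and b have the same length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates (one-char typo or rn->m, 0->o, 1->l swap), else None."""
    if domain in trusted:
        return None
    swapped = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    for t in trusted:
        if swapped == t or _one_char_off(domain, t):
            return t
    return None

def bec_indicators(raw, trusted=TRUSTED_DOMAINS):
    """Return the list of BEC indicators present in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = _domain(from_addr)
    findings = []
    imitated = lookalike_of(from_dom, trusted)
    if imitated:
        findings.append(f"lookalike sender domain {from_dom} imitates {imitated}")
    # Display name embeds a trusted address while the real sender is elsewhere.
    if _domain(name) in trusted and from_dom not in trusted:
        findings.append(f"display name '{name}' hides real sender {from_addr}")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To diverts replies to {_domain(reply_to)}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(p in text for p in PAYMENT_PHRASES):
        findings.append("payment redirection language in body")
    return findings

# Constructed sample: partner lookalike domain ("rn" for "m") plus a diverted Reply-To.
SAMPLE_LOOKALIKE = b"""From: Accounts Payable <ap@exarnple-partner.com>
Reply-To: ap@mail-relay.example.net
Subject: Updated bank details

Please send this week's wire transfer to our updated bank account.
"""
```

Running `bec_indicators(SAMPLE_LOOKALIKE)` returns three findings; a message from a genuine partner domain with no diverted Reply-To and no payment wording returns an empty list.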
BEC Deep Dive
To learn more, we spoke with Jen Miller-Osborn, Unit 42’s deputy director of threat intelligence.
Channel Futures: While ransomware is grabbing all the headlines, is BEC more prevalent and dangerous to more people and organizations? If so, how?
Jen Miller-Osborn: In the sense of monetary loss to an organization, it far surpasses ransomware. It rarely makes the news because organizations don’t want it publicized and, in contrast to ransomware, there are no real-world effects which employees or customers would notice. There is also rarely malware involved in BEC cases; often the attackers rely solely on social engineering to accomplish their goals, so it can be much harder to detect and stop.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.