When you sign in to your company's VPN, be mindful of the URL you're signing in to.
According to the advisory dated August 20, "Actors registered domains and created phishing pages duplicating a company's internal VPN login page, also capturing two-factor authentication (2FA) or one-time passwords (OTP). Actors also obtained Secure Sockets Layer (SSL) certificates for the domains they registered and used a variety of domain naming schemes."
Examples of domain naming formats include "support-[company]," "[company]-support," "ticket-[company]" and others.
The cybercriminals behind the vishing campaign built profiles on targeted employees using a myriad of sources (from social media to publicly available background check services); threat actors then used unattributed VoIP numbers to "call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company."
The cybercriminals then posed as members of the targeted company's IT help desk, using the profile they had built to create a personal connection and establish trust. After building this trust, the cybercriminal would convince a victim employee that "a new VPN link would be sent and required their login, including any 2FA or OTP." Once the employee logged in to the fake page, the threat actor used the stolen credentials to gain access to the employee's account and any corporate tools reachable from it.
"In some cases, unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator," the advisory said. "In other cases attackers have used a SIM-Swap attack on the employees to bypass 2FA and OTP authentication. The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed."
Tips offered by CISA and the FBI for organizations include restricting VPN connections to managed devices only, employing domain monitoring and improving 2FA and OTP messaging to "reduce confusion about employee authentication attempts." For users, the agencies recommended bookmarking the correct corporate VPN URL, not visiting alternative URLs solely on the basis of an inbound phone call, and being suspicious of unsolicited phone calls from unknown individuals.
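The domain-monitoring tip above can be turned into a concrete check against the naming formats the advisory quotes ("support-[company]," "[company]-support," "ticket-[company]"). The following is an added example, not code from the advisory or from any vendor; it generalizes the quoted formats to any domain that combines the company name with a help-desk style keyword, and it assumes a feed of newly observed domains (certificate-transparency logs or a new-registration service) that you supply. The company name `examplecorp`, the owned-domain allowlist, the extra keywords beyond `support` and `ticket`, and the sample domain list are all constructed for illustration.

```python
from typing import Dict, List, Optional, Set

# Naming formats quoted in the advisory: "support-[company]", "[company]-support",
# "ticket-[company]". The remaining keywords (helpdesk, vpn, login, sso) are assumed
# extensions added for this example, not taken from the advisory.
HELPDESK_KEYWORDS = ("support", "ticket", "helpdesk", "vpn", "login", "sso")

# Constructed sample of newly observed domains (as a CT-log or registration feed
# might deliver them). These are made-up names, not indicators from the advisory.
SAMPLE_NEW_DOMAINS = [
    "support-examplecorp.com",
    "examplecorp-support.net",
    "ticket-examplecorp.org",
    "examplecorp.com",
    "vpn.examplecorp.com",
    "examplecorp-vpn-login.co",
    "weather-today.example",
    "supportexamplecorp.info",
    "example-corp-support.com",
    "examplecorp-news.biz",
]

COMPANY = "examplecorp"  # hypothetical company name
# Domains the organization legitimately owns; anything under them is not a lookalike.
OWNED_DOMAINS: Set[str] = {"examplecorp.com"}


def registrable_label(domain: str) -> str:
    """Return the label immediately left of the top-level suffix.

    Assumption: a single-label suffix (.com, .net, ...). A production monitor should
    use the Public Suffix List so that names like example.co.uk are split correctly.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_owned(domain: str, owned: Set[str]) -> bool:
    """True if the domain is, or is a subdomain of, an owned domain."""
    d = domain.lower().strip(".")
    return any(d == o or d.endswith("." + o) for o in owned)


def classify_domain(domain: str, company: str, owned: Set[str] = OWNED_DOMAINS) -> Optional[str]:
    """Return a reason string if the domain looks like a help-desk/VPN lookalike, else None."""
    if is_owned(domain, owned):
        return None
    label = registrable_label(domain)
    company = company.lower()
    # Exact formats from the advisory: keyword-company or company-keyword, hyphen-joined.
    for kw in HELPDESK_KEYWORDS:
        if label == f"{kw}-{company}":
            return f"matches '{kw}-[company]' format"
        if label == f"{company}-{kw}":
            return f"matches '[company]-{kw}' format"
    # Generalization: company name (hyphens ignored) plus any help-desk keyword
    # anywhere in the label, e.g. "company-vpn-login" or "supportcompany".
    compact = label.replace("-", "")
    if company in compact and any(kw in label for kw in HELPDESK_KEYWORDS):
        return "company name combined with a help-desk keyword"
    # Weaker signal: the company name alone in a registrable label the company does not own.
    if company in compact:
        return "company name in unowned domain"
    return None


def find_lookalikes(domains: List[str], company: str, owned: Set[str] = OWNED_DOMAINS) -> List[Dict[str, str]]:
    """Run classify_domain over a feed and return the flagged entries with their reasons."""
    hits: List[Dict[str, str]] = []
    for d in domains:
        reason = classify_domain(d, company, owned)
        if reason:
            hits.append({"domain": d, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_NEW_DOMAINS, COMPANY):
        print(f"{hit['domain']:30} {hit['reason']}")
```

Flagged domains are candidates for review and takedown requests, not proof of phishing; the weaker "company name in unowned domain" signal in particular will catch legitimate third parties, so it belongs in a lower-priority queue than the exact-format matches.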
The FBI and CISA also warned that cybercriminals are looking to take advantage of "increased telework" at numerous organizations. "The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification," the advisory read.
Infosec professionals and threat researchers have also warned that the hasty move to remote workforces has left employees vulnerable to social engineering scams. During IBM's Red Con 2020 virtual event last week, Charles Henderson, global head of IBM's X-Force Red, said planned migrations to remote workforces often take many months to do securely, but the COVID-19 pandemic forced many organizations to make the switch in a matter of days. Henderson also said enterprise employees expect to continue to work from home well after the public health crisis has improved.
"This year it is amazing to me how the security landscape has changed," Henderson said during his Red Con remarks. "We need to realize that in order to be competitive past the pandemic and to be truly responsible when it comes to security, we need to prepare for the true home office revolution that we're seeing."
The vishing campaign referenced in the alert bears some similarities to the widely publicized Twitter breach from last month; both campaigns involved vishing attacks to steal credentials, and both targeted specific employees. It's unclear whether the two vishing campaigns are connected.
CISA has not responded to a request for comment.
Security News Director Rob Wright contributed to this report.