Hacking collective still relies on phishing

Indi Siriniwasa, VP at Trend Micro Sub-Saharan Africa

Johannesburg, 03 Jun 2020
Indi Siriniwasa, VP at Trend Micro Sub-Saharan Africa.

Phishing and spear-phishing (targeting specific individuals) continue to be significant threats for companies around the world. Pawn Storm, an extremely active espionage group since 2015, has been using these tactics to good effect in targeting entities ranging from the defence industry and multinational organisations to media houses and political parties.

Because of the group’s notoriety, its attack methods have been well-documented.

Throughout the years, it has used everything from social engineering and data-stealing malware to zero-day exploits and even a private exploit kit. Trend Micro has been closely following waves of the group’s targeted credential phishing attacks and has collected thousands of e-mail samples. This data has enabled the organisation to identify trends in Pawn Storm’s tactics, techniques and procedures.

Military might

For example, from May 2019 to this year, the group started using hacked e-mail addresses of numerous high-profile targets to send credential spam messages. Most of the focus was on compromised e-mail accounts belonging to defence companies in the Middle East. While the reason behind this strategy remains unclear, one explanation could point to the group attempting to evade spam filtering that combats most general phishing attacks.

An interesting aspect of the Pawn Storm attacks has been that the group did not use malware in the initial stages. It concentrated on tactics such as credential phishing, direct probing of Web mail and Microsoft Exchange Autodiscover servers, and large-scale scanning activities to search for vulnerable servers.

Furthermore, the group has significant resources enabling it to run lengthy campaigns against specific companies and individuals. Its attacks have been sophisticated, with the spear-phishing in particular finding increasingly innovative ways to get individuals to part with sensitive information.

Never-ending battle

The plethora of tools and tactics used means organisations must secure their perimeter to reduce the risks from any potential entry or jump-off points. Management must, therefore, adopt a security-first approach to their data strategies to ensure they can mitigate any potential risk of compromise.

This entails enforcing the principle of least privilege. A company can minimise the risks to the network by limiting traffic, enabling only the services needed, and disabling those that are outdated or unused. Part of this entails minding the security gaps. The entire system must be kept updated and its applications patched. A strong patch management policy that is cognisant of things such as virtual patching for known and unknown vulnerabilities is therefore essential.

However, this is not a once-off process. An organisation must regularly monitor its infrastructure. Aside from employing firewalls, the business should incorporate intrusion detection and prevention systems that inspect traffic in real time and automatically remediate vulnerable systems. Something as simple as requiring two-factor authentication for corporate e-mail accounts, network access and outsourced services must be given serious consideration.

Critically important is employee education. A business must raise awareness of phishing techniques and common attack vectors and prohibit the use of personal Web mail and social media accounts for work purposes. Additionally, the organisation must focus on maintaining data integrity. By regularly backing up data and encrypting sensitive information, a company can take great strides to ensure it keeps its most important asset, its data, protected.

Please click here to read the report.

Editorial contacts

Charlize van Schalkwyk
charlize@anticlockwise.co.za