Researchers identify first threats in a post-phishing world
Researchers at XM Cyber have uncovered a new means of carrying out e-mail attacks without the user or cyber security teams knowing.
Attackers convert the user’s account into a tool to invade the network and cause ongoing damage.
XM Cyber, an APT (advanced penetration testing) simulation platform provider, refers to these as ‘the first threats of a post-phishing world’.
Igal Gofman, head of security research for XM Cyber, says he is always looking for new ways to simulate advanced lateral movement, sophisticated Active Directory escalation, persistence, and exfiltration.
“A recent area of focus has been on defeating network and domain boundaries by moving laterally within the network, with a focus on pivoting from unsecured networks to isolated secure networks.”
The team simulated how a skilled adversary can easily pivot through a compromised network by abusing commonly used email applications.
“Many email clients are built right into modern operating systems and can potentially help facilitate lateral movement,” he explained.
The techniques he describes are considered post-exploitation, which means the user account has already been breached and the adversary has full control over the user’s workstation.
“In many cases, adversaries use compromised account credentials to access employees’ emails in order to change their bank account information, sometimes adding a malicious Outlook rule to prevent the user from receiving alerts regarding a deposit or withdrawal change. There are many account breach vectors, including phishing and password spraying.”
He says XM Cyber has seen adversaries abusing cloud synchronisation options to sync malicious metadata such as email rules back to the user’s workstation. Other techniques that were recently discovered by Black Hills penetration testers involve syncing Outlook Web Add-Ins to the user workstations. Those attacks are relatively easy to initiate and can be performed from the cloud.
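The malicious inbox rules described above (rules that delete or move finance-related mail so the victim never sees a bank alert, or forward mail outside the organisation) leave a trace when they are created. The following is an added detection example, not XM Cyber's or Black Hills' code: it scans constructed mailbox-audit records, assumed to follow an Operation-plus-Name/Value-parameters layout like the Microsoft 365 unified audit log, and flags rule changes that hide finance-related mail or forward it away.

```python
# Constructed sample records (not real data). The layout (an Operation name plus
# a list of Name/Value parameters of the cmdlet that ran) is an assumption.
SAMPLE_RECORDS = [
    {"UserId": "alice@example.test", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;payroll"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "bob@example.test", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "From", "Value": "news@vendor.test"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "carol@example.test", "Operation": "Set-InboxRule",
     "Parameters": [{"Name": "Identity", "Value": "tidy"},
                    {"Name": "ForwardTo", "Value": "attacker@outside.test"}]},
    {"UserId": "dave@example.test", "Operation": "UserLoggedIn", "Parameters": []},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Actions that keep mail out of the user's sight, and actions that send it elsewhere.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
EXFIL_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Words an alert-suppressing rule would typically match on.
FINANCE_WORDS = ("bank", "deposit", "payroll", "invoice", "wire", "account")


def params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_rule(record):
    """Return the reasons a mailbox-rule change looks suspicious (empty if benign)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = params(record)
    reasons = []
    hides = [a for a in HIDING_ACTIONS if a in p]
    # Only the rule's matching conditions are searched for finance keywords.
    conditions = " ".join(v.lower() for k, v in p.items()
                          if k.endswith("ContainsWords") or k == "From")
    if hides and any(w in conditions for w in FINANCE_WORDS):
        reasons.append(f"hides finance-related mail via {','.join(hides)}")
    for a in EXFIL_ACTIONS:
        if a in p:
            reasons.append(f"{a}={p[a]}")
    return reasons


def find_suspicious_rules(records):
    """Return (user, operation, reasons) for every record that scores as suspicious."""
    return [(r["UserId"], r["Operation"], score_rule(r)) for r in records if score_rule(r)]
```

A benign move-to-folder rule on a vendor newsletter (bob) is not flagged; only the deposit-suppressing delete rule and the external forward are reported.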
According to Gofman, by performing a phishing campaign, the attacker can gain system access to a user’s workstation and can control the installed mail client and all related communication. Instead of targeting users outside the organisation by sending phishing emails or using cloud services to sync malicious metadata, the cyber criminal can control all communication.