Recently, there has clearly been a tendency towards the spread of social engineering as a way to penetrate the organization’s infrastructure. Comparing the statistics of 2017 and 2018, we observe an almost 50 percent increase in the number of cases when malware was delivered to employees' computers precisely through attachments or phishing links in the body of the message.
In general, the whole range of threats that can be implemented using e-mail can be divided into several categories:
- incoming spam
- inclusion of organization computers in the bot network sending outgoing spam
- malicious attachments and viruses in the body of the message (small companies most often suffer from massive attacks like Petya).
To protect against all types of attacks, you can either deploy several SZI, or follow the path of the service model. We already talked about the Unified Cybersecurity Services Platform - the core of the Solar MSS ecosystem of managed cybersecurity services. Among other things, it includes the virtualized technology Secure Email Gateway (SEG). As a rule, a subscription to this service is acquired by small companies, in which all IT and IS functions are assigned to one person - a system administrator. Spam is a problem that is always in front of users and management, and you cannot solve it. However, over time, even the leadership becomes clear that it simply does not work out to “finish” her sysadmin - she takes too much time.
2 hours to parse mail - it's a bit much
A similar situation was addressed to us by one of the retailers. Time tracking systems showed that every day its employees spent about 25% of their time (2 hours!) On mailbox analysis.
Having connected the customer’s mail server, we configured the SEG instance as a two-way gateway for both incoming and outgoing mail. We started filtering by predefined policies. We compiled the Blacklist based on the analysis of the data provided by the customer and our own lists of potentially dangerous addresses received by Solar JSOC experts as part of other services, for example, monitoring information security incidents. After that, all the mail was delivered to the recipients only after cleaning, and various spam mailings about "grand discounts" ceased to pour in tons to the customer's mail servers, freeing up space for other needs.
But there were situations when a legitimate letter was mistakenly classified as spam, for example, as received from an untrusted sender. In this case, we have granted the right of decision to the customer. There are not many options for what to do: immediately delete or quarantine. We chose the second way in which such spam is stored on the SEG itself. We granted the system administrator access to the web console, in which he could at any time find an important letter, for example, from the counterparty, and pass it to the user.
Get rid of parasites
The email protection service includes analytical reports whose purpose is to control the security of the infrastructure and the effectiveness of the applied settings. In addition, these reports allow you to predict trends. For example, we find the corresponding section “Spam by Recipient” or “Spam by Sender” in the report and look at whose address the largest number of blocked messages arrives.
Just when analyzing such a report, the sharp increase in the total number of letters from one of the customers seemed suspicious to us. He has a small infrastructure, the number of letters is low. And suddenly after a working day, the amount of blocked spam almost doubled. We decided to take a closer look.
We see that the number of outgoing letters has increased, and in all in the “Sender” field there are addresses from a domain that is just connected to the mail protection service. But there is one caveat: among the completely sane, possibly even existing, addresses, there are obviously strange ones. We looked at the IP from which the letters were sent, and, as expected, it turned out that they did not belong to the protected address space. Apparently, the attacker sent spam on behalf of the customer.
In this case, we made recommendations for the customer to properly configure DNS records, specifically SPF. Our expert advised creating a TXT record containing the rule "v = spf1 mx ip: 1.2.3.4/23 -all", which contains an exhaustive list of addresses that are allowed to send letters on behalf of the protected domain.
Actually, why is this important: spam on behalf of an unknown small company is unpleasant, but not critical. The situation is completely different, for example, in the banking industry. According to our observations, there the victim’s confidence level in a phishing email rises many times if it was sent allegedly from a domain of another bank or a counterparty known to the victim. And this distinguishes not only bank employees, in other sectors - the same energy sector - we are faced with the same trend.
We kill viruses
But spoofing is not such a common problem, such as viral infections. And how do they most often deal with viral epidemics? They put an antivirus and hope that "the enemy will not pass." But if everything was so simple, then, given the rather low cost of antiviruses, everyone would have long forgotten about the malware problem. Meanwhile, we constantly receive requests from the series “help restore files, everything has been encrypted, work is worth it, data has been lost”. We are not tired of repeating to customers that antivirus is not a panacea. In addition to the fact that anti-virus databases may not be updated quickly enough, we often encounter malware that can bypass not only anti-viruses, but also sandboxes.
Unfortunately, few ordinary employees of organizations are aware of phishing and malicious emails and are able to distinguish them from regular correspondence. On average, every 7th user who does not undergo regular awareness raising lends itself to social engineering: opens an infected file or sends its data to cybercriminals.
Although the social vector of attacks, in general, was constantly strengthening little by little, last year this trend became especially noticeable. Phishing emails became more and more like the usual mailings about promotions, upcoming events, etc. Here you can recall the Silence attack on the financial sector - bank employees received a letter allegedly with a promotional code to participate in the popular industry conference iFin, and the percentage of those who fell for the trick was very high, although, recall, we are talking about the banking sector - the most advanced in terms of information security.
Before the last New Year, we also observed several rather curious situations, when employees of industrial companies received very high-quality phishing letters with a "list" of New Year's promotions in popular online stores and with promotional codes for discounts. Employees not only tried to follow the link, but also sent a letter to colleagues from related organizations. Since the resource referenced in the phishing email was blocked, employees began to massively leave requests for access to the IT service. In general, the success of the newsletter must have exceeded all the expectations of the attackers.
And recently a company that “encrypted” turned to us for help. It all started with the fact that the accounting staff received a letter allegedly from the Central Bank of the Russian Federation. The accountant clicked on the link in the letter and downloaded the WannaMine miner, which, like the well-known WannaCry, exploited the EternalBlue vulnerability. The most interesting thing is that most antiviruses are able to detect its signatures since the beginning of 2018. But, either the antivirus was disabled, or the databases were not updated, or it wasn’t there at all - in any case, the miner was already on the computer, and nothing prevented it from spreading further over the network, loading the CPU of the servers and the workstation 100% .
This customer, having received the report of our forensics group, saw that the virus had initially penetrated through mail and launched a pilot project to connect the email protection service. The first thing we set up was mail antivirus. At the same time, scanning for malware is carried out constantly, and signature updates were first made every hour, and then the customer switched to twice a day mode.
Full protection against viral infections should be layered. If we talk about the transmission of viruses via e-mail, it is necessary to weed out such letters at the entrance, train users to recognize social engineering, and then rely on antiviruses and sandboxes.
SEG Yes on guard
Of course, we do not claim that Secure Email Gateway solutions are a panacea. Targeted attacks, including targeted phishing, are extremely difficult to prevent because each such attack is “sharpened" for a specific recipient (organization or person). But for a company trying to provide a basic level of security, this is a lot, especially with the experience and expertise correctly applied to the task.
Most often, when targeting phishing is implemented, malicious attachments are not included in the message body, otherwise the anti-spam system will immediately block such an email on the way to the recipient. But they include links to a pre-prepared web resource in the text of the letter, and then it’s all over the small. The user follows the link, and after a few redirects in a matter of seconds, he is on the last of the entire chain, the opening of which will load malware on his computer.
Even more sophisticated: at the time of receipt of the letter, the link can be harmless and only after some time has passed, when it is already scanned and skipped, it will begin to redirect to malware. Unfortunately, Solar JSOC specialists, even taking into account their competencies, will not be able to configure the mail gateway to “see” malware through the entire chain (although as protection you can use the automatic spoofing of all links in SEG letters so that the latter scans the link not only at the time of delivery of the letter, and at each transition).
Meanwhile, aggregation of several types of examinations, including data obtained by our JSOC CERT, and OSINT, helps to cope even with a typical redirect. This allows you to create advanced blacklists, based on which even a message with multiple forwardings will be blocked.
Using SEG is just a small brick in the wall that any organization wants to build to protect its assets. But this link needs to be correctly put into the big picture, because even SEG with proper tuning can be made a full-fledged defense.
Ksenia Sadunina, Consultant, Expert Presale, Product and Services, Solar JSOC