08.15.22

Corvus Threat Intel

Social Engineering, Ransomware Impact on NHS, & Crypto Crackdowns

Cisco reveals a breach, the NHS reels from a ransomware attack on a key supplier, and U.S. sanctions hit the cryptocurrency mixer Tornado Cash.

Cisco Discloses Recent Compromise Using Social Engineering to Bypass MFA

Cisco recently disclosed details about a cyber attack it responded to in May 2022. The attacker first gained control of an employee’s personal Google account. Because the employee had enabled browser password syncing, the Cisco VPN credentials saved in that browser were available to the attacker as well. Although the attacker now held a valid username and password, VPN access was protected with multi-factor authentication (MFA). The attacker worked around this in two ways: a series of voice-phishing calls in which they impersonated trusted support organizations and tried to talk the user into accepting MFA requests the attacker had initiated, and “prompt bombing”, sending a large volume of MFA push requests in the hope that the user would accept one simply to silence the nuisance. One of these methods eventually worked. The user accepted a push request, which authenticated the attacker’s VPN login. With that initial foothold, the attackers enrolled their own devices for MFA, established persistence, moved laterally through the environment, and exfiltrated data.

Why This Matters

MFA is still one of the most effective security controls available. It is not, however, a “set and forget” solution that prevents all attacks. Even when it works exactly as designed, the human in the loop is still vulnerable to social engineering. Never accept an MFA push notification unless you are sitting at the keyboard and trying to log in at that moment. Where the option exists, prefer number matching (the login screen shows a code the user must type into the authenticator) or phishing-resistant methods such as FIDO2 security keys over plain approve/deny pushes, and alert on users who receive many pushes in a short period.
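The prompt-bombing pattern described above leaves a recognizable trace in authentication logs. The following is an added example, not code from Cisco’s report or from Corvus: a small Python heuristic run over a constructed MFA push log. The log format, event names, IP addresses, and the window and count thresholds are assumptions chosen for illustration; tune them to whatever your identity provider actually emits.

```python
"""Heuristic detection of MFA push fatigue ("prompt bombing").

Added example: the log format, thresholds and addresses below are assumptions
for illustration, not Cisco's telemetry or any vendor's detection logic.
Each log line is:  <ISO-8601 UTC timestamp> <user> <event> <source_ip>
with event one of push_sent, push_denied, push_timeout, push_approved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). alice approves a normal login in the
# morning; that evening an attacker at 203.0.113.7 fires a burst of pushes that
# she ignores or denies until one gets through. bob is a normal login.
SAMPLE_LOG = """\
2022-05-24T08:02:11Z alice push_sent 198.51.100.20
2022-05-24T08:02:15Z alice push_approved 198.51.100.20
2022-05-24T09:10:00Z bob push_sent 198.51.100.31
2022-05-24T09:10:04Z bob push_approved 198.51.100.31
2022-05-24T20:41:02Z alice push_sent 203.0.113.7
2022-05-24T20:41:40Z alice push_timeout 203.0.113.7
2022-05-24T20:42:03Z alice push_sent 203.0.113.7
2022-05-24T20:42:09Z alice push_denied 203.0.113.7
2022-05-24T20:43:10Z alice push_sent 203.0.113.7
2022-05-24T20:43:50Z alice push_timeout 203.0.113.7
2022-05-24T20:44:30Z alice push_sent 203.0.113.7
2022-05-24T20:44:41Z alice push_denied 203.0.113.7
2022-05-24T20:45:12Z alice push_sent 203.0.113.7
2022-05-24T20:45:20Z alice push_approved 203.0.113.7
"""

WINDOW = timedelta(minutes=10)  # look-back per approval (assumed tuning value)
MIN_PUSHES = 4                  # pushes in the window that count as a burst (assumed)
FAILURE_EVENTS = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse lines into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_fatigue(events, window=WINDOW, min_pushes=MIN_PUSHES):
    """Flag approvals that follow a burst of mostly rejected or ignored pushes.

    A legitimate login is one push followed by one approval. An approval that
    arrives after several pushes in a short window, nearly all of which the
    user denied or let time out, looks like the user giving in to the noise.
    Each alert also records whether the approving source IP had ever been used
    for one of this user's earlier approvals.
    """
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[1]].append(ev)

    alerts = []
    for user, evs in per_user.items():
        known_ips = set()
        for i, (ts, _, event, ip) in enumerate(evs):
            if event != "push_approved":
                continue
            recent = [e for e in evs[:i] if ts - e[0] <= window]
            pushes = sum(1 for e in recent if e[2] == "push_sent")
            failures = sum(1 for e in recent if e[2] in FAILURE_EVENTS)
            # Every push but the approved one failed: the fatigue signature.
            if pushes >= min_pushes and failures >= pushes - 1:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "source_ip": ip,
                    "pushes": pushes,
                    "failures": failures,
                    "new_source_ip": ip not in known_ips,
                })
            known_ips.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this flags only alice’s evening approval: five pushes in under five minutes, four of them denied or timed out, approved from an address never seen in her earlier approvals. The same counters can drive a preventive control in the identity provider, such as locking push approval for an account after a few consecutive denials and requiring a different factor.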

Emergency Services Provider Likely Down for Weeks Due to Ransomware Attack

Advanced, a UK-based managed service provider (MSP) whose software underpins critical services for the National Health Service (NHS), confirmed that an outage which began earlier in August was caused by a ransomware attack and that recovery will likely take weeks. The incident forced some of the company’s servers offline. Thirty-six organizations across the NHS rely on Advanced for round-the-clock access to health information. As a result of the outage, urgent care workers, including NHS 111 call operators, have had to fall back on pen and paper to keep services running. While third-party forensics firms investigate and remediate the attack, the company says restoration for urgent care customers will be carried out over the next few days; other healthcare clients are warned that restoration will take a number of weeks.

Why This Matters

This is a nightmare scenario: crucial healthcare services interrupted by a ransomware attack on a supplier. Even a few hours offline can have major consequences for critical healthcare providers. It highlights the importance of building resilient systems and tested business continuity plans, including manual fallback procedures, so that operations can continue during IT outages or cyber attacks, and of knowing which third parties your critical processes depend on.

U.S. Sanctions Tornado Cash Cryptocurrency Mixer, Dutch Police Detain Suspected Developer

The U.S. has sanctioned another cryptocurrency entity, the mixer Tornado Cash. The service has been accused of assisting hackers, including the North Korean Lazarus Group, by laundering millions of dollars in stolen funds. Shortly after the OFAC announcement, the Dutch Fiscal Information and Investigation Service (FIOD) arrested a 29-year-old suspected developer in Amsterdam. This marks yet another move in the U.S. attempt to crack down on cryptocurrency-assisted cybercrime: in September 2021, OFAC sanctioned the cryptocurrency exchange Suex, followed by Chatex in November 2021, both for laundering ransomware payments.

Why This Matters

This is an encouraging example not only of the U.S. taking action against cybercrime but of international cooperation in doing so. Sanctions and arrests aim to prevent further financial harm, but they do not return the vast sums already stolen from legitimate businesses and laundered. The onus of preventing attacks remains on your business.


This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.