Your company, your vendors and suppliers, and your customers are currently under the biggest wave of cyber-attacks that I’ve seen since the internet was created. If you have not noticed this latest wave of attacks, your vendors and customers have or your company may simply not be aware that it has already been attacked.
Along with being a practicing attorney with the BrownWinick law firm, I have managed the firm’s IT department, including its IT security operations. I work on behalf of the firm to maximize its security and to provide legal services to businesses that are under attack. During the past two weeks, I have seen a dramatic increase in calls from clients asking for advice on what to do after falling victim to cyber-attacks.
Sophisticated Attacks — Spear Phishing
Two new sophisticated attacks have risen to pandemic proportions; both are using spear phishing emails to begin the exploit. The most common attack is launched after the hacker researches potential corporate targets so that a corporate executive will be more likely to click on a link in an email, which will either load malware or steal the executive’s Office 365 log-in credentials. This is known as a spear-phishing attack. The attacking email will likely be from a familiar customer or contact, and will contain information that would fit with the target’s business. Once the hacker obtains those credentials, the hacker modifies the Outlook rules so that their emails are not seen by the actual company officer. The hacker is then free to launch very sophisticated invoice fraud attacks — not only on the company itself but also on both its customers and suppliers. The hacker will impersonate someone with authority to submit fake invoices using the company’s own email system and order the company’s accounting department to wire funds to bank accounts that the hacker controls. The hacker may also send fake invoices to the company’s clients with faked wire instructions. The hacker may also steal vendor and customer information so that the hacker can target those companies for a second round of attacks.
A more sinister attack is to use the stolen credentials to launch a ransomware attack. MegaCortex Ransomware Crypto ransomware appeared globally on May 1 and was aimed at selected companies that would be highly motivated to get back online as quickly as possible. The MegaCortex software is highly sophisticated and attempts to shut down numerous security processes on a system in order to maximize the damage. I reviewed a video of an attack underway I noticed numerous well-known security products that are sent orders by the software to shut down. Because the software launches itself from an exploited corporate account, it is quite possible that as with the invoice fraud attacks, the hackers will obtain customer and vendor information that can be used to launch a second round of attacks.
What Should Your Company do to Protect Itself?
- Use two-factor authentication to log onto any company system.
- Have strong and continuous backups of all company systems.
- Educate all employees on the dangers of clicking on any link in any email and to be suspicious of any unusual request or email.
- Install strong security software, hardware, and logging software and hire someone to continuously review the logs.
- Hire security specialists to install a robust defense against these new generation attacks.
- Adopt strong IT and HR policies to increase security and employee awareness.
- If your firewall is four years old, it is likely time to replace it.
- Consider installing a SIEM to collect and manage security information.
- Require verbal or in-person approvals of all wire transfers by the company.
- Require verbal confirmation of any change in address or bank wire information by a vendor.
It is a well-known adage in the IT security field that it is not a matter of whether your company will be hacked, but when. In this current environment, for any company without strong security and support from senior management, that day will be tomorrow, and the next day, and the day after that.
James Pray is an attorney and member of the BrownWinick Law Firm in Des Moines, Iowa. He also serves as Chief Technology Officer. When he is not working with companies that have suffered data breaches or internet-based thefts, he specializes in assisting clients with environmental compliance matters and renewable energy projects.
