Cybersecurity News

FBI: Spike in Vishing Attacks Seeking Escalated Access, Credential Theft

Threat actors are increasingly using “vishing”, or voicemail phishing, to target remote employees for credential theft and prolonged, escalated access, the FBI warns.

vishing voicemail phishing credential theft remote workforce

By Jessica Davis

- Threat actors are increasingly using voice phishing, or vishing, in targeted attacks on remote workers in an effort to steal credentials, escalate privileges, and gain proliferated network access, according to a recent FBI alert.

While phishing attacks prey on human nature through email messages, vishing occurs through phone calls of VoIP platform users. These attacks first came to light in December 2019, with hackers collaborating in targeted attacks on a range of large, global companies using social engineering tactics.

Since the initial attacks, the threat actors have shifted techniques and tactics when attempting to compromise employee accounts or credentials. Previously, the campaigns focused on individuals who would have likely had more access to the enterprise network based on their corporate position.

Now, the attackers are targeting all employees to obtain all possible credentials.

“During COVID-19 shelter-in-place and social distancing orders, many companies had to quickly adapt to changing environments and technology,” according to the alert. “With these restrictions, network access and privilege escalation may not be fully monitored.” 

“As more tools to automate services are implemented on companies’ networks, the ability to keep track of who has access to different points on the network, and what type of access they have, will become more difficult to regulate,” it added.

For the latest campaign, hackers are calling employees to trick them into logging onto a phishing website to capture their usernames and passwords, according to the latest FBI alert.

The actors then use the credentials to gain access to the network. In instances where the victim had extensive network access, the hackers used the stolen credentials to further escalate privileges of the compromised account.

As a result, the hackers further proliferated into the network to cause significant financial damage.

In one instance, the hackers used a chatroom messaging service to contact and phish an employee’s login credentials. They found an employee using the company’s chatroom and convinced the employee to log into the fake VPN page operated by the cybercriminals.

The stolen credentials were used by the attackers to log into the company’s VPN. The hackers leveraged the enterprise access to perform reconnaissance and find an employee with higher privileges. 

“The cybercriminals were looking for employees who could perform username and email changes and found an employee through a cloud-based payroll service,” it added.

This is the third warning on vishing threats reported in less than a year. Previous vishing efforts centered around a massive mining campaign to obtain enterprise login credentials for use in later cyberattacks, as well as attacks on remote healthcare workers by exploiting legacy voicemail technology.

To mitigate the threat, all organizations, including those in healthcare, should be sure to implement multi-factor authentication on all employee accounts to reduce the chance of account compromise. The FBI also recommends entities employ a principle of least privilege, only granting employees network access to elements needed to perform their required functions.

When creating administrator accounts, each administrator should be issued two accounts: one with admin privileges to make system changes and another used only for email, deploying updates, and generating reports.

Further, periodic review of network access controls can also drastically reduce the risk of compromise of vulnerable or weak endpoints within the enterprise network.

Administrators should be actively scanning and monitoring for unauthorized access or any modifications, which can help in the detection of possible system compromise and prevent or minimize data loss.

And as previously noted, enterprises should implement network segmentation policies to break large networks into multiple, smaller networks to assist administrators in controlling the flow of network traffic.

To better understand network segmentation, healthcare providers should review recent NIST guidance on strategies for building a zero trust architecture.