Channel Businesses Hit by Phishing Attack
There are multiple reports of a new phishing attack that may in fact be targeting those who work in the indirect telecom and IT channels.
Ron Hayman, chief cloud officer at master agent Avant, said his company became aware of the attack last Thursday morning when it received an email from another master agent whose account had been compromised. By midday, Avant was swamped with similar emails and began alerting the affected providers that they were compromised.
On the surface, the phishing attack might appear routine, but the Avant team noticed something different from the usual phishing bait.
“First, the email was not spoofed. It came from the person’s actual account, and therefore, looked legitimate,” said Hayman.
“Second, when the recipient challenged the sender to confirm the email was legit, the sender replied back encouraging the recipient to open the attachment,” Hayman continued. “Third, we believe that the hacker was able to both compromise the desktop and the email of the sender to achieve this level of sophistication.”
Measuring impact on the channel is difficult at this point, but Avant says it has a general idea.
“Our understanding is that this is a sophisticated hit with an active attacker from the Ukraine. It impacted master agents, agents and suppliers, and at least one of the master agent’s services was disrupted for 48 hours,” Hayman said.
Defining the Target and Marking the Bull’s-Eye
Evidence began popping up elsewhere as well. For example, Channel Futures and Channel Partners editors received email notifications from Cato Networks’ support and SOC teams stating that a company executive’s email account credentials had been compromised. The warning not to open the attachment or click any links in the email was emphatic.
Cato responded quickly. The notification came just an hour or two after our editors received the original email that appeared to be from the executive.
Some MSSPs initially questioned whether this attack was aimed specifically at the channel or whether they simply got caught up in a bigger net. In any case, attacking security providers makes perfect sense to the criminal mind.
“It makes sense for hackers to target MSSPs in order to reach their clients — leveraging trusted partners in this way offers potentially far greater rewards, whilst reducing the ability of victims to adequately defend themselves,” said Colin Bastable, CEO of security awareness and training company Lucy Security, which specializes in helping organizations educate their employees about phishing.
“Such attacks can be hard to remediate, as the expertise and control is outsourced to the very people who are trying to defend themselves from, and contain, the attack. So, the hacker gets more bang for their buck, with the added benefit that the outsourced defenses of their victims are in disarray and trust is reduced to zero,” Bastable added.
But that doesn’t mean that targeting MSSPs and other partner types is a new development in cyberthreats.
“Leveraging channels and the suppliers of outsourced services is not a new strategy for hackers – we have seen attacks on global system integrators, often by state actors – for the last eight to nine years or more,” said Bastable.
As to this particular phishing attack, Avant believes partners’ clients are as much a target as the partners themselves.
“We believe both MSSPs are targeted themselves and used as a source to get client contacts,” said Avant’s Hayman. “At a minimum, a rootkit is installed and contacts are being copied and used to attack others within the community.”
However, when pushed to confirm the target, Avant couldn’t say for sure that partner businesses specifically are in the bull’s-eye.
“While we cannot be certain that the channel industry is being targeted, the attacker is using appropriate terms like ‘Payment and Sales Proposal.’ While these are general terms, they are also related to our industry,” said Hayman.