Repeatable VEC Attacks Target Critical Infrastructure
Cyber Security Threat Summary:
The incidence of vendor email compromise attacks has surged, as recent data reveals a significant uptick in these cyber threats. A new report released yesterday by Abonormal Security, a cybersecurity firm, highlight the growing risk posed by VEC attacks, which are a variant of business email compromise. These attacks involve impersonating trusted individuals within the target organization. The latest statistics indicate that the likelihood of organizations falling victim to a VEC attack has increased dramatically, rising from 45% in June 2022 to 70% in May 2023.
Abnormal Security conducted an investigation that uncovered a series of repeatable VEC attacks utilizing a distinctive method. The attackers targeted multiple critical infrastructure organizations by compromising five vendor email accounts.
“The attack involved sending emails from the compromised accounts and attempting to reroute outstanding and future invoices to a new bank account, following a fake updated payment policy. The most cunning aspect of these attacks was the use of familiar language and known domains, making them appear genuine and bypassing traditional security defenses. The most cunning aspect of these attacks was the use of familiar language and known domains, making them appear genuine and bypassing traditional security defenses. While the emails contained subtle grammatical errors, they featured characteristics expected in legitimate vendor communications. These deceptive tactics, coupled with the absence of prior correspondence between senders and recipients, made the attacks challenging to detect for both human recipients and conventional email security solutions” (InfoSecurityMagazine, 2023).
Security Officer Comments:
While utilizing these compromised accounts, the threat actor conducted email attacks targeting 15 individuals from five different customer organizations, which comprised of two healthcare companies, two logistics firms, and one manufacturing company. Abnormal security observed that all the emails contained distinct phrasing with mentions of a “bogus check” and “opting out from check for now”. Moreover, the attacker employed the same contact phone number in all the emails, establishing a clear link between the attacks and a common source.
Security Officer Comments:
BEC attacks are harder to defend against than traditional phishing because common indicators like bad domains are not used. Because communications are coming from trusted and expected partners, employees will be more likely to fall victim to attacks. The only real prevention is to train employees to spot BEC attacks. Employees should understand that every email received could be malicious. If you receive a strange invoice, wire transfer request, or unexpected email from a trusted user, verification via phone is recommended. Never use email communications to verify a payment request, because the account may still be compromised by the threat actor. Avoid requests that prey on emotions, have a sense of urgency, or just feel off. While emails may be coming from a trusted sender, spelling mistakes and bad grammar seen in normal phishing emails may still be present. To avoid falling victim to BEC yourself, multifactor authentication is recommended on all email accounts. Users should monitor leak websites and leverage security tools that monitor for stolen or leaked credentials.
Link(s):
https://www.infosecurity-magazine.com/news/repeatable-vec-attacks-critical/
https://abnormalsecurity.com/blog/vec-attacks-replay-critical-infrastructure