Companies are getting better at detecting and fending off brute force attacks. Depending on how big, and how hard-hitting the attack is, it can still get through, of course, but the main problem with such an attack is that it’s impossible to miss. The moment it starts, security professionals know what’s going on, and can immediately spring into action.
Of course, the hackers know this, and have been looking for ways around the problem. How can they launch an attack that will go unnoticed?
Now, it seems that they have a viable answer: low and slow.
It requires patience. Rather than hitting hard and all at once, this new attack vector utilizes a small number of machines and a low attack frequency in order to stay under the radar. Often, the hackers orchestrating such attacks will spread them out over weeks, or even months, and alternate between several different companies on the thinking that if it doesn’t trigger any alarms, then the security folks won’t go on high alert, and they can keep chipping away until they get lucky and break in.
While it hasn’t worked so far, the new approach did manage to go unnoticed for a number of months before the pattern was detected by SkyHigh Security.
The attack they discovered is an especially clever one. It has been going on since May, and it seeks to target email accounts not controlled by individuals, but used to fulfill other corporate functions. These are things like service automation, marketing and other system accounts.
The reason? Most of these don’t use two-factor authentication, and most people who check those types of accounts don’t expect to see malicious emails in those inboxes, and are thus more likely to click on embedded links, even if sent by accounts that are unrecognized.
Nothing is currently known about the group behind the attacks. They are focused on high-value targets in the financial services and medical fields and attempted to gain access to Office 365 accounts, which would give them access to a wealth of sensitive corporate information.
Although there’s no evidence that the attack has succeeded to this point, it is as clever as it is insidious, and definitely something to be aware of. From a practical standpoint, the strongest defensive move you can make is to be sure that all of the aforementioned types of email accounts are using two-factor authentication.