MyCena, Author at MyCena® - Page 16 of 44

BLOG

Read our blog articles, product news and announcements.

City law firms in London have been placed on red alert for cyber-attacks. According to recent warnings, City firms may be targeted because of the ongoing situation in Ukraine, and with such high-profile disruption and lucrative ransoms tempting attackers, law firms may become a new favourite target. Law firms are also soft targets because of the highly sensitive client data stored on their servers. If a breach were to occur, a firm would not only fall foul of GDPR and data protection laws but could also breach client-attorney privilege. A recent attack on the Ince Group, a London-based law firm, gave a first glimpse of the difficulties City firms could face if the predicted attacks do occur.

A novel phishing technique called browser-in-the-browser (BitB) was disclosed by a security researcher in mid-March. It uses a simulated browser pop-up window, styled to look like the login window of an authentication or single sign-on provider, to steal login credentials.

BitB attacks are an extension of existing clickjacking, or user-interface redressing, techniques that alter the appearance of browsers and web pages to trick users into bypassing security controls. With this technique, an entirely fabricated replica is created: the user thinks they are seeing a real pop-up window, but it is just an imitation drawn inside the page.

“Very few people would notice the slight differences between the two,” according to the report. “Once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website.”

Julia O’Toole, Founder and CEO of MyCena Security Solutions, says that businesses should remove the danger presented by BitB phishing attacks by ensuring that employees can no longer create, view or type passwords to access the company files, apps and systems. This amounts to taking back access control and removing the risks of human error from the network access process.

“To the untrained eye, which is likely to be the majority of workers, these types of phishing attacks are dangerous yet impossible to spot. All it takes is for one unsuspecting employee to make a mistake and it compromises the entire network.”

“Attacks like these aren’t for quick cash payouts. Actors will sit inside your system and wait to cause the most damage. All the while, the user continues working without realising they’ve unwittingly given their credentials away.”

“Additionally, this type of attack has been utilised in the past. In 2020, cybercriminals used similar BitB techniques on the video game digital distribution service Steam to gain access to consumer credentials. Whilst this may cause damage to individuals, what we’re seeing now is a more aggressive assault on an organisational level.”

While some have recommended using a password manager and Single Sign-On tools to circumvent the problem, as they automatically input passwords without falling for the replica windows, this still presents major issues.

“As we’ve seen recently, centralising multiple passwords behind a manager master password does nothing to prevent access fraud. It only centralises access information for hackers in a breach scenario. This was the case of the Lapsus$ group who, after infiltrating Okta’s network, were able to easily find an Excel document filled with Lastpass master passwords to access their customers' domain administrator accounts.”

“Password managers and Single Sign-on tools may provide a surface layer of convenience for users, but in the event of a breach also offer their company’s keys to the kingdom on a silver platter. Instead, access segmentation and encrypted passwords distribution is a more effective solution that completely removes the potential threat of human error or fraud from the equation and safeguards access integrity.”

“Additionally, businesses might see the appeal in doubling down with multi-factor authentication (MFA) methods as a precaution. But their initial loss of access control means that not even MFA can guarantee the legitimacy or integrity of access. Cyber attackers have found many ways to infiltrate those as we’ve seen recently through known vulnerabilities in MFA protocols. Relying on MFA merely postpones an inevitable breach of access, rather than securing your cybersecurity and cyber resilience outright.”

“Cyber attackers are more intelligent and relentless when it comes to modern-day phishing techniques. Relying on traditional security approaches is no longer enough.”

“Instead, returning access control, segmentation and security to the organisational side ensures that employees no longer need to create, see, or type passwords. Using a safe path from receiving, storing to using encrypted credentials, means they don’t have to worry about leaking them accidentally to cyber actors.”

The Cybersecurity and Infrastructure Security Agency (CISA) and FBI Cyber Division have released a joint Cybersecurity Advisory (CSA) warning organisations that Russian state-sponsored cyber actors have gained network access through the exploitation of default multi-factor authentication (MFA) protocols and a known vulnerability.

As early as May 2021, Russian state-sponsored cyber actors gained access to a non-governmental organisation by exploiting default MFA protocols, and went on to control its network. Organisations that implement MFA have been told to review their default configurations and modify them as necessary, to reduce the likelihood that attackers can circumvent this control in the future.

With this in mind, Julia O’Toole, Founder and CEO of MyCena Security Solutions, has said that solely relying on multi-factor authentication to protect network access from this new wave of cyber actors and ransomware gangs is not enough.

“It is important for companies to understand that they must play a more active role in their own cyber-defence. With this MFA vulnerability, it proves even the most secure-seeming security methods will not stop attackers, especially those sponsored by the Russian state.”

“Within the Russia-Ukraine conflict, we’ve seen ransomware gangs like Conti pledging support with Russia. Their attacks are classified as acts of war, which has seen changes in insurance exemptions to reflect an increase in damages caused to enterprises related to state-sponsored cyber-attacks.”

“About 75% of ransom payments come from insurance, but with more developments from ransomware groups in recent years, it is becoming too expensive to insure damages for every cyber-attack. After insurance companies put out war exclusions, more gangs are announcing that they are acting independently to the Russian Federation or Ukraine, in the hope insurance companies will keep funding the ransoms.”

“Rather than spending hundreds of thousands on insurance, companies are better off investing in improving cyber-defences themselves to prevent attacks in the first place.”

“Additionally, we have even seen independent ransomware gangs are getting more brazen in their attempts to breach. New arrivals on the scene like Lapsus$ have actively used social media to advertise their access to victims via phishing attacks, broadcasting their victims’ identities through Telegram for anyone to see.”

“With groups such as Lapsus$ acting not for financial or political motives but instead for clout and infamy, it makes them far more dangerous to businesses. Lapsus$ breaching Nvidia in mid-February and stealing 1 terabyte of data, including the usernames and passwords of more than 71,000 Nvidia employees, makes the idea of unique user control redundant and exposes the limitations of centralised access once the system gets compromised.”

“Most recently, Lapsus$ has even advertised breaching access to Okta – an authentication company used worldwide. Any hack of this kind can have ramifications for all organisations relying on Okta to authenticate access, with Lapsus$ themselves threatening to focus on Okta customers.”

“Simply relying on MFA methods will not prepare organisations for this rising tide of new-age cybercriminals. In fact, Lapsus$ does not want to kill the golden goose and said they were not interested in OKTA itself but in its customers. Instead, regaining and re-establishing command and control on the business side, managing access through segmentation and encrypted passwords distribution is a more effective solution in removing the potential for human fault entirely from the equation.”

“A simple focus in security structure like this makes all the difference in protecting your network from exploited access, and therefore hefty ransom payments.”

- Ends -

FOR MORE MEDIA INFORMATION
Adam Hartley/ Nathan Patel/ Alex Henderson
T +44 (0)20 7388 9988
mycena@spreckley.co.uk

About MyCena Security Solutions
Founded in 2016, MyCena is the market leader in segmented access management and safe password distribution. MyCena’s patented security system allows companies to adopt a cyber-resilient strategy from conception using access segmentation, distribution and protection. With its ground-breaking technology, MyCena protects companies from the risks of password error, fraud and phishing, loss of command and control, ransomware, and successful supply chain attacks. The company offers enterprise security solutions and applications to end users. To learn more visit: https://mycena.co/

MyCena has launched a mobile device add-on for its enterprise segmented digital access security solution. Its aim is to solve three fundamental cybersecurity weaknesses: creating and sharing passwords, risk aggregation, and memorising passwords. Companies worldwide are suffering more numerous and more costly attacks every day. More than four of every five cyberattacks begin with a phished password and, with the average ransomware breach now costing over £3.6 million, there is an urgent need for businesses to protect themselves. MyCena’s solution helps companies to make common critical security issues, such as stolen passwords and single points of entry into systems, a thing of the past.

Ubisoft, the video game developer behind franchises such as Assassin’s Creed and Far Cry, was the target of a large attack earlier this month. Users first noticed disruption in accessing Ubisoft services, followed by further interruptions to Ubisoft games, systems and platforms. Ubisoft then confirmed it had suffered a cyber security incident. As a precaution, the Ubisoft IT team carried out a company-wide password reset to try to mitigate any damage, although unauthorised access had already occurred. Early signs point to the hacking group LAPSUS$ claiming responsibility. The group has previously attacked companies such as NVIDIA, aiming to steal data and extort a fee in return for not leaking customer or business information.

The US government has passed another law in a bid to fight cybercrime. On March 11, the Senate passed new legislation drawn up by senators Gary Peters and Rob Portman. It requires any US critical infrastructure institution to declare when it has suffered a new cyberattack on its systems. The law is part of President Biden’s attempt to improve US national cybersecurity following several notorious attacks in recent times, and it comes at a crucial time. With experts expecting fresh attacks on critical infrastructure due to the Ukraine conflict, companies will now have to notify the government within 72 hours of an attack, or within 24 hours if they are making a ransomware payment. Companies that fail to notify the authorities can now face severe penalties.