In the ransomware world, the oldest and most common ways of breaking into an organization are often still the most effective. That includes social engineering, which remains a key way to get into a target, even though some feel it is less effective now that awareness of it is far more widespread.
Social engineering means tricking or pressuring people into giving up valuable information like passwords, personally identifiable information (PII) such as Social Security numbers, banking information, and so on, or into taking an action on the attacker's behalf, such as approving a login prompt. It can mean deceiving people or bribing them, and both methods remain popular.
This is especially true for the data-extortion group Lapsus$, which is quickly becoming one of the most notorious gangs in the world. Security journalist Brian Krebs recently discussed how Lapsus$ continues to gain footholds in enterprises, and much of its work is done via old-fashioned social engineering.
"Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets." (Microsoft, describing the Lapsus$ group)
"Phone-based social engineering" has a familiar ring, doesn't it? This tried-and-true method is still a primary attack vector. In 2022, when pretty much everyone should be aware of such attempts, it is still happening, and still succeeding.
"Paying employees" is another phrase that should send shivers down the back of everyone with security responsibilities. Ultimately, there is probably no way to completely eliminate this kind of graft; bribes are perhaps the oldest type of social engineering in existence. Properly vetting potential hires can reduce the danger, but note that Microsoft's list also names suppliers and business partners, and a person who has been paid already holds legitimate credentials. The other half of the defense is therefore limiting what any single account or MFA approval can unlock (least privilege) and watching for approvals that do not fit that person's normal pattern, such as an SMS code accepted right after a phone-number change, or an approval that follows a burst of denied push prompts.
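To make the "watching for approvals" point concrete, here is an added detection example (written for this page, not code from Microsoft, Lapsus$ coverage, or any product). It runs three simple rules over a constructed, hypothetical MFA/identity event log: an SMS approval shortly after the user's phone number changed (the SIM-swap pattern), a push approval that follows a burst of denied pushes (MFA fatigue, or a purchased approval after the victim got tired of saying no), and an approval from a country the user has never authenticated from. The event schema, field names, thresholds and the USUAL_COUNTRIES baseline are all assumptions for the example.

```python
"""Flag MFA approvals that match the Lapsus$-style tactics discussed above.

Added example: the event schema below is hypothetical and the sample events
are constructed for illustration; map the field names onto your IdP's logs.
"""
from datetime import datetime, timedelta

SIM_SWAP_WINDOW = timedelta(days=7)      # SMS approval this soon after a number change is suspect
FATIGUE_WINDOW = timedelta(minutes=10)   # look-back for denied/ignored push prompts
FATIGUE_THRESHOLD = 3                    # this many failed pushes before an approval is a red flag

# Constructed sample events (UTC timestamps). "phone_change" is the IdP recording
# a new MFA phone number; "mfa_result" is the outcome of one MFA challenge.
SAMPLE_EVENTS = [
    # alice: number changed, then an SMS code accepted from a new country 20 minutes later
    {"ts": "2022-03-22T01:10:00", "user": "alice", "type": "phone_change", "country": "US"},
    {"ts": "2022-03-22T01:30:00", "user": "alice", "type": "mfa_result", "method": "sms", "result": "approved", "country": "BR"},
    # bob: three denied push prompts at 3 a.m., then an approval
    {"ts": "2022-03-22T03:00:00", "user": "bob", "type": "mfa_result", "method": "push", "result": "denied", "country": "US"},
    {"ts": "2022-03-22T03:01:00", "user": "bob", "type": "mfa_result", "method": "push", "result": "denied", "country": "US"},
    {"ts": "2022-03-22T03:02:00", "user": "bob", "type": "mfa_result", "method": "push", "result": "denied", "country": "US"},
    {"ts": "2022-03-22T03:04:00", "user": "bob", "type": "mfa_result", "method": "push", "result": "approved", "country": "US"},
    # carol: an ordinary approval during working hours from her usual country
    {"ts": "2022-03-22T09:00:00", "user": "carol", "type": "mfa_result", "method": "push", "result": "approved", "country": "US"},
]

# Hypothetical baseline of countries each user normally authenticates from.
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect(events, usual_countries):
    """Return a list of findings ({user, ts, rule}) for approvals that match a rule.

    Events are processed in timestamp order; state is kept per user.
    """
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    findings = []
    last_phone_change = {}   # user -> time of most recent MFA phone-number change
    recent_push_fails = {}   # user -> timestamps of denied/ignored push prompts

    for e in events:
        t = _parse(e["ts"])
        user = e["user"]

        if e["type"] == "phone_change":
            last_phone_change[user] = t
            continue
        if e["type"] != "mfa_result":
            continue

        if e["result"] != "approved":
            # Remember failed pushes so a later approval can be judged in context.
            if e["method"] == "push":
                recent_push_fails.setdefault(user, []).append(t)
            continue

        # From here on the event is an approval; evaluate each rule.
        if e["method"] == "sms" and user in last_phone_change \
                and t - last_phone_change[user] <= SIM_SWAP_WINDOW:
            findings.append({"user": user, "ts": e["ts"], "rule": "sms_approval_after_phone_change"})

        if e["method"] == "push":
            fails = [f for f in recent_push_fails.get(user, []) if t - f <= FATIGUE_WINDOW]
            if len(fails) >= FATIGUE_THRESHOLD:
                findings.append({"user": user, "ts": e["ts"], "rule": "push_fatigue_then_approval"})
            recent_push_fails[user] = []   # a successful approval closes the burst

        if e["country"] not in usual_countries.get(user, set()):
            findings.append({"user": user, "ts": e["ts"], "rule": "approval_from_unusual_country"})

    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, USUAL_COUNTRIES):
        print(f"{f['ts']} {f['user']}: {f['rule']}")
```

On the constructed sample, alice triggers the SIM-swap rule and the unusual-country rule, bob triggers the push-fatigue rule, and carol triggers nothing. The obvious gap is the case L6 worries about most: an employee who has been paid and simply approves the first prompt from their usual device in their usual country looks exactly like carol, so these rules cannot see it. That is why the approval has to be worth less than it is today (least privilege on what the session can reach) and why the activity after the approval, not just the approval itself, needs to be monitored.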
It's easy to get depressed by this kind of information, to want to throw up your hands and say it is simply impossible to protect your organization from ransomware and other cyberattacks. But that would be the wrong attitude. Employee training should be ongoing, and making sure your data is properly backed up and can be restored quickly enough to limit the impact should also be a first-line defense.
The criminals who run Lapsus$ and other ransomware gangs will keep using social engineering and other methods to get your crown jewels. That’s why you need to keep up just as obsessively with the latest defensive measures. Make it so hard to hack your organization that the bad guys give up and find easier targets.