Studying the historical tactics of a threat actor group that claims responsibility for a recent data breach affecting many organizations in the education sector helps organizations prepare for future threats. The group associated with this breach is known to use voice phishing (vishing) to gain access to large organizations' customer relationship management (CRM) systems. The group has historically exploited the data held in the CRM itself, as well as other data reachable from that foothold. To strengthen organizational defenses against similar tactics, consider the following:
Additional Technical Controls
Implement phishing-resistant multi-factor authentication (for example, FIDO2/WebAuthn security keys or passkeys) for internal and cloud-based systems, prioritizing administrative accounts and any account with wider-reaching access (for example, remote access).
Develop a single identity-verification process that help desk staff follow for every caller or sender, with no exceptions, and rehearse it regularly with help desk and other customer service staff.
Continue to grant each staff member only the level of access needed to do their job (least privilege).
Review the access of customer service representatives with their role as first-line, threat-facing staff in mind. Now is an excellent time to consider ways to limit both the likelihood and the impact of a compromise of customer service accounts and CRM software.
Education for All Staff
Regularly educate all staff on the following:
Impersonation of IT staff and leadership is a technique threat actors use in both email and voice-call campaigns.
End the call, or treat the message as suspicious, if the caller or sender wants staff to:
- install anything
- change any configurations
- go to any link
- provide remote access
- authenticate
VERIFY BEFORE TRUST: If prompted to do any of the above by an external contact or by someone claiming to be an internal contact, verify the request through another method (for example, use the internal directory or a known, trusted phone number to call the "IT staff" back). Never use a callback number or address supplied by the requester themselves.
AI-generated voice can be used to impersonate a known person on a phone call; a familiar-sounding voice is not proof of identity.
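The help desk verification process and the "verify before trust" rule above share one design principle: a request for any of the red-flag actions is never fulfilled on the channel it arrived on, and the callback always goes to the number of record in the internal directory, never to contact details the requester offered. The following Python is an added illustration of that workflow; it is not code from the advisory or from any vendor, and the directory entries, phone numbers and request records in it are constructed sample data.

```python
"""'Verify before trust' triage for help desk / staff-facing requests.

Added example for illustration only (not from the original advisory).
DIRECTORY, the phone numbers and the sample requests are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Request types the advisory says should end the call or raise suspicion.
RED_FLAG_ACTIONS = frozenset({
    "install",        # install anything
    "change_config",  # change any configuration
    "open_link",      # go to a link
    "remote_access",  # provide remote access
    "authenticate",   # authenticate / hand over credentials
})


@dataclass(frozen=True)
class DirectoryEntry:
    """One record from the internal directory (constructed sample data)."""
    name: str
    role: str
    phone: str  # number of record: the ONLY number ever used for a callback


# Constructed stand-in for the internal directory. A real deployment would
# query the HR / identity system of record instead of a literal dict.
DIRECTORY = {
    "it-helpdesk": DirectoryEntry("IT Help Desk", "it", "+1-555-0100"),
    "j.okafor": DirectoryEntry("J. Okafor", "it", "+1-555-0142"),
    "m.chen": DirectoryEntry("M. Chen", "finance", "+1-555-0177"),
}


class Decision(Enum):
    PROCEED = "no sensitive action requested; handle on the current channel"
    CALLBACK = "stop; verify by calling the directory number of record"
    REFUSE = "refuse and escalate to security"


@dataclass(frozen=True)
class InboundRequest:
    claimed_identity: str            # who the caller/sender says they are
    channel: str                     # "voice", "email", "chat"
    supplied_contact: Optional[str]  # callback number/address offered by the requester
    requested_action: str


@dataclass(frozen=True)
class Triage:
    decision: Decision
    callback_number: Optional[str]   # always taken from DIRECTORY, never from the caller
    flags: Tuple[str, ...]           # findings to record in the ticket / SIEM


def triage(req: InboundRequest) -> Triage:
    """Decide how a request may proceed, without trusting anything the requester said."""
    flags = []

    if req.requested_action not in RED_FLAG_ACTIONS:
        # e.g. a status question: nothing sensitive is being asked for.
        return Triage(Decision.PROCEED, None, tuple(flags))

    flags.append(f"red-flag action requested: {req.requested_action}")

    entry = DIRECTORY.get(req.claimed_identity)
    if entry is None:
        # No way to reach the claimed person through an independent channel.
        flags.append("claimed identity not found in directory")
        return Triage(Decision.REFUSE, None, tuple(flags))

    if req.supplied_contact and req.supplied_contact != entry.phone:
        # An attacker controls whatever number they hand you; it is ignored,
        # and the mismatch itself is worth reporting to the security team.
        flags.append("caller-supplied contact ignored; differs from directory")

    return Triage(Decision.CALLBACK, entry.phone, tuple(flags))


def callback_satisfies(tri: Triage, number_dialed: str) -> bool:
    """Gate for the requested action: only a callback to the directory number counts."""
    return tri.decision is Decision.CALLBACK and number_dialed == tri.callback_number


if __name__ == "__main__":
    # Constructed sample: someone claiming to be an IT staffer asks for remote
    # access and offers a "direct line" that is not the directory number.
    req = InboundRequest("j.okafor", "voice", "+1-555-0199", "remote_access")
    tri = triage(req)
    print(tri.decision.value)
    for flag in tri.flags:
        print(" -", flag)
    print("callback number of record:", tri.callback_number)
```

Because the callback target comes only from the directory, a cloned voice on the inbound call gains the attacker nothing: the action is released only after someone answers at the number of record. Unknown identities are refused rather than verified on the spot, and every flag is returned as data so the ticketing system or SIEM can record the attempt.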
Additional Resources
The Cost of a Call: From Voice Phishing to Data Extortion [Google]
Phishing for Information: Spearphishing Voice [MITRE ATT&CK]
