March was a busy month for former Black Basta affiliates who are using old social engineering techniques to target executives in the manufacturing, professional, scientific, and technical services industries. According to Reliaquest, the activity of the threat actors indicates that these sectors “were likely direct targets.”
According to its report, “Attackers are using automation to compress a multi-step social engineering attack into minutes, reducing the time defenders have to intervene before a live remote management session is established on a senior leader’s machine.” This means that they target C-Suite executives to ratchet up the pressure. Initially, the threat actors send a high volume of emails, known as a “bomb,” which floods the user’s email account within minutes. This technique is designed to overwhelm the user. While the victim struggles to manage a flood of incoming emails, the threat actor reaches out via a direct Microsoft Teams message or phone call (vishing), posing as technical support. Within minutes of the email flooding, the attacker initiates contact, gains the user’s trust, and steals their credentials—ultimately obtaining full access to the account.
The rest is history. The takeaway? Educate your C-Suite executives on their increased risk of being targeted by cyber threat actors and how to identify an email bomb, a vishing scheme, suspicious Teams chat from an external account, the launching of a remote session that is not one used by the organization, and to never give away their credentials. Any one of these clues could prevent an incident.