Hello, this is hacking: how hackers turn employee gullibility into millions of dollars

More than 130 companies have fallen victim to social engineering.

The GuidePoint Research and Intelligence Team (GRIT) has documented the activities of a sophisticated criminal group with strong social engineering and network intrusion skills, including the ability to speak English at a native level. The group's attacks have targeted more than 130 American companies across a range of industries.

The attackers' initial objective is to obtain credentials and one-time passcodes through social engineering aimed at individual employees. This initial contact bypasses traditional security tooling because it happens outside the monitored perimeter: phone calls and SMS messages to employees' mobile phones. Unless employees report those calls and messages, the security team may have no signal at all that an intrusion attempt is under way. The attackers keep calling until they find an employee who complies.

Since June 26, 2024, the group has registered several domain names that resemble the addresses of the VPN services organizations use. Among them: ciscoweblink.com, ciscolinkweb.com, fortivpnlink.com and others. The attackers call employees, introduce themselves as technical support, claim there is a problem with the employee's VPN login, and then send a link to a fake site. The site mimics the real VPN login page but is built to capture the user's credentials.
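The lure domains named above follow a recognizable pattern: a vendor brand ("cisco", "forti") glued to words such as "vpn", "link" or "web" under a registered domain the organization does not own, or a near-miss spelling of the organization's real VPN hostname. The following added example (written for this page, not code from GRIT or from any vendor) hunts for that pattern in a list of hostnames pulled from DNS or proxy logs. The allowlist, the brand and lure word lists, the legitimate VPN hostnames and the sample host list are all constructed assumptions; the three attacker domains in the sample are the ones the article names.

```python
import re
from typing import Dict, Iterable, Optional

# Registered domains the organisation legitimately resolves (constructed allowlist).
ALLOWLIST = {"cisco.com", "fortinet.com", "example.com"}

# Brand strings an attacker combines with lure words to build a convincing hostname.
BRAND_KEYWORDS = ("cisco", "forti", "anyconnect", "globalprotect", "pulse")
LURE_WORDS = ("vpn", "link", "web", "login", "sso", "portal", "remote")

# Hostnames the organisation's VPN users actually visit (constructed).
LEGIT_HOSTS = {"vpn.example.com", "sslvpn.example.com"}

# Constructed sample of hostnames as they might appear in DNS/proxy logs.
SAMPLE_HOSTS = [
    "ciscoweblink.com", "ciscolinkweb.com", "fortivpnlink.com",  # named in the article
    "vpn.example.com", "www.cisco.com", "fortinet.com", "cdn.example.com",
    "vpn-example.com",  # hypothetical typosquat of the real VPN hostname
]


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for the .com-style names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch near-miss spellings of the real VPN hostname."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> Optional[str]:
    """Return a reason string if the host looks like a VPN lure, else None."""
    host = host.lower().rstrip(".")
    reg = registered_domain(host)
    if reg in ALLOWLIST:
        return None  # legitimate vendor or corporate domain
    label = reg.split(".")[0]  # e.g. "ciscoweblink"
    brand = next((b for b in BRAND_KEYWORDS if b in label), None)
    if brand:
        lures = [w for w in LURE_WORDS if w in label]
        if lures:
            return f"brand '{brand}' combined with lure word(s) {lures} outside allowlist"
        return f"brand '{brand}' in domain outside allowlist"
    # No brand string: still check for a typosquat of our own VPN hostname.
    for legit in LEGIT_HOSTS:
        if levenshtein(host, legit) <= 2:
            return f"within edit distance 2 of {legit}"
    return None


def find_lookalikes(hosts: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious hostname to the reason it was flagged."""
    flagged = {}
    for host in hosts:
        reason = classify(host)
        if reason:
            flagged[host] = reason
    return flagged


if __name__ == "__main__":
    for host, reason in find_lookalikes(SAMPLE_HOSTS).items():
        print(f"{host}: {reason}")
```

The allowlist check on the registered domain, not the full hostname, is what keeps www.cisco.com and cdn.example.com quiet while still catching ciscoweblink.com; a subdomain of an attacker-controlled domain would still be flagged. Treat hits as leads for the analyst, not verdicts.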

The fake login pages closely mimic the real ones, down to the names of the VPN groups the organization uses. In some cases fictitious groups such as 'TestVPN' and 'RemoteVPN' are added to make the page look more convincing. Through these pages the attackers capture the username, the password and, where multi-factor authentication is in use, the one-time code the user types in; because the code is relayed to the real VPN immediately, its short validity window does not protect the victim. If the system uses push notifications instead, the attackers ask the user to approve the prompt so they can complete the login.

Once inside the network through the VPN, the attackers immediately begin scanning it to identify targets for lateral movement, establish persistence, and escalate privileges. The group's goal is financial: if successful, they steal data, destroy backups, and finally deploy ransomware.

Organizations that may be targeted are strongly advised to review VPN authentication logs for the last 30 days for suspicious activity. If indicators of compromise are found, an incident must be declared immediately and a thorough investigation conducted. It is also important to brief employees on this social engineering technique and instruct them to report, without delay, any unsolicited call from someone claiming to be IT or support staff.
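What "suspicious activity" looks like in VPN logs for this campaign follows from the attack chain described above: a successful login from a source IP the employee has never used before, and a successful push-MFA login preceded by several rejected or expired push challenges in the minutes before it (the attacker, holding the stolen password, pushing until the employee approves). The following added example (written for this page, not GRIT's or any vendor's tooling) runs both checks over a constructed sample of authentication events. The key=value line layout, the sample users and IPs, and the baseline cut-off date are assumptions; adapt the parser to your concentrator's real syslog format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of VPN authentication events from a 30-day review window.
# The key=value layout is generic, not the syntax of any particular vendor.
SAMPLE_LOG = """\
2024-07-02T09:14:05Z user=alice src=203.0.113.10 group=Corp-Users event=login result=success mfa=push
2024-07-03T09:02:11Z user=alice src=203.0.113.10 group=Corp-Users event=login result=success mfa=push
2024-07-03T09:30:44Z user=bob src=192.0.2.25 group=Corp-Users event=login result=success mfa=totp
2024-07-10T22:41:03Z user=alice src=198.51.100.77 group=Corp-Users event=mfa result=denied mfa=push
2024-07-10T22:42:30Z user=alice src=198.51.100.77 group=Corp-Users event=mfa result=denied mfa=push
2024-07-10T22:44:12Z user=alice src=198.51.100.77 group=Corp-Users event=login result=success mfa=push
2024-07-11T08:55:40Z user=bob src=192.0.2.25 group=Corp-Users event=login result=success mfa=totp
"""

# Logins before this date form the per-user baseline of "known" source IPs (assumption).
BASELINE_END = datetime(2024, 7, 8)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text: str) -> List[Dict[str, object]]:
    """Turn 'timestamp k=v k=v ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-event lines
        ev = dict(pair.split("=", 1) for pair in m.group("kv").split())
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def new_source_ips(events, baseline_end: datetime) -> List[Dict[str, object]]:
    """Flag successful logins after baseline_end from an IP the user never used before it.
    Users with no successful login in the baseline period are skipped (nothing to compare
    against) and should be reviewed separately rather than silently trusted."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["event"] == "login" and ev["result"] == "success" and ev["ts"] < baseline_end:
            baseline[ev["user"]].add(ev["src"])
    findings = []
    for ev in events:
        if ev["event"] != "login" or ev["result"] != "success" or ev["ts"] < baseline_end:
            continue
        if ev["user"] in baseline and ev["src"] not in baseline[ev["user"]]:
            findings.append({"user": ev["user"], "src": ev["src"], "ts": ev["ts"],
                             "reason": "login from IP not seen in baseline"})
    return findings


def push_fatigue(events, window: timedelta = timedelta(minutes=10),
                 threshold: int = 2) -> List[Dict[str, object]]:
    """Flag a successful push-MFA login preceded by >= threshold denied/expired push
    challenges for the same user within `window`."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    findings = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["event"] != "login" or ev["result"] != "success" or ev.get("mfa") != "push":
                continue
            prior = [p for p in evs[:i]
                     if p["event"] == "mfa" and p["result"] in ("denied", "timeout")
                     and ev["ts"] - p["ts"] <= window]
            if len(prior) >= threshold:
                findings.append({"user": user, "src": ev["src"], "ts": ev["ts"],
                                 "reason": f"{len(prior)} rejected push challenges within "
                                           f"{window} before success"})
    return findings


def review(log_text: str, baseline_end: datetime) -> List[Dict[str, object]]:
    events = parse_events(log_text)
    return new_source_ips(events, baseline_end) + push_fatigue(events)


def run_sample() -> List[Dict[str, object]]:
    return review(SAMPLE_LOG, BASELINE_END)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['user']} from {f['src']}: {f['reason']}")
```

In the sample, alice's login on 10 July is flagged twice: it comes from an address absent from her baseline, and it follows two rejected push prompts within three minutes, which is the pattern expected after her password was captured on a fake portal. Enrich flagged source IPs with ASN and geolocation before escalating, since a login from a hosting provider or an unexpected country is far stronger evidence than a new home address.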
