Blog — Aug 26, 2015

Landing the big catch: sophisticated phishing and international wire transfers

Earlier this month, networking technology and service provider Ubiquiti (NASDAQ:UBNT) filed a report with the U.S. Securities and Exchange Commission (SEC) disclosing a significant attack worth US $46.7 million. The haul was acquired through a new and increasingly popular attack technique targeting top-level corporate execs.

These kinds of attacks may seem like a new trend; however, they’ve actually been around for some time. This particular case is significant due to the magnitude of the attack. According to Ubiquiti’s website, the company reported fourth-quarter earnings of $44.1 million (on June 30, 2015). This attack effectively wiped out those earnings.

At eSentire, our incident response team has investigated many variants of these types of phishing attacks. In most cases the victim organizations didn’t know anything had happened until they detected irregularities in their balances. Without continuous detection and intervention, it’s practically impossible to avoid these types of targeted attacks as they’ve fast become the attack of choice.

While phishing scams require more time and effort to execute, cybercriminals have found incredible success, regardless of an enterprise’s size, scope or industry. The most common kind of attacks that eSentire sees are of the “six figure” variety, which provide a hefty reward for a reasonable output of effort. These kinds of attacks are not only a nuisance to the victim but they’re also quite embarrassing. The attackers are highly effective and know the meaning of the term “pigs get fat, hogs get slaughtered”.

Targeted attacks take advantage of the single greatest weakness within the enterprise - the employee. You absolutely can’t “patch” every employee with cybersecurity training. Regardless of how cyber-savvy your employees become, cybercriminals prey on the fact that inevitably, an employee will click a malicious link or unintentionally engage in a phishing attack – executive level included. Hackers take advantage of basic human nature and the fact that today, employees are busy, distracted and easily duped through feigned familiarity, flattery or appeals to their vanity.

In the case of Ubiquiti, scammers were able to successfully spoof corporate emails, leading to multi-phase fund transfers spanning international jurisdictions. In the last year alone, the volume of cases related to this attack style has been on the rise and highlights an emerging trend targeting businesses regularly working with international suppliers or foreign trade partners.

Ubiquiti - through the assistance of banking partners and law enforcement - has so far recovered $8.1 million since the initial breach was discovered in early June. Company officials are hopeful that through continued legal proceedings they will recover another $6.8 million.

The resulting investigation concluded that internal controls over financial reporting were ineffective due to one or more material weaknesses. The report filed with the SEC highlights that the company continues to implement additional procedures and controls as a result of the investigation. While there has been no discussion of regulatory action specific to this case, the online brokerage industry has seen recent enforcement actions for failure to effectively protect infrastructure under what the SEC refers to as “The Red Flag Rule”.

At the end of the day, this style of attack can drain your bank account, wipe out earnings and cause reputational damage. Not to mention the disruption to regular business operations that could be ignited by regulatory practices and procedures investigations.

Is it all doom and gloom? Maybe not. It depends on what actions you take to defend against these kinds of attacks. Noted cybersecurity author Brian Krebs highlighted the architecture of a Business Email Compromise (BEC) in a recent article detailing the Ubiquiti attack. BEC attacks vary from traditional phishing attacks in that cybercriminals target decision-making executives through careful and thoughtful research netting access to corporate email accounts.

Once they gain access, they troll communications looking for keywords and triggers that help them to craft the accurate messaging that will ultimately launch the transfer attempt. These sorts of attacks are highly complex and require special attention from attackers. This high-touch mode of attack also means that the attacker can pivot the techniques they use to evade detection from traditional spam filters. In spite of the effort required to launch this kind of attack, the rewards are quite lucrative.

Preventing every possible scenario is virtually impossible and any cybersecurity expert claiming otherwise is either exaggerating or lying. While these attacks can’t all be prevented, you can dramatically reduce risk by ensuring someone is designated to watch for the signs of suspicious activity inside your corporate network.

This type of continuous monitoring requires the deployment of a rich platform of network forensic tools, with capabilities like sophisticated packet-level detection. eSentire provides Active Threat Protection, which is delivered as a continuous 24x7x365 service. The Intelligence and Defence contractor communities developed these very sophisticated capabilities a number of years ago to deal with nation state adversaries. Several of these capabilities have made their way into commercial offerings from firms including RSA and Palantir. They’re costly but certainly within reach of Fortune 50-sized budgets. They also require a sophisticated, operational skillset, which is scarce in most markets.

The reality is that you don’t know what you don’t know. Therefore it’s essential that all traffic is reviewed at a granular level. Security information and event management technology – the popular go-to in compliance-driven environments – attempts to derive threat indicators from security event logs (Syslog and Windows Event Logs), which deliver a very terse set of facts. While still useful, they have limited efficacy in the current threat landscape in terms of detecting whether something bad is happening in time for you to react to it. The same devices that are collecting log information are missing these new attacks. If the attack is missed, it won’t be logged.

eSentire employs methodologies utilized by the Intelligence and Defence communities. At the core of these methodologies is the recognition of the need for a rich data set. The only way to collect entire data sets is with full-packet capture. Once full-packet capture is underway, the data must be rapidly and efficiently interrogated in order to investigate atypical events or anomalous behaviors. This involves complex pattern matching, IP reputation testing, correlating to known indicators of compromise and performing elapsed time behavior analysis. Due to the ever increasing use of TLS/SSL, having the ability to monitor the contents of encrypted traffic is incredibly important.

The downside of this approach is the expense; it requires a lot of CPU, ample storage and complex software. Now your threat needle lives in a much larger haystack compared to the old SIEM-based approach. While these technologies can be highly effective at identifying candidate threats, you need a skilled human analyst to perform the last mile of investigation and correlation.

At eSentire our sensors and SOC analytics automatically detect and respond to all but the last 0.0015% of security events. For these complex anomalies eSentire “grey matter” intervenes to perform the last leg of correlation. This proven technique is highly effective when confronted with advanced targeted attacks like the Ubiquiti case.

This formula can be replicated in-house by combining advanced cybersecurity expertise, tools, an A-team of threat analysts and a multi-million dollar budget. However countless organizations lack the budget and resources to assemble an internal SOC. eSentire provides this and more to mid-sized organizations as a service.

eSentire is a trusted security provider, protecting over $2.5 trillion of assets globally 24x7x365. Contact eSentire to learn how Active Threat Protection can help you avoid the headlines.

J. Paul Haynes President & Chief Operating Officer

J. Paul Haynes is a professional engineer with a 25-year entrepreneurial track record of success. J. Paul has led eSentire to 10x its size since he joined the company in late 2010.