While organisations frequently focus their security strategy on external risks, the trend of company employees being targeted by threat actors to help provide access is on the rise.
In this blog post, we explore the growing issue, outline some recent examples and provide some key steps to take in response. Special thanks to Gianna Petrone for helping to compile the information in this article.
A growing concern
Types of insider threats vary widely. They include:
- Second streamers: existing employees who misuse confidential information to generate additional income through fraud, or who collude with external groups.
- Disgruntled current or former employees who steal intellectual property or commit sabotage.
- Inadvertent insiders who make errors but often don’t realise their mistake until it is too late.
According to Kroll’s 2019/2020 Global Fraud and Risk Report, incidents caused by insider threats, including fraud by internal parties and leaks of internal information, account for 66% of those reported by organisations. Recent research by Ponemon found that organisations are struggling to identify the warning signs of insider threats. While all types of insider threats are a problem, intentional collusion with ransomware gangs poses a new challenge to organisations.
Insider attempt at Tesla
In July 2020, cybercriminal Egor Igorevich Kriuchkov attempted to recruit a Tesla employee to deploy malware at Tesla’s Nevada Gigafactory. Kriuchkov tried to bribe the employee with a payout of $1 million USD in Bitcoin after a successful malware deployment. The stolen sensitive data would then have been used to extort Tesla into paying a ransom to prevent the data from being leaked.
The Tesla employee reported Kriuchkov to their employer and the FBI, which led to a successful cyber sting operation. Kriuchkov was arrested in August 2020 and indicted a month later. With the cybercriminal facing a maximum of five years in prison and a $250,000 fine, a plea bargain was struck in March of this year.
In June 2021, operators of LockBit ransomware launched a new actor-controlled site announcing the arrival of LockBit 2.0 ransomware-as-a-service (RaaS). This version of LockBit comes with advanced technologies. For example, it now automates the encryption of a Windows domain by way of group policies. The relaunch of LockBit also introduced a new Windows wallpaper for devices encrypted by the operation. The operation’s aim is to recruit insiders who can provide Remote Desktop Protocol (RDP), Virtual Private Network (VPN) or corporate email credentials to gain network access.
LockBit claims it will send insiders a virus for execution on a company’s system. Insiders are promised “millions of dollars” for providing this type of access to the ransomware operation. The Windows wallpaper appears for victims who have already been breached by LockBit, causing some to speculate that the advertisement is geared towards IT consultants engaging in incident response following a breach.
DemonWare ransomware attempt
In August 2021, employees of the email security company Abnormal Security received emails encouraging them to deploy ransomware inside their own network in exchange for payment.
The request offered them $1 million USD in Bitcoin or 40% of the ransom payment for launching DemonWare ransomware, a.k.a. BlackKingdom, an open-source ransomware project available on GitHub.
Crane Hassold, the Director of Threat Intelligence for Abnormal Security, engaged with the threat actor by posing as an employee interested in the offer. According to Hassold, the threat actor had first tried unsuccessful phishing emails and only then progressed to the ransomware recruitment attempt.
The actor claimed to have obtained target contact information from LinkedIn, specifically corporate emails.
Recommendations and mitigations
- Reassess the potential risk of insider threat incidents and implement a stronger insider threat mitigation program.
- Improve employee training, data collection and log policies.
- Apply the principle of least privilege and limit network access to those who require it for their roles.
- Be vigilant in checking for early warning behavioural indicators such as out-of-hours remote access, unexplained exporting of large volumes of data and never taking a holiday.
- Employing EDR (Endpoint Detection and Response) and NGAV (Next Gen AntiVirus) will allow detection of abnormal activity taking place within the environment.
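As an added illustration of the behavioural indicators listed above (not code from the original post or from Redscan), the following script flags out-of-hours remote access and unusually large data exports over a few constructed log lines; the log format, the business-hours window, the export threshold and the user names are all assumptions.

```python
"""Added example (not from the original post): flag two insider-threat
indicators, out-of-hours remote access and large data exports, over
constructed sample log lines. Format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <event> <value>".
# event is "vpn_login" (value unused) or "export" (value = bytes moved).
SAMPLE_LOG = """\
2021-08-02T09:15:00 alice vpn_login 0
2021-08-02T23:40:00 bob vpn_login 0
2021-08-03T02:10:00 bob export 734003200
2021-08-03T10:05:00 alice export 5242880
2021-08-03T11:30:00 carol export 4194304
2021-08-03T03:05:00 carol vpn_login 0
"""

BUSINESS_HOURS = range(8, 19)          # assumed working hours: 08:00-18:59
EXPORT_THRESHOLD = 500 * 1024 * 1024   # assumed: a single export > 500 MiB is notable


def parse_log(text):
    """Parse 'ts user event value' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, user, event, value = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "value": int(value)})
    return events


def find_indicators(events):
    """Return {user: [indicator descriptions]} for events matching either rule."""
    findings = defaultdict(list)
    for e in events:
        when = f"{e['ts']:%Y-%m-%d %H:%M}"
        if e["event"] == "vpn_login" and e["ts"].hour not in BUSINESS_HOURS:
            findings[e["user"]].append(f"out-of-hours remote access at {when}")
        if e["event"] == "export" and e["value"] > EXPORT_THRESHOLD:
            mib = e["value"] // 2**20
            findings[e["user"]].append(f"large export of {mib} MiB at {when}")
    return dict(findings)


if __name__ == "__main__":
    for user, hits in find_indicators(parse_log(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(hits))
```

Hits from a rule like this are a prompt for a human review against the user's role and known schedule, not a verdict on their intent.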
How we can help
With more and more attacks targeting endpoints, whether through insider threats or external adversaries, endpoint protection should be a priority for all businesses. Yet traditional endpoint security technologies are not effective at detecting the latest advanced threats, making identifying and responding to endpoint-focused attacks increasingly challenging.
ThreatDetect™, Redscan’s outcome-focused MDR service, supplies the people, technology and cyberoffensive intelligence required to hunt for threats across your organisation’s networks and endpoints and help shut them down before they cause damage and disruption.