Signs Point to Foreign Syndicate Fueling BEC Surge From Within U.S. ISPs
2024-12-3 00:36:26 Author: securityboulevard.com (view original) Views: 0 Favorites


Evidence suggests that a sophisticated group of foreign threat actors is using U.S.-based infrastructure to power business email compromise (BEC) attacks, making them harder to detect and nearly immune to traditional endpoint security. According to Todyl’s 2024 BEC report, BEC attacks have surged by 558% this year, largely due to the actions of the Soze Syndicate, an organized cybercrime group that has operated undetected for over two years. By strategically embedding within trusted U.S. internet service providers (ISPs), these actors effectively bypass typical geo-blocking and location-based safeguards, underscoring an urgent need for advanced behavior-based detection approaches.

Soze Syndicate: Foreign Actors Hiding in Plain Sight

As the first to publicly identify Soze’s operations, Todyl uncovered distinct patterns of unusual activity, such as repeated logins without email interaction, strategic rule changes and the use of session tokens to access other platforms within the Microsoft ecosystem — including Microsoft 365, SharePoint and Azure — with a level of stealth that makes detection challenging. The Soze Syndicate has reportedly managed over 5,000 hosts for over two years without facing significant law enforcement intervention, a startling feat that underscores the need for new detection approaches and proactive, transparent responses from the cybersecurity industry.

How Attackers Bypass Traditional Security Measures

Soze’s tactics reveal limitations in multi-factor authentication (MFA), which is not infallible in protecting against their methods. Their use of adversary-in-the-middle (AiTM) attacks, session hijacking and identity theft allows them to capture MFA tokens or other credentials and circumvent login protections typically activated by foreign domain logins. Instead, by using domestic ISPs and embedding within legitimate traffic, they gain privileged access undetected.

Examples of these attacks show how Soze exploits trusted platforms and communication channels to blend in:

  • AiTM Attack on a Non-Profit: Soze targeted a non-profit’s payment team with an AiTM attack that captured a session token through a fake MFA prompt, gaining prolonged access. Unusual patterns eventually led to detection, sparing the organization from financial loss.
  • SharePoint Phishing at a Manufacturing Company: By compromising a SharePoint account, Soze phished multiple employees, leading them to a fake login page that harvested MFA tokens and credentials. The attack, which reached over 10 users, was only detected after several days.
  • Rogue App Installation at an Accounting Firm: A rogue Azure app installed on an employee’s account automatically copied emails daily without login prompts, necessitating advanced detection to identify the malicious behavior.

The Importance of Advanced Behavior Detection

Traditional security approaches focused on geographic restrictions are proving inadequate against sophisticated BEC attacks. A behavior-based detection strategy that emphasizes unusual user actions — such as logins that don’t interact with inboxes and patterns of session token generation for broader access — is essential to identifying threat actors who operate within U.S.-based infrastructure. By focusing on cross-platform behavior and monitoring for anomalies, this approach helps reveal attackers who rely on tactics that mimic legitimate user activity, allowing them to evade detection by standard geographic and access-based security measures.
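The behaviour patterns named above, written as detection logic over constructed Microsoft 365-style audit events (an added example, not Todyl's detection code; the users, session ids, event schema and thresholds are assumptions):

```python
"""Behaviour-based detection over constructed Microsoft 365-style audit events.
Added example (not Todyl's code): flags the three patterns the article names,
ignoring geo/ASN fields on purpose because the actors use domestic ISPs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical users, times and session ids).
EVENTS = [
    {"t": "2024-11-01T09:00", "user": "ap@corp.example", "op": "SignIn", "sid": "s1", "svc": "Exchange"},
    {"t": "2024-11-01T09:05", "user": "ap@corp.example", "op": "MailRead", "sid": "s1", "svc": "Exchange"},
    {"t": "2024-11-01T22:00", "user": "cfo@corp.example", "op": "SignIn", "sid": "s2", "svc": "Exchange"},
    {"t": "2024-11-01T22:03", "user": "cfo@corp.example", "op": "RuleCreated", "sid": "s2", "svc": "Exchange"},
    {"t": "2024-11-01T22:10", "user": "cfo@corp.example", "op": "Access", "sid": "s2", "svc": "SharePoint"},
    {"t": "2024-11-01T22:12", "user": "cfo@corp.example", "op": "Access", "sid": "s2", "svc": "Azure"},
    {"t": "2024-11-02T02:00", "user": "cfo@corp.example", "op": "SignIn", "sid": "s3", "svc": "Exchange"},
    {"t": "2024-11-02T06:00", "user": "cfo@corp.example", "op": "SignIn", "sid": "s4", "svc": "Exchange"},
]
MAIL_OPS = {"MailRead", "MailSend"}

def detect(events, window=timedelta(hours=24), rule_delay=timedelta(minutes=15)):
    """Return {user: set(findings)}; users with no findings are omitted."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "t": datetime.fromisoformat(e["t"])})
    findings = defaultdict(set)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        first_signin = {}              # session id -> time of its first SignIn
        services = defaultdict(set)    # session id -> Microsoft services touched
        for e in evs:
            if e["op"] == "SignIn":
                first_signin.setdefault(e["sid"], e["t"])
            services[e["sid"]].add(e["svc"])
            # Inbox rule change shortly after the session token was minted
            if (e["op"] == "RuleCreated" and e["sid"] in first_signin
                    and e["t"] - first_signin[e["sid"]] <= rule_delay):
                findings[user].add("rule_change_after_new_session")
        # Repeated sign-ins inside the window but no mailbox interaction at all
        signins = [e["t"] for e in evs if e["op"] == "SignIn"]
        mail = [e["t"] for e in evs if e["op"] in MAIL_OPS]
        for t in signins:
            recent = [s for s in signins if t - window <= s <= t]
            if len(recent) >= 3 and not any(t - window <= m <= t for m in mail):
                findings[user].add("logins_without_mail_interaction")
        # One session token pivoting across several Microsoft services
        if any(len(s) >= 3 for s in services.values()):
            findings[user].add("token_pivot_across_services")
    return dict(findings)
```

Thresholds (three sign-ins per day, a 15-minute rule-change delay, three services per token) are tuning knobs; a real deployment would baseline them per tenant.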

Strategies for Improved BEC Detection

To effectively counter BEC threats, companies need to expand beyond traditional methods like MFA and standard log analysis. Critical defenses should include cross-platform behavior monitoring and anomaly detection, which can catch attackers who operate on domestic infrastructure and bypass geo-detection safeguards. SMBs in particular should consider identity-based threat detection systems, such as identity threat detection and response (ITDR), and seek support from managed detection and response (MDR) providers. These measures enhance defenses by enabling faster threat identification and response to identity-based intrusions.

By staying informed of these evolving tactics and adopting advanced detection tools, organizations can better protect themselves against the increasingly stealthy and persistent BEC threats affecting businesses worldwide.


David Langlands

David Langlands is a seasoned cybersecurity professional with over 25 years of experience in preventing, detecting, containing, and recovering from major cyber incidents. He has played a key role in groundbreaking projects, including contributing to the team that created the first web browser and implementing the first firewalls at AT&T Bell Laboratories. David is the Chief Security Officer at Todyl, where he leads efforts to protect businesses from advanced threats. Previous positions include Vice President of Security at DXC Technology and Partner, IBM Security | Global Leader of Cloud and Infrastructure Security at IBM.



Article source: https://securityboulevard.com/2024/12/signs-point-to-foreign-syndicate-fueling-bec-surge-from-within-u-s-isps/