Lessons to Learn from the Latest Business Email Compromise Scam and AZORult Stealer

A Quick Look into the Infamous AZORult Stealer

Ever heard of AZORult? Sounds like some nerdy stuff. I am not gonna lie, it slightly is! It is a trojan that steals various data including login credentials, browser history, cookies, and more. The history of AZORult is well known by those in the cyber security industry. AZORult was initially discovered back in 2016. As the years passed, we saw some of its ongoing malicious attacks. Most recently a peculiar campaign started in November 2019, where AZORult was found exploiting the ProtonVPN service and releasing malware through counterfeit ProtonVPN installers for Windows.

That’s the problem with cyber security though. The threats and how they work are so technical, shifty and unintelligible that we tend to ignore them. What does catch our attention is finding out 207 days later that one of the business email accounts was breached and now we have GDPR/Invoice-fraud/unmitigated disaster on our hands.

About the Latest BEC Scam

What caught my attention this week was the very specific and downright brazen sale of Microsoft Office 365 credentials of C-Suite employees including “CEO, CFO, COO, CMP, CTO, President, Vice President and Director among others”.  

The price varied based on the company in question from $100 - $1500. There were different size companies involved in the sale all within the “mid-sized” bracket.  The nature of the AZORult malware grabs credentials indiscriminately from infected machines so one can assume that the criminal database may well contain credentials from small and large sizes companies also. AZORult is not the only malware or mechanism to steal credentials.

Learnings from these Cautionary Tales

So, what have we learned and how can we leverage this learning for business email compromise protection? The sale and further dissipation of such illegally held information is almost impossible to stop. In fact, cyber-attacks and subsequent leaks are on the rise. This week alone has seen extremely high priority systematic breach of thousands of organisations.  

It's clear that software vendors and security experts must indeed find ways to ensure better security so that vulnerabilities are patched or not created in the first place. This is the work of a small few.  However, the rest of us (the vast majority) do not have to sit back and hope not to be hit in this war raging between these few, and the elusive hackers.  We are far from helpless and can do a great deal to add strength to our defenses and ensure we are safe in the fight.  

The other thing that the AZORult reminds us that we should not presume that cloud services are secure. They are only as secure as we configure, monitor and use them.

In some ways cloud services can be less secure than traditional on-premise services because in many cases they can be accessed outside of our corporate network, which for many organisations is the traditional security perimeter. Even the popular cloud services like Microsoft Office 365, that are at the heart of businesses, and are equipped with security features, are most prone to email hacking and other cyber attacks. In January 2020 alone, an astonishing 1.2 million Microsoft accounts were compromised. Considering Office 365 as one of the most used services, and being experts in cloud cyber security, we have put together a list of the best practices that can be followed to fight these incidents.

How to Prevent Business Email Compromise and Secure your Microsoft 365

Being a SaaS cloud security company, Octiga understands the gaps between identification and implementation of security solutions. We suggest a quick list to better secure Microsoft Office 365. However, beyond this list you should also consider getting adequate endpoint security monitoring to secure devices from malware and other nasties.

We strongly recommend following the NIST cybersecurity framework that combines industry standards and best practices to help organisations of all sizes manage their cybersecurity threats, vulnerabilities and impacts.

1. Identify and Protect Yourself

This section of the framework emphasises on building an understanding of the risks and limiting or containing the impact of a possible cybersecurity attack. To achieve this, you can:

- Check your Microsoft Office 365 cloud security configurations: Do you allow unnecessary access methods such as Outlook for the Web (not needed if users only use Outlook on desktop)? Are you properly controlling your administrative privileges? Too many admins, anonymous admins or admins with mailboxes are all risks.  Are you allowing external mail forwarding?

- Enable Multi Factor Authentication (MFA) across the board on your 365 tenant: MFA should be the new normal.  The time has passed when it is good enough to put MFA on just your high value asset credentials. Every account. Now please!

2. Detect Breaches

This encourages organisations and individuals to build and implement strategies to identify cybersecurity threat incidents in a timely manner. To achieve this, you can:

- Put Monitoring and Alerting in place: Research has shown that most breaches go unnoticed for a long time. Infact, an IBM Security Report states that in 2020, the average time to identify and contain a data breach took up to 280 days.  WOW! Imagine the mess that it would cause. You need to be alerted for potential incidents and security breaches well within time to reduce its aftermath.

3. Respond and Recover Rapidly

The section of the framework presses on the importance of implementation of mitigation strategies and restoring the affected operations rapidly. To achieve this, you can:

- Turn on the Universal Audit Log: This is off by default. It will make any incident response activity much more straightforward.  

- Look for tell-tale signs: Logins from outside of your normal locations, logins from dodgy IP addresses or unknown devices, unusual mailbox rules are just a few to name.

- Change User Credentials: Do this for all the suspected breached accounts immediately, even if you are not 100% sure that a breach has occurred.

Summing Up

Both users and organisations can strengthen their cloud services using the above mentioned simple yet strong practices. Configuring cloud security can be a tedious task, especially when you are multi-tasking, do not have technical expertise or lack implementation resources. At Octiga, we cater to these needs using our solutions that encompass the best practices by NIST framework. We assure you a rapid, automated, and affordable security journey. Get in touch for more details.