Case Study on Bitcoin Scam Incident - A Combination of Social Engineering and Privilege Escalation Attacks
In this blog, HKCERT will provide advice for SMEs and the general public on defending against social engineering and privilege escalation attacks.
On 15 July 2020, a total of 130 high-profile accounts on a major social networking platform were compromised by outside parties to set up a bitcoin scam. The attackers launched a sophisticated attack that combined multiple tactics. First, they used a social engineering attack to steal employee credentials of the social networking conglomerate. Then they used the privileges of the stolen accounts to access internal systems and support tools. Finally, the attackers launched a large-scale blast of bitcoin scam messages via the celebrities' accounts, which included billionaires, famous singers and politicians. The scam message claimed that, as part of a COVID-19 relief effort, the email recipients who sent bitcoin to a designated bitcoin wallet would receive double the amount of bitcoin in return.
Using the lure of celebrity, this common cryptocurrency scam tactic managed to deceive many people, enabling the scammers to rake in 12.83 bitcoin, equivalent to HK$ 1,166,000. On 31 July, US authorities arrested three suspects behind this incident. They were found to have used a combination of social engineering and privilege escalation attacks. The lesson here is that defending against social engineering attacks and preventing internal threats such as privilege escalation are critical parts of any cyber security implementation.
2. Attack Analysis
Although the suspects were arrested, one question remains: how could they compromise so many accounts? The social networking platform's support team said on July 16, "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools." According to the social networking platform, the attack targeted a small number of employees through a phone spear phishing attack. This indicates that a successful attack required two things: (1) access to the internal network; (2) the credentials of specific employees who were permitted to use the account support tools. The initially targeted employee apparently did not have permission to use the account support tools, so the attackers used the stolen account to access internal systems and identify those who did. In short, the attackers used the social engineering attack to gain access to internal systems, then exploited security loopholes to escalate their account privileges, and finally used the account support tools to post the scam. In the following sections, we explain further how social engineering and privilege escalation are used in cyber attacks.
2.1 Steal Credentials via Social Engineering Attack
Social engineering refers to the psychological manipulation of people into performing actions or revealing confidential information. In other words, social engineering is an attack tactic that exploits weaknesses in human psychology to obtain private information, access, or valuables.
Stealing user credentials has always been a common attack tactic. The COVID-19 epidemic has seen increasing use of remote access technology, but also a rise in social engineering attacks that try to lure users into handing over their access credentials. Besides phishing emails, scammers recently began conducting voice phishing attacks that combine phone calls and phishing sites to steal VPN credentials from employees. The attackers used this method to gain access to the internal network in the scam incident mentioned above. With remote working becoming more and more popular, social engineering attacks will become a major cyber security threat to enterprises.
2.1.1 Most Common Social Engineering Tactic - Phishing
Among different types of social engineering attacks, phishing is the most common, with attackers often pretending to be a trusted institution or individual to trick victims into exposing personal data and other valuable information.
Phishing attacks are generally launched in two ways:
- Spam phishing is a widespread, non-personalised attack aimed at general users.
- Spear phishing aims at high-value targets and usually uses information personalised to particular users. The scam incident mentioned above is an example of spear phishing.
Whether via direct communication or via a fake website form, the scammers aim to convince a user to give out information or assets, or even to install malware. There are three common methods used in phishing attacks:
- Email phishing is the most traditional means of phishing. It uses an email to urge the receiver to reply or follow up. Sample emails can be found in HKCERT blog articles.
- Voice phishing uses a rogue interactive voice response system to record victims' inputs, or a real person speaking with victims to increase trust and urgency. As mentioned above, some scammers used this method to steal VPN credentials.
- SMS phishing uses SMS texts or mobile app messages that include a web link or a prompt to follow up via a fraudulent email address or phone number. For example, during COVID-19 scammers sent SMS messages about free mask giveaways or delivery delays to trick victims into giving out their personal information. Security advice on COVID-19-themed phishing attacks can be found in a previous HKCERT blog article.
2.1.2 Social Engineering to Gain Physical Access
In order to reach targeted internal systems, attackers not only use phishing attacks but also try to obtain physical access to the systems. For example, an attacker might impersonate an external IT service auditor or a facility employee, looking trustworthy enough that the security guards let them into the building.
In general, gaining access to the internal systems is the beginning of an attack, and social engineering is the most common method attackers use to achieve this goal.
2.2 Gain Control to Internal Tools via Privilege Escalation Attacks
According to a report in The New York Times, the attackers used stolen credentials to join an internal instant messaging channel of the company. Using the knowledge gained from the conversations between employees, the attackers then targeted employees who had access to the account support tools. Eventually, the attackers obtained the privileges required to use the account support tools and carried out the bitcoin scam.
There are two types of privilege escalation: horizontal and vertical. Horizontal privilege escalation means an attacker expands their reach by first taking over an account and then misusing the legitimate resources belonging to another user with a similar level of access. Vertical privilege escalation means an attacker attempts to gain more permissions or higher privileges with an existing account they have compromised.
In this incident, the attackers first used horizontal privilege escalation, followed by vertical privilege escalation, during the attack process.
3. Security Recommendations
Most cyber security incidents start from a social engineering attack. If a staff member falls into the trap, it can lead to a series of further attacks, as in the incident described above. It is therefore important for organisations to raise the security awareness of their employees to prevent these types of attacks.
Here are some recommendations for organisations that can help users avoid social engineering attacks:
- Do not click or open links in unsolicited messages in email, instant messaging text and social media;
- Verify the sender before clicking any link, opening any attachment or providing any information;
- Use long and hard-to-guess passwords, enable multi-factor authentication if available;
- Use security software and keep all client software up-to-date;
- Do not leave devices, such as mobile or laptop connected to organisation networks, unattended in public areas;
- Perform regular user awareness training and phishing drills.
Here are some recommendations for organisations to protect their systems from privilege escalation:
- Adopt a need-to-know basis and avoid sharing sensitive information among different employees via instant messaging channels or groups;
- Create specialised users and groups with minimum necessary privileges and file access;
- Deploy security tools such as network analytics, endpoint protection, and user behavioural analytics to detect and prevent abnormal account access and activity;
- Keep systems and applications up-to-date;
- Harden system access controls and review privileged accounts regularly;
- Build comprehensive security policies covering normal and privileged account management, cyber security, and physical security. If attackers compromise a normal user's account in an organisation, good account management and security policies effectively reduce the risk and impact.
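The following is an added example, not HKCERT's or the platform's own code, illustrating the privilege escalation types defined in section 2.2 and the least-privilege and abnormal-activity recommendations above. It models a deny-by-default entitlement check for an account support tool and reviews constructed audit log lines for repeated attempts to use a tool the user's role does not grant (vertical escalation attempts), "allow" decisions that the entitlement table would never grant (an escalation that succeeded), and an entitled user touching unusually many accounts. All users, roles, tool names and log lines are hypothetical.

```python
import re
from collections import defaultdict

# Hypothetical role-to-tool entitlements and user roles (constructed for this example).
ROLE_TOOLS = {"support_agent": {"account_support_tool"}, "engineer": {"deploy_tool"}}
USER_ROLES = {"alice": "support_agent", "bob": "engineer"}

def is_authorised(user, tool):
    """Least privilege: deny unless the user's role explicitly grants the tool."""
    return tool in ROLE_TOOLS.get(USER_ROLES.get(user), set())

# Audit line format assumed for this example: "<timestamp> user=.. tool=.. target=.. result=allow|deny"
LINE = re.compile(r"^\S+ user=(\S+) tool=(\S+) target=(\S+) result=(allow|deny)$")

def review_audit_log(lines, deny_threshold=3, max_targets=10):
    """Return (alert_type, user) findings; unparseable lines are skipped."""
    denies = defaultdict(int)      # denied attempts by users not entitled to the tool
    targets = defaultdict(set)     # distinct accounts each user was allowed to act on
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        user, tool, target, result = m.groups()
        entitled = is_authorised(user, tool)
        if result == "allow" and not entitled:
            # The tool let in a user the entitlement table would deny: privilege was escalated.
            findings.append(("escalation_succeeded", user))
        if result == "deny" and not entitled:
            denies[user] += 1
        if result == "allow":
            targets[user].add(target)
    for user, n in denies.items():
        if n >= deny_threshold:
            findings.append(("vertical_escalation_attempts", user))
    for user, accts in targets.items():
        if len(accts) > max_targets:
            findings.append(("abnormal_account_volume", user))
    return findings

# Constructed sample log: bob (engineer) probes the support tool three times and is
# denied, then appears with an "allow"; alice (support agent) acts on 12 accounts.
SAMPLE_LOG = (
    [f"2020-07-15T10:0{i}:00Z user=bob tool=account_support_tool "
     f"target=acct-100{i} result=deny" for i in range(3)]
    + ["2020-07-15T10:10:00Z user=bob tool=account_support_tool target=acct-2000 result=allow"]
    + [f"2020-07-15T11:00:{i:02d}Z user=alice tool=account_support_tool "
       f"target=acct-3{i:03d} result=allow" for i in range(12)]
)

if __name__ == "__main__":
    for alert_type, user in review_audit_log(SAMPLE_LOG):
        print(alert_type, user)
```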