A February 2022 attack knocked the giant tire maker's North American operations offline for several days.
As a CISO that helped his company navigate through the aftermath of a crippling ransomware attack last year, Bridgestone Americas' Tom Corridon says his biggest advice for other organizations is to designate key decision-makers for handling such crises before they happen.
Not having a clear-cut line of action at the executive level in advance can exacerbate the consequences of a cyberattack and allow the attacker an opportunity to create more damage, Corridon said in an interview at Accenture's third annual virtual OT cybersecurity summit last week.
"When you want to pull a lever, when you want to make a decision about disconnecting networks, or paying a ransom, who makes those decisions?" Corridon said. "To know that going in is really, really important because then you are not caught flatfooted. You are not caught looking around the room going, 'is that you, or is that me?'"
The February 2022 ransomware attack on Bridgestone led the tire giant to shut down its networks at manufacturing and retreading facilities in North America and Latin America for several days. The well-known ransomware group LockBit 2.0 later claimed credit for the attack and announced plans to publicly leak data accessed from Bridgestone's systems if the company did not comply with the group's ransom demand.
Bridgestone later disclosed that the cyberattackers had accessed business records as well as files containing Social Security numbers, bank information, and other sensitive data on some of its customers. But the company has released no other details of the attack since then, including whether it paid the LockBit gang a ransom or not.
The attack was one of several last year that affected operating technology (OT) networks at industrial and manufacturing companies in the US and elsewhere. A second-quarter 2022 analysis of ransomware attacks from Dragos showed most attacks (68%) on industrial organizations targeted the manufacturing sector.
Corridon's interview at the Accenture virtual event steered clear of the details of the attack, the damage it had caused, and the recovery effort. However, it focused on several lessons the company was able to take away from the attack. The biggest, according to Corridon, is knowing who makes crucial decisions during an unfolding crisis, and how.
Corridon advocates that organizations that do tabletop exercises for their technical team need to have a parallel scenario-based exercise that involves key executives and decision-makers. Just like incident management processes have two threads — one technical and one for executives — so, too, should tabletop exercises.
Another key consideration is that the executives in charge of making critical decisions during a ransomware attack need to be comfortable making them without a lot of data.
"They need to be comfortable making decisions in the moment that are going to feel like gut decisions or rash decisions," Corridon noted. "But we need to be prepared for that because the longer you sit on a decision and you analyze it and think it through and wait for that perfect decision to land in your lap, the more time the threat actor has to go further into your environment and do more damage."
According to Corridon, who was interim CISO at Bridgestone when the attack happened, one silver lining with major security events is the heightened awareness and willingness to change that it can foster. In the year since the attack, Bridgestone has implemented security changes that would otherwise have taken years to convince executives of, push through, and enable, he said.
He advised that security teams take a never-let-a-good-crisis-go-to-waste approach to push through change, if they are unfortunate enough to experience a major security breach.
"In an incident, your executives have a front-row seat to the action," Corridon said. "So, they are walking away with a better understanding of terms they never wanted to understand or wanted to know."
That heightened awareness and understanding often means they are more prepared to give security teams the money and resources they need to implement a stronger security posture moving forward. "They are prepared for change [because] they have a taste in their mouth of a bad experience," he said.
Similar change can be harder to achieve in the lower echelons, where concerns over everyday jobs and goals can quickly relegate security to the back burner once an immediate crisis has passed, Corridon acknowledged. Therefore, it is important to keep cybersecurity a relevant and top-of-mind topic for employees at all times. In much the same way that OT environments emphasize physical safety precautions, organizations need to make cybersecurity a part of the daily routine for employees.
One way to begin getting stakeholders to think differently about cyber resilience is to stop describing breaches and attacks as security incidents. "An incident is when you trip and fall or somebody unplugs something by accident," he said. A ransomware attack, on the other hand, is a criminal act against the company.
"Having that reframing of thought can go a long way," Corridon said. "The words you use as you are going through the event and actually recognizing it as a crime against the organization is a first step."
Threat actors are circumventing geo-location-based security detections, using a combination of cybercrime-as-a-service platforms and the purchasing of local IP addresses.
Attackers have found a new way to avoid detection in business email compromise (BEC) and account takeover attacks by buying locally generated IP addresses to mask the origin of their login attempts, thus circumventing the common "impossible travel" security detection, Microsoft is warning.
An impossible travel flag occurs when a task is performed at two locations in a shorter amount of time than would be required to travel from one location to the other — for instance, if Employee A always logs on from Boston at 9 a.m., then a login attempt an hour later from Singapore would raise a red flag. However, masking the actual origin IP address from which a malicious task is coming provides "the ability and opportunity for cybercriminals to gather large volumes of compromised credentials and access accounts" from anywhere, Microsoft researchers wrote in a blog post.
Threat actors are using a combination of platforms such as BulletProftLink, a service for creating industrial-scale malicious email campaigns, and residential IP services to help them evade the flag, Microsoft Security researchers revealed.
BulletProftLink sells an end-to-end service, including templates, hosting, and automated services for committing BEC — essentially providing cybercrime-as-a-service (CaaS). The abuse of residential IP addresses meanwhile allows for higher volumes of BEC attacks, the researchers warned. One IP service provider, for example, has 100 million IP addresses that can be rotated or changed every second.
"Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent 'impossible travel' flags, and open a gateway to conduct further attacks," according to Microsoft, which added that threat actors in Asia and Eastern Europe are the ones most frequently deploying this tactic.
The warning comes against a backdrop of escalating numbers of BEC campaigns. Indeed, the FBI reported that in 2022, it logged more than 21,000 BEC complaints, amounting to adjusted losses of more than $2.7 billion. Microsoft said that nearly all forms of BEC attacks are on the rise, with the top lures among the socially engineered campaigns including payroll topics, invoices, gift cards, and business information.
"Instead of exploiting vulnerabilities in unpatched devices, BEC operators seek to exploit the daily sea of email traffic and other messages to lure victims into providing financial information, or taking a direct action like unknowingly sending funds to money mule accounts, which help criminals perform fraudulent money transfers," the researchers wrote in the post.
Top targets for BEC cybercriminals are executives and other senior leaders, finance managers, and human resources staff with access to employee records like Social Security numbers, tax statements, or other personally identifiable information, the company said.
Attackers also like to target new employees who may be less likely to verify unknown sender email addresses, the researchers said. Indeed, attackers successfully breached security vendor Dragos by targeting a new employee with a socially engineered attack, allowing them to log into the company's employee-onboarding process.
While "masquerading behind different IPs/proxies" has been in use by threat actors for more than a decade, its increased use in BEC attacks should serve as a reminder to organizations that they need to practice more vigilance in flagging suspicious network activity, notes one security expert.
In particular, organizations need to use more than geo-location to evaluate the authenticity of an attempt to access a network, says Roy Akerman, co-founder and CEO of cloud and SaaS security firm Rezonate. Instead, full behavioral analysis is the way to go.
"Additional behavioral information on the browser details, actions taken, pattern of usage, and others should be taken into account to limit the usage and stealing of identities," he says in an email to Dark Reading.
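The impossible-travel check described earlier, and the behavioral signals Akerman recommends layering on top of it, as an added worked example (this is not Microsoft's or Rezonate's code). It runs over a handful of constructed sign-in events: one user "travels" from Boston to Singapore in an hour, which the speed check catches; a second user signs in from the same city through a different address, so geo-location alone says nothing, but a changed browser, a new IP prefix and a missing MFA step together still surface the sign-in for review. The 900 km/h speed ceiling, the /24 prefix comparison and the two-signal threshold are assumptions chosen for the example, not values from the article.

```python
"""Impossible-travel check plus behavioural signals over constructed sign-in events."""
import ipaddress
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed

# Constructed sample events (not real telemetry). Coordinates are approximate
# city centroids; IP addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    {"user": "alice", "ts": "2023-05-01T09:00:00", "city": "Boston",
     "lat": 42.36, "lon": -71.06, "ip": "203.0.113.10",
     "ua": "Chrome/112 Windows", "mfa": True},
    {"user": "alice", "ts": "2023-05-01T10:00:00", "city": "Singapore",
     "lat": 1.35, "lon": 103.82, "ip": "198.51.100.7",
     "ua": "Chrome/112 Windows", "mfa": True},
    {"user": "bob", "ts": "2023-05-01T09:00:00", "city": "Boston",
     "lat": 42.36, "lon": -71.06, "ip": "203.0.113.25",
     "ua": "Chrome/112 Windows", "mfa": True},
    # Same city half an hour later from a different address, a new browser,
    # and no MFA: the geo check passes, the behavioural signals do not.
    {"user": "bob", "ts": "2023-05-01T09:30:00", "city": "Boston",
     "lat": 42.37, "lon": -71.05, "ip": "192.0.2.44",
     "ua": "Firefox/113 Linux", "mfa": False},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(prev, cur, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """True when moving between the two sign-ins would exceed max_speed_kmh."""
    hours = (datetime.fromisoformat(cur["ts"])
             - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600.0
    if hours <= 0:
        return False  # duplicate or out-of-order timestamp; not a travel question
    km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    return km / hours > max_speed_kmh


def ip_prefix(ip):
    """Collapse an address to its /24 so single-address rotation within a pool
    is treated as one source (assumption: a coarse stand-in for ASN lookup)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def behavioural_signals(prev, cur):
    """Signals that do not depend on where the client claims to be."""
    reasons = []
    if cur["ua"] != prev["ua"]:
        reasons.append("new_user_agent")
    if ip_prefix(cur["ip"]) != ip_prefix(prev["ip"]):
        reasons.append("new_ip_prefix")
    if not cur["mfa"]:
        reasons.append("no_mfa")
    return reasons


def evaluate(events, signal_threshold=2):
    """Compare each sign-in with the user's previous one; return those worth review.

    A single impossible-travel hit is enough on its own; otherwise at least
    signal_threshold behavioural signals must coincide.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            reasons = behavioural_signals(prev, ev)
            if impossible_travel(prev, ev):
                reasons.insert(0, "impossible_travel")
            if "impossible_travel" in reasons or len(reasons) >= signal_threshold:
                alerts.append({"user": ev["user"], "ts": ev["ts"], "reasons": reasons})
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert["user"], alert["ts"], ", ".join(alert["reasons"]))
```

Run as a script it lists both users: alice for impossible travel (plus a new IP prefix), bob for the three behavioural signals with no geo anomaly at all. That second line is the point of the article's warning: once an attacker signs in from a residential address in the victim's own city, the speed check is silent, and only the signals tied to the session itself remain.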
There are also other steps that enterprises can take to stop BEC campaigns that attempt to circumvent the impossible travel flag, Microsoft said. The company suggested that enterprises configure mail systems to flag messages sent from external parties, as well as enable DMARC and notifications for when email senders are not verified.
Organizations also should block senders with identities that they cannot independently confirm and report their mails as phishing or spam in email apps, the researchers said.
Setting up strong authentication policies, such as multifactor authentication (MFA), can also help thwart BEC campaigns, making accounts "more resistant to the risk of compromised credentials and brute-force login attempts, regardless of address space attackers use," the researchers also noted.
Employee training in how to spot fraudulent and malicious emails should be commonplace among organizations at this point given the frequency with which attackers use BEC and phishing to compromise accounts, as well as their continued success rate and the cost associated with these attacks, the researchers said.
Victims of the cybercrime schemes are coerced to participate through violence and having their belongings taken away.
The FBI is warning US citizens that are traveling to or living abroad in Southeast Asia of false advertisements leading to labor trafficking, where individuals are intimidated and forced to involve themselves in international cryptocurrency investment fraud schemes.
Criminal actors, primarily belonging to Chinese crime groups, post fake job advertisements on employment sites and social media, offering jobs such as call center customer service representatives and beauty salon technicians. These fake advertisements reach potential victims on a global scale, including those from countries like Bangladesh, Brazil, China, Ethiopia, Hong Kong, India, Japan, Russia, Vietnam, Zimbabwe, as well as the US.
By reeling in their victims' interest with promises of competitive salaries and a wide range of supposed benefits, criminal actors convince these individuals to travel to the "job location," where their personal items are confiscated and they are coerced, under threat of violence, into carrying out cryptocurrency fraud.
"This activity continues to expand at an alarming rate, with thousands of new victims trafficked every month, while industrial-sized scam and money laundering operations expand far beyond the pace of any response," Jason Tower, Myanmar country director at the United States Institute of Peace and cyber trafficking expert, said in a column.
The FBI is encouraging people to do their research on any company and job opportunity before accepting a position, to be careful when the benefits and salary do not align with a job offer, and to share their contact information and employment details with those close to them.