Criminal hackers are increasingly using these tricks to infiltrate corporate systems. Here’s how to stop them

Hackers are increasingly relying on some new techniques to access corporate systems.

Malicious hackers attempting ransomware attacks are increasingly using legitimate software tools already on the computers of their victims, according to two recent reports. 

Access brokers—or criminal hackers who gain a foothold in companies, then later sell that access to other criminals—have been shifting from phishing and other malware-driven attacks. Instead, they’re focusing more on social engineering—such as impersonation—and infiltrating software tools like those used by IT support to get remote access into colleagues’ computers, according to the latest global threat report from cybersecurity company CrowdStrike.

The new reality shows how hackers are adapting to the defenses used by businesses to monitor and respond to intrusions in their systems. By increasingly masquerading as legitimate users on corporate networks, hackers are more difficult to detect.

Both reports offer companies tips on what to look out for and how to better defend themselves against the latest hacking tricks. The key is to set up protocols that make attacks aimed at IT help staff, and at the software they use to do their jobs, less likely to succeed.

Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said hackers are increasingly conducting “hands on keyboard attacks,” meaning manual techniques, instead of breaking into systems indirectly using malware or other malicious code. The strategy lets hackers avoid strong defenses that rely on automated threat detection and firewalls. Instead, they simply ask someone on the inside for access, using subterfuge to make the request seem legitimate.

Phishing by voice—or “vishing”—is becoming a favorite hacking tactic. The method involves calling a corporate help desk, for example, and impersonating an employee in distress over a computer problem. Many successful social engineering attacks start with collecting legitimate information about an employee that can be found on social media sites or in an underground market, all in an effort to get the target’s login credentials reset, CrowdStrike said. 

The method is a favorite of criminal hacking group Scattered Spider, best known for ransomware attacks in 2023 on casino giants Caesars Entertainment and MGM Resorts.  

“We’ve seen a massive increase in help desk social engineering, where threat actors call the help desk and pretend to be a user,” Meyers said. “We also see the opposite where they impersonate the IT support in order to target the users and claim to be the help desk.”

Hackers using these types of “interactive” intrusions most frequently target tech companies, CrowdStrike found. One easy way for businesses to avoid those types of attacks, Meyers said, is to require an extra step like a video call to verify that an employee requesting a password reset is really the employee in question, and not an imposter. 

Of all targets, the U.S. manufacturing sector is among the hardest hit when it comes to ransomware attacks that target industrial businesses, according to an annual threat report from cybersecurity company Dragos. Although many people think of manufacturing as steel plants and assembly lines, it’s actually a highly digitized and diverse sector that includes pharmaceutical, chemical, electronics, and food and beverage businesses.

The manufacturing sector is a favorite for digital extortionists because any operational downtime is costly and therefore management is often willing to quickly pay up. Among the industrial sectors, manufacturing is among the fastest to digitize and, as a result, is at greater risk of hacking, said Dragos co-founder and CEO Robert M. Lee. 

“Manufacturing ends up being that kind of canary in the coal mine of ‘Here is where our infrastructure is going and you start seeing that be true across all these other infrastructure sites as well,’” Lee said. “If criminals can do something that gets them paid faster and more they’re going to do it.”

What’s more, hackers who take facilities offline aren’t necessarily very sophisticated—and they don’t need to be. All they need to know is how to slow or shut down production.

Of the 1,693 responses by Dragos to ransomware attacks in 2024, a quarter involved the shutdown of a manufacturing facility, Lee said. Ransomware gangs targeting industrial companies are taking advantage of misconfigured or vulnerable remote tools inside target companies, like virtual private networks, a normally secure way of accessing sensitive networks from outside the facility, to gain initial access, Dragos said in its report.

More than half of the incidents Dragos responded to last year involved a remote device like a VPN or remote desktop software. 

“There are some companies—especially in the manufacturing space—that are such highly-purposed manufacturing that if you shut down the operations at all you have to basically rebuild everything,” Lee said. “You are talking about hundreds of millions of dollars of product loss if not higher.”

To minimize risk and secure their systems, Lee said industrial businesses should make the following five steps a priority: create an updated incident response plan in case of an attack; take inventory of the digital systems that malicious hackers could use to gain access and secure those devices that connect directly to the internet; increase visibility and monitoring of networks and devices; secure all remote access into the corporate system; and fix software bugs after assessing which ones are the highest risk if exploited by hackers.
