Phishing has been a top threat since the birth of cyber threats. What is interesting is the recent wave of campaigns built on impersonation. One popular security/defender trend is leveraging vendors for managed services or some form of threat monitoring. Some threat actors are targeting this trend by impersonating such services to push ransomware. Whaaat?
The attack works by impersonating a vendor such as CrowdStrike, claiming a breach has been detected, and offering to launch a fake incident response. Part of the fake incident response involves downloading software, which turns out to be malware. Imagine you have a partnership with a security company. You receive what looks to be a legit email or call claiming they have detected malware within your organization. How would you know it wasn’t real? Part of many incident response playbooks is to deploy an EDR agent and evaluate host systems, so it wouldn’t be weird for the CrowdStrike incident response team to ask you to install something. Then BAM …. you find out you just installed ransomware.
Check out this post from techmonitor to learn more about this attack HERE. The lesson learned is to validate any communication with your trusted service providers, and to do it out of band: call the contact on your contract or in the vendor portal, not the number or link in the message. The same goes for all critical communication.
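As an added example (not from the post or from any vendor's tooling), here is a first-pass triage script for an inbound "we detected a breach, install our agent" email that claims to come from a managed security provider. It checks four things a practitioner would look at before touching the attachment: whether the From domain is really one the provider sends from, whether our own mail gateway recorded a DMARC pass, whether the envelope sender is aligned with the From domain, and whether the content matches the lure described above. Every domain, header value, and message body below is constructed for the example, as is the gateway name `mx.ourcorp.example` and the provider list. A message with no red flags still gets the out-of-band phone call the post recommends; these checks only catch the sloppy campaigns.

```python
"""Added example (not from the post): first-pass triage of an inbound
"we detected a breach, install our tool" e-mail that claims to come from
a managed security provider. All domains, header values and message
bodies here are constructed for the example."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the authserv-id our own mail gateway writes into
# Authentication-Results. Any other copy of that header is untrusted,
# because the sender can simply add a forged "dmarc=pass" line.
OUR_AUTHSERV_ID = "mx.ourcorp.example"

# Assumption: the providers we actually have a contract with and the
# domains they send from, taken from the contract, not from an e-mail.
TRUSTED_PROVIDERS = {"vendor": {"vendor.example"}}

# The lure from the post: a claimed detection plus a request to install.
LURE_PATTERNS = [
    r"\bdetected\s+(?:a\s+)?(?:breach|malware|compromise)\b",
    r"\b(?:install|download|run)\b.*\b(?:agent|sensor|tool|package)\b",
]


def _domain(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _org_domain(domain: str) -> str:
    """Crude organisational domain (last two labels); real tooling
    should use the Public Suffix List instead."""
    return ".".join(domain.split(".")[-2:])


def _gateway_auth_results(msg) -> dict:
    """spf/dkim/dmarc results from the Authentication-Results header
    stamped by OUR gateway; copies stamped by anyone else are ignored."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(hdr).partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results[m.group(1)] = m.group(2).lower()
    return results


def triage(raw_message: str) -> dict:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_hdr = str(msg["From"] or "")
    from_dom = _domain(from_hdr)
    ret_dom = _domain(msg["Return-Path"])
    auth = _gateway_auth_results(msg)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = str(msg["Subject"] or "") + "\n" + body
    flags = []

    # 1. It names one of our providers but is not sent from their domain.
    claimed = next((p for p in TRUSTED_PROVIDERS if p in from_hdr.lower()), None)
    if claimed and from_dom not in TRUSTED_PROVIDERS[claimed]:
        flags.append(f"claims to be {claimed} but From domain is {from_dom}")
    # 2. Our gateway did not record a DMARC pass for the From domain.
    if auth.get("dmarc") != "pass":
        flags.append(f"dmarc={auth.get('dmarc', 'missing')} at our gateway")
    # 3. Envelope sender (Return-Path) is not aligned with the From domain.
    if ret_dom and _org_domain(ret_dom) != _org_domain(from_dom):
        flags.append(f"Return-Path domain {ret_dom} not aligned with From")
    # 4. Content matches the breach-notice + install-our-software lure.
    if any(re.search(p, text, re.I | re.S) for p in LURE_PATTERNS):
        flags.append("breach notice asking to install software")

    return {"from_domain": from_dom, "auth": auth, "red_flags": flags}


# Constructed sample: the lure from the post, sent from a look-alike domain,
# with a forged Authentication-Results line the attacker added themselves.
PHISH_SAMPLE = "\n".join([
    'From: "Vendor Incident Response" <ir@vendor-support.example>',
    "Return-Path: <bounce@mailer.example>",
    "Authentication-Results: mx.attacker.example; dmarc=pass",
    "Authentication-Results: mx.ourcorp.example; spf=pass smtp.mailfrom=mailer.example;"
    " dkim=none; dmarc=fail header.from=vendor-support.example",
    "Subject: URGENT: we detected a breach in your environment",
    "Content-Type: text/plain",
    "",
    "We have detected malware on three of your hosts. Please download and",
    "install the attached agent so our incident response team can begin.",
])

# Constructed sample: a routine notice that really came from the provider.
LEGIT_SAMPLE = "\n".join([
    'From: "Vendor Alerts" <alerts@vendor.example>',
    "Return-Path: <alerts@vendor.example>",
    "Authentication-Results: mx.ourcorp.example; spf=pass smtp.mailfrom=vendor.example;"
    " dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example",
    "Subject: Monthly detection summary",
    "Content-Type: text/plain",
    "",
    "Your monthly summary is ready in the portal. No action is required.",
])

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = triage(sample)
        print(name, result["from_domain"], result["red_flags"] or "no header red flags")
```

The forged `Authentication-Results` line in the phishing sample is the reason the script only trusts the header carrying our own gateway's authserv-id; a sender can write anything into that header before the message reaches us. The domain alignment and provider checks are deliberately simple and should be backed by the Public Suffix List and the vendor's documented sending domains in a real deployment.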