
Segmentation Killed the Cat

The alleged Iranian state-sponsored hacking group “Charming Kitten” has pounced out of the shadows after laying low for a few years. Assumed to be a reaction to the recent economic sanctions imposed against Iran by the United States, the adversary targeted U.S. Treasury officials as well as foreign nuclear experts. London-based cybersecurity firm Certfa uncovered the campaign after finding an open server on the internet which contained a list of 77 Gmail and Yahoo email addresses belonging to individuals who might have in-depth knowledge of the sanctions. Certfa tied the attackers to the Iranian government based on an analysis of the domains used in the attacks. Attribution is hard and IP addresses can be spoofed, but the most interesting thing about Charming Kitten’s tactics is the extent to which the group went to trick victims into proffering account credentials.

Phishing is a tried and true way to exploit users. It works because people have become used to clicking on links, because humans are inherently curious, and because we're busy and don't always inspect every header or sender address closely. Although a good portion of phishing attacks could be stopped from progressing if everyone were just a little more attuned to nefarious behavior, the likelihood of that happening is low, which is why security teams strongly recommend implementing a second factor of authentication (2FA) for account access. By turning on 2FA, they argue, attackers can't just exploit stolen or guessed credentials; they also have to gain access to the second factor.

This is exactly what Charming Kitten did. Their campaign was not a basic phishing attack. Instead, these sly cats sent a phony Google security alert which prompted users to click a button—an image rather than text (which bypasses Google’s security)—that redirected the user to a malicious site. A second, hidden image in the body of the email alerted the attackers when the attack was triggered.

Not your regular phishing catastrophe

So far, this looks like a pretty standard attack plan. But here's where things get crafty. Naturally, the Google pages weren't legitimate; they were hosted on a custom platform designed to steal credentials as they're typed into the page. The Kittens didn't stop there, though. In an effort to throw victims further off their trail, the attackers asked for a verification code, sent as 2FA in a text message or authenticator app. When the victim input the second factor into the malicious site, the attackers stole that information, too.
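The weakness the Kittens exploited is that a code typed by the user carries no information about which page collected it: the real service sees a valid code and cannot tell it was relayed. The following added example (not code from the original post, and not Google's or Edgewise's implementation) models that contrast on the verifier's side with a minimal TOTP check next to an origin-bound, WebAuthn-style assertion. The origin, seed, device key and lookalike hostname are constructed for the illustration, and an HMAC with a shared device key stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json
import struct

# Constructed values for the illustration only; not real secrets, keys or hosts.
RELYING_PARTY_ORIGIN = "https://mail.example.com"
TOTP_SEED = b"constructed-totp-seed"
DEVICE_KEY = b"constructed-device-key"  # stand-in for an authenticator's private key


def totp_code(seed: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238-style code: a function of the shared seed and the time step only.
    Nothing about the page the user is looking at enters the computation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def verify_totp(submitted: str, timestamp: int) -> bool:
    """Server-side check of an SMS/app code. The server cannot distinguish a code
    the user typed on the real site from one typed on a lookalike and forwarded."""
    return hmac.compare_digest(submitted, totp_code(TOTP_SEED, timestamp))


def make_assertion(challenge: str, origin_seen_by_browser: str) -> dict:
    """Authenticator side of an origin-bound login: the browser reports the origin
    it is actually on, and that origin is part of what gets signed."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True
    )
    signature = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def verify_assertion(assertion: dict, expected_challenge: str) -> bool:
    """Relying-party side: the signature must be valid, the challenge must be the
    one this server issued, and the signed origin must be this server's own."""
    client_data = assertion["client_data"]
    expected_sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion["signature"], expected_sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == expected_challenge and data["origin"] == RELYING_PARTY_ORIGIN


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP accepted regardless of where it was typed:", verify_totp(totp_code(TOTP_SEED, now), now))
    challenge = "constructed-server-challenge"
    print("assertion from the real origin:", verify_assertion(make_assertion(challenge, RELYING_PARTY_ORIGIN), challenge))
    print("assertion from a lookalike origin:",
          verify_assertion(make_assertion(challenge, "https://mail-example.com.login-alert.invalid"), challenge))
```

The point of the second verifier is not the signature itself but the fact that the origin is inside the signed data: a login started on any page other than the real service produces an assertion the real service rejects, with no reliance on the user noticing the address bar.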


It makes sense, of course, that for a targeted attack like this one, the perpetrators would go to such lengths. Your average phishing scheme likely does not have to in order to succeed. What should be of note, however, is the ease with which Charming Kitten used what's theoretically a security precaution to further their attack against victims. SMS-based 2FA has been challenged before, and this is another proof point showing why password-centric authentication is not trustworthy. In the case of the Charming Kitten attack, the apparent endgame was access to victims' email messages, ostensibly containing juicy details about the sanctions. Many attacks will go beyond the inbox, however, using stolen credentials and permitted access to gain entry to databases storing sensitive data — customer PII, financial info, intellectual property, and the like. Stolen credentials are merely the initial exploitation; once procured, credentials are used to allow the attacker to move laterally, undetected, throughout the network. When that is the case, organizations need to think about how to quickly and efficiently stop attack progression.

Microsegmentation: a categorical network security improvement

Implementing microsegmentation gives organizations finer-grained control over who and what is allowed to access sensitive data and areas of the network. Placing multiple internal “perimeters” on the network gives businesses a chance to evaluate and permit or deny traffic based on a range of criteria. User credentials are only part of that equation, as are domains or other address-based information. Importantly, modern microsegmentation (vs. network construct-based solutions) incorporates information on cryptographic properties of devices and processes requesting system access plus information about the environment in which they’re communicating. This in turn strengthens the mechanisms by which users/devices/processes are approved or denied access, helps companies see when something is amiss on the network, and prevents the attacker from reaching their ultimate goal, be it exfiltrating data, installing malware, or trying to escalate privileges.

When coupled with zero trust access, a highly segmented network prevents a breach. Compromise may still occur (there is a school of thought that says compromise is inevitable), but attackers can't progress towards their goal. For instance, an approved user accessing a legitimate application is allowed. When some factor changes, though (for example, the request comes from an Iranian domain, or the request is for a never-before-seen transaction such as a call for an excessive amount of data), zero trust microsegmentation catches the action and stops it because the user or process doesn't meet the verification requirements that allow for crossing the "gateway."
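To make the decision described in the last two paragraphs concrete, here is an added example of a context-aware policy check, written for this page rather than taken from any Edgewise product. A request carries the user's identity, the SHA-256 of the process making the connection, whether the host passed attestation, the source country, and the size of the transaction; each application's policy holds the permitted values plus a list of recently observed transaction sizes for baselining. Every policy value, hash and request below is constructed, and the 5x-over-baseline threshold is an assumption chosen for the illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Set, Tuple


@dataclass
class Request:
    user: str
    app: str
    process_sha256: str   # hash of the binary that opened the connection
    host_attested: bool   # did the host pass its integrity/attestation check?
    src_country: str
    rows_requested: int   # size of the transaction being attempted


@dataclass
class AppPolicy:
    allowed_users: Set[str]
    allowed_process_hashes: Set[str]
    allowed_countries: Set[str]
    baseline_rows: List[int]   # recent observed transaction sizes for this app


# Constructed placeholder hash; a real policy would carry the measured hash of the client binary.
APPROVED_CLIENT_HASH = "sha256:constructed-approved-client-binary"

# Constructed sample policy for one sensitive application.
SAMPLE_POLICIES: Dict[str, AppPolicy] = {
    "billing-db": AppPolicy(
        allowed_users={"alice", "bob"},
        allowed_process_hashes={APPROVED_CLIENT_HASH},
        allowed_countries={"US"},
        baseline_rows=[100, 150, 90, 110],
    ),
}


def evaluate(req: Request, policy: AppPolicy, volume_factor: float = 5.0) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("deny", [reasons]). Valid credentials alone are
    never sufficient: every contextual check must pass as well."""
    reasons = []
    if req.user not in policy.allowed_users:
        reasons.append("user not permitted for this application")
    if req.process_sha256 not in policy.allowed_process_hashes:
        reasons.append("requesting process is not an approved binary")
    if not req.host_attested:
        reasons.append("host failed attestation")
    if req.src_country not in policy.allowed_countries:
        reasons.append(f"request originates from non-permitted country {req.src_country}")
    if policy.baseline_rows and req.rows_requested > volume_factor * mean(policy.baseline_rows):
        reasons.append("transaction size far above observed baseline")
    return ("allow" if not reasons else "deny", reasons)


def evaluate_for_app(req: Request) -> Tuple[str, List[str]]:
    """Look up the application's policy; an application with no policy is denied by default."""
    policy = SAMPLE_POLICIES.get(req.app)
    if policy is None:
        return ("deny", ["no policy defined for application; default deny"])
    return evaluate(req, policy)


if __name__ == "__main__":
    # Same valid credentials in both cases; only the context differs.
    normal = Request("alice", "billing-db", APPROVED_CLIENT_HASH, True, "US", 120)
    suspicious = Request("alice", "billing-db", APPROVED_CLIENT_HASH, True, "IR", 50_000)
    for r in (normal, suspicious):
        decision, why = evaluate_for_app(r)
        print(r.src_country, r.rows_requested, "->", decision, why)
```

The reasons list is what makes the control useful to a security operations team: a denial that names the failed factor (an unapproved binary, a new source country, an outsized query) is an alert about lateral movement in its own right, not just a blocked connection.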

Modern segmentation solutions revolve around context and automation, integrating elements of what’s communicating and how. In this way, widespread breach is prevented even if attackers usurp primary controls (i.e., traditional authentication). In other words, the cat’s out of the bag on phishing, but this time there really is something security teams can do about it.

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.