NTT Ltd. Global Threat Intelligence Center (GTIC) publishes a Monthly Threat Report based on its observations and research. Its October 2020 report featured an article on the OZIE Team – a Nigerian business email compromise (BEC) threat actor group. The OZIE Team has targeted 852,541 domains since it became active in 2017. It is targeting businesses around the world working in the manufacturing, health care, automotive, and food distribution industries. GTIC has been tracking the OZIE Team since August 2019. CISO MAG spoke to Murtaza Bhatia, Head – Vertical Solutions, NTT Ltd. in India, to learn about the modus operandi of this gang and what NTT Ltd. did to protect its customers and employees from BEC attacks during the pandemic.
By Brian Pereira, Principal Editor, CISO MAG
According to the GTIC report, the OZIE Team relies on commodity malware sold through sites like HackForums.net and private discord groups. To purchase the commodity malware, the OZIE Team uses Bitcoin and Bitcoin Cash, or internet payment systems like Perfect Money.
“They use off-the-shelf tools to do this compromise, rather than creating new variants or new malicious codes. They compromise communication channels, people’s information on their laptops and desktops via their email accounts. So, the whole idea is to hack via email as a channel. They send bulk emails to different targeted industries, groups of people that they select, which leads people to click links in the mail or open attachments in the mail. Those links or attachments are malicious, with malicious codes built into the attached files. And that malicious code once executed will start logging keystrokes and send these back to a central server, which collects information over a period of time. And that is how they get passwords and other user information,” explained Bhatia.
The OZIE Team performs massive reconnaissance spam campaigns against a variety of industries looking for victims. After these campaigns, the OZIE Team analyzes the results and selects an industry to focus on based on what the reconnaissance revealed.
This year, the OZIE Team turned its attention to work-from-home employees, with pandemic-themed BEC attacks.
“The group took advantage of the fact that people are working from home using unsecured systems such as their personal devices, which lack enterprise-grade security tools,” said Bhatia.
To protect its customers who had work-from-home employees, NTT Ltd. launched an emergency response program in March called Care Program.
“Through the Care Program, we went to all our clients and helped them in terms of setting up secure remote connectivity, giving them secure access to business applications on personal and corporate-owned assets from home. We gave them the ability to measure and monitor the productivity of their employees working from home by providing the appropriate collaboration tools. The combination of these solutions will create a secure environment around the user,” said Bhatia.
NTT’s strategy to protect WFH employees
CISO MAG asked Bhatia about NTT’s strategy and the steps it took to protect WFH employees. Bhatia told us that they considered the visibility of the corporate assets at remote locations. They also looked at the reconfiguration of security tools that are already deployed on those assets or devices.
“We need to first understand what kind of asset the home user has. Is it a corporate-owned laptop with security tools already installed and deployed? Can I reconfigure those security tools, because now these tools have gone out of the corporate network and the device will be connected to home Wi-Fi broadband, which is an unprotected network? So, configuration checking policies on these tools had to be considered. These configurations have to be reset or changed for a different scenario because the connectivity has changed. And when the connectivity and environment have changed you need to understand what applications a user is authorized to access. And this depends on the security profile of the user as well as the sensitivity of the application they are using,” added Bhatia.
NTT Ltd. had to assist its customers in changing the policy frameworks for all employees. It was a laborious and time-consuming process.
“We had to change those policy frameworks so that the users had access to applications and data on a need-to-have or need-to-know basis. We could then configure the toolsets available on their devices to prevent them from doing a copy-paste or accidentally leaking the data. So, there are tools and solutions which will help you to do that. We saw that most organizations opted for virtual desktop solutions where the desktop is running in the data center and is streamed to the client device,” said Bhatia.
NTT Ltd. offered its customers data encryption solutions and helped them with policies for sharing and storing data. Customers raised questions about compliance and regulation when discussing cloud storage. However, the government relaxed certain rules about allowing call center employees to operate from home, and that took away some anxiety.
“Everybody said it is OK to use the cloud. But some industries were bound by regulation and were not allowed to use the public cloud. But the DoT later said our contact center agents can work from home. They relaxed the rules in terms of connecting and doing calls from agents sitting at home in the ITeS / BPO sector. The relaxation in rules changed the boundaries of security,” said Bhatia.
Bhatia opines that it is the thought process that matters more than reconfigurations or anything else.
“Reconfiguration is about allowing access and also about securing. It is about how do you allow access with minimum or no risk. And this was possible because of the additional tools and cloud solutions that we deployed, such as multi-factor authentication. We could not ship reconfigured devices to remote locations because of issues with logistics. However, we could deploy and configure security tools to remote devices over the cloud. This helped us in reconfiguring security tools and policies,” concluded Bhatia.
Read the December edition of the GTIC Monthly Threat Report here.
About the Author
Brian Pereira is the Principal Editor of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).