Significant Increase in Cyber Attacks Targeting Accounting Firms

Within the past week, Blackpoint Cyber’s 24/7 Security Operations Center (SOC) has observed an alarming uptick (200+% increase) in cyber attacks targeting accounting firms. According to our VP of Threat Operations, Xavier Salinas, accounting firms are currently the most attacked vertical in our SOC since February – we don’t believe this is a coincidence, as it is US tax season.

Our analysis indicates that ransomware operators are primarily exploiting VPN vulnerabilities in accounting firms faster than MSPs can successfully patch. For example, if an MSP has 200 customers with a vulnerable VPN or firewall and they can realistically patch 20 customers a day, it will take up to two weeks to address all vulnerabilities. This logistical situation leaves a window of opportunity for attackers.

Unfortunately, we continue to see next-gen A/V and EDR technologies failing to identify the initial indicators of compromise in these attacks. Luckily, our SOC is detecting and stopping these attacks using our patented SNAP-Defense technology, which closely monitors lateral spread and unusual activity of legitimate, especially privileged, accounts.

Several days ago, the FBI and CISA released a Joint Cybersecurity Advisory (CSA) to warn users and admins of the possibility that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The advisory points out that APT actors are likely using any or all these CVEs to gain access to networks across multiple critical infrastructure sectors.

We believe some, though not all, of these recent accounting firm attacks rely on these Fortinet vulnerabilities when Fortinet devices are present. Other attacks are utilizing other existing VPN vulnerabilities on unpatched devices as well as publicly exposed remote services, such as Remote Desktop Protocol, that are not properly safeguarded.

If you have customers in the accounting vertical, please ensure:

• All systems, especially VPNs and firewalls, are patched
• Security technologies are fully updated
• Publicly exposed remote access (including VPN and RDP) is safeguarded (IP restricted, MFA, etc.)
• Accidentally opened or unneeded remote access is disabled or removed
• They have 24/7 monitoring, detection, and response in their environment

Our SOC team is successfully detecting and stopping threats targeting accounting firms because we have real-time lateral spread monitoring and in-depth investigation of odd account behavior using our SNAP-Defense technology and ACTion Engine. If you have accounting or other financial firms related to taxes or tax preparation not utilizing our 24/7 MDR service, we highly advise you speak to your clients during this critical period about the need and benefits of 24/7 MDR.

In addition, Blackpoint also offers all partners free external vulnerability scanning, which can help identify publicly exposed services, such as RDP. The scan is available in the Blackpoint Portal under the Sales Enablement section. Please contact your account manager for more details.