Empowering Users Against Cyber Threats & Enhancing Digital Security
Overview of the Attack “Big Game Hunting”
A hacking group known as “Big Game Hunting” is reportedly impersonating Microsoft employees (particularly those from the Microsoft Outlook department) and contacting staff at large organizations via voice phishing (vishing). The attackers:
- Call employees and claim to be from Microsoft, offering “product evaluations” or assistance.
- Request remote access to the organization’s infrastructure (e.g., company servers) under the pretense of examining or troubleshooting Microsoft products.
- Use legitimate remote-access tools such as TeamViewer to gain unauthorized entry to networks.
- Exfiltrate data and potentially install additional malware or backdoors.
Because the attackers leverage social engineering rather than purely technical exploits, user awareness and strict internal processes for validating remote-access requests are critical.
Attack Chain in Detail
- Initial Vishing:
  - Attackers gather background information on the target organization (e.g., types of Microsoft products used).
  - They call employees under the guise of Microsoft representatives from Outlook Support or similar.
  - They use social engineering tactics to establish trust (e.g., referencing known products, using employee names, job titles).
- Remote Access:
  - Once trust is gained, the attackers convince the employee to install or run TeamViewer (or a similar tool).
  - They may provide instructions that appear “official,” such as using corporate-sounding steps or a plausible email domain.
- Privilege Escalation / Network Pivot:
  - After gaining access, they attempt to move laterally across the network, potentially exploiting further vulnerabilities or extracting credentials.
- Data Exfiltration / Ransomware Deployment:
  - The stolen data can be used for double extortion (e.g., demanding ransom payments).
  - Attackers may install additional payloads (malware, ransomware) to extend their foothold within the organization.
Recommended Security Measures
- Employee Awareness and Training
  - Conduct regular security awareness training that highlights voice phishing (vishing) threats.
  - Emphasize the need to verify caller identity. If someone claims to be from Microsoft (or any external partner), employees should confirm via an independent channel or a known Microsoft representative’s contact information.
- Clear Policies for Remote Access
  - Implement strict protocols for granting any external remote access.
  - Require employees to escalate or seek approval from IT/security teams before installing remote-control software or granting access to systems.
- Two-Factor Authentication (2FA)
  - Ensure that all critical systems and privileged accounts use 2FA or multi-factor authentication.
  - Even if attackers gain some credentials, 2FA adds an additional layer of security.
- Endpoint Detection and Response (EDR)
  - Deploy EDR solutions that can detect suspicious behaviors (e.g., large file transfers, unexpected privileged tasks).
  - Regularly review alerts from EDR or any intrusion detection system (IDS) for abnormal remote-access usage.
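As an added illustration of what “abnormal remote-access usage” can look like in practice (this is example code written for this summary, not tooling from any vendor or from the group’s reporting), the script below runs a small detection rule over constructed process-creation log lines. It flags a remote-control binary when it starts on a host that is not on an approved remote-support list, runs from a user download or temp path, or is spawned directly by a browser or mail client, which is the pattern of an employee installing a tool mid-call rather than IT performing planned support. The host names, log format, the AnyDesk entry as a “similar tool,” and the approved-host list are all assumptions; replace them with your own inventory.

```python
"""Detection rule for ad-hoc remote-access tool launches.

Added example, not part of the original advisory. The log format, host
names, approved-host list and tool list below are assumptions.
"""
import re
from collections import namedtuple

# Executable name prefixes treated as remote-control software. TeamViewer is
# named in the advisory; AnyDesk is an assumed example of a "similar tool".
REMOTE_ACCESS_PREFIXES = ("teamviewer", "anydesk")

# Hosts on which IT support is expected to run remote-control software (assumed).
APPROVED_HOSTS = {"it-helpdesk-01", "it-helpdesk-02"}

# Parents that indicate an interactive "download and run" launch rather than
# a managed deployment.
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Binary started from a user download or temp directory, i.e. not a managed install.
UNMANAGED_PATH = re.compile(r"\\(downloads|desktop|temp)\\", re.IGNORECASE)

# key=value tokens; values may be quoted when they contain spaces.
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

Alert = namedtuple("Alert", "ts host user image reasons")

# Constructed sample process-creation events (not real telemetry).
SAMPLE_LOG = [
    'ts=2024-05-02T09:14:03Z host=it-helpdesk-01 user=CORP\\svc.helpdesk '
    'image="C:\\Program Files\\TeamViewer\\TeamViewer.exe" parent="C:\\Windows\\explorer.exe"',
    'ts=2024-05-02T10:41:27Z host=fin-ws-117 user=CORP\\j.doe '
    'image="C:\\Users\\j.doe\\Downloads\\TeamViewer_Setup.exe" '
    'parent="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"',
    'ts=2024-05-02T10:42:10Z host=fin-ws-117 user=CORP\\j.doe '
    'image="C:\\Windows\\System32\\notepad.exe" parent="C:\\Windows\\explorer.exe"',
    'ts=2024-05-02T11:05:44Z host=hr-ws-044 user=CORP\\m.lee '
    'image="C:\\Program Files\\AnyDesk\\AnyDesk.exe" parent="C:\\Windows\\explorer.exe"',
]


def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in LINE_RE.findall(line)}


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the risk indicators for a process-creation event, or [] if none.

    A remote-access tool on an approved host, installed under a managed path
    and not launched from a browser or mail client, produces no indicators.
    """
    image = event.get("image", "")
    exe = basename(image)
    if not exe.startswith(REMOTE_ACCESS_PREFIXES):
        return []
    reasons = []
    if event.get("host", "").lower() not in APPROVED_HOSTS:
        reasons.append("host not on approved remote-support list")
    if UNMANAGED_PATH.search(image):
        reasons.append("binary run from an unmanaged user path")
    parent = basename(event.get("parent", ""))
    if parent in USER_FACING_PARENTS:
        reasons.append(f"spawned by {parent}, consistent with a mid-call download")
    return reasons


def scan(lines):
    """Apply evaluate() to every log line and collect the events that alert."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if not event:
            continue
        reasons = evaluate(event)
        if reasons:
            alerts.append(Alert(event.get("ts"), event.get("host"),
                                event.get("user"), event.get("image"), reasons))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.host} {alert.user} {alert.image}")
        for reason in alert.reasons:
            print(f"    - {reason}")
```

The rule deliberately produces no alert for the helpdesk host running a managed TeamViewer install, so that reviewers are not trained to ignore a noisy signal; the useful output is the second and fourth events, where the tool appears on a finance or HR workstation and, in the first of those, was pulled down through a browser into the user’s Downloads folder. In a real EDR deployment the same logic maps onto a process-creation query keyed on image name, parent image and host group.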
- Limit Administrative Privileges
  - Follow the principle of least privilege: staff should only have access to the systems and data necessary for their roles.
  - Segment networks so that a breach in one department does not compromise the entire infrastructure.
- Incident Response Plan and Testing
  - Develop a clear incident response plan detailing steps to identify, contain, eradicate, and recover from phishing or vishing breaches.
  - Test this plan regularly with tabletop exercises and simulated phishing/vishing attacks.
- Patch Management
  - Keep all systems and software (including Microsoft products and remote-access software) up to date.
  - Ensure prompt patching of zero-day and known critical vulnerabilities.
Conclusion
The Big Game Hunting group’s methods underscore the importance of employee training and internal policies around verifying caller identities before granting any remote access. While technical defenses (firewalls, EDR, network segmentation) are essential, the human factor is often the weakest link and must be addressed through rigorous awareness programs and strict process controls.