
Proofpoint Analysis : APT Groups Target Journalists


APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.

Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations. 

Targeting journalists

Proofpoint monitored the activities of the APT group TA412, also known as Zirconium, which attacked journalists based in the US. The nation-state hackers sent phishing emails carrying web beacons (tracking pixels, tracking beacons, web bugs): an invisible, hyperlinked element embedded in the email body that reports back when the message is opened.

Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not every group, however, goes to the trouble of breaching journalists' data; some impersonate journalists instead. This approach has mostly been used by Iranian actors such as TA453 (Charming Kitten), who sent emails to academics and Middle East policy experts while posing as reporters.

Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.

It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.

Luna Moth: Hackers After the Subscription Scam 

Luna Moth is a new data extortion group that has been breaking into businesses to steal their data. The hackers then threaten to make the stolen records publicly accessible unless the victims pay a ransom.

The hacker group adopted the alias Luna Moth and has been engaged in phishing efforts since at least March in which remote access tools (RAT) were distributed, enabling corporate data theft.

How does the scam work?

The Luna Moth group has been analyzed by the incident response team at cybersecurity firm Sygnia, which noted that the actor is attempting to establish a reputation under the name Silent Ransom Group (SRG).

In a published report, Sygnia says that although the goal of Luna Moth, also tracked as TG2729, is to acquire key data, its method of operation is closer to that of a scammer.

The organization has been posing as Zoho MasterClass Inc. and Duolingo over the last three months, operating a widespread phishing scam.  The malicious emails are sent from Gmail accounts that were altered to look like official company email accounts, claiming to be from the Zoho Corporation or Duolingo.

Domains used

The first verified campaign-related domain was registered in April 2022. Both the exfiltration and phishing domains are hosted by the service provider Hostwinds and registered through Namecheap.

The two primary sets of domains and IPs that make up Luna Moth's infrastructure can be tied to the subscription fraud:

  • Exfiltration domains under the XYZ TLD, such as maaays[.]xyz. The group uses these domains as the endpoint for data exfiltrated with Rclone.
  • Phishing sites such as masterzohoclass[.]com that pretend to be associated with Duolingo or Zoho. Most of these domains are live for four hours or less.

Standard tools

Atera, Splashtop, Syncro, and AnyDesk are among the legitimate remote administration tools (RATs) the hackers mainly employ to control compromised devices. These tools also give the hackers flexibility and persistence: even if one of the RATs is removed from the system, the others can be used to reinstall it. The group also uses off-the-shelf tools such as SharpShares and SoftPerfect Network Scanner.

The tools are stored on victim systems under fake names that make them appear legitimate. Alongside the RATs, they enable the threat actors to conduct basic reconnaissance, gain access to additional resources, and steal data from compromised networks.



Malicious Emails have the Potential to Bring Down Cisco Email Security Appliances

 

Cisco notified customers this week that its Email Security Appliance (ESA) product is vulnerable to a high-severity denial of service (DoS) vulnerability that may be exploited using specially crafted emails. The CVE-2022-20653 vulnerability affects the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA. It is remotely exploitable and does not require authentication. 

This vulnerability is caused by the software's insufficient error handling in DNS name resolution. An attacker could take advantage of this flaw by sending specially crafted email messages to a vulnerable device. A successful exploit could allow the attacker to make the device unavailable from management interfaces or unable to process additional email messages for a period of time until the device recovers, resulting in a denial of service (DoS) condition. Repeated attacks could render the device fully inoperable, resulting in a persistent DoS condition, the company said.

This vulnerability affects Cisco ESA devices running a vulnerable version of Cisco AsyncOS Software with the DANE functionality enabled and downstream mail servers configured to deliver bounce messages. 

Customers can prevent exploitation of this vulnerability by configuring bounce messages on the Cisco ESA rather than on downstream dependent mail servers. While this workaround has been deployed and confirmed to be functional in a test environment, users should evaluate its applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation deployed may have a negative impact on network functionality or performance due to the circumstances and limitations of their particular deployment.

"Cisco has released free software updates that address the vulnerability described. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license," the company said. 

Cisco has given credit to numerous persons who worked with the Dutch government's ICT services company DICTU for reporting the security flaw. According to the networking behemoth, there is no evidence of malicious exploitation. 

Cisco also issued two advisories this week, informing users of medium-severity issues impacting Cisco RCM for Cisco StarOS software (DoS vulnerability), as well as Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (XSS vulnerability).

IKEA's Email System Hit by a Cyber Attack

 

Threat actors are targeting IKEA employees in an internal phishing attack via malicious reply-chain email links. 

As reported by BleepingComputer, email reply-chain phishing begins with the takeover of a legitimate email account, which is then used to send malicious emails to its contact lists. In turn, the malicious email spreads further, in this case into IKEA's internal mailboxes.

"There is an ongoing cyber-attack that is targeting Inter IKEA mailboxes. Other IKEA organizations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA," explained an internal email sent to IKEA employees.

"This means that the attack can come via email from someone that you work with, from any external organization, and as a reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious." 

The above message warns employees to remain vigilant and explains that the fraudulent emails are difficult to detect because they arrive from compromised mailboxes of colleagues and partners. The reply-chain emails contain links ending in seven digits, and employees have been asked to watch for such links and avoid clicking on them or even opening suspicious emails. Employees are also told to notify the sender of such emails via Microsoft Teams chat.

According to Trend Micro, attackers have recently started to exploit internal Microsoft Exchange servers via the ProxyShell and ProxyLogon vulnerabilities to perform phishing attacks. Once they secure access to a server, they use stolen internal reply-chain emails to evade detection.

Another concern is that recipients may release the malicious phishing emails from quarantine, thinking they were caught by the filters by mistake. For this reason, IKEA is disabling the ability for employees to release emails until the attack is resolved.

"Our email filters can identify some of the malicious emails and quarantine them. Due to that, the email could be a reply to an ongoing conversation, it's easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine," IKEA communicated to employees.

Threat Actors Use Tiny Font Size to Bypass Email Filters in BEC Phishing Campaign

 

A new Business Email Compromise (BEC) campaign targeting Microsoft 365 users employs an array of innovative, sophisticated tactics in its phishing emails to avoid security protections.

Researchers at email security firm Avanan first discovered the campaign in September. It fools natural language processing filters by hiding text in a one-point font size within the emails. Attackers are also concealing links within the Cascading Style Sheets (CSS) of their phishing emails, one more tactic that serves to confuse pure language filters such as Microsoft's Natural Language Processing (NLP), the researchers stated in a report.

According to cybersecurity expert Jeremy Fuchs, the One Font campaign also includes messages with links coded within the <font> tag, which defeats email filters that rely on natural language for analysis.

 “This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Natural language filters see random text; human readers see what the attackers want them to see,” Fuchs explained.

In 2018, researchers uncovered a similar campaign called ZeroFont, which employed comparable strategies to get past Microsoft NLP in its Office 365 security protections. That campaign inserted concealed text with a font size of zero inside messages to fool email scanners that rely on natural language processing to spot malicious emails.
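Both tricks described on this page, the invisible web beacons used against journalists and the One Font / ZeroFont text hiding, share a defensive fix: analyze the HTML body as the reader will see it, not as the filter receives it. The following script is an added example (not code from Avanan, Proofpoint or the campaigns themselves) that parses an HTML email, separates the text a human would see from text hidden by tiny font sizes, <font size="0"> or CSS, and flags remote 1x1 or hidden images as beacons. The sample message, the thresholds (1px/1pt, 0.1em, 10%) and the domains used are constructed assumptions for illustration.

```python
"""Added example: separate what a reader sees from what a filter receives.

Detects (a) web beacons: remote images that are 1x1 or hidden, and
(b) text hidden with near-zero font sizes, <font size="0"> or CSS, so
that the text a language filter scores matches what the reader sees.
"""
import re
from html.parser import HTMLParser

# Constructed sample body (not a real phishing message): a 1x1 remote
# tracking pixel plus filler text hidden at 1px and at <font size="0">.
SAMPLE_HTML = """<html><body>
<img src="https://tracker.example.invalid/open?id=ab12" width="1" height="1">
<p>Your password <span style="font-size:1px">lorem ipsum dolor sit amet</span>
expires today. <font size="0">quarterly report attached regards</font>
<a href="https://login.example.invalid/reset">Click here</a> to keep access.</p>
</body></html>"""

VOID_TAGS = {"img", "br", "hr", "meta", "link", "input", "base", "area", "col", "wbr"}
FONT_SIZE = re.compile(r"font-size\s*:\s*(\d*\.?\d+)\s*(px|pt|em|rem|%)?", re.I)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)
DIMENSION = re.compile(r"(?:width|height)\s*:\s*(\d+)", re.I)


def style_hides_text(style: str) -> bool:
    """True if an inline style makes the element's text effectively invisible."""
    if HIDDEN_CSS.search(style):
        return True
    m = FONT_SIZE.search(style)
    if not m:
        return False
    value, unit = float(m.group(1)), (m.group(2) or "px").lower()
    if unit in ("px", "pt"):
        return value <= 1          # thresholds are assumptions for this example
    if unit in ("em", "rem"):
        return value <= 0.1
    return unit == "%" and value <= 10


def _tiny(dim) -> bool:
    """True for an explicit width/height of 1 or less (e.g. "1", "1px", "0")."""
    dim = (dim or "").strip().lower().rstrip("px")
    return dim.isdigit() and int(dim) <= 1


class EmailBodyAnalyzer(HTMLParser):
    def __init__(self):
        super().__init__()
        self._open = []          # (tag, hides) for every open element
        self._hidden_depth = 0   # >0 while inside any hidden element
        self.visible, self.hidden, self.beacons, self.links = [], [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self._check_beacon(a)
            return
        if tag in VOID_TAGS:
            return
        hides = style_hides_text(a.get("style", "")) or (tag == "font" and a.get("size", "").strip() == "0")
        self._open.append((tag, hides))
        self._hidden_depth += hides
        if tag == "a" and a.get("href"):
            # Record every link together with whether the reader can actually see it
            self.links.append((a["href"], self._hidden_depth > 0))

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or tag not in (t for t, _ in self._open):
            return
        # Pop back to the matching open tag, tolerating unclosed inner elements
        while self._open:
            open_tag, hides = self._open.pop()
            self._hidden_depth -= hides
            if open_tag == tag:
                break

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self._hidden_depth else self.visible).append(text)

    def _check_beacon(self, a):
        # A remote image that is 1x1 (attributes or CSS) or hidden only exists to report the open
        src, style = a.get("src", ""), a.get("style", "")
        dims = [a.get("width"), a.get("height")] + DIMENSION.findall(style)
        if src.lower().startswith(("http://", "https://")) and (any(_tiny(d) for d in dims) or style_hides_text(style)):
            self.beacons.append(src)


def analyze(html: str) -> dict:
    p = EmailBodyAnalyzer()
    p.feed(html)
    p.close()
    visible, hidden = " ".join(p.visible), " ".join(p.hidden)
    return {
        "visible_text": visible,   # feed this, not the raw body, to the language filter
        "hidden_text": hidden,     # filler the attacker wanted the filter to score
        "hidden_ratio": len(hidden) / max(1, len(hidden) + len(visible)),
        "beacons": p.beacons,
        "links": p.links,
        "suspicious": bool(p.beacons or hidden),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Running the block on the constructed sample yields a visible text of "Your password expires today. Click here to keep access.", the hidden filler as a separate string, and the tracking URL in `beacons`; a filter that scores `visible_text` sees the password-reset lure the human sees, while a non-empty `hidden_text` or `beacons` list is itself a strong signal worth alerting on.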

According to Avanan analysts, just like ZeroFont, One Font also targets Office 365 enterprises, an action that can lead to BEC, and finally compromise the firm’s network if the emails aren’t flagged and users are duped into handing over their credentials. 

Once it reaches mailboxes and convinces users that it is an authentic message, the One Font campaign employs standard phishing social-engineering techniques to capture their attention. The threat actors then present what appears to be a password-expiration notification, using urgent wording to entice the target to click on a malicious link.

The fraudulent link carries victims to a phishing page where they appear to be entering their credentials in order to update their passwords. Instead, threat actors steal their credentials to use them for malicious purposes. 

How to minimize threats? 

According to Jeremy Fuchs, organizations should opt for a multi-tiered security solution that integrates highly developed artificial intelligence and machine learning, as well as static layers like domain and sender reputation. 

Implementing a security architecture that weighs multiple factors before blocking an email, and requiring corporate users to verify with the IT department before acting on any email that requests a password update, can also help mitigate the risk.

QAKBOT is Employing New Strategies to Target Organizations

 

QAKBOT malware also known as QBot or Pinkslipbot is back in business with new tools and tactics. The malware distributors are using Visual Basic for Applications (VBA) macros alongside Excel 4.0 macros to target organizations. 

Toward the end of September 2021, researchers at Trend Micro spotted that the malware operators are sending malicious spam leading victims to SquirrelWaffle (another malware loader) and QAKBOT. The same malware operators have been identified again in early October, this time conducting brute-force attacks on Internet Message Access Protocol (IMAP) services. 

Targeting IMAP services and email service providers (ESPs) allows threat actors to leverage a potential target's trust in people they have corresponded with before. In this particular campaign, when a target opens the malicious file from the spam email, an auto_open macro attempts to generate a new sheet and set the font color to white.

Typically, the macros execute when the victim opens the document and clicks the "Enable Content" button. Once enabled, the macros read the data embedded in a form control named "UserForm1", which decodes to the hard-coded QAKBOT payload hosts.

QAKBOT is a banking trojan that was first discovered in 2007. In recent years, QakBot's operators have invested heavily in its development, turning this Trojan into one of the most powerful and dangerous samples of its type. It has been identified as a key "malware installation-as-a-service" botnet that enables many of today's campaigns.

According to Trend Micro researchers, the reemergence of QAKBOT malware is likely a signal that malware distributors might attempt to monetize some of these infections using ransomware in the coming weeks.

“QakBot is unlikely to stop its activity anytime soon. This malware continuously receives updates and the threat actors behind it keep adding new capabilities and updating its modules in order to maximize the revenue impact, along with stealing details and information. Previously, we’ve seen QakBot being actively spread via the Emotet botnet. This botnet was taken down at the beginning of the year, but judging by the infection attempt statistics, which have grown in comparison to the last year, the actors behind QakBot have found a new way of propagating this malicious software,” stated Haim Zigel, malware analyst at Kaspersky.

HM Treasury of UK Received Five Million Malicious Emails in Past Three Years

 

Her Majesty's Treasury, the UK government department responsible for the country's financial policy, has been hit by almost five million malicious email attacks in the previous three years, according to official figures.

A Freedom of Information (FoI) request submitted by the think tank Parliament Street revealed that 4,870,389 phishing, malware and spam emails targeting HM Treasury were blocked in this period. This comprised 1,271,207 malicious email attacks from October 2018 to September 2019, 1,918,944 from October 2019 to September 2020, and 1,680 from October 2020 to September 2021.

The information comes as Chancellor Rishi Sunak prepares to deliver the UK government's annual budget, which is anticipated to include pledges around cybersecurity, such as funding to reduce the digital skills gap.

The figures highlight the escalating determination of threat actors to access and steal confidential government information. Earlier this week, Parliament Street disclosed that more than 126 million malicious emails had been fired at House of Commons inboxes this year, a 358% increase on the overall figure for 2020. However, there was no specific data on how many threats slipped past email filters over this period.

The number of malicious emails blocked by HoC filters in 2018 was 15.7 million, which surged to nearly 30.3 million in 2019, but then dropped again to almost 28 million in 2020. With 126.4 million malicious emails recorded up to September this year, Parliament Street believes the total for 2021 could reach as high as 150 million.

“The ever-present cyber threat facing public sector organizations is not going to disappear any time soon. In fact, recent trends indicate that cyber-attacks are likely to become more sophisticated, and criminals will find new ways to breach systems, disrupt apps and websites, and steal sensitive data,” Chris Ross, SVP International for Barracuda Networks, said. 

“This is why it is imperative that organizations defend themselves from all angles, with web application firewalls, to protect cloud infrastructure and network, email inbox defense software, to help defend against the onslaught of phishing attacks targeting employees, and a third-party data backup solution, to protect data and organizations against the growing ransomware threat,” he added.

DocuSign Phishing Campaign is Aimed Against Lower-Level Employees

 

Phishing attacks involving non-executive staff with access to sensitive corporate information are on the rise. According to Avanan researchers, non-executives were impersonated in half of all phishing emails reviewed in the previous several months, while 77% targeted employees at the same level. 

Previously, phishing attacks were aimed at fooling senior business people, with phishing actors impersonating CEOs and CFOs. After gathering the appropriate information, attackers would pose as the company's CEO or another high-ranking official and email finance personnel requesting money transfers to an account they control.

"Security admins might be spending a lot of time providing extra attention to the C-Suite and hackers have adjusted. At the same time, non-executives still hold sensitive information and have access to financial data. Hackers realized, there is no need to go all the way up the food chain," researchers said. 

This made sense because sending orders and making urgent requests as a high-ranking employee enhances the likelihood of the receiver complying with these messages. Phishing actors switched to lower-ranking individuals who can nonetheless serve as great entry points into corporate networks, as CEOs became more alert and security teams in large firms built additional measures around those "important" accounts. 

In their emails, the malicious actors suggest using DocuSign as an alternative signing option, prompting recipients to enter their credentials in order to read and sign the document. These emails are not from DocuSign, despite the fact that they appear to be.

DocuSign, Inc. is an American firm based in San Francisco, California that helps businesses handle electronic contracts. DocuSign's Agreement Cloud includes eSignature, which allows users to sign documents electronically on a variety of devices. DocuSign has over a million customers and hundreds of millions of users across the globe. DocuSign's signatures, including EU Advanced and EU Qualified Signatures, are consistent with the US ESIGN Act and the European Union's eIDAS regulation. 

Rather than spoofing DocuSign notifications, phishing scammers in August were signing up for free accounts with the cloud-based document signature service, and compromising the accounts of others, in order to fool email recipients into clicking on malicious links, according to researchers.

When an email appears in your inbox, it's vital to read it carefully for any signs of fraud. According to the researchers, unsolicited files, spelling errors, and requests for your credentials should all be treated with caution. Phishing attempts based on DocuSign aren't exactly new, and several threat actors have taken advantage of them to steal login passwords and deliver malware.

Russia-Linked TA505 Targets Financial Organizations in MirrorBlast Phishing Campaign

 

Russia-based threat group TA505 is deploying a weaponized Excel document in a new malware campaign, tracked as MirrorBlast, targeting financial organizations. 

According to cybersecurity experts at Morphisec Labs, the most significant feature of the new MirrorBlast campaign is the low detection rate of its malicious Excel documents by security software, putting organizations that rely solely on detection tools at high risk.

Evasive technique 

The operators of the campaign use phishing emails to mount the first phase of the attack. The initial email contains an Excel document that uses a macro. The macro, which can only be executed on a 32-bit version of Office due to ActiveX compatibility issues, contains a lightweight Office file designed to bypass detection.

"The macro code performs anti-sandboxing by checking if these queries are true: computer name is equal to the user domain; and username is equal to admin or administrator," the researchers explained. "We have observed different variants of the document; in the first variants there wasn’t any anti-sandboxing and the macro code was hidden behind the Language and Code document information properties. Later it moved to the sheet cells. In addition, the code has added one more obfuscation layer on top of the previous obfuscation." 

Once the macro runs, the command executes JScript, which spawns the msiexec.exe process responsible for downloading and installing the MSI package. According to researchers who analyzed several samples, the dropped MSI package comes in two variants, one written in REBOL and one in KiXtart.

Subsequently, the MSI package sends the machine's information to a command and control (C2) server, including the computer name, user name, and a list of running processes. The C2 server then responds with a code telling the software how to proceed. The campaign also uses a Google feed proxy URL with a fraudulent message requesting the user to access a SharePoint or OneDrive file. This helps the attackers evade detection, Morphisec said.

Since September 2021, the malware campaign has targeted multiple institutions in regions such as Canada, the US, Hong Kong, and Europe. Morphisec tied the attack to TA505, an active Russian threat group that has been operating since 2014 and has a long history of creativity in the manner they lace Excel documents in phishing campaigns. 

In this malware campaign, researchers observed certain aspects of the attack that led them to attribute it to TA505. This includes the infection chain and installer script. It also uses similar domain names to other TA505 attacks and an MD5 hash that matches one used in another of the group's assaults.

MSHTML Attack Targets Russian State Rocket Centre and Interior Ministry

 

An MSHTML vulnerability listed under CVE-2021-40444 is being used to target Russian entities, as per Malwarebytes. 

Malwarebytes Intelligence has detected email attachments aimed specifically at Russian enterprises. The first template they discovered is structured to resemble an internal communication within JSC GREC Makeyev.

The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic asset of the country's defence and industrial complex for both the rocket and space industries. It is also the primary manufacturer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia's largest research and development centres for developing rocket and space technology. 

The email purports to be from the organization's Human Resources (HR) department. It states that HR is conducting a check of the personal information given by employees, who are asked to fill out a form and send it to HR, or to respond to the email.

To fill out the form, the recipient must allow editing, and that action alone is sufficient to trigger the exploit. When the target opens the malicious Office document, MSHTML loads a specially crafted ActiveX control, which can then execute arbitrary code and infect the machine with further malware.

The second file Malwarebytes discovered appears to come from Moscow's Ministry of the Interior. This attachment could be used against a variety of interesting targets. The document's title translates to "Notification of illegal activity."

It requests that the recipient complete the form and submit it to the Ministry of Internal Affairs, or respond to the email. It also encourages the targeted victim to do so within seven days. 

Malwarebytes further stated, they seldom come across proof of cybercrime against Russian targets. Given the targets, particularly the first, they think a state-sponsored actor is behind these assaults, and are investigating the source of the strikes. 

Vulnerability Patch

The CVE-2021-40444 vulnerability involves rather dated technology (ActiveX), yet it was only recently discovered. It wasn't long before threat actors were posting proofs-of-concept, tutorials, and exploits on hacker forums, allowing anybody to conduct their own attacks by following step-by-step instructions.

Microsoft immediately issued mitigation instructions that blocked the installation of new ActiveX controls and managed to squeeze a fix into its most recent Patch Tuesday release, just a few weeks after the flaw was made public. 

The time it takes to build a patch, however, is frequently overshadowed by the time it takes users to apply it. Organizations, particularly large ones, are frequently found to be far behind in patching, so the likelihood of further attacks like these increases.

Employees in Retail Industry Most Frequently Targeted by Malicious Emails, New Study Reveals

 

A new study from security firm Tessian highlights the sophisticated techniques employed by threat actors to evade detection and trick employees. Between July 2020 and July 2021, two million malicious emails bypassed traditional email defenses such as secure email gateways, placing many employers at risk of data breach and cyber fraud.

According to the study, the retail industry was targeted far more than any other, with the average employee in this sector receiving 49 malicious emails a year. This is significantly higher than the overall average of 14 emails per user per year. Employees in the manufacturing industry were also identified as major targets, with the average worker receiving 31 malicious emails a year.

The most common technique employed by the attackers was display name spoofing (19%), where the hacker modifies the sender’s name and disguises themselves as someone the victim recognizes. Domain impersonation, where the attacker sets up an email address that looks like a legitimate one, was used in 11% of threats discovered. The brands most likely to be impersonated were Microsoft, ADP, Amazon, Adobe Sign, and Zoom. 
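The two header-level techniques named above, display name spoofing and domain impersonation, can be checked mechanically before a message reaches the inbox. The following script is an added example (not Tessian's code or any product's) that parses a From: header, flags a display name that invokes a known party while the sender domain is not that party's, and flags sender domains that are a homoglyph, one-character typo or "brand-plus-words" variant of a trusted domain. The sender directory, the trusted domains and the test headers are constructed assumptions; the registrable-domain helper deliberately ignores multi-part public suffixes such as co.uk.

```python
"""Added example: flag display-name spoofing and look-alike sender domains
in a From: header, the two impersonation techniques the study lists."""
from email.utils import parseaddr

# Constructed directory (hypothetical values): parties the recipient
# knows, mapped to the domains they legitimately send from.
KNOWN_SENDERS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "amazon": {"amazon.com"},
    "zoom": {"zoom.us"},
    "jane doe": {"example.com"},      # an internal colleague
}
OWN_DOMAINS = {"example.com"}
TRUSTED_DOMAINS = sorted(OWN_DOMAINS.union(*KNOWN_SENDERS.values()))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(domain: str) -> str:
    """Collapse look-alike characters so 'rnicros0ft' compares equal to 'microsoft'.
    Applied to both sides, so a legitimate 'modern' also becomes 'modem'; that is
    a deliberate trade-off in favour of catching impersonation."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01345", "oleas"))


def registrable(domain: str) -> str:
    """Last two labels (assumption: no multi-part public suffixes like co.uk)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def analyze_from(header: str) -> list:
    """Return a list of findings for one From: header; an empty list means clean."""
    name, addr = parseaddr(header)
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reg = registrable(domain)
    findings = []

    # Display name spoofing: the name invokes a known party but the domain is not theirs.
    for party, domains in KNOWN_SENDERS.items():
        if party in name and reg not in domains:
            findings.append(f"display name claims '{party}' but sender domain is {reg}")
    # A display name that is itself an address at another domain is the same trick.
    if "@" in name and name.rsplit("@", 1)[-1] != domain:
        findings.append("display name contains an address at a different domain")

    # Domain impersonation: a near-miss of a trusted domain (homoglyphs, a single
    # typo, or the brand label padded with extra words such as 'brand-support').
    if reg and reg not in TRUSTED_DOMAINS:
        norm = normalize_homoglyphs(reg)
        for trusted in TRUSTED_DOMAINS:
            t_norm = normalize_homoglyphs(trusted)
            brand = t_norm.split(".")[0]
            if (norm == t_norm or levenshtein(norm, t_norm) <= 1
                    or (len(brand) >= 5 and brand in norm.split(".")[0])):
                findings.append(f"sender domain {reg} resembles trusted domain {trusted}")
                break
    return findings


if __name__ == "__main__":
    # Constructed headers, not taken from any real campaign
    for h in ['"Jane Doe" <jane.doe@example.com>',
              'Amazon <no-reply@amaz0n.com>',
              '"Microsoft Account Team" <security@rnicrosoft-login.com>']:
        print(h, "->", analyze_from(h) or "clean")
```

In a gateway this check runs on the parsed From: header before any content analysis, and the directory of known parties is what makes it useful: without a list of who the organization actually corresponds with, and from which domains, neither display-name spoofing nor a near-miss domain can be told apart from a legitimate new correspondent.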

Threat actors also targeted employees in the legal and financial services industries through account takeover attacks. In this method, the malicious emails come from a trusted vendor or supplier’s legitimate email address. They likely won’t be flagged by a secure email gateway as suspicious and to the person receiving the email, it would look like the real deal. 

Interestingly, less than one quarter (24%) of the emails examined in the study contained an attachment, while 12% contained neither a URL nor file — the typical indicators of a phishing attack. Links, however, do still prove to be a popular and effective payload, with 44% of malicious emails containing a URL.

The study also found that threat actors tend to deliver malicious emails around 2 p.m. and 6 p.m., in the hope that a phishing email sent in the late afternoon will slip past a tired or distracted employee.

“Gone are the days of the bulk spam and phishing attacks, and here to stay is the highly targeted spear phishing email. Why? Because they reap the biggest rewards. The problem is that these types of attacks are evolving every day. Cybercriminals are always finding ways to bypass detection and reach employees’ inboxes, leaving people as organizations’ last line of defense. It’s completely unreasonable to expect every employee to identify every sophisticated phishing attack and not fall for them. Even with training, people will make mistakes or be tricked,” said Josh Yavor, Tessian’s CISO.

“Businesses need a more advanced approach to email security to stop the threats that are getting through – the attacks that are causing the most damage – because it’s not enough to rely on your people 100% of the time,” he added.