Another week goes by with an abundance of malicious activity. From nation-state threat actors reportedly targeting millions of consumers across Singapore, South Korea, Japan, India, Great Britain, and the US with Coronavirus phishing campaigns, to nefarious groups impersonating Defense company recruiters and sending fake job offers via LinkedIn, to stealthy cyber espionage in Eastern Europe, and finally to ransomware operators lurking around the enterprise in the post-infection phase, the criminal contingent is restless and merciless.
This week's newsletter will cover:
- Secure email gateway bypasses
- Industry-specific cyberattacks
- Incident response during a ransomware infection
Secure email gateway bypasses
In addition to custom zip files, CSS tricks and compromised SharePoint sites, evil parties continue to explore options to bypass the victims’ security email filters.
- Following the hack of an Oxford University email server, notorious individuals have launched a phishing campaign to harvest Microsoft Office 365 credentials from European, Asian, and Middle Eastern targets. Besides impersonating the university’s brand, the hijackers have leveraged a domain hosted on an Adobe server and previously used by Samsung to be more plausible.
- In other malicious activities, researchers have seen the use of:
  - Tailored phishing messages to individual recipients to elude mass email filters.
  - Email accounts with whitelisted providers such as Gmail and Yahoo to sneak past SPF, DKIM and DMARC authentication. The aforementioned technologies help against email spoofing, i.e., they check whether the email was actually sent from the domain it claims to originate from.
  - New domains that are not yet flagged as suspicious.
  - Valid SSL certificates.
  - Security questions to give a sense of legitimacy.
Recommendation: Educate employees on the risks of social engineering and regularly test their understanding. Invest in email monitoring technologies that rely on machine learning and AI to detect abnormal behavior.
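The point about whitelisted providers is worth seeing in header form. The following is an added example, not code from the newsletter or from AMATAS: it parses the Authentication-Results header a receiving gateway adds and shows why spf/dkim/dmarc "pass" is necessary but not sufficient. The three messages, the gateway name mx.corp.test, the domains corp.test, gmail.com and yahoo.com, and the triage rules are all constructed for the exercise.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not real mail. The Authentication-Results
# header is what the receiving gateway (mx.corp.test, assumed) would add.
SPOOFED = """\
From: Payroll <payroll@corp.test>
To: alice@corp.test
Subject: Update your account
Authentication-Results: mx.corp.test; spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=corp.test; dkim=none; dmarc=fail header.from=corp.test

Please log in at the link below.
"""

WEBMAIL = """\
From: HR Department <hr.recruiter.2020@gmail.com>
To: alice@corp.test
Subject: Job offer - action required
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com

Answer the attached security questions to confirm your identity.
"""

INTERNAL = """\
From: IT <it@corp.test>
To: alice@corp.test
Subject: Weekly report
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=corp.test; dkim=pass header.d=corp.test; dmarc=pass header.from=corp.test

Report attached.
"""

ORG_DOMAINS = {"corp.test"}                    # assumed: the domains we own
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com"}   # providers anyone can sign up with
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(header):
    """Extract spf/dkim/dmarc outcomes from an RFC 8601 Authentication-Results value."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, outcome in AUTH_RE.findall(header):
        results[method.lower()] = outcome.lower()
    return results


def triage(raw):
    """Return a verdict ('reject', 'review' or 'deliver') and the reasons behind it."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    # 1. Spoofing: mail claiming one of our own domains must pass DMARC,
    #    and any outright failure is a rejection.
    if domain in ORG_DOMAINS and auth["dmarc"] != "pass":
        reasons.append("claims %s but DMARC=%s" % (domain, auth["dmarc"]))
    if "fail" in auth.values():
        reasons.append("authentication failure: %s" % auth)
    if reasons:
        return {"verdict": "reject", "auth": auth, "reasons": reasons}

    # 2. All three passed, but that only proves the mail really came from the
    #    sending domain. A freshly registered webmail account passes just as well,
    #    so the sender's identity still has to be judged by other signals.
    if domain in WEBMAIL_DOMAINS:
        reasons.append("authenticated webmail sender (%s); identity not vouched for" % domain)
        if display_name:
            reasons.append("display name '%s' on a webmail address" % display_name)
        return {"verdict": "review", "auth": auth, "reasons": reasons}

    return {"verdict": "deliver", "auth": auth, "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("webmail", WEBMAIL), ("internal", INTERNAL)):
        print(name, triage(raw))
```

The "review" verdict is the practical lesson: a gateway that treats an SPF/DKIM/DMARC pass as a clean bill of health will deliver the webmail message, so the decision has to bring in sender reputation, the display name versus address mismatch, and the user-awareness training the recommendation calls for.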
Banking | Financial Services
Researchers have flagged social engineering attempts against a series of banks across the United States as well as two in the Netherlands and Canada. These initiatives deploy the Qbot malware using web redirects. Besides information stealing, key logging and backdoor deployment, the latest version of the nefarious program comes with detection evasion (new packing layer to hide code from signature-based scanners) and anti-sandbox techniques.
In another COVID-19-themed campaign against United States financial institutions, a new variant of the IcedID banking trojan has also been observed. According to analysts, the authors have boosted its anti-detection capabilities.
In its most recent version, IcedID has changed its tactics by:
- Injecting malicious code into the legitimate “msiexec.exe” process to make it look like a normal installation of a Windows application.
- Using steganography to hide encrypted modules and configuration files.
- Concealing encrypted strings within files with missing PE headers to hinder analysis efforts.
- Achieving persistence after reboot via hourly scheduled tasks.
- Beaconing out to multiple domains to blend its C2 communication with normal traffic.
- Sniffing Firefox, Chrome and Internet Explorer browser activity by proxying all browser connections through msiexec.exe. To achieve full control of the browsers, the malware creates a local proxy that listens on 127.0.0.1:56654, installs API hooks, and generates a self-signed certificate in the %TEMP% folder.
Following a multi-stage dropping, loading, and unpacking process, the main module of IcedID is downloaded from “cucumberz99.club” as a PNG file, decrypted using the RC4 algorithm and keys embedded in the file itself, and deployed to steal financial data on the fly via injected web forms.
Recommendation: Educate employees on the risks of social engineering and regularly test their understanding.
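The IcedID behaviours listed above (a loopback proxy on 127.0.0.1:56654 inside msiexec.exe, beaconing to several domains, an hourly scheduled task, a certificate dropped in %TEMP%) translate directly into host-hunting checks. The script below is an added example, not code from the newsletter, AMATAS or any of the cited vendors: it runs those checks over a constructed host snapshot in the shape an EDR export would give. Every PID, path, task name and host name in the snapshot is made up, and the thresholds (three remote hosts, a 60-minute interval) are assumptions a team would tune.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed host snapshot, shaped like an EDR export or a few Sysinternals-style
# listings. Every path, PID, task name and host name here is made up.
SNAPSHOT = {
    # (pid, image path, local listening address)
    "listeners": [
        (1204, r"C:\Windows\System32\svchost.exe", "0.0.0.0:135"),
        (4412, r"C:\Windows\System32\msiexec.exe", "127.0.0.1:56654"),
    ],
    # (pid, image path, remote host)
    "connections": [
        (4412, r"C:\Windows\System32\msiexec.exe", "cdn-one.example"),
        (4412, r"C:\Windows\System32\msiexec.exe", "cdn-two.example"),
        (4412, r"C:\Windows\System32\msiexec.exe", "cdn-three.example"),
        (2200, r"C:\Program Files\Mozilla Firefox\firefox.exe", "mozilla.org"),
    ],
    # (task name, action path, repeat interval in minutes or None)
    "scheduled_tasks": [
        (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"C:\Windows\System32\defrag.exe", None),
        (r"\Updater_4f2a", r"C:\Users\alice\AppData\Roaming\updsvc\upd.dll", 60),
    ],
    # files currently under %TEMP%
    "temp_files": [
        r"C:\Users\alice\AppData\Local\Temp\setup.log",
        r"C:\Users\alice\AppData\Local\Temp\cert_a1b2.pem",
    ],
}

ICEDID_PROXY_PORT = 56654               # loopback port reported for the IcedID proxy
CERT_EXT = (".pem", ".crt", ".cer", ".pfx")


def image_name(path):
    return PureWindowsPath(path).name.lower()


def hunt(snapshot, min_c2_hosts=3):
    """Return (indicator, detail) tuples for the IcedID-style behaviours.
    Each one is weak on its own; several on the same host is what matters."""
    findings = []

    # 1. msiexec.exe has no business listening on a loopback port.
    for pid, image, local in snapshot["listeners"]:
        if image_name(image) == "msiexec.exe" and local.startswith("127.0.0.1:"):
            port = int(local.rsplit(":", 1)[1])
            tag = "known_icedid_port" if port == ICEDID_PROXY_PORT else "loopback_listener"
            findings.append(("msiexec_" + tag, "pid %d on %s" % (pid, local)))

    # 2. msiexec.exe fanning out to several remote hosts looks like beaconing
    #    that is trying to hide among normal traffic.
    remotes = defaultdict(set)
    for pid, image, host in snapshot["connections"]:
        if image_name(image) == "msiexec.exe":
            remotes[pid].add(host)
    for pid, hosts in remotes.items():
        if len(hosts) >= min_c2_hosts:
            findings.append(("msiexec_multi_host_beacon", "pid %d -> %s" % (pid, sorted(hosts))))

    # 3. An hourly task whose action lives inside a user profile is a
    #    persistence candidate (signed system binaries do not live there).
    for name, action, interval in snapshot["scheduled_tasks"]:
        if interval == 60 and "\\appdata\\" in action.lower():
            findings.append(("hourly_task_in_user_profile", "%s -> %s" % (name, action)))

    # 4. Certificate material dropped in %TEMP%, as the self-signed proxy cert would be.
    for path in snapshot["temp_files"]:
        if "\\temp\\" in path.lower() and path.lower().endswith(CERT_EXT):
            findings.append(("certificate_in_temp", path))

    return findings


if __name__ == "__main__":
    for indicator, detail in hunt(SNAPSHOT):
        print(indicator, detail)
```

In a real deployment the snapshot would come from your EDR's process, network and scheduled-task tables rather than a literal, and the same four rules are straightforward to express as saved queries there; the value of writing them out is that each rule names the specific deviation from normal msiexec.exe behaviour it is looking for.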
Incident response during a ransomware infection
A ransomware attack, especially when it comes to a larger organization, may have been preceded by a complete compromise of the IT environment from backup servers to domain controllers, which allows the threat actors to easily turn off defenses as well as spy on containment, negotiation, and eradication tactics.
Here is what to do in case you become a victim:
- Shut down the network and the computers running on it to prevent ongoing encryption and to deny the hackers access to them.
NOTE: On a machine you are willing to sacrifice, attempt to create a full memory dump.
- Treat the incident as a data breach.
- Assume the perpetrator is still in the network, reading emails and snooping on post-infection activities.
- Communicate via a separate secure channel.
- Perform a full investigation, bringing in external help where needed.
- Audit all internal and public-facing devices for persistence mechanisms, vulnerabilities, weak passwords, and rogue tools.
- Conduct a forensic sweep of the IT infrastructure, focusing on privileged accounts.
- Undertake a full Active Directory review to detect backdoor accounts.
- Consider reimaging all devices on a compromised network.
- Change all domain passwords.
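The Active Directory review step above is the one most teams struggle to make concrete. The following is an added example, not code from the newsletter or from AMATAS: it runs a first-pass triage over an exported list of user objects and surfaces the accounts an investigator should look at first, namely privileged accounts created inside the incident window, privileged accounts with non-expiring passwords or service principal names, and accounts that carry adminCount=1 without currently being in a protected group. The export format, the fixed "now" date, the 30-day window and every account in the list are constructed for the exercise.

```python
from datetime import date

# Constructed export of AD user objects, the kind of thing a
# Get-ADUser -Filter * -Properties ... | Export-Csv run would give once reduced
# to the attributes we need. Every account is made up, and "now" is fixed so
# the example is reproducible.
NOW = date(2020, 5, 20)
PROTECTED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                    "Administrators", "Account Operators", "Backup Operators",
                    "Server Operators"}

USERS = [
    {"sam": "alice", "created": "2016-03-01", "enabled": True,
     "groups": ["Domain Users"], "pwd_never_expires": False,
     "admin_count": 0, "spn": []},
    {"sam": "svc-backup", "created": "2017-09-15", "enabled": True,
     "groups": ["Domain Users", "Backup Operators"], "pwd_never_expires": True,
     "admin_count": 1, "spn": []},
    {"sam": "helpdesk01", "created": "2020-05-17", "enabled": True,
     "groups": ["Domain Users", "Domain Admins"], "pwd_never_expires": True,
     "admin_count": 1, "spn": []},
    {"sam": "a.smith", "created": "2015-01-10", "enabled": False,
     "groups": ["Domain Users"], "pwd_never_expires": False,
     "admin_count": 1, "spn": []},
    {"sam": "svc-sql", "created": "2018-04-02", "enabled": True,
     "groups": ["Domain Users", "Domain Admins"], "pwd_never_expires": True,
     "admin_count": 1, "spn": ["MSSQLSvc/db1.corp.test:1433"]},
]


def review(users, now=NOW, window_days=30):
    """Return {sAMAccountName: [reasons]} for accounts that need a human look."""
    suspects = {}
    for u in users:
        age = (now - date.fromisoformat(u["created"])).days
        priv = PROTECTED_GROUPS & set(u["groups"])
        reasons = []

        # A privileged account that appeared during the incident window is the
        # classic backdoor: created by the intruder, named to look routine.
        if priv and age <= window_days:
            reasons.append("privileged account created %d days ago (%s)"
                           % (age, ", ".join(sorted(priv))))

        # Non-expiring passwords on privileged accounts survive a rotation policy,
        # so they must be reset by hand during the "change all passwords" step.
        if priv and u["pwd_never_expires"]:
            reasons.append("privileged account with a non-expiring password")

        # An SPN on a privileged account exposes that password to offline
        # guessing; it needs a long random password or a managed service account.
        if priv and u["spn"]:
            reasons.append("privileged account with SPN %s" % ", ".join(u["spn"]))

        # adminCount=1 is never cleared automatically: an account that has it but
        # sits in no protected group was privileged at some point. Find out when
        # and by whom it was removed, especially if the account is now disabled.
        if u["admin_count"] == 1 and not priv:
            state = "disabled" if not u["enabled"] else "enabled"
            reasons.append("adminCount=1 but not in a protected group (%s account)" % state)

        if reasons:
            suspects[u["sam"]] = reasons
    return suspects


if __name__ == "__main__":
    for sam, reasons in review(USERS).items():
        print(sam)
        for r in reasons:
            print("   -", r)
```

The output is a worklist, not a verdict: svc-backup and svc-sql may be perfectly legitimate service accounts, but during a post-ransomware review every privileged credential with a non-expiring password has to be rotated explicitly, and helpdesk01 (a Domain Admin created three days before the fixed "now") is exactly the kind of object the review step exists to catch.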
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing firstname.lastname@example.org.
Amatas, Cyware, F5 Labs, ZDNet, Bleeping Computer, IT Security Guru, TechRepublic, Armorblox, Juniper Threat Labs, Threatpost, Advanced Intel, McAfee, The Hacker News, ESET, Creative Commons