Blog
by titanadmin | Nov 23, 2022 | Phishing & Email Spam |
This month has seen a return of the Emotet botnet after a 4-month period of inactivity, with a high-volume email campaign identified that is increasing the size of the botnet. Emotet started life as a banking Trojan but has been updated over the years to add new functionality. Devices infected with Emotet are added to the botnet and can be used for a variety of purposes, but one of the main functions of Emotet is as a malware dropper, delivering additional malicious payloads on devices once the botnet operator has achieved their own goals. Currently, Emotet is being used to drop a new variant of the IcedID loader. IcedID is a banking Trojan that is similarly used to drop other malware variants.
Emotet is primarily spread via phishing emails, with the campaigns typically consisting of hundreds of thousands of emails a day. The lures used in these messages are often changed, but the threat actor behind Emotet tends to opt for traditional lures such as IRS notifications and business-themed emails. The Emotet Trojan is able to hijack message threats from infected devices and reply, including a copy of itself in the emails. Since the emails come from a genuine email account and appear to be a response to a past conversation, the probability of the recipient opening the email and attachment is all the greater.
The emails in the latest campaign still use XLS attachments with Auto_Open macros to deliver the malicious payload, despite Microsoft disabling macros in files delivered via the Internet. In some of the emails, the .xls file is directly attached to the email, although it is commonly included in a .zip file. The zip files are often password-protected to prevent them from being scanned by email security solutions, with the password – and often little else other than the file name and a signature – included in the message body.
To get around Microsoft’s macro protections, the user is advised when they open to the .xls file to copy the file to a whitelisted directory and reopen it. The user is told this is a necessary requirement of their security policy to be able to view the contents of the file, with instructions provided for different Microsoft Office versions. By copying the file to the suggested location and then reopening it, Microsoft’s protections will not be applied, and the macro will be able to run. The latest campaign is predominantly targeting the United States, although it is likely that the campaign will be expanded to target other geographical regions.
Defending against Emotet requires a combination of measures. While email security solutions such as SpamTitan can detect and block Emotet phishing emails, a defense-in-depth approach is recommended that includes comprehensive security awareness training for the workforce and more advanced endpoint detection solutions than standard antivirus software.
TitanHQ offers security awareness training and phishing simulations through the SafeTitan platform which trains employees how to recognize the phishing emails that are being used to deliver Emotet. The phishing simulator includes real-world examples of the types of emails that the gang uses to trick employees into installing Emotet.
For further information on improving your defenses against Emotet and other email threats, give the TitanHQ team a call. All TitanHQ cybersecurity solutions are available on a free trial to allow you to test them for effectiveness and usability before making a decision about a purchase.
by titanadmin | Nov 18, 2022 | Phishing & Email Spam |
A new malware variant called StrelaStealer has been identified that is being distributed via email that targets credentials for two of the most popular email clients: Outlook and Thunderbird. This previously unknown malware was first identified earlier this month, and so far, has been used to target Spanish speakers.
The campaign was identified by security researchers at DCSO CyTec. The intercepted emails have an ISO (optical disc image) file attachment. These files contain all the data that would normally be written to an optical such as a CD, DVD, or Blu-ray disc, sector by sector, with the content bundled into a single file.
One of the files analyzed by the researchers contained an executable file that sideloads the malware contained in the ISO file via DLL order hijacking. The ISO file also contains a .lnk file and polyglot file. A polyglot file can be treated as several different file formats depending on the application that opens it. In this case, the polyglot file is an x.html file, which is both an x.html file and a DLL program that loads StrelaStealer malware. Execution sees the malware loaded in the memory and simultaneously a decoy document is displayed in the web browser while the malware is executed.
Interestingly the malware does not target browser data, cryptocurrency wallets, and other data commonly obtained by information-stealing malware. Instead, it searches for the %APPDATA%\Thunderbird\Profiles directory looking for login.json and key4.db. The former contains the account and password, and the latter is the password database. Both are then exfiltrated to the attacker’s command and control server.
The malware also searches the Windows Registry and retrieves the Outlook software key, and locates the IMAP User, IMAP Server, and IMAP password values. The passwords for Outlook are encrypted, but the malware uses the CryptUnprotectData function of Windows to decrypt the data before exfiltrating the decrypted data to the C2 server
Cybercriminals are constantly developing new techniques for distributing malware. Security awareness training typically focuses on raising awareness of the most common methods of malware delivery, such as Office files containing malicious macros. Since employees are likely to be much less familiar with ISO files, they may not identify these emails as malicious, or may not report them to their security teams due to the decoy document that is displayed, in the belief that nothing untoward has happened.
To improve protection against campaigns such as this, businesses should consider configuring their email security solution to quarantine emails containing risky file attachments such as executable files, and also configure their web filter to block downloads of these file types from the Internet. That is a simple process with SpamTitan cloud-based anti-spam service and the WebTitan web filter.
by titanadmin | Nov 15, 2022 | Phishing & Email Spam |
A new phishing campaign has been detected that is being used to distribute a relatively new malware threat called IceXLoader. The malware was first identified in the summer and is being actively developed, with version 3.3 of the malware being distributed in the latest campaign. The malware appears to be a work in progress, with the latest version of the malware having enhanced functionality and a new method of installation is now being used. While it has only been distributed for a few months, it already represents a significant threat.
As the name suggests, IceXLoader is a malware dropper that is designed to deploy additional malicious payloads on infected devices. This could include additional tools to help the operators of the malware achieve their aims or it could be offered to a range of threat actors under the malware-as-a-service model for delivering information stealers, ransomware, and other malicious payloads. The malware was first identified by researchers at Fortinet, who named the malware IceXLoader due to the presence of ICE_X strings in samples of the malware code.
The malware is delivered via phishing emails with a .zip compressed file attachment, which contains the first stage extractor. If allowed to run, this will create a new hidden folder in C:\Users\<username>\AppData\Local\Temp, and will then drop and execute the second stage executable file, which creates a new registry key and deletes the temporary folder. The second stage executable downloads a PNG file from a hardcoded URL, and converts it into an obfuscated DLL file, which is IceXLoader. The dropper will perform checks to see if it is running in a virtual environment and will wait 35 seconds before executing IceXLoader to avoid sandbox detection. IceXLoader will collect a variety of information about its host, will connect to its command-and-control server and exfiltrate that information, and will then drop additional malicious payloads.
The malware is capable of evading Windows Defender and other anti-malware programs to prevent scanning of the folder where IceXLoader resides. Researchers at Minerva Labs note that the exfiltrated data is freely accessible on the C2 server, so the threat actors are currently not interested in securing the stolen data.
Due to the ability of the malware to evade traditional antivirus software solutions, the key to blocking this threat is implement next-generation endpoint detection solutions that are able to identify malware by their behavior, and ensure that strong, multi-layered anti phishing defenses are implemented to block the initial phishing emails, including an advanced spam filter for blocking the email and web filtering technology to prevent downloads of malicious files from the Internet.
It is also important not to neglect the human element of defenses. Security awareness training for the workforce will go a long way toward preventing these and other email-based attacks from succeeding, by teaching employees email security best practices.
by titanadmin | Oct 31, 2022 | Email Scams, Spam Advice, Spam News |
Phishing attempts are often very convincing as the emails mimic trusted brands, include their logos and color schemes, and the message format is often copied from genuine company messages. The most commonly spoofed brands are well-known companies that have millions of customers, which increases the chances of the message landing in the inbox of a person who has, at least at some point in the past, used that company’s products or services.
Every quarter, Check Point releases its Brand Phishing Report, which highlights the latest phishing trends and the brands being impersonated most often. LinkedIn, Microsoft, Google, and Netflix are regulars in the top 10 List, with LinkedIn being the most commonly spoofed brand in phishing attacks in the first half of the year; however, the top spot has now gone to the German logistics and package delivery firm, DHL.
DHL accounted for 22% of all worldwide phishing attempts in Q3, 2022. DHL itself issued a warning to customers in July after the company became aware that it was being spoofed in a massive phishing campaign that was being conducted globally. It is probable that DHL will remain in the top spot in Q4 due to the increase in online purchases in the run-up to Christmas.
While there is some variation in the phishing emails impersonating DHL, one of the most common appears to have been sent by DHL Express and alerts the recipient about an undelivered package. The message warns that it will not be possible to attempt redelivery of the package unless delivery information is confirmed. The phishing emails include a link to a website to allow that information to be provided; however, the link directs the user to a website where they are required to log in and provide their name, username, password, and other sensitive information, such as payment details.
While email phishing is the most common form, DHL has been spoofed in SMS messages that achieve the same purpose. Of course, SMS messages are not subject to spam filtering controls and mobile devices are less likely to be protected by web filters, which can detect and block attempts to visit malicious websites. SMS phishing – termed smishing – has been growing in popularity in recent years.
Unsurprisingly, given the number of users, Microsoft achieved second place, accounting for 16% of phishing emails in the quarter. The phishing emails spoofing Microsoft are more varied due to the extensive product range, although OneDrive phishing emails were common. These emails claim to be collaboration requests and target businesses and ask the recipient to click on a button to view a shared document. Like many phishing emails, the messages warn the recipient that urgent action is required, as the document will be deleted in 48 hours. The user is directed to a malicious website where they are asked to enter credentials for their Microsoft account.
It is unclear why LinkedIn has fallen out of favor slightly, although it still achieved 3rd spot and accounted for 11% of phishing attempts in the quarter. The rest of the top ten consists of Google (6%), Netflix (5%), We Transfer (5%), Walmart (5%), WhatsApp (4%), HSBC (4%), and Instagram (3%).
Phishing is one of the main ways that cybercriminals gain access to business networks. The attacks are easy to conduct, low cost, and do not require extensive technical knowledge. Businesses can block the majority of these malicious messages by implementing an advanced spam filter such as SpamTitan Cloud. They should also consider adding an extra layer to their defenses – A web filter such as WebTitan Cloud.
Technical defenses such as these are vital for protecting against phishing attempts, but it is also important for businesses to ensure that they provide regular security awareness training to their employees to make them aware of the threat of phishing and to teach them how to identify phishing emails. In addition to training, phishing simulations should be conducted on the workforce. These have been proven to reduce susceptibility to phishing attempts, as they give employees practice at identifying phishing and any failures are turned into a training opportunity.
With the SafeTitan security awareness training and phishing simulation platform, training is automatically triggered in real-time in response to phishing simulation failures and other security errors, when the training is likely to have the greatest effect.
If you run a business and want to improve your defenses against phishing, give TitanHQ a call. TitanHQ products are available on a free trial to allow you to put them to the test before making a decision about a purchase. MSPs that have yet to add spam filtering, web filtering, and security awareness training to their service stacks should give the TitanHQ channel team a call to find out more about these opportunities to improve their clients’ defenses against phishing and other cyberattacks.
by titanadmin | Oct 25, 2022 | Network Security, Phishing & Email Spam |
The construction firm Interserve has been slapped with a £4.4 million GDPR fine for failing to prevent a phishing attack and the theft of the personal and financial information of up to 113,000 employees.
Interserve is a construction and outsourcing group, which, at the time of the cyberattack in 2020, was a strategic supplier to the UK government, including the Ministry of Defense. An employee received a phishing email and forwarded it to a colleague, who opened the email and downloaded the malicious content, which saw malware installed on its network. What happened next is all too common in cyberattacks. The threat actors had a foothold in the network, then moved laterally, and compromised 283 Interserve systems and 16 accounts.
Interserve’s anti-virus software was then uninstalled by the threat actors, and ransomware was deployed to encrypt files on the network. The information accessed, encrypted, and stolen by the attackers included highly sensitive employee information such as contact information, national insurance numbers, and bank account details. Data classed as special category data under the GDPR was also compromised, including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
The Information Commissioner’s Office (ICO) investigated the cyberattack and data breach and determined Interserve had failed to put appropriate security measures in place to prevent cyberattacks such as this, and the lack of appropriate safeguards left Interserve vulnerable to cyberattacks from March 2019 to December 2020.
The ICO identified several areas where the attack could have been identified and blocked. The initial phishing email was not blocked, nor was the malicious email detected when it was forwarded internally. The company had anti-virus software installed, which quarantined the malware and generated a security alert, yet Interserve failed to investigate the suspicious activity. Had it been investigated Interserve should have been able to determine that the attacker still had access to its network. The ICO also found outdated software systems and protocols in use, there was a lack of staff training, and insufficient risk assessments had been performed.
The failure to implement appropriate safeguards violated information privacy laws, resulting in a £4.4 million fine being proposed. The response of Interserve to that notice of intent to fine did nothing to warrant any reduction in the penalty.
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” said UK Information Commissioner, John Edwards.
These cybersecurity failures are all too common at businesses and they leave the door wide open for hackers, yet malware and ransomware attacks such as this can easily be prevented. In this case, following cybersecurity best practices, ensuring employees practice good cyber hygiene, and responding to security alerts quickly could have prevented or certainly reduced the severity of the data breach.
An effective email security solution should have been in place for detecting malicious emails, first when the initial email was received and again when it was forwarded. The email should have been quarantined and checked by the IT security team. Had appropriate end-user training been provided, both employees should have been aware of the threat of email-based attacks and known how to identify phishing emails. The IT security team should also have investigated the alert and suspicious network activity.
It is not possible to prevent all cyberattacks but implementing an advanced spam filter and providing security awareness training to employees will go a long way toward improving an organization’s security posture. Those are areas where TitanHQ can help. TitanHQ has developed a suite of cybersecurity solutions including SpamTitan Email Security, the SafeTitan Security Awareness and Phishing Simulation Platform, and the WebTitan DNS Filter for blocking web-based attacks.
For more information on improving your security posture to block cyberattacks, prevent data breaches, and protect against financial penalties from regulators, give the TitanHQ team a call.
