Search the Community
Showing results for tags 'phishing emails'.
Found 2 results
SwissMiss posted a topic in Security & Privacy NewsSuspected state-sponsored hacking group tried to break into US utilities Researchers say the phishing attempts were spotted in July. A suspected nation state-sponsored hacking group attempted to infiltrate US utility firms in July, researchers say. On Thursday, Proofpoint researchers Michael Raggi and Dennis Schwarz said that between July 19 and July 25, spear-phishing emails were sent to three US companies responsible for providing utility services to the public. The phishing emails impersonated an engineering licensing board, the US National Council of Examiners for Engineering and Surveying, and attempted to elicit panic in recipients by pretending that the victim company had failed an exam. This is a common technique used in phishing emails and is found in other examples including fake bank withdrawal emails, tax demands, and student loan complaints. If a target is frightened, they may be more likely to follow a phishing email's instructions without thinking things through. Contained within the message was a Microsoft Word document, named Result Notice.doc, which used embedded macros to spring malicious code onto a recipient system. The emails originated from an IP address which led to the discovery of additional domains used to impersonate other engineering and electric licensing agencies in the United States. However, only the original domain, nceess[.]com, appears to be active in current phishing campaigns. If a victim opens the file and enables VBA macros, three Privacy Enhanced Mail (PEM) files are dropped; tempgup.txt, tempgup2.txt, and tempsodom.txt. These files are then decoded and transformed into Notepad-impersonating GUP.exe, libcurl.dll -- a malicious loader -- and sodom.txt, a file which contains command-and-control (C2) configuration settings for the malicious code. The malware, dubbed LookBack, is then launched via GUP.exe and libcurl.dll. LookBack is a Remote Access Trojan (RAT), written in C++, which is able to view system data, execute shellcode, tamper with, steal, and delete files, take screenshots, kill processes, move and click a mouse without user interaction, force an infected PC to reboot at whim, and remove itself from a machine. LookBack is also able to create a C2 channel and proxy in order to exfiltrate and send system information to the attacker's server. Proofpoint has connected the recent attacks with APT campaigns in 2018 linked to Japanese firms. FireEye researchers said the group -- known as APT10 or Menupass -- attacking media companies appears to be Chinese and has a history of going after targets in Japan. If it is the same threat actors, this could demonstrate that APT10 is branching out to include US firms in their hit-list. Firm conclusions that LookBack is the work of a state-sponsored group seeking to disrupt core utilities and services are not possible, as the researchers note that the malware has not been actively associated with any APT previously and "no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary." However, the macros do provide a clue to state-sponsored activity. Many of the connections between the macro and VBA function obfuscation are strikingly similar to the code used in the aforementioned Japanese attacks, despite being rewritten. "We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized," Proofpoint says. "The utilization of this distinct delivery methodology coupled with unique LookBack malware highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers." Source: Suspected state-sponsored hacking group tried to break into US utilities
Attackers love exploiting the naivety of users because it’s so easy. All it takes is one successful phishing email to persuade just one user to hand over their organizations login details. Once that hacker gains entry to your systems, you’re not going to find out until it’s too late — your anti-virus and perimeter systems aren’t programmed to pick up on access using legitimate login details, giving snoopers all the time in the world to, well, snoop. And if it’s not exploiting them, well then we can always rely on good old fashion ‘careless’. It was only recently that UK political leaders were publicly (and almost proudly) proclaiming their own particularly poor password habits on Twitter. MP Nadine Dorries admits she regularly shouts the question “What is my password?” across the office, and after her being criticized on Twitter, MP Nick Boles defended her by agreeing with a journalist that password sharing is rife among MPs. As much as it’s easy to poke holes in politicians’ hapless knowledge of IT security, the truth is that most employees within the business world share passwords too. So while users remain the biggest threat to a company’s security, blaming employees is never the right route to take. Employers are (usually) human. They are careless, flawed and often exploited. So, how are you supposed to spot inappropriate user access when it’s already been defined as appropriate? Spotting the threat Security must be there to protect users from both careless and malicious behavior and to protect the business from outsiders trying to gain access by pretending to be employees. When you boil it down, the only way to really tell if someone is a malicious insider or an intent external threat actor is by allowing them to perform actions (such as launching applications, authenticating to systems, accessing data, etc.) and determine whether the actions are inappropriate. But given the majority of your user population doesn’t act the same way everyday – let alone the next week or month – it makes more sense to spot the threat actor by looking at leading indicators of threat activity, rather than waiting for the threat activity itself. One of the most accurate leading indicators is one no malicious insider or external threat actor can get around – the logon (local, remote, via SMB, via RPC, etc.). Endpoints require logons for access, lateral movement of any type requires authentication to access a target endpoint, and access to data first requires an authenticated connection. The leveraging of Logon Management solutions provides organizations with not only the ability to monitor logons and identify suspicious logon activity, but to also craft logon policies to limit the scope of account use and automatically shut down access based on inappropriate logon behavior. By using the contextual information around a user’s logon (origin, time, session type, number of access points, etc.) genuine logins become useless to would-be attackers. So, while there might not be a patch for the user quite yet, keep in mind that you do have a foolproof way to make sure authenticated users are who they say they are, identify any ‘risky’ user behavior and put a stop to it before it ends up costing you capital, customers and your company’s reputation. To read more about external attacks and how to detect and stop them, read our latest whitepaper “Stopping the External Attack Horizontal Kill Chain”. Source