Troy Gill <span>Malware Distributors Leverage Kaseya Attack</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 07/06/2021 - 18:44</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/9" hreflang="en">Troy Gill</a> <article><img loading="lazy" src="/sites/default/files/2021-07/kaseya_cover.jpg" width="940" height="450" alt="Virus graphic" typeof="foaf:Image" /></article><p>News of the supply-chain-style ransomware attack against enterprise technology firm Kaseya has been making huge headlines this week. If you had not already heard, sometime late last week Kaseya fell victim to what appears to be the REvil ransomware gang. This is the same group that has been causing havoc by <a href="https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/" rel="nofollow">disrupting fuel supplies</a> and, more recently, <a href="https://www.bleepingcomputer.com/news/security/jbs-paid-11-million-to-revil-ransomware-225m-first-demanded/" rel="nofollow">meat distribution</a>. Here, the REvil distributors used a supply chain attack technique via the compromise of a Kaseya software product that is used primarily by MSPs and their customers. Kaseya has now confirmed that it believes around 1500 companies have ultimately been impacted by the attack. Those responsible are now demanding $70 million in exchange for a blanket decryption tool.</p> <p>While many organizations returning from the holiday weekend are scrambling to make sure they are not affected, malware distributors are looking to take advantage and create an opportunity for themselves. Today we have been capturing a malicious email campaign attempting to pose as a security patch related to Kaseya. 
The malicious emails instruct the recipient to open an attached executable file to fix the Kaseya vulnerability. This attack theme is quite timely, as it preys upon the uncertainty and fear surrounding this high-profile incident. Attackers are always eager to capitalize on large-scale events that will give them increased attention, especially when that attention may carry some sense of urgency and fear.</p> <p>The malicious emails began hitting our filters around 11am CST today. They appear to have been somewhat hastily crafted, as the subject line was out of context. The sender also directly attached the [EXE] file, which is a <em>bright red flag</em>. However, if history is any indication, there will likely be new and improved versions yet to come.</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-07/Kaseya_1.jpg" width="1248" height="635" alt="Kaseya email screenshot" typeof="foaf:Image" /></article><p>And though these errors exist, the malware attached is just as dangerous as you might expect. The attached [EXE] contained Cobalt Strike. Cobalt Strike is commercially available and often used by pen testers and red teams to help better defend networks. However, as of late the malicious use of Cobalt Strike has been on the rise, as threat actors have learned how to weaponize it into an attack tool.</p> <p>Remember that security advisories/patches are a common theme used in malware and phishing email attacks. Falling victim to this email attack would likely lead to ransomware and/or data theft, the very thing you are trying to avoid.</p> <p><strong>**UPDATE-7-7-2021**</strong></p> <p>As we suspected, we have now spotted additional malware attacks using the Kaseya security patch theme. The sample below is part of a campaign that began this morning. 
The password-protected archive attached to this email contains an executable that delivers the Dridex Trojan.</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-07/Kaseya2.jpg" width="1137" height="612" alt="Kas" typeof="foaf:Image" /></article> Tue, 06 Jul 2021 23:44:11 +0000 admin <span>Hackers Threaten Home Invasion Using Stolen Cryptocurrency Account Data</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 01/04/2021 - 19:13</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/9" hreflang="en">Troy Gill</a> <article><img loading="lazy" src="/sites/default/files/2021-03/imagesCA2T4LC7.jpg" width="940" height="450" alt="person in ski mask on computer" typeof="foaf:Image" /></article><p>Amidst another year inundated with data breaches, it can be dizzying even to keep track of those that may impact you. It is important to remember that threat actors are indeed keeping track. For many, it can also be difficult to connect the dots between when a breach happens and how that stolen data may be leveraged against you.</p> <p>Our Threat Analysts have been paying extra close attention to Bitcoin-related scams given its historic rise in value over the past weeks. We have observed various attacks looking to take advantage of this meteoric rise, but <em>one</em> also illustrates well how attackers will leverage even what may seem like relatively benign data to launch scams, phishing and even malware attacks.</p> <p>This morning we found that threat actors are now sending personalized email threats to Bitcoin investors. These email threats rely on data stolen from cryptocurrency solution provider Ledger earlier this year. 
Reports have stated that “The name, mailing addresses and phone numbers for 272,000 customers have been recently released by hackers”. It seems that cybercriminals made fast use of this stolen data after it was posted recently on Raidforums. Ledger customers were reassured in a statement by the provider that “this data breach has no link nor impact on our hardware wallets, the app or your funds”. However, that is not to say there will not be any indirect fallout. Namely, at least some of these customers are now subjected to the personalized scams we see so often after data like this is released.</p> <p>The emails themselves appear to be addressed to the Ledger account holder and include, in the body of the message, the recipient's name and address of record (<em>redacted in the screenshot below for privacy</em>). We have certainly seen scams of every ilk, but this <em>may</em> be the first to threaten home invasion…</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/bitcoin%20threat%20-redacted_2.jpg" width="850" height="358" alt="email example" typeof="foaf:Image" /></article><p>And while it is our opinion that the threats made within the email are a sham, there are always a few people in any large group who will take the bait and pay the ransom. This is what these threat actors typically rely on in attacks like these… playing the numbers.</p> <p><em><strong>-UPDATED-</strong></em></p> <p>Today cybercriminals upped the ante in their efforts to take advantage of the Ledger breach news. Attackers are now launching phishing attacks that seek to gain access to Ledger accounts with the ultimate goal of stealing users' crypto-assets. These emails are well crafted and contain personalization within the body of the message as well as a personalized link. 
</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/ledgerphishemail.jpg" width="2325" height="1462" alt="ledger help email" typeof="foaf:Image" /></article><p>The URLs embedded in the body of these emails lead to a well-crafted phishing page designed to harvest passphrases and PIN numbers from the user. As you can see, the domain name being used could certainly look legitimate at first glance, but it was registered by the threat actor just yesterday. </p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/ledgerphish.jpg" width="1425" height="755" alt="ledger phrase email" typeof="foaf:Image" /></article><p>With the price of Bitcoin at all-time highs, we expect more related attacks and scams to surface in the coming weeks. </p> Tue, 05 Jan 2021 01:13:02 +0000 admin <span>U.S. Voters In Attackers' Crosshairs</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Tue, 10/06/2020 - 18:45</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/9" hreflang="en">Troy Gill</a> <article><img loading="lazy" src="/sites/default/files/2021-03/voting_thumb.jpg" width="462" height="227" alt="person placing ballot in box" typeof="foaf:Image" /></article><p>It has been difficult to avoid the media attention surrounding the upcoming U.S. election, and at least some level of political uncertainty surrounds the election process itself due to the pandemic. It was only a matter of time before cybercriminals attempted to exploit U.S. voter registration to spread attacks to unsuspecting individuals. We are now seeing phishing attacks doing that very thing. U.S. voters should take notice because, in addition to this attack, there will almost certainly be other similar attacks as the U.S. 
election draws nearer.</p> <p>Over the past several days we have been seeing phishing messages posing as the Election Assistance Commission and purporting to come from the domain [usa.gov]. The messages state that there is a problem with your voter registration and that your voter registration could not be confirmed.</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/voter_reg_attack.jpg" width="940" height="450" alt="voter registration fake email" typeof="foaf:Image" /></article><p>These phishing attacks are being launched from SendGrid servers and utilize SendGrid links in the messages. SendGrid-based attacks have reached a fever pitch as of late, as the platform has been abused heavily by attackers. Using SendGrid (or other services like it) lends some credibility to the message, both in the eyes of the intended recipient and with some security controls. </p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/voter_phish2_0.jpg" width="462" height="227" alt="email url" typeof="foaf:Image" /></article><p>These links redirect to one of several compromised WordPress sites. There the attackers are looking to gather personal data from the target. The page below is one of six pages designed to gather personal details:</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/voter_pg1_0.jpg" width="1000" height="752" alt="fake registration site" typeof="foaf:Image" /></article><p>Zix-AppRiver email threat protection customers are protected from this cyber attack and others like it. 
With advanced link protection, attachment sandboxing, message retraction, quarantine, and a full dashboard of awareness, confidently secure your inboxes and keep your network from being a major vulnerability for your business.</p> <p>For more on the latest threats, <a href="/resources/trends/2020-mid-year-global-threat-report" rel="nofollow">check out our Mid-Year Threat Report</a>.</p> Tue, 06 Oct 2020 23:45:50 +0000 admin <span>Firefox Send Service Being Used to Distribute Banking Trojan</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Thu, 06/18/2020 - 18:03</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/9" hreflang="en">Troy Gill</a> <article><img loading="lazy" src="/sites/default/files/2021-03/wormhole_1_0.jpg" width="940" height="450" alt="digital wormhole" typeof="foaf:Image" /></article><p>We have been closely monitoring Conversation Hijacking Attacks (CHA) ever since <a href="https://appriver.com/blog/201802attackers-leverage-stolen-credentials-malware-attacks" rel="nofollow">we uncovered</a> the activity back in late 2017. Operated by threat actors actively distributing the Gozi/Ursnif banking trojan, the group has been relentless in its efforts to distribute malware through this method and has clearly found some good success with it.</p> <p>If you are unfamiliar with CHAs, they are quite simple. The attackers send out thousands of phishing attacks with the intent of harvesting users' email credentials. 
Once they have collected credentials, they use a bot to log into the (otherwise) legitimate email accounts and send out malware by ‘replying’ to ongoing conversations, hence the term Conversation Hijacking Attack.</p> <p>The most common method of infection in these botnet-generated CHAs has been the inclusion of a malicious Word document. These are sometimes encrypted and sometimes not. Throughout the past few years, this group has consistently looked for new and improved ways to raise their efficacy. This past week saw another shift in their attack methods that we found quite interesting.</p> <h3>Attacks Shifted This Week</h3> <p>These malicious actors are now using the Firefox Send private file sharing service to deliver the payload via a link in the body of the emails. The service allows free file sharing by encrypting the file and providing a custom URL where the file can be retrieved. These URLs are formatted as (<a href="https://send.firefox.com/download/*" rel="nofollow"><strong>https://send.firefox.com/download/*</strong></a>). Abusing the service is a natural evolution given the historical affinity this group has displayed for using encrypted payloads in an attempt to circumvent security solutions.</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/FFSEND_0.jpg" width="466" height="192" alt="firefox file sharing" typeof="foaf:Image" /></article><p>The URL embedded in these emails leads to an encrypted archive (ZIP) that contains a malicious VBS file. Of course, to open the archive you must use a password, which is conveniently located in the body of the message. This is an attempt to circumvent security controls, as the URL's base domain is the well-known and trusted firefox.com. As a bonus, the encryption of the file being delivered aids the attackers by preventing SOME security solutions' automated detection from seeing inside the archive and thus understanding the true nature (malware) of the file being shared. 
Our customers can rest assured they are protected from this threat.</p> <p>Example below:</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/send.firefox_0.jpg" width="1384" height="297" alt="email example" typeof="foaf:Image" /></article><p>Attackers love to abuse legitimate services, and Firefox Send is just one more they have in their bag of tricks. Notably, we have observed that these links remain active now, even 48 hours after their distribution. In recent months, as attackers look to lend credibility to their attacks, we have also seen a rise in abuse of other services, including <strong>Evernote</strong>, <strong>Gitbook</strong>, <strong>storage.googleapis.com</strong>, <strong>onedrive.live.com</strong>, <strong>appspot</strong>, <strong>sharepoint.com</strong> and <strong>FireBaseApp</strong>, <em>just to name a few.</em></p> Thu, 18 Jun 2020 23:03:09 +0000 admin <span>Hackers Using COVID19 Stimulus to Exploit End Users</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Mon, 04/20/2020 - 20:30</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/9" hreflang="en">Troy Gill</a> <article><img loading="lazy" src="/sites/default/files/2021-04/sba%20email.png" width="940" height="450" alt="Email example of SBA attack" typeof="foaf:Image" /></article><p>It ended up taking just a few days longer than we expected, but the malicious emails attempting to exploit the US economic stimulus package have begun to ramp up. Attackers have ALWAYS been relentless in their attempts to exploit every possible angle to accomplish their agenda. 
Human tragedy is, unfortunately, no exception.</p> <p>For them, the current COVID-19 pandemic and resulting stimulus package are just opportunities to take advantage of the unsuspecting. As the topic began to gain media traction, attackers were quick to tailor their attacks to exploit the situation. In many ways, this is a perfect storm for them, as they thrive on the inherent urgency, uncertainty and fear that comes with a pandemic. Through this, they are able to lower the defenses of their intended targets. Attackers have clearly recognized this and have embraced the topic to the extent shown below:</p> <p>This chart represents COVID-19-themed emails as a percentage of all “bad” email traffic. Currently, about 1 of every 5 bad emails invokes the Coronavirus or COVID-19 terms to garner attention.</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-04/tchart_0.png" width="752" height="452" alt="chart of covid19 themed emails" typeof="foaf:Image" /></article><p>Since this new trend in COVID19-themed attacks has taken root, we have been anticipating and monitoring closely for the next iteration of attacks, ones we assume will exploit public interest in stimulus relief funds. 
Though we have seen a few poorly formatted attempts in previous days, on Thursday the tide shifted: we are now seeing well-formatted and carefully crafted malicious emails spoofing the Small Business Administration (sba.gov) as stimulus relief communications.</p> <p>Here’s an example of the current campaign; there will certainly be a variety of others to come:</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-04/tsba.png" width="983" height="732" alt="email example of attack" typeof="foaf:Image" /></article><p>The malware payload in these messages initially delivers the <a href="https://www.cyber.nj.gov/threat-profiles/trojan-variants/remcos" rel="nofollow">Remcos</a> remote access trojan, then drops <a href="https://www.cyber.nj.gov/threat-profiles/trojan-variants/formbook" rel="nofollow">Formbook</a>, an info-stealer trojan that is fully capable of stealing sensitive data such as user credentials but also gains fairly wide-ranging control over the victim's machine, allowing further code execution and data theft.</p> <p>While the COVID-19-themed attacks have been going full steam ahead for weeks now, this is just the tip of the iceberg when it comes to attacks leveraging the topic of economic stimulus relief. 
We all need to be extra vigilant, as we expect a multitude of new attacks to emerge in the coming days, such as IRS notifications, phony internal communications from employers and other variations of these legitimately themed attacks.</p> Tue, 21 Apr 2020 01:30:04 +0000 admin <span>Zoom users in attackers’ crosshairs</span> <span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="" xml:lang="">admin</span></span> <span>Fri, 04/17/2020 - 16:18</span> <a href="/resources/blog/threat-alert" hreflang="en">Threat Alert</a> <a href="/taxonomy/term/9" hreflang="en">Troy Gill</a> <article><img loading="lazy" src="/sites/default/files/2021-03/zoom_email_phish.jpg" width="940" height="450" alt="zoom phishing email" typeof="foaf:Image" /></article><p>The global health crisis that we are all facing has presented incredible challenges for people and for organizations. And it has dramatically accelerated the move to the cloud. As we all rise to the occasion to meet this challenge, also be mindful of the opportunities that this crisis has afforded cybercriminals.</p> <p>Enabling a secure, remote workforce is critical, as attackers will attempt to exploit every new possibility that presents itself. We have already seen a bevy of email-based attacks looking to capitalize on this crisis, and there will be many more to come.</p> <p>As a result of the global social distancing measures put in place, businesses have rushed to tools such as Zoom to keep their workforce productive and engaged. In fact, it was recently reported that the Zoom service was seeing an average of 200 million daily users in March, up from 10 million daily users as recently as December.</p> <p>They are not the only ones. </p> <p>Cybercriminals are also looking to Zoom – but for criminal reasons. 
During the past month, cybercriminals have been observed registering thousands of new domain names including the word “zoom”, which they intend to use to deliver phishing and malware attacks. </p> <p>Many of these attacks are crafted well enough to fool even seasoned Zoom users, but we wanted to pluck one from the quarantine and examine it a little closer so that everyone knows what to be on guard against. The email itself was posing as a notification that a scheduled Zoom meeting with Human Resources and Legal Counsel has already begun.</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/zoom_email_phish.jpg" width="940" height="450" alt="zoom phishing email" typeof="foaf:Image" /></article><p>This theme does a good job of creating the urgency that attackers often aim for. The savvy Zoom veteran might notice the difference in the Zoom logo font in the body of the message. When hovering over the link to inspect it closer, as everyone should be doing before they click on ANY link, you should notice that the domain in the email link does not lead to zoom.us, which should be a huge red flag to everyone.</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/zoom_url.jpg" width="210" height="53" alt="zoom url" typeof="foaf:Image" /></article><p>Clicking on the link leads to a well-designed phishing page designed to harvest email credentials.</p> <article class="align-center"><img loading="lazy" src="/sites/default/files/2021-03/zoom_phish_page.jpg" width="1216" height="667" alt="zoom phishing page" typeof="foaf:Image" /></article> Fri, 17 Apr 2020 21:18:46 +0000 admin
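As an added example that is not code from these posts or from AppRiver/Zix, the Python triage routine below encodes the red flags the alerts above describe: a directly attached executable (the Kaseya lure), a password for an encrypted archive disclosed in the message body (the Kaseya update and the Firefox Send campaign), payload links of the form https://send.firefox.com/download/*, and link hosts that invoke the word "zoom" without belonging to zoom.us (the Zoom lure). The sample messages it builds are constructed, and treating zoom.us as Zoom's only legitimate web domain is an assumption.

```python
# Added example (not AppRiver/Zix code): triage heuristics for the lures in these alerts.
import re
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumption: zoom.us and its subdomains are the only legitimate Zoom web hosts.
BRAND_DOMAINS = {"zoom": ("zoom.us",)}
# Firefox Send payload links, formatted as https://send.firefox.com/download/* in the post.
SEND_RE = re.compile(r"^https://send\.firefox\.com/download/")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# "password is X" / "password: X" disclosed in the body, as in the Firefox Send lure.
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".vbs", ".js", ".bat", ".cmd", ".ps1")
ARCHIVE_EXT = (".zip", ".rar", ".7z")


def is_lookalike(host, brand):
    """True when a host invokes the brand keyword but is not the brand's own domain
    or a subdomain of it (catches zoom-hr.example and zoom.us.example alike)."""
    host = host.lower()
    if brand not in host:
        return False
    return not any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def body_and_attachments(msg):
    """Concatenate the text/plain parts and collect attachment file names."""
    texts, names = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts), names


def triage(raw_message):
    """Return sorted finding tags for one RFC 5322 message given as a string."""
    body, names = body_and_attachments(message_from_string(raw_message))
    findings = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if SEND_RE.match(url):
            findings.add("file-share-link")
        for brand in BRAND_DOMAINS:
            if is_lookalike(host, brand):
                findings.add("lookalike-domain:" + brand)
    if any(n.lower().endswith(EXEC_EXT) for n in names):
        findings.add("executable-attachment")
    # A disclosed password only matters when an encrypted archive is being delivered.
    delivers_archive = "file-share-link" in findings or any(
        n.lower().endswith(ARCHIVE_EXT) for n in names)
    if delivers_archive and PASSWORD_RE.search(body):
        findings.add("password-in-body")
    return sorted(findings)


def build_sample(subject, body, attachment=None):
    """Build a constructed sample message (not a real capture) as a string."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "it@example.test", "user@example.test", subject
    msg.set_content(body)
    if attachment:  # stub bytes stand in for the attached file
        msg.add_attachment(b"MZ stub", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()
```

Feeding `build_sample("Zoom meeting started", "Join now: https://zoom-hr-legal.example/start")` to `triage` yields `["lookalike-domain:zoom"]`, while a link to `us04web.zoom.us` yields nothing.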