Phishing Threat Intelligence Newsletter for October 2024
This is a monthly newsletter I put together for our internal security team with a lean towards phishing and healthcare. Created with help from ChatGPT.
Phishing via Google Ads Targets Lowe’s Employees
Summary: Interesting technique to watch. A recent malvertising campaign targeted Lowe’s employees by impersonating the company’s employee portal through fraudulent Google ads. Threat actors used phishing pages that closely resembled the legitimate MyLowesLife site to steal login credentials. These attacks underline the need for caution when clicking on sponsored links, especially for accessing internal portals.
Key Insight: Avoid using search engines to access internal portals—bookmark them instead to reduce exposure to phishing.
Further Reading: Malwarebytes Blog
Emerging Phishing Threats: Typosquatting and Brand Impersonation Trends
Summary: Zscaler's research uncovers a growing trend in phishing attacks involving typosquatting and brand impersonation. Attackers are increasingly mimicking popular brands using lookalike domains to trick users into divulging sensitive information.
Key Insights:
Over 10,000 malicious domains detected between February and July 2024.
Google, Microsoft, and Amazon are the top impersonated brands.
Attackers use free TLS certificates to evade detection.
Sectors like Internet Services and Online Shopping are prime targets.
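Added example (not from the Zscaler report): a small lookalike-domain classifier for the three brands named above, folding digit and Cyrillic confusables, checking edit distance for typos, and catching brand names buried in subdomains. The legitimate domains and the confusable table are assumptions for the demo; a real deployment would load the organization's own watch list.

```python
import unicodedata

# Brands the Zscaler research names as most impersonated; legit domains are assumed.
BRANDS = {"google": "google.com", "microsoft": "microsoft.com", "amazon": "amazon.com"}
# Constructed confusable map: digits, letter pairs and Cyrillic letters swapped for Latin ones.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
               "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0441": "c"}

def normalize_label(label: str) -> str:
    """Decode punycode, strip accents and fold confusables so lookalikes collapse to the brand."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label.lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typos such as 'amazn'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, max_distance: int = 1):
    """Return (brand, reason) for a suspected lookalike, or None for the real site or unrelated names."""
    host = domain.lower().rstrip(".")
    labels = host.split(".")
    if any(host == legit or host.endswith("." + legit) for legit in BRANDS.values()):
        return None
    reg = labels[-2] if len(labels) > 1 else labels[0]  # registrable label; assumes a one-label TLD
    norm = normalize_label(reg)
    for brand in BRANDS:
        if norm == brand:
            return (brand, "homoglyph" if reg != brand else "wrong-tld")
        if levenshtein(norm, brand) <= max_distance:
            return (brand, "typo")
        if brand in norm:
            return (brand, "brand-embedded")
        if any(normalize_label(lbl) == brand for lbl in labels[:-2]):
            return (brand, "brand-in-subdomain")
    return None
```

Feed it newly observed domains from passive DNS or certificate transparency logs; the free-TLS-certificate angle above means CT is a good source.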
For more details, visit Zscaler's blog.
Suspected Espionage Campaign Delivers “Voldemort” Malware
Summary: Proofpoint researchers identified a sophisticated espionage campaign distributing custom malware named "Voldemort." This campaign used advanced techniques like abusing Google Sheets for command and control (C2) and targeting organizations globally by impersonating tax authorities. The malware, likely tied to an APT actor, has intelligence-gathering capabilities and is suspected of espionage rather than financial gain.
Key Insights:
Targeted over 70 organizations across multiple sectors.
Abuses Windows file protocols and advanced C2 mechanisms.
For more details, visit Proofpoint's blog.
Scattered Spider Targets Insurance and Financial Sectors Using Cloud Ransomware
Summary: The Scattered Spider group has intensified its ransomware attacks on the insurance and financial industries, leveraging cloud vulnerabilities and phishing campaigns to compromise high-privileged accounts. The group uses social engineering tactics, including SIM swapping, smishing, and cloud credential theft, to gain unauthorized access. Their advanced techniques, combined with partnerships with groups like BlackCat, have made them a formidable threat to cloud-based infrastructures.
Further Reading: EclecticIQ Blog
Top Cyber Attacker Techniques: May-July 2024 Insights
Summary: ReliaQuest’s report from May to July 2024 highlights the growing threat of phishing, accounting for 37% of incidents. The “SocGholish” malware, delivered via fake browser updates, remains widespread. Additionally, exposed credentials make up 88.75% of alerts, posing significant risks. Key sectors targeted by ransomware include manufacturing and tech. To defend against these threats, organizations should enhance multi-factor authentication, monitor user behavior, and deploy rapid response measures.
Key Insights:
Phishing remains a top threat.
Credential exposure is a major risk.
Ransomware is heavily targeting manufacturing and tech sectors.
Further Reading: ReliaQuest Blog
Unveiling RECORDSTEALER: A Persistent Infostealer Targeting Sensitive Data
Summary: RECORDSTEALER (Raccoon Stealer V2) is a malware targeting sensitive information like passwords, payment data, and cryptocurrency wallets. It infects systems through malvertising and fake downloads, focusing on web browsers for data exfiltration. RECORDSTEALER’s infrastructure has been disrupted, but related malware such as VIDAR and STEALC are still active.
Key Insights:
Uses browser exploits for credential harvesting.
Communicates with command-and-control servers using encrypted channels.
Evades detection via obfuscation and process injection.
Further Reading: Google Cloud Blog
Splinter: A New Post-Exploitation Red Team Tool
Summary: Splinter, a post-exploitation tool developed in Rust, allows for remote command execution, file uploads, and process injection. It uses encrypted HTTPS for command-and-control (C2) communication, making it harder to detect. Initially built for red team operations, the tool's misuse poses significant risks to compromised systems.
Technical Key Insights:
Splinter supports process injection into system processes.
Uses encrypted C2 channels for communication.
Built with Rust for enhanced performance and cross-platform compatibility.
Further Reading: Unit 42 Article
Supershell Malware Targeting Linux SSH Servers
Summary: Supershell, a Go-based backdoor, is being deployed on Linux SSH servers through brute-force attacks. Once installed, it provides attackers with remote access via a reverse shell, enabling them to hijack systems and deploy additional payloads like cryptocurrency miners.
Key Insights:
Uses reverse shell for remote control.
Exploits weak SSH credentials via brute-force attacks.
Can execute additional malicious payloads, such as XMRig miners.
Written in Go, enhancing cross-platform capabilities.
Further Reading: AhnLab ASEC Report
Cybercriminals Exploit Legitimate Software with CAMO Techniques
Summary: ReliaQuest's latest findings reveal the growing use of legitimate IT tools by cybercriminals in "Commercial Applications, Malicious Operations" (CAMO). These tools, such as PDQ Deploy and SoftPerfect, are used for spreading ransomware, exfiltrating data, and evading detection by blending into normal network operations. This trend complicates incident detection and response.
Key Insights:
CAMO tools can bypass detection by leveraging legitimate system capabilities.
Attackers use trusted tools to move laterally and exfiltrate data.
Network segmentation, monitoring, and whitelisting can mitigate these threats.
Further Reading: ReliaQuest Blog
Phishing Attack Uses Two-Step Approach to Evade Detection
Summary: A new phishing attack leverages a two-step process, using legitimate platforms like Microsoft Office Forms as an intermediary to evade detection. After clicking the phishing email link, users are directed to a legitimate form before being redirected to a fake login page designed to steal credentials. This sophisticated approach helps attackers bypass security filters by exploiting trusted platforms.
Key Insight: Be cautious of phishing links that utilize legitimate services as intermediaries before redirecting to malicious sites.
Further Reading: KnowBe4 Blog
Surge in Malicious Links Marks 133% Increase in Q1 2024
Summary: Phishing attacks using malicious links surged by 133% in the first quarter of 2024, as attackers shift away from traditional attachments to evade detection. Links allow attackers to obfuscate malicious content and use redirects, CAPTCHA, and legitimate services to conceal their payloads. This growing trend emphasizes the need for organizations to enhance email security and continuously train employees to spot suspicious links.
Further Reading: KnowBe4 Blog
HR-Related Phishing Tactics Grow More Sophisticated
Summary: Threat actors are increasingly using HR-related phishing emails, disguised as official company communications, to trick employees into providing credentials. These phishing attacks often use urgent subjects like “Revised Employee Handbook,” leading victims to a fake Microsoft login page. Attackers use the stolen credentials for further exploitation. The campaign evades email security platforms by leveraging legitimate-looking content and psychological manipulation.
Further Reading: Cofense Blog
Inc Ransom Attack: Advanced Extortion Techniques Emerge
Summary: The Inc Ransom group uses advanced techniques like data exfiltration without encryption, exploiting firewall vulnerabilities and hiding within legitimate network traffic using tools like Impacket and PowerShell. By deploying Rclone for data transfer, they evade detection while pressuring victims through extortion. The report includes details on a recent attack against a healthcare organization.
Technical Key Insights:
Use of Rclone for stealth data exfiltration.
Abuse of firewall vulnerabilities for initial access.
Impacket and PowerShell used to blend into legitimate traffic.
Data theft replaces encryption in the extortion strategy.
Further Reading: ReliaQuest Blog
RansomHub Reigns, Meow Ransomware Surges in August 2024
Summary: RansomHub leads ransomware threats, targeting Windows, macOS, Linux, and VMware ESXi systems using sophisticated encryption techniques. Meanwhile, Meow ransomware shifts focus from encryption to selling stolen data on leak marketplaces, employing the ChaCha20 encryption algorithm. Both groups aggressively target exposed RDP configurations and vulnerable systems.
Technical Analysis:
RansomHub uses robust encryption across multi-platform environments, complicating recovery.
Meow uses ChaCha20 for file encryption and skips .exe files, leveraging leak sites for extortion.
Both utilize exposed RDP ports for initial access.
Further Reading: Checkpoint Blog
Phishing-as-a-Service Platform Sniper Dz Gains Traction with Unique Tactics
Summary: The Sniper Dz Phishing-as-a-Service (PhaaS) platform has facilitated the creation of over 140,000 phishing websites. It offers pre-made phishing templates targeting major brands, leveraging public proxy servers and SaaS platforms to evade detection. Sniper Dz uses unique obfuscation techniques, enabling phishing campaigns to bypass traditional security measures while collecting stolen credentials.
Key Insights:
Sniper Dz uses proxy servers to hide phishing activities, making detection more difficult.
Phishers can easily launch campaigns targeting popular services without needing technical expertise.
Integrating proxy detection mechanisms and monitoring SaaS usage can help identify such attacks.
Further Reading: Unit42 Article
DragonForce Ransomware: Advanced Tactics and Affiliate Program
Summary: DragonForce, using both LockBit and ContiV3 forks, targets critical sectors through its RaaS affiliate program. The ransomware employs sophisticated tactics like BYOVD to disable EDR/XDR systems, coupled with SystemBC for persistence and lateral movement. Affiliates can customize attacks using the builder to encrypt files, terminate security processes, and evade detection through advanced anti-analysis features. Mimikatz and Cobalt Strike are used for credential harvesting and system reconnaissance.
Key Technical Insights:
BYOVD: Drivers like TrueSight.sys and RentDrv.sys disable security.
RSA-1024 & Salsa20 encryption for ransomware payloads.
Use of PowerShell and Cobalt Strike for malware execution and persistence.
Further Reading: Group-IB Blog
RDP Brute-Force Attacks
Summary: Remote Desktop Protocol (RDP) brute-force attacks remain a high-risk method for attackers to gain unauthorized access to networks. Cybercriminals exploit weak/default credentials and exposed RDP ports using automated tools, making it a preferred method for both nation-state and cybercriminal groups. Attackers can use compromised access for data theft, deploying ransomware, or selling credentials on dark web forums.
Technical Highlights:
Attackers use tools like Hydra and Medusa for brute-forcing RDP.
RDP attacks typically begin with enumeration via port scans, followed by credential stuffing.
Initial access brokers often sell RDP access for further attacks.
Defense Recommendations:
Use strong, unique passwords and multi-factor authentication.
Limit RDP exposure to the internet, utilizing VPN and firewalls.
Implement rate-limiting and robust monitoring to detect unusual RDP activity.
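Added example (not from the ReliaQuest article) of the monitoring recommended above: a sliding-window detector that alerts when one source address racks up repeated failed RDP logons and flags password spraying when many accounts are tried. The sample events are constructed and use a simplified one-line shape; the assumption is that your SIEM normalizes Windows Security events 4625/4624 into comparable fields.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified Windows Security 4625/4624 shape (assumption: the SIEM
# normalizes timestamp, event ID, logon type, account and source address into one line like this).
SAMPLE_LOG = """\
2024-10-03T02:14:05Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2024-10-03T02:14:07Z 4625 LogonType=10 Account=admin Source=203.0.113.7
2024-10-03T02:14:09Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2024-10-03T02:14:10Z 4625 LogonType=10 Account=backup Source=203.0.113.7
2024-10-03T02:14:12Z 4625 LogonType=10 Account=sqlsvc Source=203.0.113.7
2024-10-03T02:14:13Z 4625 LogonType=10 Account=helpdesk Source=203.0.113.7
2024-10-03T02:15:00Z 4625 LogonType=10 Account=jsmith Source=198.51.100.9
2024-10-03T02:20:00Z 4624 LogonType=10 Account=jsmith Source=198.51.100.9
2024-10-03T02:40:00Z 4625 LogonType=2 Account=jsmith Source=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (\d+) LogonType=(\d+) Account=(\S+) Source=(\S+)$")

def parse_event(line: str):
    """Return (timestamp, event_id, logon_type, account, source) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)

def detect_rdp_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Alert per source IP that logs >= threshold failed RDP logons (4625, LogonType 10) inside `window`."""
    recent = defaultdict(deque)  # source -> (timestamp, account) of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_event(line)
        if rec is None:
            continue
        ts, event_id, logon_type, account, source = rec
        if event_id != 4625 or logon_type != 10:
            continue  # successes and non-RDP (console, network) failures do not count
        q = recent[source]
        q.append((ts, account))
        while ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            accounts = sorted({a for _, a in q})
            alerts[source] = {"failures": len(q), "accounts": accounts,
                              "spray": len(accounts) >= 3,  # many accounts from one IP = password spraying
                              "first": q[0][0], "last": ts}
    return alerts
```

The single failure from 198.51.100.9 followed by a success is the normal mistyped-password pattern and stays below the threshold; tune threshold and window to your environment's baseline.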
For more details, visit ReliaQuest's article on RDP Brute-Force Attacks.
New Phishing Tactic Exploits HTTP Headers for Stealthy Redirects
Summary: Attackers are using a new technique involving HTTP response headers to automatically redirect users to phishing pages. The tactic leverages compromised websites, making the phishing links appear legitimate. This technique is particularly challenging to detect and has been observed in phishing campaigns targeting various industries.
Key Insights:
HTTP headers are manipulated for silent phishing page redirects.
Attackers pre-populate victim data (like email addresses) to enhance credibility.
Detection is difficult, requiring heightened user vigilance and advanced security monitoring.
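Added example (not from the KnowBe4 post) of what the "advanced security monitoring" above can look like at the proxy or mail-sandbox layer: parse a raw HTTP response head, extract a header-only redirect (3xx Location or a Refresh header), and score it on two tells named in the post, leaving the requested site and carrying a pre-populated email address. Both sample responses and the scoring thresholds are constructed for the demo.

```python
import re
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed responses. The first mimics a compromised site answering with a header-only redirect that
# carries the victim's address; the second is an ordinary same-site redirect (hostnames are assumed).
SAMPLE_PHISH = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "Refresh: 0;url=https://login-verify.example/#alice@corp.example\r\n\r\n")
SAMPLE_BENIGN = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://news-site.example/blog/\r\n\r\n"

def parse_response_head(raw: str):
    """Split a raw HTTP response head into (status_code, {lowercase-header-name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # ignore any body after the blank line
    lines = head.strip("\n").split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def redirect_target(status: int, headers: dict):
    """URL the browser would follow from headers alone (3xx Location or a Refresh header), else None."""
    if 300 <= status < 400 and "location" in headers:
        return headers["location"]
    m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", headers.get("refresh", ""), re.I)
    return m.group(1).strip() if m else None

def assess_redirect(raw_response: str, requested_host: str) -> dict:
    """Score a header-driven redirect: leaving the requested site and prefilling an email are the tells."""
    status, headers = parse_response_head(raw_response)
    target = redirect_target(status, headers)
    if target is None:
        return {"redirect": False}
    dest_host = (urlsplit(target).hostname or requested_host).lower()
    cross_site = dest_host != requested_host.lower()
    prefilled = EMAIL_RE.search(unquote(target)) is not None  # victim email in path/query/fragment
    score = (2 if cross_site else 0) + (2 if prefilled else 0) + (1 if "refresh" in headers else 0)
    return {"redirect": True, "target": target, "cross_site": cross_site,
            "prefilled_email": prefilled, "suspicious": score >= 3}
```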
For more details, visit KnowBe4.
Cyber Predators Exploit Healthcare Vulnerabilities with Ransomware and Data Theft
Summary: Cybercriminals are increasingly targeting healthcare organizations, exploiting weaknesses to steal patient data and extort hospitals via ransomware attacks. These criminals collaborate through darknet marketplaces, offering ransomware-as-a-service, and trading access to compromised healthcare systems. With attacks up 32% globally in 2024, healthcare remains a prime target due to its valuable data and often outdated security infrastructure.
Key Insights:
Healthcare sees an average of 2,018 attacks weekly, with APAC and Latin America hit hardest.
Ransomware-as-a-service empowers less experienced criminals.
Hospitals face high risks due to the critical nature of their operations.
Read more: Checkpoint Research.
Phishing Campaign Exploits Google Apps Script for Sophisticated Attacks
Summary: A new phishing campaign manipulates Google Apps Script macros to target users across multiple languages. The phishing emails falsely claim to provide “account details” and include links to malicious pages mimicking legitimate Google services. Victims are tricked into disclosing sensitive information, leading to data theft and operational disruption.
Key Insights:
Attack uses Google’s infrastructure to appear legitimate.
Affected users may disclose sensitive data via a deceptive Google Apps Script URL.
Advanced email filtering, real-time URL scanning, and phishing awareness training are crucial defenses.
For more details, visit Checkpoint Research.
New Windows PowerShell Phishing Campaign Highlights Serious Risks
Summary: A recently discovered phishing campaign uses GitHub-themed emails to trick recipients into launching PowerShell commands, enabling the download of password-stealing malware. The attack uses social engineering techniques, disguising itself as a CAPTCHA verification process. By exploiting PowerShell’s automation capabilities, attackers gain unauthorized access to credentials stored on victims' systems.
Key Insights:
Attack targets GitHub users but could be adapted for broader use.
Exploits PowerShell to execute malicious commands.
Vigilance and disabling unnecessary PowerShell access are crucial defenses.
For more, visit Krebs on Security.
Phishing Attacks Exploit Content Creation and Collaboration Platforms
Summary: A recent phishing campaign abuses popular content creation and collaboration tools to trick users into clicking malicious links. Cybercriminals use legitimate-looking posts and documents with embedded phishing URLs, leading to credential theft through fake login pages. These attacks have been seen in both business and educational environments.
Key Insights:
Phishing emails from trusted platforms contain hidden threats.
Common platforms include design tools and document-sharing services.
Users should be cautious of unexpected links and suspicious login requests.
For more information, visit KnowBe4.
Cyber Threats Looming for the 2024 U.S. Election
Summary: As the 2024 U.S. election approaches, cyber threats from nation-state actors, hacktivists, and cybercriminals are expected to rise. These include disinformation campaigns, phishing attacks, and attacks on electoral infrastructure. Businesses should brace for phishing campaigns and SEO poisoning targeting politically charged topics.
Key Insights:
Nation-state groups may conduct hack-and-leak operations and influence campaigns.
Expect a surge in phishing attacks and scams using election-related themes.
Businesses should implement advanced cybersecurity measures to mitigate risks.
For more details, visit ReliaQuest.