Researchers have uncovered a new phishing campaign built to distribute ransomware and steal data by capitalizing on interest in the recent Colonial Pipeline outage.
Security vendor Inky spotted the malicious emails, which it said targeted numerous Microsoft 365 customers.
The emails were spoofed to appear as if sent from the recipient’s “Help Desk.” Recipients were instructed to click a malicious link in order to download a critical “ransomware system update” to protect their organization from the same fate as Colonial Pipeline.
“The malicious emails were sent from newly created domains (ms-sysupdate.com and selectivepatch.com) controlled by cyber-criminals. The domain names, sufficiently plausible to appear legitimate, were nevertheless distinct enough that garden-variety anti-phishing software would not be able to use regular expression matching to detect their perfidy,” explained VP of security strategy, Roger Kay.
“Both domains were registered with NameCheap, a registrar popular with bad actors. Its domains are inexpensive, and the company accepts Bitcoin as payment for hosting services (useful for those trying to remain anonymous). The malicious links in the emails belonged to — surprise — the same domain that sent the emails.”
The download itself is, in fact, Cobalt Strike — a legitimate pen-testing tool often used in ransomware attacks and data exfiltration, and which could be used in this instance to control targeted systems.
Anti-phishing software should be used to mitigate the risks posed by such attacks, in conjunction with well-thought-out policies such as IT teams never asking employees to download certain file types, Kay concluded.
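The traits Kay describes (a “Help Desk” display name on an external, newly registered domain, links pointing back to that same sending domain, and a “ransomware system update” lure) can be checked mechanically. The following is an added illustration, not Inky’s product logic; the organization domain `example-corp.com` and both sample messages are constructed, while the two lookalike domains come from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the real internal help desk sends from (assumed placeholder for this example).
ORG_DOMAINS = {"example-corp.com"}
# Lure wording from this campaign: an urgent "ransomware system update".
LURE_RE = re.compile(r"ransomware\s+(system|software)?\s*update", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def classify(raw: str) -> dict:
    """Return the reasons a plain-text message matches the campaign's pattern."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    links = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    sender_is_org = any(_under(sender_domain, d) for d in ORG_DOMAINS)
    reasons = []
    if "help desk" in display.lower() and not sender_is_org:
        reasons.append("help-desk display name from a non-organization domain")
    external = {h for h in links if not any(_under(h, d) for d in ORG_DOMAINS)}
    if external and not sender_is_org and all(_under(h, sender_domain) for h in external):
        reasons.append("links point back to the external sending domain")
    if LURE_RE.search(body):
        reasons.append("ransomware-update lure text")
    return {"sender_domain": sender_domain, "links": sorted(links), "reasons": reasons}


# Constructed samples: one modelled on the campaign, one benign internal notice.
PHISH = """From: IT Help Desk <helpdesk@ms-sysupdate.com>
Subject: Critical ransomware system update required

Install the ransomware system update now to avoid Colonial Pipeline's fate:
https://ms-sysupdate.com/update
"""

LEGIT = """From: IT Help Desk <helpdesk@example-corp.com>
Subject: Monthly patch rollout

Patches will be pushed automatically; details at https://intranet.example-corp.com/patches
"""
```

Running `classify` on `PHISH` yields all three reasons, while `LEGIT` yields none.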
In related news, it has been reported that the DarkSide group responsible for the attack on Colonial Pipeline may have breached the critical infrastructure firm through a single compromised password.
A Mandiant VP working on the case reportedly said that the VPN account login allowed remote attackers to infiltrate the company’s network, even though the account was no longer in use at the time. The credential was subsequently found on the dark web, meaning it may have been previously reused across multiple accounts.