Global Security Report - Midyear 2018
It is hard to believe we are more than halfway through 2018.
Earlier this year, AppRiver security analysts Troy Gill and David Pickett released AppRiver’s annual Global Security Report that outlined the biggest threats of 2017.
With the second half of the year underway, now is a great time to reflect on some of the cyberthreat trends AppRiver security analysts have seen in the first part of 2018.
Attacks get personal
Attacks continue to grow more customized whether the attempt is either to deliver malware or to perpetrate a phishing attack.
Ransomware has continued to wreak havoc, as the city of Atlanta officials can testify to first hand. The city fell victim to a ransomware attack that destabilized municipal operations in May of 2018. According to reports, the city of Atlanta spent several million dollars to recover from the attack.
Spear phishing tactics continue to net attackers huge sums as Business Email Compromise attacks (BECs) and other fraud is becoming more widely adopted by attackers. Common vulnerabilities and exploits have continued to be leveraged in email attacks in 2018, and attackers are continually looking for different file types to deliver their payloads.
As spoofing detection and sender verifications have improved, attackers have – as they always do – adapted their techniques to find ways around them. What’s more, an overriding theme we have been noticing over the past several years has been a trend toward a greater number of attacks being more targeted, more customized and more personalized.
Spear phishing has become much more common and is being seen with a much greater frequency than ever and is being delivered on a much broader scale. Even more concerning is that a good number of these attacks are being launched from trusted sources, specifically, compromised accounts. These types of attacks look to disarm email security measures designed to focus on sender validation. Specifically, looking for spoofed domain names, bad IP reputation and things like DKIM and SPF will all generally fail to raise any red flags. These attacks also have great success in subverting well-trained end users who might otherwise be cautious enough to avoid emails from an unknown sender. It is imperative that full content inspection be implemented and that every aspect of the email be evaluated using a multitude of techniques.
Let’s examine some of the more popular phishing and account takeover attacks.
In an attempt to avoid detection, many of the phishing attacks launched from compromised accounts inject as little content as possible into the body of the message. In the example below – which was sent from a compromised Office 365 account, the attacker incudes the cloud storage brand “Box” to add credibility to the link in the message in case the target looks. The email purported that the sender was sharing a file via “Box.” However, the link was to a phishing page designed to harvest credentials from the recipient.
Here is the corresponding landing page for the link contained within the message.
It is hosted on an unsecured WordPress site that was registered nearly 8 months ago. The landing page is designed to harvest more user credentials that will, of course, be used in further phishing attacks, BECs or malware campaigns.
Business Email Compromise (BEC) Update
Over the past several years, BEC attacks have become widely embraced by cybercriminals looking to reap big profits. In fact, some estimate that BECs are now netting cybercriminals more than $1 billion dollars annually.
Attackers rely on publicly available information along with social media sites such as LinkedIn to gather as much personal data about the targets as they can before launching these types of attacks. They frequently pose as a CEO of the same company they are targeting or as a business associate that a frequently deals with the company. There is one goal in mind – to dupe the target into initiating a wire transfer for a large sum to the attacker’s account. Although these attacks have varying levels of sophistication and many subtle nuances, the intended result is the same: to get that helpful employee to initiate a wire transfer, often ranging from hundreds to millions of dollars.
Given the success of these attacks, we also have seen others jumping on the bandwagon. However, some have set their sights slightly lower – instead of wire transfers, these attackers are looking for gift cards.
Here are a few examples of such attacks:
The first photo is a standard initial message in an attack that is looking to commit wire transfer fraud. In this case, the attack did spoof the domain name in the “From” field. In other instances, they utilize a misspelled version of the domain or a display name of a person in the company with a free mail address, such as Gmail, Yahoo etc., or simply use the address of another previously compromised user.
If this email had not been quarantined and if the recipient had replied, the attacker would have then requested a wire transfer.
Below is an example of an attack aiming to get gift cards from the target. These attacks usually range from $500 to $1000 in total gift card value via individual card denominations of $50 or $100.
Conversation Hijacking Attack (CHA) UPDATE
A product of account takeovers, the Conversation Hijacking Attack has been capitalizing on the trust established by two individuals that have had a prior conversation (You can read more here for a detailed look at how these attacks work.).
We have seen these types of attacks continue in 2018; and the attackers have employed more obscure tactics to attempt to hide the true nature of the attachments being used to deliver the malware payload. The malware attached in these attacks historically has been and remains the Gozi/Ursnif banking trojan.
The Gozi/Ursnif trojan, whose source code has leaked several times over the years, has a rootkit component, it captures browser and email application passwords, logs keystrokes and captures screenshots. While this malware poses a great threat to the individuals being targeted, an even greater risk is for the business or organization whose network would be exposed if the attack is successful.
The chart below depicts the monthly totals of CHA email attacks.
It shows the frequency of these attacks slowed in February and March but had a major resurgence toward the latter part of 2018’s second quarter. Conversation Hijacking Attacks increased 37 percent over the previous six-month period. In all, we quarantined 169k CHA messages, up from 123k the prior six-month period.
Common Vulnerabilities & Exposures (CVE)
In AppRiver’s Global Security Report published earlier this year, it was mentioned that Common Vulnerabilities & Exposures exploits will continue to be a top malware vector. This has been true during the second quarter of 2018 with CVE2017-11882 being the most utilized attack by malicious actors.
CVE 2017-11882 is typically exploited via Office files saved in Rich Text Font (RTF) format and utilizes the Word Equation Editor. It involves a memory corruption issue when Office is unable to properly handle objects in memory allowing attackers to run code via file-less attacks without the use of macros. The attachment file size using this attack may be extremely small, as well (some have come in around 10kb). However, the majority are larger.
Although not as common as 2017-11882, CVE 2017-0199 is also being actively used as an attack method. CVE 2017-0199 utilizes an embedded ole2 link object where the Office HTA handler will typically retrieve and execute a malicious remote file when the Office file is opened. However, some user interaction may be required for this to run. This depends on the user software (Office or Wordpad) and if the \objupdate control was inserted. Like CVE 2017-11882, these are usually weaponized RTF versions of the file format to help evade signature-based detection.
Below is a recent example of a CVE2017-11882 attack:
Cryptocurrency Theft and Mining
Malware that not only looks for traditional financial information, but also cryptocurrencies such as Bitcoin that has been around for years. However, we have noticed an increase in the volume of malicious files that also have this capability as this functionality has been added to several malware families over the past six months.
Despite the recent declines in cryptocurrency prices, the exploitation of user’s computing resources continues to be profitable for malicious actors, with some raking in millions of dollars with such schemes.
The most recent example of this being spread via email is the Rakhni ransomware. It has been around since 2013 – locking up machines and demanding ransoms to decrypt the files. The authors have recently added a cryptocurrency mining component to maximize profitability.
To make a determination of how it will proceed with an infection, it will scan the users machine for a %AppData%\Bitcoin folder. If it finds this folder, it will encrypt the machine for a ransom and append the .neitrino extension to common file types.
The most plausible reasoning behind this decision, since the user owns and/or has mined cryptocurrency already, is because it would make it easier for the user to pay the ransom to the malicious actors. However, if it doesn’t find a folder with the Bitcoin name, it will then download a crypto-mining component if the system has more than two logical processers that are powerful enough to handle coin mining for Monero, Mone or Dashcoin. If it doesn’t contain the Bitcoin folder or the two logical processers, it will then skip to its worm functionality and attempt to copy itself to machines on the local network.
The Rakhni trojan is just one example of this type of attack, but there are many other avenues of infection for user endpoints and unpatched servers that are being utilized for cryptomining operations.
The below example is from an AppRiver customer who subscribes to AppRiver’s Web Protection. In this example, Web Protection detected numerous callback attempts to Monero mining pools from their network and blocked the communication attempts. Through the notification function included with AppRiver’s Web Protection, specified administrators were notified of this type of activity on their networks.
Weaponizing Obscure File Extensions
Obscure file extensions continue to be a popular tactic among attackers in an effort to confuse recipients of the sender’s true intentions.
We’ve previously blogged about symbolic link (.slk) files being used to evade the Microsoft Office protected view and BEC attacks using .xps extensions to help avoid detection via breaking up multiple canvas clip mappings. However, the most recent example is the .SettingContent-ms shortcut files. These are particularly sneaky since they allow an attacker to bypass Windows security safeguards and achieve code execution without prompting the user to choose which program to use to open the file. Details of the attacker were posted in a security blog on June 11th and attackers didn’t waste any time customizing the attack for nefarious purposes.
Fortunately for many Office 365 users, the .SettingContent-ms extension is natively blocked by default for Outlook 2016 (and possibly other versions/clients) when directly attached, as seen below:
This image shows this attachment decoded from its raw form to a readable format on the right. The tag contains the malicious remote destination to pull down an executable file and subsequently run it on the machine.
After this file was analyzed, it was determined that its function was to call back to an IP and ports associated with the Remcos remote access tool. This remote access tool may be used for legitimate purposes by some system administrators and costs between $68 to $457 USD for licenses from the creator’s site. This price depends on the license timeperiod and the number of users needed to remotely control. However, cracked versions are circulated on the internet and in hacking forums, and these cracked versions are commonly utilized by malicious actors.
Below, the chart depicts messages which included malware, of various types, as attachments in the email. In total, AppRiver has already quarantined more than 92 million emails containing malware attachments in 2018.
This chart depicts Phishing activity as seen by our email security solution. So far in 2018, we have quarantined more than 180 million Phishing messages. This includes many forms of generalized phishing attacks, such as brand impersonation.
The next chart show Spear phishing activity in 2018. Spear phishing attacks, such as BECs, have been on an upward trend throughout 2018. In all we have quarantined just over 1 million BEC attack messages, up from 653 thousand during the prior six-month period- an increase of 55 percent.
Email remains a favorite vector used by attackers to get a foothold into your organization. Whether for the purposs of malware infection, data theft or financial fraud—everyone is a target. Attackers will continue to find ways to monetize their activities and will pivot quickly to a new technique when previous techniques become obsolete. With absolute certainty, more zero-day exploits are on the horizon. As these threats continue to evolve, so should your email and network security solutions!