Gone phishing: Cybersecurity company reeled in

It’s been almost 2 weeks since our last usually weekly threat report, so it’s time we got you back in the know with some updates. This week, we’re going to chat about phishing, malspam, credential stuffing, ransomware, and Linux malware. Here are the deets:

• What can we learn from the SANS phishing incident?
• COVID-19 news:
• Emotet leveraging COVID-19 for lure
• Cyber theft of Canadian COVID relief
• Ransomware headlines
• Spotlight: Drovorub Linux Malware

SANS employee falls for M365 phishing

On August 13, 2020, additional details were released regarding a phishing attack that led to the exposure of personal information for approximately 28,000 members of the SANS Institute.

On July 24, 2020, employees from various parts of the SANS Institute reported that they had received phishing emails purporting to be a file shared by a SANS SharePoint service.

According to SANS Institute, the email contained a file, titled “Copy of July Bonus 24JUL2020.xls,” which was used to entice the victims to click the ‘Open’ button to access the file.

After the victims clicked the button, they were redirected to a phishing site which asked them to enter their Microsoft 365 (formerly Office 365) credentials.

Once the credentials were entered, a malicious Microsoft 365 add-on named “Enable4Excel,” was downloaded onto the device.

The malicious M365 application created a forwarding rule, named “Anti Spam Rule,” that searched for specific keywords associated with financial data, such as “agreement,” “bank cash,” “dividend,” “fund,” and “transfer,” among others.

Once the keyword was found in an email, the email would be forwarded to an external address.

Microsoft 365 logs can be a PITA, but they’re too important to ignore. Serious threats to your organization’s health are out there. Learn how to tackle them with the right team by your side.

Emotet leverages COVID-19 lure

On August 14, 2020, details were released regarding a new spam campaign that uses COVID-19-themed lures to target users from US organizations, with the end goal of dropping the Emotet malware onto the victims’ devices.

Security researcher Fate112 (@tosscoinwitcher) identified the campaign on August 8, 2020, and noted that this new Emotet campaign uses a stolen email purporting to be from the “California Fire Mechanics.”

The email contains a malicious attachment, titled “EG-8777 Medical report COVID-19.doc,” and has the subject line “CFMA May COVID-19 update.” Once the user opens the file and clicks the ‘Enable Content’ button, a PowerShell command downloads the Emotet malware, “498.exe,” and saves it to the “%UserProfile%” folder.

Once the malware is executed, the victim’s machine becomes part of the malware bot operation to send further spam emails.

Additionally, the Emotet malware has other capabilities, such as the ability to download and install additional payloads for other malware variants, like Qbot or TrickBot. These can be used to steal personal data and could potentially lead to ransomware deployment.

In other COVID-19 cybersecurity news, multiple sites belonging to the Canadian government suffered a cyberattack, which resulted in the theft of COVID-19 relief payments.

These government sites were used to provide access to services for immigration, taxes, pensions, and benefits (also referred to as GCKey). They used a single sign-on (SSO) system to allow the public access to multiple Canadian government services.

The attackers used credential stuffing attacks to steal a portion of GCKey accounts. According to the Canadian government, the passwords and usernames of 9,041 users were acquired fraudulently and used to access government services such as Employment and Social Development, Canada’s My Service Canada Account, and the Immigration, Refugees and Citizenship Canada portal.

Additionally, approximately 5,500 CRA accounts were also targeted as part of the GCKey attack through another credential stuffing attack aimed at the Canadian Revenue Agency (CRA).

To help remediate the attacks, the Canadian Government disabled access to the affected individuals’ accounts to maintain the safety and security of taxpayers’ information.

Carnival Cruise, Jack Daniels, and Konica Minolta in ransomware headlines

On August 15, 2020, Carnival Corporation and Carnival plc suffered a ransomware attack that encrypted and exfiltrated some files from the company’s systems.

The incident was confirmed when Carnival Corporation filed its 8-K form with the US Securities and Exchange Commission (SEC), in which they disclosed the cyberattack.

However, an independent cybersecurity firm, Bad Packets, tweeted that Carnival Corporation might have been targeted through vulnerable edge devices.

According to Bad Packets Carnival uses multiple Citrix ADC (NetScaler) servers that were vulnerable to CVE-2019-19781. They also used Palo Alto Networks firewalls vulnerable to CVE-2020-2021.

Similarly, the Kentucky-based spirits and wine company, Brown-Forman (think Jack Daniels), was reportedly targeted by the Sodinokibi (REvil) ransomware operators which resulted in a data breach.

On August 14, 2020, the ransomware operators announced on their ransomware leak site that they were able to infiltrate the company’s network and examine its system and data infrastructure for more than one month.

Although the ransomware failed to encrypt the files due to “the quick action of staff members”, the ransomware operators were able to exfiltrate around 1TB of confidential data including employees’ information, company agreements, contracts, financial statements, and internal correspondence.

I’ve been waiting for a public instance of ransomware groups exfiltrating data but failing to encrypt. Since ransomware operators have started exfiltrating as well as encrypting, defenders have more opportunity to detect and respond before the encryption happens. Did exfiltrating jeopardize encryption in this case? If so, Ransomware leaks could ultimately be a fad. Or, will the company pay to prevent the leak? If that’s the case, ransomware leaks are here to stay.

Multiple screenshots of files with names, conversations between employees, and database backups as recently as July 2020 were published on the extortion website.

The threat actors plan on selling the most important files to the highest bidder and leaking the remaining files if the company refuses to pay the undisclosed ransom.

Oh yeah, and Konica Minolta got hit too, but I’m running out of space. Let’s move on.

Malware spotlight: Drovorub

On August 13, 2020, the FBI and NSA issued a joint security alert on Drovorub, a Linux malware they’ve observed being used by GRU 85th Main Special Servicer Center (GTsSS) Unit 26165, commonly associated with APT28 (Russian nation-state hackers).

Drovorub is the name APT28 uses for the malware, not one assigned by either the NSA or the FBI. According to the alert, Drovorub consists of four components:

• Linux kernel mode rootkit
• User mode client
• Agent with file transfer and port forwarding capabilities
• Command and control (C2) server

Drovorub can steal files and remotely control the victim’s computer with stealthy and anti-detection features. Drovorub objectives range from industrial espionage to election interference.

Only one indicator of compromise was provided, the IP address of a Drovorub C2 server: 185.86.149.125.

In April 2019, this C2 server was accessed by an IP address, 82.118.242.171, that was previously attributed to the Strontium APT group by Microsoft Response Center in 2019.

To best prevent attacks, the alert recommends that U.S. organizations update Linux systems to versions running kernel version 3.7 or later.

This comes with kernel signing enforcement, which prevents APT28 from installing Drovorub’s rootkit.

The NSA and FBI also provided SNORT rules to detect C2 network activity of Drovorub, YARA rules to detect files associated with the components, and a script to test for the presence of the Drovorub kernel mode rootkit.

That’s all for this week, folks. See you next week!

• Paul

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Money takes flight in $4.5 million ransom payment