Weekly Intelligence Summary | 15 May 2020
Updated: Jun 11
In the spotlight this week:
Microsoft advised Office 365 users on how to combat targeted phishing or BEC attacks; SilverTerrie group launched cyberattacks against government agencies, healthcare institutions, universities, and insurance firms; US government and its partners identified RAT malware used by the North Korean government; newly discovered Maze Ransomware targeted attacks in May.
Microsoft finally made efforts in helping Office 365 users defend themselves against targeted phishing or Business Email Compromise (BEC) attacks by recommending to change their login page with more sign-in options. Microsoft also revealed a new tactic of attackers: sending emails with an attached PDF on OneDrive asking users to sign in to a fake advertisement page used for capturing users’ credentials.
SilverTerrie, a group of Nigerian cyber criminals, was reported to have recklessly launched BEC attack campaigns against government agencies, large universities with medical programs/centers, regional utilities, medical publishing firms, and insurance companies.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) published Malware Analysis Reports providing technical details of a malware variant used by the North Korean government which has been identified as COPPERHEDGE.
Maze ransomware or ChaCha was first observed in May 2019 and has targeted organizations in North America, South America, Europe, Asia, and Australia, and most notably a Fortune 500 company.
May 07, 2020 | Phishing campaign used “Business Document Received” as email headline
A new Azure advertisement sign-in page was announced in February 2020 and started rolling out in April. This advertisement apparently was found out to be a phishing strategy. The phishing campaigns show how fast attackers can adapt to changes in the approach they mimic. Another new phishing method was found to have used emails with the subject line “Business Document Received”. The emails carry a PDF attachment that poses as a OneDrive document requiring users to sign in. It turns out the link points to a phishing site that spoofs the new sign-in page.
Source: Microsoft Security Intelligence Twitter Post. Retrieved from https://twitter.com/MsftSecIntel/status/1260975503340482560
May 07, 2020 | SilverTerrier: New COVID-19 Themed Business Email Compromise Schemes
Focusing on one of the most active subsets of the global threat landscape, Palo Alto Networks Unit 42 tracks Nigerian cyber criminals involved in BEC activities under the name SilverTerrier. From January to April, three malicious activities were observed. SilverTerrier members launched a series of ten COVID-19-themed malware campaigns. These campaigns have produced over 170 phishing emails seen across Palo Alto’s customer base. While broad in targeting, SilverTerrier has exercised minimal restraint in terms of aiming for organizations that are critical to COVID-19 response efforts. Alarmingly, several of these campaigns recklessly included government healthcare agencies, local and regional government units, large universities with medical programs/centers, regional utilities, medical publishing firms, and insurance companies across the United States, Australia, Canada, Italy, and the United Kingdom.
Source: Palo Alto. Retrieved from https://unit42.paloaltonetworks.com/silverterrier-covid-19-themed-business-email-compromise/
May 09, 2020 | What one cybersecurity company has learned from responding to Maze ransomware
One of Maze’s biggest victims was the multibillion-dollar IT services company Cognizant, which has clients in banking, oil, and gas industries. Despite a reported denial of involvement from the hackers themselves, Maze’s fingerprints were on last month’s attack which disrupted Cognizant’s services with its clients.
Source: Cyberscoop. Retrieved from https://www.cyberscoop.com/maze-ransomware-mandiant-lessons-learned/
May 09, 2020 | Threat Brief: Maze Ransomware Activities
Maze ransomware, a variant of ChaCha ransomware, was first observed in May 2019 and has targeted organizations in North America, South America, Europe, Asia, and Australia. This ransomware is typically distributed via emails containing weaponized Word or Excel attachments. It can also be transferred via exploit kits. The malware first establishes a foothold within the environment. It then obtains elevated privileges, conducts lateral movement, and begins file encryption across all drives. However, before encrypting the data, these operators may exfiltrate the files to be used for further coercion, including public exposure.
Source: Palo Alto. Retrieved from https://unit42.paloaltonetworks.com/threat-brief-maze-ransomware-activities/
May 12, 2020 | North Korea’s Malicious Cyber Activity
The Malware Analysis Report is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with US Government partners, DHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This malware variant has been identified as Copperhedge. The US Government refers to malicious cyber activity by the North Korean government as Hidden Cobra.
Source: Cybersecurity and Infrastructure Security Agency. Retrieved from https://www.us-cert.gov/northkorea and https://www.us-cert.gov/ncas/analysis-reports/ar20-133a
May 12, 2020 | Microsoft Patch Tuesday, May 2020 Edition
It was reported that Microsoft recently issued software updates to plug at least 111 security holes in Windows and Windows-based programs. None of the vulnerabilities were labeled as being publicly exploited or detailed prior to May 12, 2020. As customary practice if you are running Windows on any of your machines, it is once again time to prepare and have your patches updated, nevertheless. However, focusing solely on Microsoft’s severity ratings may obscure the seriousness of the flaws being addressed this month.
Source: KrebsonSecurity. Retrieved from https://krebsonsecurity.com/2020/05/microsoft-patch-tuesday-may-2020-edition/