Cofense Blog

STAY CURRENT ON INDUSTRY TRENDS & COFENSE NEWS

This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware

March 20, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary Cofense IntelligenceTM reports that threat actors have spoofed a CDC email—this one warns of a flu epidemic—to deliver an updated variant of GandCrab ransomware. Besides competing for a new low in predatory cyber-crime, the phishing campaign follows the public release of a decryptor tool for infections of recent GandCrab versions, through version 5.1. The fake CDC email contained version 5.2, which renders the decryptor tool ineffective. Though ransomware has dropped off over the past year, the authors of GandCrab are still pushing out frequent, powerful updates.  GandCrab is the last of the infamous “ransomware as a service” threats....

READ MORE

Uncomfortable Truth #4 about Phishing Defense

March 20, 2019 by David Mount in Phishing

Part 4 of a 5-part series.   I’m not going to beat around the bush here. Uncomfortable Truth #4 is quite simple:  Users are NOT the problem.  There. I said it. If this statement seems at odds with your current thinking, don’t close this browser window just yet. Stick with me, and the effectiveness of your phishing defense programs could be changed for the better.  Let’s illustrate with a story from Malcolm Gladwell.   In his book ‘Blink’, Malcolm Gladwell tells of the Getty Museum in New York buying an ancient Greek Kouros statue—a tale of man triumphing over machine, as it...

READ MORE

Uncomfortable Truth #3 about Phishing Defense

March 18, 2019 by David Mount in Phishing

Part 3 of a 5-part series. In part 1 and part 2, we discussed the Uncomfortable Truths that no matter how good your perimeter controls, malicious emails still reach the inbox, and that security teams cannot defend against attacks they cannot see. While some still hold next-gen technologies in almost exalted status, many organizations are beginning to accept that phishing threats still reach user inboxes and that these users will be tempted to click. To address this risk, significant investments are made in awareness activities, including phishing simulation. Commonly, the primary goal or success metric of these activities is a...

READ MORE

Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication

March 15, 2019 by Cofense in Threat Intelligence

We are currently noticing a change in the way that the Emotet botnet, specifically the epoch 1 variant, is communicating with the C2.  In past versions, the client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s.  The URI’s contacted contain variable words in the paths.  We are seeing form data passed with a name variable and data.  This change will break researchers as well as certain detection technologies while they...

READ MORE

Uncomfortable Truth #2 about Phishing Defense

March 14, 2019 by David Mount in Phishing

In Part 1, we explored the uncomfortable truth that no matter how good your perimeter controls, malicious emails still reach the inbox. While security technologies do a great job of telling us about the attacks they have stopped, they do a poor job of telling us about the threats they have let through. This segues nicely into:  Uncomfortable Truth #2: You cannot defend against attacks you cannot see.  Visibility is a core tenet of any security operations center. Afterall, if a SOC has no visibility of an attack, they cannot mitigate it.  As the threat landscape evolves, organizations deploy more...

READ MORE

‘Read the Manual’ Bot Gives This Phishing Campaign a Promising Future

March 12, 2019 by Aaron Riley in Threat Intelligence

CISO Summary Cofense IntelligenceTM has spotted a surgical phishing campaign whose targets could easily broaden, given the sophisticated development of its tactics. For now, it’s taking aim at financial departments in Russia and neighboring countries, using the Read the Manual (RTM) Bot to deliver a banking trojan. Among other capabilities, the malware steals data from accounting software and harvests smart card information. The newest version uses The Onion Router (TOR) communication protocol, whose privacy and extra encryption are signs the threat actors could be serious about developing the banking trojan for future campaigns. Technical controls can help combat this threat,...

READ MORE

Uncomfortable Truth #1 about Phishing Defense

March 11, 2019 by David Mount in Phishing

Part 1 of a 5-Part Series    The threat posed by phishing is not new. For many years, the media and research papers have been littered with examples of data breaches that have been traced back to phishing attacks.   Organizations have attempted to tackle the threat through investments in next-gen technologies and increased employee awareness training. Despite these efforts, the threat has not receded, in fact, it’s become more sophisticated and more effective.   It’s time for organizations to accept some uncomfortable truths about routine approaches to phishing defence and think differently – understanding that REAL phish are the REAL problem. In...

READ MORE

Lime RAT: Why It Caught Our Eye and How this Versatile Malware Works

March 6, 2019 by Aaron Riley in Threat Intelligence

CISO Summary Cofense IntelligenceTM has spotted a phishing campaign using the Lime remote administration tool (RAT), whose versatility makes it an especially dangerous malware type. Lime RAT is a mash-up of ransomware, cryptominer, stealer, worm, and keylogger. When skillfully deployed, it can filch a wide range of information, encrypt computers for ransom, or transform the target host into a bot. Lime RAT appeals to novice and seasoned threat actors alike, thanks to its anti-virus evasion techniques, anti-virtual machine features, small footprint, and encrypted communications. Threat analysts will want to read the full analysis below. Security awareness managers will want to...

READ MORE

Finding the Whole Phishing Attack: Problems and Solution

March 5, 2019 by David Mount in Cyber Incident Response

Mitigating a phishing attack is a little like zapping termites. If you don’t eliminate the whole problem, trouble continues to breed. To help, CofenseTM has announced the general availability of Cofense VisionTM. We knew that existing email search and quarantine tools weren’t fast enough, making it hard for the SOC to find and remove every phish. Integrated with the latest release of Cofense TriageTM, Cofense Vision lets incident responders see the entire phishing attack, including emails not reported by users. With a single click, the SOC can quarantine every bad email and stop the attack in its tracks. Cofense Vision...

READ MORE

Efficient Phishing Programs: 3 Common Problems and 1 Awesome Solution

March 4, 2019 by Cofense in Internet Security Awareness

By Kaustubh Jagtap You hear it all the time. Teams tasked with improving phishing defense aren’t sure how many employees see, or even receive, the simulations they send. It’s why CofenseTM has introduced the Cofense PhishMe Responsive Delivery™ capability in Cofense PhishMe™ Enterprise edition. This capability allows operators to send a phishing simulation only when targeted employees are actively using email. It also delivers the phishing simulation directly to the employee inbox, thereby bypassing any technical issues including gateway configuration changes and whitelisting complications. Additionally, having this capability adds another layer of automation to your phishing program, making it more effective...

READ MORE

This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware

March 20, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary Cofense IntelligenceTM reports that threat actors have spoofed a CDC email—this one warns of a flu epidemic—to deliver an updated variant of GandCrab ransomware. Besides competing for a new low in predatory cyber-crime, the phishing campaign follows the public release of a decryptor tool for infections of recent GandCrab versions, through version 5.1. The fake CDC email contained version 5.2, which renders the decryptor tool ineffective. Though ransomware has dropped off over the past year, the authors of GandCrab are still pushing out frequent, powerful updates.  GandCrab is the last of the infamous “ransomware as a service” threats....

READ MORE

Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication

March 15, 2019 by Cofense in Threat Intelligence

We are currently noticing a change in the way that the Emotet botnet, specifically the epoch 1 variant, is communicating with the C2.  In past versions, the client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s.  The URI’s contacted contain variable words in the paths.  We are seeing form data passed with a name variable and data.  This change will break researchers as well as certain detection technologies while they...

READ MORE

‘Read the Manual’ Bot Gives This Phishing Campaign a Promising Future

March 12, 2019 by Aaron Riley in Threat Intelligence

CISO Summary Cofense IntelligenceTM has spotted a surgical phishing campaign whose targets could easily broaden, given the sophisticated development of its tactics. For now, it’s taking aim at financial departments in Russia and neighboring countries, using the Read the Manual (RTM) Bot to deliver a banking trojan. Among other capabilities, the malware steals data from accounting software and harvests smart card information. The newest version uses The Onion Router (TOR) communication protocol, whose privacy and extra encryption are signs the threat actors could be serious about developing the banking trojan for future campaigns. Technical controls can help combat this threat,...

READ MORE

Lime RAT: Why It Caught Our Eye and How this Versatile Malware Works

March 6, 2019 by Aaron Riley in Threat Intelligence

CISO Summary Cofense IntelligenceTM has spotted a phishing campaign using the Lime remote administration tool (RAT), whose versatility makes it an especially dangerous malware type. Lime RAT is a mash-up of ransomware, cryptominer, stealer, worm, and keylogger. When skillfully deployed, it can filch a wide range of information, encrypt computers for ransom, or transform the target host into a bot. Lime RAT appeals to novice and seasoned threat actors alike, thanks to its anti-virus evasion techniques, anti-virtual machine features, small footprint, and encrypted communications. Threat analysts will want to read the full analysis below. Security awareness managers will want to...

READ MORE

Finding the Whole Phishing Attack: Problems and Solution

March 5, 2019 by David Mount in Cyber Incident Response

Mitigating a phishing attack is a little like zapping termites. If you don’t eliminate the whole problem, trouble continues to breed. To help, CofenseTM has announced the general availability of Cofense VisionTM. We knew that existing email search and quarantine tools weren’t fast enough, making it hard for the SOC to find and remove every phish. Integrated with the latest release of Cofense TriageTM, Cofense Vision lets incident responders see the entire phishing attack, including emails not reported by users. With a single click, the SOC can quarantine every bad email and stop the attack in its tracks. Cofense Vision...

READ MORE

A Closer Look at Why the QakBot Malware Is So Dangerous

February 22, 2019 by Max Gannon in Threat Intelligence

CISO Summary Cofense Intelligence ™ recently reported a phishing campaign distributing the QakBot malware. QakBot infestation is a significant threat, so be sure to share today’s follow-up post with your SOC analysts. We’ll drill down into the novel techniques QakBot uses to stymie detection and manual analysis. This sophisticated banking trojan, which Cofense™ has seen distributed via the Geodo/Emotet botnet, uses multiple tools to cover its tracks and steal credentials. The threat actors who have developed it are creative and aggressive.

READ MORE

With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat

February 11, 2019 by Max Gannon in Threat Intelligence

CISO Summary The Revenge RAT malware is getting stealthier, thanks to unusually advanced delivery techniques and support infrastructure. Cofense IntelligenceTM has recently seen this basic and widely available Remote Access Trojan benefit from these upgrades, which help it to access webcams, microphones, and other utilities as Revenge RAT does recon and tries to gain a foothold in targeted computers. When they succeed, RATs enable threat actors to wreak havoc, including monitoring user behavior through keyloggers or other spyware, filching personal information, and distributing other malware.

READ MORE

Emo..Qak? Geodo/Emotet Botnet Delivers Qakbot Malware as First-Stage Payload

February 4, 2019 by Cofense in Threat Intelligence

By Max Gannon, Mollie MacDougall, Darrel Rendell, and Aaron Riley CISO Summary In the past few days, CofenseTM has detected double trouble from the Geodo/Emotet malware. Not only have we seen Geodo botnets directly delivering non-Geodo malware via phishing campaigns, we’ve also observed Geodo campaigns use more precise targeting.

READ MORE

The Malware Holiday Ends—Welcome Back Geodo and Chanitor

January 29, 2019 by Darrel Rendell in Threat Intelligence

CISO Summary Even cybercriminals knock off for the holidays. Then in January, it’s back to work. We all have bills to pay. This past holiday season, including the Russian Orthodox Christmas which fell on January 7, threat actors cooled their heels and malware campaigns dipped. But with the holidays over, threat actors are back in action. Chanitor malware campaigns are spiking, at even higher levels than a year ago, and Geodo/Emotet campaigns have been surging too.

READ MORE

Introducing the Cofense Triage Certification Program

January 23, 2019 by Cofense in Cyber Incident Response

By Kiarra Grant Want to be a certified expert in phishing response? Now you can. Introducing the Cofense Triage TM Operators Certification. It’s our second industry-specific certification program, complementing our program for operators of Cofense PhishMeTM. The new program is focused on Cofense Triage, the first and only phishing-specific incident response platform. Become an expert in Cofense Triage while taking your phishing defense program to the next level. The Cofense Triage Certification program provides: Validation and certification of skills in the operation of Cofense Triage Training in running a successful phishing response program The ability to augment Cofense solution expertise...

READ MORE

Uncomfortable Truth #4 about Phishing Defense

March 20, 2019 by David Mount in Phishing

Part 4 of a 5-part series.   I’m not going to beat around the bush here. Uncomfortable Truth #4 is quite simple:  Users are NOT the problem.  There. I said it. If this statement seems at odds with your current thinking, don’t close this browser window just yet. Stick with me, and the effectiveness of your phishing defense programs could be changed for the better.  Let’s illustrate with a story from Malcolm Gladwell.   In his book ‘Blink’, Malcolm Gladwell tells of the Getty Museum in New York buying an ancient Greek Kouros statue—a tale of man triumphing over machine, as it...

READ MORE

Uncomfortable Truth #3 about Phishing Defense

March 18, 2019 by David Mount in Phishing

Part 3 of a 5-part series. In part 1 and part 2, we discussed the Uncomfortable Truths that no matter how good your perimeter controls, malicious emails still reach the inbox, and that security teams cannot defend against attacks they cannot see. While some still hold next-gen technologies in almost exalted status, many organizations are beginning to accept that phishing threats still reach user inboxes and that these users will be tempted to click. To address this risk, significant investments are made in awareness activities, including phishing simulation. Commonly, the primary goal or success metric of these activities is a...

READ MORE

Uncomfortable Truth #2 about Phishing Defense

March 14, 2019 by David Mount in Phishing

In Part 1, we explored the uncomfortable truth that no matter how good your perimeter controls, malicious emails still reach the inbox. While security technologies do a great job of telling us about the attacks they have stopped, they do a poor job of telling us about the threats they have let through. This segues nicely into:  Uncomfortable Truth #2: You cannot defend against attacks you cannot see.  Visibility is a core tenet of any security operations center. Afterall, if a SOC has no visibility of an attack, they cannot mitigate it.  As the threat landscape evolves, organizations deploy more...

READ MORE

Uncomfortable Truth #1 about Phishing Defense

March 11, 2019 by David Mount in Phishing

Part 1 of a 5-Part Series    The threat posed by phishing is not new. For many years, the media and research papers have been littered with examples of data breaches that have been traced back to phishing attacks.   Organizations have attempted to tackle the threat through investments in next-gen technologies and increased employee awareness training. Despite these efforts, the threat has not receded, in fact, it’s become more sophisticated and more effective.   It’s time for organizations to accept some uncomfortable truths about routine approaches to phishing defence and think differently – understanding that REAL phish are the REAL problem. In...

READ MORE

Efficient Phishing Programs: 3 Common Problems and 1 Awesome Solution

March 4, 2019 by Cofense in Internet Security Awareness

By Kaustubh Jagtap You hear it all the time. Teams tasked with improving phishing defense aren’t sure how many employees see, or even receive, the simulations they send. It’s why CofenseTM has introduced the Cofense PhishMe Responsive Delivery™ capability in Cofense PhishMe™ Enterprise edition. This capability allows operators to send a phishing simulation only when targeted employees are actively using email. It also delivers the phishing simulation directly to the employee inbox, thereby bypassing any technical issues including gateway configuration changes and whitelisting complications. Additionally, having this capability adds another layer of automation to your phishing program, making it more effective...

READ MORE

This Company Turned a Phishing Attack into a Teachable Moment

February 27, 2019 by Zach Lewis in Phishing

You’ve read it on this blog before. It’s not enough to simulate phishing emails and raise employees’ awareness. At the end of the day, you need to be able to stop real attacks. One key: basing simulations on phishing threats you actually see in your organization. Following is a real example of one CofenseTM customer that took these words to heart. This company is global. It operates in an extremely data-rich industry that stores Social Security numbers, email addresses, credit card information, and more. In other words, they have a lot to protect. First, the company leveraged information from a...

READ MORE

When Sharing Isn’t Caring: Phishing Attacks Are Abusing File-Sharing Sites

February 20, 2019 by Tonia Dudley in Internet Security Awareness

Cofense™ has predicted continued growth in phishing attacks that abuse file-sharing services, for example, Google Docs or Sharepoint. In this post, I’ll examine why and how threat actors are doubling down on this tactic. First, here’s the full prediction from Cofense threat analysts Nick Guarino and Lucas Ashbaugh: “The majority of phish seen in the wild in 2019 will live in historically ‘trusted’ sharing services like Google Docs, Sharepoint, WeTransfer, Dropbox, Citrix ShareFile, and Egnyte. It’s difficult for these services to keep up with the constant barrage of varied phishing tactics (Whack-A-Phish, anyone?). In fact, the service providers can be...

READ MORE

Here’s Proof that Corporate Board Members Want Stronger Phishing Defense

February 12, 2019 by Cofense in Internet Security Awareness

By Susan Mo More and more, boards of directors are security decision-makers. One example: Cofense just published a case study on a company whose board lit a fire for a stronger phishing defense—and it’s paying dividends.  This board took the lead in launching phishing simulations.  A leading aviation company in my part of the world, Australia, has a highly public presence. Translation: any security issues would likely make headlines. So the board mandated an anti-phishing program. Using Cofense PhishMeTM, the company now runs phishing simulations to condition its employees to recognize and report phishing emails.  The program is still in the...

READ MORE

Expect Credential Phishing to Continue Surging in 2019

February 6, 2019 by Tonia Dudley in Internet Security Awareness

“Hackers don’t need to break in, they only need to log in.” This was a quote mentioned at a conference I attended last December and which I repeated in an e-book Cofense™ recently published, 6 Phishing Predictions for 2019. My prediction was that hackers will continue to go full bore with credential phishing, emails that specifically ask for username and password.  

READ MORE

We’re Making It Easy for MSSP’s to Deliver Phishing Defense

January 31, 2019 by Cofense in Phishing

By John McCabe We’re Making It Easy for MSSP’s to Deliver Phishing Defense A new Cofense™ Managed Security Service Provider (MSSP) program makes it easy for service providers to offer phishing defense to small and medium-sized businesses. Phishing is a huge problem for SMB’s. With limited budget and expertise, they’re often targets of spear phishing, ransomware, and other attacks.

READ MORE