Uncomfortable Truth #5 about Phishing Defense
March 27, 2019 by David Mount in PhishingLast in a 5-part series. In this blog series we’ve explored the Uncomfortable Truths about phishing defense that relate to the problem of over-relying on technology to keep us safe. We’ve also seen how empowered users can give Security Operations teams desperately needed visibility into phishing threats. This leads us to our fifth and final Uncomfortable Truth: Most organizations are unable to effectively respond to phishing attacks. Before you get offended and say “Hey, that doesn’t apply to me, our SOC is awesome,” stick with me on this. The reasons for ineffective phishing incident response are many and varied, but...
Emotet Update: New C2 Communication Followed by New Infection Chain
March 26, 2019 by Darrel Rendell in Threat IntelligenceCISO Summary On March 15, CofenseTM Research reported that the Emotet botnet is changing the way it communicates, in a likely attempt to evade malware detection. Since then, Cofense IntelligenceTM has seen the same trend: Geodo-Emotet isn’t relying on cookies to make certain requests, instead performing HTTP POSTs to what seems to be the C2. Baking requests into cookies is a time-honored and easily detected pattern of behavior. Switching this up makes it harder to see when the malware is calling home. Moreover, Geodo-Emotet is now using a new infection chain, utilizing JavaScript files as droppers instead of macro-packed Office...
This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware
March 20, 2019 by Darrel Rendell in Threat IntelligenceCISO Summary Cofense IntelligenceTM reports that threat actors have spoofed a CDC email—this one warns of a flu epidemic—to deliver an updated variant of GandCrab ransomware. Besides competing for a new low in predatory cyber-crime, the phishing campaign follows the public release of a decryptor tool for infections of recent GandCrab versions, through version 5.1. The fake CDC email contained version 5.2, which renders the decryptor tool ineffective. Though ransomware has dropped off over the past year, the authors of GandCrab are still pushing out frequent, powerful updates. GandCrab is the last of the infamous “ransomware as a service” threats....
Uncomfortable Truth #4 about Phishing Defense
March 20, 2019 by David Mount in PhishingPart 4 of a 5-part series. I’m not going to beat around the bush here. Uncomfortable Truth #4 is quite simple: Users are NOT the problem. There. I said it. If this statement seems at odds with your current thinking, don’t close this browser window just yet. Stick with me, and the effectiveness of your phishing defense programs could be changed for the better. Let’s illustrate with a story from Malcolm Gladwell. In his book ‘Blink’, Malcolm Gladwell tells of the Getty Museum in New York buying an ancient Greek Kouros statue—a tale of man triumphing over machine, as it...
Uncomfortable Truth #3 about Phishing Defense
March 18, 2019 by David Mount in PhishingPart 3 of a 5-part series. In part 1 and part 2, we discussed the Uncomfortable Truths that no matter how good your perimeter controls, malicious emails still reach the inbox, and that security teams cannot defend against attacks they cannot see. While some still hold next-gen technologies in almost exalted status, many organizations are beginning to accept that phishing threats still reach user inboxes and that these users will be tempted to click. To address this risk, significant investments are made in awareness activities, including phishing simulation. Commonly, the primary goal or success metric of these activities is a...
Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication
March 15, 2019 by Cofense in Threat IntelligenceWe are currently noticing a change in the way that the Emotet botnet, specifically the epoch 1 variant, is communicating with the C2. In past versions, the client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s. The URI’s contacted contain variable words in the paths. We are seeing form data passed with a name variable and data. This change will break researchers as well as certain detection technologies while they...
Uncomfortable Truth #2 about Phishing Defense
March 14, 2019 by David Mount in PhishingIn Part 1, we explored the uncomfortable truth that no matter how good your perimeter controls, malicious emails still reach the inbox. While security technologies do a great job of telling us about the attacks they have stopped, they do a poor job of telling us about the threats they have let through. This segues nicely into: Uncomfortable Truth #2: You cannot defend against attacks you cannot see. Visibility is a core tenet of any security operations center. Afterall, if a SOC has no visibility of an attack, they cannot mitigate it. As the threat landscape evolves, organizations deploy more...
‘Read the Manual’ Bot Gives This Phishing Campaign a Promising Future
March 12, 2019 by Aaron Riley in Threat IntelligenceCISO Summary Cofense IntelligenceTM has spotted a surgical phishing campaign whose targets could easily broaden, given the sophisticated development of its tactics. For now, it’s taking aim at financial departments in Russia and neighboring countries, using the Read the Manual (RTM) Bot to deliver a banking trojan. Among other capabilities, the malware steals data from accounting software and harvests smart card information. The newest version uses The Onion Router (TOR) communication protocol, whose privacy and extra encryption are signs the threat actors could be serious about developing the banking trojan for future campaigns. Technical controls can help combat this threat,...
Uncomfortable Truth #1 about Phishing Defense
March 11, 2019 by David Mount in PhishingPart 1 of a 5-Part Series The threat posed by phishing is not new. For many years, the media and research papers have been littered with examples of data breaches that have been traced back to phishing attacks. Organizations have attempted to tackle the threat through investments in next-gen technologies and increased employee awareness training. Despite these efforts, the threat has not receded, in fact, it’s become more sophisticated and more effective. It’s time for organizations to accept some uncomfortable truths about routine approaches to phishing defence and think differently – understanding that REAL phish are the REAL problem. In...
Lime RAT: Why It Caught Our Eye and How this Versatile Malware Works
March 6, 2019 by Aaron Riley in Threat IntelligenceCISO Summary Cofense IntelligenceTM has spotted a phishing campaign using the Lime remote administration tool (RAT), whose versatility makes it an especially dangerous malware type. Lime RAT is a mash-up of ransomware, cryptominer, stealer, worm, and keylogger. When skillfully deployed, it can filch a wide range of information, encrypt computers for ransom, or transform the target host into a bot. Lime RAT appeals to novice and seasoned threat actors alike, thanks to its anti-virus evasion techniques, anti-virtual machine features, small footprint, and encrypted communications. Threat analysts will want to read the full analysis below. Security awareness managers will want to...