Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security

11/14/2019
10:50 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Keeping It Real Can Pay Off for Old-School Attacks

Even a previously known attack can fool the security team if it is well crafted.

In the security arena, much of the effort a team will expend centers around the continual process of identifying and understanding the details of the methodology employed by the novel attacks that keep showing up.

This effort happens at such a rapid pace, it may be disconcerting to the security team to be forced by some situation to realize how well a previously known attack can succeed if it is well-crafted in all aspects.

Not clicking on unknown attachments (so as to give malware permission to run) is a classic security homily. But what if the user doesn't realize that the attachment is an unknown one and thinks that it is legitimate? It's called social engineering.

Social engineering is the method that malware authors use to conceal from the user what it is that they are actually going to be doing when they perform an action. Social engineering has as its goal giving the user the permission they need to go ahead and do something. This aspect of an attack can be the paramount factor in its outcome, eclipsing any other methodology that may be simultaneously used.

Some recent news from Proofpoint brings this into focus. It found threat actors in late October 2019 who were trying to pull off one of the oldest attack vectors around, that of a poisoned Word attachment that is just waiting to start installing malware. The user has to "open" it, of course.

The emails that were used as a lure purported to originate with the German Federal Ministry of Finance. They were targeted at IT service companies. The document itself promised a large tax refund, if only the user would open the attached refund request form. The attachment would, instead of getting the business money, go out and install the Maze ransomware on the victim's computer. Some variants attempted to load the Crowdstrike backdoor as the payload.

This campaign used similar sender email addresses in the lure to those that would be normally used by the Ministry. This attention to detail in the social engineering shows its importance to the attack, how necessary it can be to make everything appear to be legitimate.

The same actor used a different lure document in an Italian campaign occurring in late October, where the lure was supposed to be from the Italian Ministry of Taxation. Besides once again taking over a "brand," the actors again found Ministry-similar domains to front as sender email addresses.

Proofpoint says that it saw "a consistent set of TTPs (Tactics, Techniques and Procedures) that allows attribution of these campaigns to a single actor with high confidence."

Finally, the actor tried their luck in the US in November. Proofpoint observed "thousands of emails attempting to deliver malicious Microsoft Word attachments with English lures, this time impersonating the United States Postal Service (USPS) and distributing the IcedID banking Trojan." The emails seemed to be directed at the healthcare vertical.

It's not new or complicated. It's not flashy. But even a simple attack can work if it has been done right.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...