Researchers have discovered a new phishing campaign designed to spread ransomware and steal data by capitalizing on interest in the recent Colonial Pipeline outage.
Security vendor Inky spotted the malicious emails and said several Microsoft 365 customers were targeted.
The emails were spoofed to appear as if sent from the recipient’s “Help Desk.” Recipients were instructed to click a malicious link to download a critical “ransomware system update” that would supposedly protect their organization from the same fate as Colonial Pipeline.
“The malicious emails were sent from newly created domains (ms-sysupdate.com and selectivepatch.com) controlled by cyber-criminals. The domain names, sufficiently plausible to appear legitimate, were nonetheless different enough so that garden variety anti-phishing software would not be able to use regular expression matching to detect their perfidy,” explained VP of security strategy, Roger Kay.
“Both domains were registered with NameCheap, a registrar popular with bad actors. Its domains are inexpensive, and the company accepts Bitcoin as payment for hosting services (handy for those trying to remain anonymous). The malicious links in the emails belonged to — surprise — the same domain that sent the emails.”
The download itself is, in fact, Cobalt Strike — a legitimate pen-testing tool often used in ransomware attacks and data exfiltration and which could be used in this instance to control targeted systems.
Kay concluded that anti-phishing software must be used to mitigate the risk of such attacks, in conjunction with well-thought-out policies, such as IT teams never asking employees to download certain file types.
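The report makes three observations a mail filter can act on without relying on exact-match regular expressions: an external sender posing as the internal help desk, links that point back to the sending domain, and a domain name built from update/patch wording. The script below turns those into a simple triage rule. It is an added example, not Inky's detection logic; the two sample messages are constructed, `example.com` is assumed to be the defender's own mail domain, and the two-label "registrable domain" helper is a deliberate simplification that ignores multi-label public suffixes.

```python
"""Heuristic triage for 'ransomware system update' style lures.

Added example: not Inky's product logic. ORG_DOMAIN and both SAMPLE
messages are constructed for illustration; the sending domains in the
lure sample are the two named in the report.
"""
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the defender's own mail domain
HELPDESK_WORDS = ("help desk", "helpdesk", "it support", "service desk")
LURE_WORDS = ("update", "patch", "sysupdate", "security", "ransomware")
ACTION_WORDS = ("download", "install")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: no multi-label suffixes."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(msg):
    """Return the list of heuristics that fire for one message dict."""
    findings = []
    from_domain = registrable_domain(msg["from_addr"].split("@")[-1])
    external = from_domain != ORG_DOMAIN
    display = msg["from_display"].lower()

    # 1. Internal help-desk branding on a message from an outside domain.
    if external and any(w in display for w in HELPDESK_WORDS):
        findings.append("internal-helpdesk display name from external domain")

    # 2. Every link lands on the same domain that sent the mail.
    link_domains = {
        registrable_domain(urlparse(u).hostname or "") for u in msg["links"]
    }
    if external and link_domains and link_domains <= {from_domain}:
        findings.append("all links resolve to the sending domain")

    # 3. Sending domain itself is built from update/patch wording.
    if external and any(w in from_domain for w in LURE_WORDS):
        findings.append("sending domain contains update/patch lure wording")

    # 4. Message urges the reader to download or install an 'update'.
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(w in text for w in ACTION_WORDS) and any(w in text for w in LURE_WORDS):
        findings.append("message urges download/install of an 'update'")

    return findings


def verdict(msg, threshold=2):
    """Quarantine when at least `threshold` heuristics fire."""
    findings = triage(msg)
    return ("quarantine" if len(findings) >= threshold else "allow"), findings


# Constructed sample messages.
LURE = {
    "from_display": "Help Desk",
    "from_addr": "support@ms-sysupdate.com",
    "subject": "Critical ransomware system update",
    "body": "Your organization requires a critical ransomware system update. "
            "Download and install it now from the link below: "
            "https://ms-sysupdate.com/patch",
    "links": ["https://ms-sysupdate.com/patch",
              "https://selectivepatch.com/install"],
}
BENIGN = {
    "from_display": "Help Desk",
    "from_addr": "helpdesk@example.com",
    "subject": "Updated acceptable use policy",
    "body": "Please read the updated policy on the intranet.",
    "links": ["https://intranet.example.com/policy"],
}

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN)):
        print(name, verdict(msg))
```

The second lure link points at `selectivepatch.com`, so the "all links resolve to the sending domain" heuristic does not fire on its own; the lure still crosses the threshold on the other three. Tune `threshold` against real mail flow before enforcing, since the help-desk and download/update checks will also match some legitimate vendor notices.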
In related news, it has been reported that the DarkSide group responsible for the attack on Colonial Pipeline may have breached the critical infrastructure organization via a single compromised password.
A Mandiant VP working on the case reportedly claimed that the VPN account log-in allowed remote attackers to infiltrate the company’s network, even though the account was no longer in use at the time. The credential was subsequently found on the dark web, meaning it may have been previously reused across multiple accounts.