New Phishing Emails Deliver Malicious .ISO Files to Evade Detection

On May 22, 2017, PhishMe® received several emails with .ISO images as attachments via the Phishing Defense Center. ISO images are typically used as an archive format for the contents of an optical disc and are often used as installers for operating systems. In this case, however, a threat actor leveraged the archive format as a means to deliver malware to the recipients of their phishing email. Analysis of the attachments showed that the archive format was abused to deliver malicious AutoIT scripts hidden within a PE file that appears to be a Microsoft Office document; the PE file creates a process called MSBuild.exe and causes it to act as a Remote Access Trojan. AutoIT is a BASIC-like scripting language designed for automating Windows GUI tasks and general scripting. Like any scripting or programming language, it can be used for malicious purposes.
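A defender-side check for the delivery mechanism described above, written as an added example (not code from PhishMe or the original post): it parses an email, finds attachments, and flags ISO images both by file extension and by the ISO 9660 "CD001" signature in the primary volume descriptor, so a renamed image is still caught. The sample message and the minimal fake ISO image are constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage

# ISO 9660 primary volume descriptor sits at sector 16 (byte 0x8000); its
# first byte is the descriptor type (0x01), followed by the "CD001" identifier.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"


def looks_like_iso(data: bytes) -> bool:
    """Return True if the bytes carry an ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def find_iso_attachments(raw_message: bytes) -> list:
    """Scan a raw RFC 5322 message and report attachments that are ISO images.

    An attachment is reported if its name ends in .iso OR its content has the
    ISO 9660 signature, so extension spoofing alone does not evade the check.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        by_ext = name.lower().endswith(".iso")
        by_magic = looks_like_iso(payload)
        if by_ext or by_magic:
            findings.append({"filename": name, "by_extension": by_ext,
                             "by_magic": by_magic, "size": len(payload)})
    return findings


def build_sample_message(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Construct a phishing-style test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed sample address
    msg["To"] = "recipient@example.invalid"     # constructed sample address
    msg["Subject"] = "Please review the attached document"
    msg.set_content("See attachment.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed minimal ISO-like blob: zero padding up to the volume descriptor,
# then descriptor type 0x01 and the "CD001" identifier. Not a real image.
FAKE_ISO = b"\x00" * 0x8000 + b"\x01CD001" + b"\x00" * 64

if __name__ == "__main__":
    print(find_iso_attachments(build_sample_message("Invoice.ISO", FAKE_ISO)))
```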

WannaCry Highlights an Evolving Threat Landscape

The WannaCry ransomware incident has galvanized global media coverage and dominated discussion among information security professionals since Friday, May 12. The speed with which this malware was able to spread within enterprise networks, and how rapidly so many large organizations were impacted, is unsettling. Yet, as the dust begins to settle, it is clear that this episode has left a number of lessons in its wake: lessons to be harnessed by defenders and their adversaries alike.

While this attack is an expansive topic that will continue to evolve as more discoveries are made about the impact, origin, and spread of the WannaCry ransomware, it is also important to keep in mind that WannaCry is one of three major incidents to arise in the past month. Lessons provided by WannaCry are only deepened by the additional context of the fake Google Docs malicious cloud application incident of May 4, 2017 and the introduction of the Jaff encryption ransomware on May 11, 2017. First and most obvious, both Jaff and WannaCry show that the ransomware business model is far from obsolete. There is still a great deal of value to threat actors in holding data for ransom. Second, the novel attack vectors for WannaCry and the fake Google Docs cloud application show that innovation in leveraging new attack surfaces is happening among threat actors. The challenge for defenders is to internalize these revelations and develop an agile security posture that incorporates defense against existing risks and emergent attack vectors.

Figure 1 – WannaCry combined classic ransomware elements with powerful propagation potential

The explosive growth of ransomware in 2016 marked a dramatic shift in how many threat actors monetize phishing attacks. While certain ransomware tools were delivered using other mechanisms, tools like Locky and Cerber set the tone for the ransomware business model. These ransomware tools were delivered by massive numbers of phishing email to reach the largest number of victims. This business model has been once again put into action by the Jaff encryption ransomware following its debut just one week ago on May 11, 2017. However, the worm functionality demonstrated by WannaCry puts a unique spin on that model by reducing the infrastructure and resource expenditure necessary for the threat actor to maximize their ability to infect new hosts. The goal for both Jaff and WannaCry threat actors is still to reach as many victims as possible to maximize the number of potential ransom payments, lending credence to the notion that ransomware is far from obsolete as an avenue for online crime.

Figure 2 – Jaff relies on commonplace and familiar phishing narratives to infect victims

Figure 3 – Although a new ransomware, Jaff brings few new features to the table

While the propagation mechanisms of the fake “Google Docs” application that made headlines on May 4, 2017 and the WannaCry ransomware worm differ dramatically, both show that virulence is an important aspect of their overall strategy. Furthermore, each of these incidents shows a significant level of innovation by harnessing relatively new attack vectors. The fake “Google Docs” incident took advantage of users’ reliance on cloud services to propagate, while WannaCry leveraged a vulnerability that had only recently been disclosed and made public. However effective these attacks were in their own right, the long-term impact will be the future attacks inspired by these innovations. Whether the payload is ransomware or some other category of malware, threat actors are watching and learning from these attacks. Furthermore, neither innovation excludes the use of phishing email as a means of making “first contact” with a victim, as was the case with the fake “Google Docs” application. By combining these promising innovations with a tried-and-trusted attack vector, threat actors will continue to gain access to enterprise data and hold it for ransom.

Figure 4 – Phishing email was used as a vector for attacking cloud infrastructure using a fake Google Docs web application

The high-profile events of the past month have provided some indication that threat actors are quickening the pace of innovation and looking to combine these innovations with existing attack models. Both phishing and the ransomware tools delivered via phishing emails have proven very successful for threat actors, and continued use of both can be expected. However, as threat actors learn from events like those of the past month, it can be expected that they will implement their own versions, using creative re-combinations of these techniques to launch attacks of their own.

To anticipate and mitigate these new attack vectors, those tasked with defending enterprises must adapt their security posture to changing paradigms. It is important to ensure there are agile defense and response processes that incorporate protections for multiple attack surfaces and at various stages of the attack life cycle. This effort begins with the basics of regular patching and network hygiene. It also requires the anticipatory education and empowerment of email users to engage with messages critically and act on suspicions, reporting potentially-malicious emails to the enterprise’s defenders. These internal reports can then be compared to external observations and intelligence reporting to identify the most immediate risks to an organization. The threat landscape is evolving, but in the face of robust, holistic, and human-centered defense strategies, attackers can be overcome.


PhishMe and Aquion Announce Strategic Channel Alliance

Partnership Extends Offering of PhishMe Solutions Across Australia, New Zealand and Oceania

MELBOURNE, AUSTRALIA – WELLINGTON, NEW ZEALAND – May 23, 2017: PhishMe Inc., the leading provider of human phishing defense solutions, and Aquion, a focused software security distributor of IT products and services, announced a new strategic channel alliance. As a premier reseller and distributor, Aquion will help to accelerate the rapid growth that PhishMe has achieved across Australia and New Zealand.

Aquion specializes in bringing innovative and emerging technologies to the Australia/New Zealand and APAC marketplaces. Aquion’s sales and technical resources are vendor trained and certified to deliver a high-level experience to customers. The strategic alliance will benefit customers across the region, with PhishMe’s human intelligence-driven anti-phishing solutions augmenting Aquion’s comprehensive security technology portfolio. Together, PhishMe and Aquion will help to protect organisations from today’s advanced security threats.

Audrey Lyon, Sales Manager of Aquion, said: “We’re excited about this collaboration which provides us with excellent opportunities, as PhishMe’s defense solutions offer a number of unique benefits to organisations throughout the Asia Pacific region. PhishMe’s innovative approach presents customers with a comprehensive and scalable human phishing defense solution, to help tackle the pressing issue of the number one attack vector – phishing. We know our customers are struggling with phishing attacks that are growing in complexity and frequency. Our relationship with PhishMe will certainly enhance the Aquion Security business unit which helps customers monitor, manage, and secure all elements of enterprise infrastructure using the best technologies.”

PhishMe’s phishing incident response platform and phishing threat intelligence enable Security Operations Centre and Incident Response teams to respond faster to real threats, decreasing the risk of data breaches. Its intelligence-driven solutions empower employees to be an active line of defense and a source of attack intelligence by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. The company has received a range of respected industry awards over the course of the last year, and recently announced record year-on-year growth.

“Collaboration with industry leading IT and security companies such as Aquion extends our reach to a greater number of customers facing an unprecedented increase in frequency and damage caused by cyberattacks,” explained Jim Hansen, Chief Operating Officer, PhishMe. “PhishMe is the only security company that provides a comprehensive and scalable human phishing defense solution. Through our alliance with Aquion, we are giving organizations across the Oceania region the security solutions and intelligence they need to proactively detect and quickly respond to cyber attacks.”

PhishMe and Aquion will both be exhibiting at AusCERT 2017, taking place at the Surfers Paradise Marriott in Gold Coast, Australia from 23–26 May 2017. Please visit PhishMe in booth S29 and Aquion in booth S17 for more information.

About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

Media Contact

AxiCom for PhishMe Global
Francesco Tius

Phone: +44 (0) 20 8392 4061
Email: francesco.tius@axicom.com

About Aquion

Since 2000, Aquion has been making it easier for A/NZ and APAC enterprise and government customers, and their resellers, to source, implement and maintain software solutions that meet their specific business requirements.

Aquion’s business units focus on delivering:

  1. Innovative and emerging technologies to manage, monitor and secure data and infrastructure
  2. Software from thousands of vendors to corporate resellers, providing an end-to-end solution for their customers
  3. Support and maintenance services to ensure all corporate software users have access to the latest versions and vendor support
  4. Technical pre- and post-sales services to make choosing and installing the best software for the need easier

Our purpose of making business easier, combined with our track record of consistent growth, gives us confidence that Aquion will be bigger and stronger moving into the future.

Media contact

Kieran Rigney
Marketing and Communications Manager – Aquion

Phone: +61 2 8036 8025

Email: krigney@aquion.com.au

FBI Announces That BEC Scam Losses Continue to Skyrocket, as Losses Exceed $3.1B

Financial losses from business email compromise (BEC) scams skyrocketed by 2,370% between January 2015 and December 2016, according to an FBI public service announcement released Thursday. The alarming statistic represents a sharp increase from the agency’s previous announcement, serving as a warning to users to stay vigilant in recognizing the threat.

Tales from the Trenches: DocuSign® DELoader Phishing Attack

Over the past several days, the Phishing Defense Center identified and responded to several messages related to an ongoing phishing email campaign that spoofs DocuSign to carry out an attack. These messages appear to be official DocuSign emails, including links to review the document. Upon clicking the link, various malicious files are downloaded to the victim’s computer, including the DELoader financial crimes malware.

In the Shadow of WannaCry, Jaff Ransomware Arrives Using Familiar Phishing Techniques

Adding another entry to the ever-growing list of encryption ransomware, the Jaff ransomware made its debut onto the threat landscape with large sets of phishing emails on May 11, 2017, one day before the sensational impact of the WannaCry ransomware attack. The risks posed by Jaff should not be overlooked, however: this, too, is a robust ransomware that leverages some of the most prolifically used delivery mechanisms in phishing email and embodies characteristics associated with other very successful malware.

What You Can Do About the WCry (WannaCry) Ransomware

As most of you are aware, a fast-moving, self-propagating attack blew across the internet over the weekend, and it’s not over yet. Using an alleged NSA exploit, this malware is able to quickly traverse a network and deliver a ransomware payload, affecting hundreds of countries and hundreds of thousands of users.