One important task for threat actors is the pursuit of new and innovative techniques for infiltrating their victims’ networks. A major aspect of this pursuit is the selection of a malware that can accomplish the mission at hand. For example, a ransomware threat actor may seek out the ransomware tool that guarantees the highest rate of ransom payment. However, threat actors with different missions might seek out tools using different success criteria. Threat actors can experiment and transition between these tools because, in many ways, these malware varieties represent interchangeable parts in an attack life cycle.
The WannaCry ransomware incident has galvanized global media coverage and dominated discussion among information security professionals since Friday, May 12. The speed with which this malware was able to spread within enterprise networks and how rapidly so many large organizations were impacted is unsettling. Yet, as the dust begins to settle, it is clear that this episode has left a number of lessons in its wake–lessons to be harnessed by defenders and their adversaries.
While this attack is an expansive topic that will continue to evolve as more discoveries are made about the impact, origin, and spread of the WannaCry ransomware, it is also important to keep in mind that WannaCry is one of three major incidents to arise in the past month. Lessons provided by WannaCry are only deepened by the additional context of the fake Google Docs malicious cloud application incident of May 4, 2017 and the introduction of the Jaff encryption ransomware on May 11, 2017. First and most obvious, both Jaff and WannaCry show that the ransomware business model is far from obsolete. There is still a great deal of value to threat actors in holding data for ransom. Second, the novel attack vectors for WannaCry and the fake Google Docs cloud application show that innovation in leveraging new attack surfaces is happening among threat actors. The challenge for defenders is to internalize these revelations and develop an agile security posture that incorporates defense against existing risks and emergent attack vectors.
The explosive growth of ransomware in 2016 marked a dramatic shift in how many threat actors monetize phishing attacks. While certain ransomware tools were delivered using other mechanisms, tools like Locky and Cerber set the tone for the ransomware business model. These ransomware tools were delivered by massive numbers of phishing email to reach the largest number of victims. This business model has been once again put into action by the Jaff encryption ransomware following its debut just one week ago on May 11, 2017. However, the worm functionality demonstrated by WannaCry puts a unique spin on that model by reducing the infrastructure and resource expenditure necessary for the threat actor to maximize their ability to infect new hosts. The goal for both Jaff and WannaCry threat actors is still to reach as many victims as possible to maximize the number of potential ransom payments, lending credence to the notion that ransomware is far from obsolete as an avenue for online crime.
While the propagation mechanisms of the fake “Google Docs” application that made headlines on May 4, 2017 and the WannaCry ransomware worm differ dramatically, both show that virulence is an important aspect of their overall strategy. Furthermore, each of these incidents shows a significant level of innovation by harnessing relatively new attack vectors. The fake “Google Docs” incident took advantage of users’ reliance on cloud services to propagate while WannaCry leveraged a vulnerability only recently disclosed and made public. However effective these attacks were in their own right, the long-term impact will be the future attacks inspired by these innovations. Whether the payload is a ransomware or some other category of malware, threat actors are watching and learning from these attacks. Furthermore, neither innovation is exclusive of the use phishing email as a means for making a “first contact” with a victim as was the case with the fake “Google Docs” application. By combining these promising innovations with a tried-and-trusted attack vector, threat actors will continue to gain access to enterprise data and hold it for ransom.
The high profile events of the past month have provided some indication that threat actors are quickening the pace of innovation and looking to combine these innovations with existing attack models. Both phishing and the ransomware tools delivered via phishing emails have proven very successful for threat actors and continued use of both can be expected. However, as threat actors learn from events like those from the past month it can be expected that they will attempt to implement their own versions using creative re-combinations of these techniques to launch attacks of their own.
To anticipate and mitigate these new attack vectors, those tasked with defending enterprises must adapt their security posture to changing paradigms. It is important to ensure there are agile defense and response processes that incorporate protections for multiple attack surfaces and at various stages of the attack life cycle. This effort begins with the basics of regular patching and network hygiene. It also requires the anticipatory education and empowerment of email users to engage with messages critically and act on suspicions, reporting potentially-malicious emails to the enterprise’s defenders. These internal reports can then be compared to external observations and intelligence reporting to identify the most immediate risks to an organization. The threat landscape is evolving, but in the face of robust, holistic, and human-centered defense strategies, attackers can be overcome.
Learn why more than half of the Fortune 100 trusts PhishMe® for end-to-end phishing mitigation. Request a free demo today, no obligations, no software to install.
Over the past several days, the Phishing Defense Center identified and responded to several messages related to an ongoing phishing email campaign spoofing DocuSign to carry out an attack. These messages appear to be official DocuSign emails including links to review the document. Upon clicking the link, various malicious files are downloaded to the victim’s computer including the DELoader financial crimes malware.
As most of you are aware, a fast moving, self-propagating attack blew across the internet over the weekend, and it’s not over yet. Using an alleged NSA exploit , this malware is able to quickly traverse a network and deliver a ransomware payload affecting hundreds of countries and hundreds of thousands of users.
According to internet sources, Eugene Pupov is not a student at Coventry University.
Since the campaign’s recent widespread launch, security experts and internet sleuths have been scouring the internet to discover the actor responsible for yesterday’s “Google Doc” phishing worm. As parties continued their investigations into the phishing scam, the name “Eugene Popov” has consistently popped up across various blogs that may be tied to this campaign.
A blog post published yesterday by endpoint security vendor Sophos featured an interesting screenshot containing a string of tweets from the @EugenePupov Twitter handle claiming the Google Docs phishing campaign was not a scam, but rather a Coventry University graduate student’s final project gone awry.
Several folks on Twitter, including Twitter verified Henry Williams (@Digitalhen) have pointed out a serious flaw in the @EugenePupov profile.
This twitter account, which fraudulently used a profile image portraying molecular biologist Danil Vladimirovich Pupov from the Institute of Molecular Genetics at the Russian Academy of Sciences, has since been deactivated.
Coventry University’s communications team quickly responded on social media denying all claims that anyone named Eugene Pupov is a current or former student.
Something clearly is “phishy” about this situation.
Despite the university’s recent announcement discrediting claims of enrollment for a Eugene Popov, I would like to hypothetically explore the theory that yesterday’s campaign was a result of a student phishing research project that went terribly viral. Our PhishMe Intelligence teams identified and obtained the campaign source code and noticed that the most notable aspect of this phishing campaign was its uncanny ability to self-replicate and spread. From our vantage, there is no outward evidence indicating data was stolen or manipulated as previously alleged.
The list of domains created for this alleged “student demonstration” stinks like rotten phish.
As a career-wide security researcher and current leader of phishing intelligence research teams, this list of domains is concerning. Typically, when a researcher is creating proof-of-concept code for a white paper or presentation, the naming conventions adjust the URLs to showcase their malicious or fraudulent nature for education purposes, examples being:
If the party responsible intended to showcase educational materials that had any potential to unintentionally mislead a victim, they would typically create one, possibly two, examples to help avoid such scenario. A similar example of this would be the puny code phishing sample recently covered in WIRED where the researcher created one puny code example domain.
What’s most concerning here is the number of googledoc look-alike domains. In most best practice scenarios, a legitimate security researcher would not typically register 9 domains to illustrate a point or to educate on a threat vector. This behavior pattern is most noticeably tied to malicious actors with real nefarious motivations behind their actions.
It may be some time before the true motives of the phishing worm author are revealed, however we are inclined to believe there is a very good chance that malicious intent was in development during this campaign, the execution of which snowballed quickly beyond the author’s desired scope.
One of the most popular Netflix series, Orange is the New Black, scored an early parole due to some bad behavior this weekend. TheDarkOverload, the group claiming responsibility for the hack, already released the season five premier and is threatening to release “a trove of unreleased TV shows and movies.”
Even the biggest companies fall for it. This week, reports showed that Business Email Compromise (BEC) scams, sometimes referred to as CEO Fraud Emails, netted over $100 million dollars from Facebook and Google. While people are increasingly aware of phishing emails containing links and attachments, BEC scams (also known as CEO Fraud) continue to reward criminals with alarming effectiveness. These phishing scams fly past traditional security roadblocks because there are no URLs or Attachments to scan.
Problems arise when we use the terms Spam and Phishing interchangeably. At the risk of sounding persnickety, I’m going to try to build the case of why we need to stop confusing Spam and Phishing.