Record Ransomware Attacks: June 2023 Highest Month Ever
Threat actors broke another record. Here’s what you need to know.
Return of Emotet malware, law firm impersonation, and a breach at Dropbox.
Emotet, the storied malware family that just won’t quit, has returned to action after a months-long hiatus. This malware is spread through email by impersonating trusted companies, then tricking users into downloading files or clicking links. The emails typically contain a seemingly harmless attachment such as a Microsoft Excel or Word file that quietly carries out a number of malicious activities when opened. Over time, the Emotet operators have grown their operation into a complex malware-as-a-service offering, where the malicious emails serve as a delivery mechanism for other malware or ransomware groups. After small beginnings in 2014, Emotet grew large enough to attract international law enforcement attention and was shut down in January 2021. Unfortunately, the reprieve was short-lived: Emotet returned later that same year, in November 2021. The Emotet operators are known to take a few months off from time to time before getting back to their business of being a delivery service for pernicious cybercrime.
With its expansive infrastructure, Emotet is able to deliver malicious emails to unsuspecting users in astounding numbers. Only a few need to fall prey to keep large crime groups like ransomware gangs supplied with victims. Organizations can help mitigate this threat by training users not to open email attachments they weren’t expecting to receive and by keeping macros in Microsoft documents disabled. Endpoint Detection and Response (EDR) solutions can help prevent wider compromise if Emotet does find its way from a user’s inbox into a network.
Research by Abnormal Security reveals a new threat actor leveraging impersonation tactics to trick businesses into sending fraudulent payments. Dubbed Crimson Kingsnake, this group has been mimicking well-known law firms and debt collection agencies to trick accountants into paying fake invoices.
The group registers look-alike domains for the firms it imitates, a technique called typosquatting. To mimic lawfirm.com, the threat actor might create lawflrm.com (note the “l” in place of the “i”).
If Crimson Kingsnake is met with resistance, they will take on an additional persona as an executive at the targeted company. Now impersonating an executive, the group has been observed going one step further to authorize the questioning employee to make the fraudulent payment, often referencing having approved the services several months prior without a purchase order.
Incidents such as these don’t garner the same attention as large ransomware or data theft cases, but fraudulent payments are a tricky threat. The extra lengths threat actors such as Crimson Kingsnake go to in order to be convincing undoubtedly pay off. Organizations can help protect themselves through social engineering awareness training that includes an emphasis on detecting urgency in a requestor’s email. Whenever payments are involved, checks and balances should be applied, including verification of the services rendered, the payment information, and the requestor’s identity. A Secure Email Gateway (SEG) can also help prevent spam, phishing, and malicious emails from reaching employees in the first place. Check out this article for more information on preventing this type of attack.
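The typosquatting check described above can be automated at the mail gateway or in a finance team’s invoice intake: compare each sender domain against the domains of known partners after folding common look-alike characters, and flag near-matches for out-of-band verification. The following is an added example, not code from Abnormal Security or from the original article; the partner domains, the sample messages and the small confusables table are constructed for illustration.

```python
import unicodedata

# Constructed list of partner domains this organization legitimately receives invoices from.
TRUSTED_DOMAINS = ["lawfirm.com", "debt-collections.example", "dropbox.com"]

# Illustrative look-alike substitutions (an assumption; a real deployment would use the
# full Unicode confusables table). Multi-character entries come first so they are folded
# before their component characters are.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("|", "i"),
               ("0", "o"), ("5", "s"), ("3", "e")]

# Constructed sample inbox: (sender address, subject line).
SAMPLE_MESSAGES = [
    ("partner@lawfirm.com", "Retainer invoice Q2"),
    ("accounts@lawflrm.com", "URGENT: overdue invoice - wire today"),
    ("collections@debt-collections.example", "Account 4471 statement"),
    ("billing@dropb0x.com", "Subscription renewal"),
    ("newsletter@example.org", "Weekly digest"),
]


def fold(domain):
    """Canonical form for comparison: lower-case, accents stripped, look-alikes folded."""
    text = unicodedata.normalize("NFKD", domain.strip().lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def levenshtein(a, b):
    """Plain edit distance; adequate for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return ("trusted", domain), ("lookalike", imitated_domain) or ("unknown", None)."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    if domain.startswith("xn--") or ".xn--" in domain:
        # Punycode labels can hide non-Latin homoglyphs; treat them as suspect outright.
        return "lookalike", None
    folded = fold(domain)
    for partner in trusted:
        if levenshtein(folded, fold(partner)) <= max_distance:
            return "lookalike", partner
    return "unknown", None


def flag_invoices(messages, **kwargs):
    """Run the check over (sender, subject) pairs; return the ones needing a phone call."""
    flagged = []
    for sender, subject in messages:
        verdict, imitated = classify_sender(sender, **kwargs)
        if verdict == "lookalike":
            flagged.append((sender, subject, imitated))
    return flagged


if __name__ == "__main__":
    for sender, subject, imitated in flag_invoices(SAMPLE_MESSAGES):
        print(f"VERIFY BY PHONE: {sender!r} ({subject}) resembles {imitated}")
```

A flagged message is a prompt to verify the request through a channel the sender did not supply (a phone number already on file, not one in the email signature), which is the check-and-balance step the paragraph above calls for. The `max_distance` threshold should stay small: on short domains a distance of 2 or more produces many false matches.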
Crimson Kingsnake: BEC Group Impersonates (Abnormal Security)
New Crimson Kingsnake gang impersonates law firms in BEC attacks (BleepingComputer)
Cloud storage giant Dropbox disclosed that it was breached in October after a threat actor stole data from 130 of its GitHub code repositories. Attackers walked away with API keys, some modified code, as well as the names and email addresses of thousands of Dropbox employees, customers, sales leads, and vendors. Dropbox has stated that none of its users’ content, passwords, or payment information were accessed. The attack ultimately stemmed from a phishing campaign impersonating the CircleCI DevOps integration platform and targeting Dropbox employees. The phishing emails led to a fake sign-in page where employees entered their GitHub username and password and then used their hardware authentication key to pass a One Time Password (OTP) to the malicious site. Threat actors were then able to use this information to gain access to employee GitHub accounts. The intrusion was discovered when GitHub notified Dropbox of suspicious activity.
This is another example of how phishing and MFA bypass have proven effective, even against some of the biggest names in tech. Phishing campaigns can be particularly convincing, especially when they are targeted. Phishing-resistant methods of MFA are becoming more of a need as threat actors find ways to bypass traditional MFA methods.
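The difference between the OTP that was relayed in the Dropbox incident and a phishing-resistant method comes down to what the server verifies. An OTP proves only that whoever typed it holds the seed; it carries no record of which page it was typed into. A WebAuthn/FIDO2 assertion, by contrast, is a signature over data that includes the origin the browser was actually on, so the server can reject an assertion produced on any page but its own. The model below is an added example, not code from Dropbox, GitHub or the original article: it uses an HMAC key as a stand-in for the authenticator’s public key, a simplified HOTP-style code, and constructed origins, and it contains no network code, only the verification logic a relying party applies in each case.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins: the genuine login page and a look-alike page that forwards
# whatever the user submits to the genuine site.
LEGIT_ORIGIN = "https://login.example"
PHISH_ORIGIN = "https://login-circleci-verify.example"


def make_otp(seed, counter):
    """HOTP-style 6-digit code (simplified; real HOTP uses a different truncation)."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def sign_client_data(key, client_data):
    # Stand-in for the authenticator's private-key signature over clientDataJSON.
    payload = json.dumps(client_data, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class RelyingParty:
    """Toy server holding the user's OTP seed and the authenticator's verification key."""

    def __init__(self):
        self.otp_seed = secrets.token_bytes(32)
        self.authenticator_key = secrets.token_bytes(32)
        self.otp_counter = 0
        self.pending_challenges = set()

    # One-time-password path: the code proves possession of the seed and nothing else.
    def verify_otp(self, code):
        expected = make_otp(self.otp_seed, self.otp_counter)
        if hmac.compare_digest(code, expected):
            self.otp_counter += 1
            return True
        return False

    # Origin-bound path: the signed data names the page the browser was really on.
    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending_challenges.add(challenge)
        return challenge

    def verify_assertion(self, assertion):
        client_data = assertion["client_data"]
        if client_data["challenge"] not in self.pending_challenges:
            return False                      # replayed or unknown challenge
        if client_data["origin"] != LEGIT_ORIGIN:
            return False                      # signed for some other site: reject
        expected_sig = sign_client_data(self.authenticator_key, client_data)
        if not hmac.compare_digest(expected_sig, assertion["signature"]):
            return False
        self.pending_challenges.discard(client_data["challenge"])
        return True


class Authenticator:
    """The user's OTP app plus hardware key, sharing secrets with the relying party."""

    def __init__(self, rp):
        self.otp_seed = rp.otp_seed
        self.key = rp.authenticator_key
        self.otp_counter = 0

    def next_otp(self):
        code = make_otp(self.otp_seed, self.otp_counter)
        self.otp_counter += 1
        return code

    def assert_login(self, challenge, origin):
        # In WebAuthn the browser, not the page or the user, fills in `origin` from the
        # address bar, so a page cannot claim to be a site it is not.
        client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
        return {"client_data": client_data,
                "signature": sign_client_data(self.key, client_data)}


def otp_login_via(page_origin, rp, authenticator):
    """User types the code into whatever page is in front of them; the page forwards it.
    Nothing in the code records where it was typed, so the RP cannot tell the difference."""
    code = authenticator.next_otp()           # page_origin plays no part in verification
    return rp.verify_otp(code)


def fido_login_via(page_origin, rp, authenticator):
    """The page obtains a genuine challenge, the browser has the key sign it together with
    the page's real origin, and the RP checks that origin before accepting."""
    challenge = rp.new_challenge()
    assertion = authenticator.assert_login(challenge, page_origin)
    return rp.verify_assertion(assertion)


if __name__ == "__main__":
    rp, key = RelyingParty(), None
    key = Authenticator(rp)
    print("OTP on genuine page:  ", otp_login_via(LEGIT_ORIGIN, rp, key))
    print("OTP on look-alike:    ", otp_login_via(PHISH_ORIGIN, rp, key))
    print("FIDO on genuine page: ", fido_login_via(LEGIT_ORIGIN, rp, key))
    print("FIDO on look-alike:   ", fido_login_via(PHISH_ORIGIN, rp, key))
```

The two `verify_*` methods are the point of the example: `verify_otp` has no origin to check, so a relayed code is indistinguishable from a legitimate one, while `verify_assertion` rejects anything whose signed origin is not the relying party’s own. A real WebAuthn server additionally checks the RP ID hash and signature counter in the authenticator data and verifies the signature with the credential’s registered public key; this toy model omits those details.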
How we handled a recent phishing incident that targeted Dropbox
Dropbox discloses breach after hacker stole 130 GitHub repositories (BleepingComputer)
This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice.