Colonial Pipeline Incident Sparks 'Help Desk' Phishing Attacks

Premiums
Researchers have discovered a new phishing campaign designed to spread ransomware and steal data by capitalizing on interest in the recent Colonial Pipeline outage.

Security vendor Inky spotted the malicious emails and said several Microsoft 365 customers were targeted.

Emails were spoofed to appear as if sent from the recipient’s “Help Desk.” Recipients were instructed to click a malicious link to download a critical “ransomware system update” that would supposedly protect their organization from the same fate as Colonial Pipeline.

“The malicious emails were sent from newly created domains (ms-sysupdate.com and selectivepatch.com) controlled by cyber-criminals. The domain names, sufficiently plausible to appear legitimate, were nonetheless different enough so that garden variety anti-phishing software would not be able to use regular expression matching to detect their perfidy,” explained VP of security strategy, Roger Kay.

“Both domains were registered with NameCheap, a registrar popular with bad actors. Its domains are inexpensive, and the company accepts Bitcoin as payment for hosting services (handy for those trying to remain anonymous). The malicious links in the emails belonged to — surprise — the same domain that sent the emails.”

The download itself is, in fact, Cobalt Strike — a legitimate pen-testing tool often used in ransomware attacks and data exfiltration and which could be used in this instance to control targeted systems.

Anti-phishing software must be used to mitigate the risks posed by such attacks, in conjunction with well-thought-out policies, such as IT teams never asking employees to download certain file types, Kay concluded.
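The signals described above (a sender posing as the internal help desk from an outside domain, links that point back to that same unfamiliar domain, and a link that downloads an executable) can be checked directly in mail triage. The following is an added example, not code from Inky or from the article; the organization domains, the sender local part, the URL path and both sample messages are constructed for illustration.

```python
"""Heuristic triage for 'Help Desk' impersonation emails (added example).

Flags the three signals the article describes:
  1. a help-desk style display name sent from a domain the organization does not own,
  2. links whose domain matches that external sender domain (or any non-org domain),
  3. links that download a file type IT policy never pushes by email.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organization's own mail/web domains (hypothetical values).
ORG_DOMAINS = {"example.com", "mail.example.com"}
# Display names a genuine IT sender would use and attackers borrow.
IMPERSONATED_ROLES = ("help desk", "helpdesk", "it support", "service desk")
# File types the IT policy says are never delivered to staff via an emailed link.
BLOCKED_EXTENSIONS = (".exe", ".msi", ".scr", ".js", ".hta", ".vbs", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_identity(from_header):
    """Return (lower-cased display name, lower-cased sender domain)."""
    name, addr = parseaddr(from_header)
    return name.lower(), addr.rpartition("@")[2].lower()


def links_in(body):
    """Yield (url, hostname) for every http(s) link in a plain-text body."""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        yield url, host.lower()


def triage(raw_email):
    """Return a list of human-readable findings; an empty list means no signal fired."""
    msg = message_from_string(raw_email)
    name, sender_dom = sender_identity(msg.get("From", ""))
    body = msg.get_payload()
    findings = []
    # Signal 1: internal-sounding role, external domain.
    if any(role in name for role in IMPERSONATED_ROLES) and sender_dom not in ORG_DOMAINS:
        findings.append(f"help-desk display name from external domain {sender_dom}")
    for url, host in links_in(body):
        # Signal 2: link leaves the organization's domains.
        if host not in ORG_DOMAINS:
            findings.append(f"link to non-org domain {host}")
        # The article's pattern: links belong to the very domain that sent the mail.
        if host == sender_dom and sender_dom not in ORG_DOMAINS:
            findings.append("link domain equals external sender domain")
        # Signal 3: the link hands the user an executable.
        if urlparse(url).path.lower().endswith(BLOCKED_EXTENSIONS):
            findings.append(f"link downloads blocked file type: {url}")
    return findings


# Constructed sample messages. The sender domain is the one named in the article;
# the local part, recipient and URL path are invented for the example.
PHISH_SAMPLE = (
    'From: "Help Desk" <support@ms-sysupdate.com>\n'
    "To: user@example.com\n"
    "Subject: Critical ransomware system update\n"
    "\n"
    "Install the update now: http://ms-sysupdate.com/update/patch.exe\n"
)
BENIGN_SAMPLE = (
    'From: "Help Desk" <helpdesk@example.com>\n'
    "To: user@example.com\n"
    "Subject: Password portal maintenance\n"
    "\n"
    "The self-service portal is back: https://mail.example.com/portal\n"
)

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample) or "no findings")
```

The regular-expression point in the article is why the check keys on relationships (role vs. domain, link domain vs. sender domain, file type) rather than on the domain strings themselves: a newly registered look-alike domain will not be on any blocklist, but it still fails these checks.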

In related news, it has been reported that the DarkSide group responsible for the attack on Colonial Pipeline may have breached the critical infrastructure organization via a single compromised password.

A Mandiant VP working on the case reportedly claimed that the VPN account log-in allowed remote attackers to infiltrate the company’s network, even though the account was no longer in use at the time. The credential was subsequently found on the dark web, meaning it may have been previously reused across multiple accounts.
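The reported entry point, a VPN account that was still enabled although nobody used it any more, is the kind of thing a periodic dormant-account audit catches. The following is an added example and not part of the article or of Mandiant's work; the account export format, the field names, the 90-day threshold and the sample records are all constructed assumptions.

```python
"""Dormant VPN account audit (added example).

Given an export of VPN accounts, report every account that is still enabled but
has never logged in, has not logged in within the dormancy window, or belongs
to someone who is no longer an active employee. Those are the accounts that
remain usable by anyone who obtains the password.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumption: policy window

# Constructed sample export; the field names are hypothetical.
VPN_ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_login": date(2021, 4, 28), "active_employee": True},
    {"user": "contractor07", "enabled": True, "last_login": date(2020, 11, 2), "active_employee": False},
    {"user": "legacy-svc", "enabled": True, "last_login": None, "active_employee": True},
    {"user": "rsmith", "enabled": False, "last_login": date(2020, 6, 1), "active_employee": False},
]


def dormant_accounts(accounts, today, dormant_after=DORMANT_AFTER):
    """Return [(user, reason)] for enabled accounts that should be disabled or reviewed."""
    flagged = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; a leaked password for it is harmless
        last = acct["last_login"]
        if last is None:
            reason = "never used"
        elif today - last > dormant_after:
            reason = f"no login for more than {dormant_after.days} days"
        elif not acct["active_employee"]:
            reason = "owner is no longer an active employee"
        else:
            continue  # recently used by a current employee
        flagged.append((acct["user"], reason))
    return flagged


if __name__ == "__main__":
    for user, reason in dormant_accounts(VPN_ACCOUNTS, date(2021, 5, 10)):
        print(f"{user}: {reason}")
```

Run against a real export, the output is a disable list rather than a report: an account nobody has used in months has no business being able to authenticate to the VPN at all.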