Top 5 Email Security Threats

Nearly 95 percent of all successful attacks on enterprise networks targeted organizations’ users through email. With the cybersecurity industry evolving so rapidly, hackers are constantly changing their tactics, making it almost impossible to keep up.
With today’s growing threat landscape, email is one of the most common attack vectors used by cyber criminals. What started off as spam sent to your junk folder has evolved into a more robust tactic for delivering destructive content straight to your inbox. Here are the top five email security threats we’ve seen so far this year:
Emotet Banking Trojan
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans, and it continues to be among the most costly and destructive malware affecting governments and the private and public sectors. Emotet can evade most signature-based detection, and because it is virtual-machine aware, it generates false indicators when run in a sandbox. Additionally, Emotet has several methods for maintaining persistence, including auto-start registry keys and services, and it uses Dynamic Link Libraries (DLLs) to continuously update and evolve its capabilities.
Initial infection occurs when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate across the local network through one of its built-in spreader modules. The consequences of an Emotet infection can include temporary or permanent loss of sensitive proprietary information, disruption of regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.
Ursnif Banking Malware
A new version of the infamous banking Trojan Ursnif appeared again earlier this year, in June. This malware is well known in the cyber security community and was the most active malware code in the financial sector from the end of 2016 into early 2017. It is capable of stealing users’ credentials, including credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.
Once Ursnif infects a new machine, it attempts to spread to other users in the address books of the compromised email accounts. It tricks the victim into opening the malicious email because the message is presented as a reply to an existing conversation the victim took part in previously. For example, if you receive an email that is a reply to a conversation from a while back, look at the “To:” field and check whether the reply was sent to a large number of unsuspecting users.
Another feature of this malware is its ability to keep track of company names and title the malicious document “VICTIM_COMPANY_.doc” in order to look legitimate. Once the victim clicks Enable Macros, the second stage of the infection process begins: a malicious script downloads and executes a payload from a server controlled by the attackers. Once installed, Ursnif can operate without being noticed by either the user or the operating system.
Extortion Campaign
Extortion campaigns have been around for quite some time, but one in full swing across the globe this year used a clever twist to trick unsuspecting users into paying a ransom. The attacker behind this campaign claims to have installed malware on your system and to have used your webcam to record you watching porn. The attacker then threatens to release this video to everyone in your contacts unless you pay a Bitcoin ransom.
The basic premise of this type of extortion attempt has been around for quite some time, but the addition of a username/password combination in the subject line has unsuspecting users worried. While researching this campaign, Nuspire’s Security Analytics Team (SAT) came across multiple reports from affected users stating that the username/password combination was one they had used eight years ago. In this case, the attacker has partially automated the attack with a script that pulls usernames and passwords directly from a data breach that happened eight years ago. Therefore, every victim whose password was compromised in that breach is now receiving the same email at the address they used to sign up for the breached website.
Hopefully, if you were affected by that data breach, you have since updated your username/password combination. Granted, this attack directly affects the people who didn’t bother changing this information, but rest assured the attacker does not have a recording of you to send to your contacts. It is merely a scare tactic to make some easy money, and upon investigation of multiple Bitcoin addresses associated with this campaign, the attacker was indeed making easy money.
This attack could evolve in the future to use more recent data breaches, which in turn could scare more users into paying the ransom, so be on the lookout.
GandCrab Ransomware
GandCrab holds the top spot in ransomware, partly because it’s used by the Magnitude botnet. Although GandCrab is usually spread via spam email, it has recently been distributed via compromised websites, and it now appends the .KRAB extension to encrypted files.
Towards the end of April 2018, a campaign with the subject line “Your Order #{Random Digits}” was circulating. The body of the email contains little content, and the attached ZIP file includes a Word document with malicious macros that download and execute GandCrab ransomware.
GandCrab is under constant development, with new versions released at an aggressive pace. Its basic functionality is well documented and matches typical ransomware behaviour: encrypting files and appending the .KRAB extension, changing the user’s desktop background, and leveraging Tor for communications. One of the more interesting elements of GandCrab is its use of Namecoin domains for Command and Control (C2) communication. These are easily identified by the .bit top-level domain (TLD). Since attackers rely heavily on Tor and Namecoin domains to evade identification, it is a no-brainer for them to use a decentralized DNS service that does not rely on a central authority. This also makes it harder to shut the domains down and to identify those behind them.
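Because the .bit TLD is not served by the ICANN root, the query itself is the signal worth hunting for in resolver logs. The following is an added example, not code from the original post or from Nuspire: it scans a constructed resolver-log sample (the four-column line format is an assumption) and flags every query whose final label is a decentralized TLD, matching on the last label only so that names such as orbit.example.com or bit.example.com are not false positives.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed resolver-log sample for this example (not data from the original post).
# Assumed line format: "<timestamp> <client IP> <queried name> <record type>".
SAMPLE_DNS_LOG = """\
2018-08-15T10:22:31Z 10.0.0.5 www.microsoft.com A
2018-08-15T10:22:32Z 10.0.0.5 orbit.example.com A
2018-08-15T10:22:33Z 10.0.0.9 c2-update.bit A
2018-08-15T10:22:34Z 10.0.0.9 bit.example.com AAAA
2018-08-15T10:22:35Z 10.0.0.12 Payment-Server.BIT. A
2018-08-15T10:22:36Z 10.0.0.9 gate.bit TXT
"""

# TLDs served by decentralized (blockchain) naming rather than the ICANN root.
# .bit (Namecoin) is the one the post names; extend this set for your environment.
DECENTRALIZED_TLDS = {"bit"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def tld_of(qname: str) -> str:
    """Lower-cased last label of a query name; tolerates a trailing dot."""
    labels = [label for label in qname.lower().rstrip(".").split(".") if label]
    return labels[-1] if labels else ""


def find_decentralized_tld_queries(log_text: str, tlds=DECENTRALIZED_TLDS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, name) for every query whose TLD is in `tlds`.

    Only the final label is compared, so 'orbit.example.com' and
    'bit.example.com' are left alone while 'Payment-Server.BIT.' is flagged.
    """
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unexpectedly formatted lines
        qname = m.group("qname")
        if tld_of(qname) in tlds:
            hits.append((m.group("ts"), m.group("client"), qname.lower().rstrip(".")))
    return hits


def hits_per_client(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count flagged queries per source IP so the noisiest host surfaces first."""
    return dict(Counter(client for _, client, _ in hits))


if __name__ == "__main__":
    found = find_decentralized_tld_queries(SAMPLE_DNS_LOG)
    for ts, client, name in found:
        print(f"{ts} {client} queried {name}")
    print(hits_per_client(found))
```

A normal public resolver answers a .bit query with NXDOMAIN, so the lookup failing is not reassuring: the attempt is what matters, and a host that bypasses the corporate resolver to reach an external DNS server for such names deserves the same attention.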
Office 365 Phishing
By the end of Q2 2018, Microsoft had taken over the top spot from Facebook as the number one target of corporate phishing attacks. The reason is that compromising an Office 365 account is highly profitable for hackers. They see email-based attacks as an easy entry point to data, files, and contacts in other Office 365 apps, including SharePoint, OneDrive, Skype, Excel, and CRM.
We see all kinds of phishing attempts, from quite possibly the worst attempts to exact replicas of a legitimate Office 365 login page. Unfortunately, phishing will always exist and can slip through the gaps in email filtering because new domains and URLs hosting fake login pages pop up every day. This is where user awareness training is extremely important. Educate your users, and roll out training exercises in which employees are sent simulated phishing emails, so you can see who clicks on them and who doesn’t. Because phishing has become so popular, education will pay off in the long run.
Aside from training and educating employees about malware and ransomware that might arrive through a user’s email, there are a few other solutions worth considering that can prevent these attacks from entering your network.

  1. Use antivirus programs with behavior-based and heuristic detection capabilities, with automatic updates of signatures and software on clients and servers.
  2. Implement a spam filter to filter out known malspam indicators such as malicious subject lines, and block suspicious and blacklisted IPs.
  3. Mark external emails with a banner denoting that they come from an external source; this will assist users in detecting spoofed emails.
  4. Implement a block policy for file attachments commonly associated with malware, such as .dll and .exe, and for attachments that cannot be scanned by antivirus, such as .zip files.
  5. Implement Domain-based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
  6. Implement a solution that can send unknown or suspicious files to a sandbox for further investigation and analysis.
  7. Most importantly, train employees on social engineering and phishing. Urge employees not to open suspicious emails, click links contained in such emails, or post sensitive information online.
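Items 3, 4 and 5 of the list above, together with the Ursnif “reply sent to a large number of users” check described earlier, can all be expressed as gateway-side checks on a parsed message. The following is an added example, not code from the original post or from Nuspire: it uses Python’s standard `email` library on a constructed sample message (the internal domain example.com, the banner text, the extension sets, the 20-recipient threshold and the empty base64 ZIP payload are all assumptions) and returns a verdict a mail filter could act on. The DMARC helper only parses a record string; fetching the real `_dmarc.<domain>` TXT record over DNS is left out.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from typing import Dict, List

# All settings below are assumptions for this example; adapt them to your environment.
INTERNAL_DOMAINS = {"example.com"}
EXTERNAL_BANNER = "[EXTERNAL] This message originated outside the organization."
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr"}        # item 4: executable content
UNSCANNABLE_CONTAINERS = {".zip", ".rar", ".7z"}     # item 4: AV cannot look inside
MASS_REPLY_THRESHOLD = 20                            # Ursnif-style reply-chain lure

# Constructed sample message (not from the original post). The attachment is an
# empty ZIP archive, base64 encoded, so nothing here is executable.
SAMPLE_RAW_MESSAGE = """\
From: "Accounts" <billing@vendor-invoices.test>
To: alice@example.com
Subject: Your Order #482913
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Please see the attached order.
--BOUNDARY
Content-Type: application/zip; name="order_482913.zip"
Content-Disposition: attachment; filename="order_482913.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--BOUNDARY--
"""


def sender_is_external(msg: EmailMessage) -> bool:
    """Item 3: anything not sent from an internal domain gets the banner."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def attachment_findings(msg: EmailMessage) -> List[str]:
    """Item 4: report attachments whose extension is blocked or unscannable."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type {ext}: {name}")
        elif ext in UNSCANNABLE_CONTAINERS:
            findings.append(f"unscannable container {ext}: {name}")
    return findings


def looks_like_mass_reply(msg: EmailMessage) -> bool:
    """The Ursnif check: a 'Re:' subject addressed to a large number of recipients."""
    subject = msg.get("Subject", "").strip().lower()
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return subject.startswith("re:") and len(recipients) >= MASS_REPLY_THRESHOLD


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(txt: str) -> str:
    """Item 5: 'none', 'quarantine' or 'reject'; 'invalid' if not a DMARC record."""
    tags = parse_dmarc_record(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    return tags.get("p", "none").lower()


def evaluate_message(raw: str) -> Dict[str, object]:
    """Combine the checks into a verdict a mail gateway could act on."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = attachment_findings(msg)
    if looks_like_mass_reply(msg):
        findings.append("reply-style subject sent to many recipients")
    external = sender_is_external(msg)
    return {
        "external": external,
        "banner": EXTERNAL_BANNER if external else None,
        "findings": findings,
        "action": "quarantine" if findings else "deliver",
    }


if __name__ == "__main__":
    print(evaluate_message(SAMPLE_RAW_MESSAGE))
    print(dmarc_policy("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"))
```

The extension match is deliberately on the declared filename only; a production gateway should also inspect the content type and the file’s magic bytes, since a renamed .exe or a ZIP hiding a macro-enabled document defeats a name-only rule. A DMARC record that parses as `p=none` gives reporting but no enforcement, which is the case to flag when reviewing your own domain.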

About the Author
Shawn Pope is the Cyber Security Engineer of Nuspire Networks, a state-of-the-science managed network security provider for some of the largest and most distinctive companies around the world.