Cyber Security Firm Warns That Attackers Are Using the Notoriety of the Colonial Pipeline Attack for Phishing Campaigns
Attackers routinely use high-profile news events to lure people into opening malicious emails and clicking links. The cybersecurity company INKY reports that it has recently received numerous alerts from customers about suspicious emails. The emails reference the ransomware attack on Colonial Pipeline and invite recipients to download "ransomware system updates" to protect their organization from a similar fate.
Convincing look-alike sites
The malicious links lead to websites with plausible names, ms-sysupdate.com and selectivepatch.com, both newly created and registered through NameCheap. According to INKY, the links point back to the same domain that sent the emails.
The attackers made the fake websites even more convincing by building them with the logo and images of the targeted company. A download button on the page drops a file named "Ransomware_Update.exe", a Cobalt Strike payload, onto the user's computer.
In March, Red Canary's "2021 Threat Detection Report" listed Cobalt Strike as the second most frequently detected threat. The INKY report adds that Talos Intelligence found it involved in 66% of all ransomware attacks in Q4 2020.
Attackers playing on people's nerves
Bukar Alibe, a data analyst at INKY, says the phishing campaign emerged just weeks after news broke that Colonial Pipeline had paid the ransomware group DarkSide millions of dollars to restore its systems.
"In this context, the 'phishers' tried to exploit people's anxiety by offering them a software update that would 'fix' the problem through a highly targeted email that uses language and design that could plausibly be that of the recipient's business," writes the analyst. "All the recipient had to do was click the big blue button, and the malware would be injected."
In addition to exploiting the fear generated by ransomware, the attackers made the emails and fake websites appear to come from the victim's own company, giving them additional apparent legitimacy, the analyst adds.
Because the domains were newly registered, they had no reputation history, which let the emails slip past many phishing detection systems.
More phishing campaigns to expect
INKY's blog post suggests questions to ask of any such email: "If it appears to have been sent by the company itself (e.g., HR, IT, or finance), is it actually from a company-controlled mail server? If it looks like a letter from the HR or IT departments but deviates from the norm, then that's a signal," the blog post reads.
Bukar Alibe urges IT teams to tell employees that they will never be asked to download certain types of files, because these phishing emails exploit employees' desire to do the right thing by following purported security guidance. The analyst notes that the campaign targeted two companies and anticipates more such attacks to come.
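The sender-origin check quoted above, together with the newly-registered-domain and executable-download signals the article describes, can be turned into a small triage script. The following Python is an added example written for this page, not INKY's tooling or a reproduction of the actual campaign emails: the company domain, both sample messages and the registration-date table are constructed, and the heuristic goes slightly beyond the article by also flagging links whose domain age is unknown.

```python
import email
import re
from datetime import date
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed defending organisation's domain (made up for this example).
COMPANY_DOMAIN = "acme-corp.example"

# Constructed registration dates standing in for a WHOIS/RDAP or domain-age
# feed lookup; these dates are invented, not real registration records.
DOMAIN_REGISTERED = {
    "acme-corp.example": date(2009, 3, 1),
    "ms-sysupdate.com": date(2021, 5, 20),
}
TODAY = date(2021, 6, 1)          # pinned so the example is reproducible
NEW_DOMAIN_DAYS = 30              # anything younger counts as "newly registered"
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".hta", ".js")

# Constructed lure modelled on the one the article describes: branded
# "IT department" sender, newly registered sending domain, executable link.
SAMPLE_LURE = """\
Return-Path: <it-support@ms-sysupdate.com>
From: "Acme IT Department" <it-support@acme-corp.example>
To: jane.doe@acme-corp.example
Subject: Urgent: ransomware system update required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>After the Colonial Pipeline ransomware attack, all staff must install
the ransomware system update today.</p>
<a href="https://ms-sysupdate.com/Ransomware_Update.exe">Download update</a>
</body></html>
"""

# Constructed benign internal mail for comparison.
SAMPLE_BENIGN = """\
Return-Path: <hr@acme-corp.example>
From: "Acme HR" <hr@acme-corp.example>
To: jane.doe@acme-corp.example
Subject: Updated holiday calendar
Content-Type: text/html; charset="utf-8"

<html><body><p>The holiday calendar has been updated.</p>
<a href="https://acme-corp.example/intranet/holidays.html">View calendar</a>
</body></html>
"""


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def analyze(raw_message, today=TODAY):
    """Return a list of (code, detail) findings; an empty list means no signal."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    findings = []

    # The quoted check: it looks like it came from the company, but did it
    # actually leave a company-controlled mail server?
    if from_domain == COMPANY_DOMAIN and envelope_domain != COMPANY_DOMAIN:
        findings.append(("envelope_mismatch",
                         f"From {from_domain} but envelope sender "
                         f"{envelope_domain or 'missing'}"))

    body = msg.get_content()
    for url in re.findall(r'href="(https?://[^"]+)"', body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host != COMPANY_DOMAIN:
            findings.append(("external_link", host))
        registered = DOMAIN_REGISTERED.get(host)
        if registered is None:
            findings.append(("unknown_domain_age", host))
        elif (today - registered).days < NEW_DOMAIN_DAYS:
            age = (today - registered).days
            findings.append(("new_domain", f"{host} registered {age} days ago"))
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(("executable_download", parsed.path))
    return findings


def is_suspicious(raw_message, today=TODAY):
    return bool(analyze(raw_message, today))


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(sample))
```

Two caveats for anyone adapting this: Return-Path is written by the receiving MTA from the SMTP envelope, so in a real gateway the robust version of the "company-controlled mail server" check is DMARC alignment read from the Authentication-Results header, not the Return-Path comparison used here; and a fresh-domain rule on its own will also flag legitimate new vendors, so treat each finding as a signal to be scored or reviewed rather than a verdict.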
“We wouldn’t be surprised to see attackers use the recent Nobelium-USAID phishing campaign as bait,” warns Bukar Alibe.