Archive for the ‘Spear Phishing’ Category
Attackers suspected of working for the Russian government masqueraded as a US State Department official in an attempt to infect dozens of organizations in government, military, defense contracting, media, and other industries, researchers from security firm FireEye warned on Monday.
The spear-phishing campaign began last Wednesday. This is almost exactly two years after the Russian hacking group known under a variety of monikers, including APT29 and Cozy Bear, sent a similar barrage of emails that targeted many of the same industries, FireEye said in a blog post. The tactics and techniques used in both post-election campaigns largely overlap, leading FireEye to suspect the new one is also the work of the Russian-government-controlled hacking arm. FireEye researchers Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, and Nick Carr wrote:
Analysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year. Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity. For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.
At least 38 FireEye clients have been targeted so far in the spear-phishing campaign, Carr told Ars. The emails purport to deliver an official US State Department document from a known public-affairs official at the same US agency. The messages were designed to appear as a secure communication hosted on a webpage linked to the official’s personal drive. To appear even more legitimate, the message delivers a genuine State Department form.
Federal prosecutors on Tuesday unsealed charges that accused two Chinese government intelligence officers and eight alleged co-conspirators of conducting sustained computer intrusions into 13 companies in an attempt to steal designs for a turbofan engine used in commercial jetliners.
A 21-page indictment filed in US District Court in the Southern District of California said the Jiangsu Province Ministry of State Security, an arm of the People’s Republic of China’s Ministry of State Security, directed the five-year campaign. According to the indictment, between January 2010 and May 2015 the team allegedly used a wide range of methods to break into the computer networks of companies involved in aerospace and turbine manufacturing and in Internet and technology services. Their primary goal was stealing data that would allow a Chinese government-owned company to design its own jetliner. With the exception of Capstone Turbines, a Los Angeles-based gas turbine maker, the targeted companies weren’t identified by name and were referred to only as companies A through L.
"Members of the conspiracy targeted, among other things, data and information related to a turbofan engine used in commercial jetliners,” prosecutors wrote in the superseding indictment. “At the time of the intrusions, a Chinese state-owned aerospace company was working to develop a comparable engine for use in commercial aircraft manufactured in China and elsewhere.” The indictment continued:
Hackers from the Syrian Electronic Army (SEA) have earned a place on the FBI’s Most Wanted List.
The US Department of Justice and the Federal Bureau of Investigation (FBI) are offering a $100,000 reward for information that leads to the arrest of the leaders of the infamous hacking group Syrian Electronic Army.
On Tuesday, the DoJ unsealed charges against three suspected members of the
Every week, or even every day, we all see emails from our banks, credit card issuers, or insurance companies asking us to urgently click on a link because of a compromised account or to download an important notice. Even worse, we all have friends or relatives who have sent a cool video or file that we MUST check out. I hate to admit it, but I’ve known people in the security space who have fallen victim to this kind of attack, let alone non-security-aware users. That’s the danger of Spear Phishing. The attacker uses a spoofed email address designed to look like it’s coming from a source the victim trusts, to trick them into opening a malicious attachment, clicking a malicious link, or visiting a malicious website, with the intent of gaining insight into confidential data and/or gaining access to the victim’s organization. Attackers have evolved their techniques over the last several years: reconnaissance and social engineering tactics often help produce content and wording that make the delivery email more believable to the victim. To make malicious executables even harder to spot, the attachments are often delivered in a common file format (zip, rtf, doc, xls).
According to the latest Verizon Data Breach Investigation Report, for two years running more than two-thirds of incidents in the Cyber-Espionage pattern have featured phishing as a component of a multi-staged attack. Wired Magazine cites an even higher figure: 91% of all attacks employ phishing or spear-phishing techniques. At RSA, we are seeing that the initial spear-phishing email isn’t used to elicit a single piece of user information, but to let attackers establish persistence on user devices, set up camp, and continue their stealthy march inside the network. We are all too familiar with this attack vector, since it was disclosed as part of our 2011 breach; we understand and take Spear Phishing very seriously. Making matters worse, the median time to first click is only one minute, 22 seconds across all campaigns. That doesn’t give IT departments much time to warn users.
A motivated attacker can get a weaponized file past traditional email security solutions or inline network inspection such as IDS/IPS, because these tools rely on pattern and signature matching and are easily blinded by deliberate obfuscation of attachments and by embedding unique code that known patterns cannot catch. To respond effectively to spear-phishing attacks, defenders must maximize visibility into each stage of the attack lifecycle, so that they understand both the delivery mechanism and the infection (i.e., whether the user fell for it); that requires full visibility into network, endpoint, and user activity.
The ability to reconstruct the entire email session, and to extract and analyze every attachment, is crucial to understanding the scope of the attack. Extracting the initial malicious payload gives investigators an invaluable starting point for deep analysis of potentially malicious files. The only way to truly determine whether an end user fell victim, and to understand the full scope of the attack, is deep visibility into the endpoint and across the network that does not rely on signature-based anti-virus solutions (a motivated attacker can easily evade AV).
RSA’s Advanced Security Operations Center solution provides the visibility into the network and endpoints to shine a light on this all too often successful attack technique. We understand the dangers, have learned from the past, and know that our solution can stand up against the most sophisticated Spear Phisher. Learn more.
The post Catching Phish with a Spear: Familiarity Breeds Contempt appeared first on Speaking of Security – The RSA Blog and Podcast.