New Phishing Campaign Impersonating IRS to Distribute the "Emotet" Malware
Researchers have identified a new phishing campaign impersonating the Internal Revenue Service (IRS) that sends fraudulent W-9 tax forms carrying the "Emotet" malware. Emotet has historically been distributed through malicious Microsoft Word and Excel documents in a variety of themed phishing campaigns, typically timed to coincide with holidays or business activities that occur at specific times of the year. However, since macros became blocked by default in Office documents, the malware operators have begun shifting their distribution method to Microsoft OneNote files containing embedded scripts. In this latest campaign, the operators use an "IRS Tax Forms W-9" theme and claim that the sender of the phishing emails is an "inspector" from the IRS. Attached to the emails is a ZIP archive titled "W-9 form.zip" containing a malicious Word document that is over 500 megabytes (MB) in size, a padding technique intended to bypass antivirus engines that behave differently for large files. Additional researchers observed another phishing campaign capitalizing on the tax season lure to impersonate business partners of the recipients. The operators of this campaign have been using OneNote attachments that, once opened, pretend to be protected and prompt the victim to click a "view" button, which executes VBScript code. Once launched, the script downloads and executes Emotet. Additional details of the latest Emotet phishing campaign can be viewed in the report linked below.
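One way a mail gateway or triage script can spot the padded-document trick described above, as an added example that is not from the report or from any vendor tool: read only the ZIP central directory and flag members whose stored size is large but whose compressed size is a tiny fraction of it, since null-byte padding compresses almost to nothing. The thresholds and the sample archive are constructed for this example.

```python
import io
import zipfile

# Constructed thresholds for this example (not values from the report): flag a
# member that inflates past min_bytes but compresses to under max_ratio of that.
DEFAULT_MIN_BYTES = 100 * 1024 * 1024   # 100 MB
DEFAULT_MAX_RATIO = 0.01                # compressed / uncompressed


def inflated_members(zip_bytes, min_bytes=DEFAULT_MIN_BYTES, max_ratio=DEFAULT_MAX_RATIO):
    """Return (name, uncompressed_size, compressed_size) for members that look padded.

    Only the ZIP central directory is read; nothing is extracted, so a padded
    document or a zip bomb costs no memory to triage.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size >= min_bytes and info.compress_size <= info.file_size * max_ratio:
                hits.append((info.filename, info.file_size, info.compress_size))
    return hits


def build_sample_archive(pad_bytes=8 * 1024 * 1024):
    """Constructed sample: an OLE2 magic header followed by null-byte padding,
    packed next to a normal small file. The padding mimics the inflation
    technique; this is not a real W-9 lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("W-9 form.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * pad_bytes)
        zf.writestr("cover letter.txt", b"Please find the requested form attached.")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    # Lower the size floor to 1 MB so the 8 MB sample triggers the heuristic.
    for name, raw, packed in inflated_members(sample, min_bytes=1024 * 1024):
        print(f"inflated attachment: {name} ({raw} bytes unpacked, {packed} bytes in archive)")
```

In production the default 100 MB floor keeps ordinary large documents from being flagged; the sample is kept small only so the demonstration runs quickly.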
Threat Actor Activity
Threat Profile: Dark Power
A new ransomware group has made its presence known in the threat landscape by compromising ten (10) victims in a short period of time. The group calls itself Dark Power and is believed to have been operational since late January 2023, according to compile-time data from its ransomware encryptor. Dark Power actors follow the trend set by several ransomware gangs of practicing double extortion: exfiltrating and encrypting the victim's data, then posting the exfiltrated data to their leak site if ransom demands are not met. Ransom demands uncovered to this point average $10,000, which is significantly lower than those of major players in the ransomware scene. Thus far, victims of Dark Power appear to operate in countries across the globe, including Algeria, Egypt, France, Turkey, the United States, and several others. So far, these actors have compromised at least ten (10) organizations across several industries, such as education, IT services, food production, healthcare, and manufacturing. An interesting tactic, technique, and procedure (TTP) of the group is that, rather than using text files to display ransom notes, Dark Power drops a PDF document that shows the ransom demand, a qTox contact for negotiations, and an onion address for the victim's leak page. Overall, given the variety of locations and industries Dark Power is targeting, the group appears to compromise entities opportunistically rather than focusing on a specific country or industry, suggesting it is eager to make a name for itself. Observed indicators of compromise (IOCs) can be viewed in the report linked below. CTIX continues to track threat actor activity worldwide and will provide additional updates accordingly.
Critical Microsoft Outlook Zero-day Vulnerability Under Active Exploitation
Microsoft has published step-by-step guidance for detecting and blocking an actively exploited critical zero-day vulnerability affecting Microsoft Outlook. The guidance shows administrators how to identify indicators of compromise (IOCs) to ascertain whether they have already been compromised, as well as how to detect active attack attempts and defend their servers from future exploitation of this flaw. The vulnerability, tracked as CVE-2023-23397, is an escalation of privilege flaw that causes privileged Net-NTLMv2 hashes to leak without any user interaction. An attacker triggers the leak simply by sending a maliciously crafted email to a vulnerable Outlook instance; the leaked hashes can then be collected, weaponized, and relayed to other services in NTLM relay attacks. Successful exploitation allows the threat actor to manipulate the victim's session and authenticate as the victim by "sending messages with extended MAPI properties containing UNC paths to attacker-controlled SMB shares." The pilfered credentials can be used for lateral movement, as well as for changing mailbox folder permissions in vulnerable Outlook instances, allowing the attackers to redirect sensitive emails from targeted accounts to their own command-and-control (C2) infrastructure. Microsoft has attributed the exploitation of this flaw to "a Russia-based threat actor," and other researchers believe it could be APT28 (STRONTIUM, Sednit, Sofacy, and Fancy Bear). CTIX analysts urge all Outlook and Exchange administrators to ensure that the guidance in the linked advisory is strictly followed to prevent their networks from being compromised.
- Bleeping Computer: CVE-2023-23397 Article
- GBHackers On Security: CVE-2023-23397 Article
- Microsoft: CVE-2023-23397 Guidance
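The hunting logic Microsoft's guidance describes boils down to one check: does a message carry an extended MAPI reminder-sound property whose value is a UNC path to a host outside the organization? The following is an added example, not code from Microsoft or from the linked articles; it assumes the message properties have already been exported into plain dictionaries (the PidLidReminderFileParameter name is the documented MAPI property, while the subjects, paths and hosts are constructed, with 203.0.113.0/24 being a documentation address range).

```python
import re

# Constructed sample: subject and PidLidReminderFileParameter value (the documented
# MAPI reminder-sound property) of four exported messages. All values are made up.
SAMPLE_MESSAGES = [
    {"subject": "Q1 planning", "PidLidReminderFileParameter": None},
    {"subject": "Overdue invoice", "PidLidReminderFileParameter": r"\\203.0.113.10\sounds\alert.wav"},
    {"subject": "Daily standup", "PidLidReminderFileParameter": r"C:\Windows\Media\ring.wav"},
    {"subject": "File server notice", "PidLidReminderFileParameter": r"\\?\UNC\fs01.corp.example\media\ping.wav"},
]

# Matches \\host\share... and the long-path form \\?\UNC\host\share...
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)\\", re.IGNORECASE)


def remote_reminder_host(value, internal_hosts=frozenset()):
    """Return the host a reminder-sound path points at, or None if the path is
    empty, local, or on an allow-listed internal host."""
    if not value:
        return None
    match = UNC_RE.match(value)
    if not match:
        return None
    host = match.group(1).lower()
    return None if host in internal_hosts else host


def flag_messages(messages, internal_hosts=frozenset()):
    """Return (subject, host) for every message whose reminder-sound property
    would make Outlook authenticate to a non-allow-listed host."""
    flagged = []
    for msg in messages:
        host = remote_reminder_host(msg.get("PidLidReminderFileParameter"), internal_hosts)
        if host:
            flagged.append((msg["subject"], host))
    return flagged


if __name__ == "__main__":
    # Hypothetical allow list: the one file server that may legitimately host sounds.
    for subject, host in flag_messages(SAMPLE_MESSAGES, {"fs01.corp.example"}):
        print(f"review message {subject!r}: reminder path points at {host}")
```

A non-empty result is a lead for incident response, not proof of compromise; the allow list should hold only hosts that are actually expected to serve reminder sounds.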
Norwegian Sailors Sound a Warning About Cyberattacks on the High Seas
Researchers with seafaring backgrounds are sounding the alarm about cyberattacks on ships and the catastrophic outcomes that compromised shipboard computers could produce. While no official incidents have been reported, many strange, unexplained events have been occurring on ships recently. Cyberattacks on the supply chain and shipping industry have become common, as they are valuable targets for both financial and geopolitical purposes. Ships themselves therefore pose a significant risk, given that their central role in shipping and supply makes them critical targets, with additional escalatory risks for those working in energy, oil, gas, agriculture, and more. Some suspected attacks include jamming a ship's GPS to cause unintentional entry into unauthorized waters, spoofing AIS (Automatic Identification System) broadcasts so that one ship's signal appears at the location of another ship, or potentially hacking a ship's rudder to make it run aground. The scarcity of publicly acknowledged cyberattacks at sea does not necessarily point to an absence of cyberattacks but rather to the lack of official reporting in the shipping industry, where crew members handle these suspected cyberattacks the same way they would a typical maritime technical issue. Researchers at the Norwegian University of Science and Technology (NTNU) want to raise awareness among ship owners, their crews, and seafarers at large about the real-world implications that cyberattacks could have on ships, while highlighting how tightly a ship's Operational Technology (OT) and Information Technology (IT) are connected, meaning malware on the IT side can directly affect the OT. Maritime security and IT personnel should be prepared to handle the physical consequences that can arise from compromised IT and should strengthen their ship's security to further deter attackers.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.