Hackers Focus on Supply Chain Attacks

Friday, August 4, 2017 @ 05:08 PM gHale

The Cobalt attack group is now using supply chain attacks to target an organization’s partners, researchers said.

The group has traditionally attacked banks, but it also goes after other industries such as manufacturing, and its lures pose as financial regulators or raise security topics to trick victims into opening malicious attachments and revealing information, said researchers at Positive Technologies.


The group is targeting banks, financial exchanges, insurance companies, investment funds, and other financial organizations, the researchers said.

Attackers use phishing messages disguised as mailings from financial regulators and employ various types of malicious attachments, including malicious documents or ZIP archives packing executables or shortcut files.

The hackers were among the first to have access to the latest version of the Microsoft Word Intruder 8 exploit builder, which allowed them to create files exploiting CVE-2017-0199, a vulnerability patched in April, researchers said in a blog post.

The group also abuses poorly protected public websites as hosting for the files it drops onto victims' computers, and delivers its phishing messages to both the corporate and the personal addresses of targeted employees.

Last year, the group was targeting financial institutions in Eastern Europe, Central Asia, and Southeast Asia, but the target list expanded in 2017 to include North America, Western Europe, and Argentina.

Around 75 percent of the targeted organizations are in the financial sector, the researchers said, and within that sector the group has broadened its scope beyond banks to financial exchanges, investment funds, and lenders.

Financial institutions are not the only area the attackers are focusing on as they also go after manufacturing, government, telecom/Internet, service providers, entertainment, and healthcare organizations.

“Cobalt attacks government organizations and ministries in order to use them as a stepping stone for other targets,” Positive Technologies researchers said.

The phishing emails typically contain a malicious attachment either meant to fetch a dropper from a remote server or containing the dropper in a password-protected archive.
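Attachment triage for the delivery methods described in the paragraphs above (ZIP archives packing executables or shortcut files, and droppers shipped inside password-protected archives). This is an added example, not code from Positive Technologies or from the article; the attachment names and their contents are constructed sample data, and the extension lists are an assumed policy. It flags executable and shortcut members, double-extension decoys such as "Payment_details.pdf.exe", and encrypted members that a mail gateway cannot inspect. Because the standard library cannot write password-protected archives, the encrypted sample is produced by setting the encryption flag bit in the member's central-directory record.

```python
"""Triage mail attachments for the Cobalt-style delivery patterns above."""
import io
import struct
import zipfile

# Member or attachment types that have no business arriving as "documents"
# (assumed policy; extend to taste).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".wsf", ".hta", ".dll"}
SHORTCUT_EXTENSIONS = {".lnk", ".url"}
# Extensions used as decoys in double-extension names ("Report.pdf.exe").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def _extension(name):
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def classify_name(name):
    """Finding string for a risky file name, or None if the name looks benign."""
    ext = _extension(name)
    if ext in EXECUTABLE_EXTENSIONS:
        kind = "executable"
    elif ext in SHORTCUT_EXTENSIONS:
        kind = "shortcut"
    else:
        return None
    stem = name.lower().rsplit("/", 1)[-1][:-len(ext)]
    if _extension(stem) in DOCUMENT_EXTENSIONS:
        kind += "-double-extension"
    return f"{kind}:{name}"


def triage_attachment(filename, data):
    """Return a list of findings for one attachment (name plus raw bytes)."""
    findings = []
    direct = classify_name(filename)
    if direct:
        findings.append(direct)
    # Walk ZIP containers (OOXML documents are ZIPs too and are walked harmlessly).
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    # General-purpose flag bit 0 marks an encrypted member: the
                    # gateway cannot inspect it, so the archive itself is suspect.
                    if info.flag_bits & 0x1:
                        findings.append(f"encrypted-member:{info.filename}")
                    inner = classify_name(info.filename)
                    if inner:
                        findings.append(inner)
        except zipfile.BadZipFile:
            findings.append("malformed-zip")
    return findings


def make_zip(members):
    """In-memory ZIP from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_member_encrypted(data, name):
    """Set the encryption flag on one member's central-directory record.

    Sample-data helper: the standard library cannot write password-protected
    archives, so this patches the general-purpose bit flag (offset 8 of the
    'PK\\x01\\x02' record) the way a real encrypted member carries it.
    """
    buf = bytearray(data)
    pos = buf.find(b"PK\x01\x02")
    while pos >= 0:
        name_len = struct.unpack_from("<H", buf, pos + 28)[0]
        if buf[pos + 46:pos + 46 + name_len] == name.encode():
            flags = struct.unpack_from("<H", buf, pos + 8)[0]
            struct.pack_into("<H", buf, pos + 8, flags | 0x1)
            return bytes(buf)
        pos = buf.find(b"PK\x01\x02", pos + 4)
    raise ValueError(f"no member named {name!r}")


def sample_attachments():
    """Constructed attachments mimicking the lures described in the article."""
    return {
        "Regulator_circular_2017.docx": make_zip({"word/document.xml": b"<w:document/>"}),
        "Regulation_update.zip": make_zip({"Regulation_update.lnk": b"L\x00\x00\x00"}),
        "Payment_details.zip": make_zip({"Payment_details.pdf.exe": b"MZ..."}),
        "Secure_docs.zip": mark_member_encrypted(
            make_zip({"Secure_docs.exe": b"MZ..."}), "Secure_docs.exe"),
        "Invoice.scr": b"MZ...",
    }


def triage_all():
    """Map each sample attachment name to its findings."""
    return {name: triage_attachment(name, data)
            for name, data in sample_attachments().items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name:30} {findings or 'clean'}")
```

The encrypted case is the one worth noting operationally: the archive's content cannot be scanned, so the finding rests on the flag alone, and a policy that quarantines or detonates password-protected archives is what closes that gap rather than better signatures.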

The group first uses phishing emails with forged sender information to compromise a specific organization that partners with banks, then starts “sending phishing messages from these partners’ infrastructures using the hacked accounts and mail servers of real employees,” researchers said. As a result, recipients are likely to trust the sender, which increases the chances of a successful infection.

“The attackers carefully choose subject lines, recipient addresses, and attachment names that will ‘fly below the radar’ so that recipients open the attachments enclosed with phishing messages,” the researchers said.

“The Cobalt group has been quick to react to banks’ protective measures,” Positive Technologies researchers said. “When spam filters on mail servers began to block most of the group’s phishing emails, which contained forged sender information, the attackers changed techniques. Now they actively use supply chain attacks to leverage the infrastructure and accounts of actual employees at one company, in order to forge convincing emails targeting a different partner organization. This tactic has already been used by other attackers, such as when the infrastructure of M.E.Doc was used to spread the NotPetya virus, which blocked workstations at a large number of major companies.”
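The technique change the researchers describe, stated as the sender check a receiving mail gateway would run. This is an added example, not code from Positive Technologies or from the article; the two messages are constructed samples and the domains (regulator.example, partner.example, mailer.attacker.example) and the partner list are placeholders. It computes DMARC-style alignment of the From domain against the SPF and DKIM results the gateway recorded in its own Authentication-Results header (RFC 8601): the forged-sender lure fails, while a message relayed through a compromised partner's real mail server and account passes cleanly and inherits the partner's trust.

```python
"""Sender-authentication alignment check for the two phishing waves above."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed list of organizations the receiving bank trusts as partners.
PARTNER_DOMAINS = {"partner.example"}


def _domain(value):
    """Lower-cased domain of an address or bare domain ('' if absent)."""
    _, address = parseaddr(value or "")
    return address.rpartition("@")[2].lower()


def _aligned(from_domain, auth_domain):
    """DMARC-style relaxed alignment: same domain or a subdomain of it."""
    if not from_domain or not auth_domain:
        return False
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def check_sender(raw_message):
    """Classify one message's sender using only its headers."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    # Authentication-Results is written by our own gateway, not by the sender.
    auth = " ".join(msg.get_all("Authentication-Results", []))

    def field(key):
        match = re.search(key + r"=([^\s;]+)", auth)
        return match.group(1).lower() if match else ""

    spf_ok = (field("spf") == "pass"
              and _aligned(from_domain, _domain(field(r"smtp\.mailfrom"))))
    dkim_ok = (field("dkim") == "pass"
               and _aligned(from_domain, field(r"header\.d")))
    if spf_ok or dkim_ok:
        verdict = "authenticated-partner" if from_domain in PARTNER_DOMAINS else "authenticated"
    else:
        verdict = "forged-sender"
    return {
        "from_domain": from_domain,
        "envelope_mismatch": envelope_domain != from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "verdict": verdict,
    }


# Constructed sample 1: first-wave lure with forged sender information.
FORGED_REGULATOR_LURE = """\
Return-Path: <bounce@mailer.attacker.example>
From: "Financial Regulator" <notices@regulator.example>
To: treasury@bank.example
Subject: New reporting requirements, action required
Authentication-Results: mx.bank.example; spf=fail smtp.mailfrom=mailer.attacker.example; dkim=none
Content-Type: text/plain

Please review the attached circular.
"""

# Constructed sample 2: second-wave mail sent from a real employee's hacked
# account through the partner's own mail server.
COMPROMISED_PARTNER_MAIL = """\
Return-Path: <jane.doe@partner.example>
From: "Jane Doe" <jane.doe@partner.example>
To: treasury@bank.example
Subject: RE: updated payment details
Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example
Content-Type: text/plain

Updated file attached, as discussed.
"""


def triage_messages():
    """Run the sender check over both constructed samples."""
    return {
        "forged_regulator_lure": check_sender(FORGED_REGULATOR_LURE),
        "compromised_partner_mail": check_sender(COMPROMISED_PARTNER_MAIL),
    }


if __name__ == "__main__":
    for label, result in triage_messages().items():
        print(label, result["verdict"], result)
```

The second verdict is the caveat a defender should take from this: SPF, DKIM and DMARC answer "did this really come from partner.example?", and for a hacked account the honest answer is yes. Mail that authenticates as a trusted partner therefore needs the same attachment inspection and content controls as anything else, plus anomaly signals that header authentication cannot supply, such as a partner account suddenly mailing unusual recipients with archives or shortcut files.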
