[BreachExchange] Hackers use Colonial pipeline ransomware news for phishing attack

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jun 4 16:55:09 EDT 2021


https://www.zdnet.com/article/hackers-use-colonial-pipeline-ransomware-news-for-phishing-attack/

Cyberattackers are now using the notoriety of the Colonial Pipeline
ransomware attack to leverage further phishing attacks, according to the
findings of a cybersecurity company.

It is common for attackers to use widely-covered news events to get people
to click on malicious emails and links, and cybersecurity firm INKY said it
recently received multiple helpdesk emails about curious emails their
customers were receiving.

INKY customers reported receiving emails that discuss the ransomware attack
on Colonial Pipeline and ask them to download "ransomware system updates"
in order to protect their organization from a similar fate.

The malicious links take users to websites with convincing names --
ms-sysupdate.com and selectivepatch.com -- both of which are newly created
and registered with NameCheap. The same domain that sent the emails also
controlled the links, INKY explained in a blog post.

The people behind the attack were able to make the fake websites look even
more convincing by designing them with the logo and images from the target
company. A download button on the page downloads a "Cobalt Strike" file
onto the user's computer called "Ransomware_Update.exe."

In March, Red Canary's 2021 Threat Detection Report listed "Cobalt Strike"
as the second most frequently detected threat and the INKY report notes
that Talos Intelligence found it was involved in 66% of all ransomware
attacks in Q4 of 2020.

Bukar Alibe, data analyst for INKY, said they began to see the phishing
attack just a few weeks after news broke that the pipeline paid millions to
the REvil ransomware group in order to restore the company's systems.

"In this environment, phishers tried to exploit people's anxiety, offering
them a software update that would 'fix' the problem via a highly targeted
email that used design language that could plausibly be the recipient's
company's own," Alibe wrote. "All the recipient had to do was click the big
blue button, and the malware would be injected."

In addition to capitalizing on the fear around ransomware, the attackers
made the emails and fake website look like they came from the user's own
company, giving them an air of legitimacy, Alibe added.

The attackers were also able to get past many anti-phishing systems by using
newly registered domains that had no prior reputation.

"If it looks as if it was sent by the company itself (e.g., from HR, IT or
Finance), does it in fact originate from an email server under the
company's control? If it looks like the HR or IT Departments but deviates
from the norm, that should be a flag," the blog post said.

Alibe urged IT teams to notify employees that they will "not be asked to
download certain file types" because these kinds of phishing emails seek to
exploit employees' desire to do the right thing by following purported
security guidelines. Alibe noted that the attack was targeted toward two
companies and said IT teams should expect more attacks along the same
lines.

"We would not be surprised if we see attackers use the recent
Nobelium-USAID phishing campaign as a lure," Alibe said.
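As an added illustration of the checks the blog post recommends (example code, not INKY's or ZDNet's): a small triage function that flags a mail claiming to come from IT or HR but sent from a domain the company does not control, links that sit on the sender's own or a newly registered domain, and links that serve an executable. The company domain, the domain-age table and the sample message are constructed for the example; the two lure domains are the ones named in the article.

```python
"""Triage heuristics for 'internal IT update' phishing lures (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the (hypothetical, constructed) company actually controls.
COMPANY_DOMAINS = {"example-corp.com"}
# Registration age in days, as a WHOIS/registrar feed would supply it.
# The domain names are from the article; the ages are constructed.
NEW_DOMAIN_AGE_DAYS = {"ms-sysupdate.com": 3, "selectivepatch.com": 5}
# Case-sensitive on purpose: a lowercase "it" in a subject is not a department.
INTERNAL_ROLE_WORDS = re.compile(r"\b(IT|HR|Finance|Helpdesk|Security Team)\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EXEC_EXT = (".exe", ".msi", ".scr", ".bat")

def triage(raw_message: str, max_age_days: int = 30) -> list[str]:
    """Return a list of findings for a plain-text RFC 822 message; empty means clean."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # 1. Does a mail that looks internal actually come from a company domain?
    if INTERNAL_ROLE_WORDS.search(display_name + " " + msg.get("Subject", "")) \
            and sender_domain not in COMPANY_DOMAINS:
        findings.append(f"claims internal sender but From domain {sender_domain!r} "
                        "is not company-controlled")

    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        # 2. Sender's own domain also hosts the link (attacker controls both).
        if host == sender_domain and host not in COMPANY_DOMAINS:
            findings.append(f"link {url} is on the sender's own domain")
        # 3. Link host was registered only days ago.
        age = NEW_DOMAIN_AGE_DAYS.get(host)
        if age is not None and age <= max_age_days:
            findings.append(f"link host {host} registered {age} days ago")
        # 4. The 'update' is a raw executable download.
        if url.lower().endswith(EXEC_EXT):
            findings.append(f"link serves an executable: {url.rsplit('/', 1)[-1]}")
    return findings

# Constructed sample modelled on the lure described in the article.
SAMPLE = """\
From: IT Department <it-support@ms-sysupdate.com>
To: staff@example-corp.com
Subject: Action required: ransomware system update

Following the Colonial Pipeline incident, install the update below today.
https://ms-sysupdate.com/downloads/Ransomware_Update.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

The sample message trips all four checks; a mail from a company-controlled domain with links on that same domain produces no findings.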