Threat actors continue to target email systems worldwide to exfiltrate confidential information from organizations or to get their hands on individuals’ PII (personally identifiable information), which they can use for various malicious purposes, such as selling it on the dark web for profit or corporate espionage. This post discusses the latest incidents that organizations should treat as lessons for improving their email security infrastructure.
Iranian Atomic Energy Agency Discloses Email Hack
The Atomic Energy Organization of Iran (AEOI) recently blamed an unnamed “foreign country” for stealing and leaking sensitive internal emails. The operation had earlier been attributed to an Iranian hacktivist group, Black Reward, which posted the stolen AEOI documents online after failing to force Tehran into releasing political prisoners.
A translated publication claimed the data leak was carried out in the name of Mahsa Amini, the 22-year-old Iranian arrested by the morality police because she wore her headscarf ‘incorrectly.’ Her death triggered a wave of violent protests against the hard-line Iranian regime, which continue to this day.
Black Reward claims the stolen documents include nuclear agreements with foreign partners, nuclear development contracts, logistics and construction plans concerning nuclear industries, passport details of Russian and Iranian specialists working in the Bushehr power plant, and operational and technical reports.
If the documents are genuine, Western intelligence agencies and journalists will find them valuable. However, the AEOI tried to play down the involvement of local hacktivists in the incident, referring to it as “unauthorized access from another foreign country.”
“We must note that the user emails’ content contains technical messages and daily exchanges,” it said in a statement confirming the hack. “Thus, it is obvious that such illegal efforts, carried out of desperation, are to attract public attention, create psychological operations and media atmospheres, and lack any other value.”
92 Malicious Domains linked to BEC Group Crimson Kingsnake
A business email compromise (BEC) group called ‘Crimson Kingsnake’ was recently spotted impersonating well-known international law firms and tricking recipients into paying overdue invoices. A technical write-up by Abnormal, the cloud email security platform, says that 92 malicious domains impersonating 19 debt collection agencies and law firms across the US, Australia and the UK were identified and attributed to the cybercriminals.
“The group, called Crimson Kingsnake, impersonates law firms, real attorneys, and debt recovery services to trick accounting professionals into paying bogus invoices,” the firm wrote. “Crimson Kingsnake targeted organizations throughout the United States, Australia, Europe and the Middle East.”
Abnormal further added that, like most BEC threat actors, the group is industry-agnostic, meaning it does not explicitly target organizations in specific sectors. “We conducted active defense engagements with the group and collected intelligence suggesting some of the threat actors related with the group might be UK based,” reads the advisory. The Crimson Kingsnake attacks started with emails impersonating real law firms and attorneys and referencing an overdue payment.
“To add legitimacy to their messages, the group uses email addresses hosted on domains resembling the target’s actual domain,” Abnormal said. “They set the sender’s display name to the attorney they are impersonating, with the firm’s actual company address in the email signature.”
Sean McNee, CTO at DomainTools, says that BEC attacks are a lucrative business for attackers, and the newest trend is impersonating third parties. “Criminals are hijacking the relationships organizations have with their suppliers, especially those sharing highly sensitive data and invoicing large amounts,” McNee added.
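The two tricks Abnormal describes, a lookalike sender domain and a display name copied from a real attorney, are both visible in the From header. The following is an added example, not code from the original post or from Abnormal, showing one way an accounting team’s mail filter could score a From header against an allow-list of known counterparties; the firm name and domains are hypothetical.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: display names the accounting team expects to see and
# the one domain each of those people legitimately sends from.
# (Hypothetical attorney and firm, not from the original post.)
KNOWN_SENDERS = {
    "jane doe": "example-law-firm.com",
}

# Above this ratio two domains are treated as visually confusable
# (one swapped, dropped or added character in a long domain scores ~0.95).
LOOKALIKE_THRESHOLD = 0.8


def domain_similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two domains look, case-insensitive."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def classify_from_header(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'display-name-spoof' or 'unknown'.

    'lookalike'          -> known name, domain resembles the real one
    'display-name-spoof' -> known name, domain unrelated to the real one
    'unknown'            -> display name is not on the allow-list at all
    """
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected is None:
        return "unknown"
    if domain == expected:
        return "trusted"
    if domain_similarity(domain, expected) >= LOOKALIKE_THRESHOLD:
        return "lookalike"
    return "display-name-spoof"


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane@example-law-firm.com>",
                "Jane Doe <jane@example-lawfirm.com>",
                "JANE DOE <jane@mail.example.net>",
                "Bob <bob@anything.example>"):
        print(f"{hdr:45} -> {classify_from_header(hdr)}")
```

Anything scored `lookalike` or `display-name-spoof` is a candidate for holding the message and verifying the invoice out of band, which is the control that defeats this kind of BEC regardless of how convincing the signature block is.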
Hackers Impersonate CircleCI and Breach Dropbox, Compromising 130 GitHub Repositories
Dropbox recently disclosed a data breach involving cybercriminals stealing code from 130 repositories after gaining unauthorized access to a GitHub account through employee credentials obtained in a phishing attack.
The cloud storage giant added that it discovered the breach on October 14, after GitHub notified it about suspicious activity the previous day. “In early October, multiple users received phishing emails targeting GitHub accounts. The threat actors impersonated CircleCI (a user can use their GitHub credentials and log in to CircleCI).” The Dropbox team added that while some of the emails were automatically quarantined, others landed in Dropboxers’ inboxes.
“The emails, which looked legitimate, directed users to visit a fake CircleCI login page and enter their GitHub credentials. Furthermore, the users had to enter their hardware authentication key for passing a One-Time Password (OTP) to the malicious site.” Having captured these, the threat actors gained access to Dropbox’s GitHub organizations, from which they copied 130 code repositories.
Dropbox believes the cybercriminals behind the attack are the same who targeted GitHub users in September. In the attack, they impersonated CircleCI (the code integration and delivery platform), which Dropbox uses for select internal deployments. “The threat actor did not have access to the contents of any user’s Dropbox account, their payment information or passwords,” the company clarified.
New StrelaStealer Malware Steals Thunderbird, Outlook Account Information
Threat actors are actively using a new information-stealing malware called ‘StrelaStealer’ to steal email account credentials from Thunderbird and Outlook, two widely used email clients. The malware’s behavior differs from most info-stealers, which collect data from many sources, such as browsers, cloud gaming apps, cryptocurrency wallet apps and the clipboard. Analysts at DCSO CyTec discovered the previously unknown malware, reporting that it first targeted Spanish-speaking users in early November 2022.
How does the malware infect the systems?
- StrelaStealer arrives on the target’s system through email attachments (ISO files with varying content).
- In one example, the ISO contained an executable (‘msinfo32.exe’) that sideloaded the bundled malware through DLL search order hijacking.
- In another case seen by the analysts, the ISO contained an HTML file (‘x.html’) and an LNK file (‘Factura.lnk’). The x.html file is interesting because it is a polyglot: a single file that is treated as a different format depending on which application opens it.
- Once the malware is loaded into memory, the default browser opens a decoy document so that the attack looks less suspicious.
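Because every variant in the chain above starts with an ISO attachment, a cheap gateway check is to flag disk images before they reach a mailbox, identifying them by content rather than trusting the file extension. The following is an added example, not code from DCSO CyTec or the original post; the sample message it builds is constructed for the demonstration and the sender and recipient addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

ISO_MAGIC_OFFSET = 0x8001          # byte after the type field of the first
ISO_MAGIC = b"CD001"               # ISO 9660 volume descriptor (sector 16)
ISO_EXTENSIONS = (".iso", ".img")


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 identifier at sector 16."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def suspicious_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) pairs for disk-image attachments.

    Checks the extension first, then the content independently, so an image
    renamed to look like a document (e.g. 'Factura.pdf') is still caught.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(ISO_EXTENSIONS):
            findings.append((name, "disk-image extension"))
        elif looks_like_iso(payload):
            findings.append((name, "ISO 9660 signature under a different name"))
    return findings


def build_sample_message(filename: str, payload: bytes) -> bytes:
    """Constructed test email with one attachment (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Factura"
    msg.set_content("Adjunto la factura.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


# Constructed stand-in for an ISO: zeros up to sector 16, then the volume
# descriptor type byte 0x01 followed by 'CD001'. Real images are far larger.
FAKE_ISO = b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x01"

if __name__ == "__main__":
    print(suspicious_attachments(build_sample_message("Factura.iso", FAKE_ISO)))
    print(suspicious_attachments(build_sample_message("Factura.pdf", FAKE_ISO)))
```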
Thus, even as organizations invest in robust cybersecurity solutions, threat actors keep raising their game. Email authentication policies like DMARC are therefore crucial in today’s working environment. Implementing an effective email security strategy may seem complicated and overwhelming, but done well it integrates with existing workflows and processes and keeps your endpoints protected.