Security News

The Necurs botnet, a large and well-known spam originator, has become synonymous with cybercrime. Its spam-sending capabilities, through a botnet of a few million infected devices, are frequently dedicated to vast campaigns that deliver banking malware, cryptojacking malware, ransomware and a variety of email scams sent to millions of recipients in each run.

IBM X-Force monitors Necurs activity and recently discovered yet another face of this malspam volcano. This time, Necurs is spewing geotargeted emails designed to threaten and extort payment from those who may have been watching adult movies or possibly having an extramarital affair.

Of course, this spam campaign is yet another wide-cast net from Necurs: the attackers have no idea whether the person they reached actually does any of these things, but the odds appear to pay off anyway. Like other phishing and social engineering scams, it is a numbers game.

Over 30,000 IPs Spewing an Extortion Scam

In Necurs spam campaigns that started around mid-September, X-Force detected millions of emails sent to recipients in different countries, essentially from the same set of malicious IPs and with similar content.

The emails came from over 30,000 different IP addresses, 70 percent of which were dynamic IPs. The attackers demanded that victims pay in bitcoin to one of more than 500 unique wallets. The campaign came in the spikes of activity typical of Necurs, more marked midweek and again over the weekend.

Necurs’ cybercrime campaigns are typically linked with well-known cybercrime gangs, such as the operators of the Dridex malware, TrickBot, Locky and Monero miners, to name a few. In this case, however, the scammers have little more than a creative email that they send around before waiting for the cash to come in. All they are using here is social engineering.

Email content examined by X-Force researchers revealed a number of repeating formats in which the sender falsely claimed to have malware-based control of the recipient’s email accounts and computer. The attackers went on to allege that they had infected adult sites with tracking malware and filmed the victim through his or her webcam while watching content on a supposedly compromised site.

To keep the matter secret, the senders demanded that money be sent to them in bitcoin, asking for an amount between $250 to $550. If they were not paid, the attackers threatened to distribute the supposed video recording to the victim’s contact list, family, co-workers and friends.

In another version of the scam, the attackers claim they have knowledge about an extramarital affair the recipient is engaged in and threaten to send supposed proof of the affair to the victim’s spouse, family, friends and co-workers.

In all cases, the sender has no control of the recipient’s device or webcam, and the entire ploy is a sham. But to make the recipient believe otherwise, the spammers added a twist: the value of the “From” header field is set equal to the “To” header field, which appears to confirm that the blackmailer has access to the victim’s account or computer. The SMTP envelope sender and recipient (“SMTP-From” and “SMTP-To”, i.e., MAIL FROM and RCPT TO) are set to that same address as well. None of these values is authenticated, so a sender can set them to anything; the “Received” headers added by the receiving mail servers still record the real originating IP, which in this campaign is one of the botnet’s 30,000-plus sending addresses rather than the victim’s own mail provider.
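
The following is an added example, not X-Force’s code, of how a mail gateway or analyst script can catch this trick: it parses a constructed sextortion message and a constructed internal message (both invented for this illustration), compares the header From, To and Return-Path, and pulls the originating IP from the earliest Received header. The relay list `TRUSTED_RELAYS`, the sample addresses and the IPs are assumptions.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample of the trick: From, To and the envelope sender all carry
# the recipient's own address, but the first-hop Received header shows the
# message entered from an outside, unknown host.
SEXTORTION_SAMPLE = b"""Return-Path: <victim@example.de>
Received: from example.de (unknown [198.51.100.23])
\tby mx.example.de (Postfix) with ESMTP id 4A1B2C3D
\tfor <victim@example.de>; Tue, 18 Sep 2018 09:12:44 +0000
From: victim@example.de
To: victim@example.de
Subject: Ihr Konto wurde gehackt
Content-Type: text/plain; charset=utf-8

Ich habe Sie ueber Ihre Webcam gefilmt. Zahlen Sie 0.1 BTC innerhalb
von 48 Stunden an 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa.
"""

# Constructed legitimate internal mail for comparison.
INTERNAL_SAMPLE = b"""Return-Path: <alice@example.de>
Received: from mail.example.de (mail.example.de [192.0.2.10])
\tby mx.example.de (Postfix) with ESMTP id 5E6F7A8B
\tfor <bob@example.de>; Tue, 18 Sep 2018 09:13:01 +0000
From: Alice <alice@example.de>
To: Bob <bob@example.de>
Subject: Meeting

See you at 10.
"""

# Hosts that are allowed to inject mail for our own domain (constructed list).
TRUSTED_RELAYS = {"192.0.2.10", "192.0.2.11"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def bare_address(value):
    """Lower-cased address part of a header value ('' if absent)."""
    return parseaddr(str(value or ""))[1].lower()


def origin_ip(msg):
    """IP of the host that first handed the message to us.

    Received headers are prepended at each hop, so the earliest hop is the
    last one in the list; with a single trusted MX that is the true source.
    """
    for header in reversed(msg.get_all("Received") or []):
        match = IP_RE.search(str(header))
        if match:
            return match.group(1)
    return None


def analyze(raw, trusted_relays=TRUSTED_RELAYS):
    """Return the header findings and a verdict for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = bare_address(msg["From"])
    recipient = bare_address(msg["To"])
    envelope = bare_address(msg["Return-Path"])
    ip = origin_ip(msg)
    findings = {
        "from_equals_to": bool(sender) and sender == recipient,
        "envelope_equals_from": bool(envelope) and envelope == sender,
        "origin_ip": ip,
        "external_origin": ip is not None and ip not in trusted_relays,
    }
    # The claim "I sent this from your own account" collapses when the message
    # reached our MX from a host that is not one of our own relays.
    findings["verdict"] = (
        "suspicious"
        if findings["from_equals_to"] and findings["external_origin"]
        else "ok"
    )
    return findings


if __name__ == "__main__":
    for label, sample in (("sextortion", SEXTORTION_SAMPLE), ("internal", INTERNAL_SAMPLE)):
        print(label, analyze(sample))
```

A production check should walk the Received chain only as far as your own trusted MXs, because hops before that can be forged by the sender; the same reasoning is what SPF and DMARC mechanize against the envelope sender and the header From.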

How Necurs Tailors Its Spam to Recipients’ Local Language

This time, unlike previous campaigns, Necurs is spreading spam in different languages. To deliver the message in the correct language, the email variant is chosen according to the top-level domain (TLD) of the recipient’s webmail address. So if the domain is .co.uk, for example, the email will be sent in English, and if the domain is .fr, it will be sent in French.

While the campaign included versions of this scam in seven different languages, the overwhelming majority of emails were sent in German and ended up in X-Force spam honeypots when recipient email addresses had a .de or .ch TLD.

Languages touched by this campaign so far include:

  • Arabic;
  • English;
  • French;
  • German;
  • Italian;
  • Japanese; and
  • Korean.

The researchers were somewhat surprised to see Arabic, Japanese and Korean on the list, since those languages are harder to machine-translate and are rarely targeted by international crooks.

The French email was written by someone who is likely a French speaker, and not translated online like the English version, for example. It could be indicative of some of those involved originating in Europe and possibly collaborating with counterparts in other parts of the world.

Victims Pay Up in Bits

It is unusual to be able to judge the success of a spam campaign from the outside. Security researchers rarely have access to metrics of how many people opened a malicious email, how many went to the phishing site or how many ended up paying the criminals. In this case, however, there is a way to get a general idea because the attackers used bitcoin wallet addresses.

In all, X-Force saw 500 bitcoin addresses used in this campaign; however, most emails indicated the same few wallets while others were rarely used. It was therefore possible to look up the miscreants’ financial profits via services such as BitRef that enable researchers to check bitcoin wallet balances. While we did not check every wallet, we did want to see if the attackers were getting any money.

We spot-checked the top 20 bitcoin addresses used in the campaign. As an example, one of the addresses that appeared in over 3 million email messages sent to German recipients amassed 0.52 BTC, which was equal to about $3,300 as of September 20, 2018. That wallet never got any more money and stopped receiving coins on September 19.

The amount of bitcoin contained in only the 20 main wallets totals about $50,000. Some wallets are still actively receiving coins. Most wallets show some withdrawals of the coins, bringing them to zero, which means the attackers have been removing the coins to another wallet or cashing them out.
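
As an added example (not X-Force’s tooling), the offline half of that check: pull bitcoin-address candidates out of a corpus of email bodies, drop the ones that fail the Base58Check checksum (typos, truncated strings and regex false positives that would otherwise waste balance lookups), and rank the rest by frequency so that only the top wallets need to be looked up in a service such as BitRef. The email bodies are constructed; the two valid addresses are the well-known outputs of bitcoin blocks 0 and 1, standing in for the scammers’ wallets, and the third is a copy with its last character altered.

```python
import hashlib
import re
from collections import Counter

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (Base58Check) addresses start with 1 or 3; the class excludes 0, O, I and l.
CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![A-Za-z0-9])")

# Constructed spam bodies. The first two addresses are the block-0 and block-1
# coinbase outputs (valid); the last is the block-0 address with 'a' changed to 'b'.
SAMPLE_EMAILS = [
    "Zahlen Sie 0.1 BTC an 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa innerhalb 48 Stunden.",
    "Zahlen Sie 0.1 BTC an 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa innerhalb 48 Stunden.",
    "Send $350 in bitcoin to 12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX within 48 hours.",
    "Zahlen Sie 0.1 BTC an 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb innerhalb 48 Stunden.",
]


def b58decode(text):
    """Decode a Base58 string to bytes; raises ValueError on a bad character."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # index() raises ValueError
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for a leading zero byte (e.g. the P2PKH version byte).
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def is_valid_btc_address(text):
    """Base58Check test: version + hash160 + first 4 bytes of double-SHA256."""
    try:
        data = b58decode(text)
    except ValueError:
        return False
    if len(data) != 25:
        return False
    payload, checksum = data[:21], data[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def rank_wallets(bodies):
    """Count how often each checksum-valid address appears across the corpus.

    Returns (Counter of valid addresses, list of rejected candidates).
    """
    valid, rejected = Counter(), []
    for body in bodies:
        for candidate in CANDIDATE_RE.findall(body):
            if is_valid_btc_address(candidate):
                valid[candidate] += 1
            else:
                rejected.append(candidate)
    return valid, rejected


if __name__ == "__main__":
    ranked, bad = rank_wallets(SAMPLE_EMAILS)
    for address, hits in ranked.most_common():
        print(f"{hits:>4}  {address}")
    print("rejected (bad checksum or not Base58):", bad)
```

The checksum step matters because a scammer’s template with a mangled address still shows up in the corpus, and a balance query on it returns nothing useful; the frequency ranking is what turns 500 addresses into the 20 worth spot-checking.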

Phishing Is Phishing — Don’t Take the Bait

October is National Cyber Security Awareness Month (NCSAM) in the U.S., making it a great opportunity to remind employees, family and friends to polish up on some information security basics, especially those related to email.

Put simply, you should always avoid opening unsolicited email. This can minimize the opportunity to fall for a social engineering scam. These communications are carefully crafted to lure people to take action, especially if they trigger an emotional reaction such as fear, urgency or, in this case, embarrassment.

You should also enable email filtering on your accounts to prevent most spam from getting through. Keep your devices clear of malware, run an up-to-date antivirus program and, if ever in doubt, have them examined by a professional.

If possible, use a separate device for online banking and other activities that involve the transfer of sensitive information. In general, adult content websites are known for high traffic and therefore are often a target for cybercriminals, which helped lend this scam some added credibility.

Visit the X-Force Exchange to learn more about this campaign. For tips to keep yourself safe from online scams and malware, check out the FBI’s Internet Crime Complaint Center (IC3) and StaySafeOnline.

 

The information contained in this website is for general information purposes only. The information is gathered from Security Intelligence. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

 

While vastly different from their IT counterparts, operational technology environments share common risks and best practices.

Our nation’s critical infrastructure and the industrial control networks that manage them are under constant threat from a host of malicious actors — including nation-states, politically or financially motivated hackers, insiders, and disgruntled ex-employees.

Unfortunately, most industrial control system (ICS) networks share a common weakness: they were built before today’s cyber threats existed and were not designed with built-in controls against external attackers.

A breach of an ICS network can be disastrous and expensive. Consequences range from physical and environmental damage and costly downtime for manufacturing processes to putting lives at risk. In addition, a breach can bring heavy fines from regulators and lawsuits from parties claiming injury or damage, and it can also shake shareholder confidence.

Given these stakes, let’s consider the five most common threats to ICS networks and how to reduce the risk associated with them.

 

Risk 1. Poor Network Configuration
The weaker the configuration, the greater the likelihood of a successful attack. For example, once a control device has been exposed to the Internet through a poor configuration, both phases of a breach can happen from the outside: the attacker gains a foothold in the network and then reaches and exploits a sensitive asset.

Mitigation: ICS devices should never be directly connected to the Internet. Strict network segmentation should be implemented, and the integrity of that segmentation should never be sacrificed for the sake of convenience.

Risk 2: No Audit Trail
An audit trail is essential for understanding what’s going on in any network. However, logging mechanisms in some ICS environments do not exist or are incomplete. In many cases, security teams lack the knowledge of operational technologies (OT) to know how to collect logs or where to look for them.

Mitigation: Basic record-keeping is crucial for both the incident response and the forensic investigation of an attack. It is also required for any type of regulatory compliance audit. This begins with understanding the limitations of the environment — what data is being monitored and collected, and what isn’t. One hundred percent visibility, monitoring, and control should be the goal, including the collection and aggregation of all logs.

Most ICS networks have components that generate an audit trail, but too often these capabilities are underutilized. All incidents should be automatically reported to the security incident response team, logged, and correlated via a real-time audit mechanism.

Risk 3: Lack of Control
Many ICS environments do not have basic controls for managing assets that are considered table stakes in IT networks. As a result, security hygiene in OT networks is often an afterthought and lacking in the following ways:

  • Patches can’t be easily deployed and usually aren’t.
  • There’s no centralized, up-to-date inventory of assets, configurations, software versions, patch levels, etc.
  • Internal security policies are not monitored or enforced.
  • The security model is based on an “if it works, better not mess with it” paradigm.

Mitigation: Implementing a centralized and automated asset management capability for OT networks is crucial. Without an up-to-date and accurate inventory of ICS assets, especially the controllers responsible for managing physical processes, it is virtually impossible to assess risks, apply patches, and detect unauthorized changes and activity.

Risk 4: Employee Ignorance
Just as in IT environments, employees pose a significant risk to OT network security. Phishing attacks, social engineering and risky browsing behaviors all threaten to punch a hole that attackers can exploit to compromise the IT network, the OT network or both via lateral movement.

Mitigation: Security training, network segmentation, and multifactor authentication can all help prevent breaches caused by employee lack of awareness, policy violations, or human error.

Risk 5: Insider Attacks
Insiders in OT environments pose the same security risk as in IT environments. The source can be malicious, such as a disgruntled employee, an insider who is paid to steal or sabotage assets, or an internal account compromise attack by an outsider. An insider threat can also be unintended, caused by human error.

Mitigation: Performing a risk assessment to identify and address vulnerabilities such as over-privileged accounts, insiders with access to resources they don’t need to do their jobs, and orphaned accounts is essential to reducing the attack surface for insider threats. Knowing and monitoring OT attack vectors, which are primarily the network and direct access to devices via serial ports, can also defeat these threats. Network activity anomaly detection and routine device integrity checks can identify malicious activity before it’s too late. Finally, unifying IT and OT security, because both environments are often interconnected, can help protect against attacks that originate on one network and attempt to move laterally to the other.
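
Risks 2, 3 and 5 meet in the log pipeline: once controller traffic is being logged, an asset inventory is what turns those records into alerts. The following is an added example, not from the original article or any vendor product; the inventory, the allowed-writer list and the key=value log lines are all constructed, and the Modbus write function codes (5, 6, 15, 16, 22, 23) are the standard ones.

```python
import re

# Constructed asset inventory: every IP that is allowed to exist on the OT segment.
INVENTORY = {
    "10.10.1.20": "ENG-WS-01 (engineering workstation)",
    "10.10.1.21": "HMI-01 (operator HMI)",
    "10.10.2.5": "PLC-05 (line 1 controller)",
    "10.10.2.6": "PLC-06 (line 2 controller)",
}
# Only the engineering workstation may change controller state.
ALLOWED_WRITERS = {"10.10.1.20"}
# Modbus function codes that modify coils or registers.
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}

# Constructed log lines in the key=value form a passive network sensor might emit.
SAMPLE_LOG = """\
2018-10-02T10:15:00Z src=10.10.1.20 dst=10.10.2.5 proto=modbus fc=3 addr=40001
2018-10-02T10:15:07Z src=10.10.1.20 dst=10.10.2.5 proto=modbus fc=16 addr=40010
2018-10-02T10:16:30Z src=10.10.9.77 dst=10.10.2.5 proto=modbus fc=6 addr=40001
2018-10-02T10:17:02Z src=10.10.1.21 dst=10.10.2.9 proto=modbus fc=3 addr=40002
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into its timestamp and a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def detect(log_text, inventory=INVENTORY, allowed_writers=ALLOWED_WRITERS):
    """Return alerts for unknown assets (risk 3) and unauthorized writes (risk 5)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src, dst = ev.get("src"), ev.get("dst")
        # Anything talking on the OT segment that is not in the inventory.
        for ip in (src, dst):
            if ip not in inventory:
                alerts.append({"ts": ev["ts"], "rule": "unknown-asset", "ip": ip, "line": line})
        # A write to a controller from any host other than the engineering workstation.
        is_write = ev.get("proto") == "modbus" and int(ev.get("fc", 0)) in MODBUS_WRITE_FC
        if is_write and src not in allowed_writers:
            alerts.append({
                "ts": ev["ts"], "rule": "unauthorized-write", "ip": src,
                "target": inventory.get(dst, dst), "line": line,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['rule']:<18} {alert['ip']}  {alert['line']}")
```

The two rules are deliberately simple; the value comes from the inventory being accurate, which is exactly the asset-management capability the mitigation for risk 3 calls for. Without it, every alert is an unknown asset and the unauthorized-write rule has nothing to anchor on.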

Despite the cultural divide between IT and OT, both environments share a common set of threats and vulnerabilities. And while the consequences of an OT security breach are decidedly more physical in nature, many of the lessons learned and best practices from IT can help prevent them.

 

FireEye analyzed over half a billion emails from the first half of 2018 and found that only 32% of that traffic was considered ‘clean’ and actually delivered to an inbox.

The report also found that 1 in every 101 emails had malicious intent. Compared with the previous six-month period, the changes in both numbers show that email-based threats continue to increase.


“From malware to malware-less attacks including impersonation attacks like CEO fraud, a single malicious email can cause significant brand damage and financial losses. By choosing an email security solution with features based on real-time knowledge gained from the frontlines, and by teaching users to always ensure they are communicating with who they think they are, organizations can better defend against attacks,” said Ken Bagnall, VP of email security at FireEye.

Email reliance continues, cyber criminals adapt

With email security solutions focused on detecting malware, cyber criminals are now adapting their attacks, exposing organizations to malware-less assaults such as CEO fraud. In fact, the majority of attacks blocked (90%) during analysis were malware-less, with phishing attacks alone making up 81% of the blocked malware-less emails, almost doubling from January to June 2018.

Data also indicates that phishing attacks will continue to rise, while impersonation attacks (at 19%) remain roughly proportional to the total number of attacks seen. Since it takes only one email to potentially impact an entire organization, protecting this channel must be taken seriously.

Other notable email attack trends

While the overall number of attacks stayed fairly consistent each month during the evaluated six-month period, a few notable trends stuck out relative to when and how attackers struck:

  • Malware-based attacks were most common on Mondays and Wednesdays.
  • Malware-less attacks, including domain name spoofing and attacks using a spoofed friendly user name, were most likely to occur on a Thursday; the exception was newly existing domains, which peaked on Wednesdays instead.
  • Impersonation attacks were most likely to fall on a Friday.
  • Over the weekend, malware-less attacks continued to be more prevalent than malware-based attacks, with domain name spoofing and newly existing domains the most likely among them.

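
Two of the malware-less categories named above, a spoofed friendly user name and a spoofed (lookalike) domain, can be checked before delivery with a small rule. The following is an added example, not FireEye’s detection logic: the executive directory, the organisation domain and the sample From headers are constructed. Newly existing domains, the third category, need a WHOIS or passive-DNS lookup and are out of scope here.

```python
# Constructed executive directory (lower-cased display name -> real address) and domain.
ORG_DOMAIN = "example.com"
DIRECTORY = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}

# Characters and digraphs commonly substituted in lookalike domains.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def normalize(text):
    """Collapse common homoglyph substitutions so 'exarnp1e' compares as 'example'."""
    text = text.lower()
    for glyph, plain in HOMOGLYPHS:
        text = text.replace(glyph, plain)
    return text


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(display_name, address, directory=DIRECTORY, org_domain=ORG_DOMAIN):
    """Return the impersonation findings for one From header (empty list = clean)."""
    findings = []
    address = address.lower()
    domain = address.rpartition("@")[2]
    name_key = " ".join(display_name.lower().split())
    # Spoofed friendly name: the display name is one of our executives, the address is not theirs.
    if name_key in directory and address != directory[name_key]:
        findings.append("display-name-impersonation")
    # Lookalike domain: not ours, but identical after homoglyph folding or within one edit.
    if domain != org_domain and (
        normalize(domain) == normalize(org_domain) or edit_distance(domain, org_domain) <= 1
    ):
        findings.append("lookalike-domain")
    return findings


if __name__ == "__main__":
    # Constructed From headers: one genuine, then the three spoofing patterns.
    samples = [
        ("Jane Doe", "jane.doe@example.com"),
        ("Jane Doe", "jane.doe.ceo@gmail.com"),
        ("Accounts Payable", "ap@examp1e.com"),
        ("Jane Doe", "jane.doe@exarnple.com"),
    ]
    for name, addr in samples:
        print(f"{name} <{addr}>: {classify(name, addr) or 'clean'}")
```

Exact-domain spoofing (the From header simply claiming `@example.com` from an outside host) is not caught by string comparison at all; that case is what SPF, DKIM and a DMARC reject policy on your own domain are for, and the two rules here cover what those protocols cannot see.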

The information contained in this website is for general information purposes only. The information is gathered from Helpnet Security. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.