#NSBCS.051 - Caught in the Net: How to Stay Ahead of Phishing Attacks
In today’s digital landscape, email remains a primary communication tool and a high-value target for cybercriminals. Phishing and Business Email Compromises (BECs) are on the rise, posing significant risks to organisations of all sizes.
Phishing is a social engineering tactic where cybercriminals send fraudulent messages designed to trick recipients into revealing sensitive information or installing malware. Often disguised as trusted individuals or companies, these emails may prompt users to click on malicious links or download attachments, ultimately leading to stolen credentials or malware infections.
A BEC typically involves unauthorised access to an email account, usually gained through phishing or brute-force attacks. Once a threat actor controls the account, they may steal confidential information, manipulate company communications, or launch further phishing attacks from within the compromised account, where the messages carry the trust of a legitimate internal sender.
Cybercriminals are advancing in both their skills and tactics, creating increasingly realistic and sophisticated phishing schemes. Traditional email filters and security controls often fail to detect these new methods, as threat actors may employ artificial intelligence to mimic legitimate language patterns or imitate real communication styles within a company. This sophistication means that phishing attempts may appear so credible that even vigilant employees might be caught off guard.
One prevalent example is the use of SharePoint in phishing attacks. Cybercriminals often mimic legitimate SharePoint notifications, which many organisations rely on for sharing files and collaborating. These phishing emails may appear as genuine SharePoint invitations, prompting users to click on a link to view an "important document." Once the link is clicked, victims are typically redirected to a fake Microsoft login page where they are asked to enter their credentials. These credentials are then captured by the attacker, granting unauthorised access to the individual’s email account, as well as to sensitive company information housed in SharePoint and other connected Microsoft services.
In any organisation, effective security begins with the people on the inside. Employees who are trained to recognise phishing attempts and suspicious activity provide a critical line of defence:
Conduct Regular Phishing Awareness Training: Schedule frequent training sessions to keep employees up to date on phishing tactics, reinforcing their ability to spot unusual requests or suspicious links.
Simulate Phishing Scenarios: Run controlled phishing simulations to test employees’ responses and provide hands-on experience with real-world tactics in a safe environment.
Establish Clear Reporting Channels: Ensure employees know where and how to report suspicious emails or activity immediately to prevent potential threats from advancing.
Implement Visible Warning Signs: Use automated systems to flag external emails or add banners on potential phishing emails, reminding employees to be cautious.
Reinforce Key Indicators of Phishing: Regularly remind staff of red flags, such as odd URLs, unfamiliar sender addresses, and unusual urgency in requests for credentials or sensitive information.
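As an added illustration of the last two points (automated flagging of external mail, and the odd-URL and unfamiliar-sender indicators) applied to the SharePoint lure described earlier, the following example code is not part of this newsletter or of NSB Cyber's tooling; the organisation domain, the list of trusted Microsoft hostname suffixes and the sample message are all constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.com"}  # constructed: the organisation's own mail domains
MS_SUFFIXES = ("sharepoint.com", "microsoft.com", "microsoftonline.com", "office.com")
MS_WORDS = re.compile(r"sharepoint|microsoft|office365|onedrive|login", re.I)
# Simple anchor extractor; adequate for the demo, not a substitute for a real HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(s):
    """Hostname of a URL (a scheme is prepended if the text lacks one)."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def phishing_flags(raw):
    """Red flags in one raw email: an external sender, Microsoft/SharePoint-themed links
    that do not land on Microsoft domains, and link text whose domain differs from its href."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    flags = []
    if sender not in INTERNAL_DOMAINS:
        flags.append(f"external sender: {sender}")
    for part in msg.walk():  # walk() also covers multipart messages
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(errors="replace")
        for href, text in ANCHOR.findall(html):
            host, shown = _host(href), re.sub(r"<[^>]+>", "", text).strip()
            if MS_WORDS.search(host) and not host.endswith(MS_SUFFIXES):
                flags.append(f"Microsoft-themed link on non-Microsoft host: {host}")
            if shown.lower().startswith(("http", "www.")) and _host(shown) != host:
                flags.append(f"link text '{shown}' does not match target {host}")
    return flags

def add_banner(raw, flags):
    """Prefix the subject with a visible warning when any flag fired."""
    if not flags:
        return raw
    msg = message_from_string(raw)
    msg.replace_header("Subject", f"[CAUTION: {'; '.join(flags)}] {msg['Subject']}")
    return msg.as_string()

# Constructed sample: a SharePoint-themed lure from outside the organisation.
SAMPLE = """From: "SharePoint Online" <share@contoso-docs.example.net>
Subject: Important document shared with you
Content-Type: text/html

<p>A colleague shared <a href="https://login.sharepoint-docs.example.net/x">Q4-Budget.docx</a>.</p>
<p>Sign in at <a href="http://203.0.113.5/auth">https://login.microsoftonline.com</a></p>
"""
```

Running `add_banner(SAMPLE, phishing_flags(SAMPLE))` returns the message with a subject banner listing the external sender, the SharePoint-themed link on a non-Microsoft host, and the login link whose visible text does not match its real target.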
While no organisation is immune to threats, those with an informed, vigilant workforce can minimise the risk of compromise and ensure that, if an incident does occur, it’s detected and mitigated early. With proactive security and a strong emphasis on cyber awareness, you can stay in control rather than responding to the cards you're dealt. Investing in proactive measures today not only protects your business but also fosters a culture of cybersecurity that takes NoStepsBackwards!
What we read this week
New SteelFox malware hijacks Windows PCs using vulnerable driver - A new malicious package named 'SteelFox' targets Windows machines, mining cryptocurrency and stealing credit card information by exploiting the bring your own vulnerable driver (BYOVD) tactic to gain SYSTEM-level privileges. This malware bundle, delivered as a dropper, is circulated on forums and torrent sites disguised as a crack tool for activating legitimate software like Foxit PDF Editor, JetBrains, and AutoCAD. While state-backed threat actors and ransomware groups often use vulnerable drivers for privilege escalation, this technique is now being adopted for info-stealing malware attacks as well.
North Korean Hackers Target macOS Users - North Korean hackers are targeting macOS users with a new malware campaign focused on cryptocurrency, using phishing emails, fake PDF apps, and a technique to bypass Apple’s security features. SentinelOne has uncovered that the BlueNoroff hacking group, backed by the North Korean government, is sending phishing emails with fake news headlines related to decentralised finance (DeFi) and cryptocurrency, aiming at professionals in these sectors. This campaign abuses the ‘zshenv’ file to maintain persistence on macOS without triggering security notifications for changes in background processes. The malware downloads a decoy PDF from Google Drive to avoid suspicion, while in the background, it pulls and executes additional malicious code and establishes communication with a command-and-control server to collect system data and a unique identifier.
'GoIssue' Cybercrime Tool Targets GitHub Developers - Cybersecurity researchers have identified 'GoIssue,' a tool marketed on cybercriminal forums for $700, designed to harvest email addresses from public GitHub profiles. Utilising GitHub tokens, GoIssue automates the collection of data based on criteria such as organisation memberships and stargazer lists. This tool enables attackers to send bulk emails directly to developers, potentially facilitating credential theft, malware distribution, OAuth exploitation, and supply chain attacks. The emergence of GoIssue underscores the increasing targeting of developer platforms by cybercriminals, aiming to compromise corporate systems through developer accounts. Security experts advise developers to be vigilant and implement robust security measures to protect their GitHub profiles and associated data.
Microsoft Confirms Zero-Day Exploitation of Task Scheduler Flaw - Microsoft has released fixes for 90 security vulnerabilities across the Windows ecosystem, highlighting two zero-day flaws currently under active exploitation. One critical issue, identified as CVE-2024-49039, is a privilege escalation vulnerability in the Windows Task Scheduler that allows attackers to execute code or access resources at elevated privilege levels. This flaw was discovered by Google's Threat Analysis Group, indicating its potential use in targeted attacks. Another vulnerability, CVE-2024-43451, involves NTLMv2 hash disclosure, enabling attackers to authenticate as the user with minimal interaction. Microsoft has not provided specific indicators of compromise for these vulnerabilities but urges users to apply the latest security updates promptly.
Malicious PyPI package with 37,000 downloads steals AWS keys - A malicious Python package named 'fabrice' was discovered in the Python Package Index (PyPI), where it had been available since 2021 and downloaded over 37,000 times. This package, a typosquat of the legitimate 'fabric' library, was designed to steal Amazon Web Services (AWS) credentials from developers. Upon installation, 'fabrice' executed platform-specific scripts: on Linux, it created a hidden directory to store and execute encoded shell scripts; on Windows, it downloaded and ran a VBScript to launch a hidden Python script. Users can reduce the risk of typosquatting by carefully verifying packages downloaded from PyPI. Additionally, specialised tools are available to detect and prevent these threats. To safeguard AWS repositories against unauthorised access, administrators should utilise AWS Identity and Access Management (IAM) to control permissions for resources.
References
https://www.bleepingcomputer.com/news/security/new-steelfox-malware-hijacks-windows-pcs-using-vulnerable-driver/
https://www.securityweek.com/north-korean-hackers-target-macos-users-with-fake-crypto-pdfs/
https://www.darkreading.com/cloud-security/goissue-cybercrime-tool-github-developers-en-masse
https://www.securityweek.com/microsoft-confirms-zero-day-exploitation-of-task-scheduler-flaw/
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-with-37-000-downloads-steals-aws-keys/