Researchers have discovered a new phishing campaign designed to spread ransomware and steal data by capitalizing on interest in the recent Colonial Pipeline outage.
Security vendor Inky spotted the malicious emails, which said several Microsoft 365 customers were targeted.
Emails were spoofed to appear as if sent from the recipient’s “Help Desk.” They were instructed to click on a malicious link in order to download a critical “ransomware system update” to protect their organization from the same fate as Colonial Pipeline.
“The malicious emails were sent from newly created domains (ms-sysupdate.com and selectivepatch.com) controlled by cyber-criminals. The domain names, sufficiently plausible to appear legitimate, were nonetheless different enough so that garden variety anti-phishing software would not be able to use regular expression matching to detect their perfidy,” explained VP of security strategy, Roger Kay.
“Both domains were registered with NameCheap, a registrar popular with bad actors. Its domains are inexpensive, and the company accepts Bitcoin as payment for hosting services (handy for those trying to remain anonymous). The malicious links in the emails belonged to — surprise — the same domain that sent the emails.”
The download itself is, in fact, Cobalt Strike — a legitimate pen-testing tool often used in ransomware attacks and data exfiltration and which could be used in this instance to control targeted systems.
Anti-phishing software must be used to mitigate the risks posed by such attacks in conjunction with well-thought-out policies such as IT teams never asking employees to download certain file types, Kay concluded.