Posted on June 5, 2021 at 3:09 PM
A recent report has revealed that threat actors are now taking advantage of the Colonial Pipeline hack to launch phishing attacks on unsuspecting victims.
Findings from the INKY cybersecurity firm noted that it has received helpdesk emails from users about the new wave of attack.
The campaign follows a common phishing pattern: it uses widely publicized news events to deceive victims into opening malicious emails and clicking malicious links.
According to the security firm, some of the targets stated that they received emails notifying them about the ransomware attack on Colonial Pipeline and asking them to download a ransomware system update to protect their system.
The threat actors claimed that if the targets downloaded the update, it would prevent their organization from suffering a similar ransomware attack.
In reality, the emails and the links only lead users into inviting malware onto their machines.
Malicious emails come from newly-created domains
As indicated by the security firm, the malware-laden emails were delivered from recently created domains. The domains include selectivepatch.com and ms-sysupdate.com, which the security team believed were created by the threat actors.
They were designed to appear authentic and set up in a way that prevents conventional anti-phishing software from identifying and blocking them. However, INKY says it used other methods to identify them.
Both domains were registered through NameCheap, which is one of the platforms most commonly used by threat actors. Domains there are very cheap, and customers can pay for hosting services with Bitcoin. This explains why it is attractive to bad actors: they can hide their identity while paying for the service.
And, conveniently for the hackers, the malicious links in the emails point to the same domain that sent the emails.
The fake websites were designed with images and logos from the target company so that they look very convincing. However, when the target clicks the download button on the page, it downloads a “Cobalt Strike” file named “Ransomware_Update.exe” to their system.
“Cobalt Strike” has been listed as the second most detected threat on computer systems by Red Canary.
According to a report by INKY, the threat was discovered in about 66% of all ransomware attacks in the 4th quarter of 2020.
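The pattern described above (a newly registered sending domain, a lure link hosted on that same domain, and an executable download) can be checked automatically at the mail gateway or helpdesk. The following triage script is an added example, not INKY's tooling; the company domain example-corp.com, the registration dates and the sample email are constructed, standing in for what a WHOIS/RDAP lookup and a real message would provide.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed registration dates, standing in for a WHOIS/RDAP lookup.
DOMAIN_CREATED = {
    "ms-sysupdate.com": date(2021, 5, 20),      # constructed date
    "selectivepatch.com": date(2021, 5, 20),    # constructed date
    "example-corp.com": date(2009, 3, 1),       # hypothetical target company
}
TRUSTED_DOMAINS = {"example-corp.com"}          # hypothetical company domains
EXECUTABLE_EXT = (".exe", ".msi", ".scr", ".hta", ".js")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def triage(raw_email, today="2021-06-01", max_age_days=30):
    """Return a list of finding codes for one plain-text email."""
    now = date.fromisoformat(today)
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append("untrusted_sender")
    for url in URL_RE.findall(msg.get_payload()):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        created = DOMAIN_CREATED.get(host)
        # Unknown or recently registered link domains match the reported pattern.
        if created is None or (now - created).days <= max_age_days:
            findings.append(f"new_domain:{host}")
        # Lure hosted on the same untrusted domain that sent the mail.
        if host == sender_domain and host not in TRUSTED_DOMAINS:
            findings.append("same_domain_lure")
        if parsed.path.lower().endswith(EXECUTABLE_EXT):
            findings.append("executable_link")
    return findings

# Constructed sample modelled on the lure described in the article.
LURE_EMAIL = """\
From: IT Helpdesk <it-helpdesk@ms-sysupdate.com>
Subject: Ransomware system update required

After the Colonial Pipeline attack, install the protective update now:
https://ms-sysupdate.com/download/Ransomware_Update.exe
"""

if __name__ == "__main__":
    print(triage(LURE_EMAIL))
```

A message with no findings is not proven safe; the script only surfaces the three traits this campaign shared so that helpdesk staff can prioritise review.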
Hackers taking advantage of ransomware fears
INKY data analyst Bukar Alibe noted that the firm started seeing the phishing attacks a few weeks after it was reported that Colonial Pipeline had paid a ransom to the DarkSide threat group.
He stated that, given the tense situation, hackers started taking advantage of it by offering users a solution that supposedly came from the genuine company. The software update, according to the threat actors, would fix the problem and keep the users from being targeted. In reality, the threat actors are sending users to places where they would be hit with the very malware they are afraid of.
“All the recipient had to do was click the big blue button, and the malware would be injected,” Alibe added.
IT teams need to alert employees
Apart from taking advantage of the fear surrounding ransomware attacks, the threat actors designed the fake website and the emails to look as if they came from the user’s own company. As a result, they look convincing enough for users to be deceived.
Alibe has asked IT teams to warn employees not to fall for such scams. Company IT experts should let employees know that the company will never ask them to download a file via email.
Alibe noted that the threat actors are taking advantage of workers’ desire to do the right thing. He also pointed out that the attack targeted two firms, but IT teams should remain vigilant because there could be more attacks following a similar pattern.