Lessons learnt and what lies ahead – security concerns in the channel

A look back at the threats of 2021

When the user is often the weakest link, attackers will focus on their entry point to the network – the email mailbox. However, while cyber attacks are making headlines around the world, they call into question the scale and sophistication of attacks infiltrating the mailbox. While headlines may come and go, long-term effects of these attacks do not.

Threat actors are constantly adding to their repertoire by exploring new tactics and techniques to help bolster their efficacy against both technological blockers and humans – and 2021 was no different as cyber criminals continued to add new methods to their toolbox.

Analysts from Zix | AppRiver recently discovered phishing and malware attacks that leveraged common links, economic trends and very fresh credential harvesting pages. Let’s look at three examples of the type of threats that came to the forefront over the past year.

1. Phishing

Threat actors continued to distribute messages purporting to be files shared via Microsoft, exploiting the huge popularity of Microsoft 365 within businesses.

One of the examples investigated recently highlighted the data breach risk associated with users that fall for phishing attacks. This example was masquerading as a shared Excel file, but ultimately led to a phishing portal that breached stolen user credentials. If the recipient clicked on the link, they were then redirected to the password-stealing portal hosted on the Glitch, a popular free service to create and host applications. From here, the attacker posted the stolen credentials out to another site.

After navigating over to the site for posting credentials, the Zix | AppRiver threat team found that the directory structure wasn’t locked down – a common occurrence. They ran across two log files while traversing the directories: one was for legitimate site errors, but the other was curiously named logsSH.txt. Upon browsing this file, they discovered that there were 18 log entries from victims of this attack.

Synonymous with stolen password logs observed previously, the same victim will try to log in multiple times after not gaining initial access. Sometimes they will change login email addresses and – even more disturbingly – provide different login passwords that may be used for password reuse attacks across other services. The victims IP address and system/browser information is also logged in case the attacker needs to IP and/or browser spoof.

In addition to this, the Zix | AppRiver team quarantined phishing attacks posing as Microsoft password expiration notifications. These were launched from compromised MailChimp accounts in hopes that those sending IPs might be seen as less suspicious by email filters.

2. Exploiting system emails

While bogus Microsoft password expiration scams are a daily occurrence, one stuck out. Instead of the normal text, it utilised an image link for the lure, but the image itself was customised to contain the recipient’s email address and domain. It was also an automated attack being sent in large volumes, indicating that the attacker had an automated setup for these and was not manually changing each image for the recipients.

The threat analyst team captured these to prevent non-admin users from releasing them based on the unique HTML used for the image insertion, in addition to similar hex patterns for the images themselves.

The attack also used a phishing page that abused a legitimate Cloudflare service – highlighting an example of using well-known sites and services (even security ones) to help misdirect and confuse potential victims.

3. Malware

The use of malware to steal user credentials also saw a continued rise in popularity. One malware attack that was captured attempted to use Atlantic Shipping as the purported sender, although the from address didn’t coincide. The lure was generic, stating they had goods to ship in the attached document and needed the recipient to provide a quote for them.

Upon opening the document, it has a unique lure within that states the document was made on Windows 11 Alpha. This was done to try not to raise red flags for the recipient while tricking them into bypassing Office protected view and executing the macro by clicking enable content and/or enable editing. If successful, the attack drops Lokibot as the payload.

Moving forward in 2022 – what’s coming next?

This time of year sees the usual array of predications for the forthcoming year, but in the short term we can certainly expect an evolution of the current cyber criminal playbook that’s delivering significant returns.

Ransomware will continue to grow (with 2021 comfortably exceeding the 2020 US figure of $350m). Phishing attacks and associated business email compromise (BEC) campaigns will target users, especially those working from home and more isolated from the usual support structure and assistance that offices bring.

To help support partners, e92plus has partnered with Zix | AppRiver to provide cyber security solutions that are built for MSPs and designed to integrate seamlessly with Microsoft 365. The offering includes security audits, helping partners to review their current security posture and to ensure their defences are capable of defending against the next threat to come.