Organisations in critical sectors such as government, healthcare, insurance, medical research and publishing, and utilities are being extensively targeted by business email compromise (BEC) campaigns originating from Nigeria’s SilverTerrier cyber crime group, according to Palo Alto Networks’ Unit 42 threat intelligence team.
Unit 42 has been tracking SilverTerrier – a loosely affiliated cyber criminal group specialising in BEC attacks – for some time, charting its evolution from novice threat adversaries specialising in 419 scams to a sophisticated and dangerous threat.
Peter Renals, a researcher at Unit 42, said that in the past three months, three SilverTerrier actors have launched a series of Covid-19 coronavirus-themed malware campaigns, producing more than 170 distinct phishing emails and exercising “minimal restraint” in their targeting of organisations leading national responses to the pandemic in Australia, Canada, Italy, the UK and the US.
“With the global impacts of Covid-19, an unprecedented number of corporations are expediting their cloud infrastructure migrations, all while transitioning to a largely remote workforce that is understandably interested in all topics related to the virus,” said Renals in a disclosure blog.
“Given this trend, it should come as no surprise that BEC actors are seizing opportunities to exploit the situation through tailored phishing campaigns related to Covid-19.”
BEC attacks, also known as “man in the email”, target employees with access to company funds through compromised accounts belonging to senior management, including C-suite executives. Usually, the attacker will try to convince the target to transfer money into a bank account under the attacker’s control using some pretext, such as an urgent end-of-quarter payment. Statistics from the US FBI suggest that in 2019, BEC attacks resulted in global losses of $1.77bn (£1.42bn/€1.62bn).
SilverTerrier’s current campaigns are being used to seed a variety of strains of malware at their targets, according to Unit 42, including AgentTesla, FormBook and LokiBot. Renals said none of the malicious campaigns were actually successful in infecting their targets, who are all existing Palo Alto customers. More details of each of the 10 campaigns can be read here.
Renals said: “As 2020 progresses, the most prominent threat facing customers is commodity malware deployed in support of sophisticated BEC schemes. Given the global impacts of Covid-19, SilverTerrier actors have begun adapting their phishing campaigns and will likely continue to use Covid-19-themed emails to deliver commodity malware broadly in support of their objectives.
“In light of this trend, we encourage government agencies, healthcare and insurance organisations, public utilities, and universities with medical programmes to apply extra scrutiny to Covid-19-related emails containing attachments.”
There are a number of ways organisations can guard against BEC attacks. One of the most fundamental is to implement additional workflow controls when approving outgoing financial transactions, which means the attacker must target and convince multiple people to do their bidding, one of whom might spot something was not right.
In terms of cyber security procedures, the optimal defence against BEC attacks is heightened employee awareness and improved training. People should, as a matter of course, be on the lookout for phishing emails, which can often easily be identified if you are paying proper attention to things like correct spelling and punctuation, domain names and sender email addresses, whether or not the email is expected, and whether what it says appears too good to be true.
For those in financial roles, further failsafes may be needed, such as verification of transactions via a medium other than email.
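The indicators the article lists (sender address and domain, an unexpected urgent payment request, Covid-19-themed messages carrying attachments) can be turned into a simple mail-triage check. The following is an added example written for this page, not code from Unit 42 or Palo Alto Networks; the organisation domain, the executive names and the three sample messages are constructed for illustration, and the lookalike-domain test generalises the article’s “check the domain name” advice by flagging any sender domain within one character edit of the organisation’s own.

```python
import textwrap
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): the defending organisation's own mail domain
# and the executive display names most likely to be impersonated in a BEC pretext.
ORG_DOMAIN = "example-corp.test"
EXECUTIVE_NAMES = {"jane doe", "john smith"}
# Pretext and theme vocabulary drawn from the article's description of BEC lures.
PRETEXT_WORDS = ("urgent", "wire transfer", "end-of-quarter", "end of quarter", "payment")
THEME_WORDS = ("covid", "coronavirus")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain, own):
    """True when `domain` differs from `own` by exactly one substitution, insertion or deletion."""
    if domain == own or abs(len(domain) - len(own)) > 1:
        return False
    if len(domain) == len(own):
        return sum(a != b for a, b in zip(domain, own)) == 1
    longer, shorter = (domain, own) if len(domain) > len(own) else (own, domain)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def text_of(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def has_attachment(msg):
    """True when any MIME part is declared as an attachment."""
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def assess(raw_message):
    """Apply the article's sender, pretext and attachment checks; return a list of findings."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    findings = []
    if domain and domain != ORG_DOMAIN:
        findings.append("external-sender:" + domain)
        if is_lookalike(domain, ORG_DOMAIN):
            findings.append("lookalike-domain:" + domain)
        if display.strip().lower() in EXECUTIVE_NAMES:
            findings.append("executive-name-on-external-address")
    text = (msg.get("Subject", "") + "\n" + text_of(msg)).lower()
    if any(word in text for word in PRETEXT_WORDS):
        findings.append("payment-pretext")
    if has_attachment(msg) and any(word in text for word in THEME_WORDS):
        findings.append("covid-themed-attachment")
    return findings


# Constructed sample messages (not real traffic): an executive-impersonation payment
# request from a lookalike domain, a Covid-themed lure with an attachment, and a
# legitimate internal note.
SAMPLE_BEC = textwrap.dedent("""\
    From: Jane Doe <jane.doe@examp1e-corp.test>
    To: finance@example-corp.test
    Subject: Urgent end-of-quarter payment
    Content-Type: text/plain; charset="utf-8"

    Please wire transfer 48,000 to the account below today. I am in meetings, email only.
    """)

SAMPLE_LURE = textwrap.dedent("""\
    From: Health Updates <alerts@notice-mailer.test>
    To: staff@example-corp.test
    Subject: COVID-19 guidance for your organisation
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="b1"

    --b1
    Content-Type: text/plain; charset="utf-8"

    Please review the attached coronavirus guidance.
    --b1
    Content-Type: application/octet-stream; name="guidance.iso"
    Content-Disposition: attachment; filename="guidance.iso"
    Content-Transfer-Encoding: base64

    AAAA
    --b1--
    """)

SAMPLE_LEGIT = textwrap.dedent("""\
    From: Jane Doe <jane.doe@example-corp.test>
    To: finance@example-corp.test
    Subject: Q3 board pack
    Content-Type: text/plain; charset="utf-8"

    Slides for Thursday's meeting are on the shared drive. Thanks.
    """)

if __name__ == "__main__":
    for name, sample in (("bec", SAMPLE_BEC), ("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, assess(sample))
```

The findings are meant to route a message for the extra scrutiny the article recommends (a second approver, or confirmation over a channel other than email), not to block it outright: a single external sender or a lone mention of “payment” is normal business traffic, and it is the combination of an executive name on a non-organisation domain with an urgent payment pretext that matches the BEC pattern described above.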