One Article Review

Home - The article:
Source: AlienVault Blog
Identifier 401953
Publication date 2017-08-29 13:00:00 (viewed: 2017-08-29 13:00:00)
Title One Man Cyber Attacked 4,000 Companies; Don't Let It Happen to You
Text A cyber-attack carried out over the past four months was discovered to have targeted more than 4,000 companies and to have successfully penetrated at least 14 of them. The targets were mainly in the oil and gas, mining, transportation, and construction sectors, in locations as diverse as Germany, Kuwait, the UAE, Egypt, and Croatia. The malicious party was able to acquire sensitive financial data and take remote control of endpoints. Some speculated that a sophisticated criminal organization might be behind the attack. It turned out, however, that the attacker was a 20-year-old man from Nigeria, and he was hardly a cyber mastermind. In fact, it was not difficult for researchers to discover the culprit's identity: "Following extensive research into the campaign, researchers have revealed the identity of the criminal behind it. He is a Nigerian national, working on his own. On his social media accounts, he uses the motto: 'get rich or die trying.'"

The attacker sent very crudely written phishing emails with improper punctuation, which would have made me immediately suspicious if one had ended up in my inbox. Here is what was sent in the body of his emails: "Dear Sir/Ms,... Please confirm the receipt of this mail as we have sent several emails to your esteemed company. Find attach 2 pages of our purchase order request for the month of May, kindly send us PI signed and stamped also do advice bank details for LC processing. Thanks and Regards Nurafi -- Saudi Aramco P.O. Box 5000 Dhahran 31311, Saudi Arabia"

The email attachment's file name was "Saudi Aramco Oil And Gas.rar," and the 591.1 KB file had NetWire, a remote access Trojan, and HawkEye, a commercial keylogger, bound to it. NetWire is considered to be the first multi-platform RAT. It is primarily designed to exploit weaknesses in point-of-sale systems, but it can also acquire sensitive financial data from client machines that are not part of a POS system. It is built to be spread as an email attachment Trojan and can linger undetected for months. HawkEye is another piece of malware sold on the Dark Web to be distributed as an email attachment Trojan. Its payload is a DOCX file, which then harvests email and web browser passwords and performs keylogging.

The only thing the attacker did to obscure his location was to put "Saudi Arabia" in his emails. He used two free Yahoo webmail addresses, which made it easy for the researchers to trace him. The fact that he only used two email addresses also meant that the companies he was targeting could easily have blocked those addresses to avoid receiving further email from him.

Given the simplistic nature of this operation, it is really concerning that his victims were large companies, not small or medium-sized businesses. It is often assumed that large companies are more likely to have CISOs and better security monitoring, with technologies such as SIEM in their server rooms. It is surprising to hear about so many large organizations falling for such a pedestrian, script-kiddie sort of attack. Here are lessons that can be learned from its success, which can help you be better prepared and avoid falling victim to similar attacks: Train all your employees and contractors who have business email accounts. Teach them about phishing. Tell them never to open email attachments from senders who are not known to the company, and never to share financial details except with specific, authorized people. Avoid sharing sensitive data o
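The indicators the article lists (a "corporate" purchase order sent from a free webmail account, a signature naming an organisation whose mail domain does not match the sender, a request for bank details, and an archive attachment) can be checked mechanically before a message reaches an inbox, and the two known sender addresses can be blocklisted outright. The script below is an added example, not code from the AlienVault post or from the researchers who traced the attacker. It builds a sample message from the body quoted above; the sender address `nurafi.orders@yahoo.com`, the recipient, the subject, the attachment bytes, the `CLAIMED_ORGS` domain mapping and the phrase lists are all constructed placeholders for the demonstration.

```python
"""Triage an inbound purchase-order email for the phishing indicators described above.

Added example, not code from the AlienVault post or from the researchers.
The sample message is constructed from the body quoted in the article; the
sender address, recipient, subject and attachment bytes are placeholders.
"""
import email
import email.utils
import os
from email import policy
from email.message import EmailMessage

# Body text as quoted in the article (ASCII punctuation, constructed line breaks).
BODY = (
    "Dear Sir/Ms,... Please confirm the receipt of this mail as we have sent "
    "several emails to your esteemed company. Find attach 2 pages of our "
    "purchase order request for the month of May, kindly send us PI signed and "
    "stamped also do advice bank details for LC processing.\n"
    "Thanks and Regards\nNurafi -- Saudi Aramco\n"
    "P.O. Box 5000 Dhahran 31311, Saudi Arabia\n"
)

FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "aol.com"}
RISKY_EXTENSIONS = {".rar", ".zip", ".7z", ".ace", ".exe", ".scr", ".js", ".iso"}
# Assumed mapping: organisation named in a signature -> mail domain it would send from.
CLAIMED_ORGS = {"saudi aramco": "aramco.com"}
# Assumed phrases that indicate a request for financial details.
FINANCIAL_PHRASES = ("bank details", "bank account", "wire transfer", "lc processing")


def build_sample(sender="Nurafi <nurafi.orders@yahoo.com>"):
    """Construct the sample message. The sender is a placeholder, not the attacker's."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "sales@example-supplier.test"   # placeholder recipient
    msg["Subject"] = "Purchase Order Request - May"
    msg.set_content(BODY)
    # Placeholder RAR v4 signature bytes; not a real archive.
    msg.add_attachment(
        b"Rar!\x1a\x07\x00" + b"\x00" * 16,
        maintype="application",
        subtype="x-rar-compressed",
        filename="Saudi Aramco Oil And Gas.rar",
    )
    return msg.as_bytes()


def triage(raw, blocklist=frozenset()):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
    domain = sender.rpartition("@")[2]

    # Lesson from the article: a sender seen in one campaign can simply be blocked.
    if sender in blocklist:
        findings.append(("blocklisted-sender", sender))

    # A "corporate" purchase order sent from a free webmail account.
    if domain in FREE_WEBMAIL:
        findings.append(("free-webmail-sender", domain))

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""

    # Signature names an organisation whose mail domain does not match the sender.
    for org, org_domain in CLAIMED_ORGS.items():
        same_org = domain == org_domain or domain.endswith("." + org_domain)
        if org in body and not same_org:
            findings.append(("org-domain-mismatch", f"claims {org}, sent from {domain}"))

    # Request for bank or payment details: the "financial details" the lessons warn about.
    if any(phrase in body for phrase in FINANCIAL_PHRASES):
        findings.append(("financial-request", "asks for bank details"))

    # Archive or executable attachment, as in the NetWire/HawkEye .rar described above.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))

    return findings


def codes(findings):
    """Just the finding codes, for quick comparison."""
    return {code for code, _ in findings}


if __name__ == "__main__":
    for code, detail in triage(build_sample(), blocklist={"nurafi.orders@yahoo.com"}):
        print(f"{code}: {detail}")
```

Run stand-alone it prints one line per finding for the sample message. In a mail gateway the `blocklist` would be fed from threat intelligence such as the two addresses the researchers identified, and any message with an `org-domain-mismatch` or `risky-attachment` finding would be quarantined for review rather than delivered.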
Sent Yes
Tags Guideline
Stories Yahoo


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.