The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory on an ongoing sophisticated spearphishing campaign targeting government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs).
Based on incident reports, malware collection, and trusted third-party reporting, the advisory says the cyber threat actor leveraged a compromised end-user account at Constant Contact, a legitimate email marketing software company, to spoof a U.S. government organization and distribute links to malicious URLs associated with the spearphishing campaign.
“A cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to send phishing emails to more than 7,000 accounts across approximately 350 government organizations, IGOs, and NGOs,” the cybersecurity advisory said. “The threat actor sent spoofed emails that appeared to originate from a U.S. Government organization. The emails contained a legitimate Constant Contact link that redirected to a malicious URL, from which a malicious ISO file was dropped onto the victim’s machine.”
In addition to the advisory, CISA and the FBI released a Malware Analysis Report (MAR) based on their own analysis, which examines in detail three malicious ISO (optical disc image) files. These files are linked to the spearphishing campaign that used Constant Contact to spoof a U.S. Government organization and distribute links to malicious URLs.
According to the MAR, two of the three ISO files submitted to CISA each contain a dynamic-link library (DLL) that is a custom Cobalt Strike Beacon loader, a Portable Document Format (PDF) file that is displayed to the target as a decoy document, and a Windows shortcut (LNK) file that executes the Cobalt Strike Beacon. The third file is corrupt, and its PDF and LNK files could not be extracted. The two Cobalt Strike Beacon loaders contain the same encoded configuration data.
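The ISO-plus-LNK delivery described above is easy to triage without opening the shortcut on a Windows host: the shell link format (MS-SHLLINK) stores the target's relative path, working directory and command-line arguments in a plain StringData section. The following script is an added example, not code from the MAR or from CISA or the FBI. It parses that section with only the standard library and flags shortcuts that invoke a DLL loader or script host such as rundll32. The `build_lnk` helper and the sample shortcut it produces are constructed for this example; the target path and `Documents.dll,Open` argument are illustrative and are not taken from the analysed files.

```python
"""Triage helper for Windows shortcut (.lnk) files carried inside ISO lures.

Parses the ShellLinkHeader and StringData section of the MS-SHLLINK format
with only the standard library and flags shortcuts whose target or arguments
invoke a script host or DLL loader such as rundll32. Example code written for
this article; not part of CISA's MAR.
"""
import re
import struct

# CLSID every shell link carries at offset 4: 00021401-0000-0000-C000-000000000046
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that govern which optional sections follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in exactly this order, each present only if its flag is set
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

# Living-off-the-land binaries a lure shortcut typically launches, plus any DLL reference
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)(\.exe)?\b|\.dll\b",
    re.IGNORECASE,
)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus whichever StringData fields the shortcut carries."""
    if len(data) < 0x4C:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes the size field itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    result = {"flags": flags}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            result[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            result[field] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return result


def lnk_findings(data: bytes) -> list:
    """Names of the StringData fields that reference a LOLBin or a DLL."""
    info = parse_lnk(data)
    return [f for f, _ in STRING_FIELDS if f in info and SUSPICIOUS.search(info[f])]


def build_lnk(relative_path: str, arguments: str, working_dir: str) -> bytes:
    """Construct a minimal Unicode shortcut for testing; not a real campaign sample."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH
             | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\x00")
    id_list = struct.pack("<H", 2) + b"\x00\x00"                # IDList holding only the TerminalID
    link_info = struct.pack("<I", 0x1C).ljust(0x1C, b"\x00")    # minimum-size LinkInfo, skipped by the parser

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header + id_list + link_info
            + string_data(relative_path) + string_data(working_dir) + string_data(arguments))


if __name__ == "__main__":
    # Constructed lure shortcut: target and arguments are illustrative, not from the MAR
    sample = build_lnk(r"..\..\..\Windows\System32\rundll32.exe", "Documents.dll,Open", r"%USERPROFILE%")
    print(parse_lnk(sample))
    print("suspicious fields:", lnk_findings(sample))
```

Run it against every `.lnk` extracted from a suspect ISO (7-Zip or `isoinfo` will list and extract the files without mounting the image); a shortcut whose relative path points at a system binary and whose arguments name a DLL alongside it is worth detonating in a sandbox before anything else.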
Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It bundles several capabilities that complement a threat actor's exploitation efforts, such as a keystroke logger, file injection, and network service scanners. The Cobalt Strike Beacon is the implant placed on a compromised system; it calls back to the attacker's server and checks for additional commands to execute on the compromised system.
CISA and the FBI advised critical infrastructure owners and operators to protect themselves against the ongoing spearphishing campaign by implementing multi-factor authentication (MFA) for every account. While privileged accounts and remote access systems are critical, it is also important to ensure full coverage across SaaS solutions. Organizations must also keep all software up to date, applying patches as soon as they become available. If an organization is unable to update all software shortly after a patch is released, it should prioritize patches for CVEs that are already known to be exploited, CISA said.
Organizations should deploy endpoint detection and response (EDR) tools, which give a high degree of visibility into the security status of endpoints and can be an effective defense against threat actors, CISA said. In addition, critical infrastructure owners and operators should implement a centralized logging application that allows technicians to look for anomalous activity in the network environment, such as new applications running on hosts, out-of-place communication between devices, or unexplained login failures on machines. Centralized logging also aids in troubleshooting applications or equipment in the event of a fault, the agency added.
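Centralized logging only pays off if someone queries it for the three signals the advisory names. The script below is an added example written for this article, not tooling or data from CISA: it runs over a handful of constructed key=value events (process starts, network flows and logon results) and reports executables a host has not run before, workstation-to-workstation traffic on administrative ports, and accounts failing to log on repeatedly. The per-host process baseline, the server list and the port set are assumptions for the example; in practice they come from a quiet-period inventory of the environment.

```python
"""Hunt over centralized logs for the three signals the advisory names: new
applications on hosts, out-of-place host-to-host traffic, and unexplained
login failures. Example code with constructed events; not CISA's tooling."""
import re
from collections import Counter

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events in key=value form (not real telemetry)
SAMPLE_LOGS = """\
ts=2021-05-26T09:00:01Z host=ws-01 type=process image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
ts=2021-05-26T09:03:12Z host=ws-01 type=process image="C:\\Windows\\System32\\rundll32.exe" parent=explorer.exe
ts=2021-05-26T09:03:13Z host=ws-01 type=netflow src_host=ws-01 dst_host=mail-01 dport=443
ts=2021-05-26T09:10:44Z host=ws-01 type=netflow src_host=ws-01 dst_host=ws-02 dport=445
ts=2021-05-26T09:10:45Z host=ws-02 type=logon user=j.doe result=failure
ts=2021-05-26T09:10:46Z host=ws-02 type=logon user=j.doe result=failure
ts=2021-05-26T09:10:47Z host=ws-02 type=logon user=j.doe result=failure
ts=2021-05-26T09:11:00Z host=ws-02 type=logon user=a.smith result=failure
ts=2021-05-26T09:11:05Z host=ws-02 type=logon user=a.smith result=success
ts=2021-05-26T09:15:00Z host=ws-02 type=process image="C:\\Windows\\System32\\notepad.exe"
"""

# Assumed per-host baseline of executables seen during a quiet period (constructed)
BASELINE_IMAGES = {
    "ws-01": {"outlook.exe", "winword.exe", "explorer.exe"},
    "ws-02": {"outlook.exe", "excel.exe", "explorer.exe"},
}
SERVER_HOSTS = {"dc-01", "fs-01", "mail-01"}   # assumed: hosts workstations may legitimately reach
LATERAL_PORTS = {"445", "135", "5985"}         # SMB, RPC endpoint mapper, WinRM


def parse_events(text: str) -> list:
    """Turn key=value lines into dicts, dropping the quotes around quoted values."""
    return [{k: v.strip('"') for k, v in KV.findall(line)}
            for line in text.splitlines() if line.strip()]


def new_process_findings(events, baseline=BASELINE_IMAGES):
    """(host, image) pairs for executables the host has not run before."""
    found = []
    for e in events:
        if e.get("type") != "process":
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()   # basename, case-insensitive
        if image not in baseline.get(e["host"], set()):
            found.append((e["host"], image))
    return found


def lateral_flow_findings(events, servers=SERVER_HOSTS, ports=LATERAL_PORTS):
    """Workstation-to-workstation traffic on admin ports; clients normally talk only to servers."""
    return [(e["src_host"], e["dst_host"], e["dport"]) for e in events
            if e.get("type") == "netflow" and e["src_host"] not in servers
            and e["dst_host"] not in servers and e["dport"] in ports]


def login_failure_findings(events, threshold=3):
    """(host, user, count) for accounts failing to log on at or above the threshold."""
    counts = Counter((e["host"], e["user"]) for e in events
                     if e.get("type") == "logon" and e.get("result") == "failure")
    return [(h, u, n) for (h, u), n in counts.items() if n >= threshold]


def hunt(text: str) -> dict:
    """Run all three checks over a block of log lines."""
    events = parse_events(text)
    return {"new_process": new_process_findings(events),
            "lateral_flow": lateral_flow_findings(events),
            "login_failures": login_failure_findings(events)}


if __name__ == "__main__":
    for signal, hits in hunt(SAMPLE_LOGS).items():
        print(signal, hits)
```

On the sample the rundll32.exe start on ws-01, the SMB connection from ws-01 to ws-02 a few minutes later, and the three failed logons for j.doe on ws-02 surface together, which is exactly the sequence a loader followed by lateral movement would leave; the same three functions can be pointed at a SIEM export in the same key=value shape.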
The security agencies also asked critical infrastructure owners and operators to implement a user training program, including simulated spearphishing attacks, to discourage users from visiting malicious websites or opening malicious attachments and to reinforce appropriate user responses to spearphishing emails.
CISA and the FBI also recommended that organizations deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools and protect themselves from the ongoing spearphishing campaign.
In addition, they must implement unauthorized execution prevention by disabling macro scripts in Microsoft Office files transmitted via email, and consider opening such files with Office Viewer software instead of the full Microsoft Office suite applications. They must also configure and maintain user and administrative accounts under a strong account management policy, and remove default accounts if they are not required.
The Microsoft Threat Intelligence Center (MSTIC) last week detected a wide-scale malicious email campaign operated by Nobelium, the threat actor behind the SolarWinds compromise and the Sunburst backdoor, Teardrop malware, GoldMax malware, and other related components. The campaign, which Microsoft has observed and tracked since January this year, evolved over a series of waves, demonstrating significant experimentation.
On May 25, the campaign escalated as Nobelium leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.
“Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating to help the industry understand and protect from this latest activity,” the software giant said.
Volexity also identified last week a phishing campaign targeting NGOs, research institutions, government agencies, and international agencies based in the United States and Europe.
“The campaign’s phishing e-mails purported to originate from the USAID government agency and contained a malicious link that resulted in an ISO file being delivered. This file contained a malicious LNK file, a malicious DLL file, and a legitimate lure referencing foreign threats to the 2020 US Federal Elections,” Volexity said in a blog post.
While Volexity cannot say with certainty who is behind these attacks, it believes the activity has the earmarks of a known threat actor it has dealt with on several previous occasions. Several attributes are consistent with tactics previously used by APT29: the use of an archive file format containing an LNK file to deliver the initial payload, a US election-themed lure document sent from a spoofed US government source address, deployment of Cobalt Strike with a custom malleable profile as the initial payload, and the relatively widespread nature of the campaign, with many targets receiving the same spearphishing content at the same time.
Hackers of the Russian Foreign Intelligence Service (SVR), also known as APT29, Cozy Bear, and The Dukes, used publicly known vulnerabilities to conduct widespread scanning and exploitation of vulnerable systems in order to obtain authentication credentials that allow further access, the U.S. government said in April. The targeting and exploitation centered on U.S. and allied networks, including national security and government-related systems.