Cybersecurity weather forecast – 2nd quarter 2021
Incident figures from the POST CyberForce CSIRT indicate that the number of incidents fell month on month. This decrease was due to the drop in the number of phishing campaigns during the period. Despite this decline, phishing campaigns still represent the majority of incidents, accounting for almost 50% of incidents recorded by the POST CSIRT.
We have seen a significant decrease in the number of bulk phishing campaigns, i.e. with no particular target. However, this is offset by more targeted campaigns (spearphishing).
Here is a list of stolen credentials and attackers’ targets:
- Target: POST Webmail (pt.lu) and MyPost; stolen: webmail credentials and personal data
- Target: Microsoft Cloud; stolen: Microsoft login details
- Target: LuxTrust and DHL; stolen: credit card details and token numbers
In addition, we have seen increasing use of new techniques to extend the lifetime of campaigns and make them harder to combat. Cybercriminals are no longer hesitant about using evasion techniques for phishing.
Such techniques include serving the malicious content only to visitors from the targeted geographic area, selected by IP address alone or by a combination of IP address, time stamp and a fingerprint generated automatically from the victim's browser (User-Agent, language, screen size and similar details).
Because of this IP-based filtering, when a URL is reported to the POST CyberForce CSIRT, analysts who fetch it from outside the targeted range see only an advert with no relation to the attack, a blank page or a 404 error message.
In this way cybercriminals hide their activity from defenders and from automated threat-intelligence tools, and a phishing page that URL scanners classify as harmless stays online longer.
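The cloaking behaviour described above can be made visible by fetching a reported URL with more than one request profile and comparing what comes back. The script below is an added example, not POST CSIRT tooling: it requests the same URL once as a victim-looking browser (Windows, Chrome, French/Luxembourg language preference) and once as an obvious scanner, normalises the two bodies so that session tokens do not cause false differences, and reports whether the responses diverge and whether either of them contains a password field. The request profiles, the normalisation rules and the `classify` / `check_url` function names are assumptions made for this example.

```python
"""Check whether a reported phishing URL is cloaked.

Added example (not POST CSIRT tooling). Fetches the same URL with several
request profiles and compares the normalised bodies: a kit that serves the
credential form only to the intended victims answers a scanner with a 404, a
blank page or an unrelated advert. The profiles below are constructed.
"""
import hashlib
import re
import ssl
import urllib.error
import urllib.request

# Two vantage points: a victim-looking browser in Luxembourg and an obvious scanner.
PROFILES = {
    "victim_browser": {
        "User-Agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"),
        "Accept-Language": "fr-LU,fr;q=0.9,de;q=0.8,en;q=0.7",
        "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
    },
    "scanner": {"User-Agent": "python-urllib/3", "Accept": "*/*"},
}

# A password input is the clearest sign that a profile received the "real" page.
PASSWORD_FIELD = re.compile(rb"<input[^>]+type=[\"']?password", re.I)


def fetch(url, headers, timeout=10):
    """Return (status, body). HTTP errors keep their code; network errors become (0, b'')."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read() or b""
    except (urllib.error.URLError, OSError):
        return 0, b""


def normalise(body):
    """Collapse whitespace and blank out long hex tokens (CSRF/session ids) before hashing."""
    text = re.sub(rb"\s+", b" ", body)
    text = re.sub(rb"[0-9a-f]{16,}", b"<hex>", text, flags=re.I)
    return text.strip()


def classify(results):
    """results: {profile: (status, body)}. Report evidence of cloaking across profiles."""
    statuses = {p: s for p, (s, _) in results.items()}
    digests = {p: hashlib.sha256(normalise(b)).hexdigest() for p, (_, b) in results.items()}
    has_form = {p: bool(PASSWORD_FIELD.search(b)) for p, (_, b) in results.items()}
    bodies_differ = len(set(digests.values())) > 1
    # Cloaked: the profiles got different content, and at least one of them saw a
    # login form or a different HTTP status (404/blank page for the scanner).
    cloaked = bodies_differ and (any(has_form.values()) or len(set(statuses.values())) > 1)
    return {"cloaked": cloaked, "status": statuses, "password_form": has_form, "sha256": digests}


def check_url(url):
    """Fetch url once per profile and classify the results."""
    return classify({name: fetch(url, hdrs) for name, hdrs in PROFILES.items()})


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(check_url(sys.argv[1]), indent=2))
```

Two caveats when using this against a live report. IP-based cloaking cannot be defeated by headers alone: the "victim" fetch has to originate from an address in the targeted range, for example a Luxembourg consumer or mobile connection, or a proxy configured through `HTTP_PROXY`/`HTTPS_PROXY` (which urllib honours). And fetching a kit from analysis infrastructure tells the operator that the URL has been noticed, so run it from disposable, isolated egress and record the responses for the takedown request.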
- Google LLC (=)
- Cloudflare Inc (+1)
- Bitly Inc (+4)
- DigitalOcean LLC (+1)
- Online SAS (-1)
- Microsoft Corporation (+3)
- A100 ROW GmbH (-3)
- Namecheap Inc. (New)
- Weebly Inc. (New)
- OVH SAS (-2)
Here are some examples of phishing screenshots to help you recognise them. We make such screenshots available whenever an incident occurs. Follow us on our Twitter account https://twitter.com/CsirtPOST
During the period, thousands of fraudulent calls were received in Luxembourg from groups impersonating Microsoft. Such vishing (voice phishing) calls accounted for a significant number of incidents over the relevant timeframe.
The caller IDs appeared to come from various countries (Spain, the United Kingdom, etc.) but were in fact spoofed; the callers were confirmed to be operating from India. Typically, the callers took a Luxembourg number prefix and appended digits at random until they reached a number that was in service.
When a victim answered, the caller walked them through a procedure that opened Windows Event Viewer, then trawled through it until they found routine warnings and errors, taking care that the victim did not understand what the entries meant. Several different speakers came on the line over the course of the call as it moved from one stage to the next.
Using the Event Viewer entries to convince the victim that their Windows system was infected, the caller then persuaded them to install two programs, presented as security solutions, to clean it up:
- UltraViewer
- TeamViewer
Both are legitimate remote-control tools; once installed, they gave the callers full remote control of the victim's computer.
Finally, with both programs installed, the third and last step was to have the victim log into their online banking and make a EUR 10 transfer, presented as an activation fee for the "security solution". The real aim was to watch the banking session through the remote-control tool, capture the victim's banking credentials and use them to make transfers of the callers' own.
The scam relies entirely on social engineering: no vulnerability is exploited, and the victim installs the remote-control tools and logs into their bank themselves. Companies can reduce their exposure in two ways: large-scale awareness campaigns so that staff recognise the pattern (unsolicited "Microsoft" calls, Event Viewer as "proof" of infection, a small payment to activate a fix), and restricting software installation rights so that ordinary users cannot install arbitrary programs such as remote-access tools.
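On the detection side, the scam leaves a recognisable trace in process-creation telemetry: two different remote-access tools launched minutes apart, from a user's Downloads folder, with a browser as parent process. The script below is an added example, not POST CSIRT tooling. It runs over JSON lines shaped like Sysmon Event ID 1 (or Security event 4688) records, flags executables belonging to remote-access tool families, and rates each hit by whether it looks user-driven (user-writable path, spawned by a browser, interactive user) and whether two different tools appeared on the same host. The sample events, the tool family list and the `detect` / `tool_family` function names are constructed for this example.

```python
"""Flag remote-access tools launched on workstations, as in the Microsoft
impersonation scam described above.

Added example (not POST CSIRT tooling). Input: JSON lines shaped like Sysmon
Event ID 1 / Security 4688 process-creation records, e.g. exported with
Get-WinEvent. The sample records and the tool list are constructed.
"""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Families named on the page (UltraViewer, TeamViewer) plus common siblings; assumption.
TOOL_FAMILIES = ("ultraviewer", "teamviewer", "anydesk", "supremo")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Constructed sample: WS01 matches the scam playbook, WS02 is a managed service start,
# WS03 is an unrelated process.
SAMPLE_EVENTS = r"""
{"ts":"2021-04-20T10:02:11Z","host":"WS01","user":"CORP\\jdupont","Image":"C:\\Users\\jdupont\\Downloads\\UltraViewer_setup.exe","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts":"2021-04-20T10:03:40Z","host":"WS01","user":"CORP\\jdupont","Image":"C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe","ParentImage":"C:\\Users\\jdupont\\Downloads\\UltraViewer_setup.exe"}
{"ts":"2021-04-20T10:09:05Z","host":"WS01","user":"CORP\\jdupont","Image":"C:\\Users\\jdupont\\Downloads\\TeamViewer_Setup.exe","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts":"2021-04-20T07:00:02Z","host":"WS02","user":"NT AUTHORITY\\SYSTEM","Image":"C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe","ParentImage":"C:\\Windows\\System32\\services.exe"}
{"ts":"2021-04-20T11:15:00Z","host":"WS03","user":"CORP\\mschmit","Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe"}
"""


def tool_family(image):
    """Return the remote-access family an image path belongs to, or None."""
    name = PureWindowsPath(image).name.lower()
    for family in TOOL_FAMILIES:
        if name.startswith(family):
            return family
    return None


def indicators(ev):
    """Reasons an event looks like a user-driven install rather than a managed one."""
    reasons = []
    image = ev["Image"].lower()
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    if any(token in image for token in USER_WRITABLE):
        reasons.append("run from user-writable path")
    if parent in BROWSERS:
        reasons.append("spawned by browser (" + parent + ")")
    if ev.get("user", "").upper() != SYSTEM_ACCOUNT:
        reasons.append("interactive user context")
    return reasons


def detect(jsonl=SAMPLE_EVENTS):
    """Return one alert per remote-access tool launch, rated low/medium/high."""
    alerts = []
    families_per_host = defaultdict(set)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        family = tool_family(ev["Image"])
        if family is None:
            continue
        families_per_host[ev["host"]].add(family)
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                       "tool": family, "image": ev["Image"], "reasons": indicators(ev)})
    for alert in alerts:
        two_tools = len(families_per_host[alert["host"]]) >= 2
        if two_tools and alert["reasons"]:
            alert["severity"] = "high"    # two different tools, user-driven: the scam playbook
        elif alert["reasons"]:
            alert["severity"] = "medium"
        else:
            alert["severity"] = "low"     # e.g. a managed TeamViewer service starting under SYSTEM
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert["severity"], alert["host"], alert["tool"], alert["reasons"])
```

The "low" rating for the SYSTEM-launched service matters: many organisations run TeamViewer legitimately, so the signal is not the tool itself but an interactive user pulling it from a browser download and then adding a second one. The preventive control the text recommends, restricting installation rights, can be enforced with AppLocker or Windows Defender Application Control rules that deny execution from user-writable paths, which would have blocked the first event on WS01 outright.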
Ransomware and leaks
On the ransomware side, we saw significant activity from groups such as Conti during the period. Conti practises double extortion: company data is exfiltrated before the systems are encrypted and is published on the group's leak site if the ransom is not paid.
These groups constantly scan for exposed, exploitable vulnerabilities on internet-facing systems to obtain their initial access.
Their activity is a reminder of how important it is to patch the most exposed systems (VPN gateways, mail servers, remote desktop services) as soon as fixes become available.
We observed a few instances of malware use during the period, such as the spread of Agent Tesla.
Agent Tesla is a commodity information stealer with keylogging capability. It harvests saved credentials from a wide range of browsers, e-mail clients and FTP clients, collects data from registry keys and the clipboard, takes screenshots and can capture webcam video, and sends what it gathers back to the operator, typically over SMTP or FTP.
We observed a few DDoS attacks over the period, with a peak volume of 7.8 Gbps on our network. The techniques used were:
- NTP amplification (two identified attacks)
- Abnormal volumes of ICMP requests
The number of large-scale DDoS attacks is still relatively low thanks to the anti-DDoS solutions provided by POST Telecom.
The quarter saw the publication of a zero-day vulnerability in Pulse Connect Secure VPN appliances, CVE-2021-22893, an authentication bypass that was being exploited in the wild before a patch was available. It has been implicated in several incidents where a vulnerable appliance was the entry point into the network, as FireEye describes in its blog post on the campaign.
Because it was actively exploited, this vulnerability appears in the list of the most routinely exploited vulnerabilities published in 2021 by the FBI together with CISA, alongside the Microsoft Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).
The POST CyberForce CSIRT has identified several customers whose exposed Pulse Connect Secure appliances were left vulnerable and strongly advises anyone who has not yet done so to apply the patches published by Pulse Secure. Patching alone does not remove an attacker who is already present: also run the vendor's integrity checker tool on the appliance and treat any unexpected file as a sign of compromise.
During the period there were several intrusions resulting from successful phishing campaigns, and others where an attacker initially gained access with a so-called dictionary attack against a login interface.
When a victim enters their credentials on a phishing page built for a particular target, the attacker can use those credentials to log into the application or system in question and carry out further activity from there.
The objectives identified during the period following a successful intrusion were fraud and data exfiltration.
In the context of phishing, the POST CyberForce CSIRT recommends checking, before entering any credentials, that the actual destination of the link (shown on hover or long-press) matches the sender's identity and the wording of the e-mail or SMS, and being suspicious of any message that creates urgency.
In the "dictionary attacks" we observed, the dictionary was a list of credentials leaked from other services, so the attack is more precisely credential stuffing: it only succeeds when the same credentials are used on more than one application. If one application suffers a data leak and the credentials fall into the hands of malicious actors, they can be replayed against other applications or systems, especially when the victim uses the same or similar passwords on the systems the attackers target.
That is why it is important to use a unique password for each application or system wherever possible, and to enable multi-factor authentication on anything reachable from the internet, since a replayed password alone is then not enough to log in.
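Credential stuffing and its cousin, password spraying, both show up clearly in authentication logs once failures are counted the right way: one account failing from many source IPs within a short window, or one source IP failing against many accounts. The script below is an added example, not POST CSIRT tooling. It reduces a log to JSON lines with a timestamp, user, source IP and result, runs a sliding window over the failures for both patterns, and reports any successful login on an account that was being stuffed, which is the "reused password" case the text describes. The sample log, the 15-minute window and the threshold of four distinct values are constructed assumptions.

```python
"""Detect credential stuffing and password spraying in authentication logs.

Added example (not POST CSIRT tooling). Input: JSON lines with ts, user,
src_ip and result ("success"/"failure"), the shape most web or SSO logs can be
reduced to. The sample log and the thresholds are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
{"ts":"2021-05-12T08:00:01Z","user":"alice","src_ip":"203.0.113.10","result":"failure"}
{"ts":"2021-05-12T08:00:02Z","user":"alice","src_ip":"198.51.100.7","result":"failure"}
{"ts":"2021-05-12T08:00:03Z","user":"alice","src_ip":"192.0.2.44","result":"failure"}
{"ts":"2021-05-12T08:00:04Z","user":"alice","src_ip":"203.0.113.77","result":"failure"}
{"ts":"2021-05-12T08:00:05Z","user":"alice","src_ip":"198.51.100.99","result":"success"}
{"ts":"2021-05-12T08:10:00Z","user":"bob","src_ip":"203.0.113.5","result":"failure"}
{"ts":"2021-05-12T08:10:01Z","user":"carol","src_ip":"203.0.113.5","result":"failure"}
{"ts":"2021-05-12T08:10:02Z","user":"dave","src_ip":"203.0.113.5","result":"failure"}
{"ts":"2021-05-12T08:10:03Z","user":"erin","src_ip":"203.0.113.5","result":"failure"}
{"ts":"2021-05-12T09:00:00Z","user":"frank","src_ip":"10.0.0.8","result":"failure"}
{"ts":"2021-05-12T09:00:30Z","user":"frank","src_ip":"10.0.0.8","result":"success"}
"""

WINDOW = timedelta(minutes=15)   # assumption: sliding window for both patterns
MIN_DISTINCT = 4                 # assumption: distinct IPs per account / accounts per IP


def parse(log_text):
    """Parse JSON lines into dicts with a datetime ts, sorted chronologically."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def distinct_in_window(events, key, value):
    """For each failure, count distinct `value`s seen for the same `key` within WINDOW.

    key="user", value="src_ip": one account hit from many IPs (credential stuffing).
    key="src_ip", value="user": one IP trying many accounts (password spraying).
    """
    recent = defaultdict(deque)
    findings = {}
    for ev in events:
        if ev["result"] != "failure":
            continue
        q = recent[ev[key]]
        q.append((ev["ts"], ev[value]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= MIN_DISTINCT:
            findings[ev[key]] = sorted(distinct)
    return findings


def detect(log_text=SAMPLE_LOG):
    """Return stuffed accounts, spraying IPs, and successes on stuffed accounts."""
    events = parse(log_text)
    stuffing = distinct_in_window(events, "user", "src_ip")
    spray = distinct_in_window(events, "src_ip", "user")
    # A success on an account that was being stuffed is the reused-password case:
    # the leaked credential worked here too.
    compromised = [(ev["user"], ev["src_ip"]) for ev in events
                   if ev["result"] == "success" and ev["user"] in stuffing]
    return {"credential_stuffing": stuffing, "password_spray": spray,
            "likely_compromised": compromised}


if __name__ == "__main__":
    for name, hits in detect().items():
        print(name, hits)
```

Note what the sample does not flag: frank's single failure followed by a success from the same IP is an ordinary typo, and the thresholds are deliberately per-key so that a busy NAT address with a few failures across many users is not mistaken for spraying until it crosses the same bar. Tune `WINDOW` and `MIN_DISTINCT` against a week of your own logs before alerting on them.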
Have you experienced an intrusion, security incident or cyber attack? If you want to understand the circumstances that led to your incident, contact the POST CyberForce CSIRT. Our experts will support you and provide the assistance you need in relation to your security incident.