It is common for attackers to use widely-covered news events to get people to click on malicious emails and links, and cybersecurity firm INKY said it recently received multiple helpdesk emails about curious emails their customers were receiving.
INKY customers reported receiving emails that discuss the ransomware attack on Colonial Pipeline and ask them to download “ransomware system updates” in order to protect their organization from a similar fate.
The malicious links take users to websites with convincing names — ms-sysupdate.com and selectivepatch.com — both of which are newly created and registered with NameCheap. The same domain that sent the emails also controlled the links, INKY explained in a blog post.
The people behind the attack were able to make the fake websites look even more convincing by designing them with the logo and images from the target company. A download button on the page downloads a “Cobalt Strike” file onto the user’s computer called “Ransomware_Update.exe.”
In March, Red Canary’s 2021 Threat Detection Report listed “Cobalt Strike” as the second most frequently detected threat and the INKY report notes that Talos Intelligence found it was involved in 66% of all ransomware attacks in Q4 of 2020.
Bukar Alibe, data analyst for INKY, said they began to see the phishing attack just a few weeks after news broke that the pipeline paid millions to the DarkSide ransomware group in order to restore the company’s systems.
“In this environment, phishers tried to exploit people’s anxiety, offering them a software update that would ‘fix’ the problem via a highly targeted email that used design language that could plausibly be the recipient’s company’s own,” Alibe wrote. “All the recipient had to do was click the big blue button, and the malware would be injected.”
In addition to capitalizing on the fear around ransomware, the attackers made the emails and fake website look like it came from the user’s own company, giving them an air of legitimacy, Alibe added.
The attackers were also able to get past many phishing systems by using new domains.
“If it looks as if it was sent by the company itself (e.g., from HR, IT or Finance), does it in fact originate from an email server under the company’s control? If it looks like the HR or IT Departments but deviates from the norm, that should be a flag,” the blog post said.
Alibe urged IT teams to notify employees that they will “not be asked to download certain file types” because these kinds of phishing emails seek to exploit employees desire to do the right thing by following purported security guidelines. Alibe noted that the attack was targeted toward two companies and said IT teams should expect more attacks along the same lines.
“We would not be surprised if we see attackers use the recent Nobelium-USAID phishing campaign as a lure,” Alibe said.