Cybereason's Nocturnus research team published a report on how it has been tracking an APT group by the name of Molerats. Also known as the 'Gaza Cyber Gang' this threat actor is known for espionage campaigns, the latest a highly targeted one against a specific group of people in the West Bank and Gaza Strip.
In and of itself that's not big news, such campaigns happen all the time. You might think that the campaign to infect victims with the Spark malware, and a previously undocumented backdoor named as Pierogi, is equally so-so; it uses the social engineering lure of geopolitical events. After all, if you want to target people in the Palestinian territories, then emails pertaining to the Trump peace plan or the killing of Qasem Soleimani are likely to grab their attention.
If, as someone tasked with defending an enterprise in the UK from a myriad of cyber-threats, you are not interested in this story then you are missing the bigger picture: social engineering lures are one of the biggest threats to your security strategy and your business. Global event media coverage is used by threat actors right across the cyber-crime spectrum, from those espionage-motivated APTs to low-level back-bedroom chancers, to bait the email phishing campaigns that oh so often signal the start of an attack.
Take, for example, the Emotet group which has been using the understandable interest in the Coronavirus outbreak to spread malware. The emails purport to come from official public health organisations and supposedly contain advice to prevent the spread of the disease.
Actually, they contain malicious Word documents designed to spread a different kind of infection. "Organisations that have concerns around global shipping should exercise extra caution around Coronavirus-themed emails," Sherrod deGrippo, senior director of threat research and detection at Proofpoint, warns, "people and organisations broadly should be exercising extreme caution around any emails, links or websites related to Coronavirus because of the demonstrated, increased risk that attackers will seek to use concerns around it as lures."
Ed Williams, director (EMEA) of SpiderLabs at Trustwave, knows all about using lures to gain a foothold within enterprise networks. "When we launch successful phishing exercises during red teaming," he told SC Media UK, "we try to rush the end-user through a deadline or depict a scenario where if they don't act quickly something bad will happen, which is why geo-political events are so popular and I would argue so successful." It should come as no surprise that criminals will exploit the general kindness of others, and such lures "play on human emotions, which can be a very powerful, and often difficult to resist force," Williams says.
It's not just news that is already in the global eye, Jens Monrad, head of threat intelligence (EMEA) for FireEye says, that are used in such lures. Threat actors will also use "falsified information with the aim of driving a specific narrative," as witnessed by FireEye in certain attack campaigns. And, Monrad warns, it's not just email being used as the delivery mechanism either. "While there is a continuous stream of lures sent by email, I also want to highlight the use of social media platforms like LinkedIn," he says, "the use of social media platforms could allow a threat actor to engage with a victim outside the usually applied security controls we assume most organisations have today."
The 2019 Verizon Data Breach Incident Report reckoned that phishing was involved in 78 percent of cyber-espionage incidents and 32 percent of confirmed breaches. "We’ve also observed phishing attacks that leverage SMS messages, messaging apps, and social media apps; beyond the typical purview of email-based phishing," says Tom Davison, technical director (EMEA) at Lookout.
Just as you wouldn’t protect an endpoint device from ransomware with user education alone, he told SC Media UK, mobile threat defence is a critical mitigation from targeted attacks. "Security on mobile devices may be even more important given the extra complexity in identifying phishing attacks on a smaller screen," he warns, "our data shows that over 56 percent of mobile users have clicked through a phishing link received on mobile."
To mitigate against this kind of enterprise attack methodology, the topic of any phishing campaign is largely irrelevant, Martin Jartelius, CSO at Outpost24, says. "The simple fact that a user interacts with a campaign does not constitute a failure, it’s when a user surrenders their information or have their system compromised," Jartelius continues, "training for awareness, hardening of endpoints to decrease consequence and in depth defence strategies are still the best solutions. If you have nothing like this in place – start there. If this is in place, you need not worry regarding this threat."
Alyn Hockey, VP of product management at Clearswift, adds that 'phishing testing' is also effective and vital, as long as it's done regularly and not on a one-off basis. "People have become indoctrinated to click even if it’s not relevant and need to break that habit," he says.
"Organisations can’t rely solely on human behaviour to protect their networks and data," Yaniv Hoffman, VP of technologies at Radware, says, "they must practice a zero trust approach to help secure access from users, end-user devices, APIs, IoT devices, microservices, containers, and more."
Sometimes the simplest advice is the most effective, as Francis Gaffney, director of threat intelligence at Mimecast explains by recommending that users are advised "to search and visit official sites with credible URLs such as .gov departments, and never open an unsolicited email correspondence encouraging you to follow the link provided." Indeed, establishing a "security culture that’s tolerant of incorrect clicks," is key, according to Oz Alashe, CEO of CybSafe, who adds "accidentally clicking something isn’t so bad so long as users report it; if no one knows, nothing can be done."
For more simple but solid guidance, it's worth visiting the National Cyber Security Centre advice for dealing with 'suspicious' emails.