Gallery

An extremely skilled group of hackers-for-hire dubbed “Bahamut” is using sophisticated social engineering tactics against a range of targets around the world, researchers at BlackBerry have found. The group has refined its tactics over time, and it adapts every time a security firm publishes research on its activities.

“BlackBerry assesses that BAHAMUT’s phishing and credential harvesting tradecraft is significantly better than the majority of other publicly known APT groups,” BlackBerry says. “This is principally due to the group’s speed, their dedication to single-use and highly compartmentalized infrastructure, and their ability to adapt and change, particularly when their phishing tools are exposed.”

The group now uses a streamlined framework for phishing that makes it very difficult to block these attacks.

“While monitoring BAHAMUT’s operations over the past year, BlackBerry watched new phishing infrastructure spring up weekly,” the researchers write. “Just as other researchers previously observed, many of these highly targeted spear-phishing operations lasted anywhere from a few hours to a few months, depending on the domain and success rates. This embrace of ever-fleeting infrastructure makes real-time detection all but impossible. Catching a window that is open only for a few hours on infrastructure that is constantly changing requires resources and luck that few network defenders, much less individual targets, could ever hope to possess.”

The group also does extensive research on its targets, and in some cases has used fake social media profiles to build trust with their victims. Notably, the researchers found that the hackers often knew the target’s personal email address, and avoided sending phishing emails to the victim’s corporate or government address.

“Throughout our analysis of their phishing behavior, BlackBerry observed that BAHAMUT was generally in possession of a great deal of information about their targets prior to phishing them,” they write. “This was clearly the result of a concerted and robust reconnaissance operation.”

BlackBerry concludes that Bahamut’s patience, attention to detail, and commitment to operational security puts them far above most threat actors.

“In sum, BlackBerry finds BAHAMUT to be well above average in its social engineering,” the researchers write. “The group has truly impressive operational security that enables them to continue to attack despite numerous, repeated attempts to expose their operations.”

New-school security awareness training can help your employees defend themselves against targeted social engineering attacks.

Inexperienced cybercriminals can easily find places to buy phishing kits in the open, on the “surface web” (as opposed to the deep or dark web), according to Jan Kopriva at the SANS Internet Storm Center. Kopriva set out to see how many of these kits he could find for sale on popular websites, and was able to find more than a hundred on YouTube alone after a single search. These YouTube videos offered demonstrations of the phishing kits’ functionality and pointed users to where they could purchase the kits.

“Of the 104 kits, 18 were offered free of charge (and at least one of these was backdoored – this wasn’t mentioned in the video description so it was probably intended as a surprise bonus feature),” Kopriva writes. “For 76 of them, price was available by e-mail/ICQ/Telegram/Facebook only and the 10 remaining ones ranged in price from $10 to $100. The 86 ‘commercial’ phishing kits were offered by 21 sellers, with the most prolific one of them being responsible for 22 different scam pages.”

The kits spoofed a wide range of services, with Office 365, PayPal, Amazon, and Netflix appearing most frequently. Each of the offerings contained various functionalities, and some included tutorials for new scammers.

“Some of the videos were offering e-mail templates, access to complex phishing platforms, or tutorials in addition to the scam pages themselves, either as part of a bundle with specific phishing kit or at a premium,” Kopriva says. “Similar selection of additional tools and other materials was available on external e-commerce platforms, where some the kits shown off in the videos were sold.”

Kopriva’s research demonstrates how easy it’s become for aspiring criminals to launch effective phishing attacks with minimal technical skills. New-school security awareness training can enable your employees to identify and thwart these types of attacks.

It may be time for organizations to stop paying the ransom when they sustain a ransomware attack, according to Caleb Barlow, CEO of CynergisTek. On the CyberWire’s Hacking Humans podcast, Barlow discussed the recent tragic case of a woman in Germany who died after the nearest hospital sustained a ransomware attack, forcing her ambulance to divert to another hospital twenty miles away. While the crooks in that case stopped the attack after being informed that they’d hit a hospital, Barlow said criminals will continue evolving their tactics and targeting critical systems to extract a ransom.

Late last year, for example, ransomware gangs began exfiltrating victims’ data before triggering the ransomware. This allows them to demand a ransom in exchange for not publishing the data, so the victim will be pressured to pay even if they’re able to restore from backups.

Barlow thinks the next evolution will be criminals targeting the integrity of data, in addition to availability and confidentiality. In the case of a hospital, this could have life-threatening implications.

“This is just going to continue to get worse,” Barlow said. “And what I keep cautioning people on is the new thing to worry about isn’t that they lock up your data, it’s not that they release your data – it’s that they change your data. And I don’t think most security systems are monitoring what appears to be legitimate access to data if somebody changed it. That’s the thing we really need to prevent against. And there are ways to prevent this….Imagine if I change data in the supply chain. Imagine if I change data in a healthcare record. All of a sudden, I break all of the trust in that system. I don’t have to change all of the data. I just have to show I can change one record, and no one can trust any of the data.”

Barlow said the increasing sophistication and damage caused by these attacks has changed his opinion on paying the ransom.

“When this first started, these ransomware demands were like $500,” he said. “And I would tell clients all the time, look, you know, law enforcement’s going to recommend you don’t pay it. It’s five-hundred bucks. Pay it. Move on. It’s just – you know, worst-case scenario, you’re losing five-hundred bucks. And I was saying the same thing when it was $10,000. And you would occasionally find me saying the same thing when it was $100,000. Well, now it’s in the millions. Now these are real numbers.”

Even more importantly, he added, these attacks are growing more dangerous.

“But what we also have to realize now is there’s kinetic implications,” Barlow said. “And this is becoming rampant. This isn’t an occasional issue. This is going to happen to everybody. The only way to stop this – and I’m a firm believer in the way to stop cybercrime is to change the economics for the bad guys. Well, unfortunately, the only way to change the economics for the bad guys is to forbid paying a ransom.”

Ideally, however, organizations should endeavor to prevent these attacks in the first place. New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize phishing attacks and follow security best practices.

The latest data from analyst firm IDC shows massive growth in the remote workforce in the coming years – something that puts organizations at greater risk for a cyberattack.

Everyone already knows that a material percentage of today’s workforce is doing so remotely as a result of COVID-19. But the projections found in IDC’s U.S. Mobile Worker Population Forecast, 2020–2024 paint a picture that, if not properly addressed proactively, will be a cybercriminal’s paradise.

According to the research, the number of mobile workers will increase from 78.5 million in 2020 to 93.5 million in the US in 2024 – an increase of nearly 20%. IDC breaks down the mobile workforce into two distinct categories:

• Information Mobile Worker – these are typically those people working from a single location using a specific endpoint to access data, content and applications. Examples of IM workers include programmers, analysts, marketers, accountants and lawyers.
• Frontline Mobile Workers – the users in this group are typically client-facing and distributed and can be working on a number of devices. Examples of these workers include nurses, store associates, and field technicians.

The challenge with growth in either group is two-fold. First, they’re not ready, as indicated by the lack of good password hygiene, the lack of preparation for cyberattack. Second, they’re already under attack, as indicated by the amount of malicious content they interact with in email and on the web already and nearly two-thirds of them have already had a credential compromised.

Taking your workforce mobile/remote is an idea whose time has come. It’s just necessary that organizations put proper Security Awareness Training in place to ensure their mobile workforce understands the cyber-minefield they’re embarking into, the increased need for them to help protect the organization when mobile, and to always be vigilant when using corporate devices, applications, or data.