Stay Updated with Threatcop Intelligence

Greetings!

Welcome to this week's edition of the Threatcop Weekly. We have several important updates and insights for you.

Iranian State-Sponsored Hackers Deploy Sophisticated Phishing Against US Political Targets

  • The Iranian state-sponsored group "GreenCharlie," whose activity overlaps with APT groups such as Mint Sandstorm and Charming Kitten, is the actor behind this campaign.
  • GreenCharlie uses spear-phishing, dynamic DNS (DDNS) providers, and domains mimicking legitimate services to enhance phishing attacks.
  • Attacks on U.S. political campaigns and government organizations are the primary focus, with the aim of stealing sensitive information for disruptive purposes.
  • Social Engineering: The group employs spoofed domains, fake webinars, and extended email conversations to build trust before delivering malicious payloads.
  • With the 2024 federal elections approaching, these attacks underscore the threat to election security, even targeting local campaigns.
  • CISOs should anticipate an increase in similar activity as the election season intensifies, which underscores the need for ongoing security awareness training.

AI-Enhanced Phishing Campaign Exploits Microsoft Dynamics 365 to Infiltrate US Government Contractors

  • Threat actors impersonate U.S. government agencies to send fake tender invite emails to hundreds of American enterprises.
  • The campaign begins with an email allegedly from the General Services Administration (GSA), appearing as an official procurement notice from the U.S. Department of Energy, inviting recipients to bid as subcontractors.
  • Users who click the link are redirected to a spoofed GSA page with a domain mimicking the legitimate GSA site (gsa-gov-dol-procurement-notice(.)procure-rfq(.)online).
  • The phishing site includes a pop-up guiding users through registration for the RFQ, leading them to enter their email and authenticate their identity.
  • Attackers use a CAPTCHA page to evade detection and prevent automated security tools from accessing the credential harvesting page.
  • The campaign abuses the domain dyn365mktg.com, linked to Microsoft’s Dynamics 365 Marketing platform, allowing phishing emails to bypass security checks due to inherent trust in Microsoft domains.

Phishers Ramp Up Attacks with URL Rewriting Tactics

  • Attackers are now exploiting URL rewriting, an email security feature in which the vendor replaces each link in an incoming message with its own scanning link.
  • Because the rewritten link carries the security vendor's domain and passed the vendor's scan at delivery time, attackers use it to bypass phishing protections.
  • Vendors replace the original URLs with modified links and scan the destination for threats before allowing access.
  • Compromised legitimate email accounts send "clean-now-phishing-later" URLs, which gain legitimacy after being rewritten by security vendors.
  • Once whitelisted, attackers modify these URLs to redirect users to phishing sites, bypassing further security checks.
  • CAPTCHA evasion and geo-fencing are used to avoid detection.
  • This method exploits users' trust in security brands, making even cautious employees more likely to click on malicious links.
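The lookalike domain in the GSA story and the "clean-now-phishing-later" tactic above both come down to the same defender-side question: where does this link actually land right now, and who registered that name? The following Python is an added example written for this newsletter, not code from Threatcop or from any vendor mentioned. It extracts the registrable domain from a hostname, flags brand tokens (gsa, gov, procurement, microsoft) that appear in a name nobody trusted registered, and re-walks a rewritten link's redirect chain at click time, blocking it when the destination differs from what was seen at scan time. The trusted-domain allowlist, the brand-token list, the tiny public-suffix set and the redirect maps are all constructed assumptions; the one real value is the defanged phishing domain quoted in the GSA story.

```python
from urllib.parse import urlsplit

# Registrable domains the organisation treats as genuinely owned by the brand
# (assumption for this example; in production this comes from policy).
TRUSTED_DOMAINS = {"gsa.gov", "energy.gov", "microsoft.com"}

# Brand words whose presence in an *untrusted* hostname is a lookalike signal.
BRAND_TOKENS = {"gsa", "gov", "dol", "procurement", "microsoft", "dynamics"}

# Two-label public suffixes this toy handles. A real deployment would consult the
# Public Suffix List; this short set is a labelled simplification.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

MAX_HOPS = 10


def refang(url: str) -> str:
    """Turn a defanged IoC such as 'hxxps://a(.)b[.]c' back into a parseable URL."""
    return (url.replace("(.)", ".").replace("[.]", ".")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def registrable_domain(host: str) -> str:
    """Return the part of the hostname somebody had to register (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return ".".join(labels)
    return ".".join(labels[-(suffix_len + 1):])


def lookalike_findings(url: str) -> list[str]:
    """Brand tokens found in a hostname whose registrable domain is not trusted.

    'gsa-gov-dol-procurement-notice.procure-rfq.online' contains gsa, gov, dol and
    procurement, yet the only name the attacker registered is procure-rfq.online.
    """
    host = urlsplit(refang(url)).hostname or ""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return []
    found = set()
    for label in host.split("."):
        for piece in label.split("-"):
            if piece in BRAND_TOKENS:
                found.add(piece)
    return sorted(found)


def follow_redirects(url: str, hops: dict[str, str]) -> tuple[list[str], str]:
    """Walk a redirect map (a constructed stand-in for HTTP 30x responses).

    Returns (chain, status) with status 'final', 'loop' or 'too_many_hops'.
    """
    chain = [url]
    seen = {url}
    while chain[-1] in hops:
        if len(chain) > MAX_HOPS:
            return chain, "too_many_hops"
        nxt = hops[chain[-1]]
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "final"


def assess_at_click(rewritten_url: str, scan_time_hops: dict[str, str],
                    click_time_hops: dict[str, str]) -> dict:
    """Compare where a rewritten link led when the vendor scanned it with where it
    leads now that the user clicks. A rewritten link is re-evaluated, not trusted."""
    scan_chain, _ = follow_redirects(rewritten_url, scan_time_hops)
    click_chain, status = follow_redirects(rewritten_url, click_time_hops)
    scan_dest = registrable_domain(urlsplit(scan_chain[-1]).hostname or "")
    click_dest = registrable_domain(urlsplit(click_chain[-1]).hostname or "")
    findings = lookalike_findings(click_chain[-1])
    changed = scan_dest != click_dest
    verdict = "block" if (changed or findings or status != "final") else "allow"
    return {"scan_time_destination": scan_dest, "click_time_destination": click_dest,
            "destination_changed": changed, "lookalike_tokens": findings,
            "status": status, "verdict": verdict}


# Constructed sample: a vendor-rewritten link that pointed at a harmless PDF when it
# was scanned at delivery and was later re-pointed at the lookalike page above.
REWRITTEN_URL = "https://rewriter.example/click?u=https%3A%2F%2Ffiles.partner.example%2Frfq.pdf"
ORIGINAL_URL = "https://files.partner.example/rfq.pdf"
PHISHING_URL = "https://gsa-gov-dol-procurement-notice.procure-rfq.online/login"

SCAN_TIME_HOPS = {REWRITTEN_URL: ORIGINAL_URL}
CLICK_TIME_HOPS = {REWRITTEN_URL: ORIGINAL_URL, ORIGINAL_URL: PHISHING_URL}

if __name__ == "__main__":
    print(assess_at_click(REWRITTEN_URL, SCAN_TIME_HOPS, CLICK_TIME_HOPS))
```

The point of `assess_at_click` is that the delivery-time verdict is only as good as the destination at delivery time; the defensive control is to resolve the chain again when the user clicks and to judge the final registrable domain, not the vendor-branded wrapper the user sees. The same `registrable_domain` split is what makes the GSA lookalike obvious: every brand word sits in a subdomain label the attacker chose freely.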

Ransomware Group ‘Royal’ Rebrands as BlackSuit with New Attack Methods

  • BlackSuit continues to use phishing as a primary vector for initial access, now incorporating advanced tactics like exploiting Remote Desktop Protocol (RDP) and leveraging initial access brokers.
  • In addition to encrypting files, BlackSuit actors now routinely exfiltrate data, threatening to leak it unless a ransom is paid.
  • The group uses partial encryption and legitimate tools to avoid detection, repurposing common software and using CAPTCHA evasion to bypass security measures.
  • Ransom demands have ranged from $1 million to $10 million USD, with payment typically required in Bitcoin. The group has demanded over $500 million USD in total, with the highest individual ransom reaching $60 million.
  • BlackSuit actors are increasingly aggressive, even contacting victims directly via phone or email to pressure them into paying the ransom.


What You Might Have Missed...

How Does TSAT Assist in WhatsApp Phishing Simulation?
Read more: Preventive Measures for Phishing on WhatsApp
Importance of Cybersecurity Awareness Training for Employees

Thank you for reading Threatcop Weekly!

For more information on these stories and to stay updated on the latest in cybersecurity, connect with our PSM advocates at:

Email: [email protected]

Website: www.threatcop.com
