Threat actors’ next big target: VIPs, Executives, and Board members

A recently uncovered spear phishing campaign, orchestrated by the PerSwaysion group, targeting 150+ executives across the globe, is a prime example of the growing trend of concerted cyber attacks on CXOs and VIPs. This process of targeted attacks on VIPs is commonly known as Whaling. Whaling tactics are similar to general spear-phishing. But they differ in the fact that it specifically targets high-level and important individuals within an organization. 

Threat actors are slowly moving from large-scale, low-value attacks, which target a general population, to small-scale, high-value attacks, which target the key personnel of an organization. Furthermore, the Verizon 2019 Data Breach Report found that senior executives are 12 times more likely to be targets of social incidents, and 9 times more likely to be targets of social breaches. This is because high-profile personnel have exclusive clearances, privileges, and access to:

  • Confidential and sensitive information including financials, trade secrets etc. 
  • Authorize or order other employees in the organization to carry out certain tasks.
  • Valuable assets including networks, devices, and facilities. 

How do threat actors target C-level executives?

Research and reconnaissance

  • To orchestrate a typical attack, threat actors perform extensive reconnaissance and research, to understand an organization’s structure and functions.
  • Using this information, they narrow down the list of potential targets and their associates.
  • They then collect personal information about the shortlisted VIPs. Most companies publish their executives’ details on social media, news media, and their own websites. Thus, a simple Google search will give the threat actor access to this information. Moreover, the executives themselves have personal accounts on platforms such as Facebook and LinkedIn. And often, the privacy settings on these accounts are lax. 
  • They further search for exposed account credentials from previous data leaks. Given that most of us, executives being no exception, use the same password for multiple accounts, the exposed credentials can be used to gain access to the executive’s official email account.

Data theft attacks

  • Once hackers have obtained access to C-suite executives accounts, through brute-force attacks or other means, they steal valuable information. This may include client lists, customer data, financial data, internal processes, business strategy and plan, and more. 

Impersonation attacks

  • Threat actors could hijack executives’ social media accounts and post harmful messages. And, this could tarnish the reputation of the executive and their organization.  
  • Using the email access, threat actors decipher the communication frequencies and styles within the organization. For example: If there is a trail of audit related emails, threat actors can send requests for audit related details in continuation to the ongoing communication. 
  • If threats actors cannot get access to an executives’ credentials, they create fake email IDs. These email IDs closely resemble one of the executives’ email IDs or that of the HR department or Accounting department. From the fake ID they send an urgent, actionable, and believable email to a C-level executive. 

Extended attacks

  • Threat actors bank on executives having limited time, or relying on assistants, to read and respond to emails. They also ensure the emails are believable. For this, they add references to the executive’s interests and hobbies, which are gleaned from their social media profiles. The emails usually request the email recipient, who is also an executive or VIP, for sensitive information, wire transfers, or to download an attachment. 
  • If the recipient falls for the trap, they will end up revealing sensitive information or authorizing someone else to do so. They could also authorize transfers to the fake account details shared by the threat actor. A malicious attachment could drop a malware or ransomware payload in their systems. The recent PerSwaysion campaign used a fake Microsoft Outlook login page, from where they were able to collect 150+ executives’ login credentials. The credentials can be used to orchestrate other attacks or could be sold on the Dark Web, to the highest bidder.  

How to protect C-level executives from these attacks?

Given the heightened risk to VIPs, here are a few measures to combat and mitigate threats:

Continuous monitoring

Deploy a real-time monitoring tool that will scour the internet – surface web, deep web, and dark web – for potential threats.  A comprehensive SaaS platform such as CloudSEK’s XVigil tracks VIP’s personal email IDs for their presence in past security breaches. Organizations are alerted to such threats immediately, along with other significant details pertaining to the risk.

Review social media presence

Ensure the executives’ social media accounts have the highest level of privacy. Report duplicate accounts and delete dormant accounts on a regular basis. 

Multi-layered protection

Enable Multi Factor Authentication (MFA) for all their accounts, including email, company assets and network. 

Regular cybersecurity refreshers

Since threat actors are constantly changing and upgrading their whaling tactics and ruses, periodic training will help executives spot and avoid such traps. 

 

An attack on a VIP doesn’t just affect them personally, it also affects their organizations revenue and brand image. Threat actors could gain access to the company’s central database, and steal employee and customer details, and leak them or even sell them. It takes years of painstaking effort to build a company’s brand image, and any damage to this intangible asset can have very serious and far-reaching consequences. Hence it is important to enable processes, and tools such as XVigil, to continuously monitor and protect VIPs and their organizations. 

Top open source resources to stay vigilant against COVID-themed cyber attacks

 

As the coronavirus pandemic spreads rapidly across the globe, a panic-stricken populace already confined to their homes, faces the emerging threat of COVID-themed cyber attacks. The trend of recent cyber crimes indicates a spike in the number of COVID-related malicious domains, malware attacks, as well as phishing campaigns. As a result, organizations are left with the daunting prospect of securing their assets, and that of their clients, against adversaries profiting from the pandemic. Without an effective strategy, or the right intelligence, it will be impossible to ward off such attacks.

In this article, we have consolidated popular open source threat intel resources that can help you combat COVID-themed cyber attacks. These open source resources provide the latest intelligence and observations on cyber threats to alleviate the impact such attacks could have on the global community.

COVID-19 Cyber Threat Coalition

Cyber Threat Coalition (CTC)  is the result of combined efforts of around 3,000 security professionals who gather, analyse, and share intelligence pertaining to new COVID-themed threats. At present, the largest contribution of COVID-themed datasets are produced by CTC.  Moreover, they prioritize and defend essential services and the front-line medical sector, against threats. The telecommunication sector is also a part of essential services, as more people shift to remote work.

How does CTC alert organizations?

  • Typically, they examine millions of data points contributed by organizations or individuals, and run the indicators through several security products. 
  • If at least 10 of these security products identify the data point as a threat, CTC volunteers manually verify such findings and add malicious feeds to its Blocklist. If only 5-9 security product vendors identify the data point as malicious, they will be manually verified as malicious feeds before adding them to the Blocklist.
  • This Blocklist helps organizations and individuals, across the globe, block malicious traffic arising from fraudulent activities.
  • Additionally, they have a Beta MISP feed that details the various threat indicators (accessible to those who have set up MISP).

How can you contribute?

  • CTC maintains a Slack workspace, the invitation for which is available on their official website. This workspace is for researchers who may have information regarding COVID-themed cyber attacks. In addition, they also have a slack room to announce updates, and new developments: #ctc-official-announcements 
  • Their Alienvault open threat exchange (OTX) also gathers data feeds from researchers. CTC considers Alienvault OTX as their primary source of raw data feeds. They are encouraging anyone with high quality threat intel, to join this platform.  

Here is the CTC Blocklist for vetted malicious domains and IP addresses:

COVID-themed cyber attacks: Alienvault OTX group
Alienvault OTX group

COVID-19 CTI League

(https://cti-league.com/)

This is a collective of experts and Incident Responders, from across 40 countries, which gathers COVID-related threat intelligence. Senior Microsoft and Amazon officials are also part of this team. CTI League is geared towards neutralizing cyber threats against the front-line medical sector and critical infrastructure. 

How is the medical sector benefiting from the CTI League?

  • CTI accepts IR (Incident Response) requests from organizations, to detect security incidents and keep them in check. To achieve this, the CTI League connects with researchers and analysts from 22 different time zones. Volunteers help the community find the most appropriate individuals who can secure medical institutions and resources in their location.
  • They assist in taking down websites, web pages, or files from the internet, and escalate cyber attacks, malicious activities, or critical vulnerabilities, to law enforcement agencies and national CERTs.
  • They provide reliable databases, of high-priority indicators of compromise, that help the medical sector investigate and block malicious activities. 

Cyber Threat Alliance

(https://www.cyberthreatalliance.org/)

This is a not-for-profit membership organization that focuses on phishing lures and malware attacks. They help thwart attempts to harm the medical sector, in the time of this unprecedented crisis.

What are they offering?

PhishLabs

(https://www.phishlabs.com/covid-19-threat-intelligence)

Phishing is the most common cyber threat. And even as the world tries to make sense of the coronavirus epidemic, scammers are busy cashing in on the fear and anxiety.  PhishLabs, a team of cybersecurity experts, combines their efforts to provide free resources of Coronavirus-related threat intelligence, with their primary focus on phishing attacks.

What have they got to offer?

Their database is updated with the latest on COVID-themed phishing email, malicious URLs, and domains. They present and share the data in a zip file containing phishing lures (as image files), and phishing URLs (in .xlsx format).

PhishLabs image files
PhishLabs image files

Checkphish: Coronavirus Scam Tracker 

(https://checkphish.ai/coronavirus-scams-tracker)

Checkphish maintains a global dashboard that tracks the latest Coronavirus-themed phishing scams. The results are classified into scams and suspicious sites. Moreover, for each website, it provides scam feeds in the .tsv format.

Sample: https://checkphish.ai/data/covid_feed.tsv

Checkphish scam tracker feed
Checkphish scam tracker feed

The dashboard also allows you to run free URL scans to identify malicious websites. For each queried domain and the domains which are already in the list the dashboard also incorporates website screenshots, Passive DNS (of hosts and domains hosted on given IP), details of similar domains, and their WHOIS information.

COVID-themed cyber attacks: Checkphish dashboard
Checkphish dashboard

MISP 

(https://covid-19.iglocska.eu)

Malware Information Sharing Platform (MISP) is an open source threat intelligence platform. They provide IDS signatures for COVID-19 cyber intrusions in various formats such as: STIX, STIX2, Text, csv, etc., They also allow users to automate the process of collecting information. Researchers and interested parties are only required to send a direct message to the team to access https://covid-19.iglocska.eu/.

Events on MISP
Events on MISP
Post that directs users to a frequently updated dataset
Post that directs users to a frequently updated dataset

RiskIQ

RisqIQ PassiveTotal offers access to RisqIQ datasets such as passive DNS, extensive DNS data, WHOIS registration details, and SSL certificate details. And, as a response to the rising number of COVID-themed cyber attacks, they also share lists of Coronavirus-related domain names that contain ‘covid’, ‘coronav’,  ‘vaccine’, ‘pandemic’, or ‘virus.’ These may or may not be malicious. To facilitate an investigation into these domains, interested analysts are allowed 30-days access to use PassiveTotal, RiskIQ’s threat research platform. 

Links to the lists of COVID-themed domain names:

https://covid-public-domains.s3-us-west-1.amazonaws.com/list.txt (consolidated list)

https://covid-public-domains.s3-us-west-1.amazonaws.com/covid-YYYYMMDD

https://covid-public-domains.s3-us-west-1.amazonaws.com/covid-20200420

Covid-19 Medical Supply Scams from RisqIQ dashboard.
Covid-19 Medical Supply Scams from RisqIQ dashboard.

RisqIQ Dashboard: https://community.riskiq.com/

Github CTI league Repo

(https://github.com/COVID-19-CTI-LEAGUE/PUBLIC_RELEASE)

A GitHub repository, dubbed as COVID-19-CTI-League, also shares vetted, approved IOCs of COVID-themed cyber attacks. Even though the name of the repository resembles the community CTI League (discussed earlier), they aren’t related. 

COVID-themed cyber attacks: CTI League Slack discussion  
CTI League Slack discussion

Independent Researchers And Feeds

Although we have listed out the big names in cyber security, it is important to know that there are individual researchers and cyber security bloggers committed to resolve and neutralize the attacks surfacing during the epidemic. They share their analysis and findings on social media platforms such as Twitter. Here are some of them:

@dustyfresh

Twitter user DustyFresh has set up a feed, updated every 30 seconds, which scans for new COVID-related hostnames discovered in certificate transparency logs. He uses keywords coronavirus, covid19, covid-19, covid, pandemic, etc. 

Although most of the domains in this list are considered malicious, it is upto researchers to figure this out.

@sshell_

Another researcher who goes by the Twitter handle @sshell_ created a real-time dashboard of malicious websites. This dashboard leverages RiskIQ’s feed (mentioned earlier) and lists COVID-themed malicious domains in real-time.

@sshell feed
@sshell feed

@LukasStefanko 

Independent researcher and ESET mobile malware analyst, Lukas Stefanko, tracks COVID-related malware attacks that target Android users, on a daily basis. 

Threatfeeds.io

(https://threatfeeds.io/)

This is another open source threat intelligence platform that gathers Indicators of Compromise from various sources. It allows users to download data for free.

MalwareBazaar

(https://abuse.ch/blog/introducing-malwarebazaar/)

Abuse.ch provides free malware samples that are easily downloadable. MalwareBazaar hopes to help researchers understand malware samples and use the intelligence for further analysis. 

Advisories

The official Twitter accounts of government agencies are also provide regular updates on the latest scams and scamming tactics: 

@CyberDost

Indian Ministry of Home Affairs offers tips and advises the public on safe internet practices, through its Twitter handle @CyberDost and its official website National Cyber Crime Reporting Portal. These platforms can also be used to report any malicious cyber activity that you come across. 

@Europol

This is the Twitter handle of European Union’s Agency for Law Enforcement Cooperation. Europol shares recent trends in cyber attacks and scams themed after the Coronavirus pandemic.