Phishing. For the past decade, phishing has remained a stalwart among attack vectors due to its alarming adaptability and effectiveness. The 2024 Data Breach Investigations Report (DBIR) from Verizon highlights a significant surge in phishing attacks that exploit both human psychology and technical vulnerabilities. This evolution underscores a disturbing trend: attackers are no longer just casting wide nets but are instead using precisely targeted tactics that mimic legitimate business communications almost indistinguishably.
Initiated through a compromised legitimate website, this campaign leveraged severe vulnerabilities within widely used WordPress plugins to establish a command and control infrastructure. This campaign’s hallmark was its precision—targeting specific individuals within organizations through emails meticulously crafted to mirror legitimate corporate communications, thus maximizing the likelihood of credential theft.
As phishing tactics become increasingly sophisticated, blending seamlessly into daily workflows and exploiting trusted relationships, our research emphasizes the critical need for organizations to advance their defensive strategies. This involves not only bolstering technical defenses but also significantly enhancing employee awareness and training to recognize and resist these ever-evolving threats.
Initiation and Setup
The campaign began by selecting nocoastsushi.com, an innocuous sushi restaurant website, compromised by exploiting several vulnerabilities identified in the widely used WordPress plugins:
- FORMIDABLE 6.1.1: Unauthenticated PHP Object Injection (CVE-2023-6842)
- JS_COMPOSER 6.6.0: WPBakery Page Builder XSS (CVE-2023-31213)
- LAYERSLIDER 6.11.2: Admin+ Stored XSS (CVE-2024-2879)
- REVSLIDER 6.2.22: Author+ Remote Code Execution (CVE-2024-2306)
This foundation allowed for the discreet setup of phishing operations under the guise of a legitimate website’s infrastructure.
Execution of the Phishing Campaign
The phishing emails originating from this infrastructure were notably advanced. Crafted to resemble legitimate SharePoint notifications, they effectively exploited the trust and routine behaviors of corporate employees. Demonstrating a high degree of customization, these emails used the actual nicknames of employees and closely mimicked the internal formatting and language typical of the targeted organizations. This level of detail suggests a thorough reconnaissance phase and a deliberate strategy to reduce suspicion while enhancing the likelihood of employee engagement.
Email Example:
- Subject: “<Domain Admin> shared ‘Contract- AgreementIhfmS’ with you.”
- Content: The emails contained a deceptive link, ostensibly leading to a SharePoint document but actually redirecting recipients to a phishing page designed to harvest credentials.
Sophistication in Deception
The emails and phishing pages showcased an alarming level of precision in mimicking the internal communications and branding of targeted organizations. Each phishing page was tailored to reflect the unique aspects of the spoofed entity, from logos to specific organizational CAPTCHAs, enhancing the deception’s effectiveness. The phishing sites incorporated real CAPTCHAs and links to actual social media accounts, adding layers of authenticity to their phishing attempts.
Impact and Insights
Other than the campaign’s dual focus on exploiting technical vulnerabilities and human psychology, this attack also showcased several noteworthy tactics that underline its sophistication and targeted nature:
Credibility Through Compromise: By dispatching phishing emails from a compromised email account belonging to a reputable healthcare organization, the attackers significantly reduced the likelihood of detection by reputation-based email filtering systems. This tactic leveraged the inherent trust in the compromised organization to bypass security measures.
Strategic Victim Selection: These phishing attacks’ primary targets were back office employees and sales executives, who likely have access to critical organizational data and systems. This choice of targets underscores the attackers’ strategic aim to maximize potential access to sensitive information and systems.
Lowering the guards: The emails prominently displayed support for the LGBTQ community through a genuine commercial. This inclusion was likely aimed at resonating positively with recipients, leveraging societal values and the organization’s legitimate advocacy efforts to increase the likelihood of engaging with the phishing content.
Here are the IoCs related to this campaign: (Write ‘IoCs related to the attack’)
- msonlineencrypt./com
- 0e368b25357b8c6ad3c8a63d43f9de1f
- 172.67.176./88
- 104.21.80./85
- MD5 3cde68f25007cac0f16b787cd7d59053
- SHA-1 757d6aa28f9bba8da67da3bbde9f8700eb96161f
- SHA-256 17341bd207b912e2e504d1a9194f2cca462860a1ba72bec02d09bd45566d7f4e
Despite public reputation services dismissing these threats as benign and native email solutions failing to detect their malicious nature, only the most advanced third-party threat protection systems were effective in recognizing and mitigating the phishing attacks.
Conclusion
This investigation into a particularly sophisticated phishing campaign highlights a critical lesson: despite public reputation services dismissing these threats as benign and native email solutions failing to detect their malicious nature, only the most advanced third-party threat protection systems were effective in recognizing and mitigating the phishing attacks. This revelation serves as a stark reminder of the ongoing cyber security arms race, where success hinges on our ability to continuously outpace the cunning strategies employed by cyber adversaries.
To navigate this challenging environment, organizations must adopt a proactive and holistic approach to cyber security. This includes deploying multi-layered security solutions, conducting regular security control assessments, and committing to comprehensive training to enhance threat awareness and preparedness across all levels of the organization. By embodying the principles of continuous improvement and vigilance, we empower ourselves to anticipate, adapt, and effectively counter the sophisticated maneuvers of cyber adversaries.
Veriti was able to detect the malicious activity by analyzing the detections from the different security controls and enforced automatically a protection from this campaign cross the security stack – enabling the relevant protections from it.
