A cyber-attack discovered over the past four months targeted more than 4,000 companies and successfully penetrated at least 14 of them. The targets were mainly in the oil and gas, mining, transportation, and construction sectors, in locations as diverse as Germany, Kuwait, UAE, Egypt, and Croatia. The malicious party was able to acquire sensitive financial data and take remote control of endpoints. Some speculated that a sophisticated criminal organization might be behind the attack. However, it turned out that the attacker was a 20-year-old man from Nigeria, and he was hardly a cyber mastermind.
In fact, it was not difficult for researchers to discover the culprit’s identity:
“Following extensive research into the campaign, researchers have revealed the identity of the criminal behind it. He is a Nigerian national, working on his own. On his social media accounts, he uses the motto: ‘get rich or die trying.’”
The attacker had sent very crudely written phishing emails with improper punctuation, which would have made me immediately suspicious if one had ended up in my inbox. Here's what was sent in the body of his emails:
“Please confirm the receipt of this mail as we have sent several emails to your esteemed company.
Find attach 2 pages of our purchase order request for the month of May,
kindly send us PI signed and stamped also do advice bank details for LC processing.
Thanks and Regards
P.O. Box 5000
Dhahran 31311, Saudi Arabia”
The email attachment's file name was “Saudi Aramco Oil And Gas.rar,” and the 591.1 Kb file had NetWire, a remote access Trojan, and HawkEye, a commercial keylogger, bound to it.
NetWire is considered to be the first multi-platform RAT malware. It's primarily designed to exploit weaknesses in point-of-sale systems, but can also acquire sensitive financial data from client machines which aren't part of a POS system. It's configured to be spread as an email attachment Trojan, where it can linger for months while undetected.
HawkEye is another malware which is sold in the Dark Web to be distributed as an email attachment Trojan. Its payload is a DOCX file, which can then acquire email and web browser passwords and engage in keylogger spyware functions.
The only thing the attacker did to obscure his location was to put “Saudi Arabia” in his emails. He used two free Yahoo webmail addresses, which made it easy for the researchers to trace him. Plus, the fact that he only used two email addresses also meant that the companies he was targeting could have easily blocked those addresses to avoid receiving email from that attacker again.
Given the simplistic nature of this operation, it's really concerning that his victims were large companies, not small or medium-sized businesses. It's often assumed that large companies are more likely to have CISOs and better security monitoring systems, with technologies such as SIEM in their server rooms. It's surprising to hear about so many large organizations falling for such a pedestrian, script-kiddie sort of attack. Here are lessons that can be learned from its success, which can help you be better prepared and avoid falling victim to similar attacks:
- Train all your employees and contractors who have business email accounts. Teach them about phishing. Tell them to never open email attachments from senders who aren't known to the company, and to never share financial details except with specific people. Avoid sharing sensitive data over email, even to trusted parties, as much as possible.
- Although an increasing amount of malware can evade signature detection, and fileless malware attacks are becoming more common, NetWire and HawkEye weren’t zero-day attacks; they had been known to antivirus vendors for quite some time. At the time of the attack, pretty much all antivirus software had signatures that should have stopped NetWire and HawkEye. Even lower-quality antivirus software that hadn't been patched for a few months would've been able to stop those malware strains. This leads me to believe that your grandmother's Windows XP PC likely has better endpoint security than this attacker's victims did. Be sure to install antivirus software, and configure it to automatically install security patches to ensure that it can catch well-known threats like these!
- Implementing security monitoring tools is a must. Include email server activity and employee client machine file execution events in your logs. Intrusion detection systems can be configured to inform administrators of anomalous activity. Executing a malicious email attachment, such as a file with a RAT bound to it, generates events that an administrator can be alerted to.
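As an added example (not code from the original article or from the researchers it cites), here is a small Python script that does the kind of correlation the last lesson describes: it flags archive attachments arriving from free webmail senders at the mail gateway, alerts when that same recipient then launches an executable out of an archiver's temp folder within a short window, and lists the flagged sender addresses for the gateway blocklist. The log formats, hostnames, addresses, the archiver process names and the 30-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the article): one mail-gateway line per
# delivered message, one endpoint line per process start (user = mailbox local part).
MAIL_LOG = """\
2017-05-02T08:14:05 deliver from=buyer1@yahoo.com to=ap@example-oil.com attach="Saudi Aramco Oil And Gas.rar"
2017-05-02T08:20:11 deliver from=vendor@partner.example to=ap@example-oil.com attach="invoice-0417.pdf"
2017-05-02T09:02:44 deliver from=buyer1@yahoo.com to=finance@example-oil.com attach="PO_May.rar"
"""
EXEC_LOG = """\
2017-05-02T08:16:30 host=WS-AP01 user=ap image="C:\\Users\\ap\\AppData\\Local\\Temp\\Rar$DIa0.123\\Purchase Order.exe" parent=WinRAR.exe
2017-05-02T08:40:02 host=WS-AP01 user=ap image="C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe" parent=OUTLOOK.EXE
2017-05-02T09:05:10 host=WS-FIN02 user=finance image="C:\\Users\\finance\\AppData\\Local\\Temp\\7zO4C.tmp\\PO_May.exe" parent=7zFM.exe
"""
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}
ARCHIVE_EXT = (".rar", ".zip", ".7z")
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}  # assumed parents meaning "run straight from the archive"
WINDOW = timedelta(minutes=30)  # assumed delivery-to-execution window for correlation
MAIL_RE = re.compile(r'^(\S+) deliver from=(\S+) to=([^@\s]+)@\S+ attach="([^"]+)"')
EXEC_RE = re.compile(r'^(\S+) host=(\S+) user=(\S+) image="([^"]+)" parent=(\S+)')

def suspicious_mail(log):
    """Flag archive attachments from free webmail senders: (time, recipient, sender, name)."""
    hits = []
    for m in filter(None, map(MAIL_RE.match, log.splitlines())):
        ts, sender, user, attach = m.groups()
        if sender.rsplit("@", 1)[-1].lower() in FREE_WEBMAIL and attach.lower().endswith(ARCHIVE_EXT):
            hits.append((datetime.fromisoformat(ts), user, sender, attach))
    return hits

def correlate(mail_log, exec_log):
    """Alert when a flagged recipient runs an .exe out of a temp folder, spawned by an
    archiver, within WINDOW of delivery: the execution step of a bound-RAT attachment."""
    mails, alerts = suspicious_mail(mail_log), []
    for m in filter(None, map(EXEC_RE.match, exec_log.splitlines())):
        ts, host, user, image, parent = m.groups()
        t, low = datetime.fromisoformat(ts), image.lower()
        if not (low.endswith(".exe") and "\\temp\\" in low and parent.lower() in ARCHIVERS):
            continue
        for mt, muser, sender, attach in mails:
            if muser == user and mt <= t <= mt + WINDOW:
                alerts.append({"host": host, "user": user, "sender": sender, "attachment": attach, "image": image})
    return alerts

def block_list(mail_log):
    """Sender addresses to add to the gateway blocklist once flagged."""
    return sorted({sender for _, _, sender, _ in suspicious_mail(mail_log)})
```

On the constructed logs this raises two alerts (one per workstation that ran an executable out of an extracted archive) and one sender address to block; a real SIEM rule would feed the same three signals from its mail and endpoint sources.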
Many of the cyber-attacks I write about are very sophisticated. But just as many attacks, if not more, are really as amateurish as what this attacker did. It really makes me want to hit my head against a desk sometimes.
When your company security-hardens your business, make sure you have the most elementary basics down as well to avoid falling victim to simple attacks like this one.