What SOCs Need to Know About Water Dybbuk

According to the Federal Bureau of Investigation, BEC costs victims more money than ransomware, with an estimated US$2.4 billion lost to BEC in the US in 2021. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail Transfer Protocol (SMTP) services like SendGrid to send emails designed to bypass the filters of email service providers and the security services that protect email. This attack leveraged an HTML file attached to an email. Based on our analysis, we determined this to be a targeted attack, judging by some of the features enabled in the JavaScript and by the PHP code the attackers deployed on the server side.

Like other typical BEC schemes, the initial stage always involves a spear-phishing attack on an individual target. The threat actors behind this campaign used a malicious JavaScript attachment that redirects users to a fraudulent Microsoft phishing page. The screenshot in Figure 1 shows an actual malicious spam used in this attack. Once the email attachment is opened, the target's computer reaches out to the command-and-control (C&C) server hosting a BadaxxBot toolkit, which acts as a redirector to the final phishing page. The threat actors can also skip this functionality and simply redirect any visitor to the final phishing page. The redirector can be used in multiple ways, such as validating the target and supplying email address data to the login form of the phishing site. Details of how the attack works are explained in a separate section. The final phishing page uses the open-source framework Evilginx2 to phish login credentials and session cookies. After a successful phishing attempt, the threat actors log in to their target's email account, which is then used for BEC schemes such as CEO fraud, bogus invoice schemes, and account compromise.

We initially came across this attack in November 2022, primarily because of the very low detection counts for its malicious attachment and, second, because we had access to a machine that was a target of this campaign. Looking back at other similar malware samples shared with the public, the tools, tactics, and procedures used in these attacks had been running under the radar since April 2022, based on the earliest shared sample. For several months, Water Dybbuk had been successful in its malicious spam campaign by evading AV detections with its obfuscated JavaScript malware.

The malware first checks whether additional information needs to be validated before the redirect phishing URL is returned to the target. The information to be validated includes the IP address and the browser's user-agent string, which are used for filtering on the server side. If IP address checking is not enabled, it proceeds to request a redirect URL for the phishing page. The decoded HTML page contains another redirection routine to the actual phishing page, and the hardcoded URL of the final phishing page is clearly readable after deobfuscation.

From one of the C&C servers Water Dybbuk uses to redirect victims, we noticed that the threat actors used a compromised server from a government site. The files for the phishing toolkit are still hosted on the compromised server, and one of them revealed the name of the toolkit used in this campaign: BadaxxBot. As the tool can be bought and leveraged by other attack groups, it would not be surprising to see this malware used in other BEC campaigns. The redirection ends on a C&C server hosting an Evilginx2 phishing toolkit configured to phish credentials and session cookies from Microsoft Office 365 accounts. Evilginx2 is a man-in-the-middle attack framework used to intercept and manipulate web traffic. It is designed for use in phishing attacks and can be used to bypass two-factor authentication. The framework can steal credentials and intercept the session cookies of commonly targeted platforms such as Microsoft Office 365, Microsoft Outlook, Facebook, and LinkedIn, among others.

From the malware samples we found, we extracted the target email addresses and found that their profile fits perfectly with the usual target victims of BEC schemes: the executives and the finance department of a company. While sifting through our data sources to determine the impact of these attacks, we found that the potential target companies had an average annual revenue of approximately US$3.6 billion, with the largest having a revenue of US$70 billion. We had access to a system that was a target of this attack, which provided us with a unique angle that is rarely observed by researchers.

Water Dybbuk is a BEC campaign that targets large companies using commodity malware support tools like BadaxxBot and Evilginx2. Even though the group uses phishing toolkits that are readily available, it still managed to avoid AV detections through open-source obfuscator tools. While BEC attempts involve social engineering to engage with victims and ultimately wire funds, it is important to note that phishing attempts are also typically used to gain access to email accounts that will be used to scam victims who are contacts of the compromised account. Most of these attacks are not very technical and do not involve much work; the effort the attacker needs to put into this scam is low compared with other types of attacks that companies face. The potential profits are very high, so we expect these types of attacks to continue. In the 2021 IC3 report, BEC attacks were listed as the most costly form of cybercrime, and a common way of falling victim to BEC scams is through phishing attacks.

Constant phishing exercises for employees, using tools such as Phishing Insight, can help minimize the effectiveness of these attacks and turn what is traditionally the weakest link for this business model into an organization's greatest defensive strength.
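As an added example (not code from Trend Micro's report or from the toolkits it names), the staged decode-and-redirect behaviour described above can be turned into a triage check a SOC can run over HTML/JS attachments pulled from a mail gateway quarantine. The scorer below looks for the indicators the analysis describes (a decode call feeding document.write, a beacon to a remote host, a client-side redirect, long encoded blobs), unwraps base64-encoded stages one layer at a time and rescores them, so a redirect hidden inside the decoded page still counts against the outer file. The indicator regexes, weights, entropy threshold and the `.invalid` host names are all assumptions made for illustration; the two samples are constructed to exercise the scorer and are not artefacts from the campaign.

```python
"""Static triage of HTML/JS e-mail attachments (added example, not Trend Micro's code).

Scores an attachment on the behaviours the write-up describes: a decode call
(atob/eval/unescape) feeding document.write, a beacon to a remote host, a
client-side redirect, and long encoded blobs. Encoded stages are unwrapped one
layer at a time and rescored. Regexes, weights and thresholds are assumptions."""
import base64
import math
import re
from collections import Counter

# Heuristic regexes for the behaviours named in the analysis (assumed, not signatures).
INDICATORS = {
    "decode_call": re.compile(r"\b(?:eval|atob|unescape|String\.fromCharCode)\s*\("),
    "dom_write":   re.compile(r"document\.write(?:ln)?\s*\("),
    "redirect":    re.compile(r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]"),
    "beacon":      re.compile(r"\b(?:fetch|XMLHttpRequest|navigator\.sendBeacon)\b"),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}
# Assumed weights: decoding, redirects and hex-escape runs weigh most, a lone beacon least.
WEIGHTS = {"decode_call": 3, "dom_write": 2, "redirect": 3, "beacon": 1,
           "hex_escapes": 3, "base64_blob": 2}
ENTROPY_THRESHOLD = 5.5  # assumed; plain HTML with English text sits well below this


def shannon_entropy(data: str) -> float:
    """Bits per character; heavily encoded pages score higher than plain markup."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def unwrap_base64_stages(content: str):
    """Yield the text of base64 blobs that decode to markup or script."""
    for blob in INDICATORS["base64_blob"].findall(content):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binary or not really base64: leave it to other tooling
        if "<" in text or "script" in text.lower():
            yield text


def verdict(score: int) -> str:
    """Map a score to a queue: 'suspicious' goes to an analyst, 'review' is sampled."""
    if score >= 8:
        return "suspicious"
    if score >= 4:
        return "review"
    return "likely benign"


def triage(content: str, depth: int = 0, max_depth: int = 3) -> dict:
    """Score one attachment and, recursively, the stages it decodes to."""
    hits = {}
    for name, rx in INDICATORS.items():
        n = len(rx.findall(content))
        if n:
            hits[name] = n
    score = sum(WEIGHTS[name] * min(n, 3) for name, n in hits.items())
    entropy = shannon_entropy(content)
    if entropy > ENTROPY_THRESHOLD:
        hits["high_entropy"] = 1
        score += 2
    # A decode call feeding document.write is the staged-page pattern the write-up describes.
    if "decode_call" in hits and "dom_write" in hits:
        hits["decode_then_write"] = 1
        score += 3
    layers = []
    if depth < max_depth:
        for text in unwrap_base64_stages(content):
            inner = triage(text, depth + 1, max_depth)
            layers.append(inner)
            score += inner["score"]  # a hidden stage counts against the outer file
    return {"score": score, "verdict": verdict(score), "hits": hits,
            "entropy": round(entropy, 2), "decoded_layers": layers}


# Constructed samples for exercising the scorer (not real campaign artefacts).
BENIGN_ATTACHMENT = """<!doctype html>
<html><body><h1>Invoice 1042</h1>
<p>Thank you for your order. The amount due is shown below.</p>
<table><tr><td>Total</td><td>USD 120.00</td></tr></table>
<p id="date"></p>
<script>document.getElementById("date").textContent = new Date().toLocaleDateString();</script>
</body></html>"""

# Stage 2 stand-in: beacon to a placeholder (.invalid) host, then redirect wherever it answers.
_INNER_STAGE = ('<html><script>fetch("https://redirector.example.invalid/check")'
                '.then(r => r.text()).then(u => location.replace(u));</script></html>')
# Stage 1: the attachment itself only decodes stage 2 and writes it into the page.
SUSPICIOUS_ATTACHMENT = ('<html><body><script>var p="'
                         + base64.b64encode(_INNER_STAGE.encode()).decode()
                         + '";document.write(atob(p));</script></body></html>')


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_ATTACHMENT), ("staged", SUSPICIOUS_ATTACHMENT)):
        r = triage(sample)
        print(f"{label}: {r['verdict']} (score {r['score']}) hits={r['hits']} "
              f"decoded_layers={len(r['decoded_layers'])}")
```

Run it directly to see both samples scored; in practice, feed it the bytes of quarantined attachments and route anything at "review" or above to an analyst alongside the AV verdict, since the point of the campaign's obfuscation was that AV alone scored these files clean. The recursion matters more than any single regex: the outer file in the staged sample contains no redirect at all, and only the unwrapped stage shows the beacon and the `location.replace` call.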

This Cyber News was published on www.trendmicro.com. Publication date: Thu, 02 Feb 2023 13:04:02 +0000

