Informatics, Technology, and Cyber Security


Saturday, 20 May 2023

Israel-based Hackers Show Growing Sophistication of Message Attacks


According to a report by email security firm Abnormal Security, a threat group based in Israel has recently been involved in sophisticated email attacks. This is an unusual occurrence, as the majority of attacks analyzed by Abnormal Security over the past year originated from Nigeria. The report highlights the growing sophistication of the Israeli threat actors, who have developed advanced techniques to carry out their attacks.

The attackers from Israel have been using sophisticated spoofing techniques to perpetrate business email compromise (BEC) exploits. The report tracked approximately 350 BEC exploits dating back to February 2021, all attributed to this particular group. The methods employed by the Israeli attackers include spoofing senior leaders who are responsible for financial transactions, using personas both inside and outside the target company, and even translating emails into the language commonly used by the target organization.

One notable tactic used by the attackers is to send fake emails from spoofed executives, making it appear as if the email is coming from a CEO or other high-ranking individual within the organization. This is done by updating the sending display name to mimic the CEO's name, particularly if the target organization has a DMARC policy that would typically prevent email spoofing. The attackers also make use of real domains to further deceive the recipients.
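The display-name trick described above works because DMARC only authenticates the domain in the address, not the human-readable name in front of it; an attacker sending from a domain they control passes DMARC while the name still reads like the CEO's. The following detector is an added example, not code from Abnormal Security or from the report: it parses a raw message, flags a From display name that matches a known executive but arrives from a domain other than the corporate one, and separately flags a Reply-To that diverts replies elsewhere. The executive roster, domains and sample messages are all constructed for the demonstration.

```python
"""Flag display-name impersonation of executives in inbound mail (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed roster: leaders who approve payments and the only domain their
# legitimate mail comes from. In production this would come from a directory.
EXECUTIVES = {
    "jane doe": "example.com",
    "john smith": "example.com",
}


def normalize(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' and 'jane doe' compare equal."""
    return " ".join(name.lower().split())


def domain_of(addr: str) -> str:
    """Return the domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list[str]:
    """Return a list of findings for one RFC 5322 message; empty means nothing flagged."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    name = normalize(display)
    sender_domain = domain_of(addr)

    # The DMARC-evading pattern: the name matches an executive, but the
    # address is on some other domain (which passes DMARC for *that* domain).
    if name in EXECUTIVES and sender_domain != EXECUTIVES[name]:
        findings.append(
            f"display-name impersonation: '{display}' sent from "
            f"{sender_domain or 'an address without a domain'}"
        )

    # A Reply-To that differs from From silently routes the thread to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"reply-to mismatch: From {addr} but Reply-To {reply_addr}")

    return findings


# Constructed sample messages (not real traffic).
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: jane.doe@example-mail.net
To: cfo@example.com
Subject: Confidential acquisition - initial payment

Please process the wire today.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q2 planning

See attached.
"""

SAMPLE_DIVERTED = """From: John Smith <john.smith@example.com>
Reply-To: john.smith@example-mail.net
To: controller@example.com
Subject: Quick favour

Can you reply to me on this address?
"""

if __name__ == "__main__":
    for label, sample in [("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT), ("diverted", SAMPLE_DIVERTED)]:
        print(label, check_message(sample))
```

The second check matters for the "real domains" variant: when the From address is genuinely the executive's (for instance a compromised mailbox), the display-name test passes, and the Reply-To divergence is often the only header-level tell left.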

The attacks follow a specific framework involving both internal and external message vectors. The internal vectors typically impersonate high-level executives within the targeted organization, while the external vectors involve real attorneys specializing in mergers and acquisitions, often from reputable firms like KPMG. Once the initial contact is made, the attackers request an initial payment related to an impending acquisition. In some cases, the attackers even transition the conversation from email to a voice call via WhatsApp to expedite the attack and minimize the evidence trail.

The report highlights several key findings regarding these attacks. The targeted organizations are multinational enterprises with significant average annual revenue, and employees from 61 countries across six continents have received these fraudulent emails. The average amount requested in an attack is $712,000, which is significantly higher than the average BEC attack. The attackers primarily use English for their emails but also provide translations in Spanish, French, Italian, and Japanese. It is also worth noting that approximately 80% of the attacks occur in March, June-July, and October-December.

Nigeria-based actors still dominate BEC attacks.

Although the attackers are based in Israel, their motivations align with those of non-state actors, primarily driven by financial gain. The report acknowledges the historical reputation of Israel as a hub for cybersecurity innovation and highlights the contrast between the country's innovation in cybersecurity and the emergence of threat actors within its borders.

The increasing severity of these BEC attacks and the higher amounts requested indicate the need for robust email security measures. Abnormal Security recommends a combination of human training to identify BEC exploits and automated defense systems that utilize behavioral AI to detect anomalies and prevent attacks before they reach their targets. With email continuing to be a lucrative attack vector, it is expected that threat actors will evolve their tactics, test new approaches, and become more targeted and sophisticated in their attempts to compromise email users. As organizations adopt communication platforms like Slack, Zoom, and Microsoft Teams, it is crucial to consider their security implications and ensure proper defenses are in place to mitigate risks.


PaperCut Ransomware Attack

As warned earlier, and since before 2020, attackers have increasingly targeted outdated or older printer driver files, exploiting their vulnerabilities to breach infrastructure and steal information from companies or users.

Attackers are known to exploit vulnerabilities in printer driver files, particularly those that are outdated or no longer updated. This type of attack lets them target the infrastructure of companies or individual users and steal valuable information.

Printers are often connected to networks and computers, and their drivers act as software interfaces between the printer and the operating system. If these drivers have known vulnerabilities, hackers can exploit them to gain unauthorized access to the system.

To mitigate the risk of such attacks, it is crucial to keep printer drivers up to date by regularly checking for updates from the manufacturer. Additionally, implementing strong network security measures, such as firewalls and intrusion detection systems, can help prevent unauthorized access and protect sensitive information. Regular security audits and employee training on best practices for cybersecurity can also significantly reduce the likelihood of successful attacks.


The PaperCut vulnerability, CVE-2023-27350 as referenced in the FBI report, affects PaperCut MF and PaperCut NG software, allowing attackers to bypass authentication and execute arbitrary code with SYSTEM privileges. PaperCut announced the vulnerability in March 2023, and unpatched servers are being actively exploited. Another vulnerability, CVE-2023-27351, allows unauthenticated attackers to access user information. Once a system is compromised, a ransom message is printed to the user, as shown in the figure below.

Sample ransomware note from Bl00dy ransomware gang.

Ransomware groups and state-sponsored cyberespionage threat actors are actively exploiting this vulnerability. The Bl00dy ransomware group has targeted educational facilities, exfiltrating data and encrypting systems. Microsoft has reported attacks by the Lace Tempest group delivering Clop ransomware using the vulnerability. Iranian state-sponsored threat actors, Mint Sandstorm and Mango Sandstorm, have also adapted the exploit in their operations.

To detect this threat, monitoring network traffic that accesses the SetupCompleted page of a vulnerable PaperCut server is recommended. Modifications to certain configuration keys or print scripts may indicate a compromise. DNS log files should be searched for domains associated with recent PaperCut exploitation. Monitoring child processes spawned from the PaperCut server and analyzing server settings and log files can also help identify compromises.
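The three detection sources listed above (web requests to the SetupCompleted page, DNS queries for known-bad domains, and unexpected child processes of the PaperCut server) lend themselves to a simple triage script. The one below is an added example, not from the FBI/CISA advisory, Microsoft or PaperCut. It assumes combined-format web access logs, DNS query logs containing `query: <domain>`, and process-creation events as (parent, child) pairs; the request path containing `SetupCompleted`, the server process name `pc-app.exe` and the baseline of suspicious child processes are assumptions to tune per environment, the watchlist domain is an obvious placeholder to be replaced with the advisory's indicators, and every log line is constructed.

```python
"""Triage three log sources for PaperCut exploitation indicators (added example)."""
import re

# Combined-log style access line: ip ident user [ts] "request" status
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# DNS resolver log fragment: ... query: <domain> IN A ...
DNS_QUERY_RE = re.compile(r"query: (?P<domain>[A-Za-z0-9.-]+)")

# Placeholder only: replace with the domains published in the advisory.
WATCHLIST = {"placeholder-papercut-c2.invalid"}

# Assumed baseline: a print-management server has no business launching shells.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}


def find_setup_completed_hits(access_lines):
    """Return (ip, timestamp, status) for every request touching the SetupCompleted page.

    On a server that finished setup long ago, any such request is worth a look;
    a 2xx/3xx from an external address is the pattern to escalate.
    """
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and "SetupCompleted" in m.group("req"):
            hits.append((m.group("ip"), m.group("ts"), m.group("status")))
    return hits


def find_watchlisted_dns(dns_lines, watchlist=WATCHLIST):
    """Return the queried domains that appear on the watchlist (trailing dot tolerated)."""
    matches = []
    for line in dns_lines:
        m = DNS_QUERY_RE.search(line)
        if m:
            domain = m.group("domain").lower().rstrip(".")
            if domain in watchlist:
                matches.append(domain)
    return matches


def find_suspicious_children(process_events, server_process="pc-app.exe"):
    """Return (parent, child) pairs where the PaperCut server spawned a suspicious child.

    server_process is an assumed name for the PaperCut application server process.
    """
    return [
        (parent, child)
        for parent, child in process_events
        if parent.lower() == server_process and child.lower() in SUSPICIOUS_CHILDREN
    ]


# Constructed sample data (not real logs). Path and process names are assumptions.
ACCESS_LOG = [
    '203.0.113.5 - - [21/Apr/2023:10:15:02 +0000] "GET /app HTTP/1.1" 200',
    '203.0.113.5 - - [21/Apr/2023:10:15:04 +0000] "GET /app/SetupCompleted HTTP/1.1" 200',
    '198.51.100.9 - - [21/Apr/2023:10:16:00 +0000] "POST /app/SetupCompleted HTTP/1.1" 302',
    'garbage line that does not parse',
]
DNS_LOG = [
    "21-Apr-2023 10:17:01.000 client 10.0.0.12#53211: query: updates.example.com IN A +",
    "21-Apr-2023 10:17:09.000 client 10.0.0.12#53212: query: placeholder-papercut-c2.invalid. IN A +",
]
PROCESS_EVENTS = [
    ("pc-app.exe", "java.exe"),
    ("PC-APP.EXE", "cmd.exe"),
    ("explorer.exe", "cmd.exe"),
]


def triage():
    """Run all three checks over the sample data and return a summary dict."""
    return {
        "setup_completed_hits": find_setup_completed_hits(ACCESS_LOG),
        "watchlisted_dns": find_watchlisted_dns(DNS_LOG),
        "suspicious_children": find_suspicious_children(PROCESS_EVENTS),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Each finding on its own is only a lead; a SetupCompleted hit from an internal address during a genuine reinstall is benign, whereas the same hit followed minutes later by the server spawning a shell is the sequence the advisory's guidance is built around.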

To protect against this vulnerability, patching vulnerable PaperCut servers is crucial. If patching is not possible, ensure that vulnerable servers are not accessible from the internet. Block inbound traffic from external IP addresses to web management ports and apply IP address restrictions to allow only verified site servers. Keeping all systems and software up to date and patched is also important to avoid common vulnerabilities.

Microsoft tweets about cyberespionage threat actors

With more than 70,000 organizations using PaperCut in more than 200 countries, other threat actors became interested in exploiting this vulnerability. CISA reports that 68% of the U.S.-exposed PaperCut servers (this includes vulnerable and non-vulnerable servers) belong to the Education Facilities Subsector. PaperCut also has customers in local governments, legal, life science, healthcare and higher education, according to its website.

Microsoft tweeted on May 5, 2023, that two Iranian state-sponsored cyberespionage threat actors, Mint Sandstorm (a.k.a. Charming Kitten and Phosphorus) and Mango Sandstorm (a.k.a. MuddyWater, Static Kitten and Mercury), quickly adapted the exploit in their operations to achieve initial access after the public proofs of concept were published, as shown below.

Tweet from Microsoft reporting that more threat actors are abusing the PaperCut vulnerability.