Small- and medium-sized businesses are being targeted in a phishing campaign that leverages the email service provider (ESP) SendGrid. SendGrid is a legitimate and well-known company that provides a customer communication platform for transactional and marketing email. SendGrid customer accounts are targeted to gain access to company mailing lists which can be used for a variety of email campaigns, such as phishing, spamming, and scams. In this campaign, the phishers compromise companies’ SendGrid accounts and use the ESP itself to send phishing emails. Emails sent through the SendGrid platform are likely to be trusted by email security solutions, especially as the compromised accounts will have been used to send communications in the past. SendGrid may even be whitelisted to ensure that the emails are always delivered to inboxes. SendGrid emails are also likely to be trusted by end users.
In this campaign, the emails use a security-themed lure and inform the recipients that they need to set up 2-factor authentication – a perfectly reasonable request since 2-FA will better protect accounts against unauthorized access. The users are provided with a link that directs them to a malicious website that spoofs the SendGrid login, and if credentials are entered, they are harvested by the scammer. The emails were routinely delivered to inboxes and evaded email security solutions because the SendGrid was trusted.
SendGrid performs stringent checks on new accounts so it is difficult for malicious actors to use SendGrid directly, instead they compromise business SendGrid accounts, often through phishing attacks. Twilio SendGrid detected the malicious activity linked to customer accounts that were being used for phishing, and its fraud, compliance, and cyber security teams immediately shut down accounts. To better protect SendGrid accounts, users are advised to log in to their account and set up 2-factor authentication to prevent compromised credentials from granting access to user accounts.
The campaign demonstrates that even emails from reliable sources may not be what they seem. Many companies provide security awareness training to their employees that teaches cybersecurity best practices and trains employees on how to recognize and avoid phishing. It is important to include these types of emails in training material, as ESPs are being increasingly targeted by cybercriminals due to the effectiveness of campaigns run through an ESP.
With SafeTitan, keeping employees up to date on the latest tactics used by phishers and other cybercriminals is easy. The training content is regularly updated with new phishing templates based on real-world attacks and the latest phishing trends, and phishing simulations can be conducted on employees to test how they respond to phishing attempts outside of the training environment. SafeTitan is the only security awareness training platform that delivers targeted training automatically in response to bad security practices by employees, ensuring training is provided at the moment when it is most likely to be taken on board.
A new malware-as-a-service operation has been identified named Eternity Project which is offering a modular malware with extensive capabilities, allowing threat actors to conduct a range of malicious activities based on the modules they pay for. The capabilities of the malware are being enhanced to include further modules. Currently, the threat group is offering an information stealer, clipper, miner, dropper, worm, and ransomware, with distributed-denial-of-service (DDoS) bots to be provided in an upcoming module.
The threat actors claim the stealer module will allow users to obtain passwords stored in multiple browsers, data from email clients, instant messaging services, password managers, VPN clients, gaming software, system credentials, cryptocurrency wallets, and more. The miner allows victim devices to become cryptocurrency mining slaves, the clipper allows data to be stolen from the clipboard, which specifically targets cryptocurrency wallets and replaces them with the threat actors’ crypto-wallet addresses, with the ransomware allowing data encryption, although no data exfiltration. The worm module allows the user to infect other devices on the network, with the dropper used to drop the payload of choice onto infected devices. The Eternity Project malware was analyzed by researchers at Cyble, who report that the malware is being offered via a Telegram channel which, at the time of publication, had over 500 subscribers, as well as on the threat group’s TOR website.
Malware-as-a-service operations such as the Eternity Project give unskilled hackers the capability to conduct a range of attacks that they would otherwise not be able to perform. According to Cyble, the malware modules are being offered from as little as $90 up to $490 for the most expensive module – ransomware. Those costs could easily be recovered from the capabilities provided. The methods used to distribute Eternity malware will depend on the capabilities of the threat actors that pay for the modules. Since multiple methods of distribution could be used, defending against Eternity malware and other malware-as-a-service offerings requires a defense-in-depth approach and for security best practices to be followed.
Phishing remains the number one vector for delivering malware. Campaigns are easy and cheap to conduct, and phishing campaigns can be very effective. Email security solutions are fed threat intelligence and have anti-virus components, but many solutions rely on signature-based detection and are only effective at detecting known malware. Behavior-based detection methods are needed for detecting heavily obfuscated malware and zero-day threats. SpamTitan combines signature-based threat detection using dual AV engines and a Bitdefender-powered sandbox for identifying zero-day malware threats and allows the blocking of specified attachments such as zip files and executable files. SpamTitan protects against malicious links in emails and scans all inbound emails in real-time, using advanced threat protection methods such as Bayesian analysis, machine learning, greylisting, and heuristics which provide a market-leading 99.99% spam catch rate with a 0.003% false-positive rate
Defense-in-depth against phishing is critical for blocking malware threats. Protection can be significantly improved using DNS filtering. DNS filtering is used to block the web-based component of phishing attacks by providing time-of-click protection to prevent users from visiting malicious web pages linked in phishing emails. DNS filtering is used to filter out malicious websites by preventing users from visiting those sites when web browsing, blocking redirects to malicious sites, and category and keyword-based filters to control the content that users can access, preventing access to risky websites. DNS filters can also be used to block downloads of certain file types from the Internet, such as those associated with malware.
The WebTitan DNS Filter provides these capabilities without latency, and protections can be applied for users on or off the network, no matter where they access the Internet. WebTitan is fed threat intelligence from more than 500 million endpoints worldwide and provides AI-based protection against active and emerging phishing URLs and zero-minute threats.
Security Awareness Training & Phishing Simulations
Technical measures to block email and web-based threats are essential, but it is also important to provide security awareness training to the workforce on security best practices and to teach employees how to recognize and avoid threats such as phishing. Security awareness training should be provided regularly, and phishing simulations conducted to identify gaps in knowledge to allow them to be addressed before they can be exploited.
SafeTitan is the only behavior-driven security awareness solution that delivers security awareness training in real-time in response to specific user behaviors and includes an extensive library of training content that is delivered in easy-to-digest chunks for creating a human firewall to augment your technical cybersecurity measures.
Enforce Multifactor Authentication
Multifactor authentication should be implemented on all accounts and services to prevent compromised, stolen, or leaked credentials from being used to gain access to accounts. It is especially important to apply multifactor authentication to administrator accounts and for remote access services. Multifactor authentication requires an additional factor to be provided before access is granted, in addition to a password.
To protect against destructive malware attacks involving wipers and ransomware, it is essential to back up data regularly and to test backups to ensure that file recovery is possible. A good approach to take is the 3-2-1 method for backing up – make three copies, stored on at least two different media, and ensure that one copy is stored securely off-site. Backup files should also be encrypted.
You should ensure that updates for software and operating systems are applied promptly, with patching prioritized to address the most critical vulnerabilities first.
Change Default Credentials and Set Strong Passwords
Default credentials should be changed, as should the default configurations of off-the-shelf software and strong, unique passwords should be set to protect against brute force attacks. Threat actors can easily gain initial access to the network through brute force attempts to steal passwords, such as password spraying – using passwords compromised in previous data breaches.