The U.S. government and education sectors are being targeted by cybercriminals looking to steal sensitive data. These sectors hold large volumes of sensitive data that are easily monetized, victims can be extorted, and access to compromised networks can be sold to other cybercriminal groups such as ransomware gangs. These attacks can result in significant data breaches, major financial losses, and reputational damage that is hard to repair.

The campaign uses a combination of two malware variants and vulnerability exploitation, and the attack starts with phishing emails with malicious attachments. The campaign was identified by researchers at Veriti and delivers the notorious Agent Tesla remote access trojan (RAT) and an information-stealing malware called Taskun. Agent Tesla provides attackers with remote access to networks and is often used by initial access brokers for compromising networks, with the access sold on to other cybercriminal groups. Agent Tesla can be used to download additional payloads and has comprehensive information-stealing capabilities. The malware can log keystrokes, take screenshots, and steal credentials from browsers, wireless profiles, and FTP clients.

Taskun malware is spyware that also has information-stealing capabilities. In this campaign, the malware is used to compromise systems and make it easier for Agent Tesla to be installed, establish persistence, and operate undetected for long periods. The campaign involves emails with malicious attachments, with social engineering techniques used to trick employees into running malicious code that exploits unpatched vulnerabilities in operating systems and Office applications. The campaign involves a reconnaissance phase to identify the vulnerabilities that can be exploited to maximize the chance of a highly impactful compromise. The vulnerabilities exploited in this campaign include several Microsoft Office remote code execution vulnerabilities dating from 2010 to 2018 and takes advantage of businesses with poor patch management practices, incomplete inventories of connected devices, and devices running outdated software due to issues upgrading.

Defending against email-based attacks involving multiple malware variants and vulnerability exploitation requires a multi-layered approach to security, with cybersecurity measures implemented that provide overlapping layers of protection. The first line of defense should be advanced spam filtering software to block inbound spam and phishing emails. SpamTitan from TitanHQ is an AI-driven cloud-based email filtering service that is capable of identifying and blocking spam and phishing emails and has advanced malware detection capabilities. In addition to dual antivirus engines, the SpamTitan hosted spam filter includes email sandboxing for behavioral detection of malware threats. In independent tests, SpamTitan was shown to block 99.983% of spam emails, 99.914% of phishing emails, and 99.511% of malware.

It is important to ensure that employees are made aware of the threats they are likely to encounter. Security awareness training should be provided to teach cybersecurity best practices, eradicate risky practices, and train employees to be vigilant and constantly on the lookout for signs of phishing and malware. The SafeTitan security awareness training platform makes it easy to develop and automate comprehensive training and keep employees up to date on the latest tactics used by threat actors. SafeTitan, in combination with TitanHQ’s cloud-based anti-spam service, will help to ensure that phishing and malware threats are identified and blocked.

Cybersecurity best practices should also be followed, such as implementing multi-factor authentication on accounts, ensuring patches are applied promptly, keeping software up to date, installing endpoint antivirus solutions, and network segmentation to reduce the impact of a successful attack. It is also important to ensure there is a comprehensive inventory of all devices connected to the network and conduct vulnerability scans to ensure weaknesses are detected to allow proactive steps to be taken to improve security.