Microsoft discovers phishing attacks by the SolarWinds hackers


Microsoft has discovered multiple phishing attacks that the company attributes to the group behind the SolarWinds backdoor. The attacks, which also exploited an iOS vulnerability, targeted some 3,000 email accounts belonging to individuals at more than 150 organizations in at least 24 countries. The targeted organizations work in, among other areas, international development and human rights.


In the first months of this year, the attackers ran several phishing campaigns whose emails carried an HTML attachment. When the recipient opened it, JavaScript inside the HTML file wrote an ISO image to disk (a technique known as HTML smuggling, in which the payload is embedded in the page and reassembled by the browser so that nothing recognizable is fetched over the network) and the user was urged to open that image. Doing so ran a .lnk shortcut inside the ISO, which executed Cobalt Strike Beacon on the system. Beacon is a remote access tool that attackers use to move laterally through an environment.
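The following triage script is an added example, not code from the original article or from Microsoft: it shows how a defender can flag an HTML-smuggling lure of the kind described above. It looks for the JavaScript constructs that reassemble a file in the browser (`atob`, `Blob`, `URL.createObjectURL`, `msSaveOrOpenBlob`, a `download` attribute), decodes any long base64 run in the page, and classifies the result by magic bytes, using the ISO 9660 volume descriptor signature `CD001` at offset 0x8001 to recognize an embedded ISO image. The sample HTML and the fake ISO inside it are constructed here for the demonstration; the payload is a bare volume descriptor with no file system contents.

```python
"""Triage scanner for HTML-smuggling lures.

Added example (not from the original article): flags JavaScript that rebuilds a
file client-side and inspects embedded base64 payloads for an ISO 9660 image.
"""
import base64
import re

# JavaScript constructs commonly used to turn an embedded string into a download.
JS_INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*="),
}

# A long run of base64 characters is a candidate smuggled payload.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def classify_payload(data: bytes) -> str:
    """Identify a decoded payload by magic bytes.

    ISO 9660 images keep a 'CD001' volume descriptor signature at byte 0x8001
    (the first 16 sectors of 2048 bytes are the system area), so an ISO has
    no recognizable header at offset 0 the way PE or ZIP files do.
    """
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe"
    if data[:2] == b"PK":
        return "zip"
    return "unknown"


def scan_html(html: str) -> dict:
    """Return the JS indicators found, every decodable base64 payload with its
    type, and a verdict: two or more indicators plus a recognizable payload."""
    indicators = [name for name, rx in JS_INDICATORS.items() if rx.search(html)]
    payloads = []
    for match in B64_BLOB.finditer(html):
        try:
            data = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        payloads.append({"offset": match.start(), "size": len(data),
                         "type": classify_payload(data)})
    suspicious = len(indicators) >= 2 and any(p["type"] != "unknown" for p in payloads)
    return {"indicators": indicators, "payloads": payloads, "suspicious": suspicious}


# Constructed test data (assumption: a minimal ISO-shaped blob, not a real image):
# 32 KiB of system area followed by a primary volume descriptor header.
FAKE_ISO = b"\x00" * 0x8000 + b"\x01CD001\x01\x00" + b"\x00" * 16
PAYLOAD_B64 = base64.b64encode(FAKE_ISO).decode()

# Constructed lure modelled on the technique in the text, not a captured sample.
SAMPLE_HTML = f"""<html><body>
<p>Your document is ready.</p>
<script>
var b = atob("{PAYLOAD_B64}");
var a = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);
var blob = new Blob([a], {{type: "application/octet-stream"}});
var l = document.createElement("a");
l.href = URL.createObjectURL(blob);
l.download = "report.iso";
l.click();
</script></body></html>"""


if __name__ == "__main__":
    result = scan_html(SAMPLE_HTML)
    print("indicators:", ", ".join(result["indicators"]))
    for p in result["payloads"]:
        print(f"payload at {p['offset']}: {p['size']} bytes, type={p['type']}")
    print("suspicious:", result["suspicious"])
```

Run it against a mail gateway's quarantined HTML attachments; the verdict logic deliberately requires both a client-side reassembly construct and a recognizable decoded payload, since base64 blobs alone (inline images, fonts) are common in benign HTML.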


The attackers also varied their tactics. In one variant the HTML file linked directly to an ISO image containing an RTF document that dropped Cobalt Strike Beacon. Other phishing emails contained only a link to a website posing as the targeted organization's own site, and the ISO file was then offered for download from that site.


Microsoft also saw the attackers exploit a vulnerability in iOS. When a victim opened the link in the email and landed on the attackers' server, the server checked whether the visitor was an iOS device; if so, the user was redirected to another server that exploited CVE-2021-1879, a WebKit vulnerability. It was a zero-day: by the time Apple patched it, it was already being exploited.


In the most recent attack observed by Microsoft, on May 25, the attackers gained access to the Constant Contact account of USAID, the US government's development agency. Constant Contact is an email marketing service. Through the compromised account the attackers sent phishing emails that appeared to come from USAID.


When users clicked the link in the email, they were first taken to the legitimate Constant Contact service and from there redirected to an attacker-controlled server that delivered an ISO file to the system. Users still had to open the file themselves to become infected. Microsoft's Tom Burt argues that the attacks show the need for rules on how states should behave in cyberspace, and for consequences when those rules are violated.
