Thousands of people working for government agencies and NGOs have been targeted by a sophisticated spear-phishing campaign, according to the FBI and the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). Microsoft previously announced that this campaign is the work of the group behind the SolarWinds attack, but the FBI and CISA have not yet confirmed this.

In the attack the US government agencies warn of, the attackers gained access to the Constant Contact account of USAID, the US government's development agency. Constant Contact is an email marketing service. Through the compromised account, the attackers then sent phishing emails that appeared to come from USAID.

The emails contain a legitimate Constant Contact link that points to a malicious ISO file. This ISO file contains malware as well as a PDF document that serves as a decoy. According to the FBI and CISA, the recent campaign targeted more than 7,000 accounts belonging to more than 350 government organizations and NGOs.

In the warning, the FBI and CISA provide various Indicators of Compromise (IOCs) and other technical information. An IOC is an observable that identifies the presence of a specific threat, such as a particular malware instance, on a network. This includes URLs, domain names and IP addresses.
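As an added illustration of how such IOCs are put to use (not code from the advisory or from any of the organizations named here), the script below matches a constructed IOC set against constructed proxy log lines by URL, domain (including subdomains) and IP/CIDR, and additionally flags ISO downloads as a heuristic because the campaign's payload arrived as an ISO image; all indicator values are placeholders, not the ones from the warning.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed IOC set: placeholders standing in for the values an advisory lists.
IOC_DOMAINS = {"example-phish.invalid"}
IOC_IPS = {ipaddress.ip_network("203.0.113.0/24")}  # TEST-NET-3, constructed
IOC_URLS = {"http://example-phish.invalid/download/decoy.iso"}

# Constructed proxy log lines: "<timestamp> <client-ip> <dest-ip> <url>"
SAMPLE_LOGS = [
    "2021-05-28T10:01:02Z 10.0.0.5 198.51.100.7 https://www.example.com/index.html",
    "2021-05-28T10:03:15Z 10.0.0.9 203.0.113.44 http://example-phish.invalid/download/decoy.iso",
    "2021-05-28T10:04:40Z 10.0.0.9 198.51.100.8 https://mail.example-phish.invalid/login",
    "2021-05-28T10:06:01Z 10.0.0.12 198.51.100.9 https://files.example.org/report.iso",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def domain_matches(host, ioc_domains):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)

def ip_matches(ip, ioc_nets):
    """True if ip falls inside any IOC network (a single IP is a /32)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ioc_nets)

def scan_line(line):
    """Return the reasons a log line matched; an empty list means no hit."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    _, _, dest_ip, url = m.groups()
    parts = urlsplit(url)
    reasons = []
    if url in IOC_URLS:
        reasons.append("url")
    if domain_matches(parts.hostname or "", IOC_DOMAINS):
        reasons.append("domain")
    if ip_matches(dest_ip, IOC_IPS):
        reasons.append("ip")
    # Heuristic, not a listed IOC: the campaign's payload arrived as an ISO image.
    if parts.path.lower().endswith(".iso"):
        reasons.append("iso-download")
    return reasons
```

Exact URL and IP matches are high confidence; the subdomain and ISO heuristics are broader and are there to surface lines for review rather than to alert on their own.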

In conclusion, organizations engaged in international affairs are advised to raise their awareness and follow the recommended security measures, including running training programs, restricting administrator accounts, and deploying signatures that block connections to Cobalt Strike servers and other post-exploitation tools.