On December 1, 2014, a blog regarding activity by a threat actor classified as “FIN4” was published by the Wall Street Journal. This article describes an active targeted phishing campaign with a focus specifically targeted at the emails of C-level executives, legal counsels, regulatory, risk, and compliance personnel, and other individuals who discuss confidential and potentially market effecting matters.
What We Know
The technique uses spear phishing emails to gather credentials from users and return them back to the Command and Control servers (CnC) where the login credentials are then used to log into the users webmail remotely through TOR to escalate the attack. This threat activity was previously alerted on by eSentire in a communication sent to our clients and posted to our website on November 11, 2013. At that time eSentire began blocking these attacks for our clients proactively within the Asset Manager Protect Service (AMP) and have continued to watch for these indicators since.
eSentire features that help protect you:
- As the channel of initial communication was disclosed, eSentire scanned through all historical data stored on your sensor(s) to see if any machines spanned to us were compromised through this method. At this time we do not see any indicators of compromise through the disclosed channels.
- We have added the IPs associated with the initial communication vectors below into our AMP blacklist and continue to watch for these threat indicators.
The following recommended actions are effective security controls that you can implement locally to help protect your networks from this threat:
- Educate users on email security best practices.
- Enable two-factor authentication for email logins.
- Implement a group policy control to disable VBA macros in Microsoft Office