• CheckPoint.com
• 
• 
• 
• 
• 
• 

By Matan Ben David, Incident response Analyst

Imagine that you’re the owner of a startup and waiting for a million-dollar seed round of funding, only it never shows up in your bank account. Or imagine you’re the head of a venture capital firm who believes you’ve wired investment funds to one of the startups in your portfolio, yet the funds never appeared on the other side.

This is a real case that was investigated by the Check Point Incidence Response Team (CP IRT) earlier this year (2019).
\nA Chinese venture capital firm was alerted by their bank that there was an issue with one of their recent wire transactions. A few days later, a young Israeli startup realized they didn’t receive their one million dollars seed funding. Both sides got on the phone and quickly realized that their money was stolen.

Once both sides realized the money was gone, they also noticed something strange going on with the emails between the two parties, as some of the emails were modified and some were not even written by them.

At this point, the CEO of the Israeli startup engaged CP IRT to investigate the fraudulent money transfer. What started as a normal Business Email Compromise (BEC) quickly turned into something else.

CP IRT collected and analyzed the available logs, e-mails, and PCs involved.
\nDuring the evidence collection phase, CP IRT faced 3 challenges that any customer-facing Incident Responder has probably encountered at some point.

CHALLENGES

The customer’s mailboxes were hosted on GoDaddy’s email server which, not surprisingly, didn’t provide any information to help the investigation.

The audit logs only showed the five last logins to the server and all of them were for the Israeli startup employee

We realized that if the user account was compromised on the Israeli side, we probably wouldn’t be able to determine the exact times the attacker was logged in or which IP was used.

We had to track down the original emails so we could investigate the email headers. As we only had screenshots (from a mobile) of the emails in question, we decided to collect the mailbox archives from all the people that were CC’ed in the original thread. By searching for keywords from the screenshots, we were able to locate the original emails.

THREAT ACTOR IN THE MIDDLE

Now that we had the original emails, the bigger picture became clearer and we could see how the attacker was able to carry out this attack.

Apparently, a few months before the money transaction was made, the attacker noticed an email thread announcing the upcoming multi-million dollars seeding fund and decided to do something about it.

Instead of just monitoring the emails by creating an auto-forwarding rule, as is seen in the usual BEC cases, this attacker decided to register 2 new lookalike domains.

The first domain was essentially the same as the Israeli startup domain, but with an additional ‘s’ added to the end of the domain name. The second domain closely resembled that of the Chinese VC company, but once again added an ‘s’ to the end of the domain name.

The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain spoofing the email address of the Israeli startup’s CEO.

The second email was sent to the Israeli startup from the lookalike Chinese VC company domain spoofing the VC account manager that handled this investment.

This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack.

Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.

Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side. Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success.

ELECTRONIC DIVERSIONS OF PHYSICAL MEETINGS

At one point during the attack, the Chinese account owner and the CEO of the Israeli startup scheduled a meeting in Shanghai. At the last moment, the attacker sent an email to both sides canceling the meeting, providing a different excuse for why they couldn’t meet to each.

Without this crucial act from the attacker’s side, the whole operation would probably have failed. It’s reasonable to expect that during the meeting, the account owner would be asked to verify the bank account changes that were made.

This was an unacceptable risk for the attacker, and so, he took steps to make sure it wouldn’t happen. This is the sign of an experienced attacker.

What would you do if you realized you just managed to steal one million dollars?

Go on a vacation? Buy a nice car?

Not our attacker:

In a brazen move, instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment.

If that wasn’t enough, even after the attack was remediated, the Israeli CFO  continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction. The content of the email is as follows:

Lessons learned / Key Takeaways

\n
1. Automatically prevent – Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
\n
2. Educate your employees – On top of that, proper and ongoing education of employees to the trending threat in the email space.
\n
3. When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
\n
4. Ensure your email infrastructure is able to keep audit & access logs for at least six months. In startup mode, it’s easy to quickly build infrastructure with security and logging dealt with only as an after-thought.
\n
5. Always capture as much forensic evidence as possible when dealing with suspected or confirmed cybersecurity incidents. Deleting a piece of evidence only assists the attacker. Timely evidence captures when the incident occurs can also insure important logs and evidence are not overwritten.
\n
6. Leverage a tool to identify newly registered domains that are look-alikes to your own domain name.
\n

Have an Incident Response Plan and Tactical IR Playbooks ready ahead of time! Knowing what to do before a crisis arises streamlines response activity and decreases the time it takes to remediate.

For the email security vector, Check Point’s Artificial Intelligence based security engines include an advanced anti-phishing engine, which relies on behavioral analysis, designed to prevent precisely attacks similar to the one in our story.

TOP ATTACKS AND BREACHES

• Crooks are exploiting the global panic concerning the outbreak of the Coronavirus to infect Japanese users with Emotet through emails pretending to be a notice regarding infection prevention measures.
  • Check Point SandBlast and Anti-Bot blades provide protection against this threat (Trojan.Win32.Emotet)

Tags: #Phishing

• The Japanese firm NEC, a contractor for Japan’s defense industry, has suffered a data breach on December 2016. The breach, which was publicly disclosed by Japanese media, happened after an unauthorized actor hacked one of the company’s servers, potentially accessing 28,000 files.
• The US government contractor Electronic Warfare Associates has fallen victim to a Ryuk ransomware attack, which compromised its web servers and other online sites. The attack occurs days after Ruyk’s newest variant was enhanced to allow its operators to steal government-related data in large quantities.
  • Check Point SandBlast and Anti-Bot blades provide protection against this threat (Ransomware.Win32.Ryuk)

Tags: #Ransom&Steal

• Despite the release of final security patches, attackers are continuing to actively exploit the critical Citrix vulnerability tracked as CVE-2019-19871, affecting Citrix NetScaler ADC and Gateways. It is estimated that around 80,000 companies from United States, United Kingdom, Germany and more are still at risk.
  • Check Point IPS blade provides protection against this threat (Citrix Multiple Products Directory Traversal (CVE-2019-19781))

• Following the credit card breach affecting over 850 Wawa convenience stores, hackers have put up for sale more than 30 million payment details on a dark web marketplace.
• A leaked confidential United Nations report reveals that several UN servers of offices in Geneva and Vienna were compromised by an unknown actor. The report speculated that the attack was conducted by state actors, which were able to compromise an Active Directory server via SharePoint vulnerability.

Tags: #APT

• OurMine, a hacking group known to target celebrity social media accounts, hacked the official accounts of a number of NFL teams on various platforms, including Twitter, Facebook and Instagram.

VULNERABILITIES AND PATCHES

• Check Point Research has disclosed a flaw in the Zoom video conference, which could allow attackers to brute-force Zoom for meeting IDs and hack into sessions that are not password-protected.
• Two vulnerabilities have been found in Microsoft Azure Cloud Infrastructure by Check Point Research - a server-side request forgery (SSRF) issue (CVE 2019-1234) and a remote code execution flaw (CVE-2019-1372). The first may allow an attacker to access sensitive information from virtual machines running on Azure cloud. The second may lead to a remote code execution and complete takeover of the affected server through the Azure App service. Both were addressed and patched by Microsoft.
• A critical security flaw in OpenSMTPD email servers has been discovered, and may potentially allow remote attackers to take complete control over OpenBSD-based and other Linux-based servers. The flaw resides in OpenSMTPD sender validation function, and can be exploited by sending a specially-crafted SMTP message to the server.
• A newly-discovered vulnerability in Intel’s CPU, dubbed CacheOut, may allow sensitive information leakage from the secured SGX enclave, the OS kernel and virtual machines.

THREAT INTELLIGENCE REPORTS

• The newest variant of Predator the Thief has been examined by Check Point Research. The current version of the info-stealer was found to use various anti-debugging and anti-analysis techniques. Researchers traced the stealer back to its underground market sales and the potential authors.
  • Check Point Anti-Virus and Anti-Bot blades provide protection against this threat (Trojan-PSW.Win32.Predator)

• After analyzing Phorpiex botnet’s infrastructure and monetization methods, Check Point Research has published the first part of a thorough analysis of the malicious modules deployed onto victim machines.
  • Check Point Anti-Bot and Anti-Virus blades provide protection against this threat (Worm.Win32.Phorpiex.*)

Tags: #Botnet

• Researchers have uncovered a highly-targeted campaign operated by the Winnti APT group targeting Hong-Kong universities using the ShadowPad backdoor and Winnti malware.
  • Check Point Anti-Bot blade provides protection against these threats (Backdoor.Win32.Shadowpad; Backdoor.Win32.Winnti)

Tags: #APT

• A series of targeted attacks on the US government research contractor Westat has been observed by researchers, who attributed the campaign to the Iranian OilRig group (also known as APT34). The group used a phishing document masquerading as an employee satisfaction survey that installed the TONEDEAF backdoor as well as the VALUEVAULT password stealer.
  • Check Point Anti-Bot blade provides protection against this threat (Backdoor.Win32.TONEDEAF; Infostealer.Win32.VALUEVAULT)

Tags: #APT