Over the last couple of months, we have been sharing blog posts on the topic of social engineering with the intent to help raise awareness about the increasingly sneaky tactics attackers are using. One of the posts from January featured several basic social engineering attack examples. As a follow-up to that post, we wanted to share a couple of additional recent examples showing how attackers are using the file-sharing sites WeTransfer and Smash to distribute Bumblebee malware via sales Requests For Proposal (RFPs).

Bumblebee Threat Overview and Attack Characteristics

Bumblebee is a stealthy malware loader that is not easily detected by antivirus vendors because it can often install itself in memory without touching the disk, which then allows additional malware, such as ransomware or Cobalt Strike, to be installed. Bumblebee is distributed by phishing email campaigns recently observed masquerading as a Product Requirement Document (PRD) or a Request for Proposal (RFP).

In September of 2021, Google Threat Analysis Group (TAG) began observing Bumblebee malware and identified EXOTIC LILY as the threat actor. Financially motivated, EXOTIC LILY operates as an Initial Access Broker (IAB) and has been associated with data exfiltration and human-operated ransomware, including Conti and Diavol. EXOTIC LILY operates by spoofing legitimate companies and employees as a means of gaining the trust of targeted organizations, using legitimate file-sharing services like Smash and WeTransfer to evade malicious-content detection tools and deliver their payload disguised as business requirements or proposals. The characteristics of the attacks that zvelo has seen in the last few weeks are consistent with the same tactics, techniques, and procedures (TTPs) that were originally observed by TAG.

The threat actors begin by submitting a "contact us" form via a vendor or company's website using a spoofed company and identity. The oddly worded message, plus a quick verification via LinkedIn of the legitimate Damcosoft company against the .net address indicated by the email in the form submission, raised suspicions. In this case, the target was unable to verify whether the supposed employee who submitted the form actually existed. Most companies use some type of autoresponder message for sales form enquiries, which the attacker then used to create a notification from WeTransfer that Ryan Nelson had shared a product requirements document, with a link to download the file and a password to download the document.

In a different example, a threat actor (possibly the same threat actor) attempted to engage the target via a LinkedIn connection request. In this case, the individual had spoofed the LinkedIn profile of an actual employee at an actual, legitimate business. After a couple of emails back and forth with the target, the threat actor sent the following email message and the password for the document shared on Smash, immediately followed by the RFP shared via Smash.

Protection Against Bumblebee Malware

Because the threat actor uses shared storage sites to deliver the Bumblebee malware, and the malicious links are most likely personalized for each attack target, attempting to block the URLs at the domain level is not always practical, especially in cases where the domain is from OneDrive, Google Docs, or other commonly used and whitelisted sites. The best protection against these types of social engineering attacks is to remain vigilant and proceed with extreme caution any time you see something that is out of the ordinary. For example, when the wording of an inbound message seems odd, or if the request doesn't quite fit with what is typical for your organization, be immediately suspicious.
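As an added example (not code from the zvelo post), the following Python script triages inbound messages for the signals the post describes rather than blocking the sharing domains: a download link on a legitimate file-sharing site, a password supplied in the same message, RFP/PRD wording, and a sender address whose domain does not match the company the sender claims to represent. The sharing-site hostnames and the sample messages are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hostnames for the sharing services the post names (WeTransfer, Smash) plus the
# commonly whitelisted storage sites it mentions. These hostnames are assumptions
# made for this example, not values taken from the post.
FILE_SHARE_HOSTS = {"wetransfer.com", "fromsmash.com", "onedrive.live.com", "docs.google.com"}
LURE_PHRASES = ("request for proposal", "rfp", "product requirement", "prd")

@dataclass
class InboundMessage:
    sender: str           # From: address as received
    claimed_domain: str   # real web domain of the company the sender says they work for
    subject: str
    body: str

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def share_hosts(text: str) -> set[str]:
    """Return the hostnames of any links that point at a known file-sharing service."""
    found = set()
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in FILE_SHARE_HOSTS):
            found.add(host)
    return found

def triage(msg: InboundMessage) -> list[str]:
    """Collect the signals that, taken together, mark a Bumblebee-style RFP/PRD lure."""
    text = f"{msg.subject}\n{msg.body}".lower()
    reasons = []
    hosts = share_hosts(text)
    if hosts:
        reasons.append("download link on a legitimate sharing site: " + ", ".join(sorted(hosts)))
    if "password" in text:
        reasons.append("password for the shared file supplied in the same message")
    if any(p in text for p in LURE_PHRASES):
        reasons.append("RFP/PRD wording used as the pretext")
    if sender_domain(msg.sender) != msg.claimed_domain.lower():
        reasons.append(f"sender domain {sender_domain(msg.sender)} differs from {msg.claimed_domain}")
    return reasons

# Constructed samples: an attacker-style sharing notification and a benign internal note.
LURE = InboundMessage("ryan.nelson@example-vendor.net", "example-vendor.com",
                      "Product Requirements Document shared via WeTransfer",
                      "Please download the PRD: https://wetransfer.com/downloads/abc123 (password: Q4-2022)")
BENIGN = InboundMessage("alice@example.com", "example.com", "Lunch menu",
                        "Cafeteria menu for next week is attached.")

if __name__ == "__main__":
    for m in (LURE, BENIGN):
        print(m.subject, "->", triage(m) or ["no signals"])
```

A message that trips several signals at once is the one to verify out of band (a phone call to a number you already have, not one from the message) before anyone opens the shared file.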