The CrowdStrike Intelligence team discovered a hacking campaign in which threat actors impersonated reputable cybersecurity companies to execute phishing attacks.
The attackers sent professional emails informing the target that they identified potential network compromise during their routine audit. They included a number the recipient should call to discuss the situation and provide additional information to resolve the problem.
CrowdStrike warned that the callback campaign had a high potential for success because of the urgency a potential data breach creates. Additionally, the phishing email contained no malicious links, so it was unlikely to be flagged by anti-phishing security solutions. Remote work further increased the probability of success.
Beware of phishing attacks impersonating reputable cybersecurity companies
The attackers claim to have identified “abnormal activity” on the network segment the target belongs to during their “daily network audit.” Additionally, they claim to have identified the implicated network admin and that all workstations, including the target’s, were compromised.
They warn that the compromise potentially exposed critical information on the network and the target’s workstation. Citing the California Consumer Privacy Act of 2018, they warn of potentially dire regulatory impacts.
“We have already reached out directly to your information security department, however, to address potential compromise of location workstation, they referred us to the individual operators of these workstation, i.e. employees.”
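As an added illustration of the detection gap noted above (a link-free lure slips past URL scanners), the following constructed scorer flags mail that combines the features described on this page: a phone number with no link, a security vendor named from a non-vendor sending domain, urgency wording, and a CCPA citation. It is not CrowdStrike’s or any vendor’s detection logic; the vendor list, phrases, weights, threshold, sample domain and phone number are all assumptions.

```python
import re

# Constructed heuristics built from the lure features described above; not CrowdStrike's
# or any vendor's detection logic. Phrases are taken from the email as quoted on the page.
IMPERSONATED_VENDORS = ("crowdstrike", "mandiant")  # vendors the page names
URGENCY_PHRASES = ("abnormal activity", "network audit", "compromise", "data breach")
REGULATORY_PHRASES = ("california consumer privacy act", "ccpa")
PHONE_RE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
FLAG_THRESHOLD = 6  # assumed cut-off; tune against real mail flow

def score_callback_lure(subject: str, body: str, sender_domain: str) -> dict:
    """Score an email for the callback-phishing pattern: a phone number but no link,
    a security vendor named from a non-vendor domain, and urgency or regulatory pressure."""
    text = f"{subject}\n{body}".lower()
    phone_no_link = PHONE_RE.search(body) is not None and URL_RE.search(body) is None
    vendor = next((v for v in IMPERSONATED_VENDORS if v in text), None)
    # A vendor named in the mail but absent from the sending domain is the impersonation signal.
    vendor_spoofed = vendor is not None and vendor not in sender_domain.lower()
    urgency_hits = sum(1 for p in URGENCY_PHRASES if p in text)
    cites_regulation = any(p in text for p in REGULATORY_PHRASES)
    score = 3 * phone_no_link + 3 * vendor_spoofed + min(urgency_hits, 2) + cites_regulation
    return {
        "score": score,
        "flagged": score >= FLAG_THRESHOLD,
        "phone_no_link": phone_no_link,
        "vendor_spoofed": vendor_spoofed,
        "urgency_hits": urgency_hits,
        "cites_regulation": cites_regulation,
    }

# Constructed sample mirroring the lure on the page (sender domain and number are placeholders).
SAMPLE_LURE = dict(
    subject="Urgent: potential compromise identified during CrowdStrike audit",
    body=("Our daily network audit identified abnormal activity on the network segment "
          "your workstation belongs to. Under the California Consumer Privacy Act of 2018 "
          "this may be a reportable breach. Please call 555-013-0199 to resolve this."),
    sender_domain="secure-audit-notify.example",
)
# Constructed benign control: a link but no phone number, sent from the vendor's own domain.
SAMPLE_BENIGN = dict(
    subject="CrowdStrike Falcon release notes",
    body="The release notes are available at https://www.example.com/notes.",
    sender_domain="crowdstrike.com",
)

if __name__ == "__main__":
    for name, mail in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, score_callback_lure(**mail))
```

The sender domain should come from an authenticated header (SPF/DKIM-aligned From), otherwise the impersonation check is trivially bypassed by a spoofed display name.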
The cybersecurity company noted that this was a first-of-its-kind phishing tactic. “This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches,” CrowdStrike wrote.
The cybersecurity firm also warned that it does not use the aforementioned methods to reach out to its customers. Most cybersecurity companies work directly with internal security staff through approved channels.
“CrowdStrike does not contact customers in this manner,” the cyber security firm warned in a blog post.
While impersonating cybersecurity companies is a new tactic, hackers have previously impersonated popular brands such as Amazon, Walmart, and Target in callback phishing attacks. Similar phishing attacks involve antivirus and support subscriptions, renewals, and cancellations.
“Cybercriminals will try all kinds of emotional or scare tactics to get users to click on links or open attachments,” James McQuiggan, Security Awareness Advocate at KnowBe4, said. “For many years, we’ve seen them pretend to be Microsoft support by calling or emailing users to notify them their computer is infected with a virus. The focus now shifts to the company’s users, letting them infect their work computer or network.”
McQuiggan advises employees to verify communications because cybersecurity companies would not contact individual users about malware.
“The security company would go directly to the cybersecurity or IT senior manager. Within a robust security awareness program, if users were to receive that email, they would know to report to their IT department to deal with it.”
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said that the most effective user training was educating workers on the proper communication channels.
“One of the most important facets of effective cybersecurity awareness training is educating users beforehand on how they will or will not be contacted, and what information or actions they may be asked to take.”
Clements also recommended creating “trusted paths” for verifying communication. This strategy should apply not only to cybersecurity companies but also to others, including HR departments.
“By educating users on similar trusted paths they can use to verify any incoming requests, you increase your organization’s overall resiliency to these types of cyberattacks.”
Callback phishing attacks lure victims to install remote access and post-exploitation tools
When the target calls the number, the threat actors trick them into installing legitimate remote administration tools (RATs) to grant the attackers access to the network.
Additionally, they lured the victims to install pentesting tools such as Cobalt Strike for lateral movement.
In March 2022, CrowdStrike observed threat actors using AteraRMM to install Cobalt Strike and propagate laterally across networks in a similar phishing campaign.
CrowdStrike did not disclose which other cybersecurity companies the attackers impersonated or the type of employees targeted.
However, the tactic suggests that the target victims are individuals with some cybersecurity knowledge or administrative rights. Nevertheless, they could also target unskilled employees and guide them to install malware on their workstations during the phone call.
According to CrowdStrike, installing remote administration tools was the primary tactic. However, threat actors are unlikely to squander a golden opportunity to explore other exploitation paths.
Consequently, the attack could take a different trajectory, including compromising the target’s email account to send phishing links to co-workers or performing BEC attacks. Such attacks have become very common, dominating the security news headlines.
Quantum ransomware potentially involved in callback phishing attacks
CrowdStrike suggested that the callback phishing campaign would lead to ransomware attacks, like in previous callback campaigns by Conti ransomware. The cybersecurity firm did not determine the ransomware variant likely to be deployed in the campaign.
However, AdvIntel threat intelligence had warned about Quantum ransomware prepping for a similar campaign impersonating Mandiant or CrowdStrike on June 21, 2022.