Tuesday, May 15, 2018

Sharepoint Email Phishing
Summary:
At about 12:33 PM Eastern on Monday, May 14, an email was delivered to multiple mailboxes within the company. It purported to be from an internal employee, and the sender address was that employee's legitimate address; it was not obfuscated to hide a different originating address. There were at least two variations of the email. Both contained a link to a malicious domain (sued[.]co[.]ke), hidden behind the link text "DownloadAttachments". Clicking the link took some users to a page that prompted them for their email address and password.

The URL and parent domain were immediately added to the company's Umbrella (Cisco Umbrella DNS filtering) block list to prevent any further DNS resolution of the domain when users click on the link.

The IP addresses that the link resolved to were added as shun entries on the firewalls at all sites.
Approximately 35 to 40 users appear to have clicked on the link and entered credentials. All users who contacted IT Support or the HelpDesk have had their domain password changed. Users who submitted credentials but did not report it are the remaining exposure; the network events recorded below are the way to identify them so their passwords can be reset as well.

Investigation shows that the email came from an external IP address and was not necessarily sent from an internal device. The originating IP address in the email header (X-Originating-IP: 173.239.199.110) is unknown to threat intel resources. The address is located in Illinois, in a VPN block that belongs to LogicWeb. There are no domains hosted at this IP. Note that Exchange Online stamped the message with X-MS-Exchange-Organization-AuthAs: Internal and MessageDirectionality: Originating, meaning it was accepted as an authenticated submission from the employee's own mailbox rather than as inbound mail spoofing that address. Combined with the external originating IP, this is consistent with the employee's account being used from outside the company, so sign-in activity for that account from 173.239.199.110 should be reviewed and the account's credentials reset along with those of the victims.
The email body was created in Gmail, as indicated by the gmail-m_ prefixed class names throughout the HTML source (the OWAAutoLink class shows the message then passed through Outlook on the web). The alternate text of the SharePoint logo is in Spanish: img alt="Resultado de imagen para sharepoint logo" ("Image result for sharepoint logo"), which is the alt text Google Image Search attaches to a copied image, so the logo was most likely pasted from a Google Images search in a Spanish-language locale.


Known malicious sample download
SHA256 - f9e8e6107cb0ff5ad3b891ad99580aac57eaa8f519c8ba9baa9c779d4b6f68f8
File Type: HTML
Magic: HTML document text
SSDeep: 768:DHxjTggziQuAr7SpF9G9h919/ozio/InD:6GiQuAr7SpEozio/ID
File Size: 28.77 KB
Main detection: Trojan.HTML.Phishing
Domain Info
Domain Name:  sued.co.ke

IP Addresses Resolved to:
·       208.91.199.87
·       162.213.252.60 <-- All our traffic was centered around this IP

Screenshot of the email:
[screenshot not included in this copy]

E-Mail Message Sample 1 Header and Source

Received: from BN7xxxxxxx113.xxxxxxx.prod.outlook.com (2603:10b6:4:ae::39) by
DMxxxxxB4105.xxxxxx.prod.outlook.com with HTTPS via
DM5xxxx0.NAMxxx07.PROD.OUTLOOK.COM; Mon, 14 May 2018 16:33:27 +0000
Authentication-Results: domain.com; dkim=none (message not signed)
header.d=none;domain.com; dmarc=none action=none
header.from=<company name>;
.
.
.
From: "Dennis B. Manning" <dennis.manning@bioglobal.co>
To: "Dennis B. Manning" <dennis.manning@bioglobal.co>
Subject: INVOICE
Thread-Topic: INVOICE
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthSource: BN7PRxxxxmprd04.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-Originating-IP: [173.239.199.110]
X-MS-Exchange-Organization-Network-Message-Id: 61d1100c-e50e-4798-2591-08d5b9b868a9
X-MS-PublicTrafficType: Email
X-Microsoft-Exchange-Diagnostics: 1;BN7PR04MB4307;35:hYQ8ykDJvNTkVuzaeSsSAZpmmFrC1R5Ulntep7gMcSI/UhbDiIALU6UQOhBeYZY2UCllhTuswM3SWrmuDe6GIw==
X-MS-Exchange-Organization-ExpirationStartTime: 14 May 2018 16:33:22.6051
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: Original Submit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: Original Submit
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;

E-Mail Message Sample 2 Header and Source

Received: from BN7xxxx04.xxxxxxx4.prod.outlook.com (2603:10b6:4:ae::44) by
DxxxxxB4105.namprd04.prod.outlook.com with HTTPS via
DM5xxxx0115.NAxxx07.PROD.OUTLOOK.COM; Mon, 14 May 2018 16:34:11 +0000
Received: from BNxxxxxB4050.xxxxxx.prod.outlook.com (20.176.18.18) by
BN7Pxxxx04.xxxx4.prod.outlook.com (20.xx6.xx.155) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.755.16; Mon, 14 May 2018 16:34:09 +0000
Authentication-Results: teijin.co.jp; dkim=none (message not signed)
header.d=none;teijin.co.jp; dmarc=none action=none
header.from=<Company name>;
.
.
.

From: "Dennis B. Manning" <dennis.manning@bioglobal.co>
To: "Dennis B. Manning" <dennis.manning@bioglobal.co>

Subject: INVOICE
Thread-Topic: INVOICE
Date: Mon, 14 May 2018 16:34:04 +0000
X-Originating-IP: [173.239.199.110]


E-Mail Body Source Code (interesting sections)

<a href="http://sued.co.ke/sharepoint/sharepoint/" rel="noopener noreferrer" id="LPlnk981628" class="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-OWAAutoLink gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-OWAAutoLink gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-OWAAutoLink OWAAutoLink" target="_blank" style="color:rgb(17,85,204)" previewremoved="true"><font size="2" color="#1155CC"><span id="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-m_2205792334074373374gmail-LPlnk375107" style="font-size:16px; background-color:transparent">DownloadAttachments</span></font></a>
.
.
.
<span id="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-m_2205792334074373374gmail-ms-rterangepaste-start" style="font-size:16px; background-color:transparent"></span></font><img alt="Resultado de imagen para sharepoint logo" width="152" height="48" src="https://mvpcluster.com/wp-content/uploads/2016/03/0001-SP-2013-Logo.png"><font size="2" color="#1155CC"><span id="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-m_2205792334074373374gmail-ms-rterangepaste-end" style="font-size:16px; background-color:transparent"></span>
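The header and body checks described above (authentication results, originating IP, the AuthAs stamp, and a call-to-action link pointing off the sender's domain) can be automated so that the next report of a suspicious message is triaged in seconds. The following is an added example written for this write-up; it is not code from the original post. The message it parses is constructed to mirror the quoted headers and body fragments (same sender, domains and originating IP) and is not a capture; the header.from value in it is assumed to be the sender's domain.

```python
"""Header and link triage for a suspected phishing message.

Added example for this write-up; not code from the original post. The
message below is constructed to mirror the quoted headers and body
fragments (same sender, domains and originating IP); it is not a capture.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (headers folded as Exchange emits them). The
# header.from value is assumed to be the sender's domain.
SAMPLE = b"""\
Authentication-Results: domain.com; dkim=none (message not signed)
 header.d=none;domain.com; dmarc=none action=none
 header.from=bioglobal.co;
From: "Dennis B. Manning" <dennis.manning@bioglobal.co>
To: "Dennis B. Manning" <dennis.manning@bioglobal.co>
Subject: INVOICE
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthAs: Internal
X-Originating-IP: [173.239.199.110]
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://sued.co.ke/sharepoint/sharepoint/" class="gmail-m_123 OWAAutoLink"
 target="_blank"><font size="2"><span>DownloadAttachments</span></font></a>
<img alt="Resultado de imagen para sharepoint logo" width="152" height="48"
 src="https://mvpcluster.com/wp-content/uploads/2016/03/0001-SP-2013-Logo.png">
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects every anchor's href with its visible text, plus img alt text."""

    def __init__(self):
        super().__init__()
        self.links = []      # [{"href": ..., "text": ...}]
        self.img_alts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._current = {"href": a["href"], "text": ""}
        elif tag == "img" and a.get("alt"):
            self.img_alts.append(a["alt"])

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


def triage(raw: bytes) -> dict:
    """Pull the indicators an analyst checks first: sender, auth results,
    originating IP, and every link whose host is not the sender's domain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_addr = msg["From"].addresses[0].addr_spec
    sender_domain = from_addr.rsplit("@", 1)[1].lower()
    auth = msg.get("Authentication-Results", "")
    orig_ip = msg.get("X-Originating-IP", "").strip("[] ")

    findings = []
    # No DKIM signature and no DMARC result: nothing cryptographic vouches for From.
    if "dkim=none" in auth:
        findings.append("dkim=none: message not signed")
    if "dmarc=none" in auth:
        findings.append("dmarc=none: no DMARC policy for the From domain")
    # Exchange stamped the message as an authenticated internal submission, yet the
    # client IP is outside the company: the account itself is the likely problem.
    if msg.get("X-MS-Exchange-Organization-AuthAs") == "Internal" and orig_ip:
        findings.append(f"authenticated internal submission from {orig_ip}")

    html = msg.get_body(preferencelist=("html",)).get_content()
    ex = LinkExtractor()
    ex.feed(html)
    suspicious = []
    for link in ex.links:
        host = (urlparse(link["href"]).hostname or "").lower()
        # A call-to-action link pointing off the sender's domain is the phish itself.
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            suspicious.append({"text": link["text"], "host": host, "href": link["href"]})

    return {"from": from_addr, "originating_ip": orig_ip, "findings": findings,
            "suspicious_links": suspicious, "image_alts": ex.img_alts}


def block_list(report: dict) -> set:
    """Hosts to push to DNS filtering (e.g. Umbrella), as the response above did."""
    return {l["host"] for l in report["suspicious_links"]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it on a saved .eml and the report gives the sender, the originating IP, the authentication findings and the off-domain link hosts to block; the image alt text is included because, as in this case, it can reveal where the lure was assembled.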



First query seen in SecurityCenter (SC), logged by the Nessus Network Monitor (nnm) sensor:
May 14 09:41:14 nnm: 10.x.x.101:53|10.x.x.111:53|17|7024|DNS Client Queries|PVS has observed this host perform a DNS lookup. The most recent DNS query performed was for: |sued.co.ke to the server at 10.x.x.111|

SecurityCenter Events
·       530 Web_Request events tracked by SC. Almost all were GET requests for .css files. The ones below were unique in the list of GET/POST events:

HTTP request detection|The following GET/POST request was observed:|DIP: 162.213.252.60:80 Type: POST;URI: /?wc-ajax=get_refreshed_fragments;Referer: http://sued.co.ke/sharepoint/sharepoint/Office%20365_files/SuiteServiceProxy.htm
(The /?wc-ajax=get_refreshed_fragments POST is a WooCommerce AJAX call that the site's own JavaScript fires automatically, which indicates the phishing kit was planted on a compromised WordPress/WooCommerce site. This POST on its own does not show that the user submitted credentials; it only shows the page loaded in their browser.)

Random Variations (showed up 4 or 5 times out of 140 events):
GET;URI: /s/opensans/v15/mem5YaGs126MiZpBA-UN_r8OXOhv.woff;
GET;URI: /sharepoint/sharepoint/Office%20365_files/shellwofficons_f991c945.woff;
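The DNS and HTTP events above are what identify the users who clicked but never called the HelpDesk. The following is an added example written for this write-up (not code from the original post or from Tenable) that correlates events per internal host and tiers them: resolved the domain only, fetched content from the phishing IP, or POSTed to it. The log lines it reads are constructed in the shape of the events quoted above, with made-up internal addresses (10.0.0.x) and a placeholder plugin ID (0000) for the HTTP events, since the write-up only shows the tail of those lines.

```python
"""Host triage from SecurityCenter / Nessus Network Monitor (nnm) events.

Added example for this write-up; not code from the original post or from
Tenable. The log lines below are constructed in the shape of the quoted
events: internal addresses 10.0.0.x are made up and plugin ID 0000 is a
placeholder for the HTTP events.
"""
import re

IOC_DOMAINS = {"sued.co.ke"}
IOC_IPS = {"162.213.252.60", "208.91.199.87"}

# Constructed sample events (not a real capture).
LOG = """\
May 14 09:41:14 nnm: 10.0.0.101:53|10.0.0.111:53|17|7024|DNS Client Queries|PVS has observed this host perform a DNS lookup. The most recent DNS query performed was for: |sued.co.ke to the server at 10.0.0.111|
May 14 09:41:15 nnm: 10.0.0.101:49210|162.213.252.60:80|6|0000|HTTP request detection|The following GET/POST request was observed:|DIP: 162.213.252.60:80 Type: GET;URI: /sharepoint/sharepoint/;Referer: -
May 14 09:41:16 nnm: 10.0.0.101:49211|162.213.252.60:80|6|0000|HTTP request detection|The following GET/POST request was observed:|DIP: 162.213.252.60:80 Type: GET;URI: /sharepoint/sharepoint/Office%20365_files/shellwofficons_f991c945.woff;Referer: http://sued.co.ke/sharepoint/sharepoint/
May 14 09:41:20 nnm: 10.0.0.101:49215|162.213.252.60:80|6|0000|HTTP request detection|The following GET/POST request was observed:|DIP: 162.213.252.60:80 Type: POST;URI: /?wc-ajax=get_refreshed_fragments;Referer: http://sued.co.ke/sharepoint/sharepoint/Office%20365_files/SuiteServiceProxy.htm
May 14 09:43:02 nnm: 10.0.0.102:53|10.0.0.111:53|17|7024|DNS Client Queries|PVS has observed this host perform a DNS lookup. The most recent DNS query performed was for: |sued.co.ke to the server at 10.0.0.111|
May 14 09:50:31 nnm: 10.0.0.103:53|10.0.0.111:53|17|7024|DNS Client Queries|PVS has observed this host perform a DNS lookup. The most recent DNS query performed was for: |www.example.com to the server at 10.0.0.111|
"""

# Event line: "<ts> nnm: src:port|dst:port|proto|plugin|name|details..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) nnm: "
    r"(?P<src>[\d.]+):\d+\|(?P<dst>[\d.]+):\d+\|\d+\|(?P<plugin>\d+)\|"
    r"(?P<name>[^|]+)\|(?P<rest>.*)$")
DNS_RE = re.compile(r"was for: \|([^ |]+) to the server at ([\d.]+)")
HTTP_RE = re.compile(r"DIP: ([\d.]+):\d+ Type: (GET|POST);URI: ([^;]+)")

# Tier 1: host resolved the domain; 2: fetched content from the phishing IP;
# 3: POSTed to it. A POST is only a lead: the wc-ajax POST seen in this
# incident is fired automatically by WooCommerce, so tier 3 still means
# "contact the user and reset", not "credentials confirmed stolen".
TIER = {1: "resolved domain", 2: "fetched page", 3: "posted data (verify)"}


def triage_hosts(log_text, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Map each internal source host to its highest tier and the evidence for it."""
    hosts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, name, rest = m["src"], m["name"], m["rest"]
        if name == "DNS Client Queries":
            d = DNS_RE.search(rest)
            if d and d.group(1).lower() in ioc_domains:
                rec = hosts.setdefault(src, {"tier": 0, "dns": [], "requests": []})
                rec["dns"].append(d.group(1))
                rec["tier"] = max(rec["tier"], 1)
        elif name == "HTTP request detection":
            h = HTTP_RE.search(rest)
            if h and h.group(1) in ioc_ips:
                rec = hosts.setdefault(src, {"tier": 0, "dns": [], "requests": []})
                method, uri = h.group(2), h.group(3)
                rec["requests"].append((method, uri))
                rec["tier"] = max(rec["tier"], 3 if method == "POST" else 2)
    return hosts


def reset_candidates(hosts, min_tier=2):
    """Hosts whose users should be contacted for a password reset."""
    return sorted(h for h, rec in hosts.items() if rec["tier"] >= min_tier)


if __name__ == "__main__":
    for host, rec in sorted(triage_hosts(LOG).items()):
        print(f"{host}: {TIER[rec['tier']]} ({len(rec['requests'])} HTTP events)")
```

Feeding it the full 530-event export would yield the list of hosts to map back to users through DHCP or logon records. Lowering min_tier to 1 is the conservative choice when Umbrella blocked resolution, since a host that queried the domain after the block shows up only as tier 1 even though the user clicked.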
Spam vs. Junk

...And what to do about it.


Not all unwanted email is the same: there is spam and there is junk. Do you know what the difference is? Junk is anything that comes from a legitimate source, usually in the form of a marketing email. Spam comes from a less-than-ethical source and can take any form, usually with the intent of getting a user to click on a link. The link can then lead to a variety of sites with varying purposes. If the email is a "phishing" email, the intent is to get you to provide credentials or other sensitive information that the threat actor can then use to perform some nefarious action.

The other type of link delivers a piece of malicious software, usually without your consent or knowledge. This can allow even more serious activity to take place on your system and with your data. In rare cases, the link provides both a place to enter credentials and a download to your system. In all three cases, company data and personal data are placed at great risk.
Junk mail, on the other hand, just fills your mailbox and costs you the time it takes to delete it. Not nefarious, just a pain.

Training users to know the difference and how to respond to it can save a lot of work for the security analyst. 

For instance, Outlook has a Junk E-mail Options setting. This can be a great tool for end users, but they must be trained on what it means for them and their daily mail habits: junk is not the only thing the filter will catch, and new addresses need to be constantly added to the Safe Senders list.