Cyber security experts have now unearthed numerous spyware campaigns at work that are focused on industrial firms. The threat operators involved are targeting companies in the sector to steal credentials associated with enterprise email accounts and carry out financial fraud, or, in other cases, to sell on the passwords and usernames to other operators.

To avoid detection, the malicious actors behind the scheme are using off-the-shelf, ready-to-use spyware tools and are deploying variants for an exceptionally limited window of time. Some examples of the malware deployed in the attacks recently revealed include HawkEye, AgentTesla (also known as Origin Logger), Masslogger, Noon (also known as Formbook), Lokibot, Azorult and Snake Keylogger.

Anomalous spyware assaults

Researchers at Kaspersky have dubbed these attacks as “anomalous” due to their exceedingly short lifespan in comparison to other strategies involving spyware observed on the cyberthreat landscape. While the majority of spyware campaigns can run for many months and sometimes even for years, the recently uncovered attacks are restricted to run for around 25 days at a time.

To date, researchers have witnessed all campaigns involve less than 100 systems being attacked, with half of this number being integrated computer systems (ICS) machines that are deployed within industrial environments.

Kaspersky also identified another peculiar element of the attacks. To exfiltrate stolen data to the threat actor’s command and control (C2) server, the attack uses a communication protocol that is SMTP-based. In typical spyware campaigns documented, HTTPS is used for communications with C2 servers, and usually a one-way communication channel like SMTP is employed only for data theft.

As a rule, SMTP is not the first choice for most threat operators, as it is unable to fetch non-text files and binaries, but it can thrive thanks to its simplicity and capacity to blend seamlessly into standard network traffic.

Credentials stolen for deeper penetration

The threat operators employ stolen staff credentials, which they obtain through spear-phishing tactics to more deeply infiltrate before moving laterally throughout a company’s network. Furthermore, they abuse corporate mailboxes that were compromised in former attacks, using them as C2 servers for fresh attacks. This makes the flagging and detection of malevolent internal communications exceptionally challenging.

The Kaspersky report commented:

“Curiously, corporate antispam technologies help the attackers stay unnoticed while exfiltrating stolen credentials from infected machines by making them ‘invisible’ among all the garbage emails in spam folders.”

So far, the cybersecurity analysts have identified about 2,000 corporate accounts being used as temporary command and control servers, and a further 7,000 accounts being violated and repurposed for malicious ends by other means.

Many of the credentials for emails, SMTP, cPanel, RDP and VPN accounts that were taken in these spyware campaigns are later published on dark web forums and markets and eventually find buyers in the form of other threat operators. The analysis from Kaspersky found that approximately 3.9 per cent of Remote Desktop Protocol (RDP) accounts that are sold at illegal marketplaces belong to established industrial firms.

RDP accounts are valuable to cybercriminals, as they allow them to access compromised devices remotely and interact directly with a machine without raising a single red flag.

Protect all the credentials that belong to your and your enterprise with Galaxkey’s data security solution, which you can test completely free for 14 days.