The extensive media coverage of high-profile cyberattacks can raise awareness of the dangers inherent in system vulnerabilities, prompt the installation of more comprehensive security and defense solutions, and even lead to new government guidelines, like those put in place after the Colonial Pipeline attack. But there is also a downside: among the avid newshounds are many cybercriminals who seek to exploit the momentum and public concern in order to carry out attacks of their own.
Cyber defense company Inky, which specializes in anti-phishing solutions, reports that over the past few weeks it has seen dozens of attempted attacks trying to leverage the one against Colonial Pipeline, using sophisticated lures disguised as security measures. According to the company, following the attack that shut down the supply of fuel to large parts of the East Coast, many of its clients received emails, supposedly from their organizations' help desks, which included instructions for downloading "anti-ransomware system updates". Needless to say, the "defense" software was actually malware.
"Phishers excel at leveraging current events and other cyber-attacks to create urgency in their communications. In this case, no doubt many recipients wanted to 'do the right thing and help out the IT team' by clicking on the bad link," Inky's report said. "An IT policy stating that employees will not be asked to download certain file types might be a good start to combat attacks like this."
The company also points out that phishers are becoming more sophisticated. "They try to make their emails look as if they come from the target’s employer, lending them an air of greater legitimacy. By using newly created domains, the email can evade traditional phishing analysis," Inky said. "The important analysis to be done here is not whether the email comes from a legitimate host but whether it comes from where it appears to come. If it looks as if it was sent by the company itself (e.g., from HR, IT or Finance), does it in fact originate from an email server under the company’s control?"
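The check Inky describes (does a message that claims to come from IT, HR or Finance actually originate from a domain the company controls, and is it pushing a download IT would never send?) can be scripted against raw message headers. The following is an added example written for this article, not Inky's product or any code from the original; the company domain, role-name keywords and the two sample messages are constructed, hypothetical values.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical organization (constructed for this example, not from the article).
COMPANY_NAME = "example-corp"
COMPANY_DOMAINS = {"example-corp.com"}

# File types an IT policy might declare are never distributed by email.
BLOCKED_EXTENSIONS = (".exe", ".msi", ".js", ".vbs", ".scr", ".bat", ".iso", ".zip")

# Display names that imply an internal sender (the "looks as if sent by the company" case).
INTERNAL_ROLE = re.compile(r"\b(help ?desk|it|hr|finance|human resources)\b", re.I)


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if absent)."""
    addr = parseaddr(str(header_value))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[method.lower()] = verdict.lower()
    return results


def is_lookalike(domain):
    """True when a domain we do not control still carries the company name
    (e.g. 'example-corp-secure.com', 'examp1e-corp.com')."""
    if domain in COMPANY_DOMAINS:
        return False
    label = domain.split(".")[0].translate(str.maketrans("10", "lo"))  # undo digit-for-letter swaps
    return COMPANY_NAME in label


def assess(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Internal-looking sender whose domain is not under the company's control.
    if INTERNAL_ROLE.search(display) and from_dom not in COMPANY_DOMAINS:
        findings.append(f"internal-looking sender '{display}' but From domain {from_dom} is not company-controlled")

    # 2. Newly registered lookalike domains are the evasion Inky describes.
    if is_lookalike(from_dom):
        findings.append(f"From domain {from_dom} imitates the company name")

    # 3. Replies or bounces routed to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 4. A message using the real company domain must also pass DMARC at our edge.
    if from_dom in COMPANY_DOMAINS and _auth_results(msg).get("dmarc") != "pass":
        findings.append("uses the company domain but DMARC did not pass")

    # 5. Attachments or links of file types IT never sends by email.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            findings.append(f"attachment {name} is a file type IT never sends by email")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://\S+", text):
        if url.split("?")[0].lower().endswith(BLOCKED_EXTENSIONS):
            findings.append(f"link to executable download {url}")

    return findings


# Constructed sample: the lure pattern described in the article.
RAW_PHISH = """\
From: "IT Help Desk" <helpdesk@example-corp-secure.com>
Reply-To: support@mail-updates.example
Return-Path: <bounce@mail-updates.example>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=mail-updates.example; dkim=none
Subject: URGENT: install the anti-ransomware update
Content-Type: text/plain; charset="utf-8"

Following the recent pipeline attack, all staff must install the update today:
https://mail-updates.example/anti-ransomware-update.exe
"""

# Constructed sample: a genuine internal notice that should produce no findings.
RAW_LEGIT = """\
From: "IT Help Desk" <helpdesk@example-corp.com>
Return-Path: <helpdesk@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass
Subject: Reminder: security awareness training
Content-Type: text/plain; charset="utf-8"

Training is available in the learning portal: https://learn.example-corp.com/training
"""

if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        print(label, assess(raw) or "no findings")
```

The design point is the one in Inky's quote: the decision is not whether the sending host is reputable, but whether a message claiming to be internal is aligned with a domain the company actually controls (From, Reply-To and Return-Path all agreeing, and DMARC passing when the real domain is used). The file-type check encodes the policy Inky suggests: if staff know IT never emails executables, a message that does so can be flagged mechanically.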
Meanwhile, further information on the Colonial Pipeline attack has been revealed. Over the weekend, it was reported that the attackers succeeded in accessing the network using a single compromised password. Charles Carmakal, senior vice president of Mandiant (a division of FireEye), said that the password was linked to a private networking account used for remote access to the company's computer network. By the time of the attack the account was no longer in use, but it could still be exploited to gain access. Carmakal confirmed to CNN that the account did not have an additional layer of security.
The ease with which the cybercriminals brought one of the nation's critical infrastructures to its knees underscores not only the grave risks involved but also the lack of awareness at some major businesses, which fail to adopt basic digital hygiene. Tomorrow (Tuesday), Colonial Pipeline CEO Joseph Blount will testify before Congress about the damage that was caused and the company's decision to pay the ransom.