April Fools! A Blooper Reel of Recent Digital Attack Campaigns



David Bisson

Nowadays, digital attacks are a serious concern for organizations. One need only look to the growing costs of digital crime to understand why.

IBM’s 2018 Cost of a Data Breach Study found that the cost of a data breach had increased 6.4 percent over the previous year to $3.86 million. Meanwhile, Cybersecurity Ventures estimates that damages associated with digital crime will cost organizations upwards of $6 trillion annually by 2021.

While increasingly sophisticated attacks are driving the rising cost of security incidents, not all malicious campaigns are created equal. Some just aren’t up to snuff. In fact, some suffer from serious weaknesses that ruin the entire operation.

In honor of April Fool’s Day, let’s examine a few of these glaringly unsuccessful attacks.

No Malicious Payload Here!

Around the beginning of March, My Online Security received a phishing email that masqueraded as correspondence relating to an invoice. The email, which came with a spoofed sender address, said that the recipient needed to verify their company’s account for billing purposes. It therefore directed them to return a signed and stamped copy of an invoice attached to the email.

This is where the campaign fell apart. Presumably, the attackers intended to include an attachment disguised as an invoice that would load malware on the recipient’s machine. But as reported by Bleeping Computer, the phishers instead attached a legitimate PowerShell command-line utility that ships with the Windows operating system. This executable, which was available on Windows 8.1, did not perform any malicious activity on the victim’s computer. Not only that, but by sending an executable via email, the attackers ensured that Outlook and all other major email providers would block the “payload” outright for security reasons.

A Buggy Condition Wins the Day

Also in early March, bad actors targeted hundreds of popular Israeli websites in a campaign known as “#OpJerusalem.” The goal of this operation was to deface targeted sites with the message “Jerusalem is the capital of Palestine.” Its intention also included infecting all users who visited any of the affected sites during the campaign with malware such as JCry ransomware.

But things didn’t go according to plan. Researchers at CyberArk observed one infection instance that compromised an Israeli site by spreading a malicious file across all subdomains of the target. When the researchers analyzed the page’s source code, as published on GitHub, they found that the infection chain came with a significant bug: the attackers coded a condition that looked for computers running “Windows” instead of “Windows 10,” “Windows 8” or other valid versions of the Windows OS. Because that condition never matched, the infection process terminated before loading the malware.

A Chink in LockerGoga’s Armor

LockerGoga made some big headlines in March 2019 after the ransomware infected systems at Norsk Hydro, one of the world’s largest aluminum providers. Norsk Hydro responded by shutting down several production plants. A week later, the company said that it had recovered 70 percent to 80 percent of its production capabilities but that the attack had cost upwards of $41 million.

As it turns out, however, this digital threat appears to suffer from a small coding error. Alert Logic observed as much in its analysis of the malware. Specifically, the firm discovered that the ransomware performs an initial reconnaissance scan to build a file list before executing its encryption routine. When it comes across a .lnk file, it attempts to use its hardcoded shell32/linkinfo DLLs to resolve the shortcut’s path. If that shortcut is malformed, the resolution raises an unhandled error and the ransomware fails to run.

Theoretically, users could thus protect themselves against infection from at least certain variants of LockerGoga by crafting their own misconfigured .lnk file. This file should either contain an invalid network path or have no associated RPC endpoint, and it should reside in “Recent Items.”

Guarding Against the Non-Bloopers

If only more bad actors botched their attack campaigns. Sadly, that’s not the case. The reality is that most attacks don’t have bugs and even go the extra mile to evade detection.

To help combat all of these well-crafted operations, organizations should use an email security solution that analyzes incoming messages based on their URLs, patterns, malware signatures and other characteristics while allowing legitimate correspondence to come through.

Don’t be fooled by digital attacks! Take a multi-layered approach to your organization’s email security.