Newsletter 05/20/2023

Just When You Thought It Was Safe To Go Back To Your Inbox
Follina, That Big Bad BEC attacker, is Back

Follina, Follina, where you been so long?
I ain't had no spammin', since you've been gone
— With apologies to the Unknown Composer of
Corrine, Corrina, First recorded in 1918

On November 5, 2022, the Dispatches reported on Yours Truly's involvement in mitigating the negative outcomes of a Business Email Compromise (BEC) attack.  Further research convinced me that the first attack, on which I had reported, was only the precursor of a second attack that clearly had all the hallmarks of the Follina vulnerability (CVE-2022-30190), a flaw in the Microsoft Support Diagnostic Tool (MSDT) that is triggered through a booby-trapped Office document and therefore counts Office 365 users among its targets.  The Follina attack began as a concerted and specially focused spam email campaign.

Well, Sports Fans, the unfortunate news, as first reported in BleepingComputer on May 12, 2023, is that the Follina exploit has returned with a new modus operandi.  Although its payload seems even more dangerous than before, its initial means of attack is still a phishing campaign.  Attached to these suspicious emails may be Word .docx files or Excel .xlsx files.  The BleepingComputer reporting draws on earlier research by Elastic Security Labs, published as an in-depth analysis on April 7, 2023.

What Elastic Security observed was that this new attack was first launched via a "malicious word document named Card & Booking Details.docx. This document has been designed with the intent to deceive the victim and includes two falsified scanned documents, namely a credit card and a passport."  The report continues with an in-depth analysis of how the malware does its damage.  After the initial infection, the malware deletes the document that delivered it.  Then it inflicts its real pain on its victims by "first killing the process Winword.exe and then deleting all .DOCX files located in the default Downloads and Desktop folders of every user."  The report concludes this section with a keen observation of the obvious:  "This initial step shows the malware's destructive nature and how it can potentially harm the user's data."  Ah, duh!
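As an added illustration (this is editor-written example code, not from the newsletter, BleepingComputer or Elastic's report): a Follina document does not carry its payload inline.  It carries, in the document's relationships part (word/_rels/document.xml.rels for Word, xl/_rels/ for Excel), an OLE-object relationship whose Target is an external URL, and the HTML fetched from that URL launches the ms-msdt: protocol handler.  The checker below unzips any Office Open XML file, parses every .rels part, and flags an external OLE-object relationship or an ms-msdt: string anywhere inside.  The sample document it builds is constructed in memory for the demonstration; the file name, relationship Id and the 198.51.100.7 address are illustrative, not indicators from any real sample.

```python
"""Scan an Office Open XML file (.docx/.xlsx/...) for Follina-style indicators.

Added example, not code from the newsletter or from Elastic's report.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)
# Relationship types that have no business pointing outside the package.
# Hyperlinks are legitimately External, so they are deliberately not listed.
RISKY_EXTERNAL_TYPES = {OLE_OBJECT_TYPE}
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_ooxml(data: bytes) -> list[tuple[str, str, str]]:
    """Return (part_name, indicator, detail) triples found in the document.

    Indicators:
      external-ole   an oleObject relationship with TargetMode="External"
      ms-msdt        the ms-msdt: protocol string inside any part
      bad-rels-xml   a .rels part that is not well-formed XML
    An empty list means no indicator was found, not proof the file is benign.
    """
    findings: list[tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if MSDT_RE.search(blob):
                findings.append((name, "ms-msdt", "protocol handler reference"))
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(blob)
            except ET.ParseError as exc:
                findings.append((name, "bad-rels-xml", str(exc)))
                continue
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                if rel.get("Type") in RISKY_EXTERNAL_TYPES:
                    findings.append((name, "external-ole", rel.get("Target", "")))
    return findings


def build_sample_docx(malicious: bool) -> bytes:
    """Constructed minimal .docx for the demo (not a real sample).

    With malicious=True it adds the external oleObject relationship that a
    Follina document uses; the URL and Id are made up for illustration.
    """
    rels = [
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/>'
    ]
    if malicious:
        rels.append(
            f'<Relationship Id="rId996" Type="{OLE_OBJECT_TYPE}" '
            'Target="http://198.51.100.7/booking.html!" TargetMode="External"/>'
        )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">' + "".join(rels) + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample_docx(False)),
                       ("follina-style", build_sample_docx(True))):
        print(label, scan_ooxml(doc))
```

To run it against a real attachment, read the file's bytes and pass them to scan_ooxml; a non-empty result is reason to quarantine the file rather than open it in Word.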

Ultimately, the real intent of this attack, so the report maintains, is to install one of two known and dangerous malware families.

During our research we discovered that the threat actor has been deploying different payloads. Namely, we observed 2 families: XWORM and AGENTTESLA.

XWORM is a remote access trojan (RAT).  AGENTTESLA is a known "trojan and credential stealer."  A trojan connects its victims to Command and Control (C2) servers, operated by known and unknown cybercrooks in known and unknown nations and/or regions somewhere on this beautiful blue orb that we call Planet Earth, and through them the attacker runs the infected machine.  Credential stealer seems self-explanatory.

For my clients and readers, what is most valuable here is information on how to avoid nightmares such as Follina.  This requires a certain degree of understanding of all the ways the attacker will come at you.  To put this in military terms, knowing the TACTICS of a Follina cyberattack is the first line of defense.  Elastic Labs, using the MITRE ATT&CK definition, describes tactics thus:  "Tactics represent the “why” of a technique or sub-technique. They represent the adversary’s tactical goals: the reason for performing an action."  Here, Elastic Labs links to the MITRE ATT&CK website.
[ed note:] MITRE ATT&CK is an excellent addition to your growing Cyber Security Primer.

Five different offensive tactics this new attacker employs are listed and succinctly explained:

Initial Access
The adversary is trying to get into your network.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Execution
The adversary is trying to run malicious code.

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Persistence
The adversary is trying to maintain their foothold.

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Command and Control
The adversary is trying to communicate with compromised systems to control them.

Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.

Defense Evasion
The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Small businesses that do not have full-time cybersecurity staff monitoring and filtering email must therefore rely on one of the most sensitive data filters there is: their own human brain.  Just as an artificial intelligence must be trained to notice the patterns that emerge from electronic human communication, people must train themselves to recognize the patterns in electronic communication that signal an oncoming attack.  The most effective action business owners, and all users, can take is to first open their Outlook email in plain-text mode (in Outlook: File > Options > Trust Center > Trust Center Settings > Email Security > "Read all standard mail in plain text").  Plain text keeps Outlook from rendering HTML, scripts and remote images, so the content of a message can be evaluated before interacting with it.  Once trained to recognize bad links or deceptive filenames, and having verified that the email is "Not One of Those," to quote the Glimmer Twins, the individual message, now judged most likely safe, can be read in HTML and turned back into its pretty and colorful state.  One caveat: plain text protects you from what is in the message body, not from what is attached to it.  Follina fires when the attached document is opened, so an unexpected attachment, even one named like a booking confirmation, should stay unopened, and every machine should carry Microsoft's June 2022 patch for CVE-2022-30190.

If you think you do not have the time to do this, ask yourself how much time you have to waste cleaning up after an attack.  Once a user is practiced at opening email in plain text first, I estimate it adds maybe 30 extra seconds per email. 

A Dispatch posted November 6, 2022, partly inspired by the first Follina attack, offers a tutorial on how to manage Outlook email in plain text.  The graphics have been slightly improved.

As I type this, all of the cyberattackers in action are betting that you are too ignorant, too lazy or too stressed out to take the defensive measures that can keep the cretins at bay.  So far they are winning that bet and continue to play with the House's money.

There's an old saying in Tennessee 
I know it's in Texas, probably in Tennessee
that says, fool me once, shame on — shame on you.
Fool me — you can't get fooled again.
— President George W. Bush

¯\_(ツ)_/¯
Gerald Reiff
