By Tom Kellermann, SVP Cyber Strategy, Contrast Security
July 24, 2023
Turla — a Russian advanced persistent threat (APT) group closely affiliated with the FSB Russian intelligence agency — is attacking Ukrainian defense forces with spying malware, according to research published on July 18 by the country’s computer emergency response team (CERT-UA).
Active since at least the early 2000s, Turla — aka Waterbug, Venomous Bear, Snake, Uroboros and KRYPTON — is targeting Ukrainian defense forces with Capibar and Kazuar spyware, according to CERT-UA.
In yet another example of what MITRE calls the group’s calling card of “targeted intrusions and innovative stealth,” Turla is using Capibar spyware to compromise Microsoft Exchange servers using a PowerShell tool, thereby turning a legitimate server into a malware control center. After the APT establishes a foothold, it loads the Kazuar backdoor onto infected computers in order to amass and exfiltrate all manner of data, including, for example, databases and configuration files of programs including KeePass, Azure, Gcloud, AWS and others.
It’s just the latest example of how Turla and other APTs are commandeering trusted organizations’ infrastructure. They’re not just doing so to spy on Russia’s enemies. In fact, similar tactics, techniques, and procedures (TTPs) are being used in a type of fraud that’s been trending since at least 2019: namely, reverse business email compromise (BEC).
Traditional BEC attacks have led to losses of tens of billions of dollars over the past several years. In such an attack, hackers hijack finance-related email threads and trick employees into wiring money to the wrong accounts. They do so by first spoofing an email account or website — for example, with slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) — in order to fool victims into thinking that the fake accounts are authentic.
Then, the attackers send spearphishing emails that look like they’re from a trusted sender as they try to trick victims into revealing confidential information that can grant access to company accounts, calendars and data: information they need to carry out the BEC schemes.
BEC has been modernized: reverse BEC does away with the need for kludgy spelling-variation spoofs. Rather, adversaries exploit vulnerabilities to commandeer a victim organization's Office 365 admin rights and then, selecting targets very carefully with the aid of machine learning, send fileless malware to the board members and most senior executives of other companies that communicate with that organization.
Turla has lately been hijacking Office 365 administrator rights through application attacks or exploits of Microsoft vulnerabilities. Once the hackers are inside the network and hold admin rights in the victim tenant, they can kick BEC fraud into high gear because they no longer need to spoof the victim's domain. Rather, they simply send email from the organization's legitimate domain, and because those messages originate from the real tenant, they pass the SPF, DKIM and DMARC checks that would catch a look-alike domain.
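The two kinds of sender described above, the look-alike address in a traditional BEC attack and the genuine address used in reverse BEC, behave very differently under a simple triage check. The following is an added example, not code from the original article or from Contrast Security: it flags From: addresses within a small edit distance of a trusted contact and records whether the message passed SPF, DKIM and DMARC. The trusted-contacts list and the three sample messages are constructed for the demonstration; the names `TRUSTED_CONTACTS`, `classify` and `Verdict` are this example's own.

```python
"""Look-alike sender triage for BEC, and the blind spot reverse BEC exploits.

Added example (not the article's or Contrast Security's code). All addresses,
hostnames and headers below are constructed sample data.
"""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed list of known-good correspondents at a partner company.
TRUSTED_CONTACTS = {
    "john.kelly@examplecompany.com",
    "cfo@examplecompany.com",
}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    and adjacent transposition each cost 1 (catches 'kelly'/'kelley' and 'kelly'/'kelyl')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


@dataclass
class Verdict:
    sender: str
    lookalike_of: Optional[str]  # trusted address the sender imitates, if any
    auth_pass: bool              # spf, dkim and dmarc all "pass" in Authentication-Results


def classify(raw_message: str, trusted=TRUSTED_CONTACTS, max_distance: int = 2) -> Verdict:
    """Parse one RFC 5322 message and compare its From: address against trusted contacts."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    auth = msg.get("Authentication-Results", "").lower()
    auth_pass = all(f"{mech}=pass" in auth for mech in ("spf", "dkim", "dmarc"))
    if sender in trusted:
        # Exact match: nothing for a look-alike check to see, even if the tenant is hijacked.
        return Verdict(sender, None, auth_pass)
    local, _, domain = sender.rpartition("@")
    for contact in sorted(trusted):
        t_local, _, t_domain = contact.rpartition("@")
        # Score local part and domain separately so a one-letter change in either is caught.
        if damerau_levenshtein(local, t_local) + damerau_levenshtein(domain, t_domain) <= max_distance:
            return Verdict(sender, contact, auth_pass)
    return Verdict(sender, None, auth_pass)


# Constructed sample 1: classic BEC, local part altered on the real domain. The attacker does
# not control examplecompany.com, so DMARC fails on the spoofed header From.
SPOOFED_LOCAL = """From: John Kelly <john.kelley@examplecompany.com>
To: ap@victim.example
Subject: Re: Invoice 4471 - updated wire details
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mailer.example; dkim=none; dmarc=fail header.from=examplecompany.com

Please use the new account details attached.
"""

# Constructed sample 2: look-alike domain registered by the attacker; their own SPF/DKIM/DMARC pass.
LOOKALIKE_DOMAIN = """From: John Kelly <john.kelly@examplecompany.co>
To: ap@victim.example
Subject: Re: Invoice 4471 - updated wire details
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=examplecompany.co; dkim=pass header.d=examplecompany.co; dmarc=pass header.from=examplecompany.co

Please use the new account details attached.
"""

# Constructed sample 3: reverse BEC, sent from the real mailbox via hijacked tenant admin rights.
REVERSE_BEC = """From: John Kelly <john.kelly@examplecompany.com>
To: board@partner.example
Subject: Board pack - updated
Authentication-Results: mx.partner.example; spf=pass smtp.mailfrom=examplecompany.com; dkim=pass header.d=examplecompany.com; dmarc=pass header.from=examplecompany.com

Updated board pack attached.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed local part", SPOOFED_LOCAL),
                         ("look-alike domain", LOOKALIKE_DOMAIN),
                         ("reverse BEC", REVERSE_BEC)):
        print(name, classify(sample))
```

The first two samples are flagged as imitations of `john.kelly@examplecompany.com` regardless of whether authentication passed, which is the check that traditional BEC relies on slipping past. The third sample is an exact match with all three mechanisms passing, so neither the look-alike check nor mail authentication produces a signal: the only thing wrong with the message is who is typing at the keyboard, and that has to be caught on the sending side (admin-role changes, new mail-flow rules, anomalous sign-ins), not by the recipient's gateway.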
Though Turla began using reverse BEC years ago for espionage, including stealing information from victims such as Department of Defense contractors, the technique is now being used to carry out financial fraud.
As noted in Contrast Security's 2023 Cyber Bank Heists report, digital front running is real, and cyberattacks have turned it into a state-of-the-art crime: stolen non-public information is traded on before the market learns of it.
Cybercrime cartels, of course, have brokerage accounts. To fund them, Russian cybercrime cartels steal confidential information, short the victimized company's stock within 24 hours of the breach, and then dox the stolen data to the media or regulators so that the price falls: a new type of e-fraud I'm calling "shoxing," as in shorting the stock and then doxing the confidential data.
Has your company been breached? Even if you’re not being extorted, your internal secrets could be doxed, and your company’s stock could be shorted.
This is the first in a new series, entitled “Below the Waterline,” in which I’ll explore threats that organizations aren’t aware of or which they aren’t detecting. Stay tuned to find out what new threats are lurking below the surface and how to best protect your organization.
If you want to detect and block run-time attacks on known and unknown code vulnerabilities with greater precision, you want to check out Contrast Protect.