Aug 20 2016

Kaspersky Warning: Ghouls Loom Large


Security experts at Kaspersky Lab have spotted a new wave of so-called targeted attacks that originated from the Middle East in June and keep harassing organizations in the EMEA region and Asia. According to senior researcher Mohamad Amin Hasbini, the assaults – dubbed "Operation Ghoul" – started nearly a year and a half ago, in March 2015, and are mainly directed at small and medium businesses (SMBs).

While definitely a concerted effort, the campaign doesn't appear to be overly sophisticated from a technical perspective: the attackers basically resorted to sending out spear-phishing emails with compressed 7z files attached that allegedly contain payment documents from a bank in the United Arab Emirates (UAE). Recipients who can't resist the urge to open the attachments are 'rewarded' with a malware executable that collects sensitive data such as passwords and keystrokes and will even take screenshots before sending the lot back to the attackers, who in turn use the information to rob their victims' bank accounts or to sell off these folks' stolen intellectual property. The malware itself builds on HawkEye, a commercial key logger and spyware first spotted in 2015, thus making it particularly hard to reliably identify the campaign creators or at least the country or countries they operate from. So far, the scheme seems to be profitable enough. As Hasbini points out in his detailed report, the ghouls have befallen some 130 organizations in more than countries (see picture at the top, courtesy of Kaspersky), and it doesn't look as though their continued raid would end anytime soon.

According to the same report, another characteristic of Operation Ghoul is that it targets SMBs. By Kaspersky's definition, these are companies with 30 to 300 employees – somewhat unusual for a spear-phishing effort, which you'd normally expect to hunt high-profile victims at international corporations with thousands of staffers. Though the ghouls mainly feed off industrial, engineering and manufacturing companies, they will not turn their back on retailers, travel agencies, ICT vendors or educational services that look mildly attractive. The majority of phishing mails are sent to C-level executives and sales staff; however, engineers in leading positions also appear on the target list. Geographically, the attackers seem to prefer targets located in the Mediterranean and Gulf regions and South Asia – at the moment, by far the most victims reside in Spain, followed by organizations from Pakistan, the UAE, India, and Egypt. Still, this is by no means a problem of emerging markets or problem-laden economies: positions no. 6 and 7 on Hasbini's list go to the UK and Germany.

Right now, successful technical solutions to the problem, such as malware signatures or mail filters, do not seem to exist. And even if they did, they could be easily circumvented, e.g. by changing the phishing mails' storyline or sending them from a different spambot in another domain. Consequently, Kaspersky advises users to be "extra cautious" whenever they want to open a mail attachment – better still, they should decide against it as soon as an email starts smelling too phish-, er, fishy. That won't be too hard to do; after all, how many SMBs in the most-targeted countries will actually make or receive payments through a bank located in the UAE?
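One thing a mail gateway can still do is key on the delivery vehicle the report describes, a 7z archive carrying an executable, rather than on the storyline that an attacker can swap cheaply. The triage rule below is an added illustration, not Kaspersky's or Fujitsu's code; the addresses and the sample lure are constructed placeholders, and the ZIP branch goes beyond the page by inspecting archive members for an executable header.

```python
# Inbound-mail triage rule (constructed example, not Kaspersky's or Fujitsu's
# code): flag attachments of the kind Operation Ghoul used, 7z archives that
# carry an executable, keyed on content rather than the phishing storyline.
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 7z file signature
PE_MAGIC = b"MZ"                          # Windows executable header

def archive_findings(filename, data):
    """Return the reasons an attachment looks like an archive-borne payload."""
    reasons = []
    if data.startswith(SEVEN_ZIP_MAGIC):
        # Sniff the bytes, not the extension: a renamed .7z still matches.
        reasons.append("7z archive attached (Operation Ghoul lure format)")
        if not filename.lower().endswith(".7z"):
            reasons.append("7z content hidden behind name %s" % filename)
    elif data.startswith(b"PK\x03\x04"):
        # Beyond the page: stdlib can open ZIP, so flag only members with a PE header.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    if fh.read(2) == PE_MAGIC:
                        reasons.append("zip member %s is an executable" % info.filename)
    return reasons

def triage_message(raw):
    """Map each suspicious attachment name to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = archive_findings(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_message():
    """Constructed lure: 'payment document' pretext plus a 7z attachment (signature bytes only)."""
    m = EmailMessage()
    m["From"] = "accounts@bank.example"        # placeholder sender
    m["To"] = "sales@victim.example"           # placeholder recipient
    m["Subject"] = "Payment advice - please confirm"
    m.set_content("Please find the attached payment document.")
    m.add_attachment(SEVEN_ZIP_MAGIC + b"\x00" * 16, maintype="application",
                     subtype="x-7z-compressed", filename="Payment_Advice.7z")
    return m.as_bytes()
```

Run `triage_message(build_sample_message())` to see the constructed lure flagged on its attachment alone; a rewritten subject or body would not change the result.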

Moral takeaway: if a modern company's most valuable asset is its data, then it's okay for its employees to get paranoid about it.

