We've detected a phishing scam that has already stolen 1 million pieces of data; learn how to protect yourself

ISH Tecnologia's threat intelligence team detected the leak of almost 1 million passwords collected by a spear phishing campaign. The initial infection vector is a fake billing e-mail impersonating major Brazilian operators. When the victim opens the e-mail content, they are led to a malicious PDF that installs a trojan built to steal passwords. The executable injects code into common browser processes (Opera, Firefox, Google Chrome and Microsoft Edge); hooks placed on key DLLs inside the target browser then redirect execution to the malicious routine.

Figure 1: hook

Evolution

The trojan collects the logins and passwords saved in the target browsers, formats the data and writes it to a text file for exfiltration. This file is forwarded to a command and control (C2) server, where it is merged into a single list with the credentials harvested from other infected machines.

Figure 2: recording in memory

Because of the volume of e-mails sent, and because the attackers impersonate several nationwide service providers, this list holds a large number of credentials for both personal and corporate accounts.

Although using up-to-date browser versions is still recommended, it is important to note that this attack does not depend on the browser version: it is not an exploit of a browser vulnerability but a shellcode injection into a legitimate process, so patching the browser alone does not stop it.
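Because the stealer runs inside a legitimate browser process, the injection itself is the event worth hunting for. The following is an added example, not code from the ISH Tecnologia write-up: it queries Sysmon Event ID 8 (CreateRemoteThread) for threads created inside a browser process by something that is not itself a browser. It assumes Sysmon is installed with a configuration that logs CreateRemoteThread; the browser image list and the 7-day window are choices made for this example.

```powershell
# Added example (not from the original article): hunt for remote-thread injection
# into browser processes using Sysmon Event ID 8 (CreateRemoteThread).
# Assumptions: Sysmon is installed and logs CreateRemoteThread; run elevated.

$BrowserImages = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'opera.exe')

function Find-BrowserInjection {
    param(
        [string[]] $TargetImages = $BrowserImages,
        [datetime] $StartTime    = (Get-Date).AddDays(-7)
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 8
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Sysmon stores its fields as <Data Name="..."> elements; flatten them.
        $fields = @{}
        foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }

        $target = [IO.Path]::GetFileName($fields['TargetImage'])
        $source = [IO.Path]::GetFileName($fields['SourceImage'])

        # Only threads created inside a browser process...
        if ($TargetImages -notcontains $target) { continue }
        # ...by something that is not itself a browser (browsers legitimately
        # create threads in their own renderer and helper processes).
        if ($TargetImages -contains $source) { continue }

        [pscustomobject]@{
            Time        = $event.TimeCreated
            Source      = $fields['SourceImage']
            SourcePid   = $fields['SourceProcessId']
            Target      = $fields['TargetImage']
            TargetPid   = $fields['TargetProcessId']
            # Empty when the thread starts in memory not backed by any module:
            # a strong indicator of injected shellcode rather than a loaded DLL.
            StartModule = $fields['StartModule']
            StartFunc   = $fields['StartFunction']
        }
    }
}

Find-BrowserInjection | Sort-Object Time | Format-Table -AutoSize
```

A hit where StartModule is empty and the source is a recently written executable in a user-writable path is the pattern described above. Injection techniques that do not create a remote thread will not appear in Event ID 8; pairing this with Sysmon Event ID 10 (ProcessAccess) on the same browser targets covers the handle opened before the write.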

To avoid this type of attack, instruct your team not to use corporate e-mail addresses to register for services of any kind. Unexpected messages in the corporate mailbox should be ignored, with particular care for those that carry links in the body of the message.

Figure 3: example of a malicious email used by the trojan

Ways to mitigate the attack

Awareness: guide the team

Also instruct employees not to save credentials in browsers, since they are easily accessible to a range of malicious techniques. As a complementary measure, you can disable the password-saving option in Edge, Chrome, Firefox and Internet Explorer entirely via GPO.

Disable password managers from Chrome, Edge, Firefox, IE via GPO

A good security measure is to disable password saving in web browsers. Below we present an example of how to implement a Group Policy Object (GPO) that disables the native password manager of the browsers listed. This prevents corporate passwords from being saved in browsers, synchronised to personal accounts and made available outside the organisation.

We present examples for the browsers below. Remember that the recommendation should be adapted to the institution's environment by a Microsoft specialist:

  • Edge
  • Internet Explorer (IE)
  • Chrome
  • Firefox

How to disable native password manager on Edge via GPO?

Follow these steps:

1. Log in to a Windows server and open the Group Policy Editor;

2. Download the Edge Policy Templates if you have not already done so;

3. In the Group Policy Editor, create a new GPO named "Edge - Disable PWM";

4. Choose the desired scope;

5. Right click on the new Group Policy Object > Edit;

6. In the Group Policy Management Editor, go to User Configuration > Policies > Administrative Templates > Microsoft Edge;

7. Define the following policies:

  • Disable the Enable AutoFill for addresses policy;
  • Disable the Enable AutoFill for credit cards policy;
  • Under "Password manager and protection", disable the Enable saving passwords to the password manager policy;
  • Optionally, enable the Disable synchronization of data using Microsoft sync services policy.

8. Once completed, the GPO settings will look like this:

9. Ensure that the GPO link is enabled.

Testing the functionality

On the user's computer, open a command prompt and run gpupdate /force, which will prompt for a logoff to apply the new settings. Then open Edge and click the three dots ... > Settings > Passwords. Confirm that the "Offer to save passwords" option is disabled and shown as managed by your organization.

Note that "Sign in automatically" remains checked because, at the time of writing this guide, there was no policy setting to disable it.

Important: passwords previously saved in Edge are not removed by this policy and will continue to be shown to the user, even with Edge autofill disabled. Clearing them is a separate clean-up step.

How to disable the native password manager in Internet Explorer (IE) via GPO?

1. Log in to a Windows server and open the Group Policy Editor;

2. Create a new GPO called "IE - Disable PWM";

3. Choose the desired scope;

4. Right click on the new Group Policy Object > Edit;

5. In the Group Policy Management Editor, go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer;

6. Define the following policy models:

  • Enable the Disable AutoComplete for forms policy;
  • Disable the Turn on the auto-complete feature for user names and passwords on forms policy.

7. Once completed, the GPO settings will look like this:

8. Ensure that the GPO link is enabled.

Testing the functionality

On the user's computer, open a command prompt and run gpupdate /force, which will prompt for a logoff to apply the new settings. Open Internet Explorer and click the gear icon > Internet Options > Content tab > AutoComplete Settings. Confirm that the password options are greyed out.

How to disable the native password manager in Chrome via GPO?

1. Download the Google Chrome administrative templates (policy_templates.zip);

2. Copy the ADMX files:
FROM the downloaded folder 'policy_templates\windows\admx\' (chrome.admx and google.admx)
TO C:\Windows\PolicyDefinitions

3. Copy the ADML files:
FROM 'policy_templates\windows\admx\en-us\' (chrome.adml and google.adml)
TO C:\Windows\PolicyDefinitions\en-us

4. On a Windows server, open the Group Policy Editor;

5. Create a new GPO called "Chrome - Disable PWM";

6. Choose the desired scope;

7. Right click Group Policy Object > Edit;

8. Go to User Configuration > Policies > Administrative Templates > Google > Google Chrome;

9. Edit the following settings:

  • Enable the Browser sign-in settings policy, click Options and select Disable browser sign-in;
  • Disable the Enable AutoFill for addresses policy;
  • Disable the Enable AutoFill for credit cards policy;
  • Under "Password manager", disable the Enable saving passwords to the password manager policy.

10. Once completed, the GPO settings will look like this:

11. Make sure that the GPO link is enabled.

Testing the functionality

On the user's computer, open a command prompt and run gpupdate /force, which will prompt for a logoff to apply the new settings. Open Chrome and click the profile icon in the top right corner. Confirm that the user is not signed in.

Then click the three dots ... > Settings > Passwords. Confirm that "Offer to save passwords" is unchecked and shown as managed by your organization.

How to disable the native password manager in Firefox via GPO

1. Log in to a Windows server that you use to manage your Group Policies;

2. Download the latest Firefox policy templates .zip file here;

3. Copy the ADMX files:
FROM the downloaded folder 'policy_templates_v1##\windows\' (firefox.admx and mozilla.admx)
TO C:\Windows\PolicyDefinitions

4. Copy the ADML files:
FROM 'policy_templates_v1##\windows\en-us\' (firefox.adml and mozilla.adml)
TO C:\Windows\PolicyDefinitions\en-us

5. Open the Group Policy Editor;

6. Create a new GPO called "Firefox - Disable PWM";

7. Choose the desired scope;

8. Right click on the new group policy > Edit;

9. Open User Configuration > Policies > Administrative Templates > Mozilla > Firefox;

10. Edit the following policies:

  • Enable the Disable Firefox Accounts policy (this is what blocks sync to a personal account);
  • Disable the Offer to save logins policy;
  • Disable the Offer to save logins (default) policy;
  • Disable the Password Manager policy.

11. Once completed, the GPO settings will look like this:

12. Ensure that the GPO link is enabled.
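The Chrome and Firefox procedures above each start by copying ADMX and ADML files into C:\Windows\PolicyDefinitions, which only makes the templates visible on that one machine. The script below is an added example, not from the original article: it stages both template sets in one go and defaults to the domain Central Store (the PolicyDefinitions folder in SYSVOL), so every Group Policy Management console sees the same definitions; pass -Store C:\Windows\PolicyDefinitions to reproduce the local copy exactly as in the steps. The source folder paths are assumptions standing in for wherever you extracted the two .zip files.

```powershell
# Added example (not ISH Tecnologia's code): stage Chrome and Firefox ADMX/ADML
# templates. Source directories are assumptions for where the zips were extracted.

function Install-BrowserAdmx {
    param(
        # e.g. '...\policy_templates\windows\admx' from the Chrome bundle
        [Parameter(Mandatory)] [string] $ChromeAdmxDir,
        # e.g. '...\policy_templates_v1##\windows' from the Firefox bundle
        [Parameter(Mandatory)] [string] $FirefoxAdmxDir,
        [string] $Language = 'en-US',
        # Central Store; use C:\Windows\PolicyDefinitions for a single-machine local store
        [string] $Store    = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
    )

    $langStore = Join-Path $Store $Language
    New-Item -ItemType Directory -Path $langStore -Force | Out-Null

    $bundles = @(
        @{ Dir = $ChromeAdmxDir;  Admx = 'chrome.admx', 'google.admx'   }
        @{ Dir = $FirefoxAdmxDir; Admx = 'firefox.admx', 'mozilla.admx' }
    )

    foreach ($b in $bundles) {
        foreach ($admx in $b.Admx) {
            $adml = $admx -replace '\.admx$', '.adml'
            # .admx goes to the store root; its language .adml to the matching subfolder
            Copy-Item -Path (Join-Path $b.Dir $admx) -Destination $Store -Force
            Copy-Item -Path (Join-Path (Join-Path $b.Dir $Language) $adml) -Destination $langStore -Force
        }
    }

    # Return what is now in place so the caller can confirm all four definitions landed
    Get-ChildItem -Path $Store -Filter '*.admx' |
        Where-Object Name -in 'chrome.admx', 'google.admx', 'firefox.admx', 'mozilla.admx' |
        Select-Object Name, LastWriteTime
}

# Install-BrowserAdmx -ChromeAdmxDir 'C:\Temp\policy_templates\windows\admx' `
#                     -FirefoxAdmxDir 'C:\Temp\policy_templates_v1##\windows'
```

Once the Central Store exists, the Group Policy Management Editor ignores the local C:\Windows\PolicyDefinitions folder, so keep all templates (Edge included) in the store rather than splitting them between the two locations.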

Testing the functionality

Log in as a user within the scope, open a command prompt and run gpupdate /force. Open Firefox and select Logins and Passwords from the menu.

Confirm that a message stating the page is blocked by your organization is displayed instead of the saved logins.
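The four procedures above create the GPOs by clicking through the editor, and each "Testing the functionality" section checks one browser by hand. The following is an added example, not code from ISH Tecnologia: one table of the registry-backed policies those GPOs set, used both to create and link the four GPOs with the GroupPolicy RSAT module and to verify on a client, after gpupdate /force, that every value actually landed under HKCU\Software\Policies. The Edge, Chrome and Firefox value names are those defined in the browsers' ADMX templates; the two Internet Explorer entries are my reading of inetres.admx and should be confirmed in the editor. The OU path is a placeholder for your own scope.

```powershell
# Added example (not from the original article): build the four "... - Disable PWM"
# GPOs from a table and verify the resulting registry policy on a client.
# Value names: browser ADMX templates; IE entries are an assumption to confirm.

$PwmPolicies = @(
    @{ Gpo='Edge - Disable PWM';    Key='HKCU\Software\Policies\Microsoft\Edge';                    Name='AutofillAddressEnabled';    Type='DWord';  Value=0 }
    @{ Gpo='Edge - Disable PWM';    Key='HKCU\Software\Policies\Microsoft\Edge';                    Name='AutofillCreditCardEnabled'; Type='DWord';  Value=0 }
    @{ Gpo='Edge - Disable PWM';    Key='HKCU\Software\Policies\Microsoft\Edge';                    Name='PasswordManagerEnabled';    Type='DWord';  Value=0 }
    @{ Gpo='Edge - Disable PWM';    Key='HKCU\Software\Policies\Microsoft\Edge';                    Name='SyncDisabled';              Type='DWord';  Value=1 }
    @{ Gpo='IE - Disable PWM';      Key='HKCU\Software\Policies\Microsoft\Internet Explorer\Main';  Name='Use FormSuggest';           Type='String'; Value='no' }
    @{ Gpo='IE - Disable PWM';      Key='HKCU\Software\Policies\Microsoft\Internet Explorer\Main';  Name='FormSuggest Passwords';     Type='String'; Value='no' }
    @{ Gpo='Chrome - Disable PWM';  Key='HKCU\Software\Policies\Google\Chrome';                     Name='BrowserSignin';             Type='DWord';  Value=0 }
    @{ Gpo='Chrome - Disable PWM';  Key='HKCU\Software\Policies\Google\Chrome';                     Name='AutofillAddressEnabled';    Type='DWord';  Value=0 }
    @{ Gpo='Chrome - Disable PWM';  Key='HKCU\Software\Policies\Google\Chrome';                     Name='AutofillCreditCardEnabled'; Type='DWord';  Value=0 }
    @{ Gpo='Chrome - Disable PWM';  Key='HKCU\Software\Policies\Google\Chrome';                     Name='PasswordManagerEnabled';    Type='DWord';  Value=0 }
    @{ Gpo='Firefox - Disable PWM'; Key='HKCU\Software\Policies\Mozilla\Firefox';                   Name='DisableFirefoxAccounts';    Type='DWord';  Value=1 }
    @{ Gpo='Firefox - Disable PWM'; Key='HKCU\Software\Policies\Mozilla\Firefox';                   Name='OfferToSaveLogins';         Type='DWord';  Value=0 }
    @{ Gpo='Firefox - Disable PWM'; Key='HKCU\Software\Policies\Mozilla\Firefox';                   Name='OfferToSaveLoginsDefault';  Type='DWord';  Value=0 }
    @{ Gpo='Firefox - Disable PWM'; Key='HKCU\Software\Policies\Mozilla\Firefox';                   Name='PasswordManagerEnabled';    Type='DWord';  Value=0 }
)

function New-BrowserPwmGpo {
    # Run on a server with RSAT; $TargetOU is a placeholder, e.g. 'OU=Workstations,DC=corp,DC=example'
    param([Parameter(Mandatory)] [string] $TargetOU)
    Import-Module GroupPolicy

    foreach ($gpoName in ($PwmPolicies.Gpo | Select-Object -Unique)) {
        if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
            New-GPO -Name $gpoName | Out-Null
        }
        # Set-GPRegistryValue writes registry.pol directly; the ADMX templates are only
        # needed for GPMC to show these as named policies rather than "Extra Registry Settings".
        foreach ($p in $PwmPolicies | Where-Object Gpo -eq $gpoName) {
            Set-GPRegistryValue -Name $gpoName -Key $p.Key -ValueName $p.Name `
                                -Type $p.Type -Value $p.Value | Out-Null
        }
        $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $gpoName
        if (-not $linked) { New-GPLink -Name $gpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }
    }
}

function Test-BrowserPwmPolicy {
    # Run on a client, as the in-scope user, after gpupdate /force.
    foreach ($p in $PwmPolicies) {
        $path   = $p.Key -replace '^HKCU\\', 'HKCU:\'
        $actual = (Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Gpo      = $p.Gpo
            Value    = $p.Name
            Expected = $p.Value
            Actual   = $actual
            Ok       = ($null -ne $actual) -and ("$actual" -eq "$($p.Value)")
        }
    }
}

# Server:  New-BrowserPwmGpo -TargetOU 'OU=Workstations,DC=corp,DC=example'
# Client:  Test-BrowserPwmPolicy | Format-Table -AutoSize
```

A row with Ok = False after gpupdate usually means the user is outside the GPO's scope or the link is disabled (step "Ensure that the GPO link is enabled" above); gpresult /r on the client lists which GPOs were applied. As noted for Edge, none of these values removes credentials the browser has already stored.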

Final Recommendations

Finally, keep an eye out for suspicious domains and IP addresses in the logs of tools such as the firewall and web filter. Because this attack uses legitimate processes to reach the command and control (C2) server, inspecting only the traffic of applications you already consider suspicious is not enough: the exfiltration comes from the browser itself.

Policies for the responsible use of corporate assets, monitoring of how corporate resources are used, and references to these controls in the Information Security Policy are measures with broad effectiveness in cases like this one.

Limiting administrative access to specialised teams only should be standard practice for network administrators and cybersecurity teams.

Implementing User and Entity Behavior Analytics (UEBA) solutions can complement your security stack with valuable results by flagging anomalous behaviour in your environment.

By André Phanebecker, Alexandre Siviero and Paulo Trindade