Hackers Steal Over 40k Logins for Gov Services in 30 Countries
(Dec 11, 2018)
More than 40,000 users across the globe fell victim to a phishing attack that compromised accounts on various online government services. Unknown threat actors sent phishing emails that distributed spyware such as Pony Formgrabber, AZORult, and Qbot (Qakbot), which logged the usernames and passwords of civilians, government employees, and military officials. The targeted individuals resided in or were affiliated with the following: Bulgaria, Croatia, France, Hungary, the Israel Defence Forces, the Ministry of Finance of Georgia, the Ministry of Foreign Affairs of Romania, the Italian Ministry of Defence and Foreign Affairs, the Norwegian Directorate of Immigration, Poland, Romania, and Switzerland. The malicious attachment pretended to be a legitimate file and, if opened, would harvest credentials stored in configuration files, databases, and secret stores, which were then sent to the threat actor's Command and Control (C2) server.
Recommendation: It is important that your company institutes policies to educate your employees on phishing attacks, specifically how to identify such attacks and whom to contact when a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management, to assist in identifying potentially malicious communications. Ensure that your employees are educated about the risks of opening attachments, particularly those from unknown senders and any attachment that requests that macros be enabled.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.