
Threat Intelligence Updates: February 2018

02/26/2018  |  By: Jason Riddle, CISSP, President, Information Security

Phishing Season in Full Swing

February was more of the same with respect to organized phishing campaigns coming out of Africa. As we’ve reported for the past several months, the majority of these attacks appear to originate in Lagos, Nigeria and are focused on business employees with corporate email addresses rather than private citizens with personal email accounts (e.g. Gmail, Hotmail, etc.). We saw this activity spike in Q3 of 2017, and it’s showing no signs of slowing down.

So far, all the investigations we’ve worked have turned out to be smash-and-grab-style attacks, where the attackers attempt to quickly monetize their access and—in parallel—send out lots of additional phishing emails from the victim’s account to the victim’s contacts. They also frequently create email rules to delay detection by the email account owner.

We strongly recommend disabling OWA if you don’t need it, or protecting OWA with multi-factor authentication if you do need it. Geo-IP restrictions are another good defensive layer—assuming you don’t have business interests in Africa. Detective controls for user-behavior anomalies and phishing activity are a couple more layers that can be utilized to mitigate these attacks.
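As an added example (not code from this post), here is the kind of detective control the last sentence refers to: a Python check over Exchange/Office 365 audit records that flags newly created inbox rules with the delete, forward or hide-in-a-folder traits attackers use to delay detection. The record layout, folder list and keyword list are assumptions to tune for your own tenant, and the sample records are constructed.

```python
# Parameters of New-InboxRule that copy mail out of the mailbox (assumption: list is not exhaustive).
FORWARD_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders users rarely open; moving mail here hides it (assumption: tune to your tenant).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive", "junk email"}
# Keywords a hijacked account's rule filters on to suppress replies and bounce-backs (assumption).
SUSPICIOUS_WORDS = {"w-2", "w2", "wire", "payment", "invoice", "undeliverable", "hacked", "phish"}

# Constructed sample records shaped like Office 365 unified audit log New-InboxRule events.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "payroll@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "W-2;wire;undeliverable"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Name", "Value": "sync"},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
]

def flatten_params(record):
    """Turn the audit log's Name/Value parameter list into a plain dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def rule_findings(record):
    """List the reasons one New-InboxRule event looks like post-compromise cleanup."""
    if record.get("Operation") != "New-InboxRule":
        return []
    p = flatten_params(record)
    findings = []
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes-mail")
    if any(a in p for a in FORWARD_ACTIONS):
        findings.append("forwards-mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        findings.append("moves-to-hidden-folder")
    filters = (p.get("SubjectContainsWords", "") + ";" + p.get("BodyContainsWords", "")).lower()
    if any(w in filters.split(";") for w in SUSPICIOUS_WORDS):
        findings.append("filters-on-suspicious-words")
    if len(p.get("Name", "").strip()) <= 1:  # rules named "." or "," are a common tell
        findings.append("blank-or-dot-name")
    return findings

def scan(records):
    """Return (user, client IP, findings) for every rule creation that raised a finding."""
    return [(r["UserId"], r.get("ClientIP", "?"), f) for r in records if (f := rule_findings(r))]
```

Feed `scan()` the New-InboxRule and Set-InboxRule events from your audit log export; the client IP in each hit is what a Geo-IP restriction or anomaly alert would key on.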

In addition to the African phishing adventures detailed above, it’s noteworthy that tax season has begun. Everyone should be on the lookout for phishing scams that target tax returns and W-2 data. Last year, hundreds of organizations fell victim to a phishing scam that tricked payroll personnel into disclosing employees' W-2 information. The attackers often pose as company executives, sending an email to HR or payroll requesting copies of W-2 forms for employees. With the increase in phishing activity targeting OWA, attackers could also utilize stolen credentials to send the emails from an authorized user’s email account, adding a significant appearance of legitimacy to the request. 

We recommend educating your employees on this phishing scheme and implementing additional verification procedures when receiving W-2 or wire transfer requests. The IRS also urges companies to limit the number of employees who handle W-2 requests.

For more information, visit:

ShurL0ckr Ransomware Evades Detection While Targeting Office 365 and Google Drive

A new strain of ransomware called ShurL0ckr was not detected by most major antivirus platforms, including the built-in malware protection of both Google Drive and Microsoft Office 365. The ransomware is a variant of the Gojdue ransomware and is mainly distributed by phishing or drive-by downloads. Upon successful infection, ShurL0ckr encrypts the victim’s files and offers the keys to decrypt them in exchange for a Bitcoin ransom. Researchers have found that ShurL0ckr is similar to the Satan ransomware, a ransomware-as-a-service (RaaS) variant, which allows anyone to customize and deploy the malware as long as they share a percentage of their earnings with the RaaS developers.

More information available at:

Newly Discovered DarkSky Botnet Armed with Several Evasion Mechanisms

Radware’s Threat Research team began monitoring a new botnet, dubbed DarkSky, in May 2017. By December, the team noted a spike in different variants of the malware as its developers made enhancements. The bot is currently sold for only $20 over the Darknet and is armed with multiple evasion mechanisms, a malware downloader, as well as several DDoS attack vectors. The malware also has anti-virtual machine capabilities to prevent it from running in a sandbox. Researchers have reported that the malware silently infects machines and has recently been downloading cryptocurrency miners to infected hosts.

For more information on this, please visit:

Automated Mass Exploitation Tool Makes Attacking Easier

A security researcher released a new tool, AutoSploit, which aims to automate the majority of an attack. The tool combines the penetration testing tool Metasploit and a search engine of Internet-connected devices. This combination allows a user to search for potential targets and let AutoSploit determine and execute the appropriate Metasploit modules against them. Additionally, the tool can launch a “Hail Mary” attack that runs a range of Metasploit modules against each target.

For more information on this, please visit: