Work From Home Opens New Remote Insider Threats

Remote work is opening up new insider threats – whether it’s negligence or malicious employees – and companies are scrambling to stay on top of these unprecedented risks.

Employees working from home face a new world of workplace challenges. With childcare facilities mostly closed, many are juggling crying babies or barking dogs, all while tending to job responsibilities. Under those conditions mistakes happen, like sending an email – with critical internal company data – to the wrong address.

This is just one of many insider threat risks that security experts worry will become a regular occurrence. That’s because remote employees have been thrust into new working environments, with no face-to-face supervision and little to no training for handling new security risks. They are also facing more distractions in their home settings, as well as new emotional stresses tied to COVID-19.

All of these factors are creating a ticking time bomb for insider-threat risk – which, according to a report released last week, has already increased by 47 percent since 2018. Worse, security experts warn that organizations aren’t ready for this influx of remote-work-induced challenges.

“The [work from home] trend due to the COVID-19 pandemic has significantly increased insider threats from employees taking risks with company assets, such as stealing sensitive data for personal use or gain as employers have less visibility to what employees are doing or accessing,” Joseph Carson, chief security scientist and advisory chief information security officer at Thycotic, told Threatpost.

Negligent Insiders: Lack of Training

Insider threats stem either from “negligent insiders” – which, according to Proofpoint, are the most common category and account for 62 percent of incidents – or from malicious insiders, who intentionally steal data or company secrets.

The “negligent insiders” are the bigger threat here, researchers say. They may be employees who are well-intentioned but who mistakenly give away company data or put it at risk: they might open a phishing email, fall victim to a business email compromise (BEC) scam, or leave a cloud storage bucket misconfigured.

The work from home world has paved the way to an unsecured environment that allows these mistakes to happen more easily, security experts argue. For starters, many remote employees have not been given the appropriate training for how to secure their laptops and how to handle sensitive data in a work from home environment.

A recent survey from IBM Security found that more than half of those surveyed have yet to be given any new security policies on how to work securely from home. More than half also have not been given new guidelines on how to handle personally identifiable information (PII) while working from home, despite more than 42 percent being newly required to do so as consumers lean on customer service representatives for a variety of services.


In addition to a lack of employee training, experts worry that remote employees are taking company devices that depended on the corporate network’s security controls for protection – email gateways, web gateways, intrusion detection systems or firewalls – and connecting them to unsecured home networks.

The IBM Security survey for instance found that 53 percent of remote employees are using their personal laptops and computers for business operations – and 61 percent say their employer hasn’t provided tools to properly secure those devices.

Remote employees are also juggling the demands of working remotely with, in many cases, childcare. That, coupled with the overarching stresses of the pandemic and the pressures of regular work, can open the door to simple mistakes. For instance, in companies with 1,000 employees, an average of 800 emails are sent to the wrong person every year, according to Tessian. Experts worry that the new working environment could make this type of mistake more common.

“Initially, the sudden shift in environment was taxing on employees, which increased the likelihood for mistakes to be made that could have incredible repercussions for data privacy – for example, sending an email to an incorrect recipient or clicking on a phishing link,” said Steve Durbin, managing director of the Information Security Forum. “As remote working continues, organizations continue to digitalize traditionally physical processes, such as reliance on post or face-to-face meetings, inevitably driving more sensitive data online.”

Malicious Insiders

While “malicious insider” threats are less common (according to Proofpoint, they account for 14 percent of incidents), coronavirus-spurred changes to the workforce are making it more difficult for organizations to root them out.

According to Verizon’s 2020 Data Breach Investigations Report (DBIR), malicious insider threat motivations vary. Financial motivations are the most popular, but espionage or disgruntled employees are listed as other common reasons.


Malicious insider threats may stem from the emotional toll of change. Earlier in May, for instance, a former BlueLinx IT manager, unhappy after his company was acquired by the large Atlanta-based building products distributor, was sentenced to federal prison for hacking his former employer.

Experts worry about the emotional toll that the changes of today’s coronavirus world will have on employees. Many employees currently have concerns, need support and require protection, and some may react maliciously to reduced hours, lowered compensation or fewer promotion opportunities.

These concerns at work can be compounded by increased levels of stress outside of the work environment due to worries about the health of their families, livelihood and uncertainty about the future, said Steve Durbin, managing director of the Information Security Forum.

“Under these conditions, employees might become resentful or disgruntled towards the organization, resulting in occurrences of information leakage and theft of intellectual property,” said Durbin.

At the same time, the shift to remote work makes it harder for organizations to detect such internal, nefarious acts, because of limited access controls and a lack of capabilities for detecting unusual activity.

Protecting Against the Insider Threat

Organizations can take several steps to reduce the risks of these insider threats. The implementation of training measures for employees to better understand remote workplace security policies is an important first step.

However, going beyond that, companies also need better visibility into the devices that are being used by employees handling sensitive information, Tim Bandos, vice president of cybersecurity at Digital Guardian, told Threatpost.

Identity and access management (IAM) has an important role to play here. With employees now outside the company perimeter, IAM lets organizations maintain a full audit trail of who accessed what, which can be used to reconstruct an employee’s actions after the fact.

“Users are now less restricted with how they collaborate with information and what services or devices they can use in order to transfer data,” said Bandos. “Unless there was an established data protection policy in place that took into consideration remote employees with outlined controls, companies will experience data loss whether they realize it or not.”

BofA Phish Gets Around DMARC, Other Email Protections

The June campaign was targeted and aimed at stealing online banking credentials.

A credential-phishing attempt that relies on impersonating Bank of America has emerged in the U.S. this month, with emails that get around secure gateway protections and heavy-hitting protections like DMARC.

The campaign involves emails that ask recipients to update their email addresses, warning users that their accounts could be recycled if this isn’t done.

“The email language and topic was intended to induce urgency in the reader owing to its financial nature,” according to analysis from Armorblox. “Asking readers to update the email account for their bank lest it get recycled is a powerful motivator for anyone to click on the URL and follow through.”

The messages contain a link that purports to take visitors to a site to update their information – but clicking the link simply takes the recipients to a credential-phishing page that closely mirrors a legitimate Bank of America home page, researchers said.

The attack flow also included a page that asked readers for their ‘security challenge questions’, both to increase legitimacy as well as get further identifying information from targets, researchers said in a posting on Thursday.

“With the enforcement of Single Sign On (SSO) and two-factor authentication (2FA) across organizations, adversaries are now crafting email attacks that are able to bypass these measures,” Chetan Anand, co-founder and architect of Armorblox, told Threatpost. “This credential-phishing attack is a good example. Firstly, it phishes for Bank of America credentials, which are likely not to be included under company SSO policies. Secondly, it also phishes for answers to security-challenge questions, which are often used as a second/additional form of authentication. Asking security-challenge questions not only increases the legitimacy of the attack, but also provides the adversaries with vital personal information about their targets.”

More interesting, in some cases the emails get past existing email security controls because they don’t follow the patterns of more traditional phishing attacks.

For instance, the campaign, while using a classic “spray-and-pray” lure, is not a mass email effort, according to the firm. In examining one of the emails, researchers noticed that “this was not a bulk email and only a few people in the target organization received it,” they wrote. “This ensured that the email wasn’t caught in the bulk email filters provided by native Microsoft email security or the Secure Email Gateway (SEG).”

Anand told Threatpost, “We’re working on identifying scope of impact outside of our customer base but campaigns like this in the past have been fairly broad in their attack scope since the content is generic enough to cut across organizations and industry verticals. Within our customer base, it was not a mass email but not a single email either. A few key VIPs or VAPs (Very Attacked Persons) got the email.”

Also, the email they examined passed the common authentication checks, including DMARC. DMARC (Domain-based Message Authentication, Reporting and Conformance) is an industry standard that builds on SPF and DKIM: a message passes when the domain in the visible “From” header aligns with a domain that SPF or DKIM has authenticated, and the owner of that domain publishes a DNS policy telling receivers whether to deliver, quarantine or reject messages that fail. Configured correctly, it stops messages that forge a protected domain in the “From” header at the gateway, or sends them to the junk folder. It says nothing about the display name shown to the user, and nothing about mail legitimately sent from a domain where the attacker simply holds an account.

“Although the sender name – Bank of America – was impersonated, the email was sent from a personal Yahoo account via SendGrid. This resulted in the email successfully passing all authentication checks such as SPF [Sender Policy Framework], DKIM [DomainKeys Identified Mail] and DMARC,” explained the researchers.

DMARC is useful but has a few key gaps, Anand told Threatpost.

“Firstly, DMARC is mainly designed to protect against direct domain spoofs (which this was not),” he said. “Secondly, to protect an organization using DMARC, all domains used in communication with employees should have DMARC enabled on them (which doesn’t happen today). Emails sent from legitimate domains (Gmail, Yahoo) while not being a direct domain spoof have a good chance of passing DMARC.”
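The gap Anand describes can be checked for directly, because DMARC alignment and display-name impersonation are separate questions. The following Go program is an added example, not code from Armorblox or from the article. It runs over two constructed header blocks (the addresses, hostnames and the brand-to-domain allowlist are made up for the example) and flags a message whose display name claims a brand that the “From” mailbox domain is not allowed to use, even when the receiving mail server recorded dmarc=pass:

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// Constructed headers modelled on the campaign: the display name says
// "Bank of America", but the mailbox is a webmail account, so SPF/DKIM/DMARC
// all pass for the real sending domain. Addresses and hostnames are made up.
const impersonationHeaders = `From: "Bank of America" <alerts.boa.2020@yahoo.com>
Authentication-Results: mx.example.net;
	spf=pass smtp.mailfrom=bounces.sendgrid.net;
	dkim=pass header.d=yahoo.com;
	dmarc=pass header.from=yahoo.com
Subject: Update your email address

`

// Constructed control case: same display name, sent from an allowlisted
// brand domain, so the display-name check should stay quiet.
const legitimateHeaders = `From: "Bank of America" <alerts@bankofamerica.com>
Authentication-Results: mx.example.net;
	dkim=pass header.d=bankofamerica.com;
	dmarc=pass header.from=bankofamerica.com
Subject: Your statement is ready

`

// brandDomains maps a brand string, as it may appear in a display name, to
// the sender domains allowed to use it. The entry is an assumption for the
// example; a deployment would maintain its own verified list.
var brandDomains = map[string][]string{
	"bank of america": {"bankofamerica.com"},
}

type Verdict struct {
	DMARCPass         bool   // dmarc=pass recorded by the receiving MTA
	DisplayName       string // parsed From: display name
	Domain            string // parsed From: mailbox domain, lower-cased
	ImpersonatedBrand string // brand key claimed by a display name the domain may not use
}

// parseAuthResults pulls method=result pairs (spf, dkim, dmarc, ...) out of an
// Authentication-Results header value.
func parseAuthResults(value string) map[string]string {
	results := map[string]string{}
	for _, clause := range strings.Split(value, ";") {
		fields := strings.Fields(clause)
		if len(fields) == 0 {
			continue
		}
		if kv := strings.SplitN(fields[0], "=", 2); len(kv) == 2 {
			results[strings.ToLower(kv[0])] = strings.ToLower(kv[1])
		}
	}
	return results
}

// Evaluate applies the display-name check regardless of the DMARC outcome:
// DMARC only tells us the mailbox domain is genuine, not who the sender is.
func Evaluate(rawHeaders string) (Verdict, error) {
	var v Verdict
	msg, err := mail.ReadMessage(strings.NewReader(rawHeaders))
	if err != nil {
		return v, err
	}
	addr, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return v, err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return v, errors.New("From address has no domain part")
	}
	v.DisplayName = addr.Name
	v.Domain = strings.ToLower(addr.Address[at+1:])
	v.DMARCPass = parseAuthResults(msg.Header.Get("Authentication-Results"))["dmarc"] == "pass"

	name := strings.ToLower(addr.Name)
	for brand, allowed := range brandDomains {
		if !strings.Contains(name, brand) {
			continue
		}
		permitted := false
		for _, d := range allowed {
			if v.Domain == d || strings.HasSuffix(v.Domain, "."+d) {
				permitted = true
			}
		}
		if !permitted {
			v.ImpersonatedBrand = brand
		}
	}
	return v, nil
}

func main() {
	for _, raw := range []string{impersonationHeaders, legitimateHeaders} {
		v, err := Evaluate(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("dmarc=%v domain=%s impersonated=%q\n", v.DMARCPass, v.Domain, v.ImpersonatedBrand)
	}
}
```

The check deliberately ignores the authentication verdict when deciding whether to flag: a dmarc=pass on a webmail domain is exactly the case the campaign relied on, so the two signals have to be combined by the gateway rather than letting a pass short-circuit further inspection.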

The attackers also used a brand-new, never-before-used URL for the phishing website. Because the page is hosted on a new domain, it had no reputation history and slipped past filters built to block known bad links.

Also, the effort exhibits much better social engineering than what is usually seen in attacks like these, according to the firm. For instance, the final credential phishing page was “painstakingly made to resemble the Bank of America login page,” explained the researchers.

“The level of polish involved in this attack is noteworthy,” Anand said. “The phishing sites are unerringly made to resemble Bank of America pages at first glance. The other sign of sophistication in this attack is the fact that attackers asked targets for their security challenge questions as well. If attackers successfully harvest any such answers, they can potentially brute-force their way into other accounts where security challenge questions are involved (since these questions tend to be common across apps).”

Microsoft Joins Ban on Sale of Facial Recognition Tech to Police

Microsoft has joined Amazon and IBM in banning the sale of facial recognition technology to police departments and pushing for federal laws to regulate the technology.

Microsoft is joining Amazon and IBM in halting the sale of facial recognition technology to police departments. Microsoft President Brad Smith said Thursday that the ban would stick until federal laws regulating the technology’s use were put in place.

“We will not sell facial recognition tech to police in the U.S. until there is a national law in place… We must pursue a national law to govern facial recognition grounded in the protection of human rights,” Smith said during a virtual event hosted by the Washington Post.

On Wednesday, Amazon announced a one-year ban on police departments using its facial recognition technology. In a short statement the company said it would be pushing for “stronger regulations to govern the ethical use of facial recognition technology.”

The actions by both tech behemoths dovetail with a move by IBM earlier this week. In a statement, IBM’s new CEO Arvind Krishna said the company will no longer offer general-purpose facial recognition or analysis software “for mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency.”

Krishna’s statements were part of a letter to Congress where he advocated policy reviews such as “police reform, responsible use of technology, and broadening skills and educational opportunities.”

The moves align with a broader demand for law enforcement reforms and calls for racial justice by social justice activists in the wake of George Floyd’s death at the hands of Minneapolis, Minnesota police and the weeks of protests that followed.

“It should not have taken the police killings of George Floyd, Breonna Taylor, and far too many other black people, hundreds of thousands of people taking to the streets, brutal law enforcement attacks against protesters and journalists, and the deployment of military-grade surveillance equipment on protests led by black activists for these companies to wake up to the everyday realities of police surveillance for black and brown communities,” said Matt Cagle, technology and civil liberties attorney with the American Civil Liberties Union of Northern California, in a statement to NBC News this week.

Boom in Technology Prompts Privacy Alarms

The debate over the use of facial recognition has been simmering for years. Big questions about privacy, civil rights and civil liberties have been raised by the American Civil Liberties Union (ACLU), Surveillance Technology Oversight Project and the Electronic Frontier Foundation (EFF).

Objections to police use of facial recognition include the lack of consent by citizens to having their biometric profiles captured by law enforcement agencies. Civil liberties activists argue the technology is imperfect and could lead to mistaken detainments or arrests. The EFF cites a 2012 FBI study (.pdf) that found facial recognition accuracy rates for African Americans were lower than for other demographics.

“Face recognition can be used to target people engaging in protected speech. For example, during protests surrounding the death of Freddie Gray, the Baltimore Police Department ran social media photos through face recognition to identify protesters and arrest them,” the EFF wrote.

In March, the ACLU filed a suit against the Department of Homeland Security (DHS) over its use of facial recognition technology in airports, decrying the government’s “extraordinarily dangerous path” to normalize facial surveillance as well as its secrecy in making specific details of the plan public.

Currently, 22 airports are using what is called the Traveler Verification Service (TVS), which as of June 2019 had scanned the faces of more than 20 million travelers entering and exiting the country, the ACLU said. Several major airlines, including Delta, JetBlue and United Airlines, have already partnered with U.S. Customs and Border Protection to build this surveillance infrastructure, while more than 20 other airlines and airports have committed to using CBP’s face-matching technology.

Facial recognition has also come under fire over its use globally to track the spread of coronavirus. The technology is seen as a zero-contact solution for identifying and tracking individuals exposed to someone infected with COVID-19.

Hawaii’s KHON2 News reported Thursday that the U.S. Department of Transportation is behind a test of facial recognition technology at Honolulu’s international airport. It reported that “facial recognition will be tested along with thermal temperature scanning… in the next couple of weeks.”

Political Prospects of Change

Staunch privacy advocate U.S. Sen. Ron Wyden, on Thursday, urged the Trump administration to stop “weaponizing” facial recognition technology against protesters. In a letter co-signed by U.S. Sens. Cory Booker and Sherrod Brown to Attorney General William Barr and the Department of Homeland Security, Wyden chided federal law enforcement for its use of facial recognition technology on the peaceful protesters marching against the police killing of George Floyd.

“Advances in facial recognition technologies should not be weaponized to victimize Americans across the nation who are standing up for change,” Wyden wrote. “It is no secret that Clearview AI’s controversial facial recognition tool is used by law enforcement throughout your departments despite the numerous legal challenges it faces. However, scientific studies have repeatedly shown that facial recognition algorithms are significantly less accurate for people with non-white skin tones.”

One legislative victory came last September, when California lawmakers passed a bill to ban the use of facial recognition-equipped cameras by law enforcement. Meanwhile, a number of legal challenges are attempting to slow the widespread use of the technology.

Last month the ACLU sued New York-based facial-recognition startup Clearview AI for amassing a database of biometric face-identification data of billions of people and selling it to third parties without their consent or knowledge. The complaint, filed in Circuit Court of Cook County in Illinois, accused the company of violating an Illinois law that protects people “against the surreptitious and nonconsensual capture of their biometric identifiers.”

Clearview AI founder Hoan Ton-That has defended his company’s practices and intentions. He said he welcomes the privacy debate, stating in various published reports that the technology is meant to be used by law enforcement to help solve crimes and not to violate people’s privacy.

Whether or not Microsoft, Amazon and IBM have the market might and political capital to force new regulations is unclear. Meanwhile, the EFF reminds that the list of facial recognition vendors is long – including 3M, Cognitec, DataWorks Plus, Dynamic Imaging Systems, FaceFirst and NEC Global.

Thanos Ransomware First to Weaponize RIPlace Tactic

Thanos is the first ransomware family to feature the weaponized RIPlace tactic, enabling it to bypass ransomware protections.

Researchers have uncovered a new ransomware-as-a-service (RaaS) tool, called Thanos, which they say is increasing in popularity in multiple underground forums.

Thanos is the first ransomware family observed that advertises the use of the RIPlace tactic. RIPlace is a Windows file system technique unveiled in a proof of concept (PoC) last year by researchers at Nyotron, which can be used to maliciously alter files and which allows attackers to bypass various anti-ransomware methods.

Beyond its use of RIPlace, Thanos does not incorporate any novel functionality, and it is simple in its overall structure and functionality. But this ease of use may be why Thanos has surged in popularity among cybercriminals, according to research released Wednesday by Recorded Future’s Insikt Group and shared with Threatpost.

“Ransomware-as-a-service provides a means for less-experienced cybercriminals to employ ransomware as part of their operations, and to date, these services remain popular in underground forums,” Lindsay Kaye, director of operational outcomes for the Insikt Group at Recorded Future, told Threatpost. “It is hard to say whether ransomware-as-a-service itself will become more sophisticated in the future, but in general, ransomware actors are getting more sophisticated — they are investing money into adding more exploits, so this may materialize in the form of more sophisticated ransomware offered as part of the RaaS marketplace.”

Thanos was first spotted by researchers in January, up for sale on an underground forum. It was developed by a threat actor under the alias “Nosophoros.” Since then, the threat actor continued to develop Thanos over the past six months, with regular updates and new features (the new RIPlace tactic was first advertised in February, for instance).

The Thanos ransomware builder gives operators the ability to create ransomware clients with a range of options for use in attacks. On underground forums it’s being sold as a “Ransomware Affiliate Program,” similar to a RaaS model. The builder is offered either as a monthly “light” or a lifetime “company” subscription. The “company” version includes features the light version lacks, such as data-stealing functionality, the RIPlace tactic and lateral-movement capabilities.


The ransomware offers various configuration options, features and classes depending on the service. Researchers observed more than 80 Thanos “clients” with different configuration options enabled.

One of the company-tier features is the ability to change the Thanos encryption process to use the RIPlace technique, which was released last year by Nyotron as a PoC. The PoC showed how ransomware can replace a victim’s files with encrypted data by writing the encrypted data from memory to a new file and then using the “Rename” call to replace the original file. Because the original is never modified in place but replaced wholesale through a rename (hence the name “RIPlace”), anti-ransomware products that key on write operations to protected files can miss the change, which is what lets bad actors bypass those protections.

“In the Thanos ransomware builder, a user can choose to select the option to enable RIPlace, which results in a modification of the encryption process workflow to use the technique,” Kaye told Threatpost.
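To see why the ordering matters to a defender, the following Go program is an added example, not Nyotron’s proof of concept or anything from Recorded Future’s report. It simulates a file monitor over constructed event streams and models only what the article describes: ciphertext written to a new file and then renamed over the original. How the proof of concept steers the rename past filter drivers is not on this page and is not modelled. A monitor that keys on writes to protected document types misses the rename path; one that remembers high-entropy writes and follows renames catches it, while an editor’s ordinary write-then-rename save stays quiet:

```go
package main

import (
	"fmt"
	"math"
	"path/filepath"
	"strings"
)

// Op is one file-system event as a monitor might see it. Two kinds are
// modelled: a write of Data to Path, and a rename of Path to Dest.
type Op struct {
	Kind string // "write" or "rename"
	Path string
	Dest string // rename only
	Data []byte // write only
}

// protectedExts are document types a victim cares about (assumed list).
var protectedExts = map[string]bool{".docx": true, ".xlsx": true, ".pdf": true}

// entropyThreshold, in bits per byte, separates ciphertext-like data from
// ordinary documents. 7.5 is a common heuristic cut-off, not a page value.
const entropyThreshold = 7.5

// shannonEntropy returns the entropy of the byte-value distribution, in bits per byte.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	var h float64
	n := float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

func isProtected(path string) bool {
	return protectedExts[strings.ToLower(filepath.Ext(path))]
}

// naiveAlerts models a monitor that only inspects writes to protected files.
func naiveAlerts(ops []Op) []string {
	var alerts []string
	for _, op := range ops {
		if op.Kind == "write" && isProtected(op.Path) && shannonEntropy(op.Data) > entropyThreshold {
			alerts = append(alerts, "high-entropy write to "+op.Path)
		}
	}
	return alerts
}

// renameAwareAlerts remembers every high-entropy write, whatever the path,
// and also fires when such a file is renamed over a protected document.
func renameAwareAlerts(ops []Op) []string {
	var alerts []string
	tainted := map[string]bool{}
	for _, op := range ops {
		switch op.Kind {
		case "write":
			if shannonEntropy(op.Data) > entropyThreshold {
				tainted[op.Path] = true
				if isProtected(op.Path) {
					alerts = append(alerts, "high-entropy write to "+op.Path)
				}
			}
		case "rename":
			if tainted[op.Path] && isProtected(op.Dest) {
				alerts = append(alerts, "high-entropy file "+op.Path+" renamed over "+op.Dest)
			}
			delete(tainted, op.Path)
		}
	}
	return alerts
}

// ciphertextLike builds n bytes with a flat byte distribution (131 is odd, so
// i*131 mod 256 cycles through every value), standing in for encrypted output.
func ciphertextLike(n int) []byte {
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(i*131 + 7)
	}
	return b
}

// Constructed scenarios.
var (
	plaintext = []byte(strings.Repeat("Quarterly report, draft text. ", 140))

	// Encrypt in place: the original is overwritten.
	inPlaceOps = []Op{{Kind: "write", Path: `C:\Users\victim\report.docx`, Data: ciphertextLike(4096)}}

	// Write-then-rename, as the article describes: ciphertext goes to a new
	// file, which is then renamed over the original.
	renameOps = []Op{
		{Kind: "write", Path: `C:\Users\victim\a1b2c3.tmp`, Data: ciphertextLike(4096)},
		{Kind: "rename", Path: `C:\Users\victim\a1b2c3.tmp`, Dest: `C:\Users\victim\report.docx`},
	}

	// A normal editor "safe save" does the same dance with ordinary content.
	editorSaveOps = []Op{
		{Kind: "write", Path: `C:\Users\victim\~report.tmp`, Data: plaintext},
		{Kind: "rename", Path: `C:\Users\victim\~report.tmp`, Dest: `C:\Users\victim\report.docx`},
	}
)

func main() {
	scenarios := map[string][]Op{"in-place": inPlaceOps, "write-then-rename": renameOps, "editor save": editorSaveOps}
	for name, ops := range scenarios {
		fmt.Printf("%-18s naive=%v rename-aware=%v\n", name, naiveAlerts(ops), renameAwareAlerts(ops))
	}
}
```

The simulation is about coverage, not about the specific evasion: whatever mechanism a product uses to hook file operations, it has to treat a rename or replace that lands on a protected file as an event worth the same scrutiny as a write to that file.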


Another feature offered by the Thanos client is a lateral-movement function. This makes use of a legitimate security tool called SharpExec, which is specifically designed for lateral movement. The client downloads the SharpExec tools from a GitHub repository, scans the local network to get a list of online hosts, and uses the SharpExec’s functionality to then execute the Thanos client on remote computers.

Other features of Thanos include the ability to exfiltrate all files with a specified set of extensions, an anti-analysis tool allowing the client to perform several checks to determine whether it is executing within a virtual machine environment, and two obfuscation options.

When encrypting a victim’s data, Thanos uses a random 32-byte string generated at runtime as the password for AES file encryption. The string is then encrypted with the ransomware operator’s public key – and without the corresponding private key, recovering the encrypted files is computationally infeasible.

“The Thanos builder includes the option to use a static password for the AES file encryption,” said researchers. If this option is selected, every client generated by Thanos contains the AES password used to encrypt files. Importantly, this means that if a Thanos client is recovered after encryption has occurred, the key can be extracted from it, and the victims may be able to recover their files without paying the ransom, researchers said.
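The recovery difference between the two builder options comes down to where the file key lives. The Go program below is an added example, not Thanos code or anything from the report: it models a per-run random 32-byte key wrapped to the operator’s public key against a static key baked into the client. The article names no algorithm beyond AES, so the use of AES-256-GCM for files, RSA-OAEP for key wrapping, and the 32-byte password used directly as the AES key are assumptions:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Client models the two key-handling modes attributed to the builder.
// Cipher choices (AES-256-GCM, RSA-OAEP, raw 32-byte key) are assumptions.
type Client struct {
	OperatorPub *rsa.PublicKey // needed only in per-run random-key mode
	StaticKey   []byte         // set when the builder's "static password" option is chosen
}

// EncryptedFile is what the victim is left with. WrappedKey is empty in
// static-key mode: the key never touched the output, because it is in the client.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func sealGCM(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

func openGCM(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt produces the per-file output. In random-key mode a fresh 32-byte key
// is drawn and wrapped to the operator's public key; the raw key is then
// dropped, so nothing recoverable from the victim's machine opens the file.
func (c *Client) Encrypt(plaintext []byte) (EncryptedFile, error) {
	var out EncryptedFile
	key := c.StaticKey
	if key == nil {
		if c.OperatorPub == nil {
			return out, errors.New("random-key mode needs the operator public key")
		}
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return out, err
		}
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.OperatorPub, key, nil)
		if err != nil {
			return out, err
		}
		out.WrappedKey = wrapped
	}
	nonce, ct, err := sealGCM(key, plaintext)
	if err != nil {
		return out, err
	}
	out.Nonce, out.Ciphertext = nonce, ct
	return out, nil
}

// DecryptWithKey is the victim's path: it works only when the file key is
// known, which is the case when a static key is pulled from a recovered client.
func DecryptWithKey(key []byte, f EncryptedFile) ([]byte, error) {
	return openGCM(key, f.Nonce, f.Ciphertext)
}

// DecryptWithPrivateKey is the operator's path: unwrap the file key, then open.
func DecryptWithPrivateKey(priv *rsa.PrivateKey, f EncryptedFile) ([]byte, error) {
	if len(f.WrappedKey) == 0 {
		return nil, errors.New("no wrapped key: this file came from a static-key client")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return openGCM(key, f.Nonce, f.Ciphertext)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed victim document")

	f, _ := (&Client{OperatorPub: &priv.PublicKey}).Encrypt(doc)
	_, victimErr := DecryptWithKey(make([]byte, 32), f) // victim guessing a key
	opPlain, _ := DecryptWithPrivateKey(priv, f)
	fmt.Printf("random-key mode: victim fails=%v operator recovers=%v\n", victimErr != nil, bytes.Equal(opPlain, doc))

	// Constructed static key: identical bytes in every client the builder emits.
	static := []byte("0123456789abcdef0123456789abcdef")
	g, _ := (&Client{StaticKey: static}).Encrypt(doc)
	recovered, _ := DecryptWithKey(static, g)
	fmt.Printf("static-key mode: victim recovers=%v\n", bytes.Equal(recovered, doc))
}
```

This is also why a recovered sample matters in an incident: in static-key mode the 32 bytes are a constant in the client, and extracting them is a matter of analysis rather than cryptanalysis.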

The Future of Thanos

Based on code similarity, string reuse, the ransomware extension and the format of the ransom notes, researchers say they assess “with high confidence” that ransomware samples tracked as Hakbit are built using the Thanos ransomware builder developed by Nosophoros.

Thanos is under active development by its operators: Researchers have observed the ransomware receiving positive feedback from cybercriminals on underground forums, with claims that the tool “works flawlessly” and requests to “keep the updates coming.” That said, to date, Recorded Future researchers have not yet explicitly observed Thanos being used as part of an actual attack against a company, Kaye told Threatpost.

Researchers believe that Thanos will continue to be weaponized by threat actors, either individually, or collectively as part of its affiliate program. However, they said that “security best practices” can protect companies from the ransomware strain.

“With information security best practices such as prohibiting external FTP connections and blacklisting downloads of known-offensive security tools, the risks associated with the two key components of Thanos — data stealer and lateral movement — can be averted,” said researchers.

Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update

The June Patch Tuesday update included CVEs for 11 critical remote code-execution vulnerabilities and concerning SMB bugs.

Microsoft has released patches for 129 vulnerabilities as part of its June Patch Tuesday updates – the highest number of CVEs ever released by Microsoft in a single month.

Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products. Unlike other recent monthly updates from Microsoft, its June updates did not include any zero-day vulnerabilities being actively attacked in the wild.

“For June, Microsoft released patches for 129 CVEs covering Microsoft Windows, Internet Explorer (IE), Microsoft Edge (EdgeHTML-based and Chromium-based in IE Mode), ChakraCore, Office and Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps, and Microsoft Apps for Android,” according to Dustin Childs, with Trend Micro’s Zero Day Initiative, in a Tuesday post. “This brings the total number of Microsoft patches released this year to 616 – just 49 shy of the total number of CVEs they addressed in all of 2017.”

Microsoft’s June Patch Tuesday volume beats out the update from May, where it released fixes for 111 security flaws, including 16 critical bugs and 96 that are rated important.

SMBv3 Flaws

Satnam Narang, staff research engineer at Tenable, told Threatpost that a trio of fixes stuck out in the Patch Tuesday updates, for flaws in Microsoft Server Message Block (SMB). Two of these flaws exist in Microsoft Server Message Block 3.1.1 (SMBv3). All three vulnerabilities are notable because they’re rated as “exploitation more likely” based on Microsoft’s Exploitability Index.

The two flaws in SMBv3 are a denial-of-service vulnerability (CVE-2020-1284) and an information-disclosure vulnerability (CVE-2020-1206), both exploitable by a remote attacker sending specially crafted packets to an SMBv3 server.

Narang said the flaws “follow in the footsteps” of CVE-2020-0796, a “wormable” remote code execution flaw in SMBv3 that was patched back in March, dubbed “SMBGhost.” CISA recently warned that the release of a fully functional proof-of-concept (PoC) for SMBGhost could soon spark a wave of cyberattacks.

The third vulnerability patched in Microsoft SMB, CVE-2020-1301, is a remote code-execution vulnerability that exists in the way SMBv1 handles requests. To exploit the flaw, an attacker would need to be authenticated and to send a specially crafted packet to a targeted SMBv1 server.

Narang said this flaw “might create a sense of déjà vu” for another remote code-execution vulnerability in SMBv1, EternalBlue, which was used in the WannaCry 2017 ransomware attacks.

“However, the difference between these two is that EternalBlue could be exploited by an unauthenticated attacker, whereas this flaw requires authentication, according to Microsoft,” he said. “This vulnerability affects Windows 7 and Windows 2008, both of which reached their end of support in January 2020. However, Microsoft has provided patches for both operating systems.”


Various critical remote code-execution flaws were discovered in VBScript, Microsoft’s Active Scripting language that is modeled on Visual Basic (CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230 and CVE-2020-1260). The flaws exist in the way that the VBScript engine handles objects in memory; an attacker could corrupt memory in such a way that allows them to execute arbitrary code in the context of the current user.

In a real-life attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” said Microsoft. “If the current user is logged on with administrative-user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.”

Other Critical Flaws

Also of note is a critical flaw (CVE-2020-1299) in Microsoft Windows that could allow remote code execution if a .LNK file is processed. A .LNK file is a shortcut or “link.” An attacker can place a malicious .LNK file and an associated malicious binary on a removable drive or remote share, then convince the victim to open the drive or share in Windows Explorer; when Explorer parses the .LNK file, the binary it points to executes. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, according to Microsoft.

The update also addressed a Windows critical RCE flaw (CVE-2020-1300) that exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver, according to Microsoft’s update.

Another critical vulnerability (CVE-2020-1286) exists due to Windows Shell not properly validating file paths. An attacker could exploit the flaw by convincing a user to open a specially crafted file, and then would be able to run arbitrary code in the context of the user, according to Microsoft’s update.

“If the current user is logged on as an administrator, an attacker could take control of the affected system,” said Microsoft. “An attacker could then install programs; view, change or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.”

A critical flaw (CVE-2020-1181) in SharePoint server was also fixed, stemming from the server failing to properly identify and filter unsafe ASP.Net web controls. The flaw can be abused by an authenticated, remote user who invokes a specially crafted page on an affected version of Microsoft SharePoint Server, allowing them to execute code.

Microsoft also issued updates addressing Windows 10, 8.1 and Windows Server versions affected by a critical, use-after-free Adobe Flash Player flaw (CVE-2020-9633). According to Microsoft, “In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website.”

Meanwhile, Adobe earlier on Tuesday released patches for four critical flaws in Flash Player and in its Framemaker document processor as part of its regularly scheduled updates. The bugs, if exploited, could enable arbitrary code-execution.

Dark Basin Hack-For-Hire Group Targeted Thousands Over 7 Years

Thousands of journalists, advocacy groups and politicians worldwide were targeted by Dark Basin.

A hack-for-hire group, called Dark Basin, has been outed after targeting thousands of individuals and organizations worldwide – including advocacy groups and journalists, elected and senior government officials, and hedge funds – over the course of seven years.

Dark Basin conducted commercial espionage on behalf of their clients, against customers’ opponents involved in high-profile public events, criminal cases, financial transactions, news stories and advocacy, according to researchers at Citizen Lab. In all, more than 10,000 victim email accounts were targeted, according to Reuters, who broke the news.

“Citizen Lab has notified hundreds of targeted individuals and institutions and, where possible, provided them with assistance in tracking and identifying the campaign,” according to a report on Dark Basin released by Citizen Lab researchers on Tuesday. “At the request of several targets, Citizen Lab shared information about their targeting with the U.S. Department of Justice (DoJ). We are in the process of notifying additional targets.”

Citizen Lab first discovered the group in 2017 after it was contacted by a journalist who had been targeted with phishing attempts. The phishing was linked to a custom URL shortener, which was tied to a larger network of almost 28,000 URL shorteners containing the email addresses of targets and operated by Dark Basin.

Tactics, Techniques and Procedures

The group sent highly targeted phishing emails to its targets from a range of email accounts, including Gmail accounts and self-hosted accounts. The use of URL shorteners for masking phishing sites is a staple for the group – researchers said that over 16 months, they observed 28 unique URL shortener services that were operated by Dark Basin.

These malicious links led to phishing sites, designed to look identical to popular online web services such as Google Mail, Yahoo Mail, Facebook and others. These landing pages then stole the credentials of victims.

“Sophistication of the bait content, specificity to the target, message volume and persistence across time varied widely between clusters,” researchers said. “It appears that Dark Basin’s customers may receive varying qualities of service and personal attention, possibly based on payment, or relationships with specific intermediaries.”

Widespread Targeting

Researchers tied the group to years of attacks against various targets. That includes at least two American advocacy groups who were requesting that the Federal Communications Commission (FCC) preserve net-neutrality rules in the U.S. (in a campaign previously uncovered by the EFF); U.S. non-governmental organizations Fight for the Future and Free Press; and journalists from multiple major U.S. media outlets.

For instance, the group targeted campaigners involved with #ExxonKnew, which is a campaign that claims that ExxonMobil hid information about climate change for decades. That included targeting #ExxonKnew campaigners’ family members with phishing emails – in at least one case a target’s minor child was among those targeted.

Phishing bait from Dark Basin.

As part of their investigation, researchers linked the phishing attacks with highly targeted emails, purporting to come from other campaigners or from legal counsel involved in litigation against ExxonMobil, that referenced targets’ work on ExxonMobil and climate change. In other cases, Dark Basin sent emails with fake Google News updates involving ExxonMobil. The emails would then contain a malicious URL that brought victims to the landing page.

In 2016, a private #ExxonMobil email inviting campaigners to a January 2016 meeting was leaked by unknown parties to two newspapers, including the Wall Street Journal.

“The leak of the January 2016 email, as well as suspicious emails noticed by campaigners, led some present at the meeting to suspect their private communications may have been compromised,” said researchers. “We later determined that all but two recipients of the leaked January email were also Dark Basin targets.”

BellTroX InfoTech Services

Researchers also associated Dark Basin with BellTroX InfoTech Services, an India-based technology company, with “high confidence.” Threatpost has reached out to BellTroX InfoTech Services for comment but had not heard back by publication time.

BellTroX InfoTech home page.

“We are an independent firm of transcriptionists, designers, developers, engineers, consultants and technical specialists offering a broad range of professional services. Through our work, we make a positive difference in the world,” according to BellTroX’s website.

Several clues led researchers to link Dark Basin to the company. Initially, researchers found that timestamps in the phishing emails were consistent with the working hours in India’s UTC+5:30 time zone. Several of Dark Basin’s URL shortening services also had names associated with India (Holi, Rongali and Pochanchi, for example).
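The time-zone reasoning above can be reproduced as a simple analytic. The following Python script is an added example (not Citizen Lab's code): it converts a constructed set of email Date headers to IST, measures how many fall inside an assumed 09:00-18:59 working window, and then scores every half-hour UTC offset the same way so an analyst can see whether UTC+5:30 fits the pattern better than alternatives.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Candidate operator time zone named in the report: India Standard Time (UTC+5:30).
IST = timezone(timedelta(hours=5, minutes=30), name="IST")
WORK_HOURS = range(9, 19)  # 09:00-18:59 local; an assumed "business hours" window

# Constructed sample Date headers from one phishing cluster (not real Dark Basin data).
SAMPLE_DATES = [
    "Mon, 14 Jan 2019 04:12:33 +0000",  # 09:42 IST
    "Tue, 15 Jan 2019 07:55:01 +0000",  # 13:25 IST
    "Wed, 16 Jan 2019 11:30:00 +0000",  # 17:00 IST
    "Thu, 17 Jan 2019 05:05:45 +0000",  # 10:35 IST
    "Fri, 18 Jan 2019 09:00:00 +0000",  # 14:30 IST
    "Sat, 19 Jan 2019 22:45:00 +0000",  # 04:15 IST next day (off hours)
    "Mon, 21 Jan 2019 03:40:10 +0000",  # 09:10 IST
    "Mon, 21 Jan 2019 12:15:00 -0500",  # 17:15 UTC, 22:45 IST (off hours)
]

def local_hours(date_headers, tz):
    """Convert each RFC 5322 Date header to tz and return the local hour of day for each."""
    hours = []
    for raw in date_headers:
        dt = parsedate_to_datetime(raw)  # honours the header's own UTC offset
        hours.append(dt.astimezone(tz).hour)
    return hours

def working_hours_fraction(date_headers, tz, work_hours=WORK_HOURS):
    """Fraction of messages sent inside the assumed working-hours window in tz."""
    hours = local_hours(date_headers, tz)
    if not hours:
        return 0.0
    inside = sum(1 for h in hours if h in work_hours)
    return inside / len(hours)

def best_fitting_offsets(date_headers, work_hours=WORK_HOURS):
    """Score every half-hour UTC offset (UTC-12 to UTC+14) by working-hours fit, best first."""
    scores = []
    for half_hours in range(-24, 29):
        offset = timedelta(minutes=30 * half_hours)
        frac = working_hours_fraction(date_headers, timezone(offset), work_hours)
        scores.append((half_hours / 2, frac))
    scores.sort(key=lambda s: -s[1])
    return scores

if __name__ == "__main__":
    print(f"IST working-hours fit: {working_hours_fraction(SAMPLE_DATES, IST):.2f}")
    print("Best offsets:", best_fitting_offsets(SAMPLE_DATES)[:3])
```

A single cluster rarely singles out one offset, since neighbouring offsets score similarly; the signal comes from combining this with other indicators, as the researchers did with the shortener names and bait documents.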

Then, upon further investigation, they were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a C.V. (resume), as bait content when testing their URL shorteners.

The employees also put up social-media posts taking credit for attack techniques, which contained screenshots of links to Dark Basin infrastructure, researchers said. The company’s “staff activities” listed on LinkedIn include email penetration, exploitation, corporate espionage and more.

“BellTroX and its employees appear to use euphemisms for promoting their services online, including ‘Ethical Hacking’ and ‘Certified Ethical Hacker,’” they said. “BellTroX’s slogan is: ‘you desire, we do!’”

As of Sunday (June 7), BellTroX’s website began serving an error message. Researchers said that postings and other materials linking BellTroX to these operations have since been deleted.


Researchers said that they believe that in at least one case, Dark Basin repurposed a stolen internal email to re-target other individuals – leading them to conclude that Dark Basin had “some success” in gaining access to the email accounts of one or more advocacy groups.

Researchers said that the use of hack-for-hire firms may be fueled by an increasing normalization of commercialized cyber-offensive activity, including surveillance and “hacking back.” Recently, for instance, researchers with Google’s Threat Analysis Group (TAG) warned that they’ve spotted a spike in activity from several India-based firms that have been creating Gmail accounts that spoof the World Health Organization (WHO) to send coronavirus-themed phishing emails.

“Dark Basin’s activities make it clear that there is a large and likely growing hack-for-hire industry,” Citizen Lab researchers said. “Hack-for-hire groups enable companies to outsource activities like those described in this report, which muddies the waters and can hamper legal investigations.”