The Social Engineering Behind Operation Sharpshooter, Rising Sun
We are learning more about Operation Sharpshooter, an espionage campaign that targeted financial services, government and critical infrastructure, primarily in Germany, Turkey, the UK and the US. It is important to show how easily this attack was delivered to end users and how quickly it can infect your enterprise. Despite millions invested in user awareness training and anti-phishing tests, enterprises are still breached daily by simple social engineering, which relies on two key human nature “hacks” that can trick even the most skeptical users: Overload and Fear of Missing Out (FOMO).
Maybe My Invoice Is Overdue?
Everyone is overloaded, at work and with our personal lives, and important things sometimes slip through the cracks. Panic sets in when we think we missed a payment and our mind races: Did I overlook an email? Did the bill get lost in the mail? Or does this bill notify me via an app?
Since clicking a link seems safer than opening an attachment, many users see little risk and succumb to the “overload” hack. They click the link. Strike one.
Unfortunately, this link leads directly to a weaponized document. The user is already committed to figuring out which bill was missed, and since the file was not blocked, it must be OK, right?
Now the document is opened. Strike two.
Maybe My Office Suite Is Out of Date?
If a user has already “invested” two clicks into this process, they are not likely to be deterred from the third and most deadly click: enabling active content.
Since users are afraid of missing out on something important, they succumb to the “FOMO” hack and enable the malicious content, quite literally inviting the malware into the organization. Strike three.
Word promptly launches the Command Prompt, then downloads and runs a malicious executable.
The thing is, this isn’t a bug, an exploit, or a Zero-day attack. It’s simple, garden-variety social engineering, preying on busy users and “living off the land” using built-in features of the Microsoft Office Suite.
Once they gain a foothold on a single machine, the attacker is free to download additional malware, escalate privileges, steal credentials, and move laterally within the organization.
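The parent-child relationship described above (Word launching the Command Prompt, which then fetches and runs an executable) is exactly the kind of behaviour an endpoint detection rule can catch regardless of which lure the user fell for. The following Python script is an added example for this post, not code from the original article or from any vendor; it runs over a few constructed process-creation log lines in an assumed `key=value` format (not any real product's schema) and flags shells or script hosts whose parent is an Office application.

```python
"""Flag Office applications spawning a command shell or script host.

Added detection example. The log format below is an assumption made for
this example; adapt parse_line() to your own process-creation telemetry.
"""
import re
from typing import Dict, List

# Parent processes that should rarely launch a shell during normal use.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Child processes whose launch from an Office parent is suspicious.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events (assumed key=value format, quoted values may contain spaces).
SAMPLE_LOG = """\
ts=2018-12-13T09:14:02Z host=ws17 parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c [redacted]"
ts=2018-12-13T09:14:05Z host=ws17 parent="C:\\Windows\\explorer.exe" image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" cmdline="WINWORD.EXE invoice.docx"
ts=2018-12-13T09:15:11Z host=ws22 parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe"
ts=2018-12-13T09:16:30Z host=ws17 parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe [redacted]"
"""

# A field is key=value where value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict of fields, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_office_spawned_shell(event: Dict[str, str]) -> bool:
    """True when an Office application is the direct parent of a shell or script host."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    return parent in OFFICE_PARENTS and image in SHELL_CHILDREN


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return every event in log_text that matches the Office-to-shell rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if is_office_spawned_shell(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']}: {basename(hit['parent'])} -> {basename(hit['image'])}")
```

The rule deliberately keys on the parent-child pair rather than on any file hash or URL, because the same behaviour shows up whatever the lure document or download location; expect to add an allow-list for any internal macro tooling that legitimately shells out from Office before deploying it broadly.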
Nobody’s perfect. People slip up. With application isolation and control, your users — and your entire organization — are protected against the inevitable foibles of human nature. Overload and FOMO aren’t going away anytime soon so isolate risky activity on endpoints to be sure!