"Spyware Blitzes Compromise, Cannibalize ICS Networks"

Researchers have discovered attackers targeting industrial enterprises with spyware campaigns that aim to steal corporate credentials for financial gain and then cannibalize the compromised networks to launch additional attacks. Although the campaigns use off-the-shelf spyware, they are unusual in that each malicious sample is limited in scope and lifetime; the researchers consider the attacks anomalous because they do not follow the typical spyware pattern. One researcher explained that the attackers send spearphishing emails from compromised corporate mailboxes, with malicious attachments that deliver the spyware. The attackers abuse the industrial enterprises' own SMTP services both to send the spearphishing emails and to collect the data stolen by the spyware, in effect using the corporate mail infrastructure as command-and-control (C2), which lets them launch future attacks. The initially stolen data is believed to be used by the threat operators to spread the attack inside the local network of the compromised organization and to attack additional organizations. The researchers noted that the malware used in the attacks typically belonged to the AgentTesla/Origin Logger, Snake Keylogger, Azorult, Noon/Formbook, and other well-known commodity spyware families. Nearly 45 percent of the computers targeted in the campaigns are Industrial Control System (ICS)-related and have access to their respective company's corporate email service. Over 2,000 corporate email accounts belonging to industrial companies have been stolen and leveraged as next-attack C2 in the malicious campaigns, and the researchers estimate that more than 7,000 corporate email accounts in total have been stolen, sold, or used in other ways. This article continues to discuss findings regarding the spyware campaigns aimed at collecting corporate credentials.
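As an added illustration (not from the Threatpost article or the researchers' findings), a defender-side check over constructed SMTP submission log lines for the pattern described above: one stolen corporate mailbox credential reused from several ICS-side hosts to push attachment-bearing mail to a single external drop box. The log format, thresholds, hostnames and addresses are all assumptions.

```python
from collections import defaultdict

# Constructed sample of mail-submission (SMTP AUTH) log lines, not a real
# vendor format: timestamp, authenticated account, submitting host,
# recipient, attachment flag (1/0).
SAMPLE_LOG = """\
2022-01-10T08:01:12 hmi.ops@plant.example.com 10.20.1.15 collector@mailhost.example.net 1
2022-01-10T08:01:40 hmi.ops@plant.example.com 10.20.1.16 collector@mailhost.example.net 1
2022-01-10T08:02:05 hmi.ops@plant.example.com 10.20.1.17 collector@mailhost.example.net 1
2022-01-10T08:02:30 hmi.ops@plant.example.com 10.20.1.15 bob@plant.example.com 0
2022-01-10T08:03:00 alice@plant.example.com 10.20.1.40 partner@vendor.example.org 1
2022-01-10T08:05:10 alice@plant.example.com 10.20.1.40 partner@vendor.example.org 1
"""

def parse_log(text):
    """Yield (account, src_host, rcpt, has_attachment) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, account, host, rcpt, flag = parts
        yield account, host, rcpt, flag == "1"

def suspicious_accounts(records, min_hosts=3, min_msgs=3):
    """Flag accounts that (a) authenticate from >= min_hosts distinct hosts and
    (b) send >= min_msgs attachment-bearing messages to one external mailbox:
    the shape of a single stolen credential being reused by spyware on several
    machines to push collected data to one drop box via the corporate SMTP server."""
    hosts = defaultdict(set)
    external = defaultdict(lambda: defaultdict(int))
    for account, host, rcpt, has_attachment in records:
        hosts[account].add(host)
        own_domain = account.rsplit("@", 1)[-1].lower()
        if has_attachment and not rcpt.lower().endswith("@" + own_domain):
            external[account][rcpt] += 1
    flagged = {}
    for account, seen in hosts.items():
        if len(seen) < min_hosts or not external[account]:
            continue
        rcpt, count = max(external[account].items(), key=lambda kv: kv[1])
        if count >= min_msgs:
            flagged[account] = {"hosts": sorted(seen), "drop_box": rcpt, "messages": count}
    return flagged

if __name__ == "__main__":
    for account, info in suspicious_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {info['messages']} attachment mails to {info['drop_box']} "
              f"from {len(info['hosts'])} hosts {info['hosts']}")
```

Alice's normal vendor correspondence from a single workstation stays below both thresholds, while the shared HMI account is flagged.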

Threatpost reports "Spyware Blitzes Compromise, Cannibalize ICS Networks"
