In callback phishing emails, hackers pretend to be well-known cybersecurity firms such as CrowdStrike in order to gain initial access to corporate networks.
Most phishing campaigns rely either on links to landing pages where credentials are stolen or on emails with malicious attachments that install malware.
Over the past year, however, threat actors have increasingly turned to “callback” phishing campaigns, in which they pose as well-known businesses and ask the recipient to call a phone number to resolve a problem, cancel a subscription renewal, or discuss some other matter.
When the target calls the number, the threat actors use social engineering to persuade them to install remote access software on their device, which grants the attackers initial access to the corporate network. That access is then used to compromise the entire Windows domain.
Posing as cybersecurity companies
In a fresh callback phishing campaign, the hackers mimic CrowdStrike to warn recipients that dangerous intruders have compromised their workstations and that a thorough security audit is necessary.
As the email excerpt below shows, these callback phishing emails are primarily an exercise in social engineering and lay out the reasons why the sender should be granted access to the recipient’s device.
“We have found unusual activity relating to the network segment that your work station is a part of during the daily network assessment. The exact domain administrator that oversaw the network has been located, and we fear a potential compromise that might impact all workstations on this network, including yours. As a result, we are thoroughly auditing every workstation.
We have already contacted your information security department directly, however in order to resolve a potential location workstation compromise, they directed us to the specific users of these workstations, i.e., employees.”
Finally, the phishing email asks the employee to call the provided number to schedule the security audit of their workstation.
If the employee calls, the hackers walk them through installing remote administration tools (RATs), which give the threat actors total control over the workstation.
With the ability to remotely install further tools, the threat actors can more easily spread through the network, steal business data, and potentially deploy ransomware to encrypt devices.
In its research report, CrowdStrike predicts that, like previous callback phishing campaigns, this one will likely lead to a ransomware attack.
CrowdStrike cautions that this is the first known callback campaign to impersonate cybersecurity companies, and that the urgency surrounding a reported intrusion works in the attackers’ favour.
CrowdStrike adds that in March 2022 its analysts observed a similar campaign in which threat actors installed Cobalt Strike via AteraRMM and then moved laterally across the victim’s network before deploying malware.
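A defender-side check for the mechanism described above, added here as an example (not code from the article, CrowdStrike or AdvIntel): it scans constructed process-creation events and flags remote-administration tools started on hosts where IT has not approved them, rating a user-launched install (the outcome of a successful callback phish) higher than one pushed by an assumed deployment agent. The log format, hostnames, tool-name patterns, parent-process name and allowlist are all assumptions.

```python
"""Flag RMM tools launched on workstations outside IT-sanctioned deployment.
Added example, not code from the article or from CrowdStrike/AdvIntel; the
log format, tool names, hosts and allowlist are constructed for illustration."""
import re

# Substrings seen in RMM tool image names. Only "atera" comes from the
# article; the others are placeholders for what your EDR actually reports.
RMM_PATTERNS = ("atera", "rmm", "remoteadmin")
APPROVED = {("ws-it-01", "atera")}  # (host, tool) pairs IT sanctioned (assumed)
DEPLOY_PARENT = "it-deploy.exe"     # IT's rollout agent (assumed name)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=process_create image=(?P<image>\S+) parent=(?P<parent>\S+)$"
)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def rmm_tool(image):
    """Return the matching RMM pattern for an image path, else None."""
    name = basename(image)
    return next((p for p in RMM_PATTERNS if p in name), None)

def detect(lines):
    """Alert on RMM tools started on hosts where they are not approved.
    A user-driven launch (parent explorer.exe), which is what a successful
    callback phish produces, is rated high; an IT rollout is rated low."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a process-creation event in the expected format
        tool = rmm_tool(m["image"])
        if tool is None or (m["host"], tool) in APPROVED:
            continue
        sev = "low" if basename(m["parent"]) == DEPLOY_PARENT else "high"
        alerts.append({"host": m["host"], "user": m["user"],
                       "tool": tool, "severity": sev})
    return alerts

# Constructed sample events: sanctioned install, user-driven install,
# IT-rollout install, and an unrelated process.
SAMPLE_LOG = [
    "2022-07-08T10:01:00Z host=ws-it-01 user=itadmin event=process_create image=C:\\Tools\\AteraSetup.exe parent=C:\\Windows\\explorer.exe",
    "2022-07-08T10:05:00Z host=ws-fin-07 user=jdoe event=process_create image=C:\\Users\\jdoe\\Downloads\\rmm-installer.exe parent=C:\\Windows\\explorer.exe",
    "2022-07-08T10:09:00Z host=ws-hr-03 user=SYSTEM event=process_create image=C:\\ProgramData\\RemoteAdminAgent.exe parent=C:\\Deploy\\it-deploy.exe",
    "2022-07-08T10:12:00Z host=ws-fin-07 user=jdoe event=process_create image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe",
]
```

Running `detect(SAMPLE_LOG)` yields two alerts: a high-severity one for the user-launched installer on ws-fin-07 and a low-severity one for the IT rollout on ws-hr-03, while the sanctioned Atera install and notepad produce nothing.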
Perhaps connected to the Quantum ransomware
Callback phishing campaigns became widespread with the BazarCall campaigns, which the Conti ransomware gang used in 2021 to gain initial access to corporate networks.
Since then, callback phishing campaigns have used a variety of lures, such as online course renewals, antivirus subscription renewals, and support subscriptions.
AdvIntel’s Vitali Kremez told BleepingComputer that the campaign observed by CrowdStrike is believed to be run by the Quantum ransomware group, which has started its own BazarCall-like operation.
“On June 21, 2022, AdvIntel learned that Quantum was preparing a new IOC based on a threat actor pretending to be an IT expert from Mandiant or CrowdStrike in an effort to persuade a victim to enable the threat actor to do an ‘examination’ of the victim’s computer,” reads the Andariel Threat Prevention solution report that the company gave to BleepingComputer.
Quantum, currently one of the fastest-growing enterprise-targeting ransomware operations, has been linked to a recent attack on PFC that affected over 650 healthcare organizations.
Security researchers have also confirmed that a large number of former Conti members moved to Quantum after the Conti operation was shut down due to heightened attention from researchers and law enforcement.
While such phishing emails would have struggled to succeed on a wide scale in the past, today’s environment, in which many employees work remotely from home and apart from their IT staff, greatly improves the threat actors’ chances of success.