CyberSecurity news


@securebulletin.com //
A new wave of cyberattacks is combining social engineering with technical intrusion to breach corporate networks. Security firms are reporting a rise in attacks linked to the 3AM ransomware operation. These attacks begin with an overwhelming flood of emails, known as email bombing, directed at specific employees. This is followed by spoofed phone calls in which the attackers impersonate the organization's IT support team and try to talk the employee into granting remote access to their computer. The use of live phone calls, rather than email alone, marks a notable escalation in social engineering sophistication.

Once the attackers have the employee's trust, they persuade them to launch Microsoft Quick Assist, a legitimate Windows remote assistance tool. This hands the attackers an interactive session on the victim's machine under the guise of fixing a problem. That initial access is then used to deploy a malicious payload, which may include a virtual machine or other tooling designed to evade detection by the security software running on the host. With control of the system, the attackers install additional malicious software, create new user accounts, and escalate to administrative privileges.

Sophos has documented multiple ransomware actors leveraging an attack pattern first reported by Microsoft: "email bombing" to overload a targeted employee with unwanted emails, followed by a voice or video call over Microsoft Teams in which the caller poses as a tech support team member to deceive that employee into allowing remote access to their computer. BleepingComputer reports that highly targeted intrusions involving email bombing and fake IT support calls were launched by threat actors linked to the 3AM ransomware operation during the first quarter of this year. The remote access obtained this way lets the attackers perform reconnaissance, create local admin accounts, and install remote management tools for persistence and lateral movement within the network, often resulting in significant data exfiltration.
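The chain described in the paragraphs above (a Quick Assist launch, then a new local account, then Administrators membership and/or a remote-management tool starting on the same host) is something a SOC can correlate from Windows Security log events. The following is an added example written for this page, not code from Secure Bulletin, Sophos, BleepingComputer or the 3AM affiliate. The pipe-delimited log format, hostnames, account names and RMM binary watchlist are constructed for illustration; event IDs 4688, 4720 and 4732 are the real Windows Security log IDs for process creation, user account creation and local group membership changes.

```python
"""Hunt for the chain described above in Windows Security log events:
Quick Assist launch, then a new local account, then Administrators membership
and/or a remote-management tool start on the same host within a time window.
Added example for this page; the pipe-delimited log format, the hostnames and
the RMM watchlist are constructed for illustration and are not from any report."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List
import ntpath

# Real, documented Windows Security event IDs.
PROCESS_CREATED = 4688           # NewProcessName carries the image path
USER_ACCOUNT_CREATED = 4720      # TargetUserName is the new account
LOCAL_GROUP_MEMBER_ADDED = 4732  # TargetUserName is the group, MemberName the account

# Assumed watchlist for this example; replace with the RMM tools your estate
# does NOT sanction. Names here are illustrative, not taken from the incident reports.
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe",
                "teamviewer.exe", "atera.exe"}
ADMIN_GROUPS = {"administrators"}
WINDOW = timedelta(hours=2)  # keep watching a host this long after Quick Assist starts


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    fields: Dict[str, str]


@dataclass
class Chain:
    """Activity observed on one host after a Quick Assist session began."""
    host: str
    started: datetime
    new_accounts: List[str] = field(default_factory=list)
    admin_adds: List[str] = field(default_factory=list)
    rmm_tools: List[str] = field(default_factory=list)

    def suspicious(self) -> bool:
        # Quick Assist alone is normal help-desk traffic; privilege gain or a
        # second remote-access channel after it is what separates this chain.
        return bool(self.admin_adds or self.rmm_tools)


def parse_line(line: str) -> Event:
    """Constructed format: ISO time|host|event id|Key=Value|Key=Value..."""
    ts, host, event_id, *kvs = line.split("|")
    fields = dict(kv.partition("=")[::2] for kv in kvs)  # (key, value) pairs
    return Event(datetime.fromisoformat(ts), host, int(event_id), fields)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def correlate(lines: List[str]) -> List[Chain]:
    """Return the chains that cross the suspicious threshold, oldest first."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    live: Dict[str, Chain] = {}
    closed: List[Chain] = []

    for e in events:
        chain = live.get(e.host)
        if chain and e.ts - chain.started > WINDOW:
            closed.append(live.pop(e.host))  # watch window expired for this host
            chain = None

        if e.event_id == PROCESS_CREATED:
            image = image_name(e.fields.get("NewProcessName", ""))
            if image == "quickassist.exe":
                if chain:  # a second Quick Assist session restarts the window
                    closed.append(chain)
                live[e.host] = Chain(e.host, e.ts)
            elif chain and image in RMM_BINARIES:
                chain.rmm_tools.append(image)
        elif e.event_id == USER_ACCOUNT_CREATED and chain:
            chain.new_accounts.append(e.fields.get("TargetUserName", ""))
        elif e.event_id == LOCAL_GROUP_MEMBER_ADDED and chain:
            if e.fields.get("TargetUserName", "").lower() in ADMIN_GROUPS:
                chain.admin_adds.append(e.fields.get("MemberName", ""))

    closed.extend(live.values())
    return sorted((c for c in closed if c.suspicious()), key=lambda c: c.started)


# Constructed sample: one host shows the full chain, one is a benign Quick Assist
# session, one creates a service account with no Quick Assist at all.
SAMPLE_LOG = """\
2025-03-04T09:12:03|WS-FIN-07|4688|NewProcessName=C:\\Windows\\System32\\QuickAssist.exe|SubjectUserName=jdoe
2025-03-04T09:41:17|WS-FIN-07|4720|TargetUserName=support|SubjectUserName=jdoe
2025-03-04T09:41:20|WS-FIN-07|4732|TargetUserName=Administrators|MemberName=WS-FIN-07\\support|SubjectUserName=jdoe
2025-03-04T09:52:48|WS-FIN-07|4688|NewProcessName=C:\\ProgramData\\AnyDesk.exe|SubjectUserName=support
2025-03-04T10:05:00|WS-HR-02|4688|NewProcessName=C:\\Windows\\System32\\QuickAssist.exe|SubjectUserName=asmith
2025-03-04T11:30:00|WS-HR-02|4688|NewProcessName=C:\\Windows\\System32\\notepad.exe|SubjectUserName=asmith
2025-03-04T14:00:00|SRV-BUILD-01|4720|TargetUserName=svc_ci|SubjectUserName=Administrator
"""

if __name__ == "__main__":
    for c in correlate(SAMPLE_LOG.splitlines()):
        print(f"ALERT {c.host}: Quick Assist at {c.started:%H:%M}, new accounts={c.new_accounts}, "
              f"added to admins={c.admin_adds}, RMM started={c.rmm_tools}")
```

A Quick Assist launch on its own is deliberately not flagged, since help desks use the tool legitimately; the alert fires only when an Administrators membership change or a second remote-access tool follows on the same host inside the window. In a real deployment the same logic would consume 4688/4720/4732 events from a SIEM rather than flat lines, and the watchlist should exclude whatever RMM product the organization actually sanctions.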

References:
  • bsky.app: Bsky post about 3AM ransomware posing as a call from IT support to compromise networks.
  • securebulletin.com: Secure Bulletin post covering 3AM Ransomware attacks
  • www.bleepingcomputer.com: BleepingComputer post about 3AM ransomware uses spoofed IT calls
  • www.tripwire.com: Tripwire State of Security blog post on 3AM ransomware attack posing as a call from IT support.
  • www.scworld.com: SC World coverage of the BleepingComputer report on targeted intrusions using email bombing and fake IT support calls by threat actors linked to the 3AM ransomware operation.
  • BleepingComputer: A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems.
  • The DefendOps Diaries: Explore the sophisticated tactics of 3AM ransomware, including social engineering and advanced encryption, to protect your network.
  • Graham Cluley: 3AM ransomware attack poses as a call from IT support to compromise networks
Classification:
  • HashTags: #3AMRansomware #SocialEngineering #CyberAttack
  • Company: Tripwire, SecureBulletin
  • Target: Corporate Networks
  • Attacker: 3AM Ransomware Affiliate
  • Feature: Social Engineering
  • Type: Ransomware
  • Severity: High