Kaspersky’s team has discovered several credential-stealing campaigns that target industrial enterprises.
The actors deploy off-the-shelf spyware tools for only a short time to avoid detection. Examples of such commodity malware include AgentTesla/Origin Logger and HawkEye.
Kaspersky classes these attacks as anomalous because they differ from typical spyware campaigns: each sample has a lifespan of roughly 25 days, far shorter than a conventional spyware campaign, and each campaign compromises only a small number of systems, usually fewer than one hundred. About half of the compromised systems are ICS (industrial control system) computers.
Another unusual aspect of these campaigns is that they use SMTP as the command-and-control channel: the malware emails stolen data out rather than talking to a web-based C2 server. Used this way, SMTP is a one-way channel, suitable only for exfiltrating sensitive information, not for receiving commands.
The attackers use the stolen employee credentials to get into the company’s network and then move laterally within it. They also reuse corporate mailboxes compromised in earlier attacks to run new ones, so the malicious messages originate from legitimate internal accounts, which makes them very hard to detect.
“Curiously, corporate antispam technologies help the attackers stay unnoticed while exfiltrating stolen credentials from infected machines by making them ‘invisible’ among all the garbage emails in spam folders,” explains Kaspersky’s report.
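Because the exfiltration channel is plain authenticated SMTP, the sending side leaves a trail even when the recipient's spam filter hides the messages. The script below is an added example, not code from Kaspersky's report, of a hunt a defender could run over their own mail submission logs. Its heuristic is an assumption: a mailbox whose password has been planted in a spyware configuration tends to be authenticated from many different client hosts, and nearly every message it sends goes to a single external drop address, whereas a real user's mailbox does neither. The log lines, hostnames, addresses and thresholds are all constructed for illustration; the line shapes approximate Postfix `smtpd` and `smtp` entries.

```python
"""Hunt for corporate mailboxes abused as spyware exfiltration relays.

Heuristic (an assumption, not taken from the report): flag a mailbox when it is
authenticated from at least `min_hosts` distinct client IPs and at least
`min_share` of its messages go to one external recipient (the drop address).
"""
import re
from collections import defaultdict

# Constructed Postfix-style submission log for illustration only (not real data).
# The infected workstations authenticate as accounting@ and mail a drop address;
# alice@ is a normal user sending from her own machine to several recipients.
SAMPLE_LOG = """\
Mar 14 10:01:02 mx1 postfix/submission/smtpd[2201]: Q1001: client=unknown[10.20.3.41], sasl_method=LOGIN, sasl_username=accounting@example.com
Mar 14 10:01:03 mx1 postfix/smtp[2305]: Q1001: to=<drop-box@mail.example.net>, relay=mail.example.net[203.0.113.9]:25, status=sent (250 OK)
Mar 14 10:03:17 mx1 postfix/submission/smtpd[2201]: Q1002: client=unknown[10.20.7.112], sasl_method=LOGIN, sasl_username=accounting@example.com
Mar 14 10:03:18 mx1 postfix/smtp[2305]: Q1002: to=<drop-box@mail.example.net>, relay=mail.example.net[203.0.113.9]:25, status=sent (250 OK)
Mar 14 10:05:40 mx1 postfix/submission/smtpd[2201]: Q1003: client=unknown[10.20.12.5], sasl_method=LOGIN, sasl_username=accounting@example.com
Mar 14 10:05:41 mx1 postfix/smtp[2305]: Q1003: to=<drop-box@mail.example.net>, relay=mail.example.net[203.0.113.9]:25, status=sent (250 OK)
Mar 14 10:09:02 mx1 postfix/submission/smtpd[2201]: Q1004: client=unknown[10.20.9.77], sasl_method=LOGIN, sasl_username=accounting@example.com
Mar 14 10:09:03 mx1 postfix/smtp[2305]: Q1004: to=<drop-box@mail.example.net>, relay=mail.example.net[203.0.113.9]:25, status=sent (250 OK)
Mar 14 10:10:11 mx1 postfix/submission/smtpd[2201]: Q1005: client=ws-alice.example.com[10.20.3.41], sasl_method=LOGIN, sasl_username=alice@example.com
Mar 14 10:10:12 mx1 postfix/smtp[2305]: Q1005: to=<bob@example.com>, relay=local, status=sent (250 OK)
Mar 14 10:10:12 mx1 postfix/smtp[2305]: Q1005: to=<vendor@example.org>, relay=mail.example.org[198.51.100.7]:25, status=sent (250 OK)
"""

# Authenticated submission: queue id, client IP and the SASL account used.
SMTPD_RE = re.compile(
    r": (?P<qid>\w+): client=(?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)"
)
# Delivery attempt: queue id and recipient address.
TO_RE = re.compile(r": (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>")


def parse_submissions(log_text):
    """Correlate smtpd auth lines with smtp delivery lines by Postfix queue id."""
    msgs = {}
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            msgs[m["qid"]] = {"user": m["user"].lower(), "client_ip": m["ip"], "rcpts": []}
            continue
        m = TO_RE.search(line)
        if m and m["qid"] in msgs:
            msgs[m["qid"]]["rcpts"].append(m["rcpt"].lower())
    return msgs


def find_relay_mailboxes(msgs, internal_domain, min_hosts=3, min_share=0.8):
    """Return mailboxes that look like shared exfiltration relays."""
    by_user = defaultdict(lambda: {"ips": set(), "rcpt_counts": defaultdict(int), "msgs": 0})
    for rec in msgs.values():
        u = by_user[rec["user"]]
        u["ips"].add(rec["client_ip"])
        u["msgs"] += 1
        for rcpt in rec["rcpts"]:
            u["rcpt_counts"][rcpt] += 1

    findings = []
    for user, u in by_user.items():
        if len(u["ips"]) < min_hosts or not u["rcpt_counts"]:
            continue
        top_rcpt, top_n = max(u["rcpt_counts"].items(), key=lambda kv: kv[1])
        if top_rcpt.endswith("@" + internal_domain):
            continue  # internal fan-in is ordinary; a drop address is external
        if top_n / u["msgs"] >= min_share:
            findings.append({
                "mailbox": user,
                "client_hosts": sorted(u["ips"]),
                "drop_address": top_rcpt,
                "messages": u["msgs"],
            })
    return findings


if __name__ == "__main__":
    for f in find_relay_mailboxes(parse_submissions(SAMPLE_LOG), "example.com"):
        print(f"{f['mailbox']}: {f['messages']} msgs from {len(f['client_hosts'])} hosts -> {f['drop_address']}")
```

The thresholds are starting points to tune per environment; shared functional mailboxes (helpdesk, scanners) will produce false positives on the host count alone, which is why the single-external-recipient condition is also required. Note that the same client IP appears under both accounts in the sample: an infected workstation keeps sending its owner's normal mail while the spyware authenticates as a different, stolen account.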
The company found over 2,000 corporate email accounts that were abused as temporary C2 servers, and identified more than 7,000 further accounts that were abused in other ways.
Many of the email accounts and passwords stolen in these campaigns are sold on dark web forums. According to the company, around 3.9% of all RDP accounts sold in these markets belong to industrial companies.