It has been reported that over 200 industrial companies were affected by an info-stealing APT campaign. The victims of the advanced persistent threat (APT) group are mainly in South Korea, but the campaign has also been reported to affect firms in other countries including Japan, Indonesia, Turkey, Germany and the United Kingdom.
An ongoing cyberespionage campaign against industrial, engineering, and manufacturing organizations has been exposed by researchers: https://t.co/nixCsteXvH
— Adam Levin (@Adam_K_Levin) December 17, 2019
It's not surprising to once again see phishing being used in this attack, as it continues to be the most effective way to spread malware and ransomware and to carry out financial scams. These phishing emails appear to be fairly targeted, using industry-specific topics to trick the victims into opening infected documents. In addition, the attackers are likely using publicly available information, known as open source intelligence (OSINT), to further refine the emails and make them more convincing.
Many organizations underestimate how much information about them is publicly available through press releases, corporate websites and sources such as LinkedIn. This information can be gathered quickly and used to craft very convincing phishing emails that reference relevant topics and events to persuade the victims that the email is legitimate.
While Separ is a fairly simple type of malware, this campaign shows that it remains very viable.
To defend against this threat, organizations should block outbound FTP connections where possible and monitor any that are required, block or inspect incoming .ZIP attachments at the email gateway, and educate employees on how to spot and report these types of phishing emails.
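The two technical controls above (watching outbound FTP and inspecting inbound ZIP attachments) are straightforward to turn into detection logic. The following Python script is an added example written for this post, not code from the original article or from any vendor's product: it runs two checks over constructed sample data. The firewall log format (`src=ip:port dst=ip:port proto=... action=...`), the internal address ranges, and the list of risky file extensions are all assumptions chosen for illustration; adapt them to your own logs and policy.

```python
import io
import ipaddress
import zipfile

# Constructed firewall log lines for demonstration (not from any real incident).
# Assumed format: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp> action=<allow|deny>"
SAMPLE_FW_LOG = """\
2019-12-17T09:14:01Z src=10.20.1.55:51344 dst=203.0.113.7:21 proto=tcp action=allow
2019-12-17T09:14:02Z src=10.20.1.55:51345 dst=203.0.113.7:20 proto=tcp action=allow
2019-12-17T09:15:10Z src=10.20.1.60:44210 dst=10.20.5.9:21 proto=tcp action=allow
2019-12-17T09:16:33Z src=10.20.1.61:44211 dst=198.51.100.4:443 proto=tcp action=allow
2019-12-17T09:17:05Z src=10.20.1.62:44212 dst=198.51.100.9:990 proto=tcp action=deny
"""

# Assumed internal address space; anything outside it counts as "external".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Control channel for FTP (21) and implicit FTPS (990). Port 20 (active-mode data)
# is deliberately left out: the control connection is the one worth alerting on.
FTP_PORTS = {21, 990}


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    for side in ("src", "dst"):
        host, _, port = rec[side].rpartition(":")  # rpartition tolerates IPv6 hosts
        rec[side] = host
        rec[side + "_port"] = int(port)
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_ftp(log_text):
    """Return records for FTP control connections from internal hosts to external ones.

    Both allowed and denied attempts are returned: a denied attempt from a workstation
    still points at a host that is trying to reach an FTP drop server.
    Internal-to-internal FTP (e.g. a sanctioned file server) is not flagged.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("proto") != "tcp":
            continue
        if rec["dst_port"] in FTP_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


# Assumed list of extensions that should never arrive inside an emailed archive.
RISKY_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
                  ".ps1", ".lnk", ".hta", ".zip")  # nested archives are flagged too


def risky_zip_members(data):
    """List archive members a mail gateway should quarantine.

    An unreadable archive is reported as a finding rather than silently passed,
    since a corrupt or crafted ZIP is itself a reason to hold the message.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    return [n for n in names if n.lower().endswith(RISKY_SUFFIXES)]


def build_sample_zip():
    """Construct an in-memory attachment resembling a lure: a double-extension EXE plus a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quotation_Request_2019.pdf.exe", b"MZ" + b"\x00" * 64)  # constructed, not real malware
        zf.writestr("README.txt", b"Please review the attached quotation.")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in outbound_ftp(SAMPLE_FW_LOG):
        print(f"{rec['ts']} outbound FTP {rec['src']} -> {rec['dst']}:{rec['dst_port']} ({rec['action']})")
    print("quarantine:", risky_zip_members(build_sample_zip()))
```

Run it as-is and it reports the two external FTP control connections from the sample log (the internal file server and the port-20 data connection are left alone) and the double-extension executable inside the constructed attachment. In production the firewall check would read from your SIEM or syslog feed and the ZIP check would sit in the mail gateway's attachment pipeline; a proper gateway should also inspect the member's magic bytes rather than trusting its name, since the extension list only catches what an attacker chose to name honestly.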