[Thread] My takes on the incident with @SubwayUK links to #TrickBot malware. By now it's pretty clear that at the least Subway's @CampaignMonitor account was breached. This account was already loaded up with all customer email addresses, so all the threat actor had to do was to
type up a lure with some links to the #TrickBot xls files. The campaign was then sent out yesterday morning UK time, and @olihough86 was one of the first to note that this was a huge campaign at around 10 am and started to dig. https://twitter.com/olihough86/status/1337340281415479296
By 10:35 I had verified that the links led to #TrickBot XLS files and supplied samples and IOCs for the security community to work with. https://twitter.com/ffforward/status/1337345314278281219
At 11:00 we got access to a mail header that clearly stated that @CampaignMonitor was the sender and they were notified: https://twitter.com/ffforward/status/1337352260557398017
We also knew that the emails were only sent to verified Subway customers, and included recipients with single-use addresses.
Subway didn't start replying to questions until around 14:00, giving a very generic answer: "we’re aware of some disruption to our systems [...] as a precautionary measure, please delete the email" https://twitter.com/olihough86/status/1337399123704737798
This morning they started sending out emails stating that their marketing system had been breached, and again only recommended deleting the emails received. Not a word about the links leading to a malicious file or anything. https://twitter.com/KukiChatbotDev/status/1337747509838491648
It is also unclear whether the email database can be downloaded from @CampaignMonitor and, if so, whether that function is audited so we know if it has been exfiltrated or not. We also don't know if anything else was breached, or whether it was a single account on there or something bigger.
Now you might wonder whether you are affected if you, or someone in your organization, got the email and followed the links. For those into cyber security, you already know what #TrickBot is, and that it can be really bad. For anyone else new to this:
If you, or someone else, downloaded the linked document, opened it and entered the password, that computer is most likely infected with TrickBot, even if a standard anti-virus is installed, as the infection can be completely silent and evades standard protections.
If it's a private computer, this might "just" mean that all your passwords have been leaked, that the computer might be monitored, and that the computer is used as part of a botnet to infect other computers and for other malicious things.
If the computer is, or will be, connected to a company network there is a big risk that the entire network will be compromised, and it might lead to sensitive data being exfiltrated and #Ryuk ransomware being deployed, leading to millions in damage, even if the ransom is paid.
Did you run the document? Shut down the computer and don't use it until it has been completely reinstalled, and change the passwords of ANY accounts that have been used on it.
If you work in IT for a business in the UK/GB/IE, check for the following IOCs to make sure no one opened the document from a personal or business email:
Download domains for TrickBot XLS: usawks,com iremotely,com
Download domains for TrickBot DLL: starkdoor,com sukusenterprises,com
TrickBot C2s observed: 45.141.59.212 186.47.209.222
This is only what I have observed so there might be more.
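As an added example (my own, not the thread author's), a small Python scanner that refangs the indicators listed above and checks log lines for them. The proxy/DNS/firewall log format and the sample lines are constructed assumptions; point it at your own exports.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators exactly as published in the thread (domains defanged with "," for ".").
DEFANGED_IOCS: Dict[str, List[str]] = {
    "xls_download": ["usawks,com", "iremotely,com"],
    "dll_download": ["starkdoor,com", "sukusenterprises,com"],
    "c2": ["45.141.59.212", "186.47.209.222"],
}

def refang(ioc: str) -> str:
    """Turn defanged notation ("usawks,com", "example[.]com") back into a matchable string."""
    return ioc.replace("[.]", ".").replace(",", ".").lower()

IOC_SETS: Dict[str, Set[str]] = {k: {refang(v) for v in vals} for k, vals in DEFANGED_IOCS.items()}

# Pulls hostnames and IPv4 addresses out of a log line; "/", ":" and spaces split tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*[A-Za-z0-9]")

def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (ioc_kind, matched_token) for every indicator seen on one line.
    A token matches if it equals the indicator or is a subdomain of it (www.usawks.com)."""
    hits = []
    for tok in TOKEN_RE.findall(line.lower()):
        for kind, values in IOC_SETS.items():
            if any(tok == v or tok.endswith("." + v) for v in values):
                hits.append((kind, tok))
    return hits

def scan_logs(lines: List[str]) -> List[dict]:
    """Scan many lines; each hit records the 1-based line number, kind, indicator and raw text."""
    results = []
    for n, line in enumerate(lines, 1):
        for kind, tok in scan_line(line):
            results.append({"line": n, "kind": kind, "indicator": tok, "text": line})
    return results

# Constructed sample log lines (hypothetical users, timestamps and internal IPs).
SAMPLE_LOGS = [
    "2020-12-11T10:02:13Z proxy user=jdoe GET http://usawks.com/docs/order.xls 200",
    "2020-12-11T10:02:40Z dns client=10.0.0.15 query=iremotely.com type=A",
    "2020-12-11T10:03:05Z fw ALLOW tcp 10.0.0.15:51234 -> 45.141.59.212:443",
    "2020-12-11T10:04:00Z proxy user=asmith GET https://www.subway.co.uk/ 200",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} -> {hit['indicator']}")
```

A hit on a download domain means the lure was followed from that host; a hit on a C2 address means the second stage is already running and the host should be isolated.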
Thanks for tuning in!