The CyberPeace Institute has recently detected that a number of NGOs have fallen victim to an ongoing malspam campaign. If you think your NGO may have been affected, please reach out to us as our Assistance team and CyberPeace Builders program may be able to help. Contact us at: [email protected]
Further information on this malware
Following the compromise of Microsoft Exchange servers, the affected organizations' email accounts are used to send phishing emails containing malicious links to their partner organizations. The emails are sent as replies to existing email threads and are usually written in the same language as that thread. Each email consists of a short greeting followed by two URLs, and it ends with content quoted from the original thread.
Indicators of compromise (IoCs) from the cases the CyberPeace Institute has analysed match IoCs published in TrendMicro's article. Below is a sanitized example, taken from TrendMicro, of one of the emails; if you receive such an email, do not click on the links!
Greeting! Our specialists composed desired document and I send it to you. Document can be found through this link:
1)domainname1.co[.]in/etiste/quasnam[]-1234567
2)sub.domainname2[.]com/quasisuscipit/totamet-1234567
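As an added illustration of the pattern described above (this is not code from the CyberPeace Institute or from TrendMicro), the following Python script scores an inbound message against the campaign's structure: a reply to an existing thread, a short greeting, a pair of numbered links, and quoted content from the original thread, with the link domains compared against a defanged indicator list. The indicator list contains only the placeholder domains from the sanitized sample; the sample emails, the `assess_email` function and its verdict thresholds are constructed for this example.

```python
import re

# Defanged indicator list. These are the placeholder domains from TrendMicro's
# sanitized sample, not real infrastructure; a deployment would load the
# published IoCs instead. Indicators stay defanged at rest so nobody clicks them.
KNOWN_BAD_DOMAINS = ["domainname1.co[.]in", "sub.domainname2[.]com"]

# Subject prefixes that mark a message as a reply or forward of an existing thread.
REPLY_SUBJECT = re.compile(r"^\s*(re|aw|sv|fwd?)\s*:", re.IGNORECASE)

# "1)domain/path" style lines as they appear in the sample; scheme optional.
NUMBERED_LINK = re.compile(
    r"^\s*(\d+)\)\s*(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(/\S*)?",
    re.IGNORECASE | re.MULTILINE,
)

# Markers that a quoted earlier message follows in the body.
QUOTED_THREAD = re.compile(
    r"^\s*(>|From:|-----Original Message-----|On .+ wrote:)", re.MULTILINE
)


def refang(text: str) -> str:
    """Undo [.] and hxxp defanging purely so indicators and body text compare
    equal. The result is used for matching only, never rendered as a link."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_numbered_links(body: str) -> list[tuple[str, str]]:
    """Return (domain, path) for every enumerated link line in the body."""
    clean = refang(body)
    return [(m.group(2).lower(), m.group(3) or "") for m in NUMBERED_LINK.finditer(clean)]


def assess_email(subject: str, body: str) -> dict:
    """Triage verdict: 'block' on a known indicator, 'review' when the message
    merely has the campaign's shape, otherwise 'allow'."""
    links = extract_numbered_links(body)
    bad = {refang(d).lower() for d in KNOWN_BAD_DOMAINS}
    ioc_hits = sorted({domain for domain, _ in links if domain in bad})
    is_reply = bool(REPLY_SUBJECT.match(subject))
    quoted = bool(QUOTED_THREAD.search(body))
    # Structural pattern: a reply carrying at least two enumerated links and
    # then the quoted thread, which is how the campaign's emails are described.
    shape_match = is_reply and len(links) >= 2 and quoted
    verdict = "block" if ioc_hits else ("review" if shape_match else "allow")
    return {
        "verdict": verdict,
        "ioc_hits": ioc_hits,
        "links": links,
        "is_reply": is_reply,
        "quoted_thread": quoted,
    }


# Constructed sample modelled on the sanitized email quoted above; the quoted
# thread below the links is invented for this example.
SAMPLE_MALSPAM = """Greeting! Our specialists composed desired document and I send it to you. Document can be found through this link:
1)domainname1.co[.]in/etiste/quasnam[]-1234567
2)sub.domainname2[.]com/quasisuscipit/totamet-1234567

From: Alice Example <alice@partner-ngo.example>
Subject: RE: Q3 field report

Hi Bob, attached is the draft report we discussed.
"""

# Constructed benign reply that happens to share the shape (two numbered links,
# quoted thread) but points at a domain not on the indicator list.
SAMPLE_BENIGN_LINKS = """Hi, here are the two documents:
1) https://docs.example.org/a
2) https://docs.example.org/b

> Could you send them over?
"""

if __name__ == "__main__":
    for subj, body in [("RE: Q3 field report", SAMPLE_MALSPAM),
                       ("Re: docs", SAMPLE_BENIGN_LINKS),
                       ("Monthly newsletter", "No links here.")]:
        print(subj, "->", assess_email(subj, body))
```

The structural check on its own only yields a "review" verdict, since legitimate replies also carry numbered links over quoted text; it is the indicator match that justifies blocking. Feed the published IoCs into `KNOWN_BAD_DOMAINS` and run the function from a mail gateway hook or over exported messages when triaging a suspected compromise.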
Recommendations
Our analysis has shown that in at least one of the incidents the victim's Microsoft Exchange server was compromised. We strongly recommend that anyone running an on-premises Microsoft Exchange server ensure it is running the latest version.
If your server was compromised before it was updated or patched, it may still be compromised. If you suspect an infection, CIRCL.LU recommends:
- Reinstalling every compromised server from scratch, then recovering and copying the data over.
- Initiating a full incident response process, including a security review of the system.
- Checking the guidance from Microsoft.
More about the CyberPeace Builders
The CyberPeace Builders is a network of corporate volunteers providing free assistance to Non-Governmental Organizations (NGOs) that protect vulnerable populations anywhere in the world.