Our XDR team’s investigation into the events of the 28th of September has confirmed the Business Email Compromise attempt to be the work of the Cobalt Terrapin threat group. The TTPs (i.e., Tactics, Techniques, and Procedures) leveraged by the group matched data extracted from open- and closed-source intelligence sources, all pointing toward the (allegedly) Turkey-based threat actor. This article further details the incident’s timeline by showcasing IOCs and the social engineering techniques the group employed in order to perform malicious actions on target.

A New Hunter Joins the Game

Cobalt Terrapin is a rather obscure threat group; based on all of the available data, the group presumably emerged around March 2022, banding together Turkish-speaking black-hat hackers. Its distinctiveness comes from leveraging materials belonging to reputable vendors such as ZoomInfo and LinkedIn. To increase the attack’s likelihood of success, the group also employs an executive impersonation technique. This double-pronged approach adds to the legitimacy of the claim: the phrasing and the information conveyed are very unlikely to strike an unaware company representative as suspicious.

Cobalt Terrapin’s Contribution to Business Email Compromise, Vendor & Executive Impersonation Legacy, and Stealth Ops

As observed by Heimdal®’s XDR team, Cobalt Terrapin uses a fine-grained social engineering approach consisting of vendor and executive impersonation. In the case at hand, the deception began with the threat actor, posing as Heimdal®’s CEO, forwarding an email about an outstanding LinkedIn invoice. Attached to the forwarded email were two PDF documents: the LinkedIn invoice and a W-9 (i.e., Request for Taxpayer Identification Number and Certification).

Our XDR team’s foray into Cobalt Terrapin’s TTPs revealed that the threat group has leveraged the same attachments to stage attacks on other HVTs (i.e., High-Value Targets). However, this does not constitute the group’s distinguishing trait. As pointed out in the previously published security alert, the kill chain was interrupted soon after the targeted individual contacted the company’s CEO for verification.

Regarding Cobalt Terrapin’s modus operandi, our analysis revealed several facts of interest that may help our customers and other companies improve their defenses and increase awareness. In profiling the threat actor, we noted that the group manipulates the message header, specifically the sender’s display name, to avoid triggering suspicion in the victim.

For instance, in this case, the threat actor set the CEO’s name as the display name in the email’s From header, while the actual sending address, shown after the name, was not the CEO’s. From a social engineering standpoint, this technique significantly increases the stealth factor, since most email users never read the address that comes after the sender’s name. Email formatting, style, and tone of writing are also points of interest when investigating this particular threat actor. We have ascertained that there are discernible changes in all three email composition areas: the style appears more relaxed, detached, and friendly to some extent, far from the coarseness of typical spearphishing attempts.

Second, this approach leans more on the low-pressure request style of the “can” method (e.g., “Can you take X action?”) and less on the authoritative imposition heavily leveraged in this type of infiltration attempt (e.g., “Urgent”, “Act now!”, “You have X minutes to get this done”). A closer look at the overall writing style offers additional insight into Cobalt Terrapin’s social engineering strategy. The email itself contains no grammatical errors, typos, or logical inconsistencies, elements commonly associated with this type of online fraud. This level of meticulousness indicates ample planning on the attacker’s side.

One could argue that Cobalt Terrapin wanted to remove all the guesswork from Business Email Compromise by devising an attack matrix that can be customized depending on the target’s characteristics (e.g., company size, annual revenue, number of employees, the security awareness level of employees in key positions). The last item on the agenda is the email’s format: Cobalt Terrapin appears to have discarded all of the on-screen elements that cause suspicion (e.g., bolded fonts, graphical elements, subject lines that stress the urgency of the request).

Our XDR team’s investigation was not fruitless, managing to shed more light on the threat group’s modus operandi. On that note, it is of some concern that the email itself passed all the standard security checks. Email header analysis indicated that the spearphishing email scored green in all inbound verification tests (SPF, DKIM, and DMARC anti-spoofing). This is less surprising than it sounds: those mechanisms authenticate the domain in the envelope sender and the From address, not the display name, so a message sent from a domain the attacker controls and has correctly configured will pass all three while still showing the CEO’s name.

Indeed, most threat actors that conduct BEC attacks pipe emails through legitimate, properly authenticated mail servers in order to bypass security filters. In Cobalt Terrapin’s case, manipulating the header so that the lure reaches the inbox and reads as legitimate is but one of the techniques used to bypass basic email security.

As our XDR experts noted, the threat actor prefers to send the financial and W-9 documents after establishing contact with the company’s employee, not before. This approach serves two purposes: staying below the detection threshold and increasing the legitimacy of the request.
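As an added illustration of why those checks pass, and not code from the original alert or from Heimdal®’s XDR team, the following Python script parses raw message headers, reads the Authentication-Results verdicts, and flags the display-name pattern described above: an executive’s name in front of an address that is not that executive’s mailbox. The organisation domain example.com, the executive roster, and both sample messages are constructed assumptions for the example.

```python
"""Flag executive display-name impersonation in raw email headers.

Added example, not Heimdal's code. Everything below is an assumption for
illustration: the organisation owns example.com, its CEO is "Jane Doe",
and both sample messages are constructed, not captured from the incident.
"""
import email
import re
from email.utils import parseaddr

# Hypothetical organisation data.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox

# Constructed lure: every authentication check passes, because the attacker
# controls attacker-domain.test and configured SPF/DKIM/DMARC for it. Only
# the display name claims to be the CEO.
LURE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=attacker-domain.test;
 dkim=pass header.d=attacker-domain.test;
 dmarc=pass header.from=attacker-domain.test
From: "Jane Doe" <jane.doe@attacker-domain.test>
Reply-To: invoices@attacker-domain.test
To: finance@example.com
Subject: Fwd: Your LinkedIn invoice

Hi, can you take care of the attached invoice when you get a chance?
"""

# Constructed genuine message from the real executive mailbox.
GENUINE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget

Please find the figures attached.
"""

AUTH_METHODS = ("spf", "dkim", "dmarc")


def parse_auth_results(value):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results value."""
    verdicts = {}
    for method in AUTH_METHODS:
        match = re.search(rf"\b{method}=(\w+)", value)
        if match:
            verdicts[method] = match.group(1).lower()
    return verdicts


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(raw_message):
    """Return authentication verdicts plus impersonation findings for one message."""
    msg = email.message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    all_pass = all(auth.get(m) == "pass" for m in AUTH_METHODS)
    findings = []

    # SPF/DKIM/DMARC vouch for the domain after the '@', never for the display name.
    known_mailbox = EXECUTIVES.get(display.strip().lower())
    if known_mailbox and address.lower() != known_mailbox:
        findings.append(
            f"display name {display!r} belongs to an executive, but the address is "
            f"{address} on domain {domain_of(address)} (expected {known_mailbox})"
        )

    # A Reply-To outside the organisation diverts the conversation to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) not in ORG_DOMAINS:
        findings.append(f"Reply-To {reply_to} points outside the organisation")

    verdict = "suspected executive impersonation" if findings else "no impersonation indicators"
    return {"all_auth_pass": all_pass, "auth": auth, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("genuine", GENUINE)):
        result = analyse(sample)
        print(f"{label}: {result['verdict']} (SPF/DKIM/DMARC all pass: {result['all_auth_pass']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The point the script makes is that `all_auth_pass` is True for both messages; only the comparison of the display name against the real address separates the lure from the genuine mail. In production the executive roster would come from the directory rather than a literal, and the same check should be applied to the Sender header when it is present.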

Reshaping the Threatscape with eXtended Detection and Response (XDR)

Experience dictates that the best approach to prevention is threat hunting coupled with round-the-clock monitoring of the business environment. Unfortunately, given the extent of this endeavor and its financial implications, not many organizations choose to implement such a capability. A typical threat-hunting crew comprises malware analysts, SOC experts, a dedicated Incident Response team, security analysts, coordinators, team leads, and a CISO. However, the threat-hunting and event-handling efforts are not confined to an on-site team.

Severe incidents such as data breaches and ransomware attacks require additional resources. For instance, in the case of a data breach, the organization must draw on its marketing and compliance departments to properly communicate with all the parties affected by the incident. Evidently, for an organization with ample resources, an on-site threat-hunting team becomes a necessity, a vital cog in the company’s business continuity plan.

Company size, industry, and resources should not become pretexts for subpar cybersecurity practices. The middle ground between inadequate protection and committing resources to an investment with a steep amortization rate is commissioning a managed service with both offensive and defensive capabilities.

Heimdal®’s eXtended Detection and Response (XDR) solution was designed specifically for this purpose – to increase your organization’s cybersecurity posture while keeping down costs. Our solution brings to the table human expertise and Artificial Intelligence, a truly unique approach to cybersecurity. Live assistance 24/7 and event mitigation, regardless of company size, devices, or enforced policies. One agent, one platform, endless possibilities.


Cobalt Terrapin appears to have gained some notoriety since its first appearance in March 2022. However, it is still too early to tell whether the threat group will become the next Gorgon or CozyBear. In terms of TTPs, Cobalt Terrapin uses social engineering to identify, contact, and coax the victim into undertaking some type of finance-related action. Their overall strategy can be described as a combination of vendor impersonation and executive impersonation.

The group’s hallmark is its use of legitimately obtained financial documents (i.e., LinkedIn or ZoomInfo invoices and W-9s), which it withholds until contact is established with the spearphished victim. In all (observed) cases, the threat actor contacted the victim under the guise of the organization’s CEO. Given the level of meticulousness, we can assume that the threat actor spends a lot of time on reconnaissance. The email chain relayed to the victim passes all standard checks (SPF, DKIM, and DMARC), since those validate the sending domain rather than the name displayed to the recipient.

To safeguard your assets against Cobalt Terrapin and other spearphishing threat groups, Heimdal®’s XDR team comes forward with the following recommendations.

  • Security awareness training. The human factor has always played, and always will play, an important role in cybersecurity. Studies suggest that more than half of all cybersecurity incidents can be traced back to inattentive employees. This can be mended by conducting regular security awareness training, in more than one format. For instance, you can select someone from your IT department to run these sessions. You may also gauge your (drilled) employees’ security awareness by staging security events (e.g., sending a spoofed email to everyone to see who clicks the link or opens the attachment). Alternatively, you can commission a third party to take over this effort.
  • DNS records. Publish SPF, DKIM, and DMARC records for every domain you send mail from, and move DMARC to an enforcing policy (p=quarantine or p=reject) so that nobody can send as your own domain. Bear in mind that, as this incident shows, these checks only authenticate the sending domain: a message from an attacker-controlled domain with the CEO’s name in the display name will pass all three. Always verify the actual address that follows the display name, not just the name.
  • Instate a BEC/VEC/CEO fraud protocol. Lay down a workflow your employees can fall back on when they receive suspicious emails. For instance, your internal protocol can read:

In case of suspicious emails related to wiring money or paying invoices:

Step 1. Contact the purported sender directly over a channel you already trust (the phone number in the company directory, internal chat, or in person), never by replying to the email or calling a number it contains, and verify the claim.

Step 2. If the person confirms the request, process it through the normal approval workflow; no security action is needed.

Step 3. If the person denies it, do not reply to the email, flag it, and contact IT security.

  • Automatic email forwarding. In some instances, attackers who have compromised a mailbox create a rule that automatically forwards all incoming mail to an address outside the company, which lets them follow the conversation and intercept replies. Our XDR team recommends disabling external auto-forwarding by default, carefully reviewing any exceptions, and periodically auditing existing inbox rules for forwarding or redirection to external addresses.
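As an added example, not Heimdal®’s code, here is a Python audit that runs over an exported list of inbox rules and flags any that forward or redirect mail outside the organisation, ranking forward-and-delete rules highest because they hide the diverted mail from the mailbox owner. The record layout mimics the fields an Exchange Online Get-InboxRule export exposes; the recipient string format, the rule export itself, and the domain example.com are assumptions for the example.

```python
"""Audit exported mailbox inbox rules for external auto-forwarding.

Added example, not Heimdal's code. The records below are constructed to
resemble the fields an Exchange Online Get-InboxRule export exposes
(Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage).
The recipient string format '"Name" [SMTP:address]', the MailboxOwnerId
values and the organisation domain example.com are assumptions.
"""
import re
import string

ORG_DOMAINS = {"example.com"}
FORWARDING_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDRESS_RE = re.compile(r"\[SMTP:([^\]]+)\]", re.IGNORECASE)

# Constructed export covering two mailboxes. A real one would come from
# Get-Mailbox | Get-InboxRule | ConvertTo-Json (or the Graph messageRules API).
RULES = [
    {"MailboxOwnerId": "finance@example.com", "Name": "Archive invoices", "Enabled": True,
     "ForwardTo": ['"Archive" [SMTP:archive@example.com]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "DeleteMessage": False},
    {"MailboxOwnerId": "cfo@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ['"Backup" [SMTP:cfo.backup@webmail-provider.test]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "DeleteMessage": True},
    {"MailboxOwnerId": "cfo@example.com", "Name": "Old partner redirect", "Enabled": False,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ['"Partner" [SMTP:contact@partner.test]'], "DeleteMessage": False},
]


def extract_addresses(recipients):
    """Pull bare SMTP addresses out of '"Name" [SMTP:addr]' strings (or plain addresses)."""
    addresses = []
    for recipient in recipients:
        match = ADDRESS_RE.search(recipient)
        addresses.append((match.group(1) if match else recipient).strip().lower())
    return addresses


def domain_of(address):
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def audit(rules):
    """Return one finding per rule that sends mail outside the organisation."""
    findings = []
    for rule in rules:
        targets = [
            (field, addr)
            for field in FORWARDING_FIELDS
            for addr in extract_addresses(rule.get(field) or [])
            if domain_of(addr) not in ORG_DOMAINS
        ]
        if not targets:
            continue
        if not rule.get("Enabled", False):
            severity = "info"        # disabled, but worth knowing it exists
        elif rule.get("DeleteMessage", False):
            severity = "critical"    # forward-and-delete hides the diversion from the owner
        else:
            severity = "high"
        findings.append({
            "mailbox": rule["MailboxOwnerId"],
            "rule": rule["Name"],
            "severity": severity,
            "targets": targets,
            # Names made only of punctuation ('.', '..') are a common attempt to hide a rule.
            "suspicious_name": not rule["Name"].strip(string.punctuation + " "),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print(f"[{finding['severity']}] {finding['mailbox']} rule {finding['rule']!r} "
              f"-> {finding['targets']} (suspicious name: {finding['suspicious_name']})")
```

Tenant-level settings (blocking outbound auto-forwarding in the mail flow policy) should be the primary control; this audit is the detective counterpart that catches rules created before the block was enforced or in mailboxes that were granted an exception.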
