August 16, 2024 By Jonathan Reed 3 min read

Phishing attacks in the wake of a service, system or network outage are always a danger. For example, during the massive PlayStation Network outage in 2011, phishers took advantage of user confusion and frustration. Intruders sent phishing emails pretending to be from Sony, offering solutions or compensation to resolve outage problems. These emails contained links to rogue websites designed to steal login credentials and other personal information.

Year after year, threat actors continue to take advantage of outages to deploy malware via phishing attacks. The IBM X-Force Threat Intelligence Index 2024 revealed that phishing was the top initial access vector overall, accounting for 30% of cases in 2023. Also, 92% of organizations fell victim to a successful phishing attack in their Microsoft 365 environment in 2023.

This scenario continues to play out after the most recent outage that occurred with Microsoft Windows, which impacted 8.5 million systems. So, if you get an email advising you to update your systems due to an outage, be wary. And the plot thickens from there considerably.

Multi-headed phishing problem

In the aftermath of the latest Microsoft-related attack, reports have surfaced about a malware campaign targeting BBVA bank customers, where a fake update installs the Remcos RAT. This bogus update was promoted through a phishing site, portalintranetgrupobbva[.]com, masquerading as a BBVA Intranet portal.

The malicious archive included instructions for employees and partners to install the update to prevent errors when connecting to the company’s internal network. The “instrucciones.txt” file, written in Spanish, read, “Mandatory update to avoid connection and synchronization errors to the company’s internal network.”

In a separate warning, AnyRun highlighted another campaign in which attackers distributed a data wiper disguised as an update. “It decimates the system by overwriting files with zero bytes and then reports it over #Telegram,” AnyRun stated. The wiper attack was attributed to the pro-Iranian hacktivist group Handala, who allegedly claimed responsibility for the malicious activity on Twitter.

More system headaches

As if that wasn’t bad enough, new Windows threats requiring immediate protective action were also reported during July. And many millions of PCs remain at risk.

On July 9, Check Point issued a warning that attackers are using special Windows Internet Shortcut files. When these files are clicked, they trigger the retired Internet Explorer (IE) to visit attacker-controlled URLs. By using IE instead of more secure browsers like Chrome or Edge on Windows, attackers gained significant advantages in exploiting victims’ computers, even if they were running modern operating systems like Windows 10/11.

Just days later, Trend Micro provided more threat intelligence, revealing that the vulnerability was being used as a zero-day to access and execute files through the disabled Internet Explorer using MSHTML. This allowed attackers to infect victim machines with the Atlantida info-stealer, which targets system information and sensitive data such as passwords and cookies from various applications.
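The campaign above hinges on a Windows Internet Shortcut (.url) file whose target is not an ordinary web link. Below is an added defender-side triage script (not code from the article, Check Point or Trend Micro) that parses the INI-style .url format and flags shortcuts whose URL does not use a plain http or https scheme. The article does not say which URL form the attackers used, so the scheme allowlist is an assumption, and the sample file contents are constructed for illustration.

```python
"""Triage Windows Internet Shortcut (.url) files for suspicious targets.

Added example, not from the article. A .url file is an INI-style text file
with an [InternetShortcut] section and a URL= key. A legitimate shortcut
normally opens an http(s) link in the default browser; anything else (another
URL scheme, a missing URL, or a malformed layout) deserves a closer look.
The http/https allowlist is an assumption, not something the article states.
"""
import configparser
from urllib.parse import urlsplit

# Schemes a normal browser shortcut is expected to use (assumed allowlist).
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample .url file contents (not real artifacts from any campaign).
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/docs\n",
    "odd_scheme.url": "[InternetShortcut]\nURL=file://server/share/update\n",
    "no_scheme.url": "[InternetShortcut]\nURL=www.example.com\n",
    "no_url.url": "[InternetShortcut]\nIconFile=C:\\Windows\\notepad.exe\n",
    "not_ini.url": "random text that is not a shortcut\n",
}


def parse_url_file(text):
    """Return the URL= value of a .url file, or None if missing or malformed."""
    # RawConfigParser: no '%' interpolation, so Windows paths survive intact.
    cp = configparser.RawConfigParser(strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        # e.g. MissingSectionHeaderError for files that are not INI at all
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    # Option names are case-insensitive in configparser, so URL/Url both match.
    return cp.get("InternetShortcut", "URL", fallback=None)


def triage(text):
    """Classify one shortcut: 'ok', 'malformed', or 'suspicious:scheme=<s>'."""
    url = parse_url_file(text)
    if url is None:
        return "malformed"
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"suspicious:scheme={scheme or 'none'}"
    return "ok"


def triage_all(samples):
    """Triage a mapping of filename -> file contents; returns filename -> verdict."""
    return {name: triage(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLES).items():
        print(f"{name:16} {verdict}")
```

In practice the same logic would run over files pulled from mail quarantine or an endpoint share, and anything other than `ok` would be routed to an analyst rather than opened.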

Following Check Point’s disclosure, the U.S. government added the vulnerability to CISA’s Known Exploited Vulnerabilities (KEV) catalog. It warned users about a spoofing vulnerability in Windows that poses a high risk to confidentiality, integrity and availability.

Although the vulnerability has been patched, users need to ensure their Windows PCs are updated. CISA has mandated that U.S. federal employees apply the update by July 30 or stop using their PCs. All other organizations — and even home users — are strongly advised to follow update recommendations as well. According to Check Point, Trend Micro and CISA, this vulnerability has been exploited in the wild, with attacks ongoing for more than 12 months.

Breaking the vicious cyber cycle

With the myriad of phishing attacks occurring alongside genuinely required system updates, many might be confused about what to do. Or email paranoia might set in, where everything seems suspicious, even legitimate update advice. The best practice is to check directly with official channels and representatives about updates. And think two (or three) times before you click.
