August 16, 2024 By Jonathan Reed 3 min read

Phishing attacks in the wake of a service, system or network outage are always a danger. For example, during the massive PlayStation Network outage in 2011, phishers took advantage of user confusion and frustration. Intruders sent phishing emails pretending to be from Sony, offering solutions or compensation to resolve outage problems. These emails contained links to rogue websites designed to steal login credentials and other personal information.

Year after year, threat actors continue to take advantage of outages to deploy malware via phishing attacks. The IBM X-Force Threat Intelligence Index 2024 found that phishing was the initial access vector in 30% of incidents in 2023, making it the single most common way in. Also, 92% of organizations fell victim to a successful phishing attack in their Microsoft 365 environment in 2023.

This scenario is playing out again after the most recent outage, the faulty CrowdStrike Falcon sensor update of July 2024 that crashed an estimated 8.5 million Windows systems. So, if you get an email advising you to update your systems because of the outage, be wary. And the plot thickens considerably from there.

Multi-headed phishing problem

In the aftermath of the outage, reports surfaced of a malware campaign targeting BBVA bank customers in which a fake update installs the Remcos remote access trojan (RAT). The bogus update was promoted through a phishing site, portalintranetgrupobbva[.]com, masquerading as a BBVA intranet portal.

The malicious archive included instructions telling employees and partners to install the update to avoid errors when connecting to the company’s internal network. The “instrucciones.txt” file, written in Spanish, read, “Mandatory update to avoid connection and synchronization errors to the company’s internal network.”

In a separate warning, ANY.RUN highlighted another campaign in which attackers distributed a data wiper disguised as an update. “It decimates the system by overwriting files with zero bytes and then reports it over #Telegram,” ANY.RUN stated. The wiper attack was attributed to the pro-Iranian hacktivist group Handala, which allegedly claimed responsibility for the activity on Twitter.

More system headaches

As if that wasn’t bad enough, new Windows threats reported in July require immediate attention, and many millions of PCs remain at risk.

On July 9, Check Point warned that attackers are using specially crafted Windows Internet Shortcut (.url) files. When a victim clicks one, it launches the retired Internet Explorer (IE) to visit an attacker-controlled URL instead of the system’s default browser. Because IE lacks the protections of modern browsers such as Chrome or Edge, this gives attackers significant advantages in exploiting victims’ machines, even on current operating systems such as Windows 10 and 11. The flaw is tracked as CVE-2024-38112.

Just days later, Trend Micro added more threat intelligence, revealing that the vulnerability was being exploited as a zero-day to access and execute files through the disabled Internet Explorer via the MSHTML engine. This let attackers infect victim machines with the Atlantida information stealer, which harvests system information and sensitive data such as passwords and cookies from various applications.
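To make the shortcut trick concrete, here is an added example (not code from the original article, from Check Point or from Trend Micro): a small scanner that flags .url files whose URL field uses the "mhtml:" scheme, which hands the link to the IE/MSHTML handler. Check Point’s public analysis describes the abused URL field as "mhtml:<url>!x-usc:<url>" with the icon set to Edge’s so the file looks like an ordinary web link; both are used here as indicators. The sample .url bodies, file names and domains are constructed placeholders, not real indicators of compromise.

```python
"""
Added example: scan Windows Internet Shortcut (.url) bodies for the
"mhtml:" / "!x-usc:" trick that forces the retired Internet Explorer
(MSHTML) to open an attacker URL. Sample inputs are constructed.
"""
import configparser
import re
from dataclasses import dataclass, field
from typing import Dict, List

# "mhtml:" at the start of the URL field routes the link to the IE/MSHTML handler.
MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)
# "!x-usc:" separates the MHTML container URL from the URL IE is told to fetch.
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)
# A borrowed browser icon makes the shortcut look like it opens in Edge/Chrome.
BROWSER_EXES = ("msedge.exe", "chrome.exe", "firefox.exe")


@dataclass
class Finding:
    path: str
    verdict: str                                    # "suspicious" or "clean"
    reasons: List[str] = field(default_factory=list)
    target_urls: List[str] = field(default_factory=list)


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse the INI-style .url body and return the [InternetShortcut] section
    with lower-cased keys, or {} if the section is absent.
    Raises configparser.Error on a malformed body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "internetshortcut":  # Windows matches the name case-insensitively
            return dict(cp.items(name))
    return {}


def analyze_url_file(path: str, text: str) -> Finding:
    """Classify one .url body. The mhtml: scheme (or an unparseable body)
    decides the verdict; the icon check is recorded as a supporting indicator."""
    finding = Finding(path=path, verdict="clean")
    try:
        section = parse_url_file(text)
    except configparser.Error as exc:
        finding.verdict = "suspicious"
        finding.reasons.append(f"unparseable .url body ({exc.__class__.__name__})")
        return finding

    url = section.get("url", "")
    if MHTML_RE.match(url):
        finding.verdict = "suspicious"
        finding.reasons.append("URL uses mhtml: scheme, which launches MSHTML/IE")
        body = MHTML_RE.sub("", url, count=1)
        if XUSC_RE.search(body):
            finding.reasons.append("URL carries an !x-usc: redirect to a second URL")
        # Distinct URLs IE would be sent to, in order of appearance.
        for part in XUSC_RE.split(body):
            part = part.strip()
            if part and part not in finding.target_urls:
                finding.target_urls.append(part)

    icon = section.get("iconfile", "").lower()
    if any(icon.endswith(exe) for exe in BROWSER_EXES):
        finding.reasons.append("IconFile borrows a browser icon (lure looks like a normal web link)")
    return finding


def scan(samples: Dict[str, str]) -> Dict[str, Finding]:
    """Analyze a mapping of path -> file body. A real scanner would read the
    bodies from disk (Downloads, mail attachment quarantine) instead."""
    return {path: analyze_url_file(path, text) for path, text in samples.items()}


# Constructed sample bodies with placeholder domains (not real indicators).
SAMPLE_FILES = {
    "invoice.url": r"""[InternetShortcut]
URL=mhtml:http://lure.example/update.html!x-usc:http://lure.example/update.html
ShowCommand=7
IconIndex=13
IconFile=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
""",
    "intranet.url": r"""[InternetShortcut]
URL=https://intranet.example/
IconIndex=0
""",
}

if __name__ == "__main__":
    for path, f in scan(SAMPLE_FILES).items():
        print(f"{path}: {f.verdict}")
        for reason in f.reasons:
            print(f"  - {reason}")
        for target in f.target_urls:
            print(f"  -> IE would open: {target}")
```

This is a hunting aid for mail attachments and download folders on hosts that may not yet have the July 2024 update; the patch itself is the fix, and a file that fails to parse as a shortcut is treated as suspicious rather than ignored.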

Following Check Point’s disclosure, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning of a spoofing vulnerability in Windows that poses a high risk to confidentiality, integrity and availability.

Microsoft fixed the vulnerability in its July 2024 security update, but the fix only helps if it is installed, so users need to make sure their Windows PCs are updated. Under CISA’s KEV directive, U.S. federal civilian agencies had to apply the update by July 30 or stop using affected systems. All other organizations, and home users too, are strongly advised to apply it as well. According to Check Point, Trend Micro and CISA, the vulnerability has been exploited in the wild, with attacks dating back more than 12 months.

Breaking the vicious cyber cycle

With so many phishing lures circulating at the same time as genuine, required system updates, many people may be unsure what to do. Or email paranoia may set in, where everything looks suspicious, even legitimate update advice. The best practice is to verify update notices directly through official channels (the vendor’s own update mechanism or support site) and your organization’s IT representatives, never through a link in an unsolicited email. And think two (or three) times before you click.
