A new attack vector that bypasses all your software defences has been discovered by Israeli cybersecurity company Cyberint. At the moment the attackers are targeting US and UK energy companies, which could cause power cuts and even cost lives, but this tactic could be used against anyone.
Here is how it plays out. A “honey-doc” masquerades as a resume attached to a harmless email. Both email and attachment are totally clean and contain no malicious code whatsoever. That’s what makes them undetectable to any kind of incoming email filter.
However, the Word doc *is* weaponized with a template reference that, when the document is loaded, connects to the attacker’s server via Server Message Block (SMB) and downloads a Word template carrying an extremely well-hidden malicious payload.
The connection to the SMB server also hands the attacker the victim’s credentials, because Windows authenticates to the remote share automatically; those credentials can then be used to acquire sensitive information, infiltrate the network, or reach the control systems used by the targeted employee.
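Because the document itself carries no macro or executable code, a defender’s check is to look for the external template reference that makes Word reach out over SMB. The following is an added example, not code from Cyberint or from the report, that opens a .docx, reads the settings relationships for an `attachedTemplate` with an External target, and flags UNC/SMB-style paths (the ones that trigger an outbound Windows authentication); the sample document builder and the `attacker.example` host are constructed for the demonstration.

```python
import io
import re
import sys
import zipfile
from typing import List, Optional
from xml.etree import ElementTree as ET

# Namespaces / relationship types defined by OOXML (ECMA-376) for .docx packages
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# A UNC path (\\host\share), a forward-slash UNC, or a file: URL pointing at one:
# Word resolves these over SMB and authenticates to the host automatically.
SMB_STYLE = re.compile(r"^(\\\\|//|file:)", re.IGNORECASE)


def is_smb_target(target: str) -> bool:
    """True when the template target would be fetched over SMB (credential leak risk)."""
    return bool(SMB_STYLE.match(target.strip()))


def find_external_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target declared in the .docx (empty if none)."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Word only writes this part when settings.xml references something by relationship
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_target: Optional[str] = None) -> bytes:
    """Constructed minimal .docx skeleton for testing; only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            zf.writestr("word/_rels/settings.xml.rels",
                        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                        f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
                        f'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_template.py resume.docx [more.docx ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for target in find_external_templates(fh.read()):
                print(f"{path}: external template -> {target}"
                      f"{'  [SMB: leaks credentials]' if is_smb_target(target) else ''}")
```

A document pointing its template at a UNC path is the pattern described above; one pointing at an https URL still deserves review but does not cause the SMB authentication leak.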
The campaign appears to have started in May, and as it is targeted at infrastructure control systems of US and UK energy companies, it’s not too hard to guess who is behind it.
The problem is that once this type of attack is out there in the wild (remember Stuxnet?), all kinds of bad guys get their hands on it.