Nothing is safe anymore. While tricking users into giving up their credentials still seems pretty impressive, new updates to the FTCode ransomware target the IDs and passwords on your endpoints.
According to threat researchers at Zscaler, new PowerShell code has been added to decrypt stored credentials from the following web browsers and email clients on Windows machines:
- Internet Explorer
- Mozilla Firefox
- Mozilla Thunderbird
- Google Chrome
- Microsoft Outlook
While FTCode primarily is focused on attacking Italian-language users, there is little to suggest once this tactic gets out, it will be duplicated by other cybercriminal organizations. The repercussions are massive: In addition to holding data for ransom, attackers could lock massive numbers of an organization’s users out of any and all cloud-based applications, could use the newfound credentials to island hop, could provide access to Office 3656 via OAuth API access, commit BEC scams, identity theft, and much more.
This new PowerShell code is VERY bad news.
There are two parts to stopping these kind of attacks (assuming we’re very likely going to see more of this code in the future):
- Endpoint protection – you need a solution in place on your endpoints that is scrutinizing each and every process that runs, looking to see if it’s an expected process and if it’s performing an action that is allowed. This is your reactive control.
- Security Awareness Training – by educating your users on the dangers of phishing attacks (the FTCode attacks start with emails containing malicious macro documents as attachments that users must first click), you lower the likelihood they will engage with suspicious email content, reducing the risk of successful attack.