

Constant Contact Malicious Link Warning

Carefully examine links before clicking on them in emails sent through Constant Contact, the popular email campaign service.

Update [03/31/2022]: This is an active incident. Microsoft will post more details as they become available. Microsoft detailed NOBELIUM’s latest early-stage toolset, composed of four tools utilized in a unique infection chain: EnvyScout, BoomBox, NativeZone, and VaporRage. https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/


The NOBELIUM indicators of compromise (IOCs) associated with this activity are available in CSV on the MSTIC GitHub.
https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv

Updated NOBELIUM IOCs to include MD5 hashes. 
https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv

Any humanitarian organization that works directly with USAID, as well as any that is connected indirectly through another program, needs to be cautious with email links and should also scan for networks that are already compromised.


Microsoft has announced a sophisticated and widespread attack that sent 3,000 malicious links to 150 organizations, and the threat is still active.

Tom Burt, a vice president at Microsoft, stated on Thursday, May 27, that the hackers appeared to target "many humanitarian and human rights organizations."

Microsoft states that NOBELIUM, the threat actor behind the SolarWinds attack, the SUNBURST backdoor, TEARDROP malware, GoldMax malware and other related components, is behind this spear-phishing campaign, which aims to compromise the networks of organizations that work with USAID.

Screenshot: malicious USAID-themed Constant Contact phishing email, example courtesy of Microsoft.com

Before clicking any link in an email sent through Constant Contact or another email campaign service, check the sender address and hover over each link to see where it actually leads. Keep your operating system and your antivirus software up to date.

What you can do if you suspect you may have been part of this compromise

For Microsoft Windows users, apply the following mitigations to reduce the impact of this threat. See Microsoft's recommendations for the deployment status of monitored mitigations.


  1. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  2. Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)
  3. Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  4. Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  5. Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
  6. Enable multifactor authentication (MFA) to mitigate compromised credentials. Microsoft strongly encourages all customers to download and use passwordless solutions like Microsoft Authenticator to secure their accounts.
  7. For Office 365 users, see multifactor authentication support.
  8. For Consumer and Personal email accounts, see how to use two-step verification.
  9. Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes. NOTE: Assess rule impact before deployment.


Indications you have been compromised

Spoofed sender email accounts:
  ashainfo@usaid.gov
  mhillary@usaid.gov

SHA-256 hashes:
  2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252  -  Malicious ISO file (container)
  d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142  -  Malicious ISO file (container)
  94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916  -  Malicious ISO file (container)
  48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0  -  Malicious shortcut (LNK)
  ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c  -  Cobalt Strike Beacon malware
  ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330  -  Cobalt Strike Beacon malware

Domains and subdomains:
  usaid.theyardservice[.]com  -  Subdomain used to distribute the ISO file
  worldhomeoutlet[.]com  -  Domain used for Cobalt Strike C2
  dataplane.theyardservice[.]com  -  Subdomain used for Cobalt Strike C2
  cdn.theyardservice[.]com  -  Subdomain used for Cobalt Strike C2
  static.theyardservice[.]com  -  Subdomain used for Cobalt Strike C2
  theyardservice[.]com  -  Actor-controlled domain

IP addresses:
  192[.]99[.]221[.]77  -  IP resolved to by worldhomeoutlet[.]com
  83[.]171[.]237[.]173  -  IP resolved to by *.theyardservice[.]com
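As an added example (not part of the original post, and not Microsoft's tooling), the script below loads the network indicators from the table above, refangs the publication-safe "[.]" form, and checks both the link targets in an HTML email body and DNS/proxy log lines against them. The email body and log lines are constructed samples; matching walks up parent domains, so any host under theyardservice[.]com is flagged, not only the listed subdomains.

```python
import re
from urllib.parse import urlparse
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z0-9-]+)\b", re.I)  # hostnames and IPv4 in free text

# Indicators copied from the table above, kept in the same defanged form.
DEFANGED_IOCS = {
    "usaid.theyardservice[.]com": "subdomain used to distribute ISO file",
    "worldhomeoutlet[.]com": "Cobalt Strike C2",
    "dataplane.theyardservice[.]com": "Cobalt Strike C2",
    "cdn.theyardservice[.]com": "Cobalt Strike C2",
    "static.theyardservice[.]com": "Cobalt Strike C2",
    "theyardservice[.]com": "actor-controlled domain",
    "192[.]99[.]221[.]77": "IP resolved to by worldhomeoutlet[.]com",
    "83[.]171[.]237[.]173": "IP resolved to by *.theyardservice[.]com",
}
# Refang: turn the publication-safe "example[.]com" form back into a matchable string.
IOCS = {k.replace("[.]", ".").lower(): v for k, v in DEFANGED_IOCS.items()}

def match_host(host: str):
    """Return (indicator, description) if host or any parent domain is an IOC, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # walk up parent domains; never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in IOCS:
            return candidate, IOCS[candidate]
    return None

def check_email_links(html: str):
    """List (href, indicator, description) for each link whose host is an IOC."""
    hits = []
    for href in re.findall(r'href\s*=\s*["\']([^"\']+)', html, re.I):
        m = match_host(urlparse(href).hostname or "")
        if m:
            hits.append((href, *m))
    return hits

def scan_log(lines):
    """List (line_no, token, indicator, description) for log lines touching an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in HOST_RE.findall(line):
            m = match_host(token)
            if m:
                hits.append((n, token, *m))
    return hits

# Constructed sample inputs, not real mail or telemetry.
SAMPLE_EMAIL = '<p>USAID Special Alert</p><a href="https://usaid.theyardservice.com/x">View documents</a>'
SAMPLE_DNS_LOG = ["2021-05-27T10:01:02Z client=10.0.0.12 query=A name=static.theyardservice.com",
                  "2021-05-27T10:01:05Z client=10.0.0.12 query=A name=www.microsoft.com",
                  "2021-05-27T10:02:10Z client=10.0.0.12 CONNECT 192.99.221.77:443"]
```

Feeding real mail-gateway or DNS logs through scan_log gives the "scan for current compromised networks" check the post asks for; the file hashes from the table are matched separately against endpoint telemetry.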

Antivirus Detection

Microsoft Defender Antivirus detects threat components as the following malware:


Trojan:Win32/NativeZone.C!dha
