Italian organizations victim of cyber attacks

This time major Italian organizations of a diverse nature seem to be in the crosshairs of the Gozi, their “stage” name.

In charge of the case is Cynet, an Israeli cybersecurity company.

Cynet 360 is the world’s first Autonomous Breach Protection platform that natively integrates endpoint attack prevention and detection capabilities.

Ursnif attacks again, and this time it comes after Italian organizations

Italy asks Cynet for help

Ursnif, a criminal group repeatedly associated with Russia and with a long history of cyber attacks behind it, in the latest period seems to want to attack and weaken mainly Italian organizations.

The data come directly from the careful analysis of Cynet, a leading Israeli company in the detection and management of advanced threats in the field of cybersecurity.

Over the past week, the company has observed a steady and not insignificant growth in cyber attacks targeting Italian clients. 

How hackers operate

After significant analysis, it has emerged that Ursnif’s modus operandi is predominantly geared toward data exfiltration; although variants have been observed that add capabilities such as backdoors, spyware, and file injectors.

As mentioned above from Cynet’s analysis, it also emerges that the clients that have been victims of the Gozi attacks appear to have almost nothing in common with each other.

So far, there seems to be no clear and defined strategy behind these hacks. In fact, there is no market homogeneity among the targeted customers on whom an attack attempt has been detected.

Data exfiltration attempts have been detected against the health sector, the armed forces, e-commerce and large retailers.

The attack usually begins with spearfishing activity.

Hackers first derive online information about the victim so that the malicious e-mail appears personalized and tied to a service actually used by the user. The latter is then guided to fill out a form, in this case an excel file, that contains the malicious payload.

All that’s left to do at this point is to download and run a DLL through the regsvr32 crash, a Windows system file capable of manipulating other programs and monitoring applications, to activate a command-and-control server for the victim’s environment.

Marco Lucchina, Channel Manager Italy, Spain & Portugal at Cynet states:

“The primary objective of the Ursnif group is data theft aimed at receiving unauthorized earnings and carrying out other attacks using the information present.

Ursnif has already been reported in several phishing campaigns in recent weeks, associated with messages such as ‘Ricevuta AgenziaEntrate’ or ‘sollecito DHL’ but, thanks to the work carried out by our Orion Group (Threat Intelligence), we have detected much wider use and targeted attacks customized per individual customer. 

In addition, the fact that Cynet detected and blocked the threat the moment the user double-clicks and triggers the first malicious payload means that previous layers of protection, such as antispam and user training, were not effective enough, a wake-up call that indicates the importance of adopting a Defense in Depth strategy”.