Goal Is to Deliver Harmful Files Via Email
Article in Healthcare Info Security Marianne Kolbasuk McGee (HealthInfoSec) • August 10, 2021
The Health Information Sharing and Analysis Center has issued an advisory about attackers leveraging masquerade and obfuscation techniques in an attempt to deliver harmful files via email to healthcare organizations.
In a threat bulletin released Monday, H-ISAC warns: “The threat actors are using a legitimate feature of Right-to-Left Override – or RTLO – Unicode to email malicious files to potential victims and have them appear benign in an attempt to deliver attacks that leverage the Cobalt Strike toolkit.”
RTLO is a special character within unicode, an encoding system that allows computers to exchange information regardless of the language used, H-ISAC notes.
“Unicode covers all the characters for all writing systems of the world, modern and ancient. It also includes technical symbols, punctuations and many other characters used in writing text. For example, a blank space between two letters, numbers or symbols is expressed in unicode as “U+0020”.”
Innocuous-Looking Files
The RTLO character – or U+202e in Unicode – is designed to support languages that are written right to left, such as Arabic and Hebrew, H-ISAC notes. “The problem is that this override character also can be used to make a malicious file look innocuous.”
Attackers attempt to deliver malicious files to potential victims using masquerade and obfuscation techniques, either independently or in tandem, to make htm and htm/eml files appear as a mp3, wav or pdf attachment, H-ISAC warns.
“Threat actors also attempt to deliver malicious htm files masqueraded as a pdf file. The htm file contains obfuscated JavaScript, which includes a base64 encoded string to a URL that may not be blocked by commercial email filter and security products,” the organization states.
No Known Successful Attacks
H-ISAC says it’s unaware of any successful compromises in the healthcare sector involving RTLO attacks. But it warns that an RTLO-type attack technique “cannot be easily mitigated with preventive controls, since it is based on the abuse of system features.”
Detection methods should include looking for common formats of RTLO characters within filenames such as u202E, [U+202E], and %E2%80%AE, H-ISAC advises.
“Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.”
In its alert, H-ISAC also lists other threat indicators, including suspicious email addresses and URLs.
A Long-Standing Risk
RTLO attacks have been attempted for email attacks for years, some security experts note.
“Cyberthreat intelligence and infosec professionals always see innovation and updated attack techniques by malicious actors,” Errol Weiss, chief security officer at H-ISAC, tells Information Security Media Group.
“We expect this and try to plan for it. The attack technique has been known since at least 2015, or maybe even earlier. That’s why it’s so important to not forget any of the old lessons learned in this cybersecurity business.”
RTLO attacks leverage legitimate system functions to disguise the actual file type contained in an email sent by malicious actors, he says.
“In theory, a user might think they’re clicking on a voicemail wav file or an invoice in a PDF, when in actuality, the file is an evil executable or Word doc containing macros – or other malicious files – that ultimately deliver malware,” he says.
“The resulting malware could do just about anything the bad guys can think of – infect systems with ransomware; steal information – resulting in a data breach, for example; shut down or corrupt systems; and more. RTLO is just a clever way of evading some detection systems and tricking end users to install malware.”
Steps to Take
Weiss says RTLO usage in filenames should be considered highly suspicious. “We do suggest organizations scan email looking for attachment file names that contain the RTLO characters and block or quarantine them,” he says.
“We also suggest enterprise networks use a secure email gateway and host-based EDR [endpoint detection and response] products to help detect and prevent attacks like this from being successful.”
Link to original article: https://www.healthcareinfosecurity.com/h-isac-attackers-leveraging-rtlo-unicode-a-17253