The FBI issued a warning about a callback phishing scam orchestrated by the Silent Ransom Group to gain initial access to organizations the gang targeted in a recent ransomware campaign.
Callback phishing attacks involve threat actors emailing employees at a target company, typically seeking payment of a fake account, and asking them to phone the gang’s call center to resolve the issue.
Once they had the victim on the phone, the threat group used social engineering tactics to manipulate the caller into installing malware on their computer, giving the gang initial access into the target organization.
Callback phishing is an appealing way for ransomware groups to gain entry to the networks of organizations whose data they want to steal and encrypt because it poses a low risk of detection, is cheap to execute, and can generate results quickly.
Silent Ransom Group using legitimate tools used to make remote connections
In a Nov. 7 private industry notification (PDF) the FBI’s Cyber Division said the Silent Ransom Group was using “legitimate system management tools to elevate network permissions” in callback phishing attacks dating back to July.
“Once the victims called the provided phone number, malicious actors directed them to join a legitimate system management tool via a link provided in a follow-up email,” the FBI said.
“The threat actors then used the management tools to install other legitimate system management tools that can be repurposed for malicious activity.”
The FBI did not provide further details on the tools used, however, threat groups employing callback phishing tactics have previously abused legitimate remote connectivity tools such as AnyDesk, TeamViewer or Zoho Assist.
“The actors then compromised local files and the network shared drives, exfiltrated victim data, and extorted the companies,” the FBI said.
Silent Ransom Group turns to old tricks: callbacks
Silent Ransom Group, also known as Luna Moth, has a history of using callback phishing scams to lure its victims.
The gang has been active since about April 2022 and was formed by members of the now defunct Conti cartel, which fell apart around that time.
Silent Ransom Group, along with the Quantum and Roy/Zero gangas, filled out of the remnants of Conti and were linked to callback phishing attacks within months of being established.
In its notification, the FBI recommended a range of mitigations it said organizations should take to minimize their risk of falling victim to callback phishing attacks targeting their employees, and to ransomware attacks more generally.
Among its recommendations, the FBI said organizations should implement listing policies that only allowed known and permitted remote access solutions to execute under an established security policy.
The bureau said solutions approved for remote management and maintenance should be documented and security teams should immediately investigate if an unapproved solution was installed on a workstation.
Ransomware gangs hit small casinos
Meanwhile, in the same private industry notification, the FBI made brief reference to what it said was another emerging ransomware trend: an uptick in attacks against small U.S. casinos.
“Between 2022 and 2023, the FBI noted ransomware attacks compromising casinos through third-party gaming vendors,” the bureau said.
“The attacks frequently targeted small and tribal casinos, encrypting servers and the personally identifying information (PII) of employees and patrons.”
Recent industry headlines have focused on the fallout from attacks against organizations at the opposite end of the gaming sector, namely big-name Las Vegas casino operators MGM Resorts and Caesars Entertainment.
