Microsoft disrupted a hacking operation linked conducted by Russia-linked APT SEABORGIUM aimed at NATO countries.
The Microsoft Threat Intelligence Center (MSTIC) has disrupted activity by SEABORGIUM (aka ColdRiver, TA446), a Russia-linked threat actor that is behind a persistent hacking campaign targeting people and organizations in NATO countries.
SEABORGIUM has been active since at least 2017, its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.
The SEABORGIUM group primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.
The group also targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.
SEABORGIUM’s campaigns begin with a reconnaissance activity of target individuals, with a focus on identifying their contacts on social networks or the sphere of influence.
“Based on some of the impersonation and targeting observed, we suspect that the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts.” reads the post published by Microsoft.“MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest. “
Threat actors used fake identities to contact target individuals and start a conversation with them to build a relationship and trick them into opening an attachment sent via phishing messages
The phishing messages used PDF attachments and in some cases, they included links to file or document hosting services, or to OneDrive accounts hosting the PDF documents.
Upon opening the PDF file, it will display a message stating that the document could not be viewed and that they should click on a button to try again.
Clicking the button, the victim is redirected to a landing page running phishing frameworks, such as EvilGinx, that displays the sign-in page for a legitimate provider and intercept any credentials
After the credentials are captured, the victim is redirected to a website or document to avoid raising suspicion.
Once the attackers have gained access to the targeted email account, they exfiltrate intelligence data (emails and attachments) or set up forwarding rules from victim inboxes to actor-controlled dead drop accounts.
In several cases, SEABORGIUM has been observed using their impersonation accounts to facilitate dialog with specific people of interest.
Microsoft confirmed it has taken action to disrupt SEABORGIUM’s operations by disabling accounts used for surveillance, phishing, and email collection. The IT giant also shared Indicators of compromise (IOCs) for this threat actor, which includes a list of more than sixty domains used by the APT in its phishing campaigns.
The complete list of domains can be found in Microsoft’s advisory, as well as safeguards that network defenders can use to prevent similar attacks.
Defenses include disabling email auto-forwarding in Microsoft 365, using the IOCs to investigate for potential compromise, requiring MFA on all accounts, and for more security, requiring FIDO security keys.
Microsoft has also released Azure Sentinel hunting queries [1, 2] that can be used to check for malicious activity.
Researchers from threat intelligence firm Cyble reported a surge in attacks targeting virtual network computing (VNC).
Virtual Network Computing (VNC) is a graphical desktop-sharing system that leverages the Remote Frame Buffer (RFB) protocol to control another machine remotely. It transmits the keyboard and mouse input from one computer to another, relaying the graphical-screen updates, over a network.
Researchers from Cyber looked for VNC exposed over the internet and discovered over 8000 VNC instances with authentication disabled, most of them in China, Sweden, and the United States.
Cyble observed a surge in attacks on the default port for VNC, port 5900, most of them originated from the Netherlands, Russia, and Ukraine. Exposing VNCs to the internet, increases the likelihood of a cyberattack.
Threat actors could use the access through VNC to carry out a broad range of malicious activities, such as deploying ransomware, malware, or spy on the victims.
The researchers discovered multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition Systems (SCADA), Workstations, etc., connected via VNC and exposed over the internet
Cyble also reported that threat actors are selling access to systems exposed on the Internet via VNC on cybercrime forums.
“Our investigation found that selling, buying, and distributing exposed assets connected via VNCs are frequently on cybercrime forums and markets. A few examples of the same can be seen in the figures below.” Cyble states.
The experts pointed out that even if the count of exposed VNCs is low compared to previous years, some of the exposed VNCs belong to various organizations in the Critical Infrastructures sector such as water treatment plants, manufacturing plants, research facilities, etc.
“Remotely accessing the IT/OT infrastructure assets is pretty handy and has been widely adopted due to the COVID-19 Pandemic and work-from-home policies. However, if organizations do not have the appropriate safety measures and security checks in place, this situation can lead to severe monetary loss for an organization. Leaving VNCs exposed over the internet without any authentication makes it fairly easy for intruders to penetrate the victim’s network and create havoc.” Cyble concludes. “Attackers might also try to exploit the VNC service by using various vulnerabilities and techniques, allowing them to connect with the exposed asset(s).”
Security researchers from Cleafy reported that the SOVA Android banking malware is back and is rapidly evolving.
The SOVA Android banking trojan was improved, it has a new ransomware feature that encrypts files on Android devices, Cleafy researchers report.
The malware has been active since 2021 and evolves over time. The latest version of the SOVA Trojan, 5.0, targets over 200 banking and cryptocurrency exchange apps.
The authors also enhanced its evasion capabilities.
In March 2022, SOVA authors released version 3.0 which was able to capture 2FA codes and cookies, it also implemented new injections to target applications from multiple banks.
Version 4, which was released in July, unlike previous versions includes several new codes. The most interesting capability is the VNC (virtual network computing).
“Starting from SOVA v4, TAs can obtain screenshots of the infected devices, to retrieve more information from the victims. Furthermore, the malware is also able to record and obtain any sensitive information, as shown in Figure 5. These features, combined with Accessibility services, enable TAs to perform gestures and, consequently, fraudulent activities from the infected device, as we have already seen in other Android Banking Trojans (e.g. Oscorp or BRATA).” reads the analysis published by Cleafy. “With SOVA v4, TAs are able to manage multiple commands, such as: screen click, swipe, copy/paste and the capability to show an overlay screen to hide the screen to the victim.”
In SOVA v4, the author has further improved and refactored the cookie stealer mechanism. Another interesting feature updated in SOVA v4 is the protection module, which was designed to protect the malware from the victim’s actions, such as the manual uninstall of the malicious code.
If the user tries to uninstall the malware from the settings or pressing the icon, SOVA is able to intercept these actions and prevent them from abusing the Accessibilities services by returning to the home screen and showing a popup displaying “This app is secured”.
The SOVA v4 also includes a new module designed to target the Binance exchange and the Trust Wallet (official crypto wallet of Binance). The module allows operators to obtain different information, including the balance of the account, the history of the actions performed by the victim, and the seed phrase to access the crypto wallet.
Version 5 was completely refactored and new features and changes were added, including the communications between the malware and the C2 server. Experts noticed that the VNC module has yet to be integrated into the latest version.
The most interesting feature added in SOVA v5 is the ransomware module, which was already announced in the roadmap for September 2021.
The malware encrypts the files inside the infected devices using an AES algorithm and renaming them with the extension “.enc”.
“The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape. It strongly leverages on the opportunity arises in recent years, as mobile devices became for most people the central storage for personal and business data.” concludes the report. “
With the discovery of SOVA v4 and SOVA v5, we uncovered new evidence about how TAs are constantly improving their malware and the C2 panel, honouring the published roadmap.Although the malware is still under development, it’s ready to carry on fraudulent activities at scale.“
Security Researchers discovered a new PyPI Package designed to drop fileless cryptominer to Linux systems.
Sonatype researchers have discovered a new PyPI package named ‘secretslib‘ that drops fileless cryptominer to the memory of Linux machine systems.
The package describes itself as “secrets matching and verification made easy,” it has a total of 93 downloads since August 6, 2020.
“Sonatype has identified a ‘secretslib’ PyPI package that describes itself as “secrets matching and verification made easy.”” reads the post published by the experts. “On a closer inspection though, the package covertly runs cryptominers on your Linux machine in-memory (directly from your RAM), a technique largely employed by fileless malware and crypters.”
The package fetches a Linux executable from a remote server and execute it to drop an ELF file (“memfd“) directly in memory. It is a Monero crypto miner likely created via the ‘memfd_create‘ system call.
“Linux syscalls like ‘memfd_create’ enable programmers to drop “anonymous” files in RAM as opposed to writing the files to disk. Because the intermediate step of outputting the malicious file to the hard drive is skipped, it may not be as easy for antivirus products to proactively catch fileless malware, that now resides in a system’s volatile memory, although the task is certainly not impossible.” continues the analysis. “Moreover, since ‘secretslib’ package deletes ‘tox’ as soon as it runs, and the cryptomining code injected by ‘tox’ resides within the system’s volatile memory (RAM) as opposed to the hard drive, the malicious activity leaves little to no footprint and is quite “invisible” in a forensic sense.”
It is interesting to note that threat actors behind the ‘secretslib’ used the name of an engineer working for Argonne National Laboratory (ANL.gov), an Illinois-based science and engineering research lab operated by UChicago Argonne LLC for the U.S. Department of Energy.
A few days ago, Check Point researchers discovered another ten malicious packages on the Python Package Index (PyPI). The packages install info-stealers that allow threat actors to steal the private data and personal credentials of the developers.
China-linked threat actors Iron Tiger backdoored a version of the cross-platform messaging app MiMi to infect systems.
Trend Micro researchers uncovered a new campaign conducted by a China-linked threat actor Iron Tiger that employed a backdoored version of the cross-platform messaging app MiMi Chat App to infect Windows, Mac, and Linux systems.
The Iron Tiger APT (aka Panda Emissary, APT27, Bronze Union, Lucky Mouse, and TG-3390) is active at least since 2010 and targeted organizations in APAC, but since 2013 it is attacking high-technology targets in the US.
Trend Micro experts discovered a server hosting both a HyperBro sample and a malicious Mach-O executable named “rshell.” While HyperBro is a malware family that is associated with APT27 operations, the Mach-O sample appears to be a new malware family targeting the Mac OS platform. The researchers also found samples compiled to infect Linux systems.
“We noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently while investigating threat actor Earth Berberoka. We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack.” reads the analysis published by Trend Micro. “Further investigation showed that MiMi chat installers have been compromised to download and install HyperBro samples for the Windows platform and rshell samples for the Mac OS platform.”
The Chinese hackers compromised the installers of the chat application MiMi and the malicious code was used to download and install HyperBro samples for the Windows operating system and rshell for Linux and macOS.
This appears as a supply chain attack because the Iron Tiger APT compromised the server hosting the legitimate installers for this MiMi chat application.
The rshell executable is a standard backdoor that allows operators to collect OS information and send it to the C2 server, receive commands from the C2 server, and send command execution results back to the C2.
The experts noticed that running the DMG installer on a macOS system, the user is displayed several warnings before the backdoored app is installed, such as an alert about an unverified developer.
Both the legitimate and the backdoored versions of the installer were unsigned, this implies that Mac users that want to install MiMi chat were probably used to all these extra steps to finally install it and ignore the warnings.
This is the first time the attackers attempted to target macOS alongside Windows and Linux systems.
Experts found 13 different systems infected by this campaign, eight were compromised with she’ll, six in Taiwan, one in the Philippines, and one being in Taiwan and the Philippines. The remaining ones were infected with HyperBro (four in Taiwan and one in the Philippines).
Below is the timeline of the campaign:
June 2021: Oldest Linux rshell sample found
November 2021: Threat actor modified version 2.2.0 of Windows MiMi chat installer to download and execute HyperBro backdoor
May 2021: Threat actor modified version 2.3.0 of Mac OS MiMi chat installer to download and execute “rshell” backdoor
The analysis also includes a list of Indicators of Compromise (IOCs) for this campaign.
“We attribute this campaign to Iron Tiger for multiple reasons.” concludes the analysis.
Flaws in Xiaomi Redmi Note 9T and Redmi Note 11 models could be exploited to disable the mobile payment mechanism and even forge transactions.
Check Point researchers discovered the flaws while analyzing the payment system built into Xiaomi smartphones powered by MediaTek chips.
Trusted execution environment (TEE) is an important component of mobile devices designed to process and store sensitive security information such as cryptographic keys and fingerprints.
TEE protection leverages hardware extensions (such as ARM TrustZone) to secure data in this enclave, even on rooted devices or systems compromised by malware.
The most popular implementations of the TEE are Qualcomm’s Secure Execution Environment (QSEE) and Trustronic’s Kinibi, but most of the devices in the wider Asian market are powered by MediaTek chips, which is less explored by security experts.
The experts explained that on Xiaomi devices, trusted apps are stored in the /vendor/thh/ta directory. The apps are in the format of unencrypted binary file with a specific structure.
Trusted apps of the Kinibi OS have the MCLF format, while Xiaomi uses its own format.
A trusted app can have multiple signatures following the magic fields and the magic fields are the same across all trusted apps on the mobile device.
The researchers noticed that the version control field is omitted in the trusted app’s file format, this means that an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file. Using this trick, the TEE will load the app transferred by the attacker.
“Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. To prove the issue, we successfully overwrote the thhadmin trusted app on our test device running MIUI Global 188.8.131.52 OS with an old one extracted from another device running MIUI Global 10.4.1.0 OS.” reads the analysis published by Check Point researchers “The old thhadmin app was successfully launched, even though its code is significantly different from the original.”
The experts also found multiple flaws in “thhadmin,” app that could be exploited to leak stored keys or to execute malicious code in the context of the app.
Check Point researchers have analyzed an embedded mobile payment framework, named Tencent Soter, used by Xiaomi devices. This framework provides an API for third-party Android applications to integrate the payment capabilities. Tencent soter allows to verify payment packages transferred between a mobile application and a remote backend server, it is supported by hundreds of millions Android devices.
A heap overflow vulnerability in the soter trusted app could be exploited to trigger a denial-of-service by an Android app that has no permissions to communicate with the TEE directly.
The researchers demonstrated that it is possible to extract the private keys used to sign payment packages by replacing the soter trusted app with an older version affected by an arbitrary read vulnerability. Xiaomi tracked the issue as CVE-2020–14125.
“This vulnerability [CVE-2020–14125] can be exploited to execute a custom code. Xiaomi trusted apps do not have ASLR. There are examples on the Internet of exploiting such a classic heap overflow vulnerability in Kinibi apps. In practice, our goal is to steal one of the soter private keys, not execute the code. The key leak completely compromises the Tencent soter platform, allowing an unauthorized user to sign fake payment packages.” concludes the report.
“To steal a key, we used another arbitrary read vulnerability that exists in the old version of the soter app (extracted from the MIUI Global 10.4.1.0). As noted, we can downgrade the app on Xiaomi devices.”
Xiaomi addressed the CVE-2020-14125 vulnerability on June 6, 2022.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are warning of Zeppelin ransomware attacks.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint advisory to warn of Zeppelin ransomware attacks.
The Zeppelin ransomware first appeared on the threat landscape in November 2019 when experts from BlackBerry Cylance found a new variant of the Vega RaaS, dubbed Zeppelin.
The ransomware was involved in attacks aimed at technology and healthcare, defense contractors, educational institutions, manufacturers, companies across Europe, the United States, and Canada. At the time of its discovery, Zeppelin was distributed through watering hole attacks in which the PowerShell payloads were hosted on the Pastebin website.
Before deploying the Zeppelin ransomware, threat actors spend a couple of weeks mapping or enumerating the victim network to determine where data of interest is stored. The ransomware can be deployed as a .dll or .exe file or contained within a PowerShell loader.
Zeppelin actors request ransom payments in Bitcoin, they range from several thousand dollars to over a million dollars.
The group uses multiple attack vectors to gain access to victim networks, including RDP exploitation, SonicWall firewall vulnerabilities exploitation, and phishing attacks.
The threat actors also implement a double extortion model, threatening to leak stolen files in case the victims refuse to pay the ransom.
Zeppelin is typically deployed as a .dll or .exe file within a PowerShell loader. To each encrypted file, it appends a randomized nine-digit hexadecimal number as an extension. A ransom note is dropped on the compromised systems, usually on the desktop.
“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.” reads the joint advisory.
The US agencies recommend not paying the ransom because there is no guarantee to recover the encrypted files and paying the ransomware will encourage the illegal practice of extortion.
The alert also included Indicators of Compromise (IOC) along with MITRE ATT&CK TECHNIQUES for this threat.
The FBI also encourages organizations to report any interactions with Zeppelin operators, including logs, Bitcoin wallet information, encrypted file samples, and decryptor files.
To mitigate the risks of ransomware attacks, organizations are recommended to define a recovery plan, implement multi-factor authentication, keep all operating systems, software, and firmware up to date, enforce a strong passwords policy, segment networks, disable unused ports and services, audit user accounts and domain controllers, implement a least-privilege access policy, review domain controllers, servers, workstations, and active directories, maintain offline backups of data, and identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file” concludes the alert.
Russian hacker group Killnet claims to have launched a DDoS attack on the aerospace and defense giant Lockheed Martin.
The Moscow Times first reported that the Pro-Russia hacker group Killnet is claiming responsibility for a recent DDoS attack that hit the aerospace and defense giant Lockheed Martin.
The Killnet group also claims to have stolen data from a Lockheed Martin employee and threatened to share it.
The group has been active since March, it launched DDoS attacks against governments that expressed support to Ukraine, including Italy, Romania, Moldova, the Czech Republic, Lithuania, Norway, and Latvia.
In a video shared by the group on Telegram, the group claimed to have stolen the personal information of the Lockheed Martin employees, including names, email addresses, phone numbers, and pictures.
The group also shared two spreadsheets containing a message in Russian:
“If you have nothing to do, you can email Lockheed Martin Terrorists – photos and videos of the consequences of their manufactured weapons! Let them realize what they create and what they contribute to.” (Tanslated with Google).
At this time it is impossible to determine the real source of these data. Lockheed Martin is aware of the Killnet claims, but it did not comment on them.
Researchers discovered a flaw in three signed third-party UEFI boot loaders that allow bypass of the UEFI Secure Boot feature.
Researchers from hardware security firm Eclypsium have discovered a vulnerability in three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders that can be exploited to bypass the UEFI Secure Boot feature.
Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system specification.”
According to the experts, these three new bootloader vulnerabilities affect most of the devices released over the past 10 years, including x86-64 and ARM-based devices.
“These vulnerabilities could be used by an attacker to easily evade Secure Boot protections and compromise the integrity of the boot process; enabling the attacker to modify the operating system as it loads, install backdoors, and disable operating system security controls.” reads the post published by the experts. “Much like our previous GRUB2 BootHole research, these new vulnerable bootloaders are signed by the Microsoft UEFI Third Party Certificate Authority. By default, this CA is trusted by virtually all traditional Windows and Linux-based systems such as laptops, desktops, servers, tablets, and all-in-one systems.”
Experts pointed out that these bootloaders are signed by the Microsoft UEFI Third Party Certificate Authority, the good news is that the IT giant has already addressed this flaw with the release of Patch Tuesday security updates for August 2020.
The flaws identified by the experts have been rated as:
CVE-2022-34301 – Eurosoft (UK) Ltd
CVE-2022-34302 – New Horizon Datasys Inc
CVE-2022-34303 – CryptoPro Secure Disk for BitLocker
The two CVE-2022-34301 and CVE-2022-34303 are similar in the way they involve signed UEFI shells, the first one the signed shell is esdiags.efi while for the third one (CryptoPro Secure Disk), the shell is Shell_Full.efi.
Threat actors can abuse built-in capabilities such as the ability to read and write to memory, list handles, and map memory, to allow the shell to evade Secure Boot. The experts warn that the exploitation could be easily automated using startup scripts, for this reason, it is likely that threat actors will attempt to exploit it in the wild.
“Exploiting these vulnerabilities requires an attacker to have elevated privileges (Administrator on Windows or root on Linux). However, local privilege escalation is a common problem on both platforms. In particular, Microsoft does not consider UAC-bypass a defendable security boundary and often does not fix reported bypasses, so there are many mechanisms in Windows that can be used to elevate privileges from a non-privileged user to Administrator.” continues the post.
The exploitation of the New Horizon Datasys vulnerability (CVE-2022-34302) is more stealthy, system owners cannot detect the exploitation. The bootloader contains a built-in bypass for Secure Boot that can be exploited to disable the Secure Boot checks while maintaining the Secure Boot on.
“This bypass can further enable even more complex evasions such as disabling security handlers. In this case, an attacker would not need scripting commands, and could directly run arbitrary unsigned code. The simplicity of exploitation makes it highly likely that adversaries will attempt to exploit this particular vulnerability in the wild.” continues the post.
Experts highlighters that the exploitation of these vulnerabilities requires an attacker to have administrator privileges, which can be achieved in different ways.
“Much like BootHole, these vulnerabilities highlight the challenges of ensuring the boot integrity of devices that rely on a complex supply chain of vendors and code working together,” the post concludes. “these issues highlight how simple vulnerabilities in third-party code can undermine the entire process.”
The U.S. State Department announced a $10 million reward for information related to five individuals associated with the Conti ransomware gang.
The U.S. State Department announced a $10 million reward for information on five prominent members of the Conti ransomware gang. The government will also reward people that will provide details about Conti and its affiliated groups TrickBot and Wizard Spider.
The reward is covered by the Rewards of Justice program operated by the a U.S. Department of State which offers rewards for information related to threats to homeland security.
According to Wired, which first reported the announcement, the State Department is looking for the members’ physical locations and vacation and travel plans.
This is the first time that the U.S. Government shows the face of a Conti associate, referred to as “Target.”
“Today marks the first time that the US government has publicly identified a Conti operative,” says a State Department official who asked not to be named and did not provide any more information about Target’s identity beyond the picture. “That photo is the first time the US government has ever identified a malicious actor associated with Conti,”
The other members of the Conti gang for which the US Government is offering a reward are referred to as “Tramp,” “Dandis,” “Professor,” and “Reshaev.”
CVE-2022-27925 (CVSS score: 7.2) – Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability: Zimbra Collaboration (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerability was chained with CVE-2022-37042 which allows for unauthenticated remote code execution.
CVE-2022-37042 – Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability: Zimbra Collaboration (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated remote code execution.
CISA orders federal agencies to fix both issues by August 25, 2022.
The vendor has already released security updates to address both vulnerabilities.
Cybersecurity firm Volexity described confirmed that the flaw is actively exploited in attacks in the wild.
In July and early August 2022, the company worked on multiple incidents where the organizations had their Zimbra Collaboration Suite (ZCS) email servers compromised. Volexity discovered that threat actors have exploited the CVE-2022-27925 remote-code-execution (RCE) vulnerability in these attacks.
The flaw was patched in March 2022, since the release of security fixes, it was reasonable that threat actors performed reverse engineering of them and developed an exploit code.
“As each investigation progressed, Volexity found signs of remote exploitation but no evidence the attackers had the prerequisite authenticated administrative sessions needed to exploit it. Further, in most cases, Volexity believed it extremely unlikely the remote attackers would have been able to obtain administrative credentials on the victims’ ZCS email servers.” reads the advisory published by Volexity.
“As a result of the above findings, Volexity initiated more research into determining a means to exploit CVE-2022-27925, and if it was possible to do so without an authenticated administrative session. Subsequent testing by Volexity determined it was possible to bypass authentication when accessing the same endpoint (mboximport) used by CVE-2022-27925. This meant that CVE-2022-27925 could be exploited without valid administrative credentials, thus making the vulnerability significantly more critical in severity.” reads the post published by Volexity.
Volexity researchers scanned the Internet for compromised Zimbra instances belonging to non-Volexity customers. The security firm identified over 1,000 ZCS instances around the world that were backdoored and compromised. The compromised ZCS installs belongs to a variety of global organizations, including government departments and ministries, military branches, worldwide billionaire businesses, and a significant number of small businesses.
The countries with the most compromised instances include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland.
“CVE-2022-27925 was originally listed as an RCE exploit requiring authentication. When combined with a separate bug, however, it became an unauthenticated RCE exploit that made remote exploitation trivial. Some organizations may prioritize patching based on the severity of security issues. In this case, the vulnerability was listed as medium—not high or critical—which may have led some organizations to postpone patching.” concludes the post.
A few days ago, CISA added a recently disclosed flaw in the Zimbra email suite, tracked as CVE-2022-27924, to its Known Exploited Vulnerabilities Catalog.
In middle June, researchers from Sonarsource discovered the high-severity vulnerability impacting the Zimbra email suite, tracked as CVE-2022-27924 (CVSS score: 7.5). It can be exploited by an unauthenticated attacker to steal login credentials of users without user interaction.
The Conti ransomware gang is using BazarCall phishing attacks as an initial attack vector to access targeted networks.
BazarCall attack, aka call back phishing, is an attack vector that utilizes targeted phishing methodology and was first used by the Ryuk ransomware gang in 2020/2021.
The BazarCall attack chain is composed of the following stages:
Stage One. Attackers send a mail to the victims that notify them that they have subscribed to a service for which payment is automatic. The email includes a phone number to call to cancel the subscription.
Stage Two. The victim is tricked into contacting a special call center. When operators receive a call, they use a variety of social engineering tactics, to convince victims to give remote desktop control, to help them cancel their subscription service.
Stage Three. Once accessed the victim’s desktop, the attacker silently extended a foothold in the user’s network, weaponizing legitimate tools that are known to be in Conti’s arsenal. The initial operator remains on the line with the victim, pretending to assist them with the remote desktop access by continuing to utilize social engineering tactics.
Stage Four. The initiated malware session yields the adversary access as an initial point of entry into the victim’s network.
The researchers at cybersecurity firm AdbIntel state that currently at least three autonomous threat groups are adopting and independently developing their own targeted phishing tactics derived from the call back phishing methodology. The three groups are tracked as Silent Ransom, Quantum, and Roy/Zeon, they emerged after the Conti gang opted to shut down its operation in May 2022.
In March 2022, formed members of the Conti, who were experts in call back phishing attacks, created “Silent Ransom” when it became an autonomous group.
Silent Ransom’s previous bosses, tracked as Conti Team Two, who were the main Conti subdivision, rebranded as Quantum and launched their own version of call back phishing campaigns. On June 13, 2022, AdvIntel researchers uncovered a massive operation called “Jörmungandr”.
The third iteration of the BazarCall group was observed in late June 20 and goes by the name of Roy/Zeon. The group is composed of old-Guard members of Conti’s “Team One,” which created the Ryuk operation. This group has the advanced social engineering capabilities of the three groups.
It involved large investments into hiring spammers, OSINT specialists, designers, call center operators, and expanding the number of network intruders. As a highly skilled (and most likely government-affiliated) group, Quantum was able to purchase exclusive email datasets and manually parse them to identify relevant employees at high-profile companies.
The adoption of Callback phishing campaigns has impacted the strategy of ransomware gangs, experts observed targeted attacks aimed at Finance, Technology, Legal, and Insurance industries. The industries are considered privileged targets in almost all internal manuals, which were shared between ex-Conti members.
“Since its resurgence in March earlier this year, call back phishing has entirely revolutionized the current threat landscape and forced its threat actors to reevaluate and update their methodologies of attack in order to stay on top of the new ransomware food chain.” concludes the report published by Advintel. “Although the first to begin using this TTP as its primary initial attack vector, Silent Ransom is no longer the only threat group utilizing the highly specified phishing operations that they pioneered. Other threat groups, seeing the success, efficiency, and targeting capabilities of the tactic have begun using reversed phishing campaign as a base and developing the attack vector into their own.”
Palo Alto Networks devices running the PAN-OS are abused to launch reflected amplification denial-of-service (DoS) attacks.
Threat actors are exploiting a vulnerability, tracked as CVE-2022-0028 (CVSS score of 8.6), in Palo Alto Networks devices running the PAN-OS to launch reflected amplification denial-of-service (DoS) attacks.
The vendor has learned that firewalls from multiple vendors are abused to conduct distributed denial-of-service (DDoS) attacks, but it did not disclose the name of the impacted companies.
“Palo Alto Networks recently learned that an attempted reflected denial-of-service (RDoS) attack was identified by a service provider. This attempted attack took advantage of susceptible firewalls from multiple vendors, including Palo Alto Networks. We immediately started to root cause and remediate this issue.” reads the advisory published by Palo Alto Networks. “Exploitation of this issue does not impact the confidentiality, integrity, or availability of our products.
The root cause of the issue affecting the Palo Alto Network devices is a misconfiguration in the PAN-OS URL filtering policy that allows a network-based attacker to conduct reflected and amplified TCP DoS attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against a target chosen by the attackers.
The issue could be exploited if the firewall configuration has a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface.
The flaw can be mitigated by removing the URL filtering policy, the company also recommends enabling only one security feature between packet-based attack protection and flood protection on their Palo Alto.
If exploited, this flaw would not impact the confidentiality, integrity, or availability of Palo Alto Networks products. However, the company pointed out that the resulting denial-of-service (DoS) attack may allow threat actors to hide their identity and implicate the firewall as the source of the attack.
Below is the Product Status shared by the vendor:
>= 10.2.2-h2 (ETA: week of August 15, 2022)
>= 10.0.11-h1 (ETA: week of August 15, 2022)
>= 9.1.14-h4 (ETA: week of August 15, 2022)
>= 9.0.16-h3 (ETA: week of August 15, 2022)
>= 8.1.23-h1 (ETA: August 15, 2022)
Prisma Access 3.1
Prisma Access 3.0
Prisma Access 2.2
Prisma Access 2.1
The US Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory to warn of this vulnerability.
“Palo Alto Networks has released a security update to address a vulnerability in PAN-OS firewall configurations. A remote attacker could exploit this vulnerability to conduct a reflected denial-of service,” reads the advisory published by CISA.
A former Twitter employee was found guilty of spying on certain Twitter users for Saudi Arabia.
A former Twitter employee, Ahmad Abouammo (44), was found guilty of gathering private information of certain Twitter users and passing them to Saudi Arabia.
“Ahmad Abouammo, a US resident born in Egypt, was found guilty by a jury Tuesday of charges including acting as an agent for Saudi Arabia, money laundering, conspiracy to commit wire fraud and falsifying records, following a two-week trial in San Francisco federal court.” reported Bloomberg.
The man faces from 10 up to 20 years in prison when he’s sentenced.
In November 2019, the former Twitter employees Abouammo and the Saudi citizen Ali Alzabarah have been charged with spying on thousands of Twitter user accounts on behalf of the Saudi Arabian government. The two former Twitter employees operated for the Saudi Arabian government with the intent of unmasking dissidents using the social network.
Representatives of the Saudi Arabian government recruited the duo in 2014, their mission was to gather non-public information of Twitter accounts associated with known prominent critics of the Kingdom of Saudi Arabia and the Royal Family.
Abouammo and Alzabarah had unauthorized access to information associated with some profiles, including email addresses, devices used, user-provided biographical information, birth dates, logs that contained the user’s browser information, a log of all of a particular user’s actions on the Twitter platform at any given time, and other info that can be used to geo-locate a user such as IP addresses and phone numbers.
According to the indictment, Alzabarah joined Twitter in August 2013 as a “site reliability engineer,” he worked with the Saudi officials between May 21 and November 18, 2015. He is accused of allegedly spied on more than 6,000 Twitter accounts, including tens of users for which Saudi Arabian law enforcement had submitted emergency disclosure requests to Twitter.
Abouammo was charged with acting as a foreign agent on US soil, it also provided falsified records to feds to interfere with their investigation.
The man also deleted certain information from the social media platform and in some cases, he shut down Twitter accounts at the request of Saudi government officials. Of course, he was also able to unmask the identities of some users on behalf of the Saudi Arabian Government.
Saudi officials paid up to $300,000 to Abouammo for his work, the indictment explained that it was possible by masquerading the payments with faked invoices. The document also states that the man received a Hublot Unico Big Bang King Gold Ceramic watch.
According to an indictment, Abouammo lied to FBI agents saying the watch was a replica costing $500 and that the last $100,000 wire from Al-Asaker was for legitimate freelance consulting work.
US DoJ Department of Justice has also charged the Saudi national Ahmed al Mutairi, also known as Ahmed ALJBREEN, who directed a Saudi Saudi social media marketing company with ties to the royal family.
Ahmed al Mutairi, was acting as an intermediary between the two former Twitter employees and the officials of the Saudi Arabian Government.
Abouammo was arrested by the FBI in November 2019 in Seattle
Cisco addressed a high severity flaw, tracked as CVE-2022-20866, affecting Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
Cisco addressed a high severity vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
The flaw, tracked as CVE-2022-20866, impacts the handling of RSA keys on devices running Cisco ASA Software and FTD Software, an unauthenticated, remote attacker can trigger it to retrieve an RSA private key. Once obtained the key, the attackers can impersonate a device that is running ASA/FTD Software or to decrypt the device traffic.
“This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key.” reads the advisory published by the IT giant.
The advisory states that the following conditions may be observed on an affected device:
This issue will impact approximately 5 percent of the RSA keys on a device that is running a vulnerable release of ASA Software or FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key.
The RSA key could be valid but have specific characteristics that make it vulnerable to the potential leak of the RSA private key.
The RSA key could be malformed and invalid. A malformed RSA key is not functional, and a TLS client connection to a device that is running Cisco ASA Software or Cisco FTD Software that uses the malformed RSA key will result in a TLS signature failure, which means a vulnerable software release created an invalid RSA signature that failed verification. If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic.
The flaw impacts products running vulnerable Cisco ASA (9.16.1 and later) or Cisco FTD (7.0.0 and later) software that perform hardware-based cryptographic functions:
ASA 5506-X with FirePOWER Services
ASA 5506H-X with FirePOWER Services
ASA 5506W-X with FirePOWER Services
ASA 5508-X with FirePOWER Services
ASA 5516-X with FirePOWER Services
Firepower 1000 Series Next-Generation Firewall
Firepower 2100 Series Security Appliances
Firepower 4100 Series Security Appliances
Firepower 9300 Series Security Appliances
Secure Firewall 3100
Cisco recommends administrators of ASA/FTD devices to remove malformed or susceptible RSA keys and possibly revoke any certificates associated with those RSA keys, because it is possible that the RSA private key has been leaked to a malicious actor.
The flaw was reported by Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder.
Cisco has credited Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder for reporting the security flaw.
The Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting this issue.
Cisco discloses a security breach, the Yanluowang ransomware group breached its corporate network in late May and stole internal data.
Cisco disclosed a security breach, the Yanluowang ransomware group breached its corporate network in late May and stole internal data.
The investigation conducted by Cisco Security Incident Response (CSIRT) and Cisco Talos revealed that threat actors compromised a Cisco employee’s credentials after they gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
Once obtained the credentials, the attackers launched voice phishing attacks in an attempt to trick the victim into accepting the MFA push notification started by the attacker.
Upon achieving an MFA push acceptance, the attacker had access to the VPN in the context of the targeted user.
“Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account.” reads the analysis published by Cisco Talos. “After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.”
The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.
According to Talos, once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. Then the threat actors escalated to administrative privileges before logging into multiple systems. The attackers were able to drop multiple tools in the target network, including remote access tools like LogMeIn and TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket.
Talos researchers added that the attackers were not able to steal sensitive data from the IT giant.
“We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account. The data obtained by the adversary in this case was not sensitive.” continues the analysis.
Cisco said that the Yanluowang gang did not deploy any ransomware on its network during the attack.
The Yanluowang ransomware group is attempting to extort the company and published a list of files stolen from the company threatening to leak all stolen data if Cisco will not pay the ransom.
Cisco said that the Yanluowang gang did not deploy any ransomware on its network during the attack.
“While we did not observe ransomware deployment in this attack, the TTPs used were consistent with “pre-ransomware activity,” activity commonly observed leading up to the deployment of ransomware in victim environments. Many of the TTPs observed are consistent with activity observed by CTIR during previous engagements.” Talos experts conclude. “Our analysis also suggests reuse of server-side infrastructure associated with these previous engagements as well. In previous engagements, we also did not observe deployment of ransomware in the victim environments.”
70% of Large enterprises that previously addressed the Log4j flaw are still struggling to patch Log4j-vulnerable assets.
In December 2021 security teams scrambled to find Log4j-vulnerable assets and patch them. Eight months later many Global 2000 firms are still fighting to mitigate the digital assets and business risks associated with Log4j. The ease of Log4j vulnerability exploitation coupled with the critical nature of the bug, which allows attackers to run arbitrary code inside cloud and company networks, is driving a business-risk imperative to find vulnerable assets and patch them fast.
An examination by CyCognito of large enterprise external attack surfaces found 70% of firms that previously addressed Log4j in their attack surface are still struggling to patch Log4j-vulnerable assets and prevent new instances of Log4j from resurfacing within their IT stack.
Our research highlights business continuity risks such as digital asset sprawl, subsidiary risk and the importance of reducing the time it takes to identify a vulnerable Log4j asset and patch it.
Log4j: Analysis of Current and Lasting Legacy
On Dec. 9, 2021 the Log4j critical vulnerability (CVE-2021-44228) was first identified and was assigned a severity rating of 10 out of 10. It is a remote code execution class flaw found in the Apache Log4j library (part of the Apache Logging Project). This Log4j vulnerability is considered extremely dangerous because it is easy to exploit and soon after its discovery a public proof-of-concept became available.
Eight months later, Log4j has proven to be one of the worst vulnerabilities of the last few years, if not decade.
A July report (PDF) by the U.S. Department of Homeland Security stated: “The Log4j event is not over. Log4j remains deeply embedded in systems, and even within the short period available for our review, community stakeholders have identified new compromises, new threat actors, and new learnings.”
Our exclusive analysis of Log4j examines the external attack surfaces of three dozen Global 2000 companies, securely protected by CyCognito solutions. This report underscores the Log4j cybersecurity risks facing non-CyCognito customers and the at large cybersecurity community.
Incidents of vulnerable Log4j assets discovered by the CyCognito platform are based on simulated adversarial scans of exposed assets in the wild. These instances of Log4j (now mitigated) represented briefly exposed assets that, if overlooked, could have allowed an attacker access to the cloud or on-premises assets and networks of these organizations.
Top Log4j Takeaways for July 2022:
Instances of Log4j-vulnerable assets are growing, not shrinking within a subset of companies examined.
Some firms are seeing a doubling of Log4j-vulnerable digital assets within their external attack surface – not a decrease.
Only 30% of firms with at least one past Log4j issue had no Log4j-vulnerable assets at the time of our analysis.
Of those exposed Log4j-vulnerable assets, the most common were web applications.
Drilling Down on Data Points
Growing not Shrinking: After eradicating an external attack surface of Log4j-vulnerable digital assets, new instances of Log4j-vulnerable systems have come back online.
Of those firms with at least one Log4j vulnerability discovered in January 2022, 62% continued to report one or more Log4j-vulnerable assets exposed in July. Research did not indicate whether those were new or existing exposures.
Of the firms that did have an exposed asset in July, 38% experienced a gain of one or more Log4j-vulnerable assets. Data indicates that, for many companies, instances of new Log4j exposed assets remains a growing problem.
Double the Log4j Trouble: An examination of organizations revealed 21% of those with vulnerable assets in July experienced a triple-digit percentage growth in the number of exposed Log4j-vulnerable assets compared to January.
While the initial number of vulnerable assets were small within each organization examined, over a half-dozen are seeing a steady increase in the number of Log4j-vulnerable assets. One firm, with seven exposed assets in February of 2022 had 39 exposed assets in July.
Success Rates Rare: The number of organizations that experienced a drop in vulnerable assets was 38%. In each of those instances, CyCognito found zero instances of Log4J in their internet exposed attack surface in July.
Thirty-four percent of those firms with over one vulnerable asset in January had the same number of assets exposed in July.
Web App Worries: Breaking down the numbers even more, data reveals those firms with vulnerable assets had a greater number of web applications vulnerable to a Log4j exploit versus other types of systems.
This is concerning given web apps are high risk for business and their users alike because they often access or contain sensitive financial, confidential, or personally identifiable information.
Why Businesses are Struggling to Quash Log4j
A CyCognito analysis of why companies are struggling to squelch Log4j vulnerabilities once and for all are multifold.
First, organizations have underestimated the deep-rooted prevalence of Log4j software, and software vendors have not yet rid their products of the vulnerable Log4j code. The battle to mitigate Log4j-vulnerable assets is exacerbated by new instances of exploitable Log4j being introduced to an attack surface.
Further driving this trend is attack surface sprawl, subsidiary and business-unit risk, mergers and acquisitions (M&A) and a lag in the time to remediate vulnerabilities (known as mean-time-to-remediate, or MTTR).
CyCognito found that among Global 2000 companies, M&A activity is growing or shrinking an organization’s attack surface by 5.5% each month (PDF). Organizations were initially unaware of 10-to-30% of their subsidiaries, according to separate CyCognito research published in June.
The global consultancy Bain & Company reports that M&A activity in 2022 is likely to reach US$4.7 trillion in deal value, making it the second-largest year on record. That kind of business change combined with emergent risks and poor IT ecosystem visibility make it extremely difficult for security and IT managers to have a 360-degree view of their entire external attack surface. This increases the odds of security gaps in their attack surface going unseen, opening them up to dangerous and preventable risks such as Log4j.
Why a Focus on Risk, Versus Vulnerability, is Paramount to Log4j Exposures
Trends in the growth of external attack surface sprawl are making it harder for security teams to reduce the mean time to remediate vulnerabilities – including Log4j.
In June 2021, the average time to fix a high-risk application vulnerability was estimated at 246 days (8.2 months), soaring from 194 days (6.5 months) at the start of that year, according to a study from Synopsys.
A CyCognito-sponsored research report by Informa Tech found security teams are suffering from cybersecurity debt issues. That’s when new cybersecurity issues outpace a security teams’ ability to mitigate existing ones.
Compounding the problem is inadequate and incomplete security scanning of external attack surfaces for vulnerabilities and other risks. CyCognito found competing discovery tools can leave between 10-to-50% of digital assets undiscovered and therefore untested and ignored.
Informa Tech found the majority of security teams only have the bandwidth to remediate about 50 vulnerabilities in an average month. Considering the deluge of new vulnerabilities discovered each month, current remediation rates are insufficient to keep pace with high and critical risk vulnerabilities such as Log4j issues.
That’s why CyCognito advocates a business-risk-first management approach to cybersecurity that focuses on identifying and addressing the most urgent risks (such as Log4j) immediately within an attack surface.
If you want to have info on how CyCognito can help organizations find and remediate Log4j business risks with its unmatched ability to continuously discover the external attack surfaces of its customers give a look at the original analysis of the company:
10 packages have been removed from the Python Package Index (PyPI) because they were found harvesting data.
Check Point researchers have discovered ten malicious packages on the Python Package Index (PyPI). The packages install info-stealers that allow threat actors to steal the private data and personal credentials of the developers.
The researchers provide details about the malicious packages:
Ascii2text is a malicious package that mimics the popular art package by name and description. The code on the __init__.py file downloads and executes a malicious script that searches for local passwords and uploads them using a discord web hook.
WINRPCexploit a malicious package that steals users’ credentials as part of its setup.py installation script.
Browserdiv is able to steal the installers credentials by collecting and sending them to a predefined discord webhook.
Unfortunately, in recent months, many other malicious packages have been found on the official PyPI repository.
In June 2022, Sonatype researchers discovered multiple Python packages in the official PyPI repository that have been developed to steal secrets (i.e. AWS credentials and environment variables) and also upload these to a publicly exposed endpoint.
In November 2021, JFrog researchers discovered 11 malicious Python packages in the Python Package Index (PyPI) repository that can steal Discord access tokens, passwords, and even carry out dependency confusion attacks.
“Supply chain attacks are designed to exploit trust relationships between an organization and external parties. These relationships could include partnerships, vendor relationships, or the use of third-party software. Cyber threat actors will compromise one organization and then move up the supply chain, taking advantage of these trusted relationships to gain access to other organizations’ environments.” concludes the report. “Such attacks became more frequent and grew in impact in recent years, therefore it is essential developers make sure are keeping their actions safe, double checking every software ingredient in use and especially such that are being downloaded from different repositories, especially ones which were not self-created.”
“Yesterday, August 8, 2022, Twilio shared that they’d been compromised by a targeted phishing attack. Around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees.” reads the announcement published by Cloudflare. “While individual employees did fall for the phishing messages, we were able to thwart the attack through our own use of Cloudflare One products, and physical security keys issued to every employee that are required to access all our applications.”
The experts believe that this is a sophisticated attack targeting employees and systems of multiple organizations,
On July 20, 2022, the company received reports of employees receiving text messages containing links to what appeared to be a Cloudflare Okta login page. The company uses Okta as its identity provider and messages include a link to a phishing page that was designed to look identical to a legitimate Okta login page. The attackers sent the messages to at least 76 employees in less than 1 minute, but the company security team was not able to determine how the threat actors obtained the list of employees’ phone numbers.
“They came from four phone numbers associated with T-Mobile-issued SIM cards: (754) 268-9387, (205) 946-7573, (754) 364-6683 and (561) 524-5989. They pointed to an official-looking domain: cloudflare-okta.com.” continues the report. “That domain had been registered via Porkbun, a domain registrar, at 2022-07-20 22:13:04 UTC — less than 40 minutes before the phishing campaign began.”
Once the recipient of the message has provided his credentials through the phishing page, the credentials were immediately sent to the attacker via the messaging service Telegram. Experts states that the real-time relay was crucial for the attackers because the phishing page would also prompt for a Time-based One Time Password (TOTP) code. Once obtained this info the attackers can access the victim company’s actual login page.
According to Cloudflare, only three employees fell for the phishing message and entered their credentials. However, the company does not use TOTP codes, instead, its employees use a FIDO2-compliant security YubiKey key. This means that without the hardware key, attackers cannot access the company systems even knowing the credentials.
Researchers also discovered that in some cases the phishing page was used to deliver the malicious payloads, including AnyDesk’s remote access software. The software would allow an attacker to control the victim’s machine remotely.
“We confirmed that none of our team members got to this step. If they had, however, our endpoint security would have stopped the installation of the remote access software.” concludes Cloudflare.