Cybercriminals are using advanced techniques to target executives with mobile-specific phishing attacks.

****KEY SUMMARY POINTS****

*   **Targeted Attacks:** Sophisticated spear phishing campaigns are increasingly targeting corporate executives via mobile devices, using social engineering tactics.

*   **Exploitation of Trust:** Attackers mimic legitimate services like DocuSign and Google, leveraging urgency and credibility to deceive victims.

*   **Advanced Techniques:** Campaigns use CAPTCHAs, mobile-specific fake login pages, and compromised domains to bypass detection mechanisms.

*   **Infrastructure Abuse:** Attackers utilize platforms like Cloudflare for SSL encryption and DDoS protection, complicating detection efforts.

*   **Proactive Defense:** Regular employee training, advanced mobile device management (MDM) solutions, and automated incident response platforms are critical to mitigating these threats.

Mobile devices have become a prime target for sophisticated phishing attacks, particularly those aimed at corporate executives. These targeted attacks, known as spear phishing, leverage social engineering tactics to steal valuable credentials and gain access to sensitive information.

The Phishing and Data Analytics Team at Zimperium uncovered a recent spear phishing campaign targeting executives. The attack involves using a mimicked legitimate DocuSign document requiring immediate review, a common tactic that exploits urgency and authority.

Spear phishing is a popular attack vector against corporate executives, compromising high-value credentials that grant access to sensitive data and systems. The attack begins with a seemingly innocent link disguised as a DocuSign document. The link used a legitimate domain (clickmethryvcom) to mask its origin, and once clicked initiates a series of redirects. First, it redirects to a compromised university website, leveraging its credibility to bypass detection. 

Screenshot of the DocuSign phishing email and the university’s landing page (Via Zimperium)

Researchers noted that attackers have used CAPTCHAs to prevent automated detection and implemented mobile-specific targeting. Moreover, if the link is accessed via a mobile device, the attack presents a fake Google sign-in page to steal credentials whereas desktops are redirected to legitimate Google sites. Another observation is that the phishing site (diitalwaveru) and its SSL certificate were created just days before the attack, highlighting the attackers’ focus on rapid deployment.

Further probing as per Zimperium’s blog post, revealed that the attackers had utilized Cloudflare’s infrastructure for DDoS protection, SSL encryption, and fast content delivery, making it harder to detect. And, in addition to email-based attacks, the campaign also used PDF documents containing embedded phishing URLs. These PDFs mimicked legitimate DocuSign workflows, bypassing traditional URL scanning and exploiting trust in business documents.

The incident highlights the evolving nature of mobile phishing attacks, with attackers investing heavily in infrastructure to bypass security controls, targeting mobile devices often overlooked in security strategies, and exploiting compromised domains for credibility. 

Therefore, it has become essential to conduct regular security awareness training programs to educate employees about the latest phishing tactics and best practices for identifying and avoiding such attacks. Organizations must also deploy advanced Mobile Device Management (MDM) solutions to enforce security policies, such as password complexity, screen lock timeouts, and remote wipe capabilities.

Mika Aalto, Co-Founder and CEO at Hoxhunt weighed in on the situation emphasizing the importance of proactive training for employees and management to identify and report phishing attacks, as technical tools alone may not catch all threats.

_“_The most important thing that companies can do is to shift left and equip senior management and employees with the skills and tools to recognize and safely report a mobile phishing (mishing) attack. We can hope that technical filters and endpoint detection and response technologies quickly develop to be able to pick up these highly obfuscated, native code-based Malware attacks and pinpoint irregular signals and traffic,_“_ said Mika.

_“_Ultimately, it comes down to people. Attackers will launch a complex attack with what might just be a simple phishing message. It’s up to people to be able to listen to that little voice in their head that is telling them that something is wrong and report suspicious messages as a matter of habit. From there, you want to have a platform that will automatically categorize and escalate their reports to the SOC for accelerated response,_“_ he explained.

1.  99% of UAE’s .ae Domains Exposed to Phishing and Spoofing
2.  Scammers Exploit Fake Domains in Dubai Police Phishing Scams
3.  Ongoing Phishing Attack Targets Employees Across 12 Industries
4.  Rockstar 2FA Phishing-as-a-Service Kit Hits Microsoft 365 Accounts
5.  Xiū gǒu Phishing Kit Hits UK, US, Japan, Australia Across Key Sectors

New Mobile Phishing Targets Executives with Fake DocuSign Links

This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about  malicious Windows drivers.

Exploring vulnerable Windows drivers

Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.

Source: Ascannio via Alamy Stock Photo

A full 20,000 employees of European manufacturing companies have been targeted by a phishing campaign.

According to Palo Alto Networks' Unit 42, the activity peaked in June and survived until at least September. The cyberattackers targeted automotive, chemical, and industrial compound manufacturing companies, primarily in Western European countries like the UK, France, and Germany.

The attackers' goal was to lure employees into divulging credentials to their Microsoft accounts, particularly in order to gain access to their enterprise Azure cloud environments.

**DocuSign, HubSpot & Outlook Phishing**

The infection chain began either with an embedded HTML link or a DocuSign-enabled PDF file named after the targeted company (e.g., darkreading.pdf). In either case, the lure funneled victims to one of 17 HubSpot Free Forms. Free Forms are HubSpot's customizable online forms for gathering information from website visitors.

The forms were not actually used to gather any information from victims. They were bare, and clearly written by a non-native speaker. "Are your \[sic\] Authorized to view and download sensitive Company Document sent to Your Work Email?" they asked, with a button to view the purportedly sensitive document in "Microsoft Secured Cloud."

Related:CISA Directs Federal Agencies to Secure Cloud Environments

Those who fell for this step were redirected to another page, mimicking a Microsoft Outlook Web App (OWA) login page. These pages — hosted on robust, anonymous bulletproof virtual private servers (VPS) — incorporated their targets' brand names, with the top-level domain (TLD) ".buzz" (as in www.darkreading.buzz). Victims' Microsoft credentials were harvested here.

With stolen accounts in hand, the threat actor set about burrowing into targets' enterprise cloud environments. The next important step to that end involved registering their own device to victims' accounts. Doing so allowed them to log in thereafter as an authenticated user, and thus avoid triggering security alerts. They enhanced their disguise further by connecting through VPN proxies located in the same country as their target.

Registering a device also provided a point of persistence against any attempts to unseat the attacker. In one case Unit 42 observed, for example, an IT team was stymied as soon as they tried to regain control of a stolen account. Seeing that they might be booted, the attacker initiated a password reset, knowing that the link to do so would be sent to them. A "tug-of-war scenario" ensued, Unit 42 reported, triggering several more security alerts along the way until the matter was resolved.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

**Cyberattackers Broaden their Horizons to the Cloud**

The volume of compromised users and organizations in this campaign is unknown, though likely low. As Nathaniel Quist, senior threat researcher at Unit 42, points out, "since this operation equates to a double breach event, as the phishing email must be opened, then an additional operation of successfully requesting Azure credentials needed to occur. We suspect that an even smaller number of victims would have also provided the cloud credentials. For example, not every victim would also be using Azure infrastructure for their cloud operations."

What's clearer is what would have happened to those organizations that were breached. With account credentials and a point of persistence, the attackers would have embedded themselves deeper into enterprise cloud environments, "by either escalating their access to create, modify, or delete cloud resources by attaching more privileged \[identity and access management\] policies, or they would have moved laterally within the cloud environment toward storage containers that the victim IAM account may have had access to," Quist says.

Though at first glance it might appear a fairly standard phishing operation, Quist says, it also reflects something broader about cyberattack trends lately — a gradual move toward broader, more ambitious cloud attacks.

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

"From my view, we are starting to see a growing trend of phishing operations that are not establishing a malware-focused beachhead on the victim system, but instead are targeting the user's access credentials to either cloud platforms, like Azure in this case, or SaaS platforms," he says. "The victim endpoint is only the initial access into the larger cloud platform it is connected to."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Manufacturers Lose Azure Creds to HubSpot Phishing Attack

KEY SUMMARY POINTS Cybersecurity researchers Dr. Web have uncovered a new and active Linux malware campaign aimed at…

****KEY SUMMARY POINTS****

*   **New Linux Malware Campaign**: Cybersecurity researchers identified an active Linux malware campaign leveraging eBPF technology and targeting businesses and users globally.

*   **eBPF Exploitation**: Hackers are abusing eBPF’s low-level capabilities to hide activities, gather data, and bypass security measures, making detection challenging.

*   **Trojan Deployment**: Attackers use eBPF rootkits to conceal their presence and drop remote access Trojans capable of tunnelling traffic and maintaining communication within private networks.

*   **Public Platforms for Command Control**: Instead of private servers, malware configurations are stored on public platforms like GitHub and blogs, disguising malicious activity as legitimate.

*   **Rising eBPF Malware**: The use of eBPF-based malware, including families like Boopkit and BPFDoor, is increasing, with over 100 new vulnerabilities discovered in 2024 alone.

Cybersecurity researchers Dr. Web have uncovered a new and active Linux malware campaign aimed at businesses and users in Southeast Asia. The discovery came during an investigation into a malware attack reported by one of their clients.

The investigation began when a client approached Dr. Web with concerns about a possible compromise in their computer infrastructure. Upon analyzing the client’s data, Dr. Web identified multiple similar cases, indicating a large-scale and active campaign. Despite the initial uncertainty about how the attackers gained access, the researchers successfully tracked the initial stages of the attack.

****Exploiting eBPF Technology****

Researchers found that hackers have been abusing eBPF (extended Berkeley Packet Filter) technology in their attacks. For your information, eBPF is originally designed to provide better control over the Linux operating system’s network functions.

What’s noteworthy is the growing attention around eBPF, especially after August 2021, when tech giants like Google, Isovalent, Meta, Microsoft, and Netflix collaborated to establish the eBPF Foundation under the Linux Foundation to support the growth and adoption of eBPF technologies.

However, in the ongoing attack, eBPF’s low-level capabilities have allowed attackers to hide network activity, gather sensitive information, and bypass security measures. This has made it difficult for researchers to detect, and a lucrative opportunity for hackers particularly for advanced persistent threat (APT) groups looking to maintain long-term access to a target system.

In this specific campaign, as detailed by Dr. Web in its report published on December 10, the attackers used eBPF to load two rootkits. The first, an eBPF rootkit, hid the presence of a second rootkit, which then dropped a remote access Trojan (Trojan.Siggen28.58279 or Trojan:Win32/Siggen.GR!MTB) capable of tunnelling traffic, allowing attackers to communicate with infected devices even within private networks.

****Hiding in Plain Sight: Public Platforms as Command Centers****

The threat actors have also changed how they store their malware configurations. Instead of relying on private command-and-control servers, they are using popular, publicly accessible platforms.

The malware analyzed by Dr. Web was found retrieving settings from platforms like GitHub and even a Chinese cybersecurity blog. This tactic makes the malicious traffic appear legitimate, as it combines it with normal network activity. It also eliminates the need for the attackers to maintain separate control infrastructure, which can be more easily detected and shut down.

Screenshot shows malware hosted on GitHub and a Cybersecurity blog in Chinese language (Via Dr. Web)

Nevertheless, since 2023, the use of malicious eBPF software has been on the rise, with several malware families emerging, including Boopkit, BPFDoor, and Symbiote. The discovery of numerous vulnerabilities in eBPF technology has further worsened the situation.

This ongoing cyberattack is yet another example of how far government-backed hackers and cybercriminals are willing to go without fear of consequences. Their tactics, including exploiting advanced technologies like eBPF and using public platforms for configuration storage, make this quite clear.

1.  Telegram-Controlled TgRat Trojan Targets Linux Servers
2.  Play Ransomware Variant Targeting Linux ESXi Environments
3.  North Korean Hackers Deploy Linux Malware for ATM Cashouts
4.  Linux Malware ‘Perfctl’ Targets Millions by Mimicking System Files
5.  Godot Engine Abused to Drop Malware on Windows, macOS, Linux

Hackers Exploiting Linux eBPF to Spread Malware in Ongoing Campaign

The Russian-based attack group uses legitimate red-team tools, 200 domain names, and 34 back-end RDP servers, making it harder to identify and block malicious activity.

Source: Funtap via Shutterstock

An ongoing cyber-espionage campaign by Russia's Midnight Blizzard threat group may be much larger in scope than generally assumed, targeting international entities in government, armed forces, and academic institutions, Trend Micro said in recently released research.

At its peak in October, Trend Micro researchers observed Midnight Blizzard — which they track as Earth Koshchei — hitting as many as 200 entities a day with phishing emails containing a malicious Remote Desktop Protocol (RDP) file and red-team testing tools to take control of victim systems and steal data or plant malware on them. That volume is roughly what other groups with similar capabilities to — such as Pawn Storm — typically target over multiple weeks, Trend Micro said in a report this week.

In these attacks, intended victims received tailored spear-phishing emails containing a malicious or rogue RDP configuration file that, if used, would direct the victim's system to a remote attacker-controlled system. RDP configuration files simplify and automate remote access to enterprise systems by storing settings — such as a target computer's address and connection preferences — to enable remote desktop connections.

Trend Micro found the threat actor using the open source PyRDP tool as a sort of adversart-in-the-middle proxy to redirect connection requests from victim systems to attacker-controlled domains and servers. "The attack technique is called 'rogue RDP,' which involves an RDP relay, a rogue RDP server, and a malicious RDP configuration file," the researchers explained. "A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation."

**Careful Planning**

In August, Midnight Blizzard began setting up what would eventually be more than 200 domain names to direct victims to as part of the attack chain. Trend Micro also observed the attacker using 34 rogue RDP backend servers as part of its sprawling infrastructure.

The domain names that the threat actor used suggested government and military targets in the US, Europe, Japan, Australia, and Ukraine. Intended victims included ministries of foreign affairs, academic researchers, and military entities.  "The scale of the RDP campaign was huge," Trend Micro found.

Midnight Blizzard is a cyber-espionage group that the US government has identified as working for on or behalf of Russia's foreign intelligence service. The group is tied to numerous well known breach incidents, including ones at Microsoft, SolarWinds, HPE, and multiple US federal government agencies. Its campaigns typically involve sophisticated spear-phishing emails, stolen credentials, and supply chain attacks to gain initial access to target systems. It is also known to target vulnerabilities in widely used networking and collaboration tools from vendors such as Pulse Secure Citrix, Zimbra, and Fortinet.

The group has also has a penchant for using legitimate pen testing and red-team tools to evade detection by endpoint security controls. In the current campaign. Midnight Blizzard's use of legitimate tools like RDP and PyRDP has allowed the threat actor to operate largely under the radar on compromised networks. In addition, the threat actors often have a tendency to tap resident proxy services, Tor, and VPNs as anonymization layers while it operates in stealth on compromised networks.

"Notably no malware is installed on the victim's machines per se. Instead, a malicious configuration file with dangerous settings facilitates this attack, making it a stealthier living-off-the-land operation that is likely to evade detection," according to Trend Micro's report.

The security vendor wants organizations that don't block outbound RDP connection requests to begin doing so straight away. They also recommend blocking RDP configuration files in email.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Midnight Blizzard Taps Phishing Emails, Rogue RDP Nets

Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims' Microsoft Azure cloud infrastructure.
The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical,

HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft

The cyberattack impacts at least 1.4 million patients, as tranches of highly sensitive personal, medical, and financial data fall into the hands of cyber crooks who have everything they need to carry out convincing social engineering and fraud attacks.

Source: Kirby Lee via Alamy Stock Photo

NEWS BRIEF

Texas Tech University's Health Sciences Centers (HSCs) in Lubbock and El Paso are the latest victims of a disruptive cyberattack. The incident impacted the data of 1.4 million patients, exposing a treasure trove of valuable information that could be used for convincing follow-up social engineering attacks, identity theft, and more.

The attackers had access to the university's medical environments between Sept. 17 and 29, during which time they made off with "certain files and folders from the HSCs' network," according to a website notice.

**Cyberattackers Steal Reams of Sensitive Patient Data**

The folders contained patient names, dates of birth, Social Security numbers, driver's license numbers, financial data, medical information, billing and insurance data, medical records numbers, and more.

"The health and social-care sector has always been a popular target for cybercriminals," Brian Higgins, security specialist at Comparitech, said via email. "The combination of plentiful data points along with the often very sensitive nature of some of the information serves not only to add increased pressure on breached organizations to settle any ransom demands, but also to render individual client-side victims more susceptible to follow-up attacks seeking password or logon access and other personal information."

Related:Microsoft Teams Vishing Spreads DarkGate RAT

In October, a ransomware group called Interlock claimed to be behind the hack, saying that it stole 3.2 terabytes of data from the Red Raiders.

"The group posted images of what it says are stolen documents on its leak site," Paul Bischoff, consumer privacy advocate at Comparitech, said via email. "TTHUSC hasn't verified that claim, but no other groups have claimed responsibility at this time. Interlock is a new ransomware gang that first started adding targets to its leak site in October. This was one of the biggest medical data breaches of 2024."

**Texas Tech's Block & Tackle Incident Response**

For its part, the school is offering somewhat boilerplate information: "The HSCs are in the process of notifying individuals whose information may be involved in this incident," according to the notice, which added that free credit monitoring is available. "To help prevent a recurrence, the HSCs are reviewing existing security policies and procedures as part of the investigation and are implementing additional safeguards to enhance system protection and monitoring."

It also noted that affected individuals should monitor their credit reports and bank accounts for evidence of identity theft and fraud, review account statements, and scrutinize health care and health insurance billing statements for suspicious activity or errors.

Related:'Dubai Police' Lures Anchor Wave of UAE Mobile Attacks

"One can only hope that Texas Tech will offer a decent level of security mitigation measures … to try to alleviate what is an incredibly stressful situation for all involved," Higgins noted. "It's reasonable, after so many documented attacks, that users should expect high-risk sectors to harden, but that doesn't seem to be happening with the force and frequency necessary to combat the threat."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Texas Tech Fumbles Medical Data in Massive Breach

Yet another day, yet another data leak tied to Cisco!

****SUMMARY:****

*   **Partial Data Leak**: Hackers leaked 2.9GB of Cisco’s data on _Breach Forums_ on December 16, 2024.

*   **Exposed Records**: The leaked data is part of a 4.5TB dataset that was allegedly left unprotected by Cisco in October 2024.

*   **Previous Incident**: IntelBroker previously claimed responsibility for accessing the exposed data and attempted to sell it, including sensitive information from companies like Verizon, AT&T, and Microsoft.

*   **Cisco’s Response**: Cisco previously denied any compromise of core systems, attributing the issue to a misconfigured public-facing DevHub resource.

*   **Proof of Legitimacy**: IntelBroker released this partial leak to demonstrate the validity of their claims and attract buyers for the remaining data.

**RIBridges Breach**: Hackers infiltrated Rhode Island’s health and benefits system, demanding ransom and threatening to leak sensitive data.

On Monday, December 16, 2024, hackers leaked what they referred to as “partial data” belonging to technology and cybersecurity giant Cisco. The leak occurred on the cybercrime and data breach platform Breach Forums, where IntelBroker, a notorious hacker and the forum’s owner, released 2.9 GB of data for download.

****Important Background****

The leaked data is part of the 4.5TB content that hackers claim was left exposed by Cisco without any password protection or security authentication, allowing them to download the entire dataset in October 2024.

Hackread.com exclusively reported on the incident on October 14, 2024, when IntelBroker attempted to sell the data, which allegedly included source codes, confidential documents, and credentials belonging to global firms like Verizon, AT&T, Microsoft, and others.

At the time, Cisco did not respond to Hackread.com but denied any compromise of their core systems, attributing the incident to a misconfigured public-facing DevHub resource. However, IntelBroker maintained they had access until October 18 and provided evidence to Hackread.com showing they exploited an exposed token for JFrog, a software supply chain platform, to access the exposed content.

****What’s in the Leaked Data?****

This time, IntelBroker has leaked a portion of the data in an attempt to prove its legitimacy to potential buyers. “Hopefully, this proves the legitimacy of the breach to others wanting to buy the full version,” the hacker stated.

The 2.9GB leak reportedly contains the following:

*   **Cisco ISE (Identity Services Engine)**: A security policy platform that provides secure network access control and identity management.

*   **Cisco SASE (Secure Access Service Edge)**: A cloud-delivered solution that combines networking and security functions for secure access from anywhere.

*   **Cisco Webex**: A collaboration platform offering video conferencing, messaging, and calling solutions for teams and businesses.

*   **Cisco Umbrella**: A cloud-based DNS security solution that protects users from threats by securing internet access and blocking malicious domains.

*   **Cisco IOS XE & XR**: Network operating systems used in Cisco routers and switches, enabling advanced networking, automation, and programmability.

*   **Cisco C9800-SW-iosxe-wlc.16.11.01**: A software-based Wireless LAN Controller (WLC) image that manages and controls wireless networks running on Cisco Catalyst 9800 Series platforms.

Here’s a screenshot from Breach Forums showing what the hackers have leaked and the claims they are making:

IntelBroker on Breach Forums (Screenshot credit: Hackread.com)

****Intel Broker and Previous Breaches****

Intel Broker is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Nevertheless, the partial leak goes on to show ongoing exploitation of misconfigured systems and exposed data. The scale of exploitation is evident, as even high-profile hackers like ShinyHunters and Nemesis **have targeted** misconfigured servers and S3 buckets.

While Cisco has yet to respond to this latest development, IntelBroker’s actions also show how such incidents can escalate into extortion attempts. Whether the remaining 4.5TB dataset will be sold, leaked, or resolved remains to be seen, but it’s a reminder for organizations to maintain their security practices and protect sensitive data.

1.  IntelBroker Claim Access to Nokia Internal Data, Selling for $20K
2.  Europol Hacked: IntelBroker Claims Major Law Enforcement Breach
3.  IntelBroker Space-Eyes Breach, Targeting US National Security Data
4.  IntelBroker Claims Breach of Top Cybersecurity Firm, Selling Access
5.  AMD Data Breach: IntelBroker Claims Theft of Employee, Product Info

Hackers Leak Partial Cisco Data from 4.5TB of Exposed Records

A new social engineering campaign has leveraged Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate.
"An attacker used social engineering via a Microsoft Teams call to impersonate a user's client and gain remote access to their system," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta said.
"The attacker failed to install a

Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware

Three vulnerabilities in the service's Apache Airflow integration could have allowed attackers to take shadow administrative control over an enterprise cloud infrastructure, gain access to and exfiltrate data, and deploy malware.

Source: Aleksia via Alamy Stock Photo

Three flaws discovered in the way Microsoft's Azure-based data integration service leverages an open source workflow orchestration platform could have allowed an attacker to achieve administrative control over companies' Azure cloud infrastructures, exposing enterprises to data exfiltration, malware deployment, and unauthorized data access.

Researchers at Palo Alto Networks' Unit 42 discovered the vulnerabilities — two of which were misconfigurations and the third involved weak authentication — in Azure Data Factory's Apache Airflow integration. Data Factory enables users to manage data pipelines when moving information between different sources, while Apache Airflow facilitates the scheduling and orchestration of complex workflows.

While Microsoft classified the flaws as low-severity vulnerabilities, Unit 42 researchers found that exploiting them successfully could allow an attacker to gain persistent access as a shadow administrator over the entire Airflow Azure Kubernetes Service (AKS) cluster, they revealed in a blog post published Dec. 17.

Specifically, the flaws discovered in Data Factory were: a misconfigured Kubernetes role-based access control (RBAC) in Airflow cluster; a misconfigured secret handling of the Azure's internal Geneva service, which is responsible for managing critical logs and metrics; and weak authentication for Geneva.

Related:CISA Directs Federal Agencies to Secure Cloud Environments

The Airflow instance's use of default, unchangeable configurations combined with the cluster admin role's attachment to the Airflow runner "caused a security issue" that could be manipulated "to control the Airflow cluster and related infrastructure," the researchers explained.

If an attacker was able to breach the cluster, they also could manipulate Geneva, allowing attackers "to potentially tamper with log data or access other sensitive Azure resources," Unit 42 AI and security research manager Ofir Balassiano and senior security researcher David Orlovsky wrote in the post.

Overall, the flaws highlight the importance of managing service permissions and monitoring the operations of critical third-party services within a cloud environment to prevent unauthorized access to a cluster.

Unit 42 informed Microsoft Azure of the flaws, which ultimately were resolved by the Microsoft Security Response Center. The researchers did not specify what fixes were made to mitigate the vulnerabilities, and Microsoft did not immediately respond to request for comment.

**How Cyberattackers Gain Initial Administrative Access**

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

An initial exploit scenario lies in an attacker's ability to gain unauthorized write permissions to a directed acyclic graph (DAG) file used by Apache Airflow. DAG files define the workflow structure as Python code; they specify the sequence in which tasks should be executed, the dependencies between tasks, and scheduling rules.

Attackers have two ways to gain access to and tamper with DAG files. They could gain write permissions to the storage account containing DAG files by leveraging a principal account with write permissions; or they could use a shared access signature (SAS) token, which grants temporary and limited access to a DAG file.

In this scenario, once a DAG file is tampered with, "it lies dormant until the DAG files are imported by the victim," the researchers explained.

The second way is to gain access to a Git repository using leaked credentials or a misconfigured repository. Once this occurs, the attacker can create a malicious DAG file or modify an existing one, and the directory containing the malicious DAG file is imported automatically.

In their attack flow, Unit 42 researchers used the Git repository leaked credentials scenario to access a DAG file. "In this case, once the attacker manipulates the compromised DAG file, Airflow executes it, and the attacker gets a reverse shell," they explained in the post.

Related:336K Prometheus Instances Exposed to DoS, 'Repojacking'

The basic exploit workflow, then, involves an attacker first crafting a DAG file that opens a reverse shell to a remote server and runs automatically when imported. The malicious DAG file is then uploaded to a private GitHub repository connected to the Airflow cluster.

"Airflow imports and runs the DAG file automatically from the connected Git repository, opening a reverse shell on an Airflow worker," the researchers explained. "At this point, we gained cluster admin privileges due to a Kubernetes service account that was attached to an Airflow worker."

The attack can then escalate from there to take over a cluster; use the shadow admin access to create shadow workloads for cryptomining or running other malware; exfiltrate data from the enterprise cloud; and exploit Geneva to reach other Azure endpoints for further malicious activity, the researchers wrote.

**Cloud Security Should Extend Beyond the Cluster**

Cloud-based attacks often begin with attackers pouncing on local misconfigurations, and the exploit flow again highlights how an entire cloud environment can be exposed to risk due to flaws exploited within a single node or cluster.

The scenario demonstrates the importance of going beyond merely securing the perimeter of a cloud cluster to a more comprehensive approach to cloud security that takes into consideration what happens if attackers break this boundary, according to Unit 42.

This strategy should include "securing permissions and configurations within the environment itself, and using policy and audit engines to help detect and prevent future incidents both within the cluster and in the cloud," the researchers wrote.

Enterprises also should safeguard sensitive data assets that interact with different services in the cloud to understand which data is being processed with which data service, they added. This will ensure that service dependencies are taken into consideration when securing the cloud.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#microsoft