Showing posts with label Hacker News. Show all posts
Microsoft Uncovers Banking AitM Phishing and BEC Attacks Targeting Financial Giants


Banking and financial services organizations are the targets of a new multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attack, Microsoft has revealed.

"The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations," the tech giant disclosed in a Thursday report.

Microsoft, which is tracking the cluster under its emerging moniker Storm-1167, called out the group's use of an indirect proxy to pull off the attack.

This enabled the attackers to flexibly tailor the phishing pages to their targets and carry out session cookie theft, underscoring the continued sophistication of AitM attacks.

The modus operandi is unlike other AitM campaigns where the decoy pages act as a reverse proxy to harvest credentials and time-based one-time passwords (TOTPs) entered by the victims.

"The attacker presented targets with a website that mimicked the sign-in page of the targeted application, as in traditional phishing attacks, hosted on a cloud service," Microsoft said.

"The said sign-in page contained resources loaded from an attacker-controlled server, which initiated an authentication session with the authentication provider of the target application using the victim's credentials."

The attack chains commence with a phishing email containing a link which, when clicked, redirects the victim to a spoofed Microsoft sign-in page, where they enter their credentials and TOTPs.

The harvested passwords and session cookies are then used to impersonate the user and gain unauthorized access to the email inbox by means of a replay attack. The access is then abused to get hold of sensitive emails and orchestrate a BEC attack.

AitM Phishing and BEC Attacks

What's more, a new SMS-based two-factor authentication method is added to the target account so that the attacker can sign in with the pilfered credentials without attracting attention.

In the incident analyzed by Microsoft, the attacker is said to have initiated a mass spam campaign, sending more than 16,000 emails to the compromised user's contacts, both within and outside of the organization, as well as distribution lists.

The adversary has also been observed minimizing detection and establishing persistence by responding to incoming emails and then deleting them from the mailbox.

Ultimately, the recipients of the phishing emails are targeted by a second AitM attack to steal their credentials and trigger yet another phishing campaign from the email inbox of one of the users whose account was hacked as a result of the AitM attack.

"This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud," the company added.

The development comes less than a month after Microsoft warned of a surge in BEC attacks and the evolving tactics employed by cybercriminals, including the use of platforms like BulletProftLink for creating industrial-scale malicious mail campaigns.

Another tactic entails the use of residential internet protocol (IP) addresses to make attack campaigns appear locally generated, the tech giant said.

"BEC threat actors then purchase IP addresses from residential IP services matching the victim's location creating residential IP proxies which empower cybercriminals to mask their origin," Redmond explained.

"Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent 'impossible travel' flags, and open a gateway to conduct further attacks."

Guardz Launches AI-Powered Multilayered Phishing Protection To Secure SMEs

Guardz’s new Multilayered Phishing Protection:
  • continuously scans all inbound traffic with its anti-phishing email protection;
  • initiates detection through AI-powered anti-phishing and anti-malware engines;
  • removes risky emails from users’ inboxes and automatically sends them to quarantine;
  • monitors internet browsing to detect potential phishing attempts and delivers real-time alerts to system admins to enable timely responses; and
  • provides ongoing, active cyber awareness training and tailored phishing simulations for employees, fostering a culture of caution and vigilance.

Perhaps most importantly when dealing with phishing, the Guardz solution empowers every employee to behave in ways that support and strengthen the business’s cybersecurity posture.

“The proliferation of phishing attack as a service (AaaS) tools sold on the dark web is putting the SME ecosystem increasingly at risk. Our new AI-powered phishing protection solution provides SMEs and MSPs with a holistic and accessible solution to prevent the success of phishing attacks,” said Dor Eisner, CEO and Co-Founder of Guardz. “This is a significant addition to Guardz’s holistic cyber security offering for small businesses, ensuring that they can react to cyber risks in real time with swift remediations, but also be protected by cyber insurance for complete peace of mind – a true secure and insure approach.”

The Multilayered Phishing Protection enables MSPs to provide their SME customers with protection across all potential phishing attack vectors. It does so by automatically scanning the perimeter posture, inbound email traffic and internet browsing, and by providing ongoing, tailored cyber awareness training and simulations for employees. The platform automatically verifies emails against authentication protocols including Domain-based Message Authentication, Reporting and Conformance (DMARC) and Sender Policy Framework (SPF), and checks mailboxes for malicious forwarding rules.

Fake Android Apps Ran Adware Campaign For Months


Researchers caught a sneaky adware campaign that targeted Android users for months. The campaign used numerous fake Android apps mimicking utilities such as PDF readers, weather apps, VPNs, game cracks, and streaming services such as Netflix and YouTube.

Fake Android Apps Deployed Adware

According to a recent report from Bitdefender, its researchers detected 60,000 fake Android apps stealthily running an adware campaign since at least October 2022.

The researchers caught the malware following alerts from the anomaly detection technology in Bitdefender Mobile Security.

Briefly, unlike most adware campaigns, which exhibit intrusive behavior, this campaign spread organically. The malicious apps would appear to a target user upon searching for certain apps, such as modded games or free VPNs. Then, owing to their apparent legitimacy, the app ads would lure users into downloading the malicious app.

After reaching the device, the malware relies on the default strategy for Android app installation, requiring user input. Then, once the user taps the “Open” button to launch the newly installed app, the malware executes in the background.

Meanwhile, an error message on screen tricks the user into believing that the app failed to install, and the absence of an app icon makes it difficult for the victim to find and uninstall it.

Upon gaining persistence on the device, the malware remains dormant for some time. Then, after receiving the relevant commands from its servers, the malware starts displaying ads on the device when the user unlocks the phone.

Bitdefender caught this campaign because the malware used the device’s browser to show the malicious ads, which their Mobile Security tool detected. The malware also displays full-screen WebView ads.

The researchers have shared the following demonstration of the malware in action.

As always, to repel such threats, users must avoid interacting with apps or links from unknown sources. Likewise, equipping their devices with robust antimalware solutions is the key to preventing most malware attacks.


North Africa Targeted by Stealth Soldier Backdoor in Espionage Attacks

 

Check Point Research has discovered a sequence of cyberespionage attacks using a previously undisclosed backdoor named Stealth Soldier targeting Libyan organizations. This advanced malicious software is a customized modular backdoor that possesses surveillance capabilities.

The choice of Libyan organizations as targets and the malware infrastructure indicate the potential return of a threat actor referred to as "The Eye on the Nile," which was seen in action in 2019.

Diving into details

The Command and Control (C&C) network of Stealth Soldier is a component of a broader infrastructure that has been used, at least partially, for spear-phishing attacks targeting government entities.
  • The infection commences with the downloader, which initiates the attack chain. While the precise method of delivery used by the downloader remains undisclosed, social engineering is considered a likely possibility.
  • The most recent version of the implant was reportedly compiled in February 2023.
  • The malware's infection procedure encompasses the retrieval of numerous files from the C&C server, including the loader, watchdog, and payload.

Let’s discuss its versions

Security experts have identified three distinct infection chains involving three different versions of Stealth Soldier malware: 6, 8, and 9. 
  • Different versions vary by factors such as filenames, mutex names, XOR keys, and directory names. 
  • Moreover, the value name written under the SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key for persistence differs:
      • "Cache" for Version 6
      • "WinUpdate" for Version 8
      • "DevUpdate" for Version 9

Nonetheless, the overall flow follows a similar pattern for different versions and exhibits the same underlying logic.
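As an added example (not from Check Point's report or its tooling), the following PowerShell enumerates the Run keys and flags any value name matching the three persistence entries reported for versions 6, 8 and 9. The report names only the key path, so checking both the HKLM and HKCU hives plus the WOW6432Node path is an assumption; a hit is a lead for analyst review, not a confirmed infection.

```powershell
# Added example: audit autorun entries for the value names the report
# associates with Stealth Soldier persistence ("Cache", "WinUpdate", "DevUpdate").
# Hives and the WOW6432Node path are assumptions; the report gives only the key path.

$SuspectValueNames = @('Cache', 'WinUpdate', 'DevUpdate')   # v6, v8, v9 per the report

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Find-SuspectRunEntries {
    param(
        [string[]]$Keys = $RunKeys,
        [string[]]$Names = $SuspectValueNames
    )

    foreach ($Key in $Keys) {
        if (-not (Test-Path -Path $Key)) { continue }   # hive/path may not exist on this host
        $RegKey = Get-Item -Path $Key                   # Microsoft.Win32.RegistryKey

        foreach ($ValueName in $RegKey.GetValueNames()) {
            if ($Names -contains $ValueName) {
                [pscustomobject]@{
                    Key       = $Key
                    ValueName = $ValueName
                    Command   = $RegKey.GetValue($ValueName)   # the command line that autoruns
                    Reason    = 'Value name matches a reported Stealth Soldier persistence entry'
                }
            }
        }
    }
}

$Findings = @(Find-SuspectRunEntries)

if ($Findings.Count -gt 0) {
    # Review the Command column: the executable path and directory name are the next pivot,
    # since the report notes those also vary by version.
    $Findings | Format-Table -AutoSize
} else {
    Write-Output 'No Run-key value names matching the reported Stealth Soldier entries were found.'
}
```

Run from an elevated prompt so the HKLM hives are readable; a benign product could in principle use one of these value names, so confirm the referenced binary before acting.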

Attribution

  • Check Point Research uncovered similarities between the present operation and the previously identified "Eye on the Nile" campaign, which Amnesty International and Check Point Research had associated with government-affiliated entities. 
  • The presence of overlapping infrastructure implies a potential correlation between these two campaigns, highlighting the tenacity and flexibility of the threat actor responsible for their orchestration.

The bottom line

The recent Stealth Soldier malware campaign directed at Libyan organizations underscores the growing complexity of cyberespionage activities. The utilization of personalized backdoors and advanced surveillance functionalities presents substantial risks to the data security and privacy of the entities being targeted.

Protecting your Facebook account


Protecting your Facebook account from hackers involves implementing several security measures. Here are some essential steps you can take to enhance the security of your Facebook account:

  1. Strong and Unique Password: Use a strong, unique password for your Facebook account. Include a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using common words or personal information that can be easily guessed.

  2. Enable Two-Factor Authentication (2FA): Activate 2FA for your Facebook account. This adds an extra layer of security by requiring a second form of verification, usually a code sent to your mobile device, in addition to your password when logging in.

  3. Be Cautious with Links and Downloads: Avoid clicking on suspicious links or downloading files from untrusted sources, as they can deliver malware or lead to phishing pages. Be particularly cautious of messages or emails asking for your login credentials or personal information.

  4. Keep Software and Antivirus Updated: Regularly update your operating system, web browser, and antivirus software to protect against the latest security vulnerabilities and threats.

  5. Recognize and Avoid Phishing Attempts: Be wary of phishing attempts that try to trick you into revealing your login credentials or personal information. Double-check the URL of any login page and only enter your credentials on official Facebook websites.

  6. Review App Permissions: Periodically review the permissions granted to third-party apps connected to your Facebook account. Remove any unnecessary or suspicious apps that may have access to your personal information.

  7. Use a Secure Internet Connection: Avoid logging into your Facebook account using public Wi-Fi networks, as they may be insecure. Instead, use a secure and private internet connection, such as your mobile data or a trusted home network.

  8. Regularly Monitor Account Activity: Keep an eye on your account activity and review the login history regularly. If you notice any suspicious activity or unauthorized access, change your password immediately and report it to Facebook.

  9. Educate Yourself: Stay informed about common hacking techniques and security best practices. Regularly educate yourself on the latest threats and security measures to protect your Facebook account.

Remember, maintaining a secure Facebook account is crucial for safeguarding your personal information and online presence.

WikiLeaks Website Gets Defaced By Hacking Group OurMine

The WikiLeaks website, wikileaks.org, has just been defaced by the hacking group OurMine.

The OurMine hacking group is already known for hacking into high-profile social media accounts, including those of Google CEO Sundar Pichai, Facebook CEO Mark Zuckerberg, former Twitter CEOs Dick Costolo and Ev Williams, Netflix, Sony, and HBO.

The exact cause of the compromise has not yet been established, but it appears the site's DNS entries were compromised via a DNS poisoning attack.

As of this morning, the WikiLeaks.org homepage displayed a message that read: “Hi, it’s OurMine (Security Group), don’t worry we are just testing your…. blablablab, oh wait, this is not a security test! Wikileaks, remember when you challenged us to hack you?”

“Anonymous, remember when you tried to dox us with fake information for attacking wikileaks?” the message continues. “There we go! One group beat you all! #WikileaksHack lets get it trending on twitter!”

Here is a screenshot of the message that was displayed on the website while it was defaced.

Game of Thrones Social Media Accounts Gets Hacked Just After Its Latest Episode Leak


The official Game of Thrones Twitter and Facebook accounts have been hacked. The hacker group OurMine tweeted from the official Game of Thrones Twitter account:


Hi, OurMine are here, we are just testing your security, HBO team please contact us to upgrade the security.



  • OurMine is one of the most notorious hacking groups from Saudi Arabia; it previously hacked the top social media accounts of companies and business people including Twitter CEO Jack Dorsey, Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, Wikipedia co-founder Jimmy Wales and many more.

HBO had been going through a tough time even before this OurMine hack. Earlier, HBO itself accidentally leaked Game of Thrones Episode 6.

Last month we reported that Game of Thrones scripts had been stolen: the hackers claimed to have obtained 1.3 terabytes (TB) of data from the company. Upcoming episodes of Ballers and Room 104 were apparently taken as well, and the hacker group also demanded a ransom of approximately $6 million in Bitcoin.

Wikileaks Unveiled 'Dumbo' Tool Which CIA Used To Spy Webcams And Microphones


What Can Dumbo Do?


  1. Identifies and controls webcams and microphones
  2. Disables all network adapters
  3. Suspends any processes using a camera recording device
  4. Selectively corrupts or deletes recordings
  5. Supports Windows



WikiLeaks publishes documents from the Dumbo project of the CIA. Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations.

Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating system. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings, the operator is aided in creating fake evidence or destroying actual evidence of the intrusion operation.

Dumbo is run by the field agent directly from a USB stick; it requires administrator privileges to perform its task. It supports 32-bit Windows XP, Windows Vista, and newer versions of the Windows operating system. 64-bit Windows XP and Windows versions prior to XP are not supported.


How Microsoft Cleverly Cracks Down On "Fancy Bear" Hacking Group

What could be the best way to take over and disrupt cyber espionage campaigns?

Hacking them back?

Probably not. At least not when it's Microsoft, who is continuously trying to protect its users from hackers, cyber criminals and state-sponsored groups.

It has now been revealed that Microsoft has taken a different approach to disrupt a large number of cyber espionage campaigns conducted by the "Fancy Bear" hacking group, using a lawsuit as a tool: the tech company took control of some of the group's servers with the help of the courts.

Microsoft used its legal team last year to sue Fancy Bear in a federal court outside Washington DC, accusing the hacking group of computer intrusion, cybersquatting, and reserving several domain names that violate Microsoft's trademarks, according to a detailed report published by the Daily Beast.

Fancy Bear — also known as APT28, Sofacy, Sednit, and Pawn Storm — is a sophisticated hacking group that has been in operation since at least 2007 and has also been accused of hacking the Democratic National Committee (DNC) and Clinton Campaign in an attempt to influence the U.S. presidential election.

The hacking group is believed to be associated with the GRU (General Staff Main Intelligence Directorate), Russia's military intelligence agency, though Microsoft has not mentioned any connection between Fancy Bear and the Russian government in its lawsuit.

Instead of registering generic domains for its cyber espionage operations, Fancy Bear often picked domain names that resemble Microsoft products and services, such as livemicrosoft[.]net and rsshotmail[.]com, in order to carry out its hacking and cyber espionage campaigns.

This inadvertently gave Microsoft an opportunity to drag the hacking group, whose members are unknown, into court.

Microsoft Sinkholed Fancy Bear Domains


The purpose of the lawsuit was not to bring the criminal group to the court; instead, Microsoft appealed to the court to gain the ownership of Fancy Bear domains — many of which act as command-and-control servers for various malware distributed by the group.

"These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents," the report reads.

Although Microsoft has not yet obtained full ownership of those domains, the judge last year issued a then-sealed order to domain name registrars "compelling them to alter" the DNS of at least 70 Fancy Bear domains, pointing them to Microsoft-controlled servers.

Eventually, Microsoft used the lawsuit as a tool to create sinkhole domains, allowing the company's Digital Crimes Unit to actively monitor the malware infrastructure and identify potential victims.

"By analyzing the traffic coming to its sinkhole, the company’s security experts have identified 122 new cyber espionage victims, whom it’s been alerting through Internet service providers," the report reads.

Microsoft has appealed and is still waiting for a final default judgment against Fancy Bear, for which the hearing has been scheduled for Friday in a Virginia court.

Tor Launches Bug Bounty Program — Get Paid for Hacking!

With the growing number of cyber attacks and breaches, a significant number of companies and organisations have started bug bounty programs to encourage hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded.

Following major companies and organisations, the non-profit group behind Tor Project – the largest online anonymity network that allows people to hide their real identity online – has finally launched a "Bug Bounty Program."

The Tor Project announced on Thursday that it joined hands with HackerOne to start a public bug bounty program to encourage hackers and security researchers to find and privately report vulnerabilities that could compromise the anonymity network.

HackerOne is a bug bounty startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even the United States Department of Defense for its Hack the Pentagon initiative.

Bug bounty programs are cash rewards given by companies or organisations to white hat hackers and researchers who hunt for serious security vulnerabilities in their websites or products and then responsibly disclose them.

The Tor Project announced its intention to launch a public bug bounty program in late December 2015 during a talk by the Tor Project at the Chaos Communication Congress (CCC) held in Hamburg, Germany. However, it launched only an invite-only bounty program last year.

The highest payout for flaws has been set at $4,000: bug hunters can earn between $2,000 and $4,000 for High severity vulnerabilities, between $500 and $2,000 for Medium severity vulnerabilities, and a minimum of $100 for Low severity bugs.

Moreover, less severe issues will be rewarded with a T-shirt, stickers and a mention in Tor's hall of fame.

"Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online," Tor browser developer Georg Koppen said in a blog post. "Help us protect them and keep them safe from surveillance, tracking, and attacks."

The Tor Project is a non-profit organisation behind the Tor anonymizing network that allows any online user to browse the Internet without the fear of being tracked.


The Project first announced its plan to launch the bug bounty program weeks after it accused the FBI of paying researchers at Carnegie Mellon University (CMU) at least $1 million to help it unmask Tor users and reveal their IP addresses, though the FBI denies the claims.
