
Group-IB Warns Supply Chain Attacks Are Becoming a Self-Reinforcing Cybercrime Ecosystem


Cybercrime outfits now reshape supply chain intrusions into sprawling, linked assaults - spinning out data leaks, stolen login details, and ransomware in relentless loops, says fresh research by Group-IB. With each trend report, the security group highlights how standalone hacks have evolved: today’s strikes follow blueprints meant to ripple through corporate systems, setting off chains of further break-ins. 

Instead of going after one company just to make money fast, hackers now aim at suppliers, support services, or common software tools - gaining trust-based entry to many users at once. Cases highlighted in recent reports - the Shai-Hulud NPM worm, the break-in at Salesloft, and the corrupted OpenClaw package - all show how problems upstream spread quickly across systems. Not limited to isolated targets, these attacks ripple outward when shared platforms get hit. 

Modern supply chain attacks unfold in linked phases, says Group-IB. One stage might begin with a tainted open-source component spreading malicious code while quietly collecting login details. Following that, attackers may launch phishing efforts - alongside misuse of OAuth tokens - to seize user identities, opening doors to cloud services and development pipelines. Breached data feeds these steps, supplying access keys, corporate connections, and situational awareness required to move sideways across systems. Later comes ransomware, sometimes followed by threats - built on insights gathered during earlier stages of breach. One step enables another, creating loops experts call self-sustaining networks of attack. 

Soon, Group-IB expects artificial intelligence to push this shift further. Because of AI-powered tools, scanning for flaws in vendor networks, software workflows, or browser add-on stores happens almost instantly. These systems let hackers find gaps faster - operating at speeds humans cannot match. 

Group-IB also expects reliance on classic malware to decline in favor of tactics centered on stolen identities. Rather than deploying obviously harmful software, attackers now mimic authorized personnel and slip into everyday operational processes. Moving quietly through standard behaviors lets them stay hidden longer and gradually reach linked environments. Platforms that handle sensitive operations such as human resources, customer data, enterprise planning, or outsourced IT support therefore draw strong interest from threat actors.

When a compromise occurs at that level, it opens doors not just to one company but potentially hundreds connected through shared services - multiplying consequences far beyond the initial point of failure. Cases like Salesloft and the breach tied to Oracle in March 2025 show shifts in how data intrusions unfold. Rather than seeking quick payouts, hackers often collect OAuth credentials first. Missteps in third-party connections give them room to move inward. 

Once inside client systems, fresh opportunities open up. Data copying follows naturally. Trust-based communication chains become tools for disguise later. Infected updates spread quietly through established channels. Fraud grows without drawing early attention. Fault lines in digital confidence now shape modern cyber threats, according to Dmitry Volkov, who leads Group-IB. Rather than one-off breaches, what unfolds are ripple effects across systems. Because outside providers act like open doors, companies should treat them as part of their own risk landscape. 

Instead of reacting after the fact, companies should model supply chain risks early, track software dependencies continuously with automated scans, and understand how information moves between systems; without that insight, gaps stay hidden until they are exploited. With supply chain breaches turning into routine operations, protecting trust among users, partners, and code dependencies has shifted from a backup measure to a core part of today's security planning.

What once seemed secondary now shapes the foundation. Trust must hold firm where systems connect, because failure at one point pulls down many. Security can no longer treat these relationships as external risks; they are built-in conditions. When components rely on each other, weakness spreads fast. The report frames the shift clearly: resilience lives not just in tools but in verified connections. What matters most is not adding layers but strengthening what already ties everything together.

Fake IT Support Used by Ransomware Gangs in Microsoft Teams Breaches

The Sophos security team has identified two ransomware campaigns that use Microsoft Teams to gain access to organizations, and the crooks may be allied with Black Basta and FIN7. Through its X-Ops Managed Detection and Response (MDR) service, Sophos X-Ops responded to incidents tied to two different groups of threat actors. In each case, the attackers gained access to targeted organizations through the Microsoft Office 365 platform in order to steal data and deploy ransomware.

These two separate activity clusters were investigated by Sophos MDR in November and December 2024 following customer reports and are tracked as STAC5143 and STAC5777, respectively. According to Sophos, both groups use Microsoft Office 365 services, including Teams and Outlook, to gain access to victim organizations; Sophos has observed over 15 incidents in just the past two weeks, the majority of which took place between November and December 2024.

According to Sophos, the attackers took advantage of a default Microsoft Teams configuration that allows users from external domains to initiate chats or meetings with internal users, the researchers warned. By posing as tech support personnel on Microsoft Teams, the threat actors gain initial access to victim organizations with the goal of stealing data and deploying ransomware, according to a report released on Tuesday by Sophos that examined the ongoing campaigns of both groups.

STAC5143 first came to the Sophos team's attention in November of last year when a customer received over 3,000 spam emails in 45 minutes. Shortly afterwards, a Microsoft Teams call from outside the organization, placed from a bogus "Help Desk Manager" account, reached the customer, who was instructed to allow a remote screen control session through Microsoft Teams to resolve the issue.

The attacker used this remote-control session to open a command shell, drop files onto the victim's computer and infect it with malware. The attacker downloaded a Java archive (JAR) file (MailQueue-Handler.jar) as well as Python scripts (the RPivot backdoor). Once the attackers have established a command-and-control channel with their target, they use the target's credentials to disable multifactor authentication and antivirus protections.

They then connect to other computers in the network and move laterally to compromise additional systems. The Java code also performed some reconnaissance, mostly scoping out the user's account name and local network, before extracting the payload from the snow.zip archive and running it; that payload contained a Python-based backdoor that could be used to control the Windows computer remotely.

The Python code included a lambda function to obfuscate the malware, matching Python malware loaders previously spotted in FIN7 campaigns. Two other Python pieces were extracted as part of the malware, including copies of the publicly available reverse SOCKS proxy RPivot, which FIN7 had used in its earlier attacks.

The STAC5777 attacks similarly began with large volumes of spam email sent to targeted organizations, followed by Teams messages claiming to be from the organization's IT department and asking to be contacted to stop the spam. CyberScoop spoke to Sean Gallagher, Sophos's principal threat researcher and the study's lead author.
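The two-step lure described above (a mail bombing burst followed by an external Teams contact posing as IT support) lends itself to a simple correlation rule over mail and Teams telemetry. The Python below is an added example, not code from Sophos or the report; the event format, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (timestamp, kind, user, detail).
# kind "mail" = one inbound message; kind "teams_external" = a chat or call
# started by an account outside the tenant (detail = the external sender).
def _mails(user, start, count, every_s):
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * every_s)).isoformat(), "mail", user, "inbound")
            for i in range(count)]

EVENTS = (
    _mails("alice@corp.example", "2024-11-14T09:00:00", 120, 15)    # 120 mails in 30 min
    + _mails("bob@corp.example", "2024-11-14T09:00:00", 5, 300)     # normal volume
    + _mails("carol@corp.example", "2024-11-14T10:00:00", 120, 15)  # burst, no follow-up
    + [("2024-11-14T09:50:00", "teams_external", "alice@corp.example", "helpdesk-manager@outside.example"),
       ("2024-11-14T09:20:00", "teams_external", "bob@corp.example", "partner@vendor.example")]
)

def mail_bursts(events, threshold, window):
    """Map each user to the time their inbound mail first reached `threshold` within `window`."""
    per_user = defaultdict(list)
    for ts, kind, user, _ in events:
        if kind == "mail":
            per_user[user].append(datetime.fromisoformat(ts))
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window so it spans at most `window`
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = t
                break
    return bursts

def correlate(events, threshold=50, window=timedelta(minutes=45), followup=timedelta(hours=2)):
    """Alert when an external Teams contact reaches a user within `followup` of that user's mail burst."""
    bursts = mail_bursts(events, threshold, window)
    alerts = []
    for ts, kind, user, detail in events:
        if kind != "teams_external" or user not in bursts:
            continue                       # external contact alone is normal business
        gap = datetime.fromisoformat(ts) - bursts[user]
        if timedelta(0) <= gap <= followup:
            alerts.append((user, detail, int(gap.total_seconds() // 60)))
    return alerts
# correlate(EVENTS) -> [("alice@corp.example", "helpdesk-manager@outside.example", 37)]
```

Only alice fires: bob's external contact has no preceding burst, and carol's burst has no Teams follow-up, so neither signal alone produces an alert.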

Gallagher explained that his team had observed these tactics used against multiple individuals and at least 15 organizations, and most were blocked before they could compromise the targeted device. Posing as a technical support representative is a well-known social engineering method used by malicious hackers to compromise large, multinational companies.

Cybercriminal groups such as Lapsus$ have used this scheme for several years to compromise large, multinational corporations. It is, however, mainly smaller organizations that have been targeted through Office 365 and Teams, which illustrates how threat groups have increasingly capitalized on the rush by small and mid-sized businesses to adopt cloud computing and digitization, especially after the COVID-19 pandemic.

A significant portion of these small organizations were left vulnerable because, for the first time, they were using unfamiliar software such as Microsoft Office 365, Teams, and Azure. In this campaign the malware is a DLL, winhttp.dll, sideloaded into a legitimate OneDriveStandaloneUpdater.exe process, which is relaunched by a PowerShell command when Windows starts up. Through the Windows API, the malicious DLL logs the user's keystrokes, gathers credentials from files and the registry, and scans the network for potential pivot points via SMB, RDP, and WinRM.

Once a C2 connection has been established, the OneDriveStandaloneUpdater.exe process is started and checks whether any Remote Desktop Protocol or Windows Remote Management hosts can be reached with the stolen credentials. The attackers then appear to have attempted to move laterally to those hosts to continue their attack.
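The sideloading and relaunch behaviour just described can be checked against endpoint image-load and process-creation telemetry: a system DLL such as winhttp.dll loaded from outside the Windows system directories, and the updater being spawned by PowerShell rather than by its usual parent. The following Python is an added example, not from Sophos or the report; the event tuple shapes, directory list and process names are assumptions, and the sample events are constructed.

```python
from pathlib import PureWindowsPath

# Constructed sample endpoint telemetry (not real logs), in a Sysmon-like shape:
# image-load events as (process image, loaded DLL path) and
# process-creation events as (parent image, child image).
IMAGE_LOADS = [
    (r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     r"C:\Windows\System32\winhttp.dll"),                                     # normal
    (r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\winhttp.dll"),            # sideloaded copy
    (r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\WINHTTP.DLL"),  # normal, 32-bit
]
PROCESS_CREATES = [
    (r"C:\Windows\explorer.exe",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"),
]

# Assumed defaults: the only directories a genuine winhttp.dll should load from.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_DLLS = {"winhttp.dll"}

def sideloaded_dlls(image_loads):
    """Return (process, dll) pairs where a watched system DLL loads from outside the system dirs."""
    hits = []
    for process, dll in image_loads:
        p = PureWindowsPath(dll)
        if p.name.lower() in WATCHED_DLLS and str(p.parent).lower() not in SYSTEM_DLL_DIRS:
            hits.append((process, dll))
    return hits

def scripted_relaunches(process_creates, child_name="onedrivestandaloneupdater.exe"):
    """Return child images named `child_name` that were spawned by PowerShell."""
    shells = {"powershell.exe", "pwsh.exe"}
    hits = []
    for parent, child in process_creates:
        if (PureWindowsPath(child).name.lower() == child_name
                and PureWindowsPath(parent).name.lower() in shells):
            hits.append(child)
    return hits
```

In real telemetry the directory check should be paired with the DLL's signature status, since a renamed copy in the system directory would evade a path-only rule.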

In one instance the attackers used the backdoor to uninstall the local multifactor authentication integration on a compromised device, and Sophos has also found the attackers hoovering up local files whose names contained the word "password". In another instance, STAC5777 tried to infect the machine with the Black Basta ransomware, though Sophos said its security protections blocked the infection.

According to the researchers, the threat actor accessed Notepad and Word files that had the word "password" in their names. The attackers also accessed two Remote Desktop Protocol files, likely searching for credentials. As these tactics become more prevalent in the ransomware space, organizations should consider preventing external domains from initiating messages and calls on Microsoft Teams and disabling Quick Assist in critical environments.