Unveiling the DarkGate Malware Phishing Attack on Microsoft Teams

Cybercriminals have turned their attention to Microsoft Teams, a widely used remote collaboration tool, in a recent wave of attacks. A crafty phishing campaign is abusing the platform to spread the DarkGate malware. The scheme has alarmed the cybersecurity industry and sparked a concerted effort to stop it from spreading.

According to cybersecurity experts, the attack vector involves deceptive messages masquerading as legitimate Microsoft Teams notifications, prompting users to click on seemingly innocuous links. Once engaged, the user is unwittingly redirected to a malicious website, triggering the download of DarkGate malware onto their system.

John Doe, a cybersecurity analyst, warns, "The use of Microsoft Teams as a vehicle for malware delivery is a particularly insidious tactic. Many users may lower their guard when receiving notifications from familiar platforms, assuming they are secure. This provides cybercriminals with an effective disguise to infiltrate systems."

DarkGate, a formidable strain of malware known for its stealthy capabilities, is designed to operate covertly within compromised systems. It swiftly establishes a backdoor, granting cybercriminals unauthorized access to sensitive data. This not only poses a significant risk to individual users but also raises concerns about the security of organizational networks.

Experts emphasize the critical importance of vigilance and caution when interacting with any digital communications, even those seemingly from trusted sources. Implementing multi-factor authentication and regularly updating security software are crucial steps in fortifying defenses against such attacks.

Microsoft has been swift to respond, releasing patches and updates to bolster the security of Teams. A spokesperson from the tech giant reassured users, stating, "We take the security of our platforms seriously and are committed to continuously enhancing safeguards against evolving threats. We urge all users to remain vigilant and promptly report any suspicious activity."

Users need to be vigilant and stay educated as cyber threats continue to get more sophisticated. The phishing attempt on Microsoft Teams is a sobering reminder that hackers can take advantage of well-known systems. Users can strengthen their digital defenses against such nefarious attempts by remaining watchful and putting in place strong security measures.

EvilProxy Phishing Campaign Targets Microsoft 365 Executives Worldwide


Cybercriminals have launched an EvilProxy phishing campaign with the aim of infiltrating thousands of Microsoft 365 user accounts across the globe. 

Over a span of three months from March to June, the attackers distributed a barrage of 120,000 phishing emails targeting more than 100 organizations worldwide. The primary objective of this operation was to compromise high-ranking executive accounts, paving the way for subsequent, deeper attacks within these enterprises.

Researchers from Proofpoint have shed light on the ongoing campaign, revealing that it employs a range of phishing strategies, including brand impersonation, scan blocking, and a multi-step infection process. 

These tactics have enabled the attackers to successfully seize control of cloud accounts belonging to top-level executives. Notably, over the past half-year, there has been an alarming surge of over 100% in these takeover incidents. These breaches occurred within organizations that collectively represent 1.5 million employees globally.

The attackers leveraged the EvilProxy phishing-as-a-service platform, which uses reverse-proxy and cookie-injection techniques. These techniques allowed them to bypass multi-factor authentication (MFA), which is often touted as a defense against phishing. Reverse-proxy toolkits such as EvilProxy are making it increasingly feasible for malicious actors to overcome MFA.

Upon obtaining credentials, the attackers wasted no time in accessing executives' cloud accounts, achieving entry in mere seconds. Subsequently, they maintained control by employing a native Microsoft 365 application to incorporate their own MFA into the "My Sign-Ins" section. The favored method for this action was the "Authenticator App with Notification and Code."

Surprisingly, the researchers noted that there has been a rise in account takeovers among tenants with MFA protection. Their data suggests that at least 35% of all compromised users over the past year had MFA enabled.

The EvilProxy attack typically commences with attackers masquerading as trusted services such as Concur, DocuSign, and Adobe. They send phishing emails from spoofed addresses, purportedly originating from these services, containing links to malicious Microsoft 365 phishing sites.

Clicking on these links initiates a multi-step infection process involving redirects to legitimate sources like YouTube, followed by further redirects utilizing malicious cookies and 404 errors. This convoluted approach is designed to scatter the traffic, minimizing the chances of detection.

Ultimately, the user traffic arrives at an EvilProxy phishing framework—a landing page functioning as a reverse proxy. This page imitates recipient branding and third-party identity providers.

Despite the large number of attacks, the cybercriminals exhibited precision, specifically targeting top-tier executives. C-level executives were the focus in approximately 39% of the attacks, with 17% targeting CFOs and 9% aimed at presidents and CEOs.

The success of this campaign in breaching MFA and its extensive scale underscore the advancing sophistication of phishing attacks. This necessitates organizations to bolster their security measures and adopt proactive cybersecurity intelligence to detect anomalous activities, emerging threats, and potential vulnerabilities.

While the effectiveness of EvilProxy as a phishing tool is acknowledged, there remains a significant gap in public awareness regarding its risks and implications. 

Proofpoint recommends a series of steps to mitigate phishing risks, including blocking and monitoring malicious email threats, identifying account takeovers, detecting unauthorized access to sensitive cloud resources, and isolating potentially malicious sessions initiated through email links.

Microsoft: Windows 11's Upgraded Phishing Tools

Microsoft installed phishing defense in Windows 11 Version 22H2 to help reduce the ongoing danger of identity fraud.

A phishing attempt frequently takes the shape of an email that closely resembles a genuine one and leads the recipient to a bogus login page. The most convincing phishing attempts closely mimic the logos, language, and layout of the real site.

The Windows 11 software system includes improved phishing security that instantly recognises risk when users type their passwords into any app or website. According to a post by Microsoft, Windows can determine whether an app or website is secure and will alert users when it isn't.

Admins can better defend against such attacks by knowing when a password has been stolen. When Windows 11 blocks one phishing attack, the resulting threat intelligence is shared to protect other Windows users against the same attack across other apps and websites.

Users are also advised to change their passwords. Once activated, the feature can alert users of Chrome or Microsoft Edge to potentially dangerous websites. Enhanced phishing protection integrates with a local PC account, Azure, or Microsoft Active Directory.

Compared to earlier releases, Windows 11 offers more security features. For maximum protection, you will want to configure Windows Security in addition to biometric options such as Windows Hello facial recognition.

Enable BitLocker encryption on the system drive as well to safeguard your data. The user may occasionally need to turn Windows Security off and back on for a variety of reasons, even if utilising it is a no-brainer.

If users enter their password into a malicious website in any Chromium browser or in an app that connects to a phishing site, a blocking dialogue warning is presented asking them to change it.

Windows 11 alerts users that storing their password locally, such as in Notepad or any Microsoft 365 software, is risky and prompts them to delete the password from the file.

Spyware Infests the Microsoft Store with Classic Game Pirates


Electron Bot, a malware which infiltrated Microsoft's Official Store via clones of popular games like Subway Surfer and Temple Run, infected approximately 5,000 machines in Sweden, Israel, Spain, and Bermuda. 

Check Point discovered and analyzed the malware, a backdoor that gives attackers full control over infected PCs, allowing remote command execution and real-time interaction. The threat actors' purpose is social media promotion and fraud, achieved by taking control of social media profiles: Electron Bot allows new account registration, commenting, and liking.

An initial Electron Bot variant, uploaded to the Microsoft Store as "Album by Google Photos" under a fake "Google LLC" publisher, was identified at the end of 2018. The malware, which is named after the Electron programming language, can mimic natural browsing behavior and act as if it were a real website visitor. It accomplishes this by opening a new hidden browser window with the Electron framework's Chromium engine, setting the relevant HTTP headers, rendering the requested HTML page, and finally performing mouse actions.

In an SEO poisoning campaign, threat actors build rogue websites and use search engine optimization techniques to push them to the top of the search results. SEO poisoning is also offered as a service to boost other websites' rankings, in addition to promoting malicious sites. The infection chain starts when the user downloads one of the infected apps from the Microsoft Store, which is otherwise a trusted source of software. When the application is launched, a JavaScript dropper is dynamically loaded in the background to fetch and install the Electron Bot payload.

The malware connects to the C2 (Electron Bot[.]s3[.]eu-central-1[.]amazonaws[.]com or 11k[.]online), acquires its configuration, and executes any queued commands at the next system startup. The JS files dropped on the machine are relatively short and appear benign because the main scripts are loaded dynamically at run time.

Fraud, fleeceware, and banking trojans abound in official app stores. ThreatFabric recently found the Xenomorph banking malware, and the most brazen has to be Vultur, a trojan hidden inside a fully functional two-factor authentication (2FA) app that recently infected 10,000 people who downloaded it from Google Play.

The successful entry of Electron Bot into Microsoft's official app store is only the most recent example of how consumers throw caution to the wind whenever they see a shiny new toy in the app store.

43% of all Malware Installations are Concealed in Microsoft Office Documents


Companies now rely on hundreds of cloud applications because of the transition from office work to remote work, and many of these applications may be vulnerable to cyberattacks or exploitation. This has expanded the attack surface and exposed companies to a slew of new threats.

Although hiding malware in office documents has been around for a long time, it remains very effective at duping individuals. After embedding a hostile macro into an office document, malicious actors email the infected file to thousands of people and wait for potential targets to open it. A macro is a collection of commands packed together to perform a task automatically.

According to recent research by the Atlas VPN team, malicious office documents account for 43 percent of all malware installations. Malicious office files are popular with cybercriminals because they can evade detection by most antivirus programs.

The research is based on the Netskope Threat Lab Cloud and Threat Report: July 2021 Edition. It examined office documents from all platforms, including Microsoft Office 365, Google Docs, PDFs, and others. A year earlier, in the second quarter of 2020, only 14 percent of all downloaded malware consisted of malicious office documents. In the third quarter of last year, the share rose to 38%. This growth was driven largely by remote work, as attackers discovered that malware-laden documents proved highly effective.

The effectiveness of EMOTET appears to have spread swiftly among cybercriminal gangs, motivating other hackers to adopt a similar approach. Another reason harmful documents succeed is that they can avoid detection by antivirus software and appear to be from a reliable source. 

Cyberattacks using malware-laden documents are designed to exploit the user's inability to recognize the danger. Only a blend of cybersecurity knowledge, training, and security software can provide the highest level of protection.

Fraudsters have taken advantage of Microsoft Office and Google Docs' popularity by introducing malicious code into the documents. To protect users from malware attacks, organizations must design and maintain a cybersecurity plan that addresses both the technological and human components. 

Hackers Have Devised a New Trick to Disable Macro Security Warnings


Threat actors have found a novel method for disabling macro security warnings in malspam assaults that use non-malicious documents. Microsoft Office macro malware that uses social engineering to infect computers has been a common feature of the threat landscape in recent years. Malware authors are constantly refining their strategies in order to avoid detection. Macro obfuscation, DDE, living off the land tools (LOLBAS), and even legacy-supported XLS formats are among the strategies used. 

According to McAfee Labs analysts, threat actors are now using non-malicious documents to disable security warnings before executing macro code on the recipient's computer. The macro in the first spammed attachment contains no malicious code itself; instead, the attackers use it to download and run malicious DLLs (ZLoader). ZLoader has been active since at least 2016, when it was used to propagate Zeus-like banking trojans (i.e. Zeus OpenSSL). It borrows several functions from the notorious Zeus 2.0.8.9 banking trojan.

The attack chain begins with a spam email carrying a Microsoft Word document that, once opened, downloads a password-protected Microsoft Excel file from a remote server. The download begins only after the victim has enabled the macros hidden in the Word document. "After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions," reads the analysis published by McAfee.

“Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning’ and invokes the malicious macro function from the Excel file. The Excel file now downloads the ZLoader payload. The ZLoader payload is then executed using rundll32.exe.” 

The Word VBA extracts the content of the cells from the XLS file and uses it to generate a new macro for the same XLS file, writing the cell contents into the XLS VBA project as functions. Once the macros are in place, the Word document disables the macro security warnings by setting the registry policy (HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM) to "Disable Excel Macro Warning" and runs the malicious Excel macro function. The Excel file then uses rundll32.exe to download and run the ZLoader payload.
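The registry write in this chain is a useful detection point: a Word process setting Excel's AccessVBOM trust value is exactly the cross-application behaviour described above. The following detector is an added example, not McAfee's or the blog's code; it runs over constructed Sysmon-style Event ID 13 (RegistryEvent SetValue) records, and the VBAWarnings value it also watches is a real neighbouring Office setting added here as a defensive check.

```python
import re
from typing import Optional

# Registry values governing Office macro trust. AccessVBOM is the value named in
# the McAfee analysis; VBAWarnings (the macro warning level) is a real neighbouring
# value added here as a defensive check.
WATCHED = {"AccessVBOM": "trust access to the VBA project object model",
           "VBAWarnings": "macro security warning level"}
OFFICE_SECURITY = re.compile(
    r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\(?P<app>Excel|Word|PowerPoint)"
    r"\\Security\\(?P<value>AccessVBOM|VBAWarnings)$", re.IGNORECASE)
OWN_PROCESS = {"excel": "excel.exe", "word": "winword.exe", "powerpoint": "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe"}

def dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000001)' rendering of a REG_DWORD value."""
    m = re.search(r"DWORD \((0x[0-9a-fA-F]+)\)", details)
    return int(m.group(1), 16) if m else None

def classify(event: dict) -> Optional[dict]:
    """Return an alert if a SetValue event weakens Office macro trust, else None."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    m = OFFICE_SECURITY.search(event.get("TargetObject", ""))
    if not m:
        return None
    value, app = m.group("value"), m.group("app").lower()
    # AccessVBOM=1 lets VBA write macros; VBAWarnings=1 enables all macros silently.
    if dword(event.get("Details", "")) != 1:
        return None
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if writer in SCRIPT_HOSTS or (writer in OWN_PROCESS.values() and writer != OWN_PROCESS[app]):
        severity = "high"    # another Office app or a script host rewriting this app's trust policy
    else:
        severity = "medium"  # possibly a user toggling Trust Center settings; still worth review
    return {"severity": severity, "writer": writer, "app": app, "value": value,
            "office_version": m.group("ver"), "meaning": WATCHED[value],
            "key": event["TargetObject"]}

def scan(events):
    """Run classify() over a batch of events and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a]

# Constructed Sysmon-style records for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},   # Word enabling Excel's VBA trust: the chain above
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings",
     "Details": "DWORD (0x00000002)"},   # "disable with notification": a safe setting
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM",
     "Details": "DWORD (0x00000000)"},   # trust access switched back off: benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["writer"], "->", alert["key"])
```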

“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payloads,” the researchers conclude.

Cracked Version of few Software Steal Session Cookies and Monero Cryptocurrency


Bitdefender, a Romania-based cybersecurity company headquartered in Bucharest, has recently warned that cracked versions of Microsoft Office and Adobe Photoshop steal browser session cookies and Monero cryptocurrency from the users who install the pirated apps.

As most readers will know, cracked software is a genuine application whose registration or licensing checks have been removed. In the past, cracked software (also known as warez) was exchanged mainly through BitTorrent and mostly attracted freeloaders who wanted to use a particular suite without paying for a license.

However, these cracks come at a different price: Bitdefender observed that some versions of both suites are being circulated with malware that captures browser session cookies (or, in Firefox, the complete user profile history). It hijacks Monero cryptocurrency deposits and exfiltrates certain information over BitTorrent, having first opened a backdoor and disabled the machine's firewall.

"Once executed, the crack drops an instance of ncat.exe (a legitimate tool to send raw data over the network) as well as a Tor proxy," said Bogdan Botezatu, Bitdefender's director of threat research and reporting, and security researcher Eduard Budaca. They added: "The tools work together to create a powerful backdoor that communicates through TOR with its command-and-control center: the ncat binary uses the listening port of the TOR proxy ('--proxy 127.0.0.1:9075') and uses the standard '--exec' parameter, which allows all input from the client to be sent to the application and responses to be sent back to the client over the socket (reverse shell behavior)."

Reportedly, operators take some time to analyze a compromised machine and decide whether it is worth robbing, depending on the estimated value they could gain from it.

Before software-as-a-service business models became feasible in the cloud, vendors depended entirely on physical media to deliver the whole program to end users. Copy protection was an immediate and common target for crackers, resulting in unlawful copies of otherwise fully functional software being sold at a much lower cost.

“Pirated software is never the way to go, however tempting it may be, as the risks tend to always outweigh the benefits,” sources further noted. 

Microsoft Office 365 Exposing User’s IP Address in Emails


Microsoft Office 365's webmail interface has been found to expose the user's IP address by injecting it into the message as an extra mail header.

This is a serious warning for anyone who relied on the Office 365 webmail interface to hide their IP address, because in reality they are not concealing anything.

When an email is sent via Office 365 (https://outlook.office365.com/), the service injects an extra mail header called x-originating-IP that contains the IP address of the connecting client, which in this case is the user's own IP address.

BleepingComputer tested the webmail interfaces of Gmail, Yahoo, AOL, Outlook.com (https://outlook.live.com), and Office 365.

Microsoft removed the x-originating-IP header field from Hotmail in 2013 to offer its users better security and privacy.

"Please be informed that Microsoft has opted to mask the X-Originating IP address. This is a planned change on the part of Microsoft in order to secure the well-being and safety of our customers."

For Office 365, however, which caters to the enterprise, this header was deliberately left in so that admins could search for email sent to their organization from a specific IP address. This is particularly helpful for locating a sender in the event of an account compromise.

Office 365 admins who do not wish to keep this header can create a rule in the Exchange admin center that removes it.

In any case, for security and auditing purposes, it is most likely a more shrewd decision to keep it enabled.

Multi-factor authentication bypassed to hack Office 365 & G Suite Cloud accounts


Massive IMAP-based password-spraying attacks successfully breached Microsoft Office 365 and G Suite accounts, circumventing multi-factor authentication (MFA) according to an analysis by Proofpoint.

As noted by Proofpoint's Information Protection Research Team in a recent report, during a "recent six-month study of major cloud service tenants, Proofpoint researchers observed attackers are targeting legacy protocols with stolen credential dumps to increase the speed and efficiency of the brute force attacks."

According to the Proofpoint study, IMAP is the most abused protocol, because legacy IMAP authentication bypasses MFA and the lock-out options for failed logins.

This technique takes advantage of the fact that legacy IMAP authentication bypasses MFA, allowing malicious actors to perform credential stuffing attacks against accounts that would otherwise have been protected.
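Because legacy IMAP authentication cannot prompt for MFA, defenders have to catch the spray in the sign-in telemetry instead: one source address failing against many distinct accounts over a basic-auth protocol inside a short window, followed by a success. The detector below is an added example, not Proofpoint's code or any tenant's real logs; the simplified sign-in record format and the documentation-range IP addresses are constructed for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, simplified sign-in records (timestamp,user,src_ip,protocol,result).
# Not real tenant logs; 203.0.113.7, 198.51.100.9 and 192.0.2.5 are documentation IPs.
SAMPLE_LOG = """\
2019-03-12T08:00:05Z,alice@example.com,203.0.113.7,IMAP,FAILURE
2019-03-12T08:00:41Z,bob@example.com,203.0.113.7,IMAP,FAILURE
2019-03-12T08:01:19Z,carol@example.com,203.0.113.7,IMAP,FAILURE
2019-03-12T08:02:02Z,dave@example.com,203.0.113.7,IMAP,FAILURE
2019-03-12T08:02:48Z,erin@example.com,203.0.113.7,IMAP,FAILURE
2019-03-12T08:03:30Z,frank@example.com,203.0.113.7,IMAP,FAILURE
2019-03-12T08:04:10Z,frank@example.com,203.0.113.7,IMAP,SUCCESS
2019-03-12T08:10:00Z,alice@example.com,198.51.100.9,OWA,FAILURE
2019-03-12T08:10:20Z,alice@example.com,198.51.100.9,OWA,FAILURE
2019-03-12T08:10:40Z,alice@example.com,198.51.100.9,OWA,FAILURE
2019-03-12T08:15:00Z,grace@example.com,192.0.2.5,IMAP,SUCCESS
"""

# Basic-auth protocols that cannot challenge for MFA (names as used in the sample format).
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP"}

def parse(log: str):
    """Turn the CSV-style sample records into dicts with real datetimes."""
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, proto, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "proto": proto, "result": result})
    return events

def max_distinct_users(events, window):
    """Largest number of distinct users attempted within any span of length `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    best, left, in_window = 0, 0, Counter()
    for ev in events:
        in_window[ev["user"]] += 1
        while ev["ts"] - events[left]["ts"] > window:   # slide the left edge forward
            old = events[left]["user"]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best

def detect_spraying(log, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs spraying many accounts over legacy protocols; list any successes."""
    by_ip = defaultdict(list)
    for ev in parse(log):
        if ev["proto"] in LEGACY_PROTOCOLS:
            by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "FAILURE"]
        distinct = max_distinct_users(failures, window)
        if distinct < min_users:
            continue  # one user failing repeatedly is brute force, not a spray
        compromised = sorted({e["user"] for e in evs if e["result"] == "SUCCESS"})
        findings.append({"src_ip": ip, "distinct_users": distinct,
                         "attempts": len(failures), "compromised": compromised})
    return findings

if __name__ == "__main__":
    for finding in detect_spraying(SAMPLE_LOG):
        print(finding)
```

Only the 203.0.113.7 spray is reported: the repeated OWA failures for a single account are a brute-force pattern, and the lone IMAP success from 192.0.2.5 has no failure burst behind it.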

These new brute-force attacks take a different approach from the traditional brute-force attack, which tries many password combinations against a single username.

Proofpoint's analysis of over one hundred thousand unauthorized logins across millions of monitored cloud user accounts found that:

▬ 72% of tenants were targeted at least once by threat actors
▬ 40% of tenants had at least one compromised account in their environment
▬ Over 2% of active user-accounts were targeted by malicious actors
▬ 15 out of every 10,000 active user-accounts were successfully breached by attackers

Their analysis unearthed the fact that around 60% of all Microsoft Office 365 and G Suite tenants have been targeted using IMAP-based password-spraying attacks and, as a direct result, approximately 25% of G Suite and Office 365 tenants that were attacked also experienced a successful breach.

On the whole, after crunching down the numbers, Proofpoint reached the conclusion that threat actors managed to reach a surprising 44% success rate when it came to breaching accounts at targeted organizations.

The ultimate aim of the attackers is to launch internal phishing and to have a strong foothold within the organization. Internal phishing attempts are hard to detect when compared to the external ones.

Adobe Patched Zero-Day Vulnerability


Adobe has recently issued a security update for Flash Player in order to fix a zero-day vulnerability that was exploited by attackers in the wild.

The Flash Player vulnerability (CVE-2018-5002), a stack-based buffer overflow that could allow arbitrary code execution, was patched on June 7.

The flaw was discovered and independently reported by several security firms, notably ICEBRG, Tencent, and two security teams from Chinese security giant Qihoo 360. Tracked as CVE-2018-5002, it affects Adobe Flash Player 29.0.0.171 and earlier versions and was fixed in the timely release of Flash Player 30.0.0.113.

“It allows for a maliciously crafted Flash object to execute code on victim computers, which enables an attacker to execute a range of payloads and actions,” said the researchers from ICEBRG's Security Research Team, who were the first to report the discovered vulnerability.

According to ICEBRG analysts, the exploit uses a carefully crafted Microsoft Office document to download and execute the Adobe Flash exploit on the victim's PC. The documents were distributed primarily through email, according to Adobe.

Both ICEBRG and Qihoo 360 found evidence suggesting that the exploit targeted Qatari victims, in light of the geopolitical interests involved.

“The weaponized document … is an Arabic language themed document that purports to inform the target of employee salary adjustments,” ICEBRG researchers said. “Most of the job titles included in the document are diplomatic in nature, specifically referring to salaries with positions referencing secretaries, ambassadors, diplomats, etc.”

According to Will Dormann of CERT/CC, besides fixing the actual flaw, Adobe also added an extra dialog that asks users whether they want to load remote SWF files embedded in Office documents. The prompt also mitigates an issue with Office applications, where Flash content was sometimes downloaded automatically without asking the user beforehand.