
Alert! Large-Scale AiTM Attacks Targeting Enterprise Users
A new large-scale phishing campaign has been reported that uses adversary-in-the-middle (AitM) tactics to circumvent security safeguards and compromise business email accounts.

Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu said in a Tuesday report, "It uses an adversary-in-the-middle (AitM) attack technique capable of bypassing multi-factor authentication. The campaign is specifically designed to reach end users in enterprises that use Microsoft's email services." 

Fintech, lending, insurance, energy, manufacturing, and federal credit union verticals are the main targets, in the United States, United Kingdom, New Zealand, and Australia. This is not the first time such a phishing attack has been identified: Microsoft revealed this month that over 10,000 businesses had been targeted by AitM tactics since September 2021 to compromise accounts protected by multi-factor authentication (MFA).

The ongoing campaign, which began in June 2022, starts with an invoice-themed email sent to targets that includes an HTML attachment with a phishing URL embedded in it. Opening the attachment in a web browser takes the recipient to a phishing website posing as a Microsoft Office login page, but not before the visiting system is fingerprinted to check whether the visitor is an intended target.

AitM phishing attacks go beyond standard phishing tactics aimed at stealing credentials from unsuspecting users, particularly where MFA is enabled, a safeguard that prevents the attacker from logging into the account with the stolen credentials alone. To get around this, the rogue landing page, built with a phishing kit, acts as a proxy, capturing and relaying all traffic between the client (i.e., the victim) and the email server.

"The kits intercept the HTML content received from the Microsoft servers, and before relaying it back to the victim, the content is manipulated by the kit in various ways as needed, to make sure the phishing process works," the researchers stated. 

This also includes replacing links to Microsoft domains with equivalent links to the phishing domain, so that the back-and-forth with the phony website continues throughout the session. According to Zscaler, the attacker manually logged into the account eight minutes after the credential theft, reading emails and checking the user's personal information.
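The eight-minute follow-on login above is the detection opportunity a defender has once the proxy has done its work: the victim's MFA sign-in is immediately followed by a session from an address the victim never used, and that second sign-in never answers a fresh MFA challenge because it replays the captured session. The script below is an added example, not Zscaler's or Microsoft's code; the sign-in records are constructed in a generic JSON-per-line shape, and the field names (ts, user, ip, result, mfa) are assumptions you would map onto your own identity provider's sign-in log.

```python
"""Flag the AiTM follow-on sign-in: an MFA-protected login followed within
minutes by a successful login from a different address that passed without
a fresh MFA challenge (a replayed session). Added example; the log lines are
constructed and the field names are assumptions, not a real tenant's schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sign-in events (not from a real tenant). "mfa" records whether
# a fresh MFA challenge was satisfied on that particular sign-in.
SAMPLE_LOG = """\
{"ts": "2022-07-19T09:00:12Z", "user": "a.user@example.com", "ip": "203.0.113.10", "result": "success", "mfa": true}
{"ts": "2022-07-19T09:08:40Z", "user": "a.user@example.com", "ip": "198.51.100.77", "result": "success", "mfa": false}
{"ts": "2022-07-19T10:15:00Z", "user": "b.user@example.com", "ip": "203.0.113.22", "result": "success", "mfa": true}
{"ts": "2022-07-19T10:20:00Z", "user": "b.user@example.com", "ip": "203.0.113.22", "result": "success", "mfa": false}
{"ts": "2022-07-19T11:00:00Z", "user": "c.user@example.com", "ip": "203.0.113.30", "result": "success", "mfa": true}
{"ts": "2022-07-19T11:05:00Z", "user": "c.user@example.com", "ip": "192.0.2.5", "result": "success", "mfa": true}
{"ts": "2022-07-19T12:00:00Z", "user": "d.user@example.com", "ip": "203.0.113.40", "result": "failure", "mfa": false}
"""


def parse_events(text: str) -> list:
    """Parse JSON-per-line sign-in records into dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_session_replay(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Return one alert per pair (MFA sign-in, later non-MFA sign-in from
    another IP) that falls within `window`. The post's attacker logged in
    eight minutes after the theft, so a short window already catches it."""
    by_user = {}
    for ev in events:
        if ev["result"] == "success":
            by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            if not first["mfa"]:
                continue
            for later in evs[i + 1:]:
                gap = later["ts"] - first["ts"]
                if gap > window:
                    break  # events are time-sorted, nothing later can qualify
                if later["ip"] != first["ip"] and not later["mfa"]:
                    alerts.append({"user": user, "mfa_ip": first["ip"],
                                   "replay_ip": later["ip"],
                                   "minutes_after": int(gap.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(parse_events(SAMPLE_LOG)):
        print(f"{alert['user']}: MFA sign-in from {alert['mfa_ip']}, session reused "
              f"from {alert['replay_ip']} {alert['minutes_after']} min later")
```

Only a.user is flagged: b.user's second sign-in comes from the same address, c.user re-authenticated with a fresh MFA challenge from the new address, and d.user's event failed. An IP change on its own is noisy (mobile carriers, VPNs), so in practice enrich both addresses with ASN and country before alerting, and treat a sign-in whose MFA requirement was met by a claim already present in the token as the "no fresh MFA" case.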

Furthermore, compromised email inboxes are often used to send further phishing emails as part of the same campaign in order to carry out business email compromise (BEC) fraud. The researchers noted, "Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions."

Hackers are Using LNK Files to Deploy Malicious Payload
Earlier this month, researchers at McAfee Labs spotted a sophisticated technique in which attackers used email spam and malicious URLs to deliver LNK files to victims. The shortcuts invoke legitimate applications such as PowerShell, CMD, and MSHTA to download malicious files.

LNK files are Windows shortcut files, ending in the .LNK extension, that point to an application or file. They are commonly found on a user's desktop and throughout the system, and can be created by the user or automatically by the Windows operating system.

To see how these files are abused in practice, consider a recently identified Emotet campaign. In this campaign the infection depends on the victim manually opening the attached LNK file. The threat actor replaces the shortcut's original icon with that of a .pdf file, so that the unsuspecting recipient of the email attachment can't spot the difference with a basic visual inspection.

But the threat is real. Windows shortcut files can be used to deploy almost any malware onto the target endpoint, and in this case the Emotet payload is downloaded into the victim's %TEMP% directory. If successful, the malware is loaded into memory using "regsvr32.exe", while the original dropper is deleted from the %TEMP% directory.
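The two indicators the post describes, a shortcut whose real target is a script host such as PowerShell, CMD or MSHTA and whose icon has been swapped for a PDF icon, are both visible in the .LNK file itself, so an attachment scanner can catch the lure before anyone double-clicks it. The script below is an added example, not McAfee's code: it parses the fixed 76-byte header and the StringData section of the Shell Link binary format, then applies those two checks. The sample shortcuts are constructed in memory (the build_lnk helper exists only to produce them), and the PDF-icon heuristic (an Acrobat path or a .pdf icon location) is an assumption, not something the post specifies.

```python
"""Parse and triage a Windows .LNK (Shell Link) file for the lure pattern
described above. Added example, not McAfee's code. Reads the ShellLinkHeader
and StringData of the MS-SHLLINK format, skips the optional LinkTargetIDList
and LinkInfo blocks by their size fields, and flags shortcuts whose target
is a script host while the icon looks like a PDF. Samples are constructed.
"""
import ntpath
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits from the ShellLinkHeader
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

# Script hosts the post names as the launchers abused by LNK lures.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .LNK blob."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_ID_LIST:       # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:     # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_cmd}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info


def triage_lnk(data: bytes) -> list:
    """Return findings for the two indicators the post describes."""
    info = parse_lnk(data)
    target = ntpath.basename(info.get("relative_path", "")).lower()
    icon = info.get("icon_location", "").lower()
    findings = []
    if target in SCRIPT_HOSTS:
        findings.append(f"target is script host {target}")
        # Heuristic (assumption): an Acrobat icon or .pdf icon path on a
        # shortcut that really launches a script host is the icon-swap trick.
        if icon.endswith(".pdf") or "acro" in icon:
            findings.append("icon mimics a PDF document")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Build a minimal Unicode .LNK carrying only StringData (demo input only)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand 1 = SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


# Constructed samples; these are not real Emotet artifacts.
LURE = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "-NoProfile -File invoice_details.ps1",
                 r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe")
BENIGN = build_lnk(r"..\Documents\quarterly_report.pdf", "",
                   r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe")

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage_lnk(blob) or ["no findings"])
```

The relative path in StringData is advisory; the authoritative target of a real shortcut lives in the LinkTargetIDList and LinkInfo blocks, which this example skips, so a production scanner decodes those as well and compares them against the relative path, since a mismatch between the two is itself worth a look.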

Precautionary tips 

Emotet is a sophisticated and long-lived malware family that has affected users globally. Threat actors constantly adapt their techniques to stay one step ahead of security researchers. McAfee Labs continuously monitors Emotet activity and has published the following guidelines to protect users from infection.

• It is important to note that Emotet is an endpoint threat spread via email, so endpoint detection and response (EDR) and antivirus tooling are essential to disrupting it.

• Don’t keep important files in common locations such as the Desktop, My Documents, etc. 

• Use strong passwords and enforce multi-factor authentication wherever possible. 

• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 

• Use a trusted anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. 

• Avoid clicking on untrusted links and email attachments without verifying their authenticity. 

• Conduct regular backup practices and keep those backups offline or in a separate network.