1. Financial Executives Are Targets of a New Office365 Phishing Campaign
- Threat actors are leveraging organizational changes across the U.S. to deploy targeted Microsoft Office 365 phishing attacks aimed at luring newly appointed executives who are in a transition period of their careers. This phishing campaign is currently targeting executives in the insurance and financial services industries, with the goal of harvesting email credentials to launch future business email compromise (BEC) attacks.
- This sophisticated phishing campaign appears to be far-reaching: different strains are designed to target C-suite executive assistants, who often have close access to critical data pertaining to executives, including appointment schedules.
- One strain of this phishing campaign spoofs Microsoft Office 365 security updates and appears to have been sent from Microsoft-themed domains for added legitimacy. The threat actors also configured SPF records for those domains so that their messages pass sender authentication and evade detection.
Expert Commentary: Threat actors have been leveraging popular Microsoft enterprise tools, such as Office 365 and Teams, to steal targeted credentials with elevated access; lateral movement is the ultimate goal. The use of Microsoft Office 365 as a launching base for BEC attacks is therefore nothing new. However, the merging of multiple attack methodologies, such as spoofing of domains and system security updates, the use of attacker-controlled SPF records, and the use of open-source front-end web development tools to create fake Microsoft sites and monitor user activity on them, simply increases an attacker’s chances of infiltrating corporate email systems.
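The commentary's point is that SPF only proves a message came from the domain it claims, not that the domain is Microsoft's. The following triage check is an added example (not from the original report) that reads a constructed message header, extracts the SPF result and sender domain, and flags Microsoft-themed lookalike domains even when SPF passed; the trusted-sender list and brand tokens are assumptions.

```python
"""Triage an inbound message: spf=pass on an attacker-owned lookalike domain
is still phishing. Flag brand-imitating sender domains regardless of SPF."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list of domains Microsoft service mail may come from
TRUSTED_SENDERS = {"microsoft.com", "microsoftonline.com", "office.com"}
# Brand tokens a Microsoft-themed spoofing domain typically embeds (assumed)
BRAND_TOKENS = ("microsoft", "office365", "o365", "outlook", "sharepoint")

def spf_result(msg):
    """Return the spf= verdict from Authentication-Results, or 'none'."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", hdr)
        if m:
            return m.group(1).lower()
    return "none"

def sender_domain(msg):
    """Domain part of the visible From: address (what the executive sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_lookalike(domain):
    """True if the domain imitates a trusted brand without being one."""
    if domain in TRUSTED_SENDERS:
        return False
    if any(tok in domain for tok in BRAND_TOKENS):
        return True
    # also catch typo-squats such as micros0ft.com by string similarity
    return any(SequenceMatcher(None, domain, t).ratio() >= 0.85
               for t in TRUSTED_SENDERS)

def triage(raw):
    """Parse a raw message and return a verdict dict."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    v = {"domain": dom, "spf": spf_result(msg), "lookalike": is_lookalike(dom)}
    # authenticated is not the same as legitimate: lookalike wins over spf=pass
    v["suspicious"] = v["lookalike"] or v["spf"] != "pass"
    return v

# Constructed sample: SPF passes, but the sender domain only looks like Microsoft
SAMPLE = """From: Microsoft Security <alerts@microsoft-security-update.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=microsoft-security-update.example
Subject: Action required: Office 365 security update

Please review your account."""
```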
2. Hackers Abuse Misconfigured and Out-of-Date Servers
- According to security researchers, hackers for hire who specialize in Distributed Denial of Service (DDoS) attacks have been discovered abusing Datagram Transport Layer Security (D/TLS) servers that are either misconfigured or out of date because of inadequate security patching.
- A D/TLS-based DDoS attack gives less-sophisticated attackers the ability to amplify malicious traffic against targeted devices, causing several levels of network-wide disruption, including server unavailability. This attack methodology has therefore been leveraged by pranksters, hacktivists, and cybercriminals alike.
- This DDoS style of attack is currently being commercialized by sophisticated attackers, such that it can be replicated and sometimes customized depending on the type of infrastructure that is being targeted.
Expert Commentary: The Transport Layer Security (TLS) protocol was initially designed to prevent eavesdropping on and tampering with data packets in delay-sensitive services. However, threat actors for hire have devised a commercialized method of abusing said protocol as an effective way of compromising the availability of critical services, including database servers and applications. Although compromising the availability of a critical resource is a ‘low-hanging fruit’ method of attack, it is often disastrous; Gartner pinpoints the average cost of a 24-hour IT service downtime at roughly $140,000 per hour.
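A reflection attack of the kind described above shows up in network flow data as many UDP/443 servers each sending far more bytes to one host than that host ever sent them. The detector below is an added example (not from the original report) run over constructed flow records; the amplification threshold and reflector count are assumed tuning values.

```python
"""Spot D/TLS reflection/amplification in flow records. Sample flows are
constructed: a victim is 'seen' sending small spoofed requests to three DTLS
servers, each of which answers with a large handshake response."""
from collections import defaultdict

DTLS_PORT = 443               # D/TLS commonly runs over UDP/443
AMPLIFICATION_THRESHOLD = 10  # reply bytes per request byte (assumed)
MIN_REFLECTORS = 3            # distinct servers replying to one host (assumed)

# (src_ip, src_port, dst_ip, dst_port, proto, bytes) - constructed records
FLOWS = [
    # spoofed requests appear to come from the victim 203.0.113.10
    ("203.0.113.10", 40001, "198.51.100.1", 443, "udp", 120),
    ("203.0.113.10", 40002, "198.51.100.2", 443, "udp", 120),
    ("203.0.113.10", 40003, "198.51.100.3", 443, "udp", 120),
    # each server answers the victim with much larger responses
    ("198.51.100.1", 443, "203.0.113.10", 40001, "udp", 4500),
    ("198.51.100.2", 443, "203.0.113.10", 40002, "udp", 4300),
    ("198.51.100.3", 443, "203.0.113.10", 40003, "udp", 4600),
    # a normal D/TLS session: modest, roughly symmetric byte counts
    ("192.0.2.5", 51000, "198.51.100.1", 443, "udp", 2000),
    ("198.51.100.1", 443, "192.0.2.5", 51000, "udp", 3000),
]

def dtls_amplification(flows):
    """Return {victim_ip: (reflector_count, amplification_factor)} for hosts
    that look like targets of D/TLS reflection."""
    sent = defaultdict(int)  # (client, server) -> bytes client sent to UDP/443
    recv = defaultdict(int)  # (client, server) -> bytes server sent back
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == DTLS_PORT:
            sent[(src, dst)] += nbytes
        elif sport == DTLS_PORT:
            recv[(dst, src)] += nbytes
    per_victim = defaultdict(lambda: [0, 0, 0])  # reflectors, req bytes, reply bytes
    for (client, server), reply in recv.items():
        req = sent.get((client, server), 0)
        # a reply with no matching request, or a hugely amplified one, is the signature
        if req == 0 or reply / req >= AMPLIFICATION_THRESHOLD:
            entry = per_victim[client]
            entry[0] += 1
            entry[1] += req
            entry[2] += reply
    return {v: (n, round(rb / rq, 1) if rq else float("inf"))
            for v, (n, rq, rb) in per_victim.items() if n >= MIN_REFLECTORS}
```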
3. REvil Ransomware Now Reboots Infected Devices
- The notorious ransomware gang REvil has updated its attack toolkit with new malware capabilities that allow the attackers to reboot an infected device after encrypting it. According to security experts, these new capabilities are driven by two new command-line arguments, ‘AstraZeneca’ and ‘Franceisshit,’ which are both applied in Windows Safe Mode to grant access to the startup settings screen of Windows devices.
- The ‘AstraZeneca’ argument is used to run REvil ransomware samples in Windows Safe Mode, while the ‘Franceisshit’ argument is deployed in Safe Mode to make sure that the device boots back into normal mode after the next reboot.
- By deploying ransomware in Safe Mode, REvil attackers are able to make system changes that might otherwise be blocked if the targeted device were running in normal mode.
Expert Commentary: Ransomware gangs are always evolving, developing more innovative ways to improve both their likelihood of success and the magnitude of their impact. For ransomware attackers, one of the most important factors that guarantees success is the ability to evade detection. Therefore, by encrypting vulnerable devices in Windows Safe Mode, the attacker is able to disable certain security software that has been tasked with protecting devices against malicious intrusions.
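Because security software may not be running once the host is in Safe Mode, the defender's best chance is to catch the transition itself. The hunt below is an added example (not from the original report) run over constructed process-creation events: it flags a boot-configuration change forcing Safe Mode, a payload launched with the arguments named above, and the change that restores normal boot. The bcdedit commands are an assumption about how Safe Mode entry is typically configured, not a detail from the report.

```python
"""Hunt process-creation telemetry for the Safe Mode ransomware pattern.
Events are constructed; bcdedit usage is assumed, not taken from the report."""
import re

SAFEBOOT_SET = re.compile(r"bcdedit(\.exe)?\s.*/set\s.*\bsafeboot\b", re.I)
SAFEBOOT_CLEAR = re.compile(r"bcdedit(\.exe)?\s.*/deletevalue\s.*\bsafeboot\b", re.I)
REVIL_ARGS = ("AstraZeneca", "Franceisshit")  # arguments named in the report
WINDOW = 600  # seconds between safeboot change and payload launch (assumed)

def classify(cmdline):
    """Map one command line to a detection tag, or None if not of interest."""
    if SAFEBOOT_CLEAR.search(cmdline):
        return "safeboot-cleared"   # restoring normal boot for the next reboot
    if SAFEBOOT_SET.search(cmdline):
        return "safeboot-set"       # forcing the next boot into Safe Mode
    if any(re.search(r"(^|\s)-?%s\b" % a, cmdline) for a in REVIL_ARGS):
        return "revil-args"         # payload carrying the reported arguments
    return None

def hunt(events):
    """Return (host, tag, severity) alerts in time order. A payload with the
    REvil arguments shortly after a safeboot change on the same host is 'high'."""
    alerts, last_set = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        tag = classify(ev["cmdline"])
        if tag is None:
            continue
        host, sev = ev["host"], "medium"
        if tag == "safeboot-set":
            last_set[host] = ev["time"]
        elif tag == "revil-args" and host in last_set \
                and ev["time"] - last_set[host] <= WINDOW:
            sev = "high"
        alerts.append((host, tag, sev))
    return alerts

# Constructed events: time is epoch seconds, cmdline is the process command line
EVENTS = [
    {"time": 1000, "host": "FIN-WS01", "cmdline": "bcdedit /set {current} safeboot network"},
    {"time": 1100, "host": "FIN-WS01", "cmdline": "C:\\Users\\Public\\upd.exe -AstraZeneca"},
    {"time": 1500, "host": "FIN-WS01", "cmdline": "bcdedit /deletevalue {current} safeboot"},
    {"time": 1200, "host": "FIN-WS02", "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```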
4. A Custom Malware Actively Scans the Internet for Exposed Windows Systems
- A customized malware known as ‘Purple Fox,’ which is being used in several phishing exploit kits, has been retrofitted with worm-like capabilities that allow it to scan the internet for, and infect, vulnerable Windows systems using password brute-force tactics.
- After being used as a downloader to introduce other malware variants, Purple Fox infected up to 30,000 devices in 2018. According to security experts monitoring the malware, attacks associated with it have intensified by up to 600% since May 2020, with a total of 90,000 attacks recorded since then.
- Thus far, Purple Fox’s new capability infects Windows users by compromising their web browsers and then exploiting unpatched memory corruption and privilege elevation vulnerabilities in the system. Relying on a botnet, the malware is programmed to target Windows servers running IIS version 7.5 and Microsoft File Transfer Protocol (FTP), and servers running popular Microsoft-based services, including Microsoft Remote Procedure Call (RPC), Microsoft SQL Server 2008 R2, Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.
Expert Commentary: The active port scanning and vulnerability exploitation attempts by Purple Fox underscore the importance of proactive vulnerability scanning. As threat actors continue to evolve in today’s dynamic threat landscape, they can always count on users maintaining poor security hygiene, including failing to apply available security patches in a reasonable time.
5. An Increase in Security Tools is Causing Fatigue and Burn-Out
- Most organizations have reasonable requirements and good intentions when purchasing security tools to secure their corporate infrastructure. However, the average organization maintains 19 different security tools, with only 22% of those tools contributing to the enterprise security goals and objectives at hand.
- A survey of IT teams across major U.S. industries reveals that the success of a security tool is often measured by its return on investment (ROI). However, the means currently available for measuring the effectiveness of each security tool deployed within an infrastructure are unreliable, because only about 47% of those tools are used on a daily basis.
- The growing number of security tools tends to overwhelm IT teams, hampering the visibility and insight required to make proactive and operational IT security decisions.
Expert Commentary: Oftentimes, security leaders view investment and direction differently than those charged with security execution. Though the individuals charged with security execution keep their eye on business goals and on putting out fires, accurately measuring the ROI of security tools is a major challenge that is often buried by purchasing more security tools. Although there will never be a ‘one-size-fits-all’ security tool, it is imperative that IT teams are equipped with better process integration and automation to help focus their sights on proper detection, prevention, and correction of the emerging security threats plaguing every industry to date.