Top five Cyber Threat Intel stories of the week: 07/31 to 08/04/2023

James Beal
Published in Hunter Strategy, Aug 4, 2023

Top 5 general threat intelligence stories of the week. Everything here comes from TLP:WHITE (now TLP:CLEAR) or other open-source websites, so feel free to share it and enjoy reading about these events. Please reach out if you have any questions. Thank you!

General Worldwide activity:

1st: Midnight Blizzard conducts targeted social engineering over Microsoft Teams

Overview: Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques. In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts. As with any social engineering lures, we encourage organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious. Our current investigation indicates this campaign has affected fewer than 40 unique global organizations. The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

Breakdown: More great research out of Microsoft’s Threat Intelligence team on the escalating threat from Teams-based social engineering. As the owner of the products being targeted, Microsoft is in the unique position of seeing all the telemetry behind the attacks and how detections work on these tools. The recommendations section of the report is a valuable reference, with multiple excellent suggestions on remediation and mitigation. Credential phishing, like the business email compromise it often precedes, is a constant top-tier threat, and this is just another delivery method, one that uses already compromised tenants to attack new organizations. Three suggestions stand out: move to phishing-resistant multi-factor authentication (FIDO2 security keys, passkeys or certificate-based authentication), so that no approved prompt or typed code can hand an attacker a session; review user behavior analytics for authentication requests the user did not initiate; and, if you are a customer of Microsoft’s security tools, follow the product-specific steps in the report. Restricting external Teams chat to an allow-list of vetted tenants is worth adding, since the lure here arrives from a tenant the victim organization never had reason to trust.
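Two of those suggestions can be turned into concrete checks. The script below, added here as an illustration rather than code from Microsoft or from the report, runs two heuristics over constructed sample data: a burst of MFA challenges for one user that ends in an approval after refusals or timeouts (a prompt sequence the user did not start), and an inbound external Teams sender whose tenant is not on the allow-list and whose name reads like help desk or IT staff. The event field names, the sample sign-ins and the lure domain are all assumptions of this example, not Microsoft’s log schema or any observed indicator.

```python
"""Two checks for the Teams-lure pattern: an MFA prompt burst the user did
not start, and an external chat sender posing as support. All input below is
constructed sample data, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed sign-in events. The field names are our own assumption and are
# not Microsoft's sign-in log schema; map them from your SIEM as needed.
SAMPLE_SIGNINS = [
    # a.lee: three prompts in four minutes from one IP, two refused, then approved
    {"ts": "2023-08-01T09:02:11Z", "user": "a.lee@example.org", "ip": "203.0.113.7", "mfa_result": "denied"},
    {"ts": "2023-08-01T09:03:40Z", "user": "a.lee@example.org", "ip": "203.0.113.7", "mfa_result": "timeout"},
    {"ts": "2023-08-01T09:05:58Z", "user": "a.lee@example.org", "ip": "203.0.113.7", "mfa_result": "approved"},
    # b.kim: one ordinary approved prompt
    {"ts": "2023-08-01T09:10:02Z", "user": "b.kim@example.org", "ip": "198.51.100.20", "mfa_result": "approved"},
    # c.ortiz: two approved prompts an hour apart, not a burst
    {"ts": "2023-08-01T08:00:00Z", "user": "c.ortiz@example.org", "ip": "198.51.100.21", "mfa_result": "approved"},
    {"ts": "2023-08-01T09:00:00Z", "user": "c.ortiz@example.org", "ip": "198.51.100.21", "mfa_result": "approved"},
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_prompt_bursts(events, window_minutes=10, threshold=3):
    """Return one alert per user whose MFA challenges cluster: at least
    `threshold` prompts inside `window_minutes`, with at least one refusal or
    timeout before a final approval. That shape is an attacker holding a valid
    password and nagging the user until a prompt is accepted."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((_parse_ts(ev["ts"]), ev))
    alerts = []
    for user, items in by_user.items():
        items.sort(key=lambda pair: pair[0])
        for i, (start, _) in enumerate(items):
            window = [ev for t, ev in items[i:] if (t - start).total_seconds() <= window_minutes * 60]
            results = [ev["mfa_result"] for ev in window]
            if (len(window) >= threshold
                    and any(r != "approved" for r in results)
                    and results[-1] == "approved"):
                alerts.append({"user": user, "prompts": len(window),
                               "ips": sorted({ev["ip"] for ev in window}),
                               "results": results})
                break  # one alert per user is enough for triage
    return alerts


# Words an attacker puts in a tenant or display name to look like help desk staff.
SUPPORT_WORDS = re.compile(r"help ?desk|support|security|identity|it[ -]?admin", re.I)


def external_sender_risk(display_name, sender_domain, trusted_domains):
    """Reasons to hold an inbound external Teams chat for review: the sender's
    tenant is not on the organisation's allow-list, and it presents itself as
    support or IT. An empty list means nothing to flag."""
    reasons = []
    if sender_domain.lower() not in {d.lower() for d in trusted_domains}:
        reasons.append("untrusted external tenant")
        if SUPPORT_WORDS.search(display_name) or SUPPORT_WORDS.search(sender_domain):
            reasons.append("impersonates support/IT")
    return reasons


if __name__ == "__main__":
    for alert in mfa_prompt_bursts(SAMPLE_SIGNINS):
        print("MFA burst:", alert)
    # Constructed lure sender; the domain is illustrative only.
    print("Sender:", external_sender_risk("IT Helpdesk", "contoso-helpdesk.example", {"example.org"}))
```

The burst rule deliberately requires a refusal or timeout before the approval: a user who accepts one prompt from a new device is normal, while a user who says no twice and then yes is the case worth a phone call. Phishing-resistant MFA removes the burst pattern altogether, which is why it sits first in the list above; the sender check is the cheap compensating control for tenants that are still on push or code-based MFA.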

2nd: Discarded medical devices found to have troves of information on healthcare facilities

Overview: Infusion pumps being sold on secondary markets like eBay were found to still carry troves of sensitive information about the hospitals that once owned them, researchers have found. Rapid7 principal security researcher Deral Heiland and several others examined 13 infusion pump device brands, like Alaris, Baxter and Hospira, finding access credentials and authentication data for their previous owners. The machines are crucial devices which sit next to hospital beds and transmit fluids, medication or nutrients into a patient’s circulatory system. The examination sheds light on a persistent problem within the medical device field: the critical stored data left on infusion pump devices that is not properly purged prior to de-acquisition. The devices are often sold on secondary markets when hospitals upgrade them or replace them with newer models.

Breakdown: IoT and other non-traditional compute devices have long been an area of concern that tends not to get first priority when an organization considers its overall network security risk. They are harder to baseline in a general way than standard end-user computing devices and servers, and they are easily forgotten as a source of attack and information disclosure. Research released recently showed printers leaking network information, and now this research shows that medical devices can be just as big a concern: the pumps still held access credentials and authentication data for their former owners, which is exactly what an attacker wants for a first foothold. Sanitizing every device that has, or has ever had, network access before it leaves the organization (NIST SP 800-88 is the usual reference for media sanitization) needs to be a standard operating procedure in every organization’s IT policies and procedures, with the wipe verified rather than assumed, or this will continue to happen every time a researcher investigates discarded devices.

3rd: Google explains how Android malware slips onto Google Play Store

Overview: The Google Cloud security team acknowledged a common tactic known as versioning used by malicious actors to slip malware on Android devices after evading the Google Play Store’s review process and security controls. The technique works either by introducing the malicious payloads through updates delivered to already installed applications or by loading the malicious code from servers under the threat actors’ control in what is known as dynamic code loading (DCL). It allows the threat actors to deploy their payloads as native, Dalvik, or JavaScript code on Android devices by circumventing the app store’s static analysis checks. “One way malicious actors attempt to circumvent Google Play’s security controls is through versioning,” the company says in this year’s threat trends report. “Versioning occurs when a developer releases an initial version of an app on the Google Play Store that appears legitimate and passes our checks, but later receives an update from a third-party server changing the code on the end user device that enables malicious activity.”

Breakdown: The Android operating system is always going to be a primary target considering the number of devices running it worldwide. Here we have research from Google itself on attack techniques that abuse the review process for applications on its app store: the version that is reviewed is clean by design, and the capability arrives later, either in an update or fetched at runtime. Android also has a problem with security updates and the way they are handled by device makers and carriers, which leaves vulnerabilities available to malicious groups much longer than they should be, in comparison to Apple’s control over its entire ecosystem and its ability to push patches to all devices quickly. Tie both issues together and you have a very fertile landscape in which interested criminal organizations can cause havoc and profit.
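The versioning problem is that the artifact you reviewed is not the artifact that runs, so the useful check is to re-scan every update and diff its capabilities against the version that passed. The script below is an added example (not Google’s code or any project’s) of that triage step: it byte-scans the DEX files inside an APK for class descriptors and method names that only land in the DEX string table when the app references them (DexClassLoader, InMemoryDexClassLoader, addJavascriptInterface, loadLibrary), then diffs two versions so an update that gains loading capability stands out. The indicator strings are real Android descriptors; the weights, the two in-memory “APKs” and the version contents are assumptions of this example and contain no real bytecode.

```python
"""Triage scan for the versioning / dynamic code loading pattern: string-scan
the DEX files in an APK for loader references and diff two app versions. The
APKs below are constructed in memory and contain no real bytecode."""
import io
import os
import zipfile

# Descriptors/method names as they appear in a DEX string table. The weights
# and descriptions are our own heuristic; PathClassLoader and loadLibrary are
# common in benign apps and carry little weight on their own.
INDICATORS = {
    b"Ldalvik/system/DexClassLoader;": ("dynamic DEX loading from a file", 3),
    b"Ldalvik/system/InMemoryDexClassLoader;": ("dynamic DEX loading from memory", 3),
    b"Ldalvik/system/PathClassLoader;": ("class loading from a path", 1),
    b"addJavascriptInterface": ("JS-to-Java bridge in a WebView", 1),
    b"loadLibrary": ("native library loading", 1),
    b"Ljava/net/HttpURLConnection;": ("network fetch capability", 1),
}


def build_fake_apk(dex_strings):
    """Construct an in-memory archive with an APK-like layout (test input
    only). The 'classes.dex' is a header-like prefix plus NUL-separated
    strings, enough for the string scan and nothing more."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64 + b"\x00".join(dex_strings) + b"\x00")
    return buf.getvalue()


def scan_apk(apk_bytes):
    """Return {description: weight} for every indicator found in any
    classes*.dex (multidex apps ship classes2.dex, classes3.dex, ...)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            base = os.path.basename(name)
            if not (base.startswith("classes") and base.endswith(".dex")):
                continue
            data = z.read(name)
            for needle, (desc, weight) in INDICATORS.items():
                if needle in data:
                    found[desc] = weight
    return found


def score(findings):
    """Crude risk score: the sum of indicator weights."""
    return sum(findings.values())


def capabilities_added(old_findings, new_findings):
    """The versioning signal: indicators present in the update but absent from
    the version that passed review. Sorted for stable output."""
    return sorted(set(new_findings) - set(old_findings))


# Constructed app: v1 is a plain networked app; v2 is the same app updated
# with a file-based DEX loader, a native loader and a WebView JS bridge.
V1_STRINGS = [b"Landroid/app/Activity;", b"Ljava/net/HttpURLConnection;", b"onCreate"]
V2_STRINGS = V1_STRINGS + [b"Ldalvik/system/DexClassLoader;", b"loadLibrary", b"addJavascriptInterface"]
V1_APK = build_fake_apk(V1_STRINGS)
V2_APK = build_fake_apk(V2_STRINGS)

if __name__ == "__main__":
    v1, v2 = scan_apk(V1_APK), scan_apk(V2_APK)
    print("v1 score", score(v1), v1)
    print("v2 score", score(v2), v2)
    print("added in update:", capabilities_added(v1, v2))
```

This is a string scan, not a DEX parser; a production pipeline would resolve actual method references with a proper DEX parser and would also diff the manifest’s requested permissions between versions. It also only covers the first half of the technique: code fetched at runtime from the attacker’s server never appears in any APK, so the loader reference plus network capability is the signal to act on, not the payload itself. Legitimate apps use these loaders for plugins and hot fixes, which is why the output is a triage score and a capability diff rather than a verdict.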

4th: Less Than Zero Day: What’s Causing the Drop in Usage of Unknown Bugs

Overview: The number of zero days detected in the wild dropped significantly in 2022, down 40 percent from the previous year, but researchers who track zero day exploit activity closely warn that’s not necessarily an entirely positive sign. Last year, researchers detected 41 zero day vulnerabilities being used in the wild, down from 69 in 2021, which was the most since Google began tracking them in 2015. Most years, the number hovers somewhere in the low twenties, so 41 is still a significant number of zero days to find in the wild. And just because the number goes down from one year to the next doesn’t mean that product security is getting better or that defenders are getting better at detecting the use of zero days. Maddie Stone of Google’s Threat Analysis Group, who heads the company’s efforts to detect and analyze the use of zero days, said the picture is quite complex and includes the behavior of both attackers and defenders as well as the work of security researchers. Detecting the use of zero days in the wild gives defenders some more information with which to make decisions, but it is not a singular determining factor.

Breakdown: Awesome research article on the ways zero days were used and abused last year. It is also interesting that even though the overall count went down, 41 is still well above the low twenties seen in most years, and the drop is not indicative of massive forward progress in product/application security, nor of detections suddenly spiking and making zero days a much less profitable endeavor. Stone’s point is the useful one: the count reflects attacker choices, defender visibility and researcher effort together, so it is one input to risk decisions, not a scorecard.

5th: Russia-based hackers building new attack infrastructure to stay ahead of public reporting

Overview: A Russia-based hacking group implicated in previous attacks on governments is shifting its tactics due to increased public reporting by security researchers and tech giants like Microsoft and Google. In a report from Recorded Future, researchers said that since March 2023, the group tracked as BlueCharlie has built new infrastructure to launch attacks against a variety of targets. BlueCharlie’s goal is information gathering and credential theft, as well as hack-and-leak operations targeting Ukraine and North Atlantic Treaty Organization (NATO) nations. The group — tracked by several companies as Calisto, COLDRIVER or Star Blizzard/SEABORGIUM — has previously targeted an array of government, higher education, defense, and political sector entities, as well as non-governmental organizations (NGOs), activists, journalists, think-tanks and national laboratories.

Breakdown: We wrap up this week with a look at another APT group and its moves to maintain anonymity as its public profile has grown. Tracking APT groups, their actions and their interactions with other groups is a great way to keep up with the general threat landscape. APT groups have the most funding and, because of their activity levels, potentially the most exposure compared with smaller criminal groups, which makes them a focal point for tracking overall threat levels across the worldwide internet landscape. The practical takeaway from the Recorded Future report is that infrastructure indicators for this group age quickly once they are published, so detection should lean on the group’s consistent tradecraft (credential-harvesting lures and hack-and-leak operations against the same sectors) rather than on static blocklists alone.

Contact Us

contact@hunterstrategy.net

James Beal is a Cyber Threat Intelligence Engineer at Hunter Strategy, focused on simplifying the evolving threat landscape and creating tangible alerts to help triage events.