Top five Cyber Threat Intel stories of the week: 08/07 to 08/11/2023

James Beal
Hunter Strategy
Published in
6 min read · Aug 11, 2023

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions! Thank you!

General Worldwide activity:

1st: Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives

Overview: Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies. According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations worldwide between March and June 2023. Nearly 39% of the hundreds of compromised users are said to be C-level executives, including CEOs (9%) and CFOs (17%). The attacks have also singled out personnel with access to financial assets or sensitive information. At least 35% of all compromised users had additional account protections enabled.

Breakdown: Phishing kits are not new by any means, but the scope of this attack, focused on C-level execs, makes it more “whaling” than standard phishing. Another important point to note is that over 1/3 of the compromised accounts were using additional account protections beyond username/password, so their owners likely assumed they were safer than they were. The attackers also used new automation tools to determine, in real time, whether a user was a high-level target, focusing on those and purposefully ignoring lower-level targets.

2nd: CISA: Old Bugs Still Get the Most Attention From Attackers

Overview: The usage of zero days by attackers is a fascinating thing to watch and analyze, but for the most part, adversaries tend to stick to the basics, targeting older, known vulnerabilities in widely deployed products that they know they can exploit with ease. In fact, most of the vulnerabilities that attackers routinely exploited last year were disclosed in 2021 or even many years earlier, a new analysis by United States cybersecurity agencies and their partners shows. The report, released Thursday by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and various foreign partner agencies, again highlights the importance of timely patching and the value of routine maintenance and security basics. The majority of the 12 most commonly exploited flaws in the report are in popular enterprise applications, including Microsoft Exchange, Fortinet SSL VPN, Atlassian Confluence, F5 BIG-IP, and VMware Workspace ONE Access. Finding vulnerable instances of those apps is a trivial task for an attacker with even a modicum of ambition, and in many cases there is proof-of-concept exploit code publicly available for these bugs, especially the older ones.

Breakdown: We all fall, to some extent, for the hype cycles around newly released bugs, scrambling to ensure our customers have protections and patches in place. This is a great reminder that attackers use what works and pick the easiest methods available. If they can abuse older vulnerabilities because so many orgs are still not protected, why bother re-configuring toolsets to use some brand-new vulnerability instead? We have seen this kind of intelligence reporting in the past, reminding everyone that old bugs are still abused all the time, so take this as a fresh reminder that patching is a key factor in overall risk posture and a fundamental part of any information security program, whether you are internal staff or supporting customers as an MSSP.
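The practical check this reminder calls for is to look at an exploited-vulnerability feed and ask two questions: how old were the bugs when active exploitation was recorded, and which of them hit products we actually run? The script below is an added example, not code from the article or from CISA; the feed entries are constructed (CVE IDs are placeholders), the field names are assumed to follow CISA's KEV JSON feed, and the product inventory is a made-up list to match against.

```python
"""Triage a KEV-style exploited-vulnerability feed: age of the bugs at
exploitation time, and which entries touch products in our inventory."""
import json
import re
from collections import Counter
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names are
# assumed from that feed; the CVE IDs are placeholders, not real entries).
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-EXAMPLE1", "vendorProject": "Microsoft",
     "product": "Exchange Server", "dateAdded": "2022-03-25", "dueDate": "2022-04-15"},
    {"cveID": "CVE-2021-EXAMPLE2", "vendorProject": "Atlassian",
     "product": "Confluence Server and Data Center", "dateAdded": "2022-06-02", "dueDate": "2022-06-06"},
    {"cveID": "CVE-2020-EXAMPLE3", "vendorProject": "F5",
     "product": "BIG-IP", "dateAdded": "2022-05-10", "dueDate": "2022-05-31"},
    {"cveID": "CVE-2022-EXAMPLE4", "vendorProject": "VMware",
     "product": "Workspace ONE Access", "dateAdded": "2022-04-15", "dueDate": "2022-05-06"},
    {"cveID": "CVE-2022-EXAMPLE5", "vendorProject": "ExampleVendor",
     "product": "Unrelated Product", "dateAdded": "2022-11-01", "dueDate": "2022-11-22"},
]})

# Constructed asset inventory: lower-cased product-name substrings we run.
INVENTORY = ["exchange server", "big-ip", "confluence"]

CVE_YEAR = re.compile(r"^CVE-(\d{4})-")

def load_entries(feed_json):
    return json.loads(feed_json)["vulnerabilities"]

def years_before_exploitation(entry):
    """Years between the CVE's assignment year and the date exploitation was recorded."""
    cve_year = int(CVE_YEAR.match(entry["cveID"]).group(1))
    return date.fromisoformat(entry["dateAdded"]).year - cve_year

def age_histogram(entries):
    """How many exploited bugs were 0, 1, 2, ... years old when exploitation was recorded."""
    return dict(Counter(years_before_exploitation(e) for e in entries))

def share_older_than(entries, min_years=1):
    """Fraction of entries disclosed at least min_years before exploitation was recorded."""
    old = sum(1 for e in entries if years_before_exploitation(e) >= min_years)
    return round(old / len(entries), 2)

def inventory_matches(entries, inventory):
    """Entries whose product matches something we run, earliest remediation deadline first."""
    hits = [e for e in entries if any(p in e["product"].lower() for p in inventory)]
    return sorted(hits, key=lambda e: e["dueDate"])

if __name__ == "__main__":
    entries = load_entries(SAMPLE_FEED)
    print("years from CVE year to recorded exploitation:", age_histogram(entries))
    print("share disclosed a year or more before exploitation:", share_older_than(entries))
    for e in inventory_matches(entries, INVENTORY):
        print(f"{e['cveID']} {e['vendorProject']} {e['product']} due {e['dueDate']}")
```

Point the loader at the real KEV feed and your own inventory and the same three functions give you the age distribution the CISA report describes and a deadline-ordered patch list for your estate.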

3rd: Understanding Active Directory Attack Paths to Improve Security

Overview: Introduced in 1999, Microsoft Active Directory is the default identity and access management service in Windows networks, responsible for assigning and enforcing security policies for all network endpoints. With it, users can access various resources across networks. As things tend to do, times, they are a’changin’ — and a few years back, Microsoft introduced Azure Active Directory, the cloud-based version of AD, to extend the AD paradigm, providing organizations with an Identity-as-a-Service (IDaaS) solution across both cloud and on-prem apps. (Note that as of July 11th 2023, this service was renamed to Microsoft Entra ID, but for the sake of simplicity, we’ll refer to it as Azure AD in this post.) Both Active Directory and Azure AD are critical to the functioning of on-prem, cloud-based, and hybrid ecosystems, playing a key role in uptime and business continuity. And with 90% of organizations using the service for employee authentication, access control and ID management, it has become the keys to the proverbial castle.

Breakdown: Active Directory is a primary software toolset used in the majority of organizations and continues to be abused by attackers as a prime target. The security configurations in AD can easily fall off the radar or get viewed as more of an IT configuration task than a primary task for information security practitioners. This is a quick and easy read to get started on the subject of AD attack paths, along with a great walk-through video. There are multiple products out there to learn more, but the best place to start in my opinion is with BloodHound Community Edition, looking at internal attack paths tied to AD configurations.

4th: Safeguarding Against Silent Cyber Threats: Exploring the Stealer Log Lifecycle

Overview: The first seven months of 2023 have seen a continued rapid evolution of the cybercrime ecosystem. Ransomware data exfiltration attacks, stealer log distribution, and new exploits targeting organizations continue to substantially increase. This article explores a key component of the cybercrime ecosystem, stealer logs, and their role in the broader cybercrime ecosystem. Infostealer malware has risen to prominence as one of the most significant vectors of cybercrime over the past three years. Infostealers are a form of remote access trojan (RAT) that infects a victim computer, exfiltrates all of the credentials saved in the browser, as well as session cookies, while also stealing other sensitive data such as credit card information, cryptocurrency wallet data, and other information from the host. Logs are then either used or distributed to other cybercriminals as a key initial vector that enables financial fraud, account takeover attacks, ransomware distribution, and data breaches against organizations.

Breakdown: This is an excellent breakdown of the configuration and usage of stealer logs and infostealer malware. Ransomware has evolved along with the protections put in place to stop it, and this is another attack vector that has skyrocketed in popularity. It enables double extortion against a single target organization: charging to unlock machines hit with ransomware, and charging again to destroy the data gathered ahead of time. It also complicates the response for an affected organization, because with both locked machines and exfiltrated data they face larger payouts and must trust that the data was destroyed after payment. Data storage is cheap, and attackers can make all the promises in the world and then dump the data at any point going forward.

5th: NSA chief: Chinese cyber spies continue to improve — but haven’t surpassed US

Overview: China has not yet surpassed the U.S. in conducting cyber espionage despite several successful hacks that have been publicly linked to Beijing, the head of the U.S.’s premier digital spy agency said Thursday. “No. No. No,” Army Gen. Paul Nakasone, the outgoing director of the National Security Agency and the head of U.S. Cyber Command, answered during a discussion at the Center for Strategic and International Studies in Washington when asked if the U.S. had been eclipsed. But, he added, the skills used by Chinese hackers and the scope of their online attacks continue to improve. “Are they getting better? Yes.” The comments come after a series of reports that China, which spent years pilfering American intellectual property, was responsible for a number of sophisticated hacks, such as breaking into the emails of a group of senior U.S. officials like Commerce Secretary Gina Raimondo and the country’s ambassador to China.

Breakdown: State-sponsored APT groups from the four most active nation-states outside the U.S., namely China, Russia, North Korea and Iran, continue to be the top-tier threat to U.S. organizations. Their funding and capabilities raise general questions about their overall skill level and how their attacks rank against one another. This is an interesting overview of the current state of APT attacks and the opinion of a high-ranking official in charge of the official response to them.

Contact Us

contact@hunterstrategy.net

Our Website


James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.