Displaying items by tag: Phishing

If you look at common attack vectors and especially Initial Access Broker attacks, there are a few parts of the attack chain which stand out. These are the pivot through some form of communication/collaboration app to the phishing landing page. These apps are also often part of insider threats where someone might use their own personal email, OneDrive, or other web/app-based app to exfiltrate information they want outside of an organization. Many companies are very exposed to this either through a lack of tools, skilled staff or being oblivious to the exposure.

There is nothing like an unresolved security flaw in a major product. Especially when the flaw is one that the developer knows about but does not consider important enough to fix in a timely manner. If the flaw is in a commonly used product, it is even better. In this case we are talking about a flaw we covered back on the 23rd of June. This is a bug that can allow an attacker to mimic an internal sender to get around file handling from external senders. In our opinion, it is significant, but Microsoft has no plans to remediate it any time soon. I guess they have other things on their plate like Privacy Investigations in the EU (Over Teams and Office) and the pending Activision/Blizzard deal in court in the US.

You have to love Microsoft Teams. Teams is the Frankenstein Monster of Microsoft’s Lync, which then became Skype for Business, and then morphed into the problematic service we now know as Teams. The journey from Lync to Teams has been a mishmash of features added in and removed while trying to maintain the semblance of feature parity with the products that came before it. One of the big pushes for teams was the integration of SharePoint for file storage and collection. SharePoint integration has been and continues to be a HUGE push from Microsoft in all of their MS365 products and it is not always for the better.

Although Banking, Mortgage, and other financial institutions are always under attack, it is never a good thing to see a coordinated campaign targeting them. Microsoft has disclosed once such campaign using Attacker (Adversary, Man)-in -the-Middle tactics for phishing and BEC (Business Email Compromise) attacks. This style of attack is also not new and one that is often seen in the financial world. These campaigns typically start with one organization that gets popped.

The news that a feature in Gmail that shows a verification check mark for a sender is being abused by attackers should come as a surprise to no one. After all attackers have coopted, code singing certificates, legitimate web sites, and more as part of their attack processes, why wouldn’t a simple blue check mark be difficult? The new feature was introduced last month and, on the surface, looks like a great idea. Show that the sender of an email is who they say they are.

The RomCom backdoor malware appears to have a new campaign running. The new campaign is using impersonation attacks for different software packages (some real, some not). The goal is to trick the unwary into downloading, and hopefully launching malicious payloads. This type of campaign leverages ad services like Google Ads as a “trusted” platform using ads for software that is either often sought after or currently very popular, like ChatGPT, PDF readers, Remote Management software, etc. They are also, at times, leveraged as links in targeted or blanket phishing and social engineering attacks to get the malware on the targeted systems.

This one will get filed in the “you knew it was going to happen” file. After the announcement of a few new top-level domains (TLDs) including .zip and .mov by Google the security world silently shook its head. The concept of using file extensions as TLDs is one that defies logic. As soon as I read about these new domains, I knew someone was going to create phishing or malware attacks with URLs that look like common file names. These attacks can leverage modern web design to make a target think they are using an application to run or open the file when they are really executing commands in the background to compromise their systems. Lo and behold! We now have file archiver in the browser as shown off by mr.d0x.

The popular socialization platform, Discord, is alerting users to a data breach that occurred due to the compromise of a support agent account. The breach appears to be limited in scope to the ticket queue that the third-party agent was responsible for. The ticket queue contained email addresses, attachments and all messages that might have been exchanged during ticket resolution with this agent.

TA542 the wonderful people that brought you Emotet appears to be in the middle of a development and testing cycle on new delivery methods. According to researchers at ProofPoint the creators or the Emotet Botnet are potentially looking to find a new delivery method in response to the, long overdue, default disabling of VBA based Macros by Microsoft in their office products. Although ProofPoint seems to think this is development testing, the activity could also be part of a more targeted campaign.

The FBI, on March 29th, released a Private Industry Notification with vague details on a potential Phishing campaign targeting election officials in at least nine US states. The information in the advisory gives very broad information without really saying much. There is no information in the notification on which states were targeted and the phishing campaign sounds a lot like ones that are sent out to millions of people every day.