The number of senior business executives ensnared by an ongoing phishing campaign continues to rise, with the cybercriminals behind it racking up hundreds of cloud account takeovers (ATOs) since spinning it up in November.
Researchers from Proofpoint listed many C-suite roles as prime targets for the unnamed attackers, as well as other senior positions such as VPs, sales directors, and finance managers. The customers caught out by the scam were not listed.
The overarching goal, as with all these types of assaults, is to gain access to as many privileged accounts as possible and tap into all the resources available for follow-on crimes.
In addition to the hundreds of ATOs, “dozens” of Azure environments were also compromised, Proofpoint said.
Naturally, this meant the criminals stole data in some cases, including sensitive files containing financial assets, internal security protocols, and user credentials.
A specific Linux user-agent was identified as one of the most notable indicators of compromise (IoCs); the attackers mainly used it to access the “OfficeHome” sign-in application: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/184.108.40.206 Safari/537.36.
The same user-agent was used to access a number of other Microsoft 365 apps too:
Office 365 Shell WCSS-Client: Indicates a browser was used to access Office 365 apps
Office 365 Exchange Online: Suggests mailboxes were abused and data may have been stolen
My Signins: Indicates attempts made to manipulate MFA methods
Proofpoint hasn’t officially attributed the attacks to a specific group, but some evidence points to them being possibly based in Russia and Nigeria.
Other post-intrusion activities include attackers manipulating MFA to establish persistent access to systems after making the initial compromise. The attackers were spotted implementing their own MFA methods – an authenticator app is the preferred choice, it seems – but other techniques such as registering different phone numbers were also observed.
Armed with full control of a legitimate business email account, the crims went on to launch internal and external phishing campaigns using the new identity. A legitimate account, in theory, adds a greater sense of authenticity to an email and is less likely to trigger spam filters, potentially offering a greater chance of success.
Email access was also abused to scan for secrets and perform lateral movement across the target organization, in addition to the numerous financial fraud attempts made by sending personalized messages targeting HR and finance departments.
Attackers would also add their own mailbox rules designed to mask their malicious activity.
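The indicators above (a fixed Linux user-agent hitting OfficeHome, the Office 365 shell, Exchange Online and My Signins, followed by MFA method changes and new inbox rules on the same account) lend themselves to a simple correlation over sign-in and audit logs. The following is an added example written for this page, not code from Proofpoint or from the article: it parses constructed, newline-delimited JSON records shaped loosely like Entra ID sign-in and audit events (field names such as `createdDateTime`, `appDisplayName`, `userAgent` and the audit activity names are assumptions), flags successful sign-ins that match the quoted user-agent against one of the listed apps, and then looks for MFA-method changes or inbox-rule creation on the same user within a 24-hour window.

```python
"""Correlate Microsoft 365 sign-in and audit records against the campaign
indicators described in the article. Hypothetical detection logic written for
this page; all log records below are constructed, not real telemetry."""
import json
from datetime import datetime, timedelta

# User-agent string exactly as quoted in the article (assumption: the sign-in
# log carries the user-agent verbatim).
IOC_USER_AGENT = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/184.108.40.206 Safari/537.36")

# Applications the article says were accessed with that user-agent.
WATCHED_APPS = {"OfficeHome", "Office 365 Shell WCSS-Client",
                "Office 365 Exchange Online", "My Signins"}

# Audit activities standing in for the post-intrusion steps described (MFA
# method manipulation, inbox rules). Names are assumptions modelled on Entra ID
# and Exchange audit events, not values taken from the article.
MFA_ACTIVITIES = {"User registered security info", "User changed default security info"}
INBOX_RULE_ACTIVITIES = {"New-InboxRule", "Set-InboxRule"}


def parse_jsonl(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    """Timestamp of a record; tolerate the trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def suspicious_signins(signins):
    """Successful sign-ins using the IoC user-agent against a watched app."""
    return [r for r in signins
            if r.get("userAgent") == IOC_USER_AGENT
            and r.get("appDisplayName") in WATCHED_APPS
            and r.get("status", {}).get("errorCode", 0) == 0]


def correlate_followup(signins, audits, window_hours=24):
    """Map each user with a suspicious sign-in to the follow-on activity
    (MFA method change, inbox rule creation) seen within window_hours after it.
    Users with a suspicious sign-in but no follow-on activity map to an empty set."""
    hits = {}
    for s in suspicious_signins(signins):
        user = s["userPrincipalName"]
        start, end = _ts(s), _ts(s) + timedelta(hours=window_hours)
        hits.setdefault(user, set())
        for a in audits:
            if a.get("user") != user or not (start <= _ts(a) <= end):
                continue
            if a.get("activity") in MFA_ACTIVITIES:
                hits[user].add("mfa_method_change")
            elif a.get("activity") in INBOX_RULE_ACTIVITIES:
                hits[user].add("inbox_rule_created")
    return hits


# Constructed sample telemetry (example.com accounts, documentation IP ranges).
_WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLE_SIGNINS_JSONL = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2024-01-15T08:02:11Z", "userPrincipalName": "cfo@example.com",
     "appDisplayName": "OfficeHome", "userAgent": IOC_USER_AGENT,
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-01-15T08:05:40Z", "userPrincipalName": "cfo@example.com",
     "appDisplayName": "My Signins", "userAgent": IOC_USER_AGENT,
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    # Legitimate-looking Windows sign-in: same app, different user-agent.
    {"createdDateTime": "2024-01-15T09:00:00Z", "userPrincipalName": "vp.sales@example.com",
     "appDisplayName": "OfficeHome", "userAgent": _WIN_UA,
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    # IoC user-agent but the sign-in failed (wrong password), so not counted.
    {"createdDateTime": "2024-01-15T09:30:00Z", "userPrincipalName": "hr@example.com",
     "appDisplayName": "Office 365 Exchange Online", "userAgent": IOC_USER_AGENT,
     "ipAddress": "203.0.113.11", "status": {"errorCode": 50126}},
])
SAMPLE_AUDITS_JSONL = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2024-01-15T08:10:00Z", "user": "cfo@example.com",
     "activity": "User registered security info"},
    {"createdDateTime": "2024-01-15T08:20:00Z", "user": "cfo@example.com",
     "activity": "New-InboxRule"},
    # MFA change by a user with no suspicious sign-in: not correlated.
    {"createdDateTime": "2024-01-15T09:15:00Z", "user": "vp.sales@example.com",
     "activity": "User registered security info"},
    # Same user, but two days later: outside the correlation window.
    {"createdDateTime": "2024-01-17T08:20:00Z", "user": "cfo@example.com",
     "activity": "New-InboxRule"},
])

if __name__ == "__main__":
    hits = correlate_followup(parse_jsonl(SAMPLE_SIGNINS_JSONL),
                              parse_jsonl(SAMPLE_AUDITS_JSONL))
    for user, activity in hits.items():
        print(f"{user}: suspicious sign-in, follow-on = {sorted(activity) or 'none'}")
```

The exact-match on the user-agent is deliberately conservative, since the article quotes only this one string; whether to widen it (any unfamiliar Linux desktop browser reaching My Signins, for instance) is a tuning decision for the team running it, traded against the false positives from legitimate Linux users.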
While the phishing campaign remains ongoing, the researchers advised users to remain wary of all unexpected emails and exercise extreme caution when opening links – the usual stuff.
The sample phishing emails seen by researchers are said to be individualized to their target, directing them to what appears to be a shared document; the link instead redirects to a malicious phishing page.
As security conscious Reg readers know only too well, being sent a link to a document from an unknown sender should immediately be a red flag for any user, even if it is personalized to the target, but the campaign’s success rate shows that phishing attempts don’t need to be especially sophisticated to achieve their goals.
Looking at the campaign’s infrastructure, the attackers use proxy services located close to their targets to evade geofencing policies, as well as local fixed-line internet service providers (ISPs). Examples of the non-proxy sources were Russia-based Selena Telecom LLC and the Nigerian providers Airtel Networks Limited and MTN Nigeria Communication Limited.
As for locking down systems, the usual advice applies here: monitoring logs for IoCs, enforcing credential changes for compromised users, ensuring security products are configured correctly to detect ATOs, and implementing auto-remediation policies. ®