While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U.S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U.S. […]

What's different about the SHARPEXT threat to Gmail?

The common denominator between them is that the victims often "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea." The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn't attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it. The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be.

Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VBS script that replaces the system preference files. Once that's done and the extension runs quietly in the background, it is tough to detect. The user logs in to their Gmail account from their normal browser on the expected system. It has now been confirmed that the SharpTongue/Kimsuky group is using, as was always likely the case, "spear phishing and social engineering" tactics linked with a malicious document to initiate the SHARPEXT attacks against Gmail users. There is also confirmation that, so far at least, only Windows users appear to be targeted.

The concerns for Microsoft users don't end there, though, as new reports have revealed that, like the SHARPEXT campaign, multi-factor authentication is also being bypassed by other threat actors targeting email accounts. The 'large scale' campaign, spotted by researchers from Zscaler ThreatLabz, does not target Gmail users, though. Instead, it is Microsoft's email services, specifically those within enterprises, that are in the crosshairs. According to a Bleeping Computer report, the ultimate goal is the compromise of these corporate email accounts to aid in "diverting payments to bank accounts under their control using falsified documents." That this threat can bypass multi-factor authentication account protections immediately makes it stand out from your average phishing campaign. "It uses an adversary-in-the-middle (AiTM) attack technique capable of bypassing multi-factor authentication," the Zscaler research notes; "there are multiple evasion techniques used in various stages of the attack designed to bypass conventional email security and network security solutions."

The AiTM part of the attack employs a proxy between the victim and the Microsoft servers. The MFA request is relayed by the proxy server to the victim, who enters their code, but on the attacker's device, and this is then forwarded on. By stealing the 'authentication cookies' the attackers have their method of evading MFA to get back into the account. Where things don't differ from most phishing expeditions is in the 'how it all starts' phase: an email is sent to the target which contains a malicious link.

Only last month, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team confirmed that they had spotted phishing campaigns using the AiTM technique in order to skip the authentication process with MFA enabled. Based on the threat data compiled by Microsoft researchers, at least 10,000 organizations have been targeted by such attacks since September 2021. Microsoft says that the Microsoft 365 Defender product "detects suspicious activities related to AiTM phishing attacks and their follow-on activities." The activities mentioned include the session cookie thefts and the use of the same to sign into compromised accounts. Microsoft says that this isn't an MFA vulnerability, but rather the theft of session cookies which are then used to access an authenticated session, one that is authenticated regardless of user sign-in methods.

The Microsoft security analysis stated that the campaigns it saw were using an off-the-shelf phishing kit known as Evilginx2 for the AiTM infrastructure. The Zscaler report, however, suggests this latest campaign is using a "custom proxy-based phishing kit capable of bypassing multi-factor authentication." Both the U.S. […] geographies are being targeted, along with Australia and New Zealand currently. The industry verticals seem to be mainly confined to fintech, insurance, lending, and energy.

The takeaway? While any form of additional verification of your login credentials remains a must-have security essential, that doesn't mean you should rest on your laurels if you have 2FA/MFA enabled.
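The follow-on activity Microsoft describes, a session cookie minted after MFA on the victim's browser and then presented from the attacker's own device, leaves a usable signal in sign-in telemetry: the same session identifier shows up from a different client than the one that completed MFA. Below is an added example of that check (written for this page, not code from Microsoft, Zscaler or Forbes) run over constructed JSON-lines sign-in events; the field names session_id, event, client_ip, user_agent and asn are assumptions about the log format.

```python
import json
from dataclasses import dataclass

# Constructed sample of sign-in telemetry (not real logs). "mfa_ok" is the
# interactive login that completed MFA; "session_use" is any later request
# that presents the same session token.
SAMPLE_LOG = """\
{"ts": 1660000000, "user": "alice@example.test", "session_id": "s-1001", "event": "mfa_ok", "client_ip": "203.0.113.10", "user_agent": "Edge/104", "asn": 64500}
{"ts": 1660000090, "user": "alice@example.test", "session_id": "s-1001", "event": "session_use", "client_ip": "203.0.113.10", "user_agent": "Edge/104", "asn": 64500}
{"ts": 1660000300, "user": "alice@example.test", "session_id": "s-1001", "event": "session_use", "client_ip": "198.51.100.77", "user_agent": "Chrome/103", "asn": 64511}
{"ts": 1660000400, "user": "bob@example.test", "session_id": "s-2002", "event": "mfa_ok", "client_ip": "192.0.2.5", "user_agent": "Firefox/103", "asn": 64500}
{"ts": 1660003600, "user": "bob@example.test", "session_id": "s-2002", "event": "session_use", "client_ip": "192.0.2.9", "user_agent": "Firefox/103", "asn": 64500}
"""

@dataclass
class SessionOrigin:
    """The client that completed MFA for a session: the only client that should present its cookie."""
    user: str
    client_ip: str
    user_agent: str
    asn: int

def find_cookie_replay(log_text: str) -> list[dict]:
    """Return one alert per session presented from a client other than the one that passed MFA.
    A new IP inside the same ASN with the same user agent (mobile or VPN churn) is scored low;
    a new ASN plus a new user agent, the shape of a token replayed from an attacker's box, is high."""
    origins: dict[str, SessionOrigin] = {}
    alerts: list[dict] = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        sid = ev["session_id"]
        if ev["event"] == "mfa_ok":
            origins[sid] = SessionOrigin(ev["user"], ev["client_ip"], ev["user_agent"], ev["asn"])
            continue
        origin = origins.get(sid)
        if origin is None or ev["client_ip"] == origin.client_ip:
            continue  # no MFA event seen for this session, or same client: nothing to flag here
        score = 1                                   # the IP already differs
        if ev["asn"] != origin.asn:
            score += 1                              # different network, not just a new address
        if ev["user_agent"] != origin.user_agent:
            score += 1                              # different browser presenting the same cookie
        alerts.append({"user": origin.user, "session_id": sid, "ts": ev["ts"],
                       "from": f"{origin.client_ip} {origin.user_agent}",
                       "to": f"{ev['client_ip']} {ev['user_agent']}",
                       "severity": {1: "low", 2: "medium", 3: "high"}[score]})
    return alerts

if __name__ == "__main__":
    for alert in find_cookie_replay(SAMPLE_LOG):
        print(alert)
```

On the sample, alice's session is flagged high (new ASN and new browser within minutes of MFA) while bob's is a low-severity address change on the same network; in production the same comparison should run against the identity provider's sign-in logs, and a high-severity hit is a prompt to revoke the session rather than only the password.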