**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

131.0.2903.112

12/19/2024

131.0.6778.205

CVE-2024-12693: Chromium: CVE-2024-12693 Out of bounds memory access in V8

CVE-2024-12692: Chromium: CVE-2024-12692 Type Confusion in V8

In the last newsletter of the year, Thorsten recalls his tech-savvy gift to his family and how we can all incorporate cybersecurity protections this holiday season.

Thursday, December 19, 2024 14:02

Welcome to the final Threat Source newsletter of 2024. 

Watching "Die Hard" during the Christmas season has become a widely recognized tradition for many, despite ongoing debates about its classification as a Christmas movie. I know it isn't everyone's cup of tea. Whether you like the movie or not, let me share a story about what didn't quite go as planned in my family last year.  

When  some celebrities had their social media accounts compromised, I saw it as the perfect opportunity to introduce my family to the world of multi-factor authentication (MFA) for their online accounts. Our home IT setup is diverse— With Linux, Macs, Windows; Androids, iOS, we needed something cross-platform. Also, we needed a user-friendly solution as we have both standard users and IT experts (never underestimate your users). From my professional standpoint, I decided to go “all in” with hardware tokens - they work cross platform and "survive" one or the other OS installs from scratch. Providing two for each person was mandatory in case one got lost, which had happened to me already. So it wasn't a cheap exercise. In my defense, this was before the side-channel attack EUCLEAK was discovered, which has since expanded to affect more products as noted in the first release. 

In the spirit of John McClane : “Now I know what a TV dinner feels like.” 

The kids found the gift "boring" and almost a year later, the adoption rate is still only 30%. Fortunately, my wife had the foresight to prepare real presents for the family, saving Christmas Eve from being a "bad guys win" scenario. (Only John Thor can drive somebody that crazy.) 

I share this anecdote not to discourage you, but to help you avoid making the same mistake and risking your celebrations. Unless everyone gathered around the Christmas tree is an infosec professional, it might not be the time to go "Yippee-ki-yay Mr Falcon" with tech gifts.  

However, spending time with loved ones is a great opportunity to discuss the trends and importance of cybersecurity. We've been highlighting compromised credentials for a long time, as seen in our previous posts \[here\], \[here\], \[here\] and \[here\]. For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, making it clear identity-based attacks are becoming more prevalent, and wont be gone anytime soon. 

 Advocate for the use of a password managers—there are paid versions with family plans on one end, and excellent open-source alternatives on the other. Avoid storing credentials in browsers, as they can be extracted by info-stealers. Consider using passkeys where possible. According to the fido alliance, more than 20% of the world's top 100 websites support passkeys already. If passkeys are not yet enabled for one of your services? Any MFA is better than none. Even using "just" TOTP in a software container is a significant improvement over just a password. 

But it's not just about enabling MFA. As Martin wrote last week, we need to close the gap by communicating and understanding the the threat landscape. When it comes to stolen credentials, share resources like https://haveibeenpwned.com/ or https://sec.hpi.de/ilc/?lang=en with your loved ones so they can check if their email has been part of a breach.   

If you decide not to bother your friends & famliy (though I strongly believe Mbappe, Sweeny and Odenkirk would have preferred a more secure account) with Account/Password Hygiene, there are some more work related recommendations in Hazel’s “How are attackers trying to bypass MFA” 

Whichever is your idea of Christmas, then, like Argyle said, "I gotta be here for New Year's!"  

We look forward to seeing you in 2025!   

**The one big thing**

At the time of writing, our Vulnerability Research Team Disclosed 207 Vulnerabilities, and had another 93 reported to the respective Vendor in 2024.  Di you know  Talos has a team which investigates software and operating system vulnerabilities in order to discover them before malicious threat actors do? Every day, they try to find vulnerabilities that have not yet been discovered, and then work to provide a fix for those before a zero-day threat could ever be executed. 

**Why do I care? **

We see threat actors exploiting known vulnerabilities constantly. Sometimes those CVEs are Years old.  

**So now what? **

Maybe you want to check for some CVEs or conduct a network security assessments.   
You can our team’s reports,roundups,spotlights and deep dives on our blog. 

**Top security headlines of the week **

 Blackhat Europe 2024 took place Dec 9-12 in London, UK. Loaded with a lot of interesting Sessions, my favorites are “Vulnerabilities in the eSIM download protocol” and “Over the Air: Compromise of Modern Volkswagen Group Vehicles” both showing how far an attack surface can possibly extend.  

Germany's Federal Office for Information Security (BSI) says it blocked communication between appr. 30.000 Android IoT Devices which were sold with BadBox malware preinstalled, and their command and control (C2) infrastructure by sinkholing DNS queries (Bleeping Computer)  

Law enforcement agencies worldwide disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks. Booter and stresser websites were taken down, administrators were arrested and over 300 users were identified for planned operational activities. (Europool) 

The Willow chip is not capable of breaking modern cryptography,” Google’s director of quantum tells The Verge.

**Can’t get enough Talos? **

*   The evolution and abuse of proxy networks 
*   Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities 

**Upcoming events where you can find Talos **

  Cisco Live EMEA (February 9-14, 2025) 

Amsterdam, Netherlands 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256:**873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**MD5:** d86808f6e519b5ce79b83b99dfb9294d    
**VirusTotal:**  
https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**Typical Filename:** n/a   
**Claimed Product:** n/a    
**Detection Name:** Win32.Trojan-Stealer.Petef.FPSKK8  

**SHA256:**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**VirusTotal:**  
https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**Typical Filename:** VID001.exe    
**Claimed Product:** n/a    
**Detection Name:** Win.Worm.Bitmin-9847045-0 

 **SHA 256:**  
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86    
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**Typical Filename:** endpoint.query    
**Claimed Product:** Endpoint-Collector    
**Detection Name:** W32.File.MalParent  

 **SHA256:**47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**Typical Filename:** VID001.exe   
**Claimed Product:** n/a    
**Detection Name:** Coinminer:MBT.26mw.in14.Talos 

 **SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:**  
7bdbd180c081fa63ca94f9c22c457376    
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
**Typical Filename:** IMG001.exe    
**Claimed Product:** N/A     
**Detection Name:** Trojan/Win32.CoinMiner.R174018

Welcome to the party, pal!

Non-human identities authenticate machine-to-machine communication. The big challenge now is to secure their elements and processes — before attackers can intercept.

Source: Poptika via Shutterstock

When industrial automation giant Schneider Electric revealed last month that ransomware gang Hellcat stole 40GB of sensitive data, the attackers acknowledged using exposed credentials to breach Schneider's Jira server. 

Once inside the company's project management system, attackers used the miniOrange REST API, a widely used authentication plug-in, to exfiltrate 400,000 rows of data, including 75,000 email addresses, employee names, and customer records. 

What this and dozens of other incidents have in common is that the attackers exploited vulnerabilities in non-human identities (NHIs). Unlike human identities used for authentication by individuals via identity and access management (IAM) credentials, NHIs, also known as machine identities or service accounts, are used by applications, services, and Internet of Things (IoT) installations for authenticating machine-to-machine communications. 

Predictably, investors are funding startups with products that govern and mitigate NHI risk, while more established companies are adding such capabilities, either internally or via acquisition. 

Astrix Security, a prominent startup that says it created the term NHI, earlier this month raised $45 million in Series B funding led by Menlo Ventures and artificial intelligence (AI) platform provider Anthropic, bringing its total funding to $85 million since its founding in 2021.

"A year ago, the term NHI did not exist, and now everyone is talking about them," says Astrix co-founder and CEO Alon Jackson.

Astrix describes its platform as a suite of identity security posture management (ISPM) tools, including non-human identity threat detection and response, NHI life cycle management, auto-remediation, and secrets scanning. 

**Where NHIs Are Vulnerable**

Typical NHIs include API keys, bots, OAuth tokens, database credentials, certificates, and secrets. As organizations have accelerated use of cloud-native applications, IoT infrastructure, and, most notably, AI-based automation during the past two years, NHIs have become a more alarming threat.

Unlike IAM and privilege access management (PAM), few organizations centrally manage NHIs, and there's greater likelihood that they have excessive permissions without expiration dates.

"There are numerous issues with NHIs, including unencrypted credentials, having a full inventory of NHI accounts, inactive accounts, and lack of account ownership," explained Omdia senior analyst Don Tait in a November report.  

Many CISOs are just learning the implications of NHIs. A recent Cloud Security Alliance (CSA) survey of over 800 security and IT professionals found that 24% plan to invest in NHI security during the next six months, and 36% will do so within a year.

More than half of those surveyed believe they may have experienced an incident related to NHIs. 

Astrix is not the only company with NHI discovery and remediation tools attracting investors. Among those that raised Series A funding in 2024 include Aembit ($25 million), Entro Security ($18 million), and Oasis Security ($35 million), which recently discovered the MFA bypass flaw Microsoft Azure. 

The most prominent bet on protecting NHIs was placed in May when CyberArk paid $1.54 billion to acquire machine identity management provider Venafi.

"As NHI continues to evolve, so are the notable vendors in this space," says Christopher Steffen, VP of research at Enterprise Management Associates (EMA). 

Meanwhile, AppSec providers are adding NHI protection capabilities to their offerings. GitGuardian, known for detecting and remediating leaked secrets in GitHub and other source code repositories, recently launched GitGuardian NHI Governance. GitGuardian officials describe it as an addition to its existing platform that will provide visibility and control of NHI life cycles and their associated secrets. 

GitGuardian's initial release will integrate with five key secrets management platforms: HashiCorp Vault, CyberArk Conjur, AWS Secrets Manager, Google Cloud Secrets Manager, and Azure Key Vault.

**Role of NHI Security **

Failure to adequately rotate credentials, overprivileged accounts or identities, and insufficient monitoring and logging are among the common causes of incidents involving compromised NHIs, the CSA report indicates.

"To claim their identity, machines authenticate via secrets like API keys, OAuth tokens, database credentials, usernames and passwords, and certificates," noted GitGuardian product manager Soudanya Ain in a blog post. "They've become the number one vector for a successful attack, frequently overlooked."

Besides the Schneider incident, the NHI Management Group counts over 40 breaches tied to compromised non-human identity credentials during the past two years, including:

*   Microsoft's Midnight Blizzard, which enabled the attackers to access and breach a legacy test OAuth application with elevated privileges.
    
*   The Snowflake breach, which compromised its various customers, including Santander Bank and Ticketmaster.
    
*   Last summer's GitHub extortion attacks by threat actors who used malicious OAuth apps to breach trusted third-party integrations.
    
*   A breach by an attacker who stole secrets, including authentication tokens from the popular Hugging Face open source repository of APIs and other resources for developers who build AI models. 
    

Next year, the risk from compromised NHIs is expected to grow, as is their proportion to human identities, as AI automates more business processes. Omdia's Tait noted industry estimates of the current ratio of NHIs to human identities is 50:1.

"That figure is only likely to increase going forward," he wrote. 

"We do expect NHI growth is going to accelerate further," added Maxine Holt, senior director of Omdia's cybersecurity practice, speaking during a December webinar presented by Dark Reading.

Holt warned that ungoverned NHIs will further raise the threat landscape.

"These identities do require management to ensure secure communication between different services and to prevent unauthorized access and facilitate accountability," she said. "Of course, we need the audit trail there as well. We believe that it's really important to recognize non-human identities as a vital link in the cyber threat chain."

According to the CSA survey, 69% said they are concerned about NHIs as a threat vector, while 38% reported that their organizations have low or no visibility to third parties connected by OAuth apps. Only 20% have a formal process for revoking API keys, and even fewer have procedures for rotating them. 

"There's definitely that trend toward understanding NHI security better and addressing them," said John Yeoh, CSA's global VP of research, at a public meeting in September. "We only expect the NHI field to explode and get out further."

**Blending NHIs and Human Identities **

The current crop of NHI platforms is designed for machine identities, not human credentials, managed by IAM and PAM systems from Microsoft, Okta, Ping Identity, JumpCloud, CyberArk, BeyondTrust, and OneLogin.

Astrix's Jackson says its new round of funding will, in part, go toward expanding integration with human identities.

"Our customers are asking for a 360-degree view of the human and the non-human identities," Jackson says. "But we will be keeping our edge on the NHI space. This is not just posture management and not just anomaly detection, but it's creating the connections in a secure manner."

GitGuardian, which deals with application security and platform engineering teams, has a similar ambition of providing links from its secrets vaults to IAM platforms.

"That's the plan," says Pierre Le Clézio, the company's lead product manager. "But not yet. We are starting with the secret managers and that ecosystem, and then we will have the IAM systems."

**Anticipate M&A Activity **

As NHI security continues to evolve, so will the notable providers, EMA's Steffen says.

"It seems very likely that larger technology players are going to jump into this space," he says. "Many already have complementary offerings, like Wiz and Palo Alto Networks, and are jumping into NHI — either through acquisition or developing their own solution."

Steffen also anticipates that identity providers like Ping and Okta will delve into NHI.

"They already have the infrastructure and the means to enhance NHI for most enterprises, as well as they already lead the market in identity solutions."

Omdia's Holt also anticipates M&A activity.

"The evolving threat landscape really does necessitate a shift toward comprehensive products and solutions that take on both human and non-human identities," she said. "But the market is still developing. A lot of the players are startups. We expect to see more of a move towards platform support and more acquisitions during 2025 for managing non-human identities."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Vendors Chase Potential of Non-Human Identity Management

Seemingly innocent "white pages," including an elaborate Star Wars-themed site, are bypassing Google's malvertising filters, showing up high in search results to lure users to second-stage phishing sites.

Source: Bits And Splits via Shtterstock

Threat actors appear to have found yet another innovative use case for artificial intelligence in malicious campaigns: to create decoy ads for fooling malvertising-detection engines on the Google Ads platform.

The scam involves attackers buying Google Search ads and using AI to create ad pages with unique content and absolutely nothing malicious about them. The goal is to use these decoy ads to then lure visitors to phishing sites for stealing credentials and other sensitive data.

With malvertising, threat actors create malicious ads that are rigged to surface high up in search engine results when people search for a particular product or service. The ads often spoof popular and trusted brands and involve webpages and content that are replicas of the originals but serve instead to redirect users to phishing pages or download an attacker's malware of choice on systems of users who interact with the malicious ads.

While many malvertisement campaigns are targeted at consumers, there have been several recently focused on corporate users as well. One example is a campaign that sought to distribute the Lobshot backdoor on corporate systems, and another that phished employees at Lowe's.

**A Steady, Post-Macro Increase in Malvertising**

"We are seeing more and more cases of fake content produced for deception purposes," researchers at Malwarebytes said in a report on the campaign this week. These so called "white pages," as they are being referred to in the criminal underground, serve as legitimate-looking decoys, or front-end webpages that hide malicious content and activities behind them, according to Malwarebytes.

Related:Manufacturers Lose Azure Creds to HubSpot Phishing Attack

"The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check," Malwarebytes security researcher Jerome Segura wrote. White pages, incidentally, are in contrast to "black pages," which are the actual malicious landing pages containing harmful content or malware.

The use of AI to plant decoy content on Google Ads adds a new wrinkle to malvertising scams, which have seen a remarkable surge in volume recently. Malwarebytes has pinned the increase to Microsoft's decision in 2022 to block macros in Word, Excel, and PowerPoint files downloaded from the Internet — a top malware vector for threat actors. That decision forced attackers to look for other malware distribution vectors, one of which happens to be malvertising, according to Malwarebytes.

Though Google and operators of other major online ad distribution networks have been battling against the scourge — and have gotten better at quickly identifying and removing malvertising content — bad actors have consistently managed to remain a step ahead. A Malwarebytes study found Amazon to be the most spoofed brand in malvertising campaigns, followed by Rufus, Weebly, NotePad++, and TradingView.

Related:CISA Directs Federal Agencies to Secure Cloud Environments

**Spoofing Brands With AI-Generated Content**

In its report, Malwarebytes provided two examples of AI-generated decoy ads it spotted recently on Google Ads. One of the decoy ads targeted users searching the Internet for the Securitas OneID mobile app, and the other targeted users of the Parsec remote desktop app, which is popular among gamers.

The Securitas OneID scam involved an entirely AI-generated website, complete with AI-generated images of supposed executives of the company.

"When Google tries to validate the ad, they will see this cloaked page with pretty unique content and there is absolutely nothing malicious within it," Segura wrote.

With the Parsec ad, the threat actors used some creative license of their own to generate a heavily Star Wars\-influenced website, replete with references to the parsec astronomical measurement unit. The artwork for the website even included several AI-generated Star Wars-themed posters, which while impressive, would likely have suggested to users that the site had nothing to do with the legitimate Parsec app.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

"Ironically, it is quite straightforward for a real human to identify much of the cloaked content as just fake fluff. Sometimes, things just don’t add up and are simply comical," Segura wrote. Even so, as a cloaking mechanism for a malvertising campaign," he added, "the website would have passed Google's validation checks.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Malvertisers Fool Google With AI-Generated Decoy Content

Cybercriminals are using advanced techniques to target executives with mobile-specific phishing attacks.

****KEY SUMMARY POINTS****

*   **Targeted Attacks:** Sophisticated spear phishing campaigns are increasingly targeting corporate executives via mobile devices, using social engineering tactics.

*   **Exploitation of Trust:** Attackers mimic legitimate services like DocuSign and Google, leveraging urgency and credibility to deceive victims.

*   **Advanced Techniques:** Campaigns use CAPTCHAs, mobile-specific fake login pages, and compromised domains to bypass detection mechanisms.

*   **Infrastructure Abuse:** Attackers utilize platforms like Cloudflare for SSL encryption and DDoS protection, complicating detection efforts.

*   **Proactive Defense:** Regular employee training, advanced mobile device management (MDM) solutions, and automated incident response platforms are critical to mitigating these threats.

Mobile devices have become a prime target for sophisticated phishing attacks, particularly those aimed at corporate executives. These targeted attacks, known as spear phishing, leverage social engineering tactics to steal valuable credentials and gain access to sensitive information.

The Phishing and Data Analytics Team at Zimperium uncovered a recent spear phishing campaign targeting executives. The attack involves using a mimicked legitimate DocuSign document requiring immediate review, a common tactic that exploits urgency and authority.

Spear phishing is a popular attack vector against corporate executives, compromising high-value credentials that grant access to sensitive data and systems. The attack begins with a seemingly innocent link disguised as a DocuSign document. The link used a legitimate domain (clickmethryvcom) to mask its origin, and once clicked initiates a series of redirects. First, it redirects to a compromised university website, leveraging its credibility to bypass detection. 

Screenshot of the DocuSign phishing email and the university’s landing page (Via Zimperium)

Researchers noted that attackers have used CAPTCHAs to prevent automated detection and implemented mobile-specific targeting. Moreover, if the link is accessed via a mobile device, the attack presents a fake Google sign-in page to steal credentials whereas desktops are redirected to legitimate Google sites. Another observation is that the phishing site (diitalwaveru) and its SSL certificate were created just days before the attack, highlighting the attackers’ focus on rapid deployment.

Further probing as per Zimperium’s blog post, revealed that the attackers had utilized Cloudflare’s infrastructure for DDoS protection, SSL encryption, and fast content delivery, making it harder to detect. And, in addition to email-based attacks, the campaign also used PDF documents containing embedded phishing URLs. These PDFs mimicked legitimate DocuSign workflows, bypassing traditional URL scanning and exploiting trust in business documents.

The incident highlights the evolving nature of mobile phishing attacks, with attackers investing heavily in infrastructure to bypass security controls, targeting mobile devices often overlooked in security strategies, and exploiting compromised domains for credibility. 

Therefore, it has become essential to conduct regular security awareness training programs to educate employees about the latest phishing tactics and best practices for identifying and avoiding such attacks. Organizations must also deploy advanced Mobile Device Management (MDM) solutions to enforce security policies, such as password complexity, screen lock timeouts, and remote wipe capabilities.

Mika Aalto, Co-Founder and CEO at Hoxhunt weighed in on the situation emphasizing the importance of proactive training for employees and management to identify and report phishing attacks, as technical tools alone may not catch all threats.

_“_The most important thing that companies can do is to shift left and equip senior management and employees with the skills and tools to recognize and safely report a mobile phishing (mishing) attack. We can hope that technical filters and endpoint detection and response technologies quickly develop to be able to pick up these highly obfuscated, native code-based Malware attacks and pinpoint irregular signals and traffic,_“_ said Mika.

_“_Ultimately, it comes down to people. Attackers will launch a complex attack with what might just be a simple phishing message. It’s up to people to be able to listen to that little voice in their head that is telling them that something is wrong and report suspicious messages as a matter of habit. From there, you want to have a platform that will automatically categorize and escalate their reports to the SOC for accelerated response,_“_ he explained.

1.  99% of UAE’s .ae Domains Exposed to Phishing and Spoofing
2.  Scammers Exploit Fake Domains in Dubai Police Phishing Scams
3.  Ongoing Phishing Attack Targets Employees Across 12 Industries
4.  Rockstar 2FA Phishing-as-a-Service Kit Hits Microsoft 365 Accounts
5.  Xiū gǒu Phishing Kit Hits UK, US, Japan, Australia Across Key Sectors

New Mobile Phishing Targets Executives with Fake DocuSign Links

This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about  malicious Windows drivers.

Exploring vulnerable Windows drivers

Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.

Source: Ascannio via Alamy Stock Photo

A full 20,000 employees of European manufacturing companies have been targeted by a phishing campaign.

According to Palo Alto Networks' Unit 42, the activity peaked in June and survived until at least September. The cyberattackers targeted automotive, chemical, and industrial compound manufacturing companies, primarily in Western European countries like the UK, France, and Germany.

The attackers' goal was to lure employees into divulging credentials to their Microsoft accounts, particularly in order to gain access to their enterprise Azure cloud environments.

**DocuSign, HubSpot & Outlook Phishing**

The infection chain began either with an embedded HTML link or a DocuSign-enabled PDF file named after the targeted company (e.g., darkreading.pdf). In either case, the lure funneled victims to one of 17 HubSpot Free Forms. Free Forms are HubSpot's customizable online forms for gathering information from website visitors.

The forms were not actually used to gather any information from victims. They were bare, and clearly written by a non-native speaker. "Are your \[sic\] Authorized to view and download sensitive Company Document sent to Your Work Email?" they asked, with a button to view the purportedly sensitive document in "Microsoft Secured Cloud."

Related:CISA Directs Federal Agencies to Secure Cloud Environments

Those who fell for this step were redirected to another page, mimicking a Microsoft Outlook Web App (OWA) login page. These pages — hosted on robust, anonymous bulletproof virtual private servers (VPS) — incorporated their targets' brand names, with the top-level domain (TLD) ".buzz" (as in www.darkreading.buzz). Victims' Microsoft credentials were harvested here.

With stolen accounts in hand, the threat actor set about burrowing into targets' enterprise cloud environments. The next important step to that end involved registering their own device to victims' accounts. Doing so allowed them to log in thereafter as an authenticated user, and thus avoid triggering security alerts. They enhanced their disguise further by connecting through VPN proxies located in the same country as their target.

Registering a device also provided a point of persistence against any attempts to unseat the attacker. In one case Unit 42 observed, for example, an IT team was stymied as soon as they tried to regain control of a stolen account. Seeing that they might be booted, the attacker initiated a password reset, knowing that the link to do so would be sent to them. A "tug-of-war scenario" ensued, Unit 42 reported, triggering several more security alerts along the way until the matter was resolved.

Related:Azure Data Factory Bugs Expose Cloud Infrastructure

**Cyberattackers Broaden their Horizons to the Cloud**

The volume of compromised users and organizations in this campaign is unknown, though likely low. As Nathaniel Quist, senior threat researcher at Unit 42, points out, "since this operation equates to a double breach event, as the phishing email must be opened, then an additional operation of successfully requesting Azure credentials needed to occur. We suspect that an even smaller number of victims would have also provided the cloud credentials. For example, not every victim would also be using Azure infrastructure for their cloud operations."

What's clearer is what would have happened to those organizations that were breached. With account credentials and a point of persistence, the attackers would have embedded themselves deeper into enterprise cloud environments, "by either escalating their access to create, modify, or delete cloud resources by attaching more privileged \[identity and access management\] policies, or they would have moved laterally within the cloud environment toward storage containers that the victim IAM account may have had access to," Quist says.

Though at first glance it might appear a fairly standard phishing operation, Quist says, it also reflects something broader about cyberattack trends lately — a gradual move toward broader, more ambitious cloud attacks.

Related:Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

"From my view, we are starting to see a growing trend of phishing operations that are not establishing a malware-focused beachhead on the victim system, but instead are targeting the user's access credentials to either cloud platforms, like Azure in this case, or SaaS platforms," he says. "The victim endpoint is only the initial access into the larger cloud platform it is connected to."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Manufacturers Lose Azure Creds to HubSpot Phishing Attack

KEY SUMMARY POINTS Cybersecurity researchers Dr. Web have uncovered a new and active Linux malware campaign aimed at…

****KEY SUMMARY POINTS****

*   **New Linux Malware Campaign**: Cybersecurity researchers identified an active Linux malware campaign leveraging eBPF technology and targeting businesses and users globally.

*   **eBPF Exploitation**: Hackers are abusing eBPF’s low-level capabilities to hide activities, gather data, and bypass security measures, making detection challenging.

*   **Trojan Deployment**: Attackers use eBPF rootkits to conceal their presence and drop remote access Trojans capable of tunnelling traffic and maintaining communication within private networks.

*   **Public Platforms for Command Control**: Instead of private servers, malware configurations are stored on public platforms like GitHub and blogs, disguising malicious activity as legitimate.

*   **Rising eBPF Malware**: The use of eBPF-based malware, including families like Boopkit and BPFDoor, is increasing, with over 100 new vulnerabilities discovered in 2024 alone.

Cybersecurity researchers Dr. Web have uncovered a new and active Linux malware campaign aimed at businesses and users in Southeast Asia. The discovery came during an investigation into a malware attack reported by one of their clients.

The investigation began when a client approached Dr. Web with concerns about a possible compromise in their computer infrastructure. Upon analyzing the client’s data, Dr. Web identified multiple similar cases, indicating a large-scale and active campaign. Despite the initial uncertainty about how the attackers gained access, the researchers successfully tracked the initial stages of the attack.

****Exploiting eBPF Technology****

Researchers found that hackers have been abusing eBPF (extended Berkeley Packet Filter) technology in their attacks. For your information, eBPF is originally designed to provide better control over the Linux operating system’s network functions.

What’s noteworthy is the growing attention around eBPF, especially after August 2021, when tech giants like Google, Isovalent, Meta, Microsoft, and Netflix collaborated to establish the eBPF Foundation under the Linux Foundation to support the growth and adoption of eBPF technologies.

However, in the ongoing attack, eBPF’s low-level capabilities have allowed attackers to hide network activity, gather sensitive information, and bypass security measures. This has made it difficult for researchers to detect, and a lucrative opportunity for hackers particularly for advanced persistent threat (APT) groups looking to maintain long-term access to a target system.

In this specific campaign, as detailed by Dr. Web in its report published on December 10, the attackers used eBPF to load two rootkits. The first, an eBPF rootkit, hid the presence of a second rootkit, which then dropped a remote access Trojan (Trojan.Siggen28.58279 or Trojan:Win32/Siggen.GR!MTB) capable of tunnelling traffic, allowing attackers to communicate with infected devices even within private networks.

****Hiding in Plain Sight: Public Platforms as Command Centers****

The threat actors have also changed how they store their malware configurations. Instead of relying on private command-and-control servers, they are using popular, publicly accessible platforms.

The malware analyzed by Dr. Web was found retrieving settings from platforms like GitHub and even a Chinese cybersecurity blog. This tactic makes the malicious traffic appear legitimate, as it combines it with normal network activity. It also eliminates the need for the attackers to maintain separate control infrastructure, which can be more easily detected and shut down.

Screenshot shows malware hosted on GitHub and a Cybersecurity blog in Chinese language (Via Dr. Web)

Nevertheless, since 2023, the use of malicious eBPF software has been on the rise, with several malware families emerging, including Boopkit, BPFDoor, and Symbiote. The discovery of numerous vulnerabilities in eBPF technology has further worsened the situation.

This ongoing cyberattack is yet another example of how far government-backed hackers and cybercriminals are willing to go without fear of consequences. Their tactics, including exploiting advanced technologies like eBPF and using public platforms for configuration storage, make this quite clear.

1.  Telegram-Controlled TgRat Trojan Targets Linux Servers
2.  Play Ransomware Variant Targeting Linux ESXi Environments
3.  North Korean Hackers Deploy Linux Malware for ATM Cashouts
4.  Linux Malware ‘Perfctl’ Targets Millions by Mimicking System Files
5.  Godot Engine Abused to Drop Malware on Windows, macOS, Linux

Hackers Exploiting Linux eBPF to Spread Malware in Ongoing Campaign

The Russian-based attack group uses legitimate red-team tools, 200 domain names, and 34 back-end RDP servers, making it harder to identify and block malicious activity.

Source: Funtap via Shutterstock

An ongoing cyber-espionage campaign by Russia's Midnight Blizzard threat group may be much larger in scope than generally assumed, targeting international entities in government, armed forces, and academic institutions, Trend Micro said in recently released research.

At its peak in October, Trend Micro researchers observed Midnight Blizzard — which they track as Earth Koshchei — hitting as many as 200 entities a day with phishing emails containing a malicious Remote Desktop Protocol (RDP) file and red-team testing tools to take control of victim systems and steal data or plant malware on them. That volume is roughly what other groups with similar capabilities to — such as Pawn Storm — typically target over multiple weeks, Trend Micro said in a report this week.

In these attacks, intended victims received tailored spear-phishing emails containing a malicious or rogue RDP configuration file that, if used, would direct the victim's system to a remote attacker-controlled system. RDP configuration files simplify and automate remote access to enterprise systems by storing settings — such as a target computer's address and connection preferences — to enable remote desktop connections.

Trend Micro found the threat actor using the open source PyRDP tool as a sort of adversart-in-the-middle proxy to redirect connection requests from victim systems to attacker-controlled domains and servers. "The attack technique is called 'rogue RDP,' which involves an RDP relay, a rogue RDP server, and a malicious RDP configuration file," the researchers explained. "A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation."

**Careful Planning**

In August, Midnight Blizzard began setting up what would eventually be more than 200 domain names to direct victims to as part of the attack chain. Trend Micro also observed the attacker using 34 rogue RDP backend servers as part of its sprawling infrastructure.

The domain names that the threat actor used suggested government and military targets in the US, Europe, Japan, Australia, and Ukraine. Intended victims included ministries of foreign affairs, academic researchers, and military entities.  "The scale of the RDP campaign was huge," Trend Micro found.

Midnight Blizzard is a cyber-espionage group that the US government has identified as working for on or behalf of Russia's foreign intelligence service. The group is tied to numerous well known breach incidents, including ones at Microsoft, SolarWinds, HPE, and multiple US federal government agencies. Its campaigns typically involve sophisticated spear-phishing emails, stolen credentials, and supply chain attacks to gain initial access to target systems. It is also known to target vulnerabilities in widely used networking and collaboration tools from vendors such as Pulse Secure Citrix, Zimbra, and Fortinet.

The group has also has a penchant for using legitimate pen testing and red-team tools to evade detection by endpoint security controls. In the current campaign. Midnight Blizzard's use of legitimate tools like RDP and PyRDP has allowed the threat actor to operate largely under the radar on compromised networks. In addition, the threat actors often have a tendency to tap resident proxy services, Tor, and VPNs as anonymization layers while it operates in stealth on compromised networks.

"Notably no malware is installed on the victim's machines per se. Instead, a malicious configuration file with dangerous settings facilitates this attack, making it a stealthier living-off-the-land operation that is likely to evade detection," according to Trend Micro's report.

The security vendor wants organizations that don't block outbound RDP connection requests to begin doing so straight away. They also recommend blocking RDP configuration files in email.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#microsoft