
Ankura CTIX FLASH Update - August 4, 2023

Malware Activity


Midnight Blizzard Observed Conducting Highly Targeted Social Engineering Attacks Through Microsoft Teams

Microsoft Threat Intelligence researchers have observed the Russian nation-state threat group Midnight Blizzard conducting social engineering attacks over Microsoft Teams. In this latest campaign, Midnight Blizzard, also tracked as NOBELIUM, APT29, and Cozy Bear, targeted approximately forty (40) organizations worldwide across the government, non-governmental organization (NGO), IT services, technology, discrete manufacturing, and media sectors. Researchers explained that activity involving this attack pattern began in May 2023 and relied on previously compromised Microsoft 365 tenants owned by small businesses. Using these tenants, the actor created new domains that appeared to belong to technical support operations and used them as lures in Microsoft Teams messages. The lures, in the researchers' words, "attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts." This is a push-fatigue pattern: the attacker already holds or has guessed the password and needs the victim to approve an MFA prompt the victim did not initiate. CTIX analysts urge organizations to continually educate users on social engineering techniques and risks; enforcing number matching on MFA push prompts and restricting or allowlisting external Teams access also reduce exposure to this pattern. Additional attack details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
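As an added example (not code from Microsoft's report or from Ankura), the following Python hunts for the push-fatigue pattern described above in a simplified, constructed sign-in log: bursts of declined or expired MFA prompts for one user, with a later approval in the same burst treated as the highest-severity case. The event field names (`ts`, `user`, `ip`, `result`) and the result values are assumptions for this example; map them to the fields your identity provider actually exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Result values are an assumption for this example, not a real IdP schema.
MFA_FAILED = {"mfa_denied", "mfa_timeout"}   # user declined, or let the push expire
MFA_APPROVED = "mfa_approved"

# Constructed sample log. a.lee receives four unsolicited prompts from one
# unfamiliar address in three minutes and finally approves; b.ng has ordinary
# activity plus one isolated decline, which should not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2023-08-01T07:00:00Z", "user": "a.lee@example.org", "ip": "192.0.2.44",   "result": "mfa_approved"},
    {"ts": "2023-08-01T08:30:00Z", "user": "b.ng@example.org",  "ip": "198.51.100.7", "result": "mfa_approved"},
    {"ts": "2023-08-01T09:00:05Z", "user": "a.lee@example.org", "ip": "203.0.113.9",  "result": "mfa_denied"},
    {"ts": "2023-08-01T09:00:40Z", "user": "a.lee@example.org", "ip": "203.0.113.9",  "result": "mfa_denied"},
    {"ts": "2023-08-01T09:01:20Z", "user": "a.lee@example.org", "ip": "203.0.113.9",  "result": "mfa_timeout"},
    {"ts": "2023-08-01T09:02:10Z", "user": "a.lee@example.org", "ip": "203.0.113.9",  "result": "mfa_denied"},
    {"ts": "2023-08-01T09:03:00Z", "user": "a.lee@example.org", "ip": "203.0.113.9",  "result": "mfa_approved"},
    {"ts": "2023-08-01T09:03:05Z", "user": "a.lee@example.org", "ip": "203.0.113.9",  "result": "success"},
    {"ts": "2023-08-01T11:00:00Z", "user": "b.ng@example.org",  "ip": "198.51.100.7", "result": "mfa_denied"},
]


def _parse_ts(value):
    """Parse the UTC 'Z' timestamps used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cluster_prompts(events, gap_seconds=120):
    """Group each user's MFA prompt outcomes into bursts.

    A burst ends when the gap to the next prompt exceeds gap_seconds.
    Returns a list of (user, [(timestamp, event), ...]) in time order.
    Plain sign-in successes are not prompts and are ignored.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] in MFA_FAILED or e["result"] == MFA_APPROVED:
            by_user[e["user"]].append((_parse_ts(e["ts"]), e))

    bursts = []
    for user, items in by_user.items():
        items.sort(key=lambda pair: pair[0])
        current = []
        for ts, e in items:
            if current and ts - current[-1][0] > timedelta(seconds=gap_seconds):
                bursts.append((user, current))
                current = []
            current.append((ts, e))
        if current:
            bursts.append((user, current))
    return bursts


def flag_mfa_fatigue(events, min_failures=3, gap_seconds=120):
    """Return one finding per burst with at least min_failures declined or
    expired prompts. A burst in which an approval follows those failures is
    the case that matters most: the victim may have waved the attacker in."""
    findings = []
    for user, burst in cluster_prompts(events, gap_seconds):
        failures = [ts for ts, e in burst if e["result"] in MFA_FAILED]
        if len(failures) < min_failures:
            continue
        last_failure = max(failures)
        approved_after = any(
            ts > last_failure for ts, e in burst if e["result"] == MFA_APPROVED
        )
        findings.append({
            "user": user,
            "failed_prompts": len(failures),
            "approved_after_failures": approved_after,
            "source_ips": sorted({e["ip"] for _, e in burst}),
            "start": burst[0][0].isoformat(),
            "end": burst[-1][0].isoformat(),
            "severity": "high" if approved_after else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_mfa_fatigue(SAMPLE_EVENTS):
        print(finding)
```

The thresholds are hunting heuristics, not a signature: tune `min_failures` and `gap_seconds` to your environment, and treat a "high" finding as a trigger to revoke the session, reset the credential, and review any external Teams conversation the user had in the same window.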


Threat Actor Activity


Threat Profile: Mysterious Team Bangladesh

Hacktivists from the emerging Mysterious Team Bangladesh (MTB) have significantly ramped up activity over the last year, reaching over 840 attacks globally. Mysterious Team Bangladesh was founded in 2020 but only began making waves in the last year, after launching cyber-attacks against high-profile targets in Israel, India, and other countries, including government institutions and financial and transportation organizations. Since June 2022, Mysterious Team Bangladesh actors have launched more than 750 distributed denial of service (DDoS) attacks against numerous entities, along with seventy-eight (78) website defacements to date. After a successful attack against a targeted entity, these hacktivists often post exfiltrated data in their Telegram channel. Based on numerous open-source intelligence sources, security researchers believe that the actor “D4RK_TSN” (a.k.a. “jisan417”) is the founder of Mysterious Team Bangladesh. Recent campaigns from the group have targeted organizations in Senegal, Ethiopia, Australia, and the Netherlands, causing disruption to network services and occasional website defacement. Activity from the group is expected to continue on-trend and pick up over the next several months. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.


Vulnerabilities


Ivanti Mobile Device Management Software Vulnerable to Exploitation

Ivanti, an IT software solution provider, has informed its customers of a critical vulnerability in its MobileIron Core mobile device management software. If successfully exploited, the flaw allows unauthenticated remote attackers to reach API endpoints on an exposed management server. From there, a threat actor could access sensitive personally identifiable information (PII), make configuration changes, and chain the vulnerability with other flaws to compromise the server, for example by installing a web shell backdoor. MobileIron Core is a comprehensive security and Unified Endpoint Management (UEM) product that includes mobile device management (MDM), mobile application management (MAM), and mobile content management (MCM); with it, administrators manage the full lifecycle of mobile devices and applications, from enrollment to retirement. The flaw, tracked as CVE-2023-35082, is described as a remote authentication bypass granting API access, affecting MobileIron Core version 11.2 and earlier. Ivanti subsequently revised the affected-version scope beyond what was first disclosed, so defenders should confirm their exposure against Ivanti's current advisory rather than relying on the 11.2-and-earlier statement alone. The researchers who discovered the vulnerability have published indicators of compromise (IOCs) to help network defenders detect signs of exploitation; these can be viewed in the report linked below. The platform is widely deployed: according to Shodan scans, more than 2,200 MobileIron user portals are currently exposed to the public internet, "over a dozen" of them connected to U.S. state and local government agencies. MobileIron Core 11.2 will not be patched, because it has been out of support since March 15, 2022. CTIX analysts urge all affected users to upgrade to the current, rebranded release, Ivanti Endpoint Manager Mobile (EPMM), as soon as possible to prevent exploitation. Management portals of this kind should not be reachable from the public internet in the first place; placing them behind a VPN or a source allowlist removes the unauthenticated attack surface this flaw exposes.


Honorable Mention


Google Will Soon Begin Rolling Out Upgrades to its Privacy Tool

Google will begin rolling out upgrades to its "Results about you" tool, a privacy-focused feature that was originally announced in May 2022 and began rolling out in September 2022. The latest upgrade includes a feature that makes it easier for users to remove their personally identifiable information (PII) and explicit images from results in Google Search and the Google app. Users can currently see and request removal of search results that include their personal phone number, home address, or email address. A new dashboard in this upgrade lets users see what contact information, if any, is showing up in Google Search, and adds notifications when personal information appears, helping users request its removal more quickly. Users can request removal of any such information by clicking on their Google account photo in the Google app and choosing the "Results about you" option, or by visiting the "Results about you" page directly. The upgrade will initially be available only in the United States and in English, but Google has stated that expansion to additional languages and regions is underway. Google hopes this update will bring greater functionality and effectiveness to the tool.


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

cyber response, cybersecurity & data privacy, data privacy & cyber risk, data & technology, report
