Ransomware/Malware Activity
Phishing Platform "EvilProxy" Used in Campaign Targeting 120,000 Microsoft 365 Users
New research shows that EvilProxy is maintaining its status as a popular platform for targeting multi-factor authentication (MFA) enabled accounts. Proofpoint researchers observed over 120,000 phishing emails sent to Microsoft 365 accounts associated with 100 different organizations. The campaign combines Adversary-in-the-Middle (AiTM) phishing with other evasion techniques to bypass the increasing use of MFA: the phishing page is a reverse proxy in front of the real Microsoft login, so it relays the victim's credentials and MFA response to Microsoft and captures the resulting session cookie, which the attacker then replays. The proliferation of MFA phishing kits has created a market in which even people with little hacking skill can, for a small price, run effective and efficient phishing campaigns. The attack chain begins with the attacker impersonating known and trusted services such as DocuSign or Adobe. After the user clicks the malicious link, traffic is bounced through a combination of legitimate open redirectors, malicious cookies, and 404 redirects, eventually landing the user on an EvilProxy phishing page that mimics the branding of the impersonated entity. The user submits their Microsoft 365 credentials there, and within seconds of the compromise the threat actors were logging into the victim's Microsoft 365 account. The threat actors appear to target the most senior people they can reach within an organization, generally C-level executives and directors. Once inside, they use the native Microsoft "My Sign-Ins" page to register an additional MFA method under their control, giving them persistent access because they can now satisfy MFA challenges without re-phishing the victim. From there they can move laterally and escalate privileges throughout the organization and plant further malware in on-premises and cloud systems. Because one-time codes and push approvals can be relayed by an AiTM proxy, defenders should prefer phishing-resistant methods such as FIDO2 security keys or certificate-based authentication for high-value accounts, and should alert on new security-info registrations that follow a sign-in from an unfamiliar location.
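The post-compromise step above, an attacker registering a new MFA method shortly after replaying a stolen session from their own infrastructure, leaves a recognizable pattern in identity logs. The following is an added detection example, not code from Proofpoint, Ankura, or the EvilProxy operators: it correlates constructed sign-in and audit records whose field names are modelled on Microsoft Entra ID (Azure AD) exports (the activity strings "User registered security info" and "User registered all required security info" and the record layout are assumptions for this illustration) and flags security-info registrations that come from, or closely follow a sign-in from, an IP outside the user's baseline.

```python
"""Hunt for attacker-added MFA methods after an AiTM session-cookie theft.

The records below are CONSTRUCTED sample data shaped like Microsoft Entra ID
sign-in and audit log exports; they are not real logs, and the field names
and activity strings are assumptions made for this example.
"""
from datetime import datetime, timedelta

# Constructed baseline: IPs each user normally signs in from (office egress).
BASELINE_IPS = {
    "cfo@example.com": {"203.0.113.10"},
    "dev@example.com": {"203.0.113.10", "198.51.100.7"},
}

# Constructed events in time order. "kind" is "signin" or "audit".
EVENTS = [
    {"time": "2023-08-10T09:00:00Z", "kind": "signin", "user": "cfo@example.com",
     "ip": "203.0.113.10", "result": "success"},
    # AiTM replay: the captured session is used from attacker infrastructure
    # seconds after the victim typed credentials into the proxy page.
    {"time": "2023-08-10T09:14:05Z", "kind": "signin", "user": "cfo@example.com",
     "ip": "192.0.2.44", "result": "success"},
    # Persistence: a new authenticator is registered from the same attacker IP.
    {"time": "2023-08-10T09:15:30Z", "kind": "audit", "user": "cfo@example.com",
     "ip": "192.0.2.44", "activity": "User registered security info",
     "detail": "User registered Authenticator App with Notification and Code"},
    # Benign: a developer enrolls a method from a known office IP.
    {"time": "2023-08-10T10:00:00Z", "kind": "signin", "user": "dev@example.com",
     "ip": "198.51.100.7", "result": "success"},
    {"time": "2023-08-10T10:02:00Z", "kind": "audit", "user": "dev@example.com",
     "ip": "198.51.100.7", "activity": "User registered security info",
     "detail": "User registered Authenticator App with Notification and Code"},
]

# Assumed audit activity names that indicate a new MFA method was enrolled.
REGISTRATION_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_mfa_registrations(events, baseline, window=timedelta(minutes=30)):
    """Return alerts for security-info registrations that look attacker-driven.

    A registration is flagged when it originates from an IP outside the user's
    baseline, or when a successful sign-in from a non-baseline IP for the same
    user occurred within `window` before it (the replayed AiTM session).
    Each alert lists every reason that fired so an analyst can triage it.
    """
    alerts = []
    recent_signins = {}  # user -> list of (timestamp, ip)
    for ev in events:
        ts = parse_ts(ev["time"])
        user = ev["user"]
        known = baseline.get(user, set())
        if ev["kind"] == "signin" and ev.get("result") == "success":
            recent_signins.setdefault(user, []).append((ts, ev["ip"]))
            continue
        if ev["kind"] == "audit" and ev.get("activity") in REGISTRATION_ACTIVITIES:
            reasons = []
            if ev["ip"] not in known:
                reasons.append(f"registration from non-baseline IP {ev['ip']}")
            for seen_at, ip in recent_signins.get(user, []):
                if ip not in known and timedelta(0) <= ts - seen_at <= window:
                    reasons.append(
                        f"preceded by sign-in from non-baseline IP {ip} "
                        f"at {seen_at.isoformat()}"
                    )
            if reasons:
                alerts.append({
                    "user": user, "time": ev["time"], "ip": ev["ip"],
                    "detail": ev.get("detail", ""), "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(EVENTS, BASELINE_IPS):
        print(alert["time"], alert["user"], alert["ip"], alert["detail"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run against the sample data, only the CFO's registration is reported, with both reasons attached; the developer's enrollment from a known office IP is left alone. In production the baseline would come from a trailing window of successful sign-ins per user rather than a hard-coded set, and the alert is worth raising even when only the second reason fires, since the attacker may register the method from a different host than the one used for the replay.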
Threat Actor Activity
Chinese Hackers Attributed to Targeting At Least 17 Countries
RedHotel, tracked by Microsoft as Charcoal Typhoon, is a state-sponsored hacking group affiliated with China's Ministry of State Security. The group has targeted organizations globally across a wide range of industry verticals, using a range of malware in both economic espionage and intelligence-gathering campaigns. Notably, it has targeted at least seventeen (17) countries, the majority of them in Southeast Asia, as well as the United States. Victims have primarily been government organizations, including prime ministers' offices, finance ministries, legislative bodies, and interior ministries. RedHotel has also targeted technology R&D and, historically, COVID-19 research, along with academia, aerospace, media, technology, and telecommunications. The group uses malware families shared with other Chinese advanced persistent threat (APT) groups, such as ShadowPad and Winnti, which helps it blend in and makes attribution more difficult. However, its distinct infrastructure and high operational tempo, together with its broad use of both custom malware and offensive security tools, have helped differentiate its operations from those of other likely Chinese state-sponsored groups.
Vulnerabilities
Microsoft Patches Actively Exploited Zero-Day Vulnerabilities
Microsoft's August 2023 Patch Tuesday fixed eighty-seven (87) vulnerabilities, including six (6) critical remote code execution (RCE) flaws. Two (2) of them are actively exploited zero-day vulnerabilities, tracked as CVE-2023-36884 (an RCE flaw) and CVE-2023-38180 (a denial-of-service (DoS) flaw). The first zero-day affects Microsoft Office and Windows HTML components and allows attackers to craft malicious Microsoft Office documents that bypass the Mark of the Web (MoTW) security feature on vulnerable systems, so a downloaded document is not opened with the usual Protected View restrictions. Exploitation of this flaw has been attributed to RomCom, a Russia-affiliated threat actor confirmed to have targeted Ukraine as well as pro-Ukrainian targets in Eastern Europe and North America. The DoS vulnerability affects .NET and Microsoft Visual Studio. No technical details of the exploit are public at this time, but Microsoft states that the "code or technique is not functional in all situations and may require substantial modification by a skilled attacker." To mitigate these flaws, CTIX analysts recommend that all Microsoft customers apply the August 2023 updates not only to Windows but also to their Office, .NET and Visual Studio installations, since the DoS flaw is fixed in those products rather than in the operating system. Details for each vulnerability can be found in the Microsoft August 2023 Patch Tuesday advisory linked below.
- Bleeping Computer: Microsoft August 2023 Patch Tuesday Article
- The Hacker News: Microsoft August 2023 Patch Tuesday Article
- Microsoft: August 2023 Patch Tuesday Advisory
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.