Ransomware/Malware Activity
Tycoon 2FA Phishing Kit Bypasses MFA for M365 and Gmail
Tycoon 2FA is a phishing-as-a-service (PHaaS) platform which has been on the dark market since at least August 2023. A new version of the Tycoon 2FA was released in 2024, introducing a stealthier phishing kit with updates to its JavaScript and HTML code. Tycoon 2FA has been observed in thousands of phishing attacks targeting login credentials for M365 and Gmail. The attack leverages a reverse proxy server which hosts a phishing webpage designed to mimic a legitimate service to steal credentials provided by the victim. In the first step of the attack chain, victims are sent a phishing email containing a malicious link or QR code crafted to lure them into visiting the phishing webpage. The phishing webpage presented is determined by extracting the victim’s email address from the original malicious URL which directs them to the spoofed page of either M365 or Gmail. The phishing site prompts users to input their credentials, which when entered are exfiltrated back to the malicious operator via WebSockets. Victims are then presented with a 2FA challenge, and the token or 2FA response entered by the victim is similarly exfiltrated back to the attacker. Using the credentials and 2FA information, the attacker can authenticate into the victim’s email account which is used to carry out further attacks. Tycoon 2FA is not the only PHaaS platform on the market. Similar PHaaS platforms include LabHost, Greatness, and Robin Banks. The uptick in the sale of the Tycoon 2FA kit is a reminder for organizations to remain vigilant on educating and training employees on how to identify and report phishing emails. CTIX analysts will continue to provide updates on novel and escalating strains of malware and malware campaigns.
- Bleeping Computer: New MFA Bypassing Phishing Kit Targets M365, Gmail Accounts
- Sekoia: Tycoon 2FA: An In-Depth Analysis
Threat Actor Activity
INC Ransom Breaches NHS Scotland's IT System
Following reports of a cybersecurity incident on March 15 that affected services relating to the National Health Service (NHS) of Scotland, cybercriminals from the INC Ransom extortion gang posted images containing medical documents related the organization, saying they would soon leak more data. The cyber extortion gang first emerged in July 2023 with notable attacks on education, healthcare, government, and industrial entities, targeting both public and private sectors. NHS Scotland is the country's public health system, who provides services such as primary care, hospital care, dental care, pharmaceutical, and long-term care. A spokesperson from the Scottish Government stated that the cyber incident remained isolated to just one (1) of the fourteen (14) regional health boards that make up the whole of NHS Scotland, which was reported as NHS Dumfries and Galloway. The sample documents the threat actor published in their initial post contained sensitive information about doctors and patients, including medical assessments, analysis results, and psychological reports. The INC Ransom affiliates claim to have stolen three (3) terabytes of data that they plan on releasing if the ransom is not paid. Thus far, the health service's patient-facing portal seems to be functioning normally. The organization is working with police and the National Cyber Security Center (NCSC) as they continue to navigate and respond to the situation, while the government spokesperson simultaneously asserted that they are coordinating with the health board, Police Scotland, and other agencies to investigate the impact of the breach. NHS Dumfries and Galloway consists of eleven (11) hospitals covering an area of south Scotland that has a population size of roughly 150,000 individuals. NHS Scotland will be directly informing any patients whose information was leaked.
Vulnerabilities
CISA Adds Critical Vulnerabilities Exploited at the Pwn2Own Hacking Contest to the KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified the active exploitation of critical vulnerabilities in Microsoft SharePoint Server, prompting urgent security updates. The first flaw, tracked as CVE-2023-24955, is a code injection vulnerability, allowing authenticated attackers with Site Owner privileges to conduct remote code execution (RCE). The second vulnerability, tracked as CVE-2023-29357, is a privilege escalation flaw enabling attackers to gain administrative rights via spoofed JWT auth tokens. Demonstrated at the Pwn2Own hacking contest in Vancouver by STAR Labs researcher Nguyễn Tiến Giang, these vulnerabilities can be chained for remote code execution on unpatched servers, significantly elevating security risks. In response, CISA has added the flaws to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply patches by no later than April 16, 2023, to prevent potential exploits, including those that might not yet have been used in ransomware attacks but pose significant risks to both federal enterprise and private organizations. The move highlights the urgency of addressing these vulnerabilities to protect critical infrastructure and data from malicious cyber actors. CTIX analysts recommend that all administrators ensure their SharePoint instances are up to date with the most recent software update.
- Bleeping Computer: CVE-2023-24955, CVE-2023-29357 Article
- The Hacker News: CVE-2023-24955, CVE-2023-29357 Article
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
