Malicious Applications by Verified Accounts

Summary: Threat actors were detected in a consent phishing campaign using fake Microsoft Partner Network accounts. The attackers created malicious OAuth applications and published them under verified publisher accounts obtained during the registration process. These applications were designed to breach corporate cloud environments and steal users’ emails. The attackers created fake accounts to trick Microsoft into granting them verified publisher status, then built applications that mimic legitimate ones to trick users into granting the permissions the malicious applications need to work.

These attacks primarily targeted users based in the United Kingdom and Ireland, focusing on finance and marketing staff, managers, and senior executives. Microsoft has since announced that all fraudulent applications have been disabled and affected users have been notified. The company recommends that users review the applications and determine whether additional remediation is required.

Why it matters: Verified accounts are common across multiple platforms, including social media. Their purpose is to confirm that the poster or publisher of content is who they claim to be. In the case of software, verified accounts let customers feel confident that the software they are downloading is non-malicious. By creating fake applications under verified accounts, the attackers gain the users’ trust and get their programs installed. By further mimicking existing apps, the applications trick users into granting them sufficient permissions. This new form of consent phishing is a useful trick for bypassing safeguards built to protect users, and it is further evidence that attackers continue to evolve around protections against malicious applications.
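The remediation the bulletin describes is to review which applications have been granted permissions and revoke the ones that should not have them. The following is an added example, not code from the bulletin or from Microsoft: it triages delegated OAuth consent grants and flags every app holding a mail-reading or mail-sending scope, deliberately treating a verified publisher as informational rather than as a reason to skip the app. The record shapes mimic Microsoft Graph servicePrincipal and oauth2PermissionGrant objects (an assumption about field names); all records, ids and publisher names below are constructed.

```python
"""Triage delegated OAuth consent grants for mail-access permissions.

Added example, not code from the bulletin or from Microsoft. Record shapes
mimic Microsoft Graph servicePrincipal / oauth2PermissionGrant objects (an
assumption about field names); every record below is constructed sample data.
"""

# Delegated Graph scopes that let an app read or send the consenting user's mail.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Send",
               "MailboxSettings.ReadWrite"}

# Constructed service principals: two carry a verified publisher, one does not.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "00000000-0000-0000-0000-000000000001",
     "displayName": "Single Sign-on",
     "verifiedPublisher": {"displayName": "Example Verified Publisher"}},
    {"id": "sp-2", "appId": "00000000-0000-0000-0000-000000000002",
     "displayName": "Helpdesk Portal",
     "verifiedPublisher": {"displayName": "Example Verified Publisher"}},
    {"id": "sp-3", "appId": "00000000-0000-0000-0000-000000000003",
     "displayName": "Meeting Scheduler",
     "verifiedPublisher": {"displayName": None}},  # unverified publisher
]

# Constructed grants: "Principal" = a single user consented, "AllPrincipals" = admin consent.
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-42",
     "scope": "openid profile offline_access Mail.Read"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-7",
     "scope": "Mail.ReadWrite Mail.Send"},
]


def triage_grants(service_principals, grants):
    """Return one finding per grant that hands out a mail scope.

    Verified publisher status is reported but never used to suppress a
    finding: the campaign above shows that status can itself be faked.
    """
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        scopes = set(grant.get("scope", "").split())
        risky = sorted(scopes & MAIL_SCOPES)
        if not risky:
            continue
        sp = by_id.get(grant["clientId"], {})
        publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
        if grant["consentType"] == "AllPrincipals":
            consent = "tenant-wide (admin consent)"
        else:
            consent = f"user consent by {grant['principalId']}"
        findings.append({
            "app": sp.get("displayName", grant["clientId"]),
            "app_id": sp.get("appId"),
            "verified_publisher": publisher,  # informational only
            "consent": consent,
            "mail_scopes": risky,
        })
    return findings


def apps_to_review(findings):
    """Distinct app names that need a human decision (disable and revoke grants, or keep)."""
    return sorted({f["app"] for f in findings})


if __name__ == "__main__":
    for f in triage_grants(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS):
        print(f"{f['app']:<18} publisher={f['verified_publisher']!s:<28} "
              f"{f['consent']:<28} scopes={','.join(f['mail_scopes'])}")
    print("review:", apps_to_review(triage_grants(SAMPLE_SERVICE_PRINCIPALS, SAMPLE_GRANTS)))
```

In a real tenant the two lists would be fetched from the Graph endpoints that return service principals and OAuth2 permission grants; the triage logic stays the same. The point of the design is that a verified publisher label is printed beside the finding but never lowers it, because a user-consented "Single Sign-on" app from a verified publisher is exactly what this campaign looked like.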

Point-of-Sale Attack

Summary: Attackers have released new versions of the Prilex point-of-sale (PoS) malware that can block near-field communication (NFC) payment technologies, forcing users to insert their credit cards so that card data can be stolen. The malware is installed on PoS terminals and detects when shoppers attempt to pay with an NFC-enabled payment option such as a smart watch, phone, or NFC-enabled credit card. The malware can be customized to target specific credit card tiers and can generate cryptograms and “GHOST transactions”.

The inclusion of these new features in Prilex is another adaptation by malicious actors to circumvent the safeguards created against them. Normally, credit cards rely on NFC chips and PINs to help protect their users, and mobile payments add their own safeguards to protect card information. Rather than finding a way to break through these safeguards directly, this new tactic subverts them to make the attack easier.

Why it matters: This point-of-sale attack is an effective tool against credit card users. As it stands, credit cards usually generate one-time-use transaction IDs when paying over NFC, which protects users because any information gathered can only be used once. However, when a credit card is inserted directly into a terminal, where there is no NFC protection, its information can easily be stolen by malware or other malicious actors. In addition, the stolen information can be used to generate new cryptograms, which helps the attacker avoid fraud detection. The biggest concern right now is that there is no way to stop this attack as it occurs, so the best way to avoid becoming a victim is to inspect machines for signs of tampering.

Google Fi SIM Swap Attacks

Summary: A data breach at an undisclosed network provider for Google Fi has allowed hackers to carry out SIM swap attacks. The breach disclosed customers’ phone numbers, SIM card serial numbers, and account and service plan details. Although a data breach has occurred, Google confirms that personal information such as Social Security Numbers, full names, email addresses, and other sensitive information has not been exposed.

Despite the lack of sensitive personal information about the users, hackers have been able to socially engineer SIM swap attacks with the information gathered about the SIM card. This attack has allowed malicious actors to take over accounts, emails, and even MFA. SMS-based authentication, as well as the MFA application Authy, has allowed attackers to receive copies of users’ verification codes.

Why it matters: Phones are commonly used as the primary device for secondary authentication, with users typically receiving codes through an app or SMS. Attackers committing SIM swap attacks can receive their target’s authentication codes by fraudulently porting the target’s number to a new phone. Upon gaining access to the target’s SMS authentication, attackers can then take over the victim’s accounts if they also hold the victim’s other authentication factor. This recent breach thus increases the number of possible SIM swapping victims. As SIM swap attacks can be initiated without the target knowing, it is important to place a lock PIN on the SIM card to prevent unauthorized SIM porting.

The State of Ransomware

Summary: Microsoft announced that there are over 100 threat actors that deploy ransomware in their attacks. Additionally, over 50 different families of ransomware were actively used last year. These various strains are created and run by a small number of threat actors who build ransomware and provide it to others as a service. These ransomware-for-pay services have significantly increased the number of malicious actors able to commit cybercrimes.

Conversely, although the industry’s actors have increased in number, variety, and attacks, the crime itself became significantly less profitable in 2022. Although ransomware remains one of the most widely used types of malware, the public stance against it has matured. Many companies have begun paying attackers less, causing a significant drop in cybercriminal revenue. The causes are various but include the effects of cyber insurance requirements, sanctions on companies associated with ransomware, and the improved cybersecurity posture of companies.

Why it matters: Ransomware is a lucrative business for many criminals. For the past several years, ransomware profits grew at an astonishing rate, meaning the cost of ransomware to victims increased. However, in 2022 the ransomware industry saw a significant 40% drop in profits. This drop correlates with the shortening lifespan of ransomware and the increased number of ransomware strains. Despite the numerous strains out there, the delivery methods themselves are limited, which allows companies to focus on general ransomware protection rather than strain-specific defenses. With the simplification of ransomware defense and the maturation of companies’ cybersecurity posture, ransomware profits are expected to continue declining over the next several years.

ESXiArgs ransomware prevents VMware ESXi recovery

Summary: VMware ESXi is important software used by hundreds if not thousands of enterprise networks around the world and is an integral way to partition servers into multiple virtual machines (VMs). Ransomware attacks specifically targeting these VMs are making it increasingly difficult to recover compromised assets. These new attacks leverage old VMware SLP vulnerabilities, and some victims have stated that systems were breached even after SLP was disabled.

Initially, VM files smaller than 128 MB were encrypted in 1 MB increments, while for files larger than 128 MB only a portion of the file was encrypted, leaving almost 90% of the file unencrypted. An updated version of the malicious code changed this process: all files greater than 128 MB now have 50% of the file encrypted, making it nearly impossible to recover any usable information from the VMs.

Why it matters: In the event VMs are compromised, CISA has created a recovery script to decrypt files from the first version of this attack. To prevent compromise, VMware encourages customers to install the latest security updates and disable OpenSLP. VMware goes on to state that threat actors are specifically targeting products that are significantly out of date or have reached the “End of General Support.” Attackers are currently exploiting a known vulnerability that was first reported via CVE-2021-21974. To date, this malware has been deployed as part of a massive wave of ongoing attacks that has already impacted thousands of vulnerable targets worldwide.

Security Tip of the Month – Mark-of-the-Web Controls

Summary: Organizations worldwide have been warned of an increase in the number of attacks abusing Microsoft OneNote documents for malware delivery. “Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW” [referenced from MITRE]. Files carrying this tag are restricted from performing certain actions and trigger a pop-up warning to users before execution.

The concern, however, is that certain Microsoft applications, like OneNote, do not have these protections, and neither do certain file extensions like .zip and .iso. These files are treated as local files on the system and run without protections. Microsoft has since patched OneNote for attachments, but embedded files in OneNote documents can still be executed by users, much as “enable editing” in MS Word allows the execution of malicious code. Microsoft is working on an official patch to add a security banner to files that contain enabled macros, and recommends that concerned organizations block macros in Office files from the internet to prevent users from inadvertently clicking “enable” within the document.
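To make the MOTW mechanism above concrete, here is an added example (not code from the bulletin, MITRE or Microsoft) that parses the body of the Zone.Identifier stream and then answers the question the two paragraphs raise: is this download tagged, and will the tag actually restrict it? The `[ZoneTransfer]` INI layout with `ZoneId`, `ReferrerUrl` and `HostUrl` keys and the zone numbering are the real Windows format; the sample stream bodies, URLs and file names are constructed, and the lists of formats that do not carry the tag through are taken from the bulletin’s own examples (.zip, .iso, OneNote embedded files). The `read_zone_identifier` helper only works on an NTFS volume under Windows; the rest runs anywhere.

```python
"""Parse a file's Mark-of-the-Web (Zone.Identifier ADS) and judge whether it will restrict the file.

Added example, not code from the bulletin, MITRE or Microsoft. The stream
layout is Windows' real Zone.Identifier format; every sample value below is
constructed. Format lists come from the bulletin's own examples.
"""
import configparser
from dataclasses import dataclass
from pathlib import PurePath
from typing import Optional, Tuple

# URL security zone numbers as written into ZoneId.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Containers the bulletin names: their contents are treated as local files.
CONTAINER_SUFFIXES = {".zip", ".iso"}
# OneNote notebooks: embedded attachments can still be run by the user.
ONENOTE_SUFFIXES = {".one"}

# Constructed stream body, with CRLF line endings as Windows writes them.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://mail.example.test/inbox\r\n"
                 "HostUrl=https://files.example.test/invoice.one\r\n")


@dataclass
class Motw:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(stream_text: str) -> Optional[Motw]:
    """Parse the Zone.Identifier ADS body; None if it is empty or malformed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    try:
        cp.read_string(stream_text)
    except configparser.Error:
        return None
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    section = cp["ZoneTransfer"]
    try:
        zone_id = int(section["ZoneId"])
    except ValueError:
        return None
    return Motw(zone_id, ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}"),
                section.get("ReferrerUrl"), section.get("HostUrl"))


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the hidden ':Zone.Identifier' ADS of a file (Windows/NTFS only); None if absent."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def assess(filename: str, stream_text: Optional[str]) -> Tuple[str, Optional[Motw]]:
    """Classify a download as untagged, low_zone, container, onenote, or protected."""
    motw = parse_zone_identifier(stream_text) if stream_text else None
    if motw is None:
        return "untagged", None          # no MOTW: Protected View / SmartScreen will not engage
    if motw.zone_id < 3:
        return "low_zone", motw          # intranet or trusted zone: few restrictions apply
    suffix = PurePath(filename).suffix.lower()
    if suffix in CONTAINER_SUFFIXES:
        return "container", motw         # tag does not reach the files inside
    if suffix in ONENOTE_SUFFIXES:
        return "onenote", motw           # embedded attachments can still be run by the user
    return "protected", motw


if __name__ == "__main__":
    for name in ("invoice.one", "archive.zip", "image.iso", "report.docm"):
        verdict, tag = assess(name, SAMPLE_STREAM)
        print(f"{name:<14} {verdict:<10} zone={tag.zone_name if tag else '-'}")
    print("report.docm", assess("report.docm", None)[0])
```

On a Windows host, `assess(path, read_zone_identifier(path))` gives the verdict for a real download; the `container` and `onenote` outcomes are the cases the bulletin warns about, where the file is tagged but the tag never reaches what the user actually opens or runs.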

Why it matters: Attackers are always looking for ways to circumvent security protocols and detection tools, which is why it is important that users stay vigilant about what they click on and where documents and emails originate. In December 2022 and January 2023, Proofpoint observed more than 50 malicious campaigns abusing OneNote documents for the delivery of malware such as AsyncRAT, AgentTesla, DoubleBack, NetWire RAT, Redline, Quasar RAT, and XWorm. These attacks depend on the target interacting with the malicious document, so educating users and employees not to open files received from untrusted sources can mitigate the risk.