Crooks hook hundreds of exec accounts after phishing in Azure C-suite pond

Plenty of successful attacks observed with dangerous follow-on activity


The number of senior business executives caught by an ongoing phishing campaign continues to rise, with the criminals racking up hundreds of cloud account takeovers (ATOs) since the campaign started in November.

Researchers from Proofpoint listed many C-suite roles as prime targets for the unnamed attackers, as well as other senior positions such as VPs, sales directors, and finance managers. The customers caught out by the scam were not listed.

The overarching goal, as with all these types of assaults, is to gain access to as many privileged accounts as possible and tap into all the resources available for follow-on crimes. 

In addition to the hundreds of ATOs, "dozens" of Azure environments were also compromised, Proofpoint said.

Naturally, this meant the criminals stole data in some cases, including sensitive files containing financial assets, internal security protocols, and user credentials.

A specific Linux user-agent was identified as one of the most notable indicators of compromise (IoCs); the attackers mainly used it to access the "OfficeHome" sign-in application: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36.

The same user-agent was used to access a number of other Microsoft 365 apps too:

Proofpoint hasn't officially attributed the attacks to a specific group, but some evidence points to them being possibly based in Russia and Nigeria.

Other post-intrusion activity includes tampering with MFA to establish persistent access after the initial compromise. The attackers were spotted registering their own MFA methods, with an authenticator app the preferred choice, it seems, though other techniques such as registering a different phone number were also observed.

Armed with full control of a legitimate business email account, the crims went on to launch internal and external phishing campaigns using the new identity. A legitimate account, in theory, adds a greater sense of authenticity to an email and is less likely to trigger spam filters, potentially offering a greater chance of success.

Email access was also abused to scan for secrets and perform lateral movement across the target organization, in addition to the numerous financial fraud attempts made by sending personalized messages targeting HR and finance departments.

Attackers would also add their own mailbox rules designed to mask their malicious activity.
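The three post-compromise signals described above (the Linux user-agent hitting the OfficeHome app, self-registered MFA methods, and inbox rules that hide mail from the mailbox owner) are exactly what a defender would hunt for in Entra ID sign-in and Microsoft 365 audit logs. The Python below is an added example, not code from Proofpoint or from this article; the record shapes, the audit operation names and the list of "hiding" folders are assumptions modelled on the real log fields and should be checked against your own tenant's exports. The sample records are constructed.

```python
"""Added example: triage constructed Entra ID sign-in and Microsoft 365 audit
records for the post-compromise signals the article describes. The record
shapes below are simplified assumptions, not an actual log export format."""
from collections import defaultdict

# User-agent string quoted in the Proofpoint report as an IoC.
IOC_USER_AGENT = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Audit operation names: the Entra ID authentication-methods audit event and the
# Exchange inbox-rule cmdlets. Assumed here; verify against your tenant's logs.
MFA_OPERATIONS = {"User registered security info"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Folders attackers commonly move mail into so the mailbox owner never sees it.
HIDING_FOLDERS = {"RSS Subscriptions", "Archive", "Deleted Items",
                  "Junk Email", "Conversation History"}


def rule_reasons(rule_name, params):
    """Why an inbox rule looks like it hides mail (empty list if it looks benign)."""
    reasons = []
    if params.get("DeleteMessage") or params.get("MarkAsRead"):
        reasons.append("deletes or marks mail as read")
    if params.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{params['MoveToFolder']}'")
    if len(rule_name.strip(" .-_")) <= 1:
        reasons.append("rule name is empty or just punctuation")
    return reasons


def triage(records):
    """Map each user to a list of (category, detail) findings."""
    findings = defaultdict(list)
    for r in records:
        user = r["user"]
        if r["type"] == "signin":
            if (r.get("userAgent") == IOC_USER_AGENT
                    and r.get("appDisplayName") == "OfficeHome"):
                findings[user].append(("ioc_signin", f"IoC user-agent from {r['ip']}"))
        elif r["type"] == "audit":
            op = r.get("operation")
            if op in MFA_OPERATIONS:
                findings[user].append(("mfa_added", f"registered {r.get('method')}"))
            elif op in RULE_OPERATIONS:
                reasons = rule_reasons(r.get("ruleName", ""), r.get("parameters", {}))
                if reasons:
                    findings[user].append(
                        ("inbox_rule", f"'{r.get('ruleName')}': " + "; ".join(reasons)))
    return dict(findings)


def likely_takeovers(findings):
    """Users with both an IoC sign-in and a persistence action (MFA or inbox rule)."""
    out = []
    for user, items in findings.items():
        cats = {c for c, _ in items}
        if "ioc_signin" in cats and cats & {"mfa_added", "inbox_rule"}:
            out.append(user)
    return sorted(out)


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {"type": "signin", "user": "cfo@example.com", "appDisplayName": "OfficeHome",
     "userAgent": IOC_USER_AGENT, "ip": "203.0.113.7"},
    {"type": "signin", "user": "ops@example.com", "appDisplayName": "OfficeHome",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0",
     "ip": "198.51.100.4"},
    {"type": "audit", "user": "cfo@example.com",
     "operation": "User registered security info", "method": "Microsoft Authenticator"},
    {"type": "audit", "user": "cfo@example.com", "operation": "New-InboxRule",
     "ruleName": ".", "parameters": {"From": "it-security@example.com",
                                     "MarkAsRead": True,
                                     "MoveToFolder": "RSS Subscriptions"}},
    {"type": "audit", "user": "ops@example.com", "operation": "New-InboxRule",
     "ruleName": "Vendor newsletters",
     "parameters": {"From": "news@vendor.example", "MoveToFolder": "Newsletters"}},
]

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for user, items in result.items():
        for cat, detail in items:
            print(f"{user:20} {cat:12} {detail}")
    print("likely takeovers:", likely_takeovers(result))
```

The point of `likely_takeovers` is to combine signals: a single inbox rule or a new authenticator registration is routine in any tenant, but a user whose session carried the IoC user-agent and then registered an MFA method or created a mail-hiding rule is the pattern the article describes, and that combination is what should page someone. Ordering is deliberately not enforced, since the sign-in and audit exports are separate feeds with different delays.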

While the phishing campaign remains ongoing, the researchers advised users to remain wary of all unexpected emails and exercise extreme caution when opening links – the usual stuff.

The sample phishing emails seen by researchers are said to be individualized to their target, directing them to what appears to be a shared document; the link instead redirects to a malicious phishing page.

As security conscious Reg readers know only too well, being sent a link to a document from an unknown sender should immediately be a red flag for any user, even if it is personalized to the target, but the campaign's success rate shows that phishing attempts don't need to be especially sophisticated to achieve their goals.

Looking at the campaign's infrastructure, the attackers use proxy services located close to their targets to evade geofencing policies, though some connections came directly from fixed-line internet service providers (ISPs) without a proxy. Examples of those non-proxy sources were Russia-based Selena Telecom LLC and the Nigerian providers Airtel Networks Limited and MTN Nigeria Communication Limited.

As for locking down systems, the usual advice applies here: monitoring logs for IoCs, enforcing credential changes for compromised users, ensuring security products are configured correctly to detect ATOs, and implementing auto-remediation policies. ®
