A phishing campaign abused both the Google App Engine and the Azure App Service to steal victims’ Microsoft Outlook credentials.
A Google Cloud Platform (GCP) service used for developing and hosting web applications, Google App Engine enables customers to direct SSL-protected traffic through their appspot.com domain.
This characteristic thereby lent the domain used in this campaign a sense of legitimacy.
The phishing page informed the visitor that their account credentials were incorrect after they had submitted their username and password. It then sent those details to ‘handler.php,’ a page hosted via Azure’s App Service at “july-28[.].azurewebsites[.]net.”
This domain was one of 110 bait URLs and 72 credential hosting URLs that traced back to this phishing campaign. As noted by Netskope, however, the vast majority of those sites used Azure’s App Service
The threat actor has mostly used Azure App Service to host the credential harvester at azurewebistes.net. It appears the attacker tried out multiple different options to serve the credential harvester and chose to use Azure App Service on an ongoing basis, likely because of its ease of use and Microsoft-issued SSL certs.
The campaign described above highlights the need for organizations to defend themselves against a phishing attack. One of the ways they can do this is by training their employees to spot some of the most common types of phishing campaigns that are in circulation today. They can use this resource to lay the basis for their education efforts.
Maze ransomware group has been amongst one of the most active and fastest-growing ransomware actors. In around one year, it has targeted a number of large organizations, including the digital printing solutions provider Xerox Corporation, Cognizant, and others within the past few months.
Top targeted sectors
Based on the confirmed attack incidents revealed lately, there were a total of nine notable attacks on organizations across different sectors. The majority of which belongs to IT and healthcare.
IT seems to be the favorite sector being targeted with three victims – Lectra (a France based technology company), Westech International Inc. (New Mexico-based Logistics and IT services provider), and Xerox (Connecticut-based IT, digital and print solutions provider).
Maze carried out two attacks on organizations in the healthcare sector – Regis Aged Care Pty Ltd (Australia) and the Montana Veterans Affairs Health Care System (USA).
Maze also targeted the Thailand-based food and beverage manufacturer ThaiBev, Sydney-based strata management firm Strata Plus, the National Highways Authority Of India (NHAI), and the Texas foundry group X-FAB, suggesting that Maze attacks are not specific to a particular field of interest or geographical area.
Mode of operation
Although the initial attack vector for these attacks is not completely understood, the Maze group has now made it a practice to exfiltrate the entire target system data before encrypting it. In several cases, such as Regis Aged Care and NHAI, the attackers released around 5% data upfront to prove its attack, and hence pressurize the firms to quickly pay the ransom.
Recent History
Within the past few months, Maze operators have been busy strengthening their tie-ups and association with other threat groups as well.
At the beginning of June 2020, Maze operators were seen hosting and promoting data stolen by the LockBit gang, which provides hints about the cartel of ransomware operations between them. Very soon, Ragnar Locker also joined their cartel.
Key takeaways
Looking at its pace, Maze operators have emerged as a consistent threat group to watch out for. Although there is no sure shot way to ensure 100% security, organizations can reduce the risks and extent of damage by ensuring proper security measures, such as using strong passwords, multi-factor authentication, and also having a regular backup of the data.
Microsoft has plugged 120 flaws, two of which are being exploited in attacks in the wild
Adobe has delivered security updates for Adobe Acrobat, Reader and Lightroom
Apple has released updates for iCloud on Windows
Google has updated Chrome with security fixes
Microsoft’s updates
Microsoft has released patched for 120 CVEs, 17 of which are critical and the rest important. One (CVE-2020-1464) is publicly known and being actively exploited, and another one (CVE-2020-1380) is also under attack.
CVE-2020-1464 allows an attacker to bypass security features intended to prevent improperly signed files from being loaded, and affects all supported versions of Windows, so patching it should definitely be a priority.
“CVE-2020-1464 is proof that security organizations should not be making their patching decisions solely off the CVSS score and severity rating and instead should be approaching all the security vulnerabilities as a gap in their attack surface, welcoming any malicious player into their network,”.
“Coming in only at a CVSS of 5.3, this spoofing vulnerability has been reported exploited in both legacy and newer versions of Windows and Windows Server, which is more worrisome as 25% of connected Windows devices are still running Windows 7.”
CVE-2020-1380 is a bug in Internet Explorer’s scripting engine and allow code execution on a system running a vulnerable version of the browser.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft explained.
“The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
This flaw is also under active attack, so IE users should be protected against it as soon as possible
Trend Micro Zero Day Initiative’s Dustin Childs also singled out CVE-2020-1472, a NetLogon Elevation of Privilege Vulnerability, as very important to patch quickly.
“A vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access,”
“[The patch released today] enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC.
“There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices,” Microsoft has added.
Other critical vulnerabilities have been fixed in the .NET Framework, Media Foundation, Microsoft Edge, the Windows Codecs Library, the MSHTML Engine, the Scripting Engine, Windows Media, and Outlook.
The provided Outlook updates should also be quickly implemented, as they fix two vulnerabilities – a RCE and information disclosure bug – that could be triggered from the Preview Pane.
As announced last week, Microsoft has also delivered today a fix for CVE-2020-1337, a privilege escalation vulnerability in the Windows Print Spooler service, which affects all the Windows releases from Windows 7 to Windows 10 (32 and 64-bit). The researchers who unearthed it have promised to publish a PoC exploit this week.
Keep updated your machines to escape from these exploits untill they go wild …
Upgraded version of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients.
Agent Tesla is a commercially available .Net-based infostealer with both remote access Trojan (RAT) and with keylogging capabilities active since at least 2014.
This malware is currently very popular with business email compromise (BEC) scammers who use it to infect their victims for recording keystrokes and taking screenshots of compromised machines.
It can also be used for stealing victims’ clipboard contents data, for collecting system information, and for killing anti-malware and software analysis processes.
Credentials are not so safe
After analyzing recently collected samples of the infostealer malware, Walter discovered dedicated code used for collecting both app configuration data and user credentials from multiple applications.
“The malware has the ability to extract credentials from the registry as well as related configuration or support files,”.
Google Chrome, Chromium, Safari, Brave, FileZilla, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, and Outlook are just a small sample of all the apps targeted by the latest Agent Tesla RAT variants.
Once it harvests credentials and app config data, the infostealer will deliver it to its command-and-control (C2) server via FTP or STMP using credentials bundled within its internal configuration.
“Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts,”.
Agent Tesla one of the most actively used malware in attacks targeting both businesses and home users as shown by a list of the top 10 malware strains analyzed on the interactive malware analysis platform Any.Run during the last week.
While far behind Emotet in the number of samples submitted for analysis on the platform, Agent Tesla takes second place in last week’s threats by the number of uploads.
Conclusion
Noting is safe untill proper process is put in place to overlook security.
