Three novel credential-phishing campaigns have emerged from state-sponsored actors that have compromised at least 40,000 corporate users - including top-level executives - in just three months' time, researchers have found.
The attacks target a range of industries and enter corporate environments through browsers, allowing them to get past network infrastructure security controls and cloud network services and demonstrating an evolution in capabilities on the part of adversaries, according to researchers from Menlo Security who discovered them.
The campaigns - called LegalQloud, Eqooqp, and Boomer - are characterized by their deployment of what the researchers call highly evasive and adaptive threat attack techniques that can circumvent controls such as multifactor authentication and URL filtering.
Tactics used by the campaigns include bypassing MFA and using phishing kits and adversary-in-the-middle (AitM) tactics to take over user sessions; impersonating entities, primarily Microsoft, that are familiar to or associated with the targeted organizations; and using dynamic phishing links that are hard for filtering technologies to track and therefore to detect.
Though researchers have established some attribution to a group previously tracked by Microsoft as Storm-1101/DEV-1101 - known for its development of AitM tactics that are used in the campaigns - it's not entirely clear exactly to which nation the attacks are linked.
All told, the campaigns targeted more than 3,000 unique domains across more than 10 industries and government institutions, and six out of 10 malicious links that users clicked on were connected to some kind of phishing campaign or fraud, with one in four phishing links getting past legacy URL filtering, the researchers found.
Specific Credential-Stealing Campaigns

Though the campaigns have similarities, each has its own unique set of targets and tactics, all with the ultimate goal of extracting credentials from corporate users for further malicious purposes, primarily cyber-espionage.
LegalQloud, so named because it impersonates legal firms to steal Microsoft credentials, targeted 500 enterprises in 90 days and is exclusively hosted on Tencent Cloud, the cloud service of the largest Internet company in China.
This hosting enables the URLs to bypass traditional categorization and allow-list controls, the researchers said.
Eqooqp has been targeting multiple government and private sector organizations - including logistics, finance, petroleum, manufacturing, higher education, and research firms - with AitM attacks that can defeat MFA. Menlo found nearly 50,000 attacks associated with the campaign, which uses malicious HTML attachments or links to pages that mimic Microsoft to phish credentials.
Another phishing campaign, Boomer, is especially intricate, targeting the government and healthcare sectors with advanced evasive techniques that include dynamic phishing sites, custom HTTP headers, tracking cookies, bot-detection countermeasures, encrypted code, and server-side generated phishing pages.
The campaign's Web application also employs a hidden iframe that's designed to detect bots and scan automation as a further advanced evasion tactic, the researchers found.
Demand for Stronger Defense

What all this amounts to is that organizations continue to have their work cut out for them to keep up with the evolving nature of attacks, especially from well-resourced state-sponsored actors, security experts say.
This Cyber News was published on www.darkreading.com. Publication date: Sat, 29 Jun 2024 04:43:05 +0000