News: 1734586210

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Don't fall for a mail asking for rapid Docusign action – it may be an Azure account hijack phish

(2024/12/19)


Unknown criminals went on a phishing expedition that targeted about 20,000 users across the automotive, chemical and industrial compound manufacturing sectors in Europe, and tried to steal account credentials and then hijack the victims' Microsoft Azure cloud infrastructure.

After taking over victims' accounts, the miscreants signed into new devices using stolen creds so they could maintain access to the cloud environment – and sensitive data therein.

Palo Alto Networks' Unit 42 researchers spotted the campaign, which peaked in June and remained active as of September.

[1]

While they can't attribute the attacks to a particular crew or individual, they did find both Ukrainian and Russian language websites linked to the attack infrastructure. "However we cannot determine the nature or rationale for these links," Unit 42 senior threat researcher Nathaniel Quist told The Register .

[2]

[3]

The threat hunters can't put an exact number on compromised victims, as the team was "only able to collect a handful of data regarding the countries and organizations," he added. "We have strong confidence that the targets were primarily based within the UK and Europe."

Unit 42 has seen an increase in attacks targeting cloud infrastructure, and these typically point toward data theft being the crooks' primary goal. Stolen information and credentials can then be used to extort a ransom payment from the victim org, or simply be sold on cyber crime marketplaces.

[4]

"During the investigation we found that primary actions taken by the actors were to establish persistence within the cloud environment," Quist explained. "They also made several failed attempts to access cloud storage and create new users. These actions could have a long tail strategic goal – however, they were blocked before successfully completing their objectives."

The attackers sent phishing emails that included a Docusign-enabled PDF file or an embedded HTML link directing victims to malicious HubSpot Free Form Builder. As Docusign’s purpose is gathering digital signatures on documents, the presence of such files creates a feeling of urgency that action is needed – classic social engineering bait that phishers love to employ.

Victims would end up at the HubSpot [5]Free Form Builder , from which they would be redirected to the attackers' credential harvesting pages that mimic a Microsoft Outlook Web Access login page. This would prompt the victims to enter their email and password for Azure at which point the attackers steal them, gaining access to their cloud environments.

[6]

"We verified that the phishing campaign did make several attempts to connect to the victims' Microsoft Azure cloud infrastructure," Unit 42 researchers Shachar Roitman, Ohad Benyamin Maimon and William Gamazo [7]wrote in a report published Wednesday.

At least 17 working Free Forms were used to redirect victims, we're told, and the researchers list these URLs in the report's [8]Indicators of Compromise section.

[9]Phishers cast wide net with spoofed Google Calendar invites

[10]The only thing worse than being fired is scammers fooling you into thinking you're fired

[11]Crooks stole AWS credentials from misconfigured sites then kept them in open S3 bucket

[12]Russian spies may have moved in next door to target your network

Most of the infrastructure behind this campaign had been taken offline by the time Unit 42 started tracking the attacks, but the researchers found two active implementations, which allowed them to collect phishing-pace source code. It used a Base64-encoded URL for credential harvesting and redirecting the victims to an Outlook Web Access login page:

The sample source code revealed that the phishing links led victims to websites using a URL that simulated the target victim organization's name. The phishing websites presented to the victim included their organization's name followed by the top-level domain .buzz (i.e., http[:]//www.acmeinc[.]buzz):

Some of the phishing infrastructure used providers that claim to provide resilient and secure anonymous hosting services. The attacker also used the same hosting infrastructure for multiple campaigns, and for accessing compromised Microsoft Azure tenants.

Quist assured us that the attackers were blocked before they could complete their evil deeds, there is no shortage of other phishing lures being cast into email inboxes.

Earlier this week, Check Point researchers reported they had spotted a financially motivated phishing campaign that sent 4,000 emails to more than 300 organizations over four weeks. This one [13]spoofed Google Calendar emails for financial scams.

Considering that these phishes only work if they can elicit an urgent or emotional response in the targeted victims – such as responding to an employer's event invite or DocuSign file, reviewing a [14]you're-fired notice , or weighing in on a [15]return-to-work survey – it's always a good idea to think before you click. And always verify the sender's address and any URL contained in an email.

These crooks are always innovating, and while security products can help, the end user always plays a major role in preventing phishing attacks. ®

Get our [16]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z2P83zfmiQq7f-id6OBKWwAAARU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z2P83zfmiQq7f-id6OBKWwAAARU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z2P83zfmiQq7f-id6OBKWwAAARU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z2P83zfmiQq7f-id6OBKWwAAARU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://www.hubspot.com/products/marketing/forms

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z2P83zfmiQq7f-id6OBKWwAAARU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://unit42.paloaltonetworks.com/european-phishing-campaign/

[8] https://unit42.paloaltonetworks.com/european-phishing-campaign/#post-137925-_8m9p75m3jvm9

[9] https://www.theregister.com/2024/12/18/google_calendar_spoofed_in_phishing_campaign/

[10] https://www.theregister.com/2024/11/28/fired_phishing_campaign_cloudflare/

[11] https://www.theregister.com/2024/12/09/aws_credentials_stolen/

[12] https://www.theregister.com/2024/11/25/infosec_news_in_brief/

[13] https://www.theregister.com/2024/12/18/google_calendar_spoofed_in_phishing_campaign/

[14] https://www.theregister.com/2024/11/28/fired_phishing_campaign_cloudflare/

[15] https://www.theregister.com/2024/09/29/interview_with_a_social_engineering/

[16] https://whitepapers.theregister.com/



Can these attacks trigger a browser to supply the credentials?

trindflo

I've long been curious if these phishing attacks are good enough to extract your Office 365 credentials if you stored them in your browser. Ominious in that the victim might assume a broken link and not realize their credentials had been harvested.

Re: Can these attacks trigger a browser to supply the credentials?

Bendacious

Happy to be corrected but this is not really possible from a normal phishing attack. If you have stored credentials for microsoft.com then your browser will only give up those credentials to that website name. When you visit the phishing page your browser won't even auto-complete the user name field, as it is the wrong website name. That's why phishers go to quite a lot of effort to make their websites look exactly like microsoft.com or paypal.com because they need you to be fooled into typing the user name and password. Of course a much more sophisticated attack might be able to get the credentials but then it's not really a phishing attack.

Attacker options:

Attach a file to the email, or get the user to download and run a file - then they have access to your PC and potentially your credentials

Attacker gains control of domain name, or one page of the website microsoft.com (pretty unlikely but you never know with microsoft)

Using public wi-fi could allow an attacker to make their website appear to be microsoft.com to your browser

In the mists of time it was possible to embed the microsoft.com website inside an attacker's website and grab the credentials as they were passed over. Modern browsers won't allow that but who's to say no one will find a bug that allows this attack again.

It is (almost) always the URLs that are the problem

Anonymous Coward

HTML forms should be blocked from authenticating by default. Either separate apps should be used to authenticate, or there should be a separate protocol within browsers.

URLs allowed to authenticate should be whitelisted and personalized instead of blacklisted, because number of URLs to blacklist is infinite. Whitelisted URLs should be specific pages/paths, as domains can be hijacked serving newly created malicious subpages, or some domains contain 3rd party content.

Lee D

One thing I've been saying for years - long before I watched Dragon's Den with Peter Jones - is that you never sign a damn thing just because someone is pressuring you to there and then.

If anything, it should make you MORE wary. Or even walk away.

Which is why the Peter Jones reference. I remember him giving a "countdown" to someone on how long his offer stood, trying to pressure them into accepting it.

I said at the time: That's the point at which I'd tell him I'm not interested. Who does business like that, and why would you ever do business with them?

That explains "return to office" demands

that one in the corner

> these phishes only work if they can elicit an urgent or emotional response in the targeted victims

So being physically immersed in the office culture is a cyber security defense policy: when you are dead inside...

I'm receiving a coded message from EUBIE BLAKE!!