

    Date: 10/11/2022

    CISA Shares Actionable Intelligence in Advanced Persistent Threat (APT) Activity Report


    Last month’s report by Group-IB highlights a rising trend of text message-based phishing, which is known as “smishing”. The report describes a high success rate for smishing as compared to more traditional email phishing. 

    On September 28, 2022, an IRS press release reported a “significant increase in texting scams”. The IRS reports that “IRS-themed smishing has increased exponentially” in 2022.  

    The high attacker success rate for smishing suggests that this will become an increasingly common avenue of attack.


    As with most modern scams, the impact of smishing ranges from low-level gift-card fraud to theft of corporate credentials that leads to ransomware and extortion.  Because SMS reaches personal or unmanaged phones, it passes through neither EDR nor the corporate email filters, so smishing is difficult to alert on and investigate.

    Recommended Actions

    This report is well worth reading, especially the recommendations section.  Most recommendations read like a “back to basics” campaign for information security initiatives.  Some of the more straightforward recommendations include:

    • Implementation of Multi-Factor Authentication (MFA) wherever possible
    • Restrict and secure usage of remote administration tools
    • Manage vulnerabilities and configurations
    • Log monitoring for:

      – Connections from VPN providers
      – “Impossible travel” – whereby an account might show activity from Washington DC and Seattle, WA in the same 30-minute period
      – Activity from multiple users coming from the same IP address not associated with the organization
      – Activity in normally dormant accounts
      – Unauthorized changes to user accounts
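    The first four log-monitoring items above are simple to test for once sign-in events carry a source IP and a GeoIP location. The following Python is an added example written for this briefing (it is not from the report, CISA or GreyCastle) and runs over constructed sample events. The coordinates assume an upstream GeoIP lookup; the 900 km/h speed ceiling, the 50 km jitter floor, the 90-day dormancy window, the organisation's egress ranges and the VPN-provider range are all assumptions to be replaced with your own.

```python
"""Log-monitoring checks from the list above, run over constructed sample
sign-in events (added example; not from the report)."""
from __future__ import annotations

import ipaddress
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. lat/lon assume an upstream GeoIP lookup on the IP.
EVENTS = [
    {"user": "alice", "ts": "2022-10-11T13:00:00", "ip": "203.0.113.10", "lat": 38.9072, "lon": -77.0369},   # Washington DC
    {"user": "alice", "ts": "2022-10-11T13:25:00", "ip": "198.51.100.7", "lat": 47.6062, "lon": -122.3321},  # Seattle, 25 min later
    {"user": "bob",   "ts": "2022-10-11T09:00:00", "ip": "10.20.30.40",  "lat": 40.7128, "lon": -74.0060},   # office egress
    {"user": "bob",   "ts": "2022-10-11T17:30:00", "ip": "10.20.30.40",  "lat": 40.7128, "lon": -74.0060},
    {"user": "carol", "ts": "2022-10-11T02:10:00", "ip": "198.51.100.7", "lat": 47.6062, "lon": -122.3321},  # same IP as alice
    {"user": "dave",  "ts": "2022-10-11T02:12:00", "ip": "198.51.100.7", "lat": 47.6062, "lon": -122.3321},
    {"user": "svc-backup", "ts": "2022-10-11T03:00:00", "ip": "203.0.113.10", "lat": 38.9072, "lon": -77.0369},
]
# Constructed baseline: last sign-in seen for each account before this window.
LAST_SEEN = {"alice": "2022-10-10T18:00:00", "bob": "2022-10-10T17:00:00",
             "carol": "2022-10-10T09:00:00", "dave": "2022-10-09T09:00:00",
             "svc-backup": "2022-05-01T03:00:00"}   # silent for months
# Assumed ranges: the organisation's own egress, and a commercial VPN provider's pool.
ORG_NETWORKS = [ipaddress.ip_network("10.20.30.0/24"), ipaddress.ip_network("203.0.113.0/24")]
VPN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _in(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def _haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def vpn_provider_logins(events, vpn_networks=VPN_NETWORKS):
    """Sign-ins whose source IP sits in a known VPN-provider range."""
    return [(e["user"], e["ts"], e["ip"]) for e in events if _in(e["ip"], vpn_networks)]


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Consecutive sign-ins per user that would need a speed above max_kmh (an
    airliner does ~900 km/h). Pairs closer than min_km are ignored to absorb GeoIP jitter."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])          # ISO-8601 strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            km = _haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            hours = (_ts(cur["ts"]) - _ts(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                hits.append((user, prev["ts"], cur["ts"], round(km), round(speed)))
    return hits


def shared_external_ip(events, org_networks=ORG_NETWORKS, min_users=2):
    """IPs outside the organisation's ranges used by min_users or more distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if not _in(e["ip"], org_networks):
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def dormant_account_activity(events, last_seen=LAST_SEEN, dormant_days=90):
    """Sign-ins by accounts whose previous sign-in was dormant_days or more ago."""
    hits = []
    for e in events:
        baseline = last_seen.get(e["user"])
        if baseline is None:
            continue
        gap = _ts(e["ts"]) - _ts(baseline)
        if gap >= timedelta(days=dormant_days):
            hits.append((e["user"], e["ts"], gap.days))
    return hits


if __name__ == "__main__":
    print("vpn provider:", vpn_provider_logins(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
    print("shared external ip:", shared_external_ip(EVENTS))
    print("dormant accounts:", dormant_account_activity(EVENTS))
```

    On the constructed events, alice's DC-to-Seattle pair (about 3,700 km in 25 minutes) is the only impossible-travel hit, 198.51.100.7 is flagged both as a VPN-provider address and as one shared by three accounts, and svc-backup is the only dormant account that woke up. The jitter floor matters in practice: without it, two sign-ins a few minutes apart from neighbouring GeoIP cells divide a small distance by a near-zero interval and page someone for nothing.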



      BazaCall Social Engineering Attacks


      In July of 2021 Microsoft published a security blog detailing its investigation into the BazaCall social engineering campaigns. These campaigns relied on email messages that direct users to call constantly changing phone numbers staffed by the threat actor’s ‘call centers.’ The operators then talk users into downloading malware, normally the BazaLoader payload. BazaLoader gives attackers a backdoor into the affected device as well as hands-on-keyboard control of it.

      However, in recent months, the BazaCall tactics have increased in sophistication, surpassing basic ‘call center’ interactions with new scare tactics convincing users that their devices have been compromised. From there, users would be connected with a certified ‘incident responder’ who could solve their problems, for a hefty fee of course, often sent via PayPal. These ‘responders’ would then be the primary source of remote control over victim devices and would often deploy various malware sources, including the ever-present BazaLoader.

      BazaCall has also used the ‘subscription renewal’ tactic, where users receive emails containing fraudulent invoices for various subscription services. These invoices would, of course, list telephone numbers for ‘support lines’ where, when called, the threat actors begin an ‘over-compensated refund’ scam. Here, the actors convince victims not only that their subscription was cancelled and refunded, but that they were wrongly refunded a high-tier subscription price – e.g., instead of receiving a $50 refund, they received a $500 refund. The victims are then walked through the process of paying back the ‘owed’ amount, again often via PayPal.

      Potential Impact

      Although individual users being scammed out of money is a significant issue, organizations should be especially concerned about the impact of BazaLoader infections in the corporate environment, because BazaLoader’s capabilities have expanded dramatically as the malware has continued to develop. Originally a delivery mechanism for second-stage malware, BazaLoader now contains many post-exploitation capabilities of its own, including privilege escalation, credential dumping, service discovery, lateral movement, and data exfiltration.

      BazaLoader has also expanded its ability to evade security defenses. The malware has primarily relied on Cobalt Strike, a sophisticated post-exploitation framework known for its flexible command and control (C2) channels, to remain hidden in the network. Additionally, BazaLoader has been observed using more than twenty-five native Windows binaries for persistence and stealth on infected devices, a ‘living-off-the-land’ methodology that blends in with legitimate administrative activity.

      Recommended Actions

      As social engineering is the primary tactic of BazaCall campaigns and BazaLoader attack vectors, organizations must be focused on user awareness training. Corporate users need to be educated and trained to detect malicious/fraudulent emails and phone calls to defend against these tactics. Many times, these tactics employ fear, uncertainty, and doubt (often shortened to FUD) to convince victims to act quickly and irrationally. Organizations must train users to understand these tactics and stay vigilant against them. GreyCastle Security recommends organizations use well-crafted and sophisticated user awareness training tactics such as employee phishing to demonstrate the often very legitimate-looking phishing attacks that BazaCall utilizes. This is especially effective during this month (October) as it is Cybersecurity Awareness Month!


      Fortinet Authentication Bypass Vulnerability


      Fortinet has issued an alert to customers for a vulnerability affecting FortiGate firewalls and FortiProxy web proxies that could allow an unauthenticated attacker to perform administrative actions on vulnerable devices. The vulnerability is tracked as CVE-2022-40684 (CVSS score: 9.6) and is an authentication bypass that can be exploited by sending crafted HTTP or HTTPS requests to the administrative interface.

      Potential Impact

      Widespread exploitation of the vulnerability has not yet been observed. However, upgrading to fixed versions is recommended as soon as possible. The full scope of what an attacker could obtain through successful exploitation is not yet understood, but an unauthenticated path to administrative actions means the device configuration, including stored credentials, keys and other sensitive settings, should be treated as a potential target.

      Recommended Actions

      Updating to fixed versions is recommended as soon as possible. Impacted FortiOS versions are 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1 (fixed in 7.0.7 and 7.2.2). Impacted FortiProxy versions are 7.0.0 through 7.0.6 and 7.2.0 (fixed in 7.0.7 and 7.2.1). Where patching must wait, workarounds include disabling Internet-facing HTTPS management interfaces or implementing a local-in-policy to limit which source addresses can reach the management interface.
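      The two workarounds above, expressed in the FortiOS CLI, as an added example written for this briefing (this is not taken from Fortinet’s advisory or from the page). The interface name port1, the 192.0.2.0/24 administrator range, the address object name and the `#` comment lines are assumptions; adjust them to the interface that actually faces the Internet and the range your administrators really come from.

```fortios
# Workaround 1: remove HTTPS (and HTTP) administration from the Internet-facing
# interface. "set allowaccess" replaces the whole list, so name every protocol
# you still want on that interface; here only ping and ssh remain.
config system interface
    edit "port1"
        set allowaccess ping ssh
    next
end

# Workaround 2: keep HTTPS administration up, but only for a trusted source range.
config firewall address
    edit "MGMT_ALLOWED"
        set subnet 192.0.2.0 255.255.255.0
    next
end

config firewall local-in-policy
    # Rule 1: admin traffic from the trusted range to the unit itself is accepted.
    edit 1
        set intf "port1"
        set srcaddr "MGMT_ALLOWED"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set schedule "always"
        set action accept
        set status enable
    next
    # Rule 2: everything else aimed at the admin ports on any interface is denied.
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set schedule "always"
        set action deny
        set status enable
    next
end
```

      Local-in policies are evaluated in order, so the accept rule must come before the deny rule. After applying either workaround, confirm from an address outside the trusted range that the login page no longer answers, and keep the change in place until the unit is actually running a fixed version.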


      Android and IOS Apps Stealing User Login Credentials


      Meta Platforms has disclosed more than 400 malicious mobile apps that target users in order to steal their Facebook credentials. These apps, listed on both the Google Play and Apple App stores, were disguised as legitimate apps, such as photo editors, VPN services, and games, and were propped up with fake reviews to trick users into downloading them. By category, 42.6% were photo editors, 15.4% business utilities (including fake ad-management tools), 14% phone utilities, 11.7% games, 11.7% VPN services and 4.4% lifestyle apps.

      Potential Impact

      Credential theft allows malicious actors to gain access to Facebook accounts and subsequently lock users out by changing multifactor authentication information and passwords. This is especially critical for users with access to business social media profiles on their mobile devices, as these actors could potentially hijack and post malicious or unwanted content on an organization’s Facebook profile.

      Recommended Actions

      A full list of the malicious apps can be found here. Users are urged to check their devices for these apps and to change their passwords immediately if impacted. Furthermore, ensure multifactor authentication is enforced for all business social media accounts.


      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.
