Biweekly Threat Report
New attacks use Windows security bypass zero-day to drop malware
LockBit ransomware is now moving to a triple extortion tactic
LockBit ransomware is now moving to a triple extortion tactic: exfiltrating and encrypting data, leaking the stolen data, and DDoS attacking the victim. The group has also increased the amount of infrastructure hosting its leaked data so that the leak site stays reachable during further DDoS attacks; this followed LockBit's own site being DDoSed after it threatened to leak data stolen from Entrust.
EvilProxy Phishing-as-a-Service with MFA bypass emerges on the dark web
EvilProxy operators use reverse proxy and cookie injection techniques to bypass 2FA. The victim is shown a realistic login page for Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, PyPI, Yahoo, Yandex and others, but the page is proxied from the real site, so the credentials and the 2FA response are relayed to the genuine service and the resulting authenticated session cookie is captured by the attacker.
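A reverse proxy relays whatever the victim types, so a one-time code is useless as a defence: the code is not tied to the site the victim is looking at. The practitioner's caveat is that origin-bound authentication (WebAuthn/FIDO2) does not have this weakness, because the browser writes the origin it is actually on into clientDataJSON and the authenticator's signature covers a hash of that structure, so the proxy cannot rewrite it. The following is an added example (not EvilProxy code, and not code from the original report) that shows the relying-party-side check; the origin, challenge and lookalike domain are constructed for the illustration and the helper names are assumptions.

```python
import base64
import hashlib
import json
from typing import Tuple

# Constructed values for this example only (not from any real deployment).
RP_ORIGIN = "https://login.example.com"           # origin the relying party expects
PROXY_ORIGIN = "https://login.example-secure.com"  # lookalike domain a reverse proxy would sit on
CHALLENGE = "dGhpcy1pcy1hLXRlc3QtY2hhbGxlbmdl"    # challenge the RP issued (base64url)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: str, ctype: str = "webauthn.get") -> str:
    """Mimic what the browser builds for navigator.credentials.get().

    The browser fills in the origin of the page that called the API. Behind a
    reverse proxy that is the proxy's domain, not the real site's, even though
    the challenge itself was relayed unchanged from the real site.
    """
    data = {"type": ctype, "challenge": challenge, "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(data).encode())


def client_data_hash(client_data_b64: str) -> bytes:
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON), so any
    edit to the origin by a proxy invalidates the signature."""
    return hashlib.sha256(b64url_decode(client_data_b64)).digest()


def verify_client_data(client_data_b64: str, expected_origin: str,
                       expected_challenge: str) -> Tuple[bool, str]:
    """Relying-party check of clientDataJSON before the signature is verified."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid base64url JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch (assertion was produced on another site)"
    return True, "ok"


if __name__ == "__main__":
    # Victim on the real site: passes.
    print(verify_client_data(make_client_data(RP_ORIGIN, CHALLENGE), RP_ORIGIN, CHALLENGE))
    # Victim on the proxy: same relayed challenge, but the origin gives it away.
    print(verify_client_data(make_client_data(PROXY_ORIGIN, CHALLENGE), RP_ORIGIN, CHALLENGE))
```

The challenge check alone would pass in the proxied case, because the proxy forwards the real site's challenge verbatim; it is the origin check, protected by the signature, that breaks the relay.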
InterContinental Hotels Group have been compromised
Parts of IHG's technology systems have been subject to unauthorised activity, disrupting operations since Monday 5 September: customers have been unable to reserve rooms online, although hotels are still operating and can take reservations directly.
Ransomware is increasingly using intermittent encryption to evade detection
Intermittent encryption encrypts only part of each file, for example alternating blocks, instead of the whole file. This lets ransomware operators encrypt victims' files faster and evade detection systems. Encrypting every file in full is a time-intensive process, and the faster the files are encrypted, the less likely the operation is to be detected and stopped in progress. Detection systems may also evaluate the intensity of file I/O operations; with partial encryption, the volume of file I/O is significantly lower and can stay below the detection threshold. Intermittent encryption has been observed in Qyick, Agenda, BlackCat (ALPHV), PLAY and Black Basta ransomware.
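Added example, not code from the report or from any of the ransomware families named above: a toy reproduction of the alternating-block pattern (with a SHA-256 counter keystream standing in for a real cipher), used to show the two effects the paragraph describes and the check a defender wants. Bytes written drop to half, and whole-file entropy is diluted by the untouched blocks, but a scanner that measures entropy per block rather than per file still sees the encrypted half. Block size, threshold and the sample data are constructed for the illustration.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, Tuple

BLOCK = 4096          # granularity of both the toy encryptor and the scanner (assumption)
HIGH_ENTROPY = 7.5    # bits/byte; random data measured over 4 KiB comes out around 7.95

# Constructed sample: 16 blocks of repetitive, low-entropy text.
SAMPLE = (b"The quick brown fox jumps over the lazy dog. " * 2000)[:BLOCK * 16]
KEY = b"example-key-not-for-real-use"


def keystream(key: bytes, block_index: int, length: int) -> bytes:
    """SHA-256 in counter mode as a deterministic stand-in keystream (not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = key + block_index.to_bytes(8, "big") + counter.to_bytes(8, "big")
        out += hashlib.sha256(msg).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blocks(data: bytes, key: bytes, block: int = BLOCK, every: int = 1) -> Tuple[bytes, int]:
    """Encrypt block i only when i % every == 0.

    every=1 is full encryption; every=2 is the alternating pattern described
    above. Returns (output, bytes_written), the latter being the I/O a
    detector watching write volume would see.
    """
    out = bytearray(data)
    written = 0
    for i, off in enumerate(range(0, len(data), block)):
        if i % every:
            continue                      # skipped block: left as plaintext
        chunk = data[off:off + block]     # handles a short final block
        ks = keystream(key, i, len(chunk))
        out[off:off + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, ks))
        written += len(chunk)
    return bytes(out), written


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def scan(data: bytes, block: int = BLOCK, threshold: float = HIGH_ENTROPY) -> Dict[str, object]:
    """Per-block entropy scan. Whole-file entropy is reported too, to show how
    partial encryption dilutes it."""
    ents = [shannon_entropy(data[off:off + block]) for off in range(0, len(data), block)]
    high = sum(1 for e in ents if e >= threshold)
    if high == 0:
        verdict = "plaintext"
    elif high == len(ents):
        verdict = "fully encrypted"
    else:
        verdict = "partially encrypted"
    return {
        "blocks": len(ents),
        "high_entropy_blocks": high,
        "high_fraction": high / len(ents) if ents else 0.0,
        "whole_file_entropy": shannon_entropy(data),
        "verdict": verdict,
    }


if __name__ == "__main__":
    full, w_full = encrypt_blocks(SAMPLE, KEY, every=1)
    part, w_part = encrypt_blocks(SAMPLE, KEY, every=2)
    print("bytes written: full=%d intermittent=%d" % (w_full, w_part))
    for label, blob in (("plaintext", SAMPLE), ("full", full), ("intermittent", part)):
        print(label, scan(blob))
```

The whole-file entropy of the intermittently encrypted sample sits between the plaintext and the fully encrypted value, which is why a file-level entropy threshold tuned for full encryption can miss it, while the per-block view reports exactly half the blocks as high entropy.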
Threat actors are exploiting the death of Queen Elizabeth II
The death of Queen Elizabeth II is being used as bait in phishing attacks that steal Microsoft account credentials. The messages purport to come from Microsoft and invite recipients to an "artificial technology hub" in the Queen's honour; clicking the button embedded in the email redirects the recipient to a phishing landing page built with the EvilProxy phishing kit.
Hackers steal Steam accounts in new Browser-in-the-Browser phishing attacks
The lure is an invitation to a tournament. When the victim visits the website they are asked to link their Steam account for authentication and are shown what looks like the legitimate Steam login popup. The popup is in fact an interactive element drawn inside the original page rather than a real browser window, so its fake address bar shows the correct Steam URL and a green padlock, which makes the fake hard to spot. Because everything the victim types goes to the attacker's page, the same technique can also capture MFA codes.
References
New attacks use Windows security bypass zero-day to drop malware
Fake POCs on GitHub Target Security Researchers