Exploring Information Security


Phishing Threat Intelligence May 2024

Created by ChatGPT

These are the articles and blogs I’ve read over the last month with a lean towards phishing and healthcare. I share this internally with the security team. Feel free to take and use for your own programs.

Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks 

Okta reported a substantial rise in credential stuffing attacks against its customers' online services over the preceding week. Credential stuffing replays username and password pairs harvested from earlier breaches; the attackers combined leaked credential lists with residential proxy services and scripting tools to automate the attempts, and routed the traffic through Tor exit nodes and proxies so that each attempt arrives from a different, ordinary-looking address and slips past simple rate limiting and IP blocking. 

Key Takeaways: 

  • Identity and access management (IAM) provider Okta has observed a significant increase in credential stuffing attacks over the past month. 

  • These attacks leverage readily available resources like residential proxy services, stolen credential lists, and scripting tools. 

  • The attacks target online services and seem to originate from anonymizing tools like Tor exit nodes and various proxies. 

Indicators of Compromise (IOCs): 

  • The surge was observed between April 19 and April 26, 2024. 

  • It was detected by Okta's Identity Threat Research team. 

  • No network indicators are published. The advisory ties the activity to the brute-force campaign against VPN appliances and routers from multiple vendors reported earlier that month, so the practical detections are behavioural: many distinct usernames failing from one source in a short window, and sign-in attempts arriving from anonymizer or residential proxy ranges. 


Black Hat SEO Techniques Used to Distribute Malware 

This report details a malware distribution campaign that leverages black hat SEO techniques. Attackers create malicious websites designed to look legitimate and rank high in search results. These websites are then used to trick users into clicking on them and downloading malware. 

Technical Details: 

  • The payloads are delivered as nested ZIP archives (a ZIP inside a ZIP, sometimes several levels deep), which defeats scanners that only inspect the outer archive and puts several "open" steps between the user and the real executable. 

  • Once downloaded and executed, the malware steals browser data such as browsing history and saved credentials. 


Phishing Remains a Top Threat Despite Decline in Q4 

Phishing attacks continue to be a major threat to organizations of all sizes. According to the Anti-Phishing Working Group (APWG), 2023 was the worst year for phishing on record, with nearly 5 million phishing attacks observed. 

The report also notes a decline in phishing attacks during the fourth quarter of 2023. APWG attributes the drop to Freenom, the free registrar for .tk, .ml, .ga, .cf and .gq domains that attackers relied on to register lookalike domains for legitimate companies, having stopped issuing new domains. While this is a positive development, it serves as a reminder that threat actors are constantly evolving their tactics, and the next source of cheap domains will be abused the same way. 

Key Takeaways 

  • 2023 was the worst year on record for phishing attacks, with nearly 5 million attacks observed. 

  • While there was a decline in Q4 2023 after Freenom stopped issuing free domains, phishing remains a significant threat. 

  • Security awareness training is crucial for educating employees on how to identify and avoid phishing attempts. 

  • Organizations should implement a layered security approach that includes email filtering, employee training, and staying informed about the latest phishing tactics. 


New Technique for Detecting Malware Stealing Browser Data 

A recent post on the Google Security Blog describes a technique for detecting malware that steals browser data by watching the Windows event log for DPAPI decryption events. 

How Browser Data Theft Works 

Many malware programs target browser data, such as cookies and saved credentials. This data can be valuable to attackers, as it can be used to gain access to online accounts, steal financial information, or launch other attacks. 

Traditional Detection Methods 

Traditional methods for detecting malware that steals browser data often rely on behavioral analysis or signature-based detection. However, these methods can be ineffective against new or sophisticated malware. 

Detecting Browser Data Theft with Windows Event Logs 

The technique described in the Google post monitors the Microsoft-Windows-Crypto-DPAPI/Debug event log. DPAPI (Data Protection API) is the Windows facility that Chrome and many other applications use to encrypt secrets at rest under the user's logon credentials. Each time a process calls DPAPI to decrypt a protected blob, Windows can record an event (ID 16385) that names the operation, the description string stored with the blob, and the calling process. 

Chrome tags the blobs it protects with the description "Google Chrome", so a decryption of such a blob by any process other than chrome.exe is a strong signal that something is reading the browser's cookies or saved passwords. The browser itself decrypts its own data whenever it runs, so the alert condition is the identity of the caller, not the decryption by itself. Two caveats: the debug log is off by default and has to be enabled deliberately, and it records every DPAPI call on the host, so it is verbose. 
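The caller check described above, as an added example for this digest rather than code from Google's post. It assumes events from the Microsoft-Windows-Crypto-DPAPI/Debug channel (event ID 16385) have been exported to dicts carrying the OperationType, DataDescription, CallerProcessID and ReturnValue fields, and that process-creation telemetry (Sysmon event 1 or Security event 4688) is available to resolve a PID to an image path. The field values and the sample events are constructed here; verify the exact strings against your own exported log before deploying the rule.

```python
"""Flag non-browser processes decrypting browser-tagged DPAPI blobs.

Added example; not code from Google's post. Field names follow the
DPAPI debug-log event as exported to dicts (an assumption to verify
locally). All sample data below is constructed.
"""
from datetime import datetime

BROWSER_DESCRIPTIONS = {
    # DPAPI description string -> process images allowed to decrypt it
    "Google Chrome": {"chrome.exe"},
    "Microsoft Edge": {"msedge.exe"},
}

# Constructed process table (as built from Sysmon event 1 / Security 4688).
# PIDs are reused by Windows, so the creation time is part of the key.
PROCESS_TABLE = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "created": "2024-05-06T08:59:10"},
    {"pid": 7788, "image": r"C:\Users\jdoe\AppData\Local\Temp\invoice_viewer.exe",
     "created": "2024-05-06T09:14:02"},
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "created": "2024-05-06T09:30:00"},   # PID 4120 reused after Chrome exited
]

# Constructed DPAPI debug-log events (event ID 16385).
SAMPLE_EVENTS = [
    {"time": "2024-05-06T09:00:01", "event_id": 16385, "OperationType": "SPCryptUnprotect",
     "DataDescription": "Google Chrome", "CallerProcessID": 4120, "ReturnValue": 0},
    {"time": "2024-05-06T09:14:05", "event_id": 16385, "OperationType": "SPCryptUnprotect",
     "DataDescription": "Google Chrome", "CallerProcessID": 7788, "ReturnValue": 0},
    {"time": "2024-05-06T09:14:06", "event_id": 16385, "OperationType": "SPCryptProtect",
     "DataDescription": "Google Chrome", "CallerProcessID": 4120, "ReturnValue": 0},
    {"time": "2024-05-06T09:31:00", "event_id": 16385, "OperationType": "SPCryptUnprotect",
     "DataDescription": "Google Chrome", "CallerProcessID": 4120, "ReturnValue": 0},
    {"time": "2024-05-06T09:40:00", "event_id": 16385, "OperationType": "SPCryptUnprotect",
     "DataDescription": "Some Other App", "CallerProcessID": 7788, "ReturnValue": 0},
]


def resolve_image(pid, at_time, table=PROCESS_TABLE):
    """Image path of the most recent process with this PID created at or
    before at_time, or None if the PID is unknown to the process table."""
    t = datetime.fromisoformat(at_time)
    candidates = [p for p in table
                  if p["pid"] == pid and datetime.fromisoformat(p["created"]) <= t]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p["created"])["image"]


def detect(events, table=PROCESS_TABLE, allowed=BROWSER_DESCRIPTIONS):
    """Return one alert per decryption of browser-tagged data by a process
    that is not the browser owning that data (or that cannot be resolved)."""
    alerts = []
    for e in events:
        if e.get("event_id") != 16385 or e.get("OperationType") != "SPCryptUnprotect":
            continue                      # only decryptions are interesting
        owners = allowed.get(e.get("DataDescription"))
        if owners is None:
            continue                      # not a browser-tagged blob
        image = resolve_image(e["CallerProcessID"], e["time"], table)
        basename = image.rsplit("\\", 1)[-1].lower() if image else None
        if basename in owners:
            continue                      # the browser reading its own data
        alerts.append({"time": e["time"], "pid": e["CallerProcessID"],
                       "image": image or "<unknown>",
                       "description": e["DataDescription"],
                       "succeeded": e.get("ReturnValue") == 0})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The third sample event shows why the PID has to be joined against process creation time rather than image name alone: after Chrome exits, a service reusing PID 4120 decrypts a Chrome blob and is correctly flagged. Legitimate exceptions (a backup agent, a password-manager import) are best handled as an explicit allow list keyed on signed image path, not on PID.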

Benefits of This Technique 

This technique has several benefits over traditional methods for detecting browser data theft. First, it is less reliant on signatures, making it more effective against new and unknown malware. Second, it can provide valuable forensic information, such as the time and process that attempted to access the data. 

Security Implications 

This technique highlights the importance of monitoring Windows Event Logs for security threats. By monitoring these logs, security professionals can gain valuable insights into the activities of applications running on their systems. 

Recommendations 

  • Enable the Microsoft-Windows-Crypto-DPAPI/Debug log (it is off by default) and forward it to your SIEM; expect volume, since every DPAPI call on the host is recorded. 

  • Alert on decryption events for browser-tagged data whose calling process is not the browser, correlating the caller's PID with process-creation telemetry so that PID reuse does not hide the culprit. 

  • Investigate any unauthorized attempts to access browser data. 

  • Regularly update your security software and operating system. 

By following these recommendations, organizations can improve their ability to detect and prevent browser data theft. 


Healthcare Organizations Targeted in Social Engineering Campaign with Deceptive Tactics 

High Importance 

A recent report by ReliaQuest describes a social engineering campaign targeting the revenue cycle management (RCM) departments of healthcare organizations. The attackers talked help desk staff into resetting multifactor authentication (MFA) for targeted employees, then used the reset accounts to change bank routing information so that legitimate payments were diverted to accounts under their control. 

Social Engineering Techniques Used: 

The report details how attackers impersonated legitimate users, often healthcare staff, using readily available personal information that may have come from phishing emails, data breaches, or social media. Posing as the staff member, the attacker would contact the help desk, claim a problem with their MFA, and request a reset. To appear legitimate they could offer seemingly valid details about the target, such as the last four digits of their Social Security number, date of birth, or home address, and by combining that apparent knowledge with a sense of urgency they could persuade help desk personnel to perform the reset, compromising the account. Those details are exactly what circulates in breach data, so they cannot serve as proof of identity for an MFA reset; a reset request needs an out-of-band check such as a callback to a number on file or manager confirmation. 


LockBit Black Ransomware Delivered via Phorpiex Botnet Spam Campaign 

High Importance 

A recent phishing campaign leveraged the Phorpiex botnet to distribute LockBit Black ransomware. Millions of malicious emails were sent, targeting a widespread audience. 

Campaign Details: 

  • Phishing emails carrying ZIP attachments, each containing an executable 

  • Running the executable deploys LockBit Black on the victim host 

  • The ransomware appears to be built from the LockBit 3.0 builder that leaked in 2022 

LockBit Black Ransomware: 

LockBit Black is the name of the LockBit 3.0 build; it encrypts victim files and demands a ransom payment for decryption. Because the 3.0 builder leaked in 2022, any group can produce working samples, which is how a high-volume spam botnet like Phorpiex comes to deliver it; a LockBit Black payload therefore does not by itself indicate the core LockBit operation, and the concern is the scale of distribution rather than a new capability. 
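Both the black hat SEO campaign above (nested ZIP archives) and this one (ZIP attachments wrapping an executable) hinge on what is inside an archive that a mail filter or download scanner only looked at from the outside. The script below is an added example for this digest, not code from either report. It assumes the archive bytes are already in hand (for instance pulled from a mail quarantine) and walks nested ZIPs in memory without extracting to disk; the three-level sample archive is constructed inline so it runs offline.

```python
"""Walk nested ZIP archives in memory and report executable payloads.

Added example; not code from either report summarised above.
The sample archive is constructed here for illustration.
"""
import io
import zipfile

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".js", ".vbs", ".lnk",
                       ".bat", ".cmd", ".ps1", ".hta", ".iso", ".img")
MAX_DEPTH = 5                        # stop recursing into ZIP-in-ZIP bombs
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger


def walk_zip(data, depth=0, path="", max_depth=MAX_DEPTH):
    """Yield (member_path, depth, flags) for every file, descending into
    member archives that are themselves ZIPs."""
    if depth > max_depth:
        yield (path, depth, ["max depth exceeded"])
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            flags = []
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                flags.append("executable")
            if ".." in info.filename or info.filename.startswith(("/", "\\")):
                flags.append("path traversal")
            if info.flag_bits & 0x1:
                flags.append("encrypted")    # password-protected: content unscannable
            elif info.file_size > MAX_MEMBER_BYTES:   # declared size, not trusted
                flags.append("oversized")
            else:
                blob = zf.read(info)
                if blob[:2] == b"MZ":        # PE image regardless of extension
                    flags.append("pe header")
                if blob[:4] == b"PK\x03\x04":
                    flags.append("nested zip")
                    yield (member, depth, flags)
                    yield from walk_zip(blob, depth + 1, member, max_depth)
                    continue
            yield (member, depth, flags)


SUSPICIOUS = {"executable", "pe header", "encrypted", "path traversal",
              "oversized", "max depth exceeded"}


def summarize(data):
    """Triage verdict for one archive: block if any member is suspicious."""
    findings = [{"member": m, "depth": d, "flags": f} for m, d, f in walk_zip(data)]
    suspicious = [f for f in findings if SUSPICIOUS & set(f["flags"])]
    return {"max_depth": max((f["depth"] for f in findings), default=0),
            "findings": findings, "suspicious": suspicious,
            "verdict": "block" if suspicious else "allow"}


def _zip_bytes(members):
    """Build a ZIP in memory from {name: bytes}; used only for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: outer.zip -> invoice.zip -> docs.zip -> invoice_2024.pdf.exe
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200   # not a real binary
SAMPLE = _zip_bytes({"invoice.zip": _zip_bytes({"docs.zip": _zip_bytes({
    "invoice_2024.pdf.exe": FAKE_PE,
    "readme.txt": b"open the invoice",
})})})


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for f in result["findings"]:
        print(f["depth"], f["member"], f["flags"])
    print("verdict:", result["verdict"])
```

The depth limit and the declared-size check are what keep this safe to run on attacker-supplied input; the "encrypted" flag matters because a password in the email body is a common way to keep the payload out of reach of scanners while still letting the victim open it.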


Alert: Threat Actors Expand Malicious Use of DNS Tunneling 

High Importance 

Security researchers warn of a growing trend: threat actors are increasingly exploiting DNS tunneling for malicious purposes. DNS tunneling involves encoding data within legitimate DNS requests, creating covert communication channels that bypass traditional security measures. 

Why is this concerning? 

  • Evasion Capabilities: DNS is almost always allowed outbound, so data encoded in queries and responses passes firewalls and proxies that never inspect it, making detection difficult. 

  • Operational Flexibility: The technique serves several malicious purposes beyond command and control, including: 

      • Phishing Email Monitoring: A per-recipient subdomain embedded in a message or its links triggers a DNS lookup when the mail is opened or clicked, telling the attacker which targets interacted and letting them refine their tactics. 

      • Network Vulnerability Scanning: Crafted DNS queries can be used to map a target's network and resolvers without triggering the alerts a conventional port scan would. 

      • Security Measure Bypassing: Tunneled channels can also carry commands and exfiltrated data and help maintain persistence within a compromised network. 
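The traits that make tunneling work (unique, machine-generated subdomains under one domain, often carried in TXT or NULL records) are also what give it away in resolver logs. The script below is an added example for this digest, not code from the cited research. It scores constructed query-log lines, with example.net standing in for the attacker's domain, on three signals: the share of never-repeated subdomains under a registered domain, the entropy and length of those subdomains, and the share of TXT/NULL queries. It approximates the registered domain by the last two labels, which is wrong for co.uk-style suffixes; use a public-suffix list in production.

```python
"""Score DNS query logs for tunneling-style traffic.

Added example; not code from the cited research. Log lines are assumed to
be reduced to "timestamp client qname qtype"; the sample is constructed.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character; random hex tops out near 4, base64 near 6."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """(registered_domain, subdomain) using a two-label approximation."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()}


def score_domains(lines, min_queries=8, min_unique_ratio=0.8,
                  min_entropy=3.5, min_len=30, min_txt_ratio=0.5):
    """Per registered domain: volume, subdomain churn, entropy, record mix."""
    per = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        dom, sub = split_name(rec["qname"])
        per[dom].append((sub, rec["qtype"]))

    report = {}
    for dom, rows in per.items():
        subs = [s for s, _ in rows]
        data = [s.replace(".", "") for s in subs]   # the encoded payload, if any
        unique = len(set(subs))
        avg_len = sum(len(d) for d in data) / len(data)
        avg_ent = sum(shannon_entropy(d) for d in data) / len(data)
        txt_ratio = sum(1 for _, q in rows if q in ("TXT", "NULL")) / len(rows)
        reasons = []
        if len(rows) >= min_queries:
            # Tunnels never repeat a subdomain (cached answers carry no data).
            if (unique / len(rows) >= min_unique_ratio
                    and avg_ent >= min_entropy and avg_len >= min_len):
                reasons.append("high-entropy, non-repeating subdomains")
            # TXT/NULL give the server the widest downstream channel.
            if txt_ratio >= min_txt_ratio and avg_len >= min_len:
                reasons.append("bulk TXT/NULL queries with long names")
        report[dom] = {"queries": len(rows), "unique_subdomains": unique,
                       "avg_len": round(avg_len, 1),
                       "avg_entropy": round(avg_ent, 2),
                       "txt_null_ratio": round(txt_ratio, 2),
                       "flagged": bool(reasons), "reasons": reasons}
    return report


# Constructed sample: ordinary lookups for example.org, then 20 queries to
# example.net whose leftmost label is a hex chunk (tunnel traffic).
SAMPLE_LINES = [
    f"2024-05-10T12:00:{i:02d} 10.0.0.23 {name}.example.org. A"
    for i, name in enumerate(["www", "mail", "www", "cdn", "www",
                              "mail", "www", "cdn", "www", "mail"])
] + [
    f"2024-05-10T12:01:{i:02d} 10.0.0.23 "
    f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:52]}.t.example.net. TXT"
    for i in range(20)
]


if __name__ == "__main__":
    for dom, stats in score_domains(SAMPLE_LINES).items():
        print(dom, stats)
```

Content delivery networks and some telemetry services also generate many unique, long subdomains, so treat a hit as a lead to enrich with domain age and resolver answer sizes rather than as a verdict on its own.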


Cybercriminals Exploit Docusign Phishing Templates 

Summary: Cybercriminals are increasingly targeting Docusign users by distributing customizable phishing templates on cybercrime forums. These templates closely mimic legitimate Docusign emails, luring recipients into providing sensitive information or clicking malicious links. These attacks facilitate various malicious activities, including credential theft and business email compromise (BEC) scams. 


Rising Shadow AI Accounts Elevate Corporate Data Risks 

Summary: Recent research by Cyberhaven Labs reveals a 485% surge in AI tool usage among workers, with 90% occurring through personal "shadow AI" accounts. This trend exposes sensitive corporate data to public AI models, posing significant security risks. Key findings highlight that tech workers are the highest contributors, with substantial portions of sensitive data like legal documents, source code, and HR records being inputted into non-corporate accounts. Companies must address these vulnerabilities to safeguard their data. 

Action Points: 

  • Implement strict AI usage policies. 

  • Educate employees on the risks of shadow AI. 

  • Monitor AI tool usage within the organization.