Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Intern).
Top stories – 4 August 2023
- Microsoft exposes Russian hackers’ sneaky phishing tactics via Microsoft Teams chats
- Threat actors abuse Google AMP for evasive phishing attacks
- Splunk SOAR unauthenticated log injection let attackers execute malicious code
- Phishers exploit Salesforce’s email services zero-day in targeted Facebook campaign
- Russian cyber adversary linked to 94 new domains following recent disclosures
Microsoft exposes Russian hackers’ sneaky phishing tactics via Microsoft Teams chats
Key takeaways:
- Microsoft exposes Russian nation-state threat actor Midnight Blizzard’s social engineering attacks using compromised Microsoft 365 tenants.
- The attack delivers phishing lures through Teams chats and has affected fewer than 40 organisations since late May 2023.
- Methods include token theft and authentication spear-phishing, leading to account takeovers and post-compromise activities.
The details:
Microsoft has disclosed a series of targeted social engineering attacks conducted by a Russian nation-state threat actor, identified as Midnight Blizzard (also known as Nobelium, APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes). The attacks involved credential theft phishing lures sent as Microsoft Teams chats.
Midnight Blizzard used previously compromised Microsoft 365 tenants belonging to small businesses to create new domains that masqueraded as technical support entities. It then sent phishing lures as Teams messages and tried to steal credentials from targeted organisations by convincing users to enter multi-factor authentication (MFA) codes.
The campaign, ongoing since at least late May 2023, has affected fewer than 40 organisations worldwide across the government, non-governmental organisation (NGO), IT services, technology, discrete manufacturing and media sectors. The threat actor gained initial access through token theft and also used authentication spear-phishing, password spraying and brute-force attacks.
The attacks involved adding a new onmicrosoft.com subdomain to a previously compromised tenant, then creating a new user in that tenant to initiate Teams chat requests posing as Microsoft’s Identity Protection team or technical support. If the target accepted the message request and followed the instructions, the attacker obtained an authentication token for the account, leading to account takeover and post-compromise activity.
The threat actor also attempted to register a device as a managed device in the organisation’s Microsoft Entra ID tenant, in order to bypass conditional access policies that restrict access to specific resources to managed devices only.
These attacks followed Midnight Blizzard’s earlier phishing attempts against diplomatic entities in Eastern Europe to deliver a new backdoor called GraphicalProton. Separately, new Azure AD (AAD) Connect attack vectors were reported that would let an attacker plant a hard-to-detect backdoor by stealing password hashes during password hash synchronisation, and launch adversary-in-the-middle (AitM) attacks to intercept credentials.
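The technique described above leaves a usable signal: the lure arrives as an external Teams chat request from a freshly created user in a tenant whose default *.onmicrosoft.com domain has been chosen to look like Microsoft support. The following heuristic triage is an added example written for this roundup, not code from Microsoft or the linked article; the event field names, brand-token list and sample events are constructed assumptions rather than any product's log schema.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of external Teams chat requests (not real telemetry; the
# field names are an assumption, not any product's log schema).
SAMPLE_EVENTS = [
    {"sender": "helpdesk@contoso-partner.onmicrosoft.com", "display_name": "Contoso Helpdesk"},
    {"sender": "support@msidentityprotection.onmicrosoft.com", "display_name": "Microsoft Identity Protection"},
    {"sender": "alice@fabrikam.com", "display_name": "Alice Jones"},
    {"sender": "it@microsoft-support-team.onmicrosoft.com", "display_name": "Technical Support"},
]

# Tokens an impostor tenant would use to look like Microsoft support (heuristic, not exhaustive).
BRAND_TOKENS = ("microsoft", "msft", "identity", "protection", "security", "support", "helpdesk")
# Domains from which a genuine Microsoft employee message would originate.
LEGIT_MS_DOMAINS = {"microsoft.com"}

ONMICROSOFT_RE = re.compile(r"^[^@]+@([a-z0-9-]+)\.onmicrosoft\.com$", re.I)


def tenant_subdomain(sender: str) -> Optional[str]:
    """Return the default-tenant label if sender is <user>@<label>.onmicrosoft.com, else None."""
    m = ONMICROSOFT_RE.match(sender.strip())
    return m.group(1).lower() if m else None


def brand_tokens_in(text: str) -> List[str]:
    low = text.lower()
    return [t for t in BRAND_TOKENS if t in low]


def score_event(event: dict) -> Tuple[int, List[str]]:
    """Score one chat request; higher means more likely a tenant impersonating Microsoft support."""
    score, reasons = 0, []
    sender = event["sender"].strip().lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    label = tenant_subdomain(sender)
    if label is not None:
        # Genuine Microsoft staff do not message from a *.onmicrosoft.com default domain.
        score += 1
        reasons.append("sender uses a *.onmicrosoft.com default tenant domain")
        hits = brand_tokens_in(label)
        if hits:
            score += 2
            reasons.append(f"tenant label contains brand tokens {hits}")
    if "microsoft" in brand_tokens_in(event.get("display_name", "")) and sender_domain not in LEGIT_MS_DOMAINS:
        score += 2
        reasons.append("display name claims Microsoft but sender domain is not microsoft.com")
    return score, reasons


def triage(events, threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Return (sender, score, reasons) for every event scoring at or above the threshold."""
    flagged = []
    for e in events:
        s, r = score_event(e)
        if s >= threshold:
            flagged.append((e["sender"], s, r))
    return flagged


if __name__ == "__main__":
    for sender, s, reasons in triage(SAMPLE_EVENTS):
        print(f"{s}  {sender}\n    " + "\n    ".join(reasons))
```

The score is deliberately additive so an analyst can see which condition fired; in practice the same check belongs in whatever pipeline receives Teams audit events, combined with the tenant's external-access policy so that unsolicited chat requests from unknown tenants are blocked rather than merely scored.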
The severity of the attacks has prompted Microsoft to issue warnings and advise organisations to be vigilant in protecting their systems and credentials from such sophisticated threats.
Article link: https://www.bleepingcomputer.com/news/security/over-400-000-corporate-credentials-stolen-by-info-stealing-malware/
Threat actors abuse Google AMP for evasive phishing attacks
Key takeaways:
- Security researchers are warning about a rise in phishing attacks that abuse Google Accelerated Mobile Pages (AMP) to get past email security and reach employee inboxes.
- The AMP URLs sit on Google’s trusted domain, so reputation checks pass them; the URL then redirects the recipient to the phishing site, which also complicates automated analysis.
- Anti-phishing telemetry shows a marked increase in AMP-based attacks since mid-July, underlining the need for heightened vigilance and strong security controls.
The details:
Security researchers have raised concerns about a rise in phishing attacks that exploit Google Accelerated Mobile Pages (AMP) to bypass email security measures and reach enterprise employees’ inboxes. Google AMP is an open-source HTML framework developed with 30 partners to improve mobile web content loading speeds.
Phishing emails containing Google AMP URLs are built to slip past email protection technology: URL reputation checks see Google’s trusted domain and do not flag the message as suspicious. The AMP URL then redirects the recipient to the actual phishing site, adding a layer that disrupts analysis.
Data from anti-phishing protection company Cofense indicates a significant increase in phishing attacks using AMP since mid-July, suggesting that threat actors are adopting this method. Some attackers even utilise an additional redirection step, abusing a Microsoft.com URL to redirect victims to a Google AMP domain and eventually to the actual phishing site. To further thwart security bots, attackers employ Cloudflare’s CAPTCHA service, preventing automated analysis of the phishing pages.
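Because the visible link points at Google, the useful detection step is to unwrap the AMP URL and evaluate the destination it encodes. The following example is added here and is not code from Cofense or the linked article. It handles the two AMP URL shapes whose layout is public (the Google viewer form https://www.google.<tld>/amp/s/<host>/<path> and the cache form https://<host>.cdn.ampproject.org/c/s/<host>/<path>, where "s/" marks an https origin); the additional Microsoft.com redirect layer mentioned above is not modelled because the article does not give its form. The email body and hostnames are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Google AMP viewer URLs: https://www.google.<tld>/amp/s/<host>/<path> ("s/" = https origin)
GOOGLE_HOST_RE = re.compile(r"^(?:www\.)?google\.[a-z.]+$", re.I)
GOOGLE_AMP_PATH_RE = re.compile(r"^/amp/(s/)?(.+)$")
# Google AMP cache URLs: https://<host-with-dashes>.cdn.ampproject.org/c/s/<host>/<path>
AMPPROJECT_HOST_RE = re.compile(r"\.cdn\.ampproject\.org$", re.I)
AMPPROJECT_PATH_RE = re.compile(r"^/[cv]/(s/)?(.+)$")

# Constructed phishing email body (not a real sample); the hostnames are made up.
SAMPLE_BODY = """Your mailbox storage is almost full.
Review now: https://www.google.com/amp/s/mail-quota-review.example/login?acct=42
Help centre: https://www.example.com/help
"""


def unwrap_amp_once(url: str) -> Optional[str]:
    """Return the page wrapped by one AMP viewer/cache URL, or None if url is not AMP-wrapped."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = unquote(parts.path)
    if GOOGLE_HOST_RE.match(host):
        m = GOOGLE_AMP_PATH_RE.match(path)
    elif AMPPROJECT_HOST_RE.search(host):
        m = AMPPROJECT_PATH_RE.match(path)
    else:
        return None
    if not m:
        return None
    scheme = "https" if m.group(1) else "http"
    inner = m.group(2)
    if parts.query:  # the query string belongs to the wrapped page
        inner += "?" + parts.query
    return f"{scheme}://{inner}"


def unwrap_amp(url: str, max_hops: int = 5) -> List[str]:
    """Follow nested AMP wrappers; returns the chain from the original URL to the final target."""
    chain = [url]
    for _ in range(max_hops):
        nxt = unwrap_amp_once(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def amp_wrapped_links(body: str) -> Dict[str, str]:
    """Map every AMP-wrapped URL found in an email body to the destination it really points at."""
    return {u: unwrap_amp(u)[-1] for u in URL_RE.findall(body) if unwrap_amp_once(u) is not None}


if __name__ == "__main__":
    for shown, real in amp_wrapped_links(SAMPLE_BODY).items():
        print(f"{shown}\n  -> {real}")
```

The destination returned by amp_wrapped_links is what should be fed to reputation lookups, sandboxing and blocklist matching; scoring the google.com wrapper itself is exactly the mistake the campaign relies on.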
These multi-layered detection-evading techniques make it increasingly challenging for targets and security tools to identify and block phishing threats effectively. Organisations need to stay vigilant and implement robust security measures to protect against such sophisticated phishing attacks.
Article link: https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-amp-for-evasive-phishing-attacks/
Splunk SOAR unauthenticated log injection let attackers execute malicious code
Key takeaways:
- Splunk has disclosed a high-severity vulnerability in Splunk SOAR that allows unauthenticated log injection and could lead to malicious code execution.
- Exploitation requires that the log is viewed in a terminal application that interprets ANSI escape codes, and the impact is bounded by the permissions of the user viewing it.
- The flaw is tracked as CVE-2023-3997 (CVSS 8.6). A malicious web request plants the escape sequences in the logs, and they take effect when a user views the log in a terminal. Upgrading Splunk SOAR is advised.
The details:
Splunk has disclosed a high-severity vulnerability in Splunk SOAR (Security Orchestration, Automation, and Response) that allows unauthenticated log injection. The vulnerability could enable a malicious actor to execute harmful code on the system.
Exploitation requires a terminal application capable of interpreting ANSI escape codes, and the terminal must be running with the permissions needed for the injected sequences to do harm.
The vulnerability has been assigned CVE-2023-3997 with a CVSS score of 8.6, indicating high severity.
To exploit it, a threat actor sends a malicious web request to a SOAR endpoint so that attacker-controlled content is written to the logs. When a user later views the poisoned log in a terminal that interprets the escape codes, the injected sequences take effect, which can lead to code execution on that system.
The impact therefore depends on the permissions of the user reading the log file. If the malicious log file is copied and read on a local machine, that machine is affected rather than the SOAR instance itself.
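The class of bug described here is generic: any service that writes attacker-controlled request data to a log without stripping control characters lets the attacker drive the terminal of whoever reads it. The example below is added for this roundup and is not Splunk's code; the endpoint path, header value and log format are constructed to illustrate the pattern, and no claim is made about how Splunk SOAR itself logs requests. It shows the vulnerable write beside a sanitised one, a regex that finds ANSI escape sequences in existing log lines, and a sanitiser that keeps the bytes visible but inert.

```python
import re
from typing import List

# CSI (ESC [ params final), OSC (ESC ] ... BEL or ESC \), and two-byte ESC sequences.
ANSI_RE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]"          # CSI: cursor movement, colours, clear screen
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"      # OSC: window title, OSC 8 clickable hyperlinks
    r"|[@-Z\\-_])"                          # two-byte sequences such as ESC c (full reset)
)
# Every C0 control character except LF, plus DEL; a single log line should contain none of them.
CTRL_RE = re.compile(r"[\x00-\x09\x0b-\x1f\x7f]")

# Constructed attacker-supplied User-Agent (not from a real incident). It clears the
# terminal, then renders a clickable link to a hypothetical attacker host.
MALICIOUS_UA = (
    "Mozilla/5.0 "
    "\x1b[2J\x1b[H"                                  # clear screen and home the cursor
    "\x1b]8;;https://evil.example/repair.sh\x07"     # OSC 8: start hyperlink
    "Support: open this link to repair the instance"
    "\x1b]8;;\x07"                                   # OSC 8: end hyperlink
)


def contains_ansi(line: str) -> bool:
    """True if the line carries an ANSI escape sequence a terminal would act on."""
    return ANSI_RE.search(line) is not None


def sanitize(value: str) -> str:
    """Replace each control character with its visible \\xNN form before it reaches a log."""
    return CTRL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_request_unsafe(log: List[str], method: str, path: str, user_agent: str) -> None:
    # Vulnerable pattern: attacker-controlled header written to the log verbatim.
    log.append(f"{method} {path} ua={user_agent}")


def log_request_safe(log: List[str], method: str, path: str, user_agent: str) -> None:
    # Hardened pattern: every request-derived field is sanitised first.
    log.append(f"{method} {sanitize(path)} ua={sanitize(user_agent)}")


def scan_log(lines: List[str]) -> List[int]:
    """Indexes of log lines that already contain escape sequences (for triage of existing logs)."""
    return [i for i, line in enumerate(lines) if contains_ansi(line)]


if __name__ == "__main__":
    unsafe, safe = [], []
    log_request_unsafe(unsafe, "GET", "/login", MALICIOUS_UA)   # hypothetical endpoint
    log_request_safe(safe, "GET", "/login", MALICIOUS_UA)
    print("poisoned lines in unsafe log:", scan_log(unsafe))
    print("poisoned lines in safe log:  ", scan_log(safe))
    print(safe[0])
```

Run scan_log over a copy of an existing log before opening it with cat, tail or less -r on a workstation; viewing it with less in its default mode, or piping it through cat -v, also neutralises the sequences because they are shown as caret notation instead of being interpreted.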
To mitigate this risk, Splunk advises users of Splunk SOAR to upgrade to the latest versions. By doing so, organisations can protect their systems from potential exploitation by threat actors.
It is crucial for users to take immediate action and apply the recommended updates to ensure the security and integrity of their Splunk SOAR instances.
Article link: https://cybersecuritynews.com/splunk-soar-log-injection/
Phishers exploit Salesforce’s email services zero-day in targeted Facebook campaign
Key takeaways:
- A targeted Facebook phishing campaign leveraged a zero-day flaw in Salesforce’s email services to send phishing emails from Salesforce’s own domain and infrastructure.
- The emails pose as Meta notifications but are sent from “@salesforce.com” addresses, and the phishing kit is hosted on Facebook’s own apps platform, so the message passes both sender and link checks.
The details:
A sophisticated Facebook phishing campaign has been discovered, exploiting a zero-day vulnerability in Salesforce’s email services. This flaw allows threat actors to create targeted phishing messages using Salesforce’s domain and infrastructure.
The phishing emails masquerade as coming from Meta (previously known as Facebook), but they are sent from email addresses on the “@salesforce.com” domain. The emails claim that the recipient’s Facebook account is under investigation for impersonation and urge them to click a link for further details.
Once users click on the link, they are directed to a rogue landing page designed to capture their account credentials and two-factor authentication (2FA) codes. The attack is notable because the phishing kit is hosted as a game under Facebook’s apps platform, using the domain apps.facebook[.]com. This tactic evades traditional anti-spam and anti-phishing measures as it includes legitimate links to Facebook and is sent from a valid email address associated with Salesforce.
Although Meta retired the Web Games feature in July 2020, support for legacy games still exists. The attackers circumvented Salesforce’s sender checks by configuring an Email-to-Case inbound routing address on the salesforce.com domain, and then using that address to pass verification of a salesforce.com sender identity.
Following responsible disclosure, Salesforce addressed the zero-day vulnerability on July 28, 2023, with new checks to prevent the use of email addresses from the @salesforce.com domain.
As phishing attacks continue to exploit legitimate services for malicious purposes, organisations must remain vigilant and implement robust security measures to protect against such threats. The prevalence of phishing campaigns highlights the need for ongoing efforts to strengthen email distribution infrastructure and security measures.
Article link: https://thehackernews.com/2023/08/phishers-exploit-salesforces-email.html
Russian cyber adversary linked to 94 new domains following recent disclosures
Key takeaways:
- Recorded Future identifies the Russia-linked adversary BlueCharlie, active since 2017, adapting with 94 new domains post-March 2023 to counter public disclosures.
- BlueCharlie, possibly linked to Russia’s FSB, conducts phishing campaigns impersonating various entities for credential theft, now using IT and cryptocurrency-related domain names.
- To counter this advanced threat, organisations are advised to enforce MFA, disable Microsoft Office macros, and maintain strong security practices.
The details:
Cybersecurity firm Recorded Future has linked a Russia-nexus adversary known as BlueCharlie to 94 new domains registered since March 2023. This suggests that the group is actively rebuilding its infrastructure in response to public disclosures about its activities, a deliberate effort to evade detection.
BlueCharlie, also referred to as Blue Callisto, Callisto, COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446, is believed to be affiliated with Russia’s Federal Security Service (FSB). The threat actor is known for conducting phishing campaigns aimed at credential theft, using domains that impersonate login pages of private sector companies, nuclear research labs, and NGOs involved in Ukraine crisis relief. The group has been active since at least 2017.
The latest findings show that BlueCharlie has adopted a new naming pattern for its domains, incorporating keywords related to information technology and cryptocurrency. The group conducts extensive reconnaissance to enhance the success of its attacks.
To defend against state-sponsored advanced persistent threat (APT) groups like BlueCharlie, organisations are advised to implement phishing-resistant multi-factor authentication (MFA), disable macros by default in Microsoft Office, and enforce a frequent password reset policy.
Recorded Future highlights that while the group employs common attack techniques such as phishing and open-source offensive security tools, its consistent use of these methods and its evolving tactics make it a formidable and capable threat actor.
Staying vigilant and implementing robust security measures is crucial for organisations to protect against such advanced threat actors.
Article link: https://thehackernews.com/2023/08/russian-cyber-adversary-bluecharlie.html