Advisory ID: NCC-CSIRT-150823-030
Summary: Researchers at Proofpoint have identified an EvilProxy phishing campaign that is focused on compromising Microsoft 365 user accounts on a global scale. This campaign involves the distribution of nearly 120,000 phishing emails to over 100 organizations worldwide. The primary objective is to gain control of the cloud accounts belonging to high-level executives, with the aim of executing more advanced attacks within the organization's internal systems.
Threat Type(s): Phishing
Impact/Vulnerability: CRITICAL/MEDIUM
Product(s): Microsoft 365
Platform(s): EvilProxy phishing-as-a-service platform
Version(s): All Versions
Description: Based on the researchers' discoveries, the attackers behind this campaign are leveraging an EvilProxy phishing strategy. EvilProxy operates as a phishing-as-a-service platform, utilizing reverse proxies to facilitate the exchange of authentication requests and user credentials between the targeted user and the authentic service website. Despite the commonly recommended use of multi-factor authentication (MFA) as a defense against phishing, tools like EvilProxy and similar reverse-proxy techniques are simplifying the efforts of malicious actors to bypass this security measure.
The malicious actors employ the EvilProxy service to dispatch deceptive emails that mimic reputable brands like Adobe, DocuSign, and Concur. Clicking on the embedded link guides the recipient through a sequence of open redirections via platforms like YouTube or SlickDeals, followed by subsequent redirections aimed at reducing the likelihood of detection and analysis. Ultimately, the victim arrives at an EvilProxy phishing page, which functions as a reverse proxy for the Microsoft 365 login page. This page is designed to mimic the organization's theme, lending an air of authenticity to the victim's experience.
To evade automated scanning tools, the attackers utilize specialized encoding for user email addresses. Compromised legitimate websites are exploited to upload PHP code, facilitating the decoding of the targeted user's email address. Once decoded, the user is directed to the final website, which hosts the tailored phishing page meticulously crafted for the specific target organization.
Consequences: The phishing emails often imitate reputable and trusted services or applications while employing scan-blocking techniques to evade detection by a wide range of security tools.
Solution: Organizations can defend against this threat through the following ways:
- User Awareness: Educate users about the associated risks when utilizing Microsoft 365.
- Email Protection: Block and monitor malicious email threats directed at users.
- Cloud Protection: Utilize cloud security mechanisms with the following functionalities:
- Detecting occurrences of account takeover (ATO) and unauthorized access to sensitive resources within the cloud environment.
- Ensuring accurate and timely detection of both the initial account breach and subsequent unauthorized activities, including the monitoring of service and application misuse.
- Incorporating automated remediation capabilities to reduce the duration of attacker presence in the system and mitigate potential harm.
- Web Security: Isolate potentially harmful sessions initiated via links embedded in email messages.
- FIDO: Consider adopting “Fast Identity Online” (FIDO) based physical security keys. FIDO is a technical standard designed for authenticating online user identities. It is applicable in various scenarios like fingerprint and two-factor login. This enables users to utilize biometric features or a FIDO security key for logging into their online accounts.
References:
https://www.bleepingcomputer.com/news/security/evilproxy-phishing-campaign-targets-120-000-microsoft-365-users/
https://www.infosecurity-magazine.com/news/evilproxy-campaign-120000-phishing/
https://www.darkreading.com/cloud/evilproxy-cyberattack-flood-execs-microsoft-365
https://www.proofpoint.com/uk/blog/email-and-cloud-threats/cloud-account-takeover-campaign-leveraging-evilproxy-targets-top-level
https://www.darkreading.com/threat-intelligence/downfall-bug-billions-intel-cpus-design-flaw
Advisory ID: ngCERT-2023-0034
Summary: Cyber threat actors are focusing their efforts on Android users through a technique referred to as "versioning." This involves evading the malware checks of the Google Play Store by introducing a clean version of the app during the initial security validation. Subsequently, after the app passes the initial checks and is made available on the Play Store, these actors later inject the app with malicious code through updates.
Threat Type(s): Malware
Damage/Probability: CRITICAL/HIGH
Description: The method of versioning operates through the mechanism of dynamic code loading. In this strategy, a threat actor sends an update to the app, integrating it with malicious code. This update originates from a server that the threat actor controls. Consequently, the app is transformed into a concealed entry point, allowing unauthorized access to the device. Noteworthy examples of such apps include "iRecorder - Screen Recorder" and “SharkBot,” which camouflage themselves as legitimate applications while concealing detrimental components within.
Further investigation revealed a pattern wherein threat actors maintain multiple apps on the Play Store, each tied to distinct developer accounts. Of these apps, only one is activated with its malicious code at any given time. In the event that this app is identified and removed, the threat actors proceed to activate another app from their arsenal. This maneuver ensures a continuous cycle of deceptive apps used for malicious purposes.
Consequences: The "versioning" technique in malicious Android apps, using dynamic code loading, can lead to severe consequences. These include unauthorized access, data theft, device compromise, malware spread, financial loss, privacy violations, reputation damage, resource exploitation, delayed detection, erosion of trust, regulatory implications, and increased security awareness.
Solution: The following precautions should be heeded:
- Only utilize trusted app sources like the Google Play Store.
- Enable Google Play Protect to receive alerts about potentially harmful apps.
- In enterprise settings, limit app sources and use mobile device management for added security.
- Exercise caution when downloading apps.
- Keep mobile devices updated.
- Only install reliable security software, and be mindful of the permissions requested by apps.
- Developers should follow secure coding practices, conduct regular security audits, and employ app vetting mechanisms to prevent malicious code injection.
References:
https://thehackernews.com/2023/08/malicious-apps-use-sneaky-versioning.html
https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf
https://krebsonsecurity.com/2023/08/how-malicious-android-apps-slip-into-disguise/
Advisory ID: ngCERT-2023-0031
Summary: The Kenyan government, via the Ministry of Interior, claimed that some of the country's online infrastructure had been struck by a wave of Distributed Denial of Service (DDoS) attacks, rendering the country's online platforms unreachable. The attack began on 23 July 2023, barely four weeks after President Ruto released thousands of government services on the e-Citizen platform in an effort to boost efficiency and reduce corruption. This platform hosts services such as passport applications and renewals, e-visa issuance, driver's licences, identification cards, and national health records. Kenya's well-known mobile payment system, M-Pesa, as well as the National Transport and Safety Authority (NTSA), Kenya Power and Lighting Company (KPLC), and Kenya Railways, have all been impacted. Anonymous Sudan has claimed responsibility for the attacks.
Threat Type(s): DDoS
Damage/Probability: CRITICAL/HIGH
Description: A Distributed Denial of Service (DDoS) assault is intended to disrupt service. This is accomplished by employing many computers to flood a targeted system's bandwidth or resources (such as a web server) with traffic. By overloading the targeted system, it will either crash or fail to function properly. The online platform attack included several efforts to overload the systems with unusual requests with the goal of clogging the system. Anonymous Sudan, a group with apparent ties to Russia, claims responsibility for the strikes due to Kenya's intervention in Sudan's domestic affairs. The group stated that it was aiming for other government digital services.
Consequences: In an increasingly digitalised society, when digital public services become abruptly unavailable, the result can be direct and indirect economic and financial losses, as well as physical danger in some circumstances. The following are some of the consequences of the recent attacks:
- The outage of M-Pesa services paralyzed operations across many sectors, including the government's ability to collect revenue.
- Disruption of the country's e-visa issuance resulted in visas being issued on arrival to all travellers, in what appears to be a temporary visa-on-arrival program adopted because of the attack on the e-Citizen platform.
- The outage at the Kenya Power and Lighting Company (KPLC) left thousands of prepaid utility customers stranded and unable to purchase tokens via its online platform and USSD code.
- Standard Chartered Bank Kenya was among the banks whose digital banking systems were affected.
- Kenya Railways train services were disrupted; the company announced that a network outage at its service provider affected the purchase of tickets.
- The National Transport and Safety Authority (NTSA) also issued a statement indicating that its services had been attacked, preventing Kenyan residents from applying and paying for driving licences, among other services.
- Media websites were also attacked, including that of The Standard Group, Kenya's oldest newspaper, as well as the website of the government-owned Kenya News Agency.
- Ten (10) university websites were hit, including the University of Nairobi.
- Seven (7) hospitals were also targeted.
Solution: Here are some countermeasures that can be implemented to prevent a DDoS attack:
- Create a DDoS Response Plan.
- Implement robust network security with network segmentation, firewalls, IDSs, anti-malware solutions and web security tools.
- Have server redundancy.
- Monitor network traffic and be on the lookout for warning signs.
- Limit network broadcasting.
- If possible, outsource DDoS prevention by migrating to the cloud.
References:
https://www.bbc.com/news/world-africa-66337573
https://techmonitor.ai/technology/cybersecurity/anonymous-sudan-kenya-ddos-cyberattack-ecitizen
Advisory ID: NCC-CSIRT-200723-028
Summary: In three months' time, on October 10, 2023, Microsoft will discontinue support for Windows 11, version 21H2. This includes the Home and Pro editions of Windows 11 21H2 that were released in October 2021. Consequently, after the end-of-service (EOS) date, devices running Windows 11 21H2 with the aforementioned editions will no longer receive security updates and monthly quality updates containing fixes and patches for newly identified vulnerabilities and security concerns.
Threat Type(s): Vulnerability
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Windows 11
Platform(s): Windows Operating System
Version(s): Windows 11 21H2 for Home, Pro, Pro Education, and Pro for Workstations editions released in October 2021.
Description: On October 10, 2023, the support for Windows 11 21H2 Home and Pro editions, which were released in October 2021, will come to an end. Once the end of service (EOS) date is reached, devices running these editions of Windows 11 21H2 will no longer receive important security and quality updates that provide bug fixes and patches to address newly identified security vulnerabilities. It is therefore advised to avoid using such an operating system, particularly for sensitive functions, as it may become more vulnerable to potential risks and threats.
Consequences: An operating system that lacks support for patches and security updates is susceptible to attacks, as any underlying vulnerabilities that may exist will remain unaddressed.
Solution: For those who are still using Windows 11 Home and Pro version 21H2, it is recommended to take the following mitigation measures into consideration:
- Upgrade to the latest version of Windows 11.
- Users should consult the Windows Lifecycle FAQ and utilize the Lifecycle Policy search tool to obtain additional information about the specific end-of-service dates for Windows.
References:
https://learn.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2022
https://learn.microsoft.com/en-us/lifecycle/faq/windows
https://learn.microsoft.com/en-us/lifecycle/products/?terms=windows
Advisory ID: NCC-CSIRT-180723-027
Summary: Numerous vulnerabilities have been detected in the Google Chrome browser. These vulnerabilities could be exploited by a remote attacker who convinces a user to visit a specifically designed web page with malicious intent.
Threat Type(s): Vulnerability
Impact/Probability: CRITICAL/HIGH
Product(s): Google Chrome Browser
Vulnerable Platform(s): Google Chrome Browser
Version(s):
- Google Chrome prior to 114.0.5735.198/199 (Windows)
- Google Chrome prior to 114.0.5735.198 (Linux)
- Google Chrome prior to 114.0.5735.198 (Mac)
Description: The vulnerabilities include the following:
- Type Confusion in V8 in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- Use after free in Media in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- Use after free in Guest View in Google Chrome prior to 114.0.5735.198 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
Successful exploitation of the vulnerabilities by hackers could allow for remote code execution, denial of service and data manipulation on the compromised system.
Consequences: Attackers could exploit these vulnerabilities to trigger remote code execution, denial of service and data manipulation on the compromised system.
Solution:
- Before installation of the Google Chrome software, please visit the software vendor website for more details.
- Update to version 114.0.5735.198/199 (Windows) or later.
- Update to version 114.0.5735.198 (Linux) or later.
- Update to version 114.0.5735.198 (Mac) or later.
References:
https://www.hkcert.org/security-bulletin/google-chrome-multiple-vulnerabilities_20230627
https://chromereleases.googleblog.com/
https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_26.html