The campaign attacked healthcare, government, and education organizations, hitting around 150 victims, according to Abnormal Security. The attackers aim to gain access to corporate mail accounts, either to send phishing emails to further victims inside the company or to launch financially motivated schemes such as business email compromise (BEC), in which payments are diverted directly to the attackers' accounts.
Microsoft's Active Directory Federation Services (ADFS) is an authentication mechanism that lets users log in once and access multiple applications and services without re-entering their credentials each time.
ADFS is generally used by large businesses, as it offers single sign-on (SSO) for both internal and cloud-based applications.
The threat actors send emails that spoof the victim's company IT team, asking recipients to sign in to update their security configuration or accept the latest policies.
When victims click the embedded button, they are taken to a phishing site that looks identical to their company's genuine ADFS sign-in page. The fake page then asks the victim to enter their username, password, and MFA code, or tricks them into approving a push notification.
Abnormal's report states: "The phishing templates also include forms designed to capture the specific second factor required to authenticate the target's account, based on the organization's configured MFA settings." Additionally, "Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification."
After the victim submits all the information, they are redirected to the real sign-in page to avoid suspicion and make the process look legitimate.
Meanwhile, the threat actors immediately use the stolen credentials to sign into the victim's account, steal sensitive data, create new email filter rules, and attempt lateral phishing.
According to Abnormal, the threat actors used Private Internet Access VPN to hide their location and obtain an IP address geographically closer to the targeted organization.
At least one malicious email bypasses Secure Email Gateways (SEGs) such as Proofpoint and Microsoft every 45 seconds, a significant rise from last year's rate of one every 57 seconds, according to Cofense Intelligence's third-quarter report.
The report also notes a sudden increase in the use of remote access Trojans (RATs), which give attackers unauthorized access to the target's system and open the door to further abuse, theft, and data exploitation.
Remcos RAT, a frequently used tool among hackers, is a key factor contributing to the surge in RAT attacks. It allows the attacker to remotely manipulate infected systems, exfiltrate data, deploy other malware, and obtain persistent access to vulnerable networks.
According to the data, the use of open redirects in phishing attempts has increased by 627%. These attacks use legitimate website functionality to redirect users to malicious URLs, frequently disguised as well-known and reputable domains.
TikTok and Google AMP are frequently abused to carry out these attacks, because their worldwide reach and widespread use lend the redirecting links credibility with unsuspecting users.
The use of malicious Office documents, particularly those in .docx format, increased by roughly 600%. These documents frequently contain phishing links or QR codes that lead recipients to malicious websites.
Microsoft Office documents are an important attack vector because of their extensive use in business, making them well suited to spear-phishing operations against enterprises.
Furthermore, there has been a substantial shift in data exfiltration strategies, with a rise in the use of the .ru and .su top-level domains (TLDs). Domains with the .ru (Russia) and .su (Soviet Union) extensions saw usage spikes of more than fourfold and twelvefold, respectively, indicating that cybercriminals are turning to less common, geographically associated domains to evade detection and make it harder for victims and security teams to track data theft.
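The open-redirect pattern described above, as an added detection example that is not part of the original report: a heuristic that flags a URL on a trusted host whose redirect parameter or AMP cache path points at a different domain. The parameter list, the sample URLs and the two-label domain comparison are constructed assumptions; the Google AMP cache path form `/amp/s/<host>/` is assumed from its documented format.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Query parameters that commonly carry a redirect destination (constructed list, an assumption).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "redir", "next", "return",
                   "returnurl", "goto", "target", "dest", "u"}

def _extract_host(value):
    """Return the hostname inside a parameter value if it is an absolute URL, else None."""
    v = unquote(value).strip()
    if not v.lower().startswith(("http://", "https://", "//")):
        return None  # relative paths stay on the same site and are not flagged
    if v.startswith("//"):
        v = "https:" + v
    return (urlparse(v).hostname or "").lower() or None

def _registered_part(host):
    # Crude two-label comparison (assumption: no public-suffix list available offline).
    return ".".join(host.split(".")[-2:])

def open_redirect_destination(url):
    """If `url` redirects through a trusted host to a different domain, return that domain; else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not host:
        return None
    # Google AMP cache form: https://www.google.com/amp/s/<dest-host>/<path>
    if host.endswith("google.com") and p.path.startswith("/amp/s/"):
        dest = p.path[len("/amp/s/"):].split("/", 1)[0].lower()
        if dest and _registered_part(dest) != _registered_part(host):
            return dest
    # Generic redirector form: ?url=https://other.example/...
    for name, values in parse_qs(p.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for v in values:
            dest = _extract_host(v)
            if dest and _registered_part(dest) != _registered_part(host):
                return dest
    return None

# Constructed sample URLs of the shape described above (no real campaign indicators).
SAMPLES = [
    "https://www.google.com/amp/s/login-update.example/verify",
    "https://www.tiktok.com/redirect?url=https%3A%2F%2Fpayroll-portal.example%2Fsso",
    "https://www.google.com/amp/s/www.google.com/search",
    "https://intranet.example/page?next=/home",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(open_redirect_destination(s), "<-", s)
```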
Cybercriminals have recently targeted the Dubai Police in an elaborate impersonation scam aimed at defrauding unsuspecting individuals in the UAE. Thousands of phishing text messages, pretending to be from law enforcement, were sent to trick recipients into clicking on malicious links. These links redirected victims to fake websites designed to steal sensitive information, including bank details and personal identification.
According to researchers at BforeAI, these campaigns employ official branding to appear legitimate, showcasing a calculated level of sophistication. While specifically targeting UAE residents, the campaign adopts a broad “spray-and-pray” phishing approach. It leverages fear and trust in law enforcement — a psychological factor especially potent in a country like the UAE, where respect for authority is deeply ingrained.
Abu Qureshi, a threat intelligence expert at BforeAI, emphasized how cybercriminals misuse Dubai Police branding to deceive victims. This tactic highlights an advanced understanding of social engineering, combining fear and the appearance of credibility. UAE citizens with limited awareness of digital threats are particularly susceptible to such scams, mistaking fraudulent communication for genuine correspondence.
The increase in cybercrime campaigns across the UAE and the Middle East mirrors global trends in cybercriminal activity. A report by Kaspersky revealed that 87% of UAE-based companies have encountered cyber incidents in the past two years. Several factors contribute to the UAE being an attractive target for cybercriminals:
Financially motivated campaigns often focus on wealthy regions or individuals, while geopolitical dynamics and economic factors play a role in the increasing cyber threats in the region.
In the Dubai Police impersonation scam, attackers used automated domain generation algorithms (DGA) and bulk domain registration techniques to host malicious web pages. These domains, typically short-lived, make detection challenging. Investigations by BforeAI traced many of these domains to Tencent servers in Singapore.
Although Singapore is known for its strong cybersecurity measures, its status as a global tech hub makes it a prime location for cybercriminals to exploit legitimate platforms. Tencent, a China-based firm with a significant presence in Singapore, has faced scrutiny for its servers being previously linked to malicious activity.
To combat threats like the Dubai Police impersonation scam, organizations and individuals must adopt proactive cybersecurity measures:
Enhancing vigilance and implementing robust incident response plans can significantly mitigate risks. Additionally, cross-border cooperation and threat intelligence sharing are essential to address the globalized nature of cybercrime effectively.
Traditional malware distribution relies on malicious downloads, compromised websites, and phishing emails. The new method instead uses email auto-replies: experts from F.A.C.C.T explained that the technique was used to deliver the XMRig crypto-miner to employees of Russian tech companies, insurance firms, financial businesses, and retail marketplaces. Earlier this year the experts found 150 emails carrying XMRig.
Dmitry Eremenko, senior analyst at F.A.C.C.T, said: "This method of malware delivery is dangerous because the potential victim initiates communication first. This is the main difference from traditional mass mailings, where the recipient often receives an irrelevant email and ignores it."
Although the auto-reply emails did not look convincing, they did not raise suspicion. To avoid detection, the attackers attached a scan of a real invoice for equipment payment that did not match the email's subject. This means that both companies and individual users who correspond with a breached mailbox can become targets.
XMRig is open-source cryptocurrency mining software mainly used to mine Monero (XMR). Cybercriminals keep finding new ways to deliver XMRig to target devices; in one earlier campaign, for instance, attackers used a pirated version of Final Cut Pro (video editing software) to deploy the miner on Apple computers.
F.A.C.C.T has no information about who is behind the attack or how successful it was. Experts believe the compromised email accounts had previously had their credentials leaked on the darknet. The compromised accounts belonged to construction companies, a furniture factory, a farm, and small trading firms.
To stay safe, the report suggests: "do not save passwords in browsers, install unlicensed software, because it may contain stealers, do not follow dubious links in the mail and do not enter your data on dubious sites (phishing)."
RansomHub is a relatively new player in the ransomware scene, but it has quickly made a name for itself with its advanced techniques and targeted attacks. Unlike traditional ransomware groups that rely on brute force methods or simple phishing campaigns, RansomHub employs a more nuanced strategy. By using legitimate software tools in unexpected ways, they can evade detection and maximize the impact of their attacks.
Kaspersky’s TDSSKiller is a well-known tool in the cybersecurity community, designed to detect and remove rootkits from infected systems. Rootkits are a type of malware that can hide the presence of other malicious software, making them particularly dangerous. TDSSKiller is widely trusted and used by security professionals to clean compromised systems.
However, RansomHub has found a way to exploit this tool for malicious purposes. By incorporating TDSSKiller into their attack chain, they can disable EDR software that would otherwise detect and block their ransomware. This tactic is particularly insidious because it uses a trusted tool to carry out malicious actions, making it harder for security teams to identify and respond to the threat.
RansomHub’s attack chain typically begins with a phishing email or a compromised website that delivers the initial payload. Once the ransomware is on the target system, it uses a variety of techniques to escalate privileges and gain control over the machine. This is where TDSSKiller comes into play.
By running TDSSKiller, the ransomware can disable EDR software and other security measures that would normally detect and block the attack. With these defenses out of the way, RansomHub can then proceed to encrypt the victim’s files and demand a ransom for their release. In some cases, they also use a credential-harvesting tool called LaZagne to extract sensitive information, further increasing the pressure on the victim to pay the ransom.
The use of legitimate tools like TDSSKiller in ransomware attacks highlights a significant challenge for the cybersecurity community. Traditional security measures are often designed to detect and block known malware and suspicious behavior. However, when attackers use trusted tools unexpectedly, these measures can be less effective.
This tactic also underscores the importance of a multi-layered approach to cybersecurity. Relying solely on EDR software or other endpoint protection measures is no longer sufficient. Organizations must implement a comprehensive security strategy that includes network monitoring, threat intelligence, and user education to detect and respond to these advanced threats.
The top trend in the report is the rise in campaigns involving Chrome extensions. The extensions, often disguised as genuine tools, are built to compromise users' browsers and perform a range of malicious activities. Once installed, they let threat actors steal login credentials, take screenshots, and inject malicious scripts into web pages. The report stresses that these extensions are especially dangerous because they can evade traditional security checks and stay hidden for long periods.
The report also sheds light on the activities of the cybercriminal group known as CyberCartel. The group has been linked to several high-profile attacks on financial organizations and government officials in LATAM. CyberCartel operates under a Malware-as-a-Service (MaaS) model, offering other threat actors the tools and infrastructure needed to launch sophisticated attacks. This has given less skilled cybercriminals access to capable tooling and contributed to the frequency and severity of attacks.
CyberCartel's main targets are high-profile entities such as government offices and financial institutions. These organizations are lucrative targets because of the sensitive information they handle and the potential financial gain for threat actors. The report describes several incidents in which CyberCartel successfully breached such organizations, causing reputational and financial damage. The group's ability to adapt and develop its techniques makes it a dangerous adversary for cybersecurity experts.
One sophisticated technique is using social engineering to fool users into installing malicious software. Cybercriminals craft believable phishing emails and fake websites that impersonate genuine institutions; once users are tricked into handing over their credentials, the attackers access their accounts and initiate fraudulent transactions.
Another sophisticated technique is using polymorphic malware, infamous for changing its code to escape detection by antivirus software. This kind of malware is difficult to address as it requires consistent updates to security systems to keep up with changing threat scenarios.
The campaigns involve exploiting cloud storage platforms such as Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage. Unnamed threat actors are behind these campaigns. Their primary goal is to redirect users to malicious websites using SMS messages.
Bypassing network firewalls: they want scam text messages to reach mobile handsets without being blocked by network firewalls.
Building trust: they aim to convince end users that the messages or links they receive are legitimate. By using cloud storage platforms to host static websites with embedded spam URLs, attackers make their messages appear authentic while avoiding typical security safeguards.
Cloud storage services enable enterprises to store and manage files and host static websites by storing website components in storage buckets. Cybercriminals have used this capacity to inject spam URLs into static websites hosted on these platforms.
They send URLs pointing at these cloud storage sites by SMS, which frequently bypasses firewall restrictions because well-known cloud domains appear trustworthy. Users who click on these links are unknowingly sent to dangerous websites.
For example, attackers used the Google Cloud Storage domain "storage.googleapis.com" to generate URLs that lead to spam sites. The static web page hosted in a Google Cloud bucket uses an HTML meta-refresh to redirect visitors to fraud sites immediately. This lets fraudsters steer users to fraudulent websites that often imitate real offerings, such as gift card promotions, in order to harvest personal and financial information.
Enea has also observed similar approaches on other cloud storage platforms, including Amazon Web Services (AWS) and IBM Cloud, where URLs in SMS messages redirect to static websites hosting spam.
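The bucket-hosted meta-refresh redirect described above, as an added detection example that is not part of Enea's report: given the URL of a page on a cloud storage domain and its HTML, it reports the off-host destination of any immediate meta-refresh. The host suffixes beyond storage.googleapis.com and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts to scrutinise: storage.googleapis.com is named above; the S3 suffix is an assumption.
BUCKET_HOSTS = ("storage.googleapis.com", ".s3.amazonaws.com")

class _MetaRefreshParser(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> tag in a page."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases names already
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=https://example.test/" (delay, then destination)
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1))

def is_bucket_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith(h) for h in BUCKET_HOSTS)

def meta_refresh_redirects(html):
    p = _MetaRefreshParser()
    p.feed(html)
    return p.targets

def flag_bucket_redirect(page_url, html):
    """Return the off-host redirect target if a bucket-hosted page forwards elsewhere, else None."""
    if not is_bucket_host(page_url):
        return None
    page_host = urlparse(page_url).hostname.lower()
    for target in meta_refresh_redirects(html):
        t_host = (urlparse(target).hostname or "").lower()
        if t_host and t_host != page_host:
            return target
    return None

# Constructed sample: a redirect-only page of the kind described above (no real indicator).
SAMPLE_URL = "https://storage.googleapis.com/example-bucket/index.html"
SAMPLE_HTML = """<html><head>
<meta http-equiv="Refresh" content="0; URL=https://giftcard-promo.example/claim">
</head><body></body></html>"""
```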
To protect against such risks, Enea advised monitoring traffic activity, checking URLs, and being cautious of unexpected communications including links.