Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label SEKOIA. Show all posts

Mamba 2FA Emerges as a New Threat in Phishing Landscape

 

In the ever-changing landscape of phishing attacks, a new threat has emerged: Mamba 2FA. Discovered in late May 2024 by the Threat Detection & Research (TDR) team at Sekoia, this adversary-in-the-middle (AiTM) phishing kit specifically targets multi-factor authentication (MFA) systems. Mamba 2FA has rapidly gained popularity in the phishing-as-a-service (PhaaS) market, facilitating attackers in circumventing non-phishing-resistant MFA methods such as one-time passwords and app notifications.

Initially detected during a phishing campaign that imitated Microsoft 365 login pages, Mamba 2FA functions by relaying MFA credentials through phishing sites, utilizing the Socket.IO JavaScript library to communicate with a backend server. According to Sekoia's report, “At first, these characteristics appeared similar to the Tycoon 2FA phishing-as-a-service platform, but a closer examination revealed that the campaign utilized a previously unknown AiTM phishing kit tracked by Sekoia as Mamba 2FA.” 

The infrastructure of Mamba 2FA has been observed targeting Entra ID, third-party single sign-on providers, and consumer Microsoft accounts, with stolen credentials transmitted directly to attackers via Telegram for near-instant access to compromised accounts.

A notable feature of Mamba 2FA is its capacity to adapt to its targets dynamically. For instance, in cases involving enterprise accounts, the phishing page can mirror an organization’s specific branding, including logos and background images, enhancing the believability of the attack. The report noted, “For enterprise accounts, it dynamically reflects the organization’s custom login page branding.”

Mamba 2FA goes beyond simple MFA interception, handling various MFA methods and updating the phishing page based on user interactions. This flexibility makes it an appealing tool for cybercriminals aiming to exploit even the most advanced MFA implementations.

Available on Telegram for $250 per month, Mamba 2FA is accessible to a broad range of attackers. Users can generate phishing links and HTML attachments on demand, with the infrastructure shared among multiple users. Since its active promotion began in March 2024, the kit's ongoing development highlights a persistent threat in the cybersecurity landscape.

Research from Sekoia underscores the kit’s rapid evolution: “The phishing kit and its associated infrastructure have undergone several significant updates.” With its relay servers hosted on commercial proxy services, Mamba 2FA effectively conceals its true infrastructure, thereby minimizing the likelihood of detection.

Sekoia Reports: Latest in the Financial Sector Cyber Threat Landscape


France-based cybersecurity company Sekoia published a new report regarding the evolution in the financial sector threat landscape. 

Among the many cybersecurity issues, phishing attacks like QR code phishing were the ones that have seen a massive surge in the sector.

Also, the report noted that the finance sector is subject to attacks on the software supply chain. 

Phishing as a Service Massively Hits the Sector

Sekoia claims that in 2023, the phishing-as-a-service paradigm reached widespread use. Cybercriminals are selling phishing kits that comprise phishing pages that mimic various financial institutions, as well as kits designed to take over Microsoft and obtain login credentials for Microsoft 365, which businesses utilize to authenticate to multiple services.

One instance of such a threat is NakedPages PhaaS, that offers phishing pages for varied targets, among which are the financial institutions. With over 3,500 individuals, the threat actor maintains licenses and frequently posts updates on its Telegram channel.

In regards to the aforementioned number, Sekoia based strategic threat intelligence analyst, Livia Tibirna says “generally speaking, cybercrime actors tend to increase their audience, and so their visibility, by inviting users to join their public resources. Therefore, the users are potential (future) customers of the threat actors’ services. Yet, other type of users joining threat actors’ Telegram resources are cybersecurity experts monitoring the related threats.”

QR Code Phishing Campaigns are on the Rise/ Sekoia reports an upsurge in the quantity of QR code phishing, or quishing, activities. Attacks known as "quishing" include using QR codes to trick people into divulging personal information—like login passwords or bank account details.

The cybersecurity firm notes that QR code phishing will eventually increase due to its “effectiveness in evading detection and circumventing email protection solutions.”

According to Sekoia, the most popular kit in Q3 of 2023 is the Dadsec OTT phishing as a service platform, which includes quishing features. It has been noted in a number of extensive attack campaigns, specifically posing as financial institutions.

Multiple Supply Chain Risks

Attacks against the supply chain of open-source software increased by 200% between 2022 and 2023. Since open-source components are used in digital products or services by 94% of firms in the financial sector, the industry is susceptible to attacks that take advantage of supply chain compromises involving open-source software.

One of the examples is the Log4Shell vulnerability and its exploitation, that has targeted thousands of companies globally for financial benefits and espionage. 

There have also been reports of supply chain attacks that particularly target the banking industry, demonstrating the potential of certain threat actors to create complex attacks against the industry.

"It is highly likely that advanced threat actors will persist in explicitly targeting the software supply chain in the banking sector," according to Sekoia.

Financially Oriented Malware 

Sekoia also mentioned some of the financially oriented malware that are predominantly designed to steal financial data, like credit card information, banking credentials, crypto wallets and other critical data, like: 

Mobile Banking Trojans: Sekoia has expressed special concern about the growing number of Trojans associated with mobile banking, which more than doubled in 2022 compared to the previous year and is still growing in 2023. According to Sekoia, this is probably because more mobile devices are being used for financial services, and that malware makes it easier to get around two-factor authentication.

Spyware: According to Sekoia, the usage of spyware, which are malicious programs made to gather passwords, sensitive data, and keystrokes, has increased in bank fraud in 2023. One kind of Android malware is called SpyNote, and it has added targeting of banking applications to its list of features.

Ransomware: The finance industry is a prime target for ransomware; in the third quarter of 2023, it was the sector most affected. Ransom demands ranged from $180,000 to $40 million, and in many instances, they had severe physical repercussions.

According to Sekoia, well-known ransomware actors that use extortion to affect the financial industry, like BianLian, have changed to an exfiltration-based extortion strategy that does not encrypt the victims' systems or data. This action is probably taken to prevent widespread encryption issues during large-scale hacking operations.

Reduce Cyber Threat Risks

The financial sector is vulnerable to several security risks. Although BEC and phishing have been around for a while, they have become more sophisticated over time to continue to impact the industry and stay up with emerging technologies. Every employee of financial institutions needs to be trained to recognize potential fraud or phishing efforts. Additionally, they want to have a simple method for informing their IT staff of any unusual activities.

However, more indirect attacks have recently entered the chart, since threat actors have been targeting organizations through supply chain attacks. Specifically, before being implemented, open-source software utilized in goods or services needs to be thoroughly examined.  

Dark Web Malware Steals Your Data

 


As the dark web seeks new customers and victims, it appears that updated versions of information-stealing malware have made their way onto it and are now circulating the dark web. 

There have been reports from cybersecurity researchers from SEKOIA that they have found content promoting a new information stealer called Stealc on several underground forums and Telegram channels. 

Unlike some other info stealers, Stealc is not built from the ground up. Instead, it is an enhanced version of others, such as Vidar, Racoon, Mars, and Redline Stealer, which are popular information stealers. In January 2023, a report of the phenomenon was first noticed, but in February 2023, it gained more attention. 

It has been reported that Stealc was developed by a threat actor called Plymouth who is trying to advertise it as an attack against the country. There appears to be a new patch or update added somewhere between once a week and once a month, and it is currently at version 1.3.0.  Several new features have been added to the website, including a randomizer for C2 URLs, and a system that allows logging searches and sorts to be improved. 

There was also a report that the Ukrainian government spared the lives of those affected by Stealc. 

The SEKOIA team was able to analyze a sample of the info stealer in more depth and discovered that it uses legitimate third-party DLLs, is written in C, exploits Windows API functions to achieve its goals, is lightweight (only 80KB), uses RC4 and base64 to obfuscate most of its strings, and automatically exfiltrates stolen files (the threat actor need not do anything to do anything). 

It was also found that Stealc was capable of stealing data from 22 web browsers, 75 plugins, and 25 desktop wallets, which was also confirmed by SEKOIA.  

Plymouth was also busily deploying it to target devices to advertise it on the dark web as well as distributing it. To do so, they create fake YouTube tutorials as well as employ other ways to make it appear like they know how to crack software. The description of the exploit also provides a link that, in place of executing the advertised crack, instead launches the info stealer in place. That's very helpful since it prevents the use of the crack itself. 

The researchers have already discovered more than 40 C2 servers, thus leading them to conclude that Stealc is gaining quite a bit of popularity in the online world. 

They speculate that the popularity of stealer samples may be because crooks that can access the admin panel can easily generate new stealer samples, therefore allowing the range of stealer samples to extend.  SEKOIA believes that Stealc is quite popular since it is suitable for a wide range of hackers, including low-level hackers.