
'Tycoon' Malware Kit Bypasses Microsoft and Google Multifactor Authentication


An emerging phishing kit called "Tycoon 2FA" is gaining widespread use among threat actors, who are employing it to target Microsoft 365 and Gmail accounts. The kit, documented by researchers at Sekoia, has been active since at least August 2023 and was updated as recently as last month to improve its evasion of multifactor authentication (MFA) and of security products.

According to the researchers, Tycoon 2FA is used in a large number of phishing campaigns, primarily aimed at harvesting Microsoft 365 session cookies so that attackers can bypass MFA during subsequent logins. The platform amassed more than 1,100 domain names between October 2023 and late February 2024, and it is distributed through Telegram channels under handles such as Tycoon Group, SaaadFridi, and Mr_XaaD.

Operating as a phishing-as-a-service (PhaaS) platform, Tycoon 2FA offers ready-made phishing pages for Microsoft 365 and Gmail accounts, along with attachment templates, starting at $120 for 10 days, with prices varying based on the domain extension. Transactions are conducted via Bitcoin wallets managed by the "Saad Tycoon Group," suspected to be the operator and developer of Tycoon 2FA, with over 1,800 recorded transactions as of mid-March.

Tycoon 2FA relies on an adversary-in-the-middle (AitM) technique: the phishing page is served by a reverse proxy that sits between the victim and the legitimate login service. Whatever the victim types, including the password and the one-time MFA code, is relayed to the real service in real time, and the session cookie the service issues on success is captured. Because that cookie authenticates the browser session directly, the attacker can reuse it without completing MFA again, and it remains usable even if the victim later changes the password, until the session itself is revoked.

MFA raises the bar considerably, but AitM kits such as Tycoon 2FA show that one-time codes and push approvals can be relayed to the real service just as passwords can. The kit's ease of use and relatively low cost make it attractive to threat actors, and its evasion features are designed to keep the phishing pages away from security products and automated analysis.

Sekoia researchers outlined a six-stage process used by Tycoon 2FA to execute phishing attacks, including URL redirections, Cloudflare Turnstile challenges (which filter out automated scanners before the phishing content is served), JavaScript execution, and the presentation of fake authentication pages to victims.

The emergence of Tycoon 2FA underscores the evolving landscape of phishing attacks, and it challenges the effectiveness of MFA methods that rely on a code or approval the user can be tricked into supplying (SMS and app-generated one-time codes, push notifications). Security experts point out that phishing-resistant MFA, such as security keys implementing the WebAuthn/FIDO2 standards, does not share this weakness: the credential is bound to the web origin, so a key will not produce a valid assertion for a look-alike domain, and there is no code for a proxy to relay.
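The following simulation is an added example, not code from Sekoia's report or from the original post. It shows why a reverse proxy like Tycoon 2FA can relay a one-time code but not a WebAuthn assertion. The browser, not the phishing page, writes the page origin into clientDataJSON and refuses an rpId that is not a suffix of that origin; the authenticator signs authenticatorData together with the hash of clientDataJSON; and the relying party (RP) checks challenge, origin, rpIdHash and signature. The domain names are assumed, and a shared-secret HMAC stands in for the authenticator's asymmetric signature so the example runs with the standard library only; the structural checks are the ones the WebAuthn specification requires of the RP.

```python
import hashlib
import hmac
import json
import secrets

# Assumed names for the illustration (not from the report).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"   # where the AitM proxy is reached
PHISH_RP_ID = "login-example.com"

# Stand-in for the per-credential key pair; a real authenticator signs with
# a private key and the RP verifies with the registered public key.
CRED_KEY = b"\x01" * 32


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def host_of(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def browser_get_assertion(rp_id: str, challenge: str, browser_origin: str) -> dict:
    """Simulates navigator.credentials.get() plus the authenticator.

    The browser refuses an rpId that is not a registrable suffix of the
    origin it is actually displaying, and it (not the page) writes that
    origin into clientDataJSON. The authenticator then signs
    authenticatorData || SHA-256(clientDataJSON).
    """
    host = host_of(browser_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("SecurityError: rpId is not a suffix of the page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signCount (4 bytes)
    auth_data = rp_id_hash(rp_id) + b"\x05" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(expected_challenge: str, assertion: dict) -> tuple[bool, str]:
    """Relying-party verification: a subset of the WebAuthn assertion checks."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "type mismatch"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def scenario_legit() -> tuple[bool, str]:
    """User on the real origin: the assertion verifies."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(challenge, browser_get_assertion(RP_ID, challenge, RP_ORIGIN))


def scenario_proxy_relays_real_rpid() -> str:
    """Proxy forwards the RP's challenge and rpId verbatim to a victim whose browser is on the phishing origin."""
    challenge = secrets.token_urlsafe(32)
    try:
        browser_get_assertion(RP_ID, challenge, PHISH_ORIGIN)
        return "assertion produced"
    except ValueError as exc:
        return str(exc)


def scenario_proxy_uses_own_rpid() -> tuple[bool, str]:
    """Proxy asks for an assertion scoped to its own domain (a real authenticator would
    not even hold a credential for it; here we let it sign to show the RP-side rejection)."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(challenge, browser_get_assertion(PHISH_RP_ID, challenge, PHISH_ORIGIN))


def scenario_proxy_rewrites_fields() -> tuple[bool, str]:
    """Proxy patches origin and rpIdHash to the real RP's values before forwarding;
    the signature was computed over the original bytes and no longer matches."""
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion(PHISH_RP_ID, challenge, PHISH_ORIGIN)
    cd = json.loads(assertion["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(cd, separators=(",", ":")).encode()
    assertion["authenticatorData"] = rp_id_hash(RP_ID) + assertion["authenticatorData"][32:]
    return rp_verify(challenge, assertion)


def scenario_totp_relay(code_from_victim: str, code_expected: str) -> bool:
    """Contrast: a relayed one-time code carries no origin, so the RP cannot tell it arrived via a proxy."""
    return hmac.compare_digest(code_from_victim, code_expected)


if __name__ == "__main__":
    print("legit            ", scenario_legit())
    print("relay real rpId  ", scenario_proxy_relays_real_rpid())
    print("proxy own rpId   ", scenario_proxy_uses_own_rpid())
    print("proxy rewrites   ", scenario_proxy_rewrites_fields())
    print("TOTP relayed     ", scenario_totp_relay("123456", "123456"))
```

The last function is the whole story of Tycoon 2FA in one line: a six-digit code typed into the proxy is indistinguishable, to the service, from one typed into the real page. Every AitM path against WebAuthn fails at a different check, which is why the origin and rpIdHash comparisons must never be relaxed on the RP side (for example to "accept any subdomain" or to skip the origin check for mobile clients).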

To assist organizations in identifying Tycoon 2FA activities, Sekoia has published a list of indicators of compromise (IoCs) on GitHub, including URLs associated with Tycoon 2FA phishing campaigns.

Akira Ransomware Adapts to Linux Systems, Incorporates New Tactics and TTPs


Akira ransomware, which initially targeted Windows systems, has evolved significantly since its emergence in March. It has since expanded its scope to Linux servers, employing a diverse set of tactics, techniques, and procedures (TTPs).

A comprehensive report by Logpoint examines the Akira operation in detail. The malware encrypts victim files, deletes volume shadow copies, and demands a ransom for data recovery. For initial access, the attack chain exploits CVE-2023-20269, a vulnerability in the remote-access VPN feature of Cisco ASA and FTD devices that permits brute-force attacks against credentials; the group focuses on Cisco ASA VPNs that are not protected by multifactor authentication.

As of early September, the group had successfully targeted 110 victims, with a particular emphasis on the US and the UK. A notable recent victim was the British quality-assurance company Intertek. The group also set its sights on manufacturing, professional services, and automotive organizations.

According to a recent report from GuidePoint Security's research and intelligence team (GRIT), educational institutions have borne a disproportionate share of Akira's attacks, accounting for eight of its 36 observed victims.

The campaign uses multiple malware strains that carry out distinct steps when executed: shadow copy deletion, file search and enumeration, and encryption.

Akira employs double extortion: it exfiltrates sensitive data before encrypting the victim's files, then demands payment both for the decryptor and for not publishing the stolen data. If payment is refused, the group threatens to release the data on the Dark Web.

Once inside, the group uses AnyDesk and RustDesk for remote desktop access, and WinRAR to archive and encrypt data for exfiltration. PC Hunter, an advanced system-information and task-manager utility, is used alongside wmiexec to move laterally through compromised systems.

The group also disables Windows Defender's real-time monitoring to avoid detection, and deletes shadow copies through PowerShell so that encrypted files cannot be restored locally. Ransom notes are dropped across the victim's system, containing payment instructions and an offer of decryption assistance.

Anish Bogati, a security research engineer at Logpoint, highlights that Akira's use of Windows internal binaries (also known as LOLBAS) is particularly concerning. These binaries typically go unnoticed by endpoint protection and are already present in the system, sparing adversaries the need to download them.

Bogati emphasizes that the ability to create a task configuration for encryption parameters without manual intervention shouldn't be underestimated.
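Several of the behaviours described above (Defender real-time monitoring turned off, shadow copies removed via PowerShell, wmiexec-style lateral movement, and commercial remote-access tools appearing on hosts) are visible in ordinary process-creation telemetry. The following is an added example, not from the Logpoint report, of detection logic run over a handful of constructed Sysmon-style process events. The command lines are illustrative patterns for these techniques, the host names and paths are made up, and the list of remote-access and tunnelling binaries is an assumption to be tuned against your own software inventory.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1-style fields).
# These are not taken from the Logpoint report or from any real incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1694000000.1 2>&1"},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\svc_backup\\AppData\\Local\\AnyDesk\\AnyDesk.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "AnyDesk.exe"},
    # Benign activity that must not fire: reading Defender settings, listing shadow copies.
    {"host": "WS03", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
    {"host": "WS03", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "vssadmin list shadows"},
]

# Assumed executable names for remote-access and tunnelling tools named in the
# article; extend or prune this against what your organisation actually sanctions.
TOOL_BASENAMES = {
    "anydesk.exe", "rustdesk.exe",
    "tailscale.exe", "tailscaled.exe",
    "zerotier-one.exe", "zerotier-one_x64.exe",
    "cloudflared.exe",
}

DEFENDER_OFF = re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)
SHADOW_DELETE = re.compile(
    r"(Win32_Shadowcopy\b.*Remove-WmiObject"      # PowerShell WMI deletion
    r"|vssadmin(\.exe)?\s+delete\s+shadows"        # vssadmin
    r"|wmic(\.exe)?\s+shadowcopy\s+delete)",       # wmic
    re.I,
)
# Impacket wmiexec runs commands via WmiPrvSE.exe and redirects output to a
# temp file on the ADMIN$ share reached over the loopback address.
WMIEXEC_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)


def basename(path: str) -> str:
    """Windows-path-aware basename that also works when run on a non-Windows host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_rules(event: dict) -> list[str]:
    """Return the names of every rule a single event trips."""
    hits = []
    cmd = event.get("cmdline", "")
    if DEFENDER_OFF.search(cmd):
        hits.append("defender_realtime_disabled")
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if basename(event.get("parent", "")) == "wmiprvse.exe" and WMIEXEC_OUTPUT.search(cmd):
        hits.append("wmiexec_child_of_wmiprvse")
    if basename(event.get("image", "")) in TOOL_BASENAMES:
        hits.append("remote_access_or_tunnel_tool")
    return hits


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Run all rules over a batch of events; returns (rule, host) pairs in event order."""
    return [(rule, ev["host"]) for ev in events for rule in match_rules(ev)]


if __name__ == "__main__":
    for rule, host in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The shadow-copy and Defender rules are high-confidence on their own; the tool rule is only as good as the allow-list behind it, which is why the report's advice to decide which remote-access and tunnelling products are sanctioned has to come first. Two different rules firing on the same host within minutes, as on WS01 here, is the pattern worth paging on.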

Taking Countermeasures

Bogati underscores the need for organizations to implement MFA and restrict permissions to prevent brute-force attacks on credentials. Keeping software and systems up to date is crucial in staying ahead of adversaries exploiting newly discovered vulnerabilities.

The report also recommends auditing privileged accounts and providing regular security awareness training. Network segmentation is advised to isolate critical systems and sensitive data, reducing the risk of breaches and limiting lateral movement by attackers.

Bogati suggests organizations should consider blocking unauthorized tunneling and remote access tools, like Cloudflare Zero Trust, ZeroTier, and Tailscale, which are often employed by adversaries to gain covert access to compromised networks.

Changing Landscape of Ransomware

The Akira group, named after a 1988 Japanese anime cult classic, emerged as a significant cyber threat in March of this year, primarily focusing on Windows systems.

The transition by Akira into Linux enterprise environments mirrors similar moves by more established ransomware groups like Cl0p, Royal, and IceFire. Akira represents a new wave of ransomware actors reshaping the threat landscape, marked by the emergence of smaller groups and new tactics. Established gangs like LockBit are witnessing fewer victims.

Among the newer ransomware groups are 8Base, Malas, Rancoz, and BlackSuit, each with its distinct characteristics and targets.

Bogati warns that, judging by its victim count, Akira is poised to become one of the most active threat actors. The group is developing multiple variants of its malware with differing capabilities and will exploit unpatched systems at every opportunity.