Tag Archive for: microsoft

Hackers using Microsoft Teams for phishing attacks to spread malware: Report

/in


Cybercriminals are leveraging Microsoft Teams for a new malware campaign, using group chat requests to push DarkGate malware paylo…
Read More
Cybercriminals are using Microsoft’s video conferencing platform Teams for a new malware campaign. According to a report by AT&T Cybersecurity research, hackers are using Microsoft Teams group chat requests as new phishing attacks to push malicious attachments that can install DarkGate malware payloads on victims’ systems. Researchers claim that the attackers may have used a compromised Teams user (or domain) to send over 1,000 malicious Teams group chat invites.

How these Microsoft Teams group chat requests can be harmfulThe report claims that once the malware is installed on a victim’s system, it will reach out to its command-and-control server. This server has already been identified as part of DarkGate malware infrastructure by Palo Alto Networks, report Bleeping Computer.

As per the report, the hackers were able to push this phishing campaign as Microsoft allows Teams users to message other users by default.

AT&T Cybersecurity network security engineer Peter Boyle has warned: “Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel. As always, end users should be trained to pay attention to…

Source…

Androxgh0st Botnet Malware Steals AWS, Microsoft Credentials

/in


Threat actors use botnet malware to gain access to the network of compromised systems that enable them to perform several types of illicit activities.

They get attracted to botnet malware due to its distributed and anonymous infrastructure, which makes it stealthy and sophisticated.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently discovered that hackers are actively deploying Androxgh0st botnet malware that steals AWS and Microsoft credentials.

Document

Free Webinar

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Androxgh0st Botnet Malware

Androxgh0st malware builds a botnet to find and exploit victims in target networks. It’s a Python-scripted threat targeting .env files with sensitive data, like credentials for AWS, Office 365, SendGrid, and Twilio. 

This botnet malware, “Androxgh0st,” also misuses SMTP for scanning, exploiting credentials and APIs, and deploying web shells on compromised targeted systems.

To scan for websites with vulnerabilities, Androxgh0st malware uses scripts by exploiting CVE-2017-9841 to run PHP code remotely via PHPUnit.

It targets /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI on websites with exposed /vendor folders, which allows threat actors to execute code. 

Not only that, but this malware also enables downloading malicious files, setting up fake pages for backdoor access, and accessing databases in cyber operations.

The malware targets the .env files for credentials, and to scan Laravel web applications, it forms a botnet.

Threat actors issue GET/POST requests to /.env URI by searching for usernames, passwords, and more. In debug mode, they use a POST variable (0x[]) as an identifier. 

If successful, they access email, AWS credentials, and the Laravel application key. 

Besides this, by exploiting CVE-2018-15133, they encrypt PHP code to pass…

Source…

Microsoft hacked: Tech company reveals hack by Russia-backed group, Midnight Blizzard, or Nobelium

/in


CHICAGO — Microsoft revealed Friday that some of its corporate email accounts were hacked by a Russian-backed group.

The tech company said in a blog post that its security team detected the attack on Jan. 12 and quickly identified the group responsible: Midnight Blizzard, “the Russian state-sponsored actor also known as Nobelium.”

In late November, the group allegedly used a “password spray attack,” where a user uses a single common password against multiple accounts on the same application, to “compromise a legacy non-production test tenant account and gain a foothold,” according to Microsoft.

The group then “used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” the company said.

The hackers allegedly were targeting email accounts for information related to Midnight Blizzard, Microsoft said.

RELATED: Man says fraudulent accounts opened, home purchased in his name after city ransomware hack

Microsoft was able to remove the hacker’s access to the email accounts on Jan. 13, according to a company filing with the SEC.

“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required,” the company said.

The company said it is in the process of informing its affected users.

The investigation is ongoing.

Copyright © 2024 ABC News Internet Ventures.

Source…

Microsoft network breached through password-spraying by Russia-state hackers

/in


Microsoft network breached through password-spraying by Russia-state hackers

Getty Images

Russia-state hackers exploited a weak password to compromise Microsoft’s corporate network and accessed emails and documents that belonged to senior executives and employees working in security and legal teams, Microsoft said late Friday.

The attack, which Microsoft attributed to a Kremlin-backed hacking group it tracks as Midnight Blizzard, is at least the second time in as many years that failures to follow basic security hygiene have resulted in a breach that has the potential to harm customers. One paragraph in Friday’s disclosure, filed with the Securities and Exchange Commission, was gobsmacking:

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.

Microsoft didn’t detect the breach until January 12, exactly a week before Friday’s disclosure. Microsoft’s description of the incident raises the prospect that the Russian hackers had uninterrupted access to the accounts for as long as two months.

A translation of the 93 words quoted above: A device inside Microsoft’s network was protected by a weak password with no form of two-factor authentication employed. The Russian adversary group was able to guess it by peppering it with previously compromised or commonly used passwords until they finally landed on the right one. The threat actor then accessed the account.

Furthermore, this “legacy non-production test tenant account” was somehow configured so that Midnight Blizzard…

Source…