‘Financially Motivated Threat Actors’ Distributing Malware via App Installer

Microsoft is warning that threat actors, including financially motivated ones, are abusing App Installer to distribute malware.

Microsoft Threat Intelligence says bad actors have been using the ms-appinstaller URI scheme (App Installer) to distribute malware since at least mid-November 2023. Microsoft has disabled the protocol handler in an effort to combat its abuse.

The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler. These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector of phishing through Microsoft Teams is also in use by Storm-1674.

Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.

The attacks are especially dangerous for Teams users, since the bad actors are spoofing legitimate Microsoft pages.

Since the beginning of December 2023, Microsoft identified instances where Storm-1674 delivered fake landing pages through messages delivered using Teams. The landing pages spoof Microsoft services like OneDrive and SharePoint, as well as other companies. Tenants created by the threat actor are used to create meetings and send chat messages to potential victims using the meeting’s chat functionality.

More information can be found here, including detailed analysis of the attack. In the meantime, Microsoft says organizations should educate Teams users to be able to identify and protect themselves from this exploit.

Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.

Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks

Sep 18, 2023 | THN | Threat Intelligence / Ransomware


The financially motivated threat actor known as UNC3944 is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed.

“UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group,” the threat intelligence firm said.

“UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums.”

The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, adopting phone-based social engineering and SMS-based phishing to obtain employees’ valid credentials using bogus sign-in pages and infiltrate victim organizations, mirroring tactics adopted by another group called LAPSUS$.

While the group originally focused on telecom and business process outsourcing (BPO) companies, it has since expanded its targeting to include hospitality, retail, media and entertainment, and financial services, illustrative of the growing threat.

A key hallmark of the threat actors is that they are known to leverage a victim’s credentials to impersonate the employee on calls to the organization’s service desk in an attempt to obtain multi-factor authentication (MFA) codes and/or password resets.

It’s worth noting that Okta, earlier this month, warned customers of the same attacks, with the e-crime gang calling the victims’ IT help desks to trick support personnel into resetting the MFA codes for employees with high privileges, allowing them to gain access to those valuable accounts.

In one instance, an employee is said to have installed the RECORDSTEALER malware via a fake software download, which subsequently facilitated credential theft. The rogue sign-in pages, designed using phishing kits such as EIGHTBAIT and others, are capable of sending the captured credentials to an actor-controlled Telegram channel and deploying AnyDesk.

The adversary has also been observed using a variety of information…

Alarming Increase in Targeted Attacks Aimed at Politically Motivated Sabotage and Subversion – Business Wire (press release)

… marked by extraordinary attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the U.S. electoral process by state-sponsored groups, according to Symantec's (Nasdaq: SYMC) Internet Security Threat Report (ISTR
