Ongoing Microsoft Azure account hijacking campaign targets executives

A phishing campaign detected in late November 2023 has compromised hundreds of user accounts in dozens of Microsoft Azure environments, including those of senior executives.

Attackers target executives' accounts because they can access confidential corporate information, self-approve fraudulent financial transactions, and reach critical systems to use as a foothold for launching more extensive attacks against the breached organization or its partners.

Proofpoint's Cloud Security Response Team, which has been monitoring the malicious activity, issued an alert earlier today highlighting the lures the threat actors use and proposing targeted defense measures.

Campaign details

The attacks use documents sent to targets that embed links disguised as "View document" buttons; clicking them takes victims to credential phishing pages.

Proofpoint says the messages target employees who are more likely to hold elevated privileges within their organization, which raises the value of a successful account compromise.

"The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as "Vice President, Operations", "Chief Financial Officer & Treasurer" and "President & CEO" were also among those targeted," explains Proofpoint.

The analysts identified the following Linux user-agent string, which the attackers use when gaining unauthorized access to Microsoft 365 apps:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

This user agent has been associated with various post-compromise activities, such as MFA manipulation, data exfiltration, internal and external phishing, financial fraud, and the creation of mailbox rules that hide the attackers' traces.

Proofpoint says it has observed unauthorized access to the following Microsoft 365 components:

  • Office365 Shell WCSS-Client: Indicates browser access to Office 365 applications, suggesting web-based interaction with the suite.
  • Office 365 Exchange Online: Shows that attackers target this service for email-related abuse, including data exfiltration and lateral phishing.
  • My Signins: Used by attackers to manipulate Multi-Factor Authentication (MFA), for example by registering their own authentication methods.
  • My Apps: Targeted for accessing and possibly altering configurations or permissions of applications within the Microsoft 365 environment.
  • My Profile: Indicates attempts to modify the user's personal and security settings, possibly to maintain unauthorized access or escalate privileges.
[Image: MFA manipulation events (Proofpoint)]

Proofpoint also reports that the attackers' operational infrastructure includes proxies, data hosting services, and hijacked domains. Proxies are chosen to be geographically near the targets to reduce the likelihood of sign-ins being blocked by MFA or other geo-fencing policies.

The cybersecurity firm also saw inconclusive evidence that the attackers may be based in Russia or Nigeria, based on their use of certain local fixed-line internet service providers.

How to defend

Proofpoint proposes several defense measures against the ongoing campaign, which can help improve organizational security within Microsoft Azure and Office 365 environments.

The suggestions include:

  1. Monitor logs for the specific user-agent string shared above and for the source domains associated with the campaign.
  2. Immediately reset the passwords of hijacked accounts and periodically change passwords for all users.
  3. Use security tools to detect account takeover events quickly.
  4. Apply industry-standard mitigations against phishing, brute-forcing, and password-spraying attacks.
  5. Implement policies for automated threat response.
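A hunt over sign-in logs for the indicators above, as an added example that is not part of the Proofpoint alert or this article. It assumes sign-ins exported as newline-delimited JSON with the Microsoft Entra ID sign-in log field names (userPrincipalName, appDisplayName, userAgent, ipAddress, createdDateTime); the five log lines embedded in the block are constructed, not real records. It goes a little beyond step 1: it rates a user higher when the campaign user agent touches My Signins shortly after another listed app (the MFA manipulation pattern described earlier), and it lists source IPs that appear only with that user agent, since the report says the proxies are chosen near the target and may pass a geo-fencing check.

```python
"""Hunt for the campaign's user agent in Entra ID sign-in logs.

Added example, not code from the Proofpoint report or the article. Assumes
newline-delimited JSON records using the Entra ID sign-in log field names.
The sample records below are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator from the Proofpoint alert. Matched exactly on purpose: a generic
# Chrome-on-Linux UA is uncommon in most corporate fleets but not unique, and
# a substring match on "X11; Linux" would sweep up developer workstations.
CAMPAIGN_UA = (
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
)

# Application display names Proofpoint saw accessed after compromise.
TARGETED_APPS = {
    "Office365 Shell WCSS-Client",
    "Office 365 Exchange Online",
    "My Signins",
    "My Apps",
    "My Profile",
}

# Constructed sample export: one normal Windows sign-in for the CFO, then a
# sequence matching the campaign (new IP, campaign UA, Exchange, My Signins),
# and a Linux user hitting an app that is not on the list.
SAMPLE_LOG = """\
{"createdDateTime": "2024-02-12T08:01:10Z", "userPrincipalName": "cfo@example.com", "appDisplayName": "Office 365 Exchange Online", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", "ipAddress": "203.0.113.10"}
{"createdDateTime": "2024-02-12T08:15:42Z", "userPrincipalName": "cfo@example.com", "appDisplayName": "Office365 Shell WCSS-Client", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "ipAddress": "198.51.100.77"}
{"createdDateTime": "2024-02-12T08:16:05Z", "userPrincipalName": "cfo@example.com", "appDisplayName": "Office 365 Exchange Online", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "ipAddress": "198.51.100.77"}
{"createdDateTime": "2024-02-12T08:20:30Z", "userPrincipalName": "cfo@example.com", "appDisplayName": "My Signins", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "ipAddress": "198.51.100.77"}
{"createdDateTime": "2024-02-12T09:00:00Z", "userPrincipalName": "dev@example.com", "appDisplayName": "Azure Portal", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "ipAddress": "203.0.113.55"}
"""


def parse_signins(ndjson_text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def ua_hits(records):
    """Every sign-in whose user agent exactly matches the campaign indicator."""
    return [r for r in records if r.get("userAgent") == CAMPAIGN_UA]


def score_users(records, window=timedelta(hours=1)):
    """Group campaign-UA sign-ins per user and rate them.

    Returns {upn: (score, targeted_apps)} where score is
      "high"   - campaign UA hit My Signins within `window` of another listed app
      "medium" - campaign UA used against at least one listed app
      "low"    - campaign UA seen, but only against apps outside the list
    """
    per_user = defaultdict(list)
    for r in ua_hits(records):
        per_user[r["userPrincipalName"]].append(r)

    result = {}
    for upn, hits in per_user.items():
        times = [
            (datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"), r["appDisplayName"])
            for r in hits
        ]
        targeted = {app for _, app in times} & TARGETED_APPS
        score = "medium" if targeted else "low"
        mfa_touches = [t for t, app in times if app == "My Signins"]
        other_hits = [t for t, app in times if app in TARGETED_APPS and app != "My Signins"]
        if any(abs(t - o) <= window for t in mfa_touches for o in other_hits):
            score = "high"
        result[upn] = (score, sorted(targeted))
    return result


def ip_novelty(records):
    """Per user, source IPs seen only together with the campaign UA.

    The proxies sit near the victim, so a geo check may pass; an address the
    user never used from their usual browser is still a useful second signal.
    """
    baseline, suspect = defaultdict(set), defaultdict(set)
    for r in records:
        bucket = suspect if r.get("userAgent") == CAMPAIGN_UA else baseline
        bucket[r["userPrincipalName"]].add(r.get("ipAddress"))
    return {upn: ips - baseline[upn] for upn, ips in suspect.items() if ips - baseline[upn]}


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    for upn, (score, apps) in score_users(recs).items():
        print(f"{upn}: {score}; listed apps touched: {', '.join(apps) or 'none'}")
    for upn, ips in ip_novelty(recs).items():
        print(f"{upn}: source IPs seen only with campaign UA: {', '.join(sorted(ips))}")
```

Run against a real export, the "low" bucket is where the false positives land (Linux users on apps outside the list); the "high" bucket, a listed app followed within the hour by My Signins from the same address, is what the MFA manipulation events in the report look like, and is the one to act on first by revoking sessions and reviewing registered authentication methods before the password reset in step 2.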

These measures can help detect incidents early, respond rapidly, and reduce the attackers' window of opportunity and dwell time as much as possible.

Source: Bleepingcomputer
