Threat Intelligence Report - August 4, 2023.
The NetFire Threat Intelligence Report contains a weekly collection of key developments to be aware of along with action tips from NetFire.
NetFire Threat Intelligence Team
Attack on Airgapped Devices Points to Nation-State
APT31, a hacking group linked to China, is suspected to be behind a series of attacks on industrial organizations in Eastern Europe targeting data stored on air-gapped systems. The attackers use sophisticated modular malware to profile removable drives, then seed those drives with a worm that exfiltrates data from isolated networks; they also use encrypted payloads, memory injection, and DLL hijacking to hide malicious code and thwart detection and analysis.
Salesforce Infrastructure Used For Facebook Phishing Attacks
Cyber attackers have exploited a zero-day vulnerability in Salesforce's email services in a sophisticated Facebook phishing campaign, using the company's domain and infrastructure to send targeted phishing emails that bypass conventional detection methods. The phishing messages, which appear to come from Meta and are sent from a "@salesforce.com" address, direct users to a malicious landing page hosted as a game under Facebook apps, aiming to steal account credentials and two-factor authentication codes.
Russian Hackers Compromise Microsoft Teams For Phishing Attacks
A Russian government-affiliated hacking group known as Midnight Blizzard or APT29 has executed "highly targeted" social engineering attacks on fewer than 40 global organizations, exploiting Microsoft Teams chats to steal login credentials. The group set up deceptive domains and accounts that resemble technical support to trick users into approving multi-factor authentication prompts, demonstrating the hackers' ability to bypass advanced security measures.
New Azure AD Feature Poses Lateral Attack Risk
Microsoft's newly introduced Azure Active Directory Cross-Tenant Synchronization (CTS) feature could enable threat actors to spread laterally to other Azure tenants more easily if it is improperly configured. Attackers with elevated privileges in a compromised tenant can abuse CTS to move laterally into other connected tenants and deploy rogue CTS configurations that establish persistence on those networks, which poses a significant cybersecurity risk.
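One defensive check for the CTS risk above is to audit which partner tenants are allowed to push users into your tenant. The following is an added example, not NetFire's tooling: it reads an export of the cross-tenant access policy partners (field names assumed from the Microsoft Graph schema; the sample tenant IDs and values are constructed) and flags partners that are not on an approved list, or that have inbound user sync or inbound automatic consent enabled.

```python
import json

# Constructed sample. The shape mirrors a Graph export of
# /policies/crossTenantAccessPolicy/partners; the field names are assumed
# from the Graph schema, and the tenant IDs and values are made up.
SAMPLE_PARTNERS = json.dumps({
    "value": [
        {
            "tenantId": "11111111-1111-1111-1111-111111111111",
            "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
            "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
        },
        {
            "tenantId": "22222222-2222-2222-2222-222222222222",
            "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": False},
            "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": False}},
        },
        {
            "tenantId": "33333333-3333-3333-3333-333333333333",
            "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": True},
            "identitySynchronization": None,  # no sync policy configured at all
        },
    ]
})


def audit_cts_partners(partners_json: str, approved: set[str]) -> list[dict]:
    """Return one finding per partner tenant that is unexpected or that can
    push identities into this tenant without a human approving each one."""
    findings = []
    for partner in json.loads(partners_json).get("value", []):
        tid = partner.get("tenantId", "")
        consent = partner.get("automaticUserConsentSettings") or {}
        # identitySynchronization may be absent or null; treat that as "not allowed"
        sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
        reasons = []
        if tid not in approved:
            reasons.append("partner tenant not in approved list")
        if sync.get("isSyncAllowed"):
            reasons.append("inbound user sync allowed")
        if consent.get("inboundAllowed"):
            reasons.append("inbound automatic consent allowed")
        if reasons:
            findings.append({"tenantId": tid, "reasons": reasons})
    return findings
```

Any partner that appears in the findings but was not deliberately onboarded is a candidate rogue CTS configuration and should be reviewed against the tenant's change history.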
34% of Industrial Control System Vulnerabilities Unpatched in 2023
About 34% of the security vulnerabilities affecting industrial control systems (ICSs) reported in the first half of 2023 have no patch or remediation, a significant increase from 13% in the previous year, according to data compiled by SynSaber. The critical manufacturing and energy sectors are the most likely to be affected, and vendors such as Mitsubishi Electric, Siemens, and Rockwell Automation account for the most impact; the same report notes an average of 813 unique daily attacks detected against honeypots.
Follow NetFire and stay tuned for more insights.
#NetFireThreatIntelligence #ThreatIntelligence #NetFireCloud #SecureCloud #AirgappedAttack #Salesforce #Phishing #Facebook #Meta #MicrosoftTeams #AzureAD #IndustrialControls #NetOnFire