A malicious campaign is targeting Microsoft Azure environments using credential phishing and cloud account takeover (ATO) techniques. Since late November 2023, attackers have been sending emails with weaponized documents containing links disguised as document previews.
Clicking on these links redirects users to phishing webpages designed to steal login credentials, which compromises user accounts, including those of senior executives, potentially granting unauthorized access to Azure resources.
Attackers are targeting a broad range of individuals across various organizations with phishing lures embedded in shared documents. By going after users such as sales directors, finance managers, and even CEOs, they seek to compromise accounts with diverse access levels.
Security researchers identified a specific Linux user-agent, ‘Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36’, used during the initial access phase. Its presence indicates an attack against Microsoft Azure environments and suggests a strategic attempt to gain privileged access within targeted organizations.
Attackers also use this user-agent to sign in to the ‘OfficeHome’ application, potentially to reach various Microsoft 365 functionalities; subsequent access through ‘Office365 Shell WCSS-Client’ indicates browser-based activity, potentially for reconnaissance.
Compromised accounts might then be used for malicious activities like email threats and data exfiltration through ‘Office 365 Exchange Online’, and attackers might use ‘My Signins’ to bypass Multi-Factor Authentication (MFA) and potentially exploit ‘My Apps’ and ‘My Profile’ for further lateral movement within the system.
Attackers exploit initial access to an organization’s system by manipulating MFA to gain persistent control, which involves registering their own authentication methods, such as notification apps or phone numbers.
Once inside, they exfiltrate sensitive data like financial records, security protocols, and user credentials and then use stolen credentials and access to mailboxes for lateral movement within the network and launch targeted phishing attacks.
Additionally, attackers may send fraudulent emails impersonating internal figures to trick HR or finance departments into initiating unauthorized financial transfers. To cover their tracks, they can also set up rules within mailboxes to automatically delete evidence of their activity.
Operational Infrastructure:
Attackers used a combination of proxies, data hosting services, and hijacked domains to mask their location and evade geo-fencing. Frequently switching proxies further hindered defenders from identifying and blocking malicious activity.
Attackers also used certain local ISPs, including Russia-based Selena Telecom LLC and Nigerian providers Airtel Networks Limited and MTN Nigeria Communication Limited, potentially revealing their geographical origins.
The tactics make it difficult to attribute the attack to a specific threat actor, but the use of Russian and Nigerian infrastructure suggests possible involvement from actors in those regions.
The investigation by Proofpoint revealed indicators of compromise (IOCs), including multiple user agents, domains, and internet service providers (ISPs) potentially involved in a multi-phased attack. The user agents, all spoofing Chrome versions 119 and 120, suggest the attackers targeted Windows and Linux systems during access and post-access phases.
Malicious domains sachacel[.]ru, lobnya[.]com, makeapp[.]today, alexhost[.]com, mol[.]ru, smartape[.]net, and acedatacenter[.]com were identified, and ISPs Sokolov Dmitry Nikolaevich, Dom Tehniki Ltd, and Selena Telecom LLC were found to be hosting the malicious infrastructure.
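The user-agent and the sign-in application sequence described above (OfficeHome or Office365 Shell WCSS-Client, then My Signins/My Apps/My Profile, then Exchange Online) can be hunted for in exported Entra ID sign-in logs. The following triage script is an added example, not code from the write-up or from Proofpoint; the record field names are assumed to follow the Entra ID sign-in log schema, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Exact user-agent reported for the campaign's initial-access phase (from the write-up).
CAMPAIGN_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# Wider pattern for the IOC list: Chrome 119/120 spoofs on Windows or Linux (noisier on its own).
SPOOFED_UA_RE = re.compile(
    r"\((Windows NT [\d.]+; Win64; x64|X11; Linux x86_64)\).*Chrome/(119|120)\.0\.0\.0 Safari")

# Sign-in applications grouped by the attack phase the write-up associates them with.
PHASE_OF_APP = {
    "OfficeHome": "recon", "Office365 Shell WCSS-Client": "recon",
    "My Signins": "mfa", "My Apps": "mfa", "My Profile": "mfa",
    "Office 365 Exchange Online": "mailbox",
}

def phases_for(events):
    """Ordered, de-duplicated phase sequence for one user's events (ISO timestamps sort lexically)."""
    seq = []
    for ev in sorted(events, key=lambda e: e["createdDateTime"]):
        phase = PHASE_OF_APP.get(ev.get("appDisplayName", ""))
        if phase and (not seq or seq[-1] != phase):
            seq.append(phase)
    return seq

def triage(records):
    """Return {upn: finding} for users whose sign-ins match the campaign pattern."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"]].append(rec)
    alerts = {}
    for upn, evs in by_user.items():
        uas = [e.get("userAgent", "") for e in evs]
        exact = any(ua == CAMPAIGN_UA for ua in uas)
        spoofed = any(SPOOFED_UA_RE.search(ua) for ua in uas)
        seq = phases_for(evs)
        # Highest confidence: campaign UA plus an MFA-management app reached after reconnaissance.
        mfa_after_recon = "recon" in seq and "mfa" in seq[seq.index("recon"):]
        if exact and mfa_after_recon:
            severity = "high"
        elif (exact or spoofed) and seq:
            severity = "medium"
        else:
            continue  # spoofed-looking UA alone is too common to alert on
        alerts[upn] = {"severity": severity, "phases": seq, "exact_ua": exact}
    return alerts

def ev(upn, ts, app, ua):  # helper to build constructed sample records
    return {"userPrincipalName": upn, "createdDateTime": ts, "appDisplayName": app, "userAgent": ua}

WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
SAMPLE = [  # constructed, not real log data
    ev("cfo@example.com", "2023-12-01T08:02:11Z", "OfficeHome", CAMPAIGN_UA),
    ev("cfo@example.com", "2023-12-01T08:05:40Z", "My Signins", CAMPAIGN_UA),
    ev("cfo@example.com", "2023-12-01T08:20:03Z", "Office 365 Exchange Online", CAMPAIGN_UA),
    ev("dev@example.com", "2023-12-01T09:00:00Z", "Azure Portal", WIN_UA),
]
```

Running `triage(SAMPLE)` flags only cfo@example.com (severity high, phases recon, mfa, mailbox); the developer's ordinary Chrome 120 sign-in to the Azure Portal is not alerted on.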