Summary: Microsoft has disclosed a critical vulnerability (CVE-2024-49040) in Exchange Server that allows attackers to spoof legitimate email senders, potentially enhancing the effectiveness of phishing attacks. Discovered by researcher Vsevolod Kokorin, the flaw affects Exchange Server 2016 and 2019, prompting Microsoft to implement detection and warning measures in recent updates.…
Tag: SMTP
Summary:
HawkEye, also known as PredatorPain, is a long-standing malware primarily functioning as a keylogger but has evolved to include functionalities typical of stealers. Initially emerging in 2008, it gained notoriety through spearphishing campaigns and has been utilized by various threat actors. Its delivery methods have diversified over time, and it has shown resilience in adapting to new evasion techniques and maintaining persistence on infected systems.…
Summary:
Earth Estries employs sophisticated attack chains utilizing various malware, including Zingdoor and Snappybee, to exploit vulnerabilities in systems like Microsoft Exchange servers. Their tactics involve maintaining persistence, lateral movement, and data exfiltration through a combination of custom tools and established malware.
Keypoints:
Earth Estries targets government and tech sectors since at least 2020.…
Threat Actor: IntelBroker | IntelBroker Victim: Nokia | Nokia Price: $20,000 Exfiltrated Data Type: Source code, SSH keys, RSA keys, Bitbucket credentials, SMTP accounts, webhooks, hardcoded credentials
Key Points :
Nokia is investigating claims of a significant data breach involving stolen source code and sensitive information.…
Summary:
The article outlines various phishing attempts through email, detailing the types of attachments used and the number of users targeted. The emails primarily involve financial documents and requests, indicating a focus on exploiting business transactions.
Keypoints:
Multiple phishing emails targeting users with financial documents. Attachments include various file types such as rar, zip, and exe.…
Threat Actor: Unknown Hacker | Unknown Hacker Victim: Nokia | Nokia Price: Offered to reputable buyers on the dark web Exfiltrated Data Type: Sensitive credentials and source code
Key Points :
A significant data breach exposed Nokia’s source code through a third-party contractor. Leaked information includes SSH keys, RSA keys, Bitbucket logins, SMTP accounts, webhooks, and hardcoded passwords.…
Short Summary:
The Sysdig Threat Research Team uncovered a global operation named EMERALDWHALE, which targeted exposed Git configurations, resulting in the theft of over 15,000 cloud service credentials. The attackers exploited misconfigured web services to steal credentials, clone private repositories, and extract sensitive data. The stolen credentials, valuable for phishing and spam campaigns, were stored in an S3 bucket belonging to a previous victim.…
Threat Actor: Unknown | Unknown Victim: RANEPA University | RANEPA University Price: Not disclosed Exfiltrated Data Type: Personal information and IT configurations
Key Points :
RANEPA University in Russia was compromised in a cyberattack. Attackers accessed key systems including OwnCloud, phonebook, and GLPI. Leaked data includes sensitive IT configurations like SMTP settings and LDAP URLs.…
Short Summary:
The article discusses the analysis of a packed Snake Keylogger malware sample. It details the reverse engineering process, including unpacking techniques, the use of .NET obfuscation, and the malware’s capabilities such as keylogging and clipboard hijacking. The analysis also highlights the malware’s communication with the threat actor’s Telegram bot and the extraction of various indicators of compromise (IOCs).…
Summary: ESET researchers have uncovered a sophisticated cyberespionage campaign by the APT group GoldenJackal, targeting air-gapped systems within governmental organizations in Europe. This blogpost details previously undocumented tools used by the group, highlighting their capabilities and the timeline of their attacks from 2019 to 2024.
Threat Actor: GoldenJackal | GoldenJackal Victim: Governmental organizations in Europe | governmental organizations in Europe
Key Point :
GoldenJackal has been targeting air-gapped systems since at least 2019, using a custom toolset that includes GoldenDealer, GoldenHowl, and GoldenRobo.…
Short Summary:
ESET researchers have uncovered a series of cyberespionage attacks attributed to the APT group GoldenJackal, targeting governmental organizations in Europe. The group has utilized sophisticated tools to compromise air-gapped systems, aiming to steal confidential information. This blogpost details the previously undocumented tools and their functionalities, highlighting GoldenJackal’s capabilities and persistence in targeted networks.…
Summary: Cybersecurity researchers are alerting organizations about active exploitation attempts of a newly disclosed vulnerability, CVE-2024-45519, in Synacor’s Zimbra Collaboration software. The flaw allows unauthenticated attackers to execute arbitrary commands, prompting urgent patching recommendations from security experts.
Threat Actor: Unknown | unknown Victim: Synacor | Synacor
Key Point :
Exploitation attempts began shortly after the vulnerability was disclosed, indicating a rapid response from threat actors.…
Summary: Attackers are exploiting a critical remote code execution vulnerability (CVE-2024-45519) in Zimbra’s SMTP server, prompting urgent patching by affected organizations. The vulnerability allows unauthenticated remote attackers to execute arbitrary commands, leading to potential control over vulnerable systems.
Threat Actor: Unknown | unknown Victim: Zimbra | Zimbra
Key Point :
Exploitation of CVE-2024-45519 began on Sept.…
Short Summary:
The article details various email payloads used in phishing attempts, specifically focusing on different types of attachments and the malware associated with them. The payloads target multiple users and utilize various compression formats to deliver malicious software.
Key Points:
Date of incidents ranges from September 2, 2023, to September 30, 2024.…
Short Summary:
Attackers are exploiting legitimate web features to send spam, utilizing automated processes and human involvement to manipulate web forms and email servers. Credential stuffing is also a significant threat, allowing attackers to access email accounts and send spam from legitimate domains. The article discusses various methods used by spammers and tools that facilitate these attacks, while also providing recommendations for users to enhance their security.…
Short Summary:
This article discusses a series of malicious email campaigns that occurred in August 2024, targeting various users with different types of email payloads, including attachments and links. The campaigns utilized various malware types, such as xloader, snakekeylogger, and originlogger, to compromise users.
Key Points:
Multiple malicious email campaigns reported throughout August 2024.…
Summary: Fortinet’s FortiGuard Labs has identified a new variant of the Snake Keylogger, delivered through a malicious Excel document in a phishing campaign that exploits a known vulnerability. This sophisticated malware is designed to steal sensitive information by executing a series of malicious activities upon opening the infected document.…
Short Summary:
The article discusses a phishing campaign that delivers a new variant of the Snake Keylogger through a malicious Excel document. This keylogger is capable of collecting sensitive information from victims’ computers, including saved credentials, keystrokes, and screenshots. The campaign exploits a known vulnerability to execute its payload and employs various techniques to evade detection.…
Short Summary:
The article discusses a phishing campaign that delivers a new variant of the Snake Keylogger through a malicious Excel document. This keylogger is capable of stealing sensitive information from Windows users, including saved credentials, keystrokes, and screenshots. The analysis details the methods used to execute the attack, including exploiting vulnerabilities and employing various scripting languages to download and execute the keylogger.…
Threat Actor: Dark Web Threat Actor | Dark Web Threat Actor Victim: Popular E-commerce Website | Popular E-commerce Website Price: Available for Sale Exfiltrated Data Type: Admin accounts, database access, API keys
Key Points :
User Base: The e-commerce site reportedly has a total of 19,100 registered users.…
Short Summary:
The article discusses a phishing attack that led to a malware infection involving the 0bj3ctivity Stealer, facilitated by the Ande Loader. eSentire’s Threat Response Unit (TRU) details their investigation, response, and recommendations for enhancing security measures against such threats.
Key Points:
eSentire operates 24/7 Security Operations Centers (SOCs) with elite threat hunters.…
Kimsuky is a North Korean APT group focused on intelligence collection, particularly targeting South Korean entities, as well as the U.S. and Europe. Active since at least 2012, Kimsuky employs phishing tactics to infiltrate university networks and steal sensitive information. Recent advisories from the NSA and FBI highlight their use of social engineering and misconfigured DMARC records to facilitate their operations.…
Summary: A surge in SnakeKeylogger infections targeting Windows users has been reported, with the malware capable of stealing credentials, taking screenshots, and exfiltrating sensitive data. Fortinet’s FortiGuard Labs has identified this keylogger as a significant threat, particularly noting its sophisticated methods of evasion and data collection.…
Short Summary: AhnLab Security Intelligence Center has reported the distribution of SnakeKeylogger malware via phishing emails. This Infostealer malware, developed in .NET, exfiltrates sensitive data through various channels, including email and FTP. Key Points: SnakeKeylogger is an Infostealer type of malware. It is distributed via phishing emails with executable attachments.…
Short Summary:
Cisco Talos is monitoring multiple malware campaigns utilizing NetSupport RAT for persistent infections. These campaigns employ obfuscation and updates to evade detection. The article discusses how Snort can be leveraged for detecting these evasive malware threats, detailing the stages of the attack and the methodologies for detection.…
Summary: Recent vulnerabilities in hosted outbound SMTP servers allow authenticated users to spoof sender information, undermining email security protocols like SPF, DKIM, and DMARC. This exploitation poses significant risks of email impersonation, potentially damaging the reputation and finances of affected organizations.
Threat Actor: Authenticated attackers | authenticated attackers Victim: Organizations using hosted email services | organizations using hosted email services
Key Point :
Vulnerabilities CVE-2024-7208 and CVE-2024-7209 allow spoofing of sender identities in shared hosting environments.…
Summary: ESET Research identified multiple phishing campaigns targeting small and medium-sized businesses in Poland during May 2024, utilizing ModiLoader to distribute various malware families. The campaigns exploited compromised email accounts and company servers to deliver malware, including Rescoms, Agent Tesla, and Formbook, primarily aimed at credential theft and network access.…
Summary: Guardio Labs has identified a critical exploit in Proofpoint’s email protection service, allowing threat actors to send millions of spoofed phishing emails that appear to come from reputable brands. This technique, termed “EchoSpoofing,” bypasses major security measures, posing significant risks to recipients and highlighting vulnerabilities in email protocols.…
Short Summary:
ESET Research identified multiple phishing campaigns targeting small and medium-sized businesses in Poland during May 2024, utilizing ModiLoader to distribute various malware families, including Rescoms, Agent Tesla, and Formbook. The campaigns leveraged compromised email accounts to enhance credibility and facilitate data exfiltration.
Key Points:
ESET detected nine notable ModiLoader phishing campaigns in May 2024 across Poland, Romania, and Italy.…
Short Summary:
The article discusses a significant phishing campaign named “EchoSpoofing,” which exploits Proofpoint’s email protection service to send millions of perfectly spoofed emails from well-known brands like Disney, IBM, and Coca-Cola. The campaign leverages authenticated SPF and DKIM signatures to bypass security measures, aiming to deceive recipients into revealing sensitive information.…
Key Findings
In March, Proofpoint researchers identified spam campaigns being relayed through a small number of Proofpoint customers’ email infrastructure by sending spam from Microsoft 365 tenants.
All analyses indicate this activity was conducted by one spam actor, whose activity we do not attribute to a known entity.
The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow.
To resolve the issue, Proofpoint implemented a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default.
Any email infrastructure that offers this email routing configuration feature can be abused by spammers.
Proofpoint Essentials customers are not affected, as configuration settings are already set that prevent unauthorized relay abuse.
This issue did not expose any Proofpoint customer data, and no customer experienced any data loss as a result.
We are sharing what we know about these campaigns to help others mitigate this issue and prevent further unauthorized abuse, as it is not unique to Proofpoint.
Abusing an Outbound Email Relay Configuration to Conduct Spam Campaigns
In March 2024, Proofpoint observed spam campaigns being relayed from Microsoft 365 tenants through several Proofpoint enterprise customers’ email infrastructures, targeting users of free email providers such as Yahoo, Gmail, and GMX.…
Short Summary:
Guardio Labs has identified a significant exploit known as “EchoSpoofing” affecting Proofpoint’s email protection service. This vulnerability allowed threat actors to send millions of spoofed phishing emails, masquerading as reputable brands like Disney and IBM, while bypassing security measures such as SPF and DKIM authentication.…
On July 23, 2024, CrowdStrike Intelligence identified a malicious ZIP file containing a Python-based information stealer now tracked as Connecio. A threat actor distributed this file days after the July 19, 2024, single content update for CrowdStrike’s Falcon sensor — which impacted Windows operating systems — was identified and a fix was deployed.…
Summary: Microsoft is launching inbound SMTP DANE with DNSSEC for Exchange Online in public preview to enhance email security and integrity. This new capability aims to protect against various attacks, including man-in-the-middle and TLS-downgrade attacks, while ensuring secure email communication.
Threat Actor: Malicious Actors | malicious actors Victim: Microsoft Exchange Online Users | Microsoft Exchange Online Users
Key Point :
Inbound SMTP DANE with DNSSEC will enhance email integrity by verifying mail server identities and securing email communications.…
[This is a Guest Diary by Michael Gallant, an ISC intern as part of the SANS.edu BACS program]
Image generated by DALL-E [8]
Introduction
During my internship at the SANS Internet Storm Center, I was tasked with setting up a honeypot, an internet device intentionally vulnerable, to observe and analyze attack vectors.…
Summary: Forcepoint X-Labs has discovered a new ransomware strain called “ShadowRoot” that specifically targets Turkish businesses. The attack starts with phishing emails containing malicious PDF attachments disguised as invoices, originating from a Russian domain.
Threat Actor: ShadowRoot ransomware | ShadowRoot ransomware Victim: Turkish businesses | Turkish businesses
Key Point :
The attack begins with phishing emails containing malicious PDF attachments disguised as invoices, originating from a Russian domain.…
Summary: More than 1.5 million email servers running vulnerable versions of the Exim mail transfer agent are at risk of attacks that can deliver executable attachments to user accounts, allowing threat actors to bypass protections against malicious emails.
Threat Actor: Unknown | Unknown Victim: Email servers running vulnerable versions of the Exim mail transfer agent | Exim
Key Point :
More than 1.5 million email servers running vulnerable versions of the Exim mail transfer agent are at risk of attacks that can deliver executable attachments to user accounts.…
Summary: This content discusses a malicious NuGet campaign that uses homoglyphs and IL weaving to deceive developers.
Threat Actor: Unknown | Unknown Victim: Developers | Developers
Key Point :
A malicious NuGet campaign has been discovered that uses homoglyphs and IL weaving techniques to trick developers into installing malicious packages.…
Threat Actor: Unknown | Unknown Victim: True Line Solution India | True Line Solution India Price: Not specified Exfiltrated Data Type: Company information, SMTP details, API keys, customer information, user data
Key Points :
A database from a digital marketing company in India has allegedly been leaked on a darkweb forum.…
1. Overview
AhnLab Security Intelligence Center (ASEC) confirmed that botnets trending since 2019 have been continuously used to install NiceRAT malware. A botnet is a group of devices infected by malware and controlled by a threat actor. Because threat actors mainly launched DDoS attacks using botnets in the past, Nitol and other malware strains used in DDoS attacks were perceived as the key strains that form botnets.…
Written by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno
Individuals and organizations in Brazil face a unique cyber threat landscape because it is a complex interplay of global and local threats, posing significant risks to individuals, organizations, and critical sectors of Brazilian society.…
Affected Platforms: Microsoft Windows
Impacted Users: Windows Users
Impact: Collects sensitive information from a victim’s computer
Severity Level: Critical
A new phishing campaign was recently captured by our FortiGuard Labs that spreads a new Agent Tesla variant targeting Spanish-speaking people.
Security researchers have detected Agent Tesla campaigns from time to time for years.…
The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of May.
Executive Summary
Email-based threats increased over the past month, with most of the increase being attributed to an increase in easily detectable, low-effort spam messages.…
In so many penetration tests or assessments, the client gives you a set of subnets and says “go for it”. This all seems reasonable, until you realize that if you have a website, there might be dozens or hundreds of websites hosted there, each only accessible by their DNS name.…
Email forensics involves the examination, extraction, and analysis of email data to gather digital evidence crucial for resolving crimes and specific incidents, ensuring the integrity of the investigation process. This investigative process encompasses various aspects of emails, focusing on:
Email content, including messages and attachments.…
Threat Actor: IntelBroker | IntelBroker Victim: Europol | Europol Price: $20,000 in cryptocurrency Exfiltrated Data Type: FOUO (For Official Use Only) and other classified data, Alliance employees, files related to recon and guidelines
Additional Information :
The hacker announced the hack of Europol on the cybercrime forum Breach.…
Threat Actor: IntelBroker | IntelBroker Victim: Major Cybersecurity Company | Major Cybersecurity Company Price: $20,000 Exfiltrated Data Type: Confidential and highly critical logs, credentials, SMTP access, PAuth Pointer Auth access, SSL passkeys, SSL certificates, and additional undisclosed privileges
Additional Information:
IntelBroker is selling unauthorized access to the PAuth-SMTP of a major cybersecurity company.…
Welcome to Picus Security’s weekly cyber threat intelligence roundup! …
Summary: A new campaign conducted by the TA558 hacking group is using steganography to hide malicious code inside images and deliver various malware tools onto targeted systems.
Threat Actor: TA558 | TA558 Victim: Various sectors and countries | SteganoAmor campaign
Key Point :
The TA558 hacking group is using steganography to conceal malicious code inside images and deliver malware tools.…