Kimsuky is a North Korean APT group focused on intelligence collection, particularly targeting South Korean entities, as well as the U.S. and Europe. Active since at least 2012, Kimsuky employs phishing tactics to infiltrate university networks and steal sensitive information. Recent advisories from the NSA and FBI highlight their use of social engineering and misconfigured DMARC records to facilitate their operations.…
Tag: SMTP
Summary: A surge in SnakeKeylogger infections targeting Windows users has been reported, with the malware capable of stealing credentials, taking screenshots, and exfiltrating sensitive data. Fortinet’s FortiGuard Labs has identified this keylogger as a significant threat, particularly noting its sophisticated methods of evasion and data collection.…
Short Summary: AhnLab Security Intelligence Center has reported the distribution of SnakeKeylogger malware via phishing emails. This Infostealer malware, developed in .NET, exfiltrates sensitive data through various channels, including email and FTP. Key Points: SnakeKeylogger is an Infostealer type of malware. It is distributed via phishing emails with executable attachments.…
Cisco Talos is monitoring multiple malware campaigns utilizing NetSupport RAT for persistent infections. These campaigns employ obfuscation and updates to evade detection. The article discusses how Snort can be leveraged for detecting these evasive malware threats, detailing the stages of the attack and the methodologies for detection.…
Summary: Recent vulnerabilities in hosted outbound SMTP servers allow authenticated users to spoof sender information, undermining email security protocols like SPF, DKIM, and DMARC. This exploitation poses significant risks of email impersonation, potentially damaging the reputation and finances of affected organizations.
Threat Actor: Authenticated attackers
Victim: Organizations using hosted email services
Key Point:
Vulnerabilities CVE-2024-7208 and CVE-2024-7209 allow spoofing of sender identities in shared hosting environments.…
Summary: ESET Research identified multiple phishing campaigns targeting small and medium-sized businesses in Poland during May 2024, utilizing ModiLoader to distribute various malware families. The campaigns exploited compromised email accounts and company servers to deliver malware, including Rescoms, Agent Tesla, and Formbook, primarily aimed at credential theft and network access.…
Summary: Guardio Labs has identified a critical exploit in Proofpoint’s email protection service, allowing threat actors to send millions of spoofed phishing emails that appear to come from reputable brands. This technique, termed “EchoSpoofing,” bypasses major security measures, posing significant risks to recipients and highlighting vulnerabilities in email protocols.…
Short Summary: ESET Research identified multiple phishing campaigns targeting small and medium-sized businesses in Poland during May 2024, utilizing ModiLoader to distribute various malware families, including Rescoms, Agent Tesla, and Formbook. The campaigns leveraged compromised email accounts to enhance credibility and facilitate data exfiltration.
Key Points:
ESET detected nine notable ModiLoader phishing campaigns in May 2024 across Poland, Romania, and Italy.…
Short Summary: The article discusses a significant phishing campaign named “EchoSpoofing,” which exploits Proofpoint’s email protection service to send millions of perfectly spoofed emails from well-known brands like Disney, IBM, and Coca-Cola. The campaign leverages authenticated SPF and DKIM signatures to bypass security measures, aiming to deceive recipients into revealing sensitive information.…
Key Findings
In March, Proofpoint researchers identified spam campaigns being relayed through a small number of Proofpoint customers’ email infrastructure by sending spam from Microsoft 365 tenants.
All analyses indicate this activity was conducted by one spam actor, whose activity we do not attribute to a known entity.
The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow.
To resolve the issue, Proofpoint implemented a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default.
Any email infrastructure that offers this email routing configuration feature can be abused by spammers.
Proofpoint Essentials customers are not affected, as configuration settings are already set that prevent unauthorized relay abuse.
This issue did not expose any Proofpoint customer data, and no customer experienced any data loss as a result.
We are sharing what we know about these campaigns to help others mitigate this issue and prevent further unauthorized abuse, as it is not unique to Proofpoint.
Abusing an Outbound Email Relay Configuration to Conduct Spam Campaigns
In March 2024, Proofpoint observed spam campaigns being relayed from Microsoft 365 tenants through several Proofpoint enterprise customers’ email infrastructures, targeting users of free email providers such as Yahoo, Gmail, and GMX.…
Short Summary: Guardio Labs has identified a significant exploit known as “EchoSpoofing” affecting Proofpoint’s email protection service. This vulnerability allowed threat actors to send millions of spoofed phishing emails, masquerading as reputable brands like Disney and IBM, while bypassing security measures such as SPF and DKIM authentication.…
On July 23, 2024, CrowdStrike Intelligence identified a malicious ZIP file containing a Python-based information stealer now tracked as Connecio. A threat actor distributed this file days after the July 19, 2024, single content update for CrowdStrike’s Falcon sensor — which impacted Windows operating systems — was identified and a fix was deployed.…
Summary: Microsoft is launching inbound SMTP DANE with DNSSEC for Exchange Online in public preview to enhance email security and integrity. This new capability aims to protect against various attacks, including man-in-the-middle and TLS-downgrade attacks, while ensuring secure email communication.
Threat Actor: Malicious actors
Victim: Microsoft Exchange Online users
Key Point:
Inbound SMTP DANE with DNSSEC will enhance email integrity by verifying mail server identities and securing email communications.…
[This is a Guest Diary by Michael Gallant, an ISC intern as part of the SANS.edu BACS program]
Image generated by DALL-E [8]
Introduction
During my internship at the SANS Internet Storm Center, I was tasked with setting up a honeypot, an internet device intentionally vulnerable, to observe and analyze attack vectors.…
Summary: Forcepoint X-Labs has discovered a new ransomware strain called “ShadowRoot” that specifically targets Turkish businesses. The attack starts with phishing emails containing malicious PDF attachments disguised as invoices, originating from a Russian domain.
Threat Actor: ShadowRoot ransomware
Victim: Turkish businesses
Key Point:
The attack begins with phishing emails containing malicious PDF attachments disguised as invoices, originating from a Russian domain.…
Summary: More than 1.5 million email servers running vulnerable versions of the Exim mail transfer agent are at risk of attacks that can deliver executable attachments to user accounts, allowing threat actors to bypass protections against malicious emails.
Threat Actor: Unknown
Victim: Email servers running vulnerable versions of the Exim mail transfer agent
Key Point:
More than 1.5 million email servers running vulnerable versions of the Exim mail transfer agent are at risk of attacks that can deliver executable attachments to user accounts.…
Summary: This content discusses a malicious NuGet campaign that uses homoglyphs and IL weaving to deceive developers.
Threat Actor: Unknown
Victim: Developers
Key Point:
A malicious NuGet campaign has been discovered that uses homoglyphs and IL weaving techniques to trick developers into installing malicious packages.…
Threat Actor: Unknown
Victim: True Line Solution India
Price: Not specified
Exfiltrated Data Type: Company information, SMTP details, API keys, customer information, user data
Key Points:
A database from a digital marketing company in India has allegedly been leaked on a darkweb forum.…
1. Overview
AhnLab Security Intelligence Center (ASEC) confirmed that botnets trending since 2019 have been continuously used to install NiceRAT malware. A botnet is a group of devices infected by malware and controlled by a threat actor. Because threat actors mainly launched DDoS attacks using botnets in the past, Nitol and other malware strains used in DDoS attacks were perceived as the key strains that form botnets.…
Written by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno
Individuals and organizations in Brazil face a unique cyber threat landscape shaped by a complex interplay of global and local threats, posing significant risks to individuals, organizations, and critical sectors of Brazilian society.…