CWN #16 - 2023 Week 48
Solutions for phishing resistant MFA and SMBs being easily compromised
How to battle against modern phishing?
A very good reference blog post from Bleekseeks about implementing better protection against phishing attacks.
Modern phishing often bypasses MFA (thanks to tools like evilginx) through session reuse. We need phishing-resistant MFA, such as FIDO2 hardware security keys or PKI-based authentication. If that is not possible, at least implement/enable number matching in your MFA!
With phishing-resistant MFA, when a malicious website tries to impersonate a real one, the relying party is different, so the hardware key does not respond to the challenge and the phishing attempt is blocked.
This kind of MFA must not be the only protection for your users; it must be layered with the usual measures:
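As an added illustration (not code from the Bleekseeks post), here is a simplified relying-party check of a FIDO2/WebAuthn assertion that shows why a challenge relayed through a phishing site fails: the browser writes the origin it actually sees into clientDataJSON and the key binds the hash of the rpId into authenticatorData, and both are covered by the signature. The signature is simulated with HMAC instead of ECDSA so the script needs only the standard library, and example.com, login.example.com and the phishing origin are constructed values.

```python
import hashlib
import hmac
import json

# Constructed, simplified model of the relying-party (server) side of a WebAuthn
# assertion check. The authenticator signature is simulated with HMAC instead of
# ECDSA so it runs on the standard library alone; the origin / rpIdHash checks
# are the ones that make the login phishing-resistant.
RP_ID = "example.com"                     # assumed relying party ID
RP_ORIGIN = "https://login.example.com"   # assumed legitimate origin
CRED_SECRET = b"constructed-credential-secret"  # stands in for the key pair

def authenticator_sign(rp_id: str, client_data: bytes) -> dict:
    """Browser + security key side: the browser records the origin it really
    sees in clientDataJSON; the key binds sha256(rpId) into authenticatorData
    and signs authenticatorData || sha256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_SECRET, signed, "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Server side: reject anything not bound to our origin, rpId and challenge."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:          # an AiTM proxy shows a different origin
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(CRED_SECRET, signed, "sha256").digest(),
                               assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def login_attempt(origin_seen_by_browser: str, rp_id_used: str) -> tuple[bool, str]:
    """Run one full challenge/response with a fixed challenge for reproducibility."""
    challenge = bytes(range(16))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin_seen_by_browser}).encode()
    return verify_assertion(authenticator_sign(rp_id_used, client_data), challenge)
```

Calling login_attempt with the legitimate origin and rpId returns (True, "ok"); relaying the same challenge from a look-alike origin is rejected at the origin check before the signature is even considered.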
- Train users
- Block suspicious emails AND websites
- Implement a zero trust approach
📰 https://bleekseeks.com/blog/how-to-protect-against-modern-phishing-attacks
📘 CISA guide for Phishing-Resistant MFA https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
📘 CISA guide for Number matching MFA https://www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf
Threat report for SMBs
A good report from Huntress analysing the threats they encounter across the SMBs they manage.
The report provides interesting details but mostly highlights 3 key findings:
- Attackers are exploiting legitimate tools and frameworks more than 50% of the time
- Remote Monitoring and Management tools are prioritized to maintain post-intrusion access
- Ransomware often comes from strains thought to be extinct
This focus on SMBs paints a slightly different picture (especially the third finding) from the compromise reports we often read about big companies targeted by APTs with 0-days and fancy tools. SMBs are being hit drive-by style by large numbers of low-skill attackers (see below, NoEscape).
🧠 https://www.huntress.com/resources/report/smb-threat-report
NCC dives into NoEscape, a Ransomware-as-a-Service
NCC Group's Cyber Incident Response Team (CIRT) was recently involved in an incident where the NoEscape group was encountered.
NCC believes this new group (potentially a spinoff of Avaddon) is financially motivated and opportunistic, as their victims seem to share no specific criteria. They employ a double extortion method and even offer an "option" for their affiliates to DoS/spam their victims.
The group targets exposed and vulnerable services to gain an initial foothold, and in this instance deployed webshells to maintain access. Then, surprisingly, they employed several tools to attempt to disable the antivirus and dump credentials (thus being very noisy), leading NCC to think the group is rather low-skilled. A secondary access method was still deployed. Then they made a second mistake by executing the ransomware while the data was still being exfiltrated. This happened 33 days after the initial access (compared to less than an hour between the initial compromise and webshell deployment).
📰 Go to their website for all the IOCs and a full MITRE ATT&CK matrix: https://research.nccgroup.com/2023/11/20/is-this-the-real-life-is-this-just-fantasy-caught-in-a-landslide-noescape-from-ncc-group/
5 notable malware threats in November 2023
A few interesting samples identified by any.run last month:
- gh0strat has been using steganography to hide a DLL inside an image
- A proprietary protocol over WebSocket was identified in Tycoon, a 2FA Adversary-in-the-Middle (AiTM) and Phishing-as-a-Service (PhaaS) platform
- IPFS was abused to spread phishing
- A student developed a PoC for a crypto-ransomware (MauriCrypt) and it was incorporated by attackers into CryptGh0st
- socks5systemz, once deployed, turns systems into proxies for forwarding traffic
When possible, any.run provides CyberChef recipes to decrypt connections and files, so be sure to head to their post to find them!