While some malicious parties continue to rely on standard attack vectors, others have become more brazen in their efforts to capitalize from human and infrastructure weaknesses.



In this edition of the newsletter we will cover:

  • Phishing and vishing campaigns
  • Lateral movement from Azure to an on-prem AD
  • Abusing a Google Drive feature
  • Bypassing VISA contactless payment PINs


Phishing and vishing campaigns

Cyberexperts believe that the Lazarus threat actor group is behind a massive spear-phishing campaign that has been running since at least 2018, relying on LinkedIn lures and targeting organizations in the cryptocurrency space in the United States, the United Kingdom, Germany, Singapore, the Netherlands, Japan, and other countries.

Other researchers have come across a phishing campaign which urges victims to resolve fictitious Outlook incoming email issues by following a rogue link that impersonates an internal company system.

A group of crooks has taken the standard phishing attack a notch further, offering a voice phishing service that uses social engineering phone calls and custom phishing sites to steal VPN credentials from remote workers (primarily new joiners) at organizations in the financial, telecommunications and social media industries.


Lateral movement from Azure to an on-prem AD

Security analysts have discovered that an attacker with “Global Admin” or “Intune Administrator” access could abuse the Microsoft Endpoint Manager to run arbitrary PowerShell scripts as the SYSTEM user on on-prem Windows devices that are managed via a “Hybrid Azure AD Join”. Pivoting from an Azure Active Directory (AD) tenant into an on-prem AD domain could enable attack paths between environments that do not explicitly trust each other, or even know about each other.


Abusing a Google Drive feature

Threat actors could exploit an unpatched vulnerability in Google Drive to distribute weaponized files camouflaged as legitimate documents or images. The flaw resides in a feature of the cloud-based service that allows users to manage different file versions. The issue is believed to open doors to highly successful spear-phishing campaigns.


Bypassing VISA contactless payment PINs

Academics have found a way to bypass PIN codes for VISA contactless payments. The attack could be deployed with two Android phones, a special app called Tamarin, and a VISA contactless card, allowing criminals to make fraudulent purchases.


As always – be vigilant, stay alert, think twice.

AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.



Amatas, Cyware, F-Secure, Sophos Naked Security, Krebs On Security, The Hacker News, ZDnet, Creative Commons