Popular service providers continue to give threat actors ample opportunities to get into the systems of unprepared users and organizations.
This week’s newsletter will cover:
- Phishing against Office 365 users
- Risks of hacks into systems of video conferencing participants
- Attacks employing a new backdoor
Phishing against Office 365 users
Security researchers have detected an Office 365 credential-harvesting campaign that lures unsuspecting users with a fake VPN configuration notification, supposedly sent by the IT support of the recipient's company. The sender addresses spoof the domain of each target's organization. The landing page is a cloned Office 365 login page hosted on a Microsoft-owned domain, which lends it a sense of legitimacy: Azure-hosted applications automatically receive the browser padlock thanks to the *.web.core.windows.net wildcard SSL certificate, so such pages can trick even the most suspicious users.
Recommendation: Set up custom Office 365 rules to automatically block login pages that are not hosted by Microsoft on the microsoft.com, live.com, or outlook.com domains. If setting up block rules is not an option, educate employees on how to check whether they are logging in through their company-affiliated web page.
Risks of hacks into systems of video conferencing participants
Researchers have discovered two critical security flaws, now patched, in the Zoom conferencing program that could be exploited with little or no interaction from the target once specially crafted chat messages had been delivered. In both instances, Zoom had failed to implement validation checks.
- The first vulnerability allows an attacker to place a malicious image into a Zoom-specific folder on the target system by abusing the way Zoom handles third-party animated GIFs that users exchange while chatting. In addition, the application could be tricked into saving malicious files disguised as GIFs into folders such as “Startup”, which malware commonly uses to maintain a foothold across system reboots.
- The second vulnerability exploits Zoom’s automatic zip file extraction feature, allowing an adversary to plant malicious code on targeted computers, including in directories outside the ones Zoom intended.
Recommendation: Upgrade Zoom to the latest 5.X version.
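The missing validation check behind the second Zoom flaw is a path containment test on archive entries. As an added example that is not Zoom's code or part of the original newsletter, the Python extractor below accepts an entry only if its resolved path stays inside the destination directory; it also rejects absolute entry names, going beyond the relative-path case described above. The archive and its entry names are constructed inline for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry and two that try to
    escape the extraction directory (relative traversal and absolute path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chat/sticker.gif", b"GIF89a")             # legitimate
        zf.writestr("../../Startup/update.exe", b"MZ")         # ../ traversal
        zf.writestr("/etc/cron.d/job", b"* * * * * root ...")  # absolute path
    return buf.getvalue()


def is_contained(dest_dir: str, member_name: str) -> bool:
    """True only if member_name, joined to dest_dir, still resolves inside it.
    realpath() collapses '..' segments and follows symlinks; an absolute
    member name makes os.path.join discard dest_dir, so it fails the check too."""
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(data: bytes, dest_dir: str) -> dict:
    """Extract only the entries that stay inside dest_dir; list the rest."""
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_contained(dest_dir, info.filename):
                result["rejected"].append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest_dir, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            result["extracted"].append(info.filename)
    return result


def demo() -> dict:
    """Run the check against the constructed archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), os.path.join(tmp, "zoom_data"))
```

Note that zipfile's own extract()/extractall() sanitize entry names, but any code that reads members with open() and writes them itself, as above, must perform this check explicitly.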
Attacks employing a new backdoor
Cyber experts have linked a new backdoor to the Trickbot malware, the two being used together to compromise a target network. The attack chain starts with an email posing as an employee termination notice, a customer complaint or another lure to trick recipients into downloading a Google-hosted document. Using hidden code and a malware loader, the document establishes a connection to the command-and-control infrastructure to fetch the “BazarBackdoor”.
Recommendation: Educate employees on the risks of malicious emails using phishing simulators. Have an incident response plan in place to remediate successful phishing attacks, and test it regularly.
As always – be vigilant, stay alert, think twice.
AMATAS will continue to monitor this space and deliver salient information regularly. Stay tuned for our next cyber report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing firstname.lastname@example.org.
Amatas, Tripwire, Abnormal Security, The Hacker News, Security Intelligence, Panda Security, Bleeping Computer, Cisco Talos, Creative Commons