Monthly IntSum - September 2023
Orpheus Cyber
Orpheus provides cyber risk ratings alongside actionable vulnerability prioritisation, all backed by threat intelligence.
We will bring you a roundup of the top weekly threat intelligence news.
Our monthly IntSum report is a compilation of the most important and relevant news stories.
Our team of cybersecurity experts are constantly monitoring the latest threats and vulnerabilities from around the world to provide you with the most up-to-date information.
4th September - 8th September: W3LL phishing kit enables compromise of Microsoft 365 accounts
A set of phishing tools known as W3LL recently facilitated the compromise of 8,000 Microsoft 365 accounts in Business Email Compromise (BEC) campaigns spanning from October 2022 to July 2023. In total, 56,000 corporate Microsoft 365 accounts were targeted.
W3LL, active since 2017, offers 16 custom tools designed for BEC attacks, primarily targeting companies in the US, UK, Australia, and Europe across various industries. These tools employ advanced techniques, including the Adversary-in-the-Middle (AitM) method, to capture authenticated session cookies for unauthorised access.
Accounts compromised by W3LL were used for various malicious activities, including data theft, fake invoice scams, professional service impersonation, CEO fraud, and malware distribution. The use of AitM techniques is becoming common in other phishing kits, reflecting a competitive market for cybercriminal tools. BEC campaigns can generate significant revenue, making them appealing to cybercriminals.
The availability of sophisticated phishing kits like W3LL, with features such as AitM, enables less skilled cybercriminals to bypass Multi-Factor Authentication (MFA) mechanisms. This, combined with the profitability of BEC operations, is expected to increase the threat of BEC campaigns to all organisations.
Therefore, it is recommended that organisations raise awareness of the latest BEC phishing techniques and implement robust conditional access controls, such as trusted device requirements, and FIDO2-compliant authentication solutions.
11th September - 15th September: Threat actors increasingly use Microsoft Teams-based chat lures to compromise victims
In recent cybersecurity developments, threat actors are increasingly using Microsoft Teams for phishing attacks. Storm-0324, a known threat group, has been using Microsoft Teams chats to distribute phishing lures and gain access to compromised systems since July 2023. They likely employ an open-source tool called TeamsPhisher to attach malicious files to messages sent to external tenants.
Storm-0324 specialises in phishing and exploit kit campaigns to gain initial access and then hands off compromised networks to other threat actors, often resulting in ransomware attacks. This trend is growing, as another campaign using Teams-based lures was reported just a week earlier. In this case, compromised Office 365 accounts sent chat messages with malicious links to SharePoint-hosted files, leading to the download of a malicious executable called DarkGate loader.
What's concerning is that Microsoft Teams' security features, such as 'Safe Attachments' and 'Safe Links', failed to detect and block these phishing lures. Additionally, this tactic reflects a broader trend of cybercriminals adopting techniques previously associated with nation-state actors. Earlier, a Russian nation-state actor (APT29) used Teams chats for highly targeted social engineering campaigns.
As a precaution, it's recommended that Microsoft Teams users restrict chat requests to specific external domains to mitigate the impact of similar social engineering campaigns.
18th September - 22nd September: China accuses the United States of decade-long intelligence collection campaign
The Chinese Ministry of State Security (MSS) has accused the United States of conducting a decade-long intelligence collection campaign against China. They allege that the US, specifically the National Security Agency (NSA), infiltrated Huawei Technologies' servers since 2009, using malware called Second Date for monitoring and injecting malicious code.
Additionally, the MSS claims that the US pressured tech companies to install backdoors for cyber espionage, mentioning X-Mode Social and Anomaly Six. These allegations echo Edward Snowden's 2013 revelations and come amid ongoing US-China tensions, where both accuse each other of espionage efforts.
China's claims aim to discredit the US and divert attention from its own cyber operations while potentially facilitating future attribution of US cyber activities. This exchange of accusations is likely to continue as part of the geopolitical rivalry.
25th September - 29th September: Ukrainian intelligence observes a change in Russian cyber capabilities and outlines trends from 2023
In recent research by the Ukrainian State Special Communications Service, it was revealed that Russian cyber groups have significantly increased their activities against Ukraine in the first half of 2023.
The number of cyber incidents targeting Ukraine doubled in this period, with at least 23 Russia-linked threat actors involved. These actors primarily targeted Ukraine's government sector for espionage and the media and entertainment sector for influence operations.
These cyber campaigns involved revisiting previous vulnerable targets, using legitimate software, and "living off the land" tactics to avoid detection. Common infection vectors included phishing, account compromises, and exploiting known vulnerabilities. Additionally, open-source mail systems were frequently exploited, and sensitive political and military data were exfiltrated.
This report follows a recent incident where Russian threat actors used phishing and lure tactics to deploy malware for remote control over Ukrainian military personnel's devices in a highly targeted campaign.
Interestingly, the research noted a decline in campaigns targeting the energy sector and a 50% reduction in critical incidents, possibly indicating a period of developing new malware and tactics.
Orpheus suggests that Russia may have adjusted its cyber approach following the leak of sensitive political and military information in the Vulkan files. These findings underscore a concerted effort by Russian threat actors to evolve tactically, aiming to weaken Ukraine's position and resistance against Russian military actions in the ongoing conflict between the two states.
We are committed to keeping you informed and helping you stay ahead of the ever-evolving cybersecurity landscape.
By subscribing to our newsletter, you'll receive monthly updates on the latest trends and threats, in-depth analysis and expert commentary. With this information at your fingertips, you can better protect yourself and your organisation from potential cyber-attacks. Subscribe here.