Tecplix ThreatTrack Insights - September

1. Phishing Campaign Exploits Mobile Users via PWAs and WebAPKs

A phishing technique targeting Android and iOS users delivers fake banking apps as Progressive Web Applications (PWAs) and, on Android, as WebAPKs, so the victim never has to allow third-party (sideloaded) app installation and sees none of the usual install warnings. Because a PWA is essentially a web page with a manifest that the browser adds to the home screen, the phishing app can carry the name and icon of a legitimate banking app and is hard to tell apart from it. iOS users are tricked into adding the fake PWA to their home screen; on Android, browser pop-ups present the phishing WebAPK as if it were being installed from the Google Play Store.

Key Takeaways:

  • The campaigns use standard phishing delivery with a twist: the payload is a PWA on both iOS and Android, or a WebAPK on Android, rather than a conventional app package.
  • Installing a PWA or WebAPK does not trigger the sideloading permission or third-party-app warnings, so users install the phishing app without realising it did not come from an app store.
  • The phishing WebAPKs on Android often masquerade as installations from the Google Play Store.
  • Analysis of the Command & Control (C&C) servers and backend infrastructure points to multiple threat actors running separate campaigns.
  • Victims are drawn in via automated voice calls, SMS messages, and malicious social media ads on platforms such as Facebook and Instagram.

Impact

This phishing technique poses a severe risk to mobile users by bypassing traditional app security measures. Victims unknowingly install fake banking applications, leading to the theft of sensitive financial information such as banking credentials. With the apps mimicking legitimate services, users may not realize their information is compromised until after the damage is done. This attack highlights a growing trend of sophisticated phishing campaigns that target mobile devices through unconventional methods, leaving users vulnerable.

Who is Affected?

  • Mobile users on both Android and iOS.
  • Customers of the banks whose apps the fake PWAs and WebAPKs imitate.
  • Individuals who follow phishing links delivered by SMS, automated voice calls, or social media advertisements.
  • Users enticed by fake app-update offers or suspicious ads, particularly on platforms such as Facebook and Instagram.

Recommendations:

  • Treat home-screen web apps as installed apps: a PWA or WebAPK never passes through app store review, so on managed devices inventory them and restrict installation through mobile device management rather than relying on store controls.
  • Educate users to recognise phishing attempts and to verify app updates and links, in particular that a banking app is never "updated" from a link in an SMS, a call, or a social media ad.
  • Deploy threat detection that covers the mobile channel, and report phishing domains and C&C servers for takedown to shut down the distribution infrastructure.
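The only thing that tells a PWA apart from the site it was installed from is its web app manifest, and nothing in that manifest stops a look-alike domain from declaring the name and icon of a real bank. The following check, added here as an illustration and not code from the original article or from the researchers who reported the campaign, fetches nothing: it takes a manifest's URL and body, resolves the origin the installed app would actually open, and flags it when a protected brand name appears under an origin the bank does not own. The brand list, domains and manifests are constructed for the example.

```python
import json
from urllib.parse import urljoin, urlparse

# Brands to protect, mapped to the origins allowed to publish a PWA under that name.
# Constructed example data; a real deployment would load this from the bank's own inventory.
PROTECTED_BRANDS = {
    "examplebank": {"https://www.examplebank.example", "https://app.examplebank.example"},
}


def _normalise(name):
    """Lower-case and strip non-alphanumerics so 'Example Bank' and 'example-bank' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def _origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def assess_manifest(manifest_url, manifest_text):
    """Return a list of findings for one web app manifest fetched from manifest_url."""
    manifest = json.loads(manifest_text)
    findings = []
    # start_url is resolved relative to the manifest's own URL, so the origin the installed
    # app will open is derived here rather than trusted from any field the attacker controls.
    start_origin = _origin(urljoin(manifest_url, manifest.get("start_url", "/")))
    names = [manifest.get("name", ""), manifest.get("short_name", "")]
    impersonated = [
        brand for brand, allowed in PROTECTED_BRANDS.items()
        if any(brand in _normalise(n) for n in names) and start_origin not in allowed
    ]
    for brand in impersonated:
        findings.append(f"uses brand '{brand}' but opens {start_origin}, which is not an allowed origin")
    if impersonated and manifest.get("display") in ("standalone", "fullscreen"):
        # In standalone mode the browser chrome is hidden, so the victim never sees the real URL.
        findings.append("standalone display hides the address bar, so the user never sees the real origin")
    return findings


# Constructed manifests: one imitating the bank from a look-alike domain, one genuine.
PHISHING_MANIFEST_URL = "https://examplebank-secure-login.example.net/manifest.json"
PHISHING_MANIFEST = json.dumps({
    "name": "ExampleBank Mobile", "short_name": "ExampleBank",
    "start_url": "/login/", "display": "standalone",
    "icons": [{"src": "/icon-512.png", "sizes": "512x512", "type": "image/png"}],
})
GENUINE_MANIFEST_URL = "https://app.examplebank.example/manifest.json"
GENUINE_MANIFEST = json.dumps({
    "name": "ExampleBank Mobile", "short_name": "ExampleBank",
    "start_url": "/", "display": "standalone",
})

if __name__ == "__main__":
    for url, text in [(PHISHING_MANIFEST_URL, PHISHING_MANIFEST), (GENUINE_MANIFEST_URL, GENUINE_MANIFEST)]:
        print(url, "->", assess_manifest(url, text) or "no findings")
```

The check is deliberately keyed on the resolved start URL, not on the manifest's `name` or `scope`, because those are the fields the phisher writes; the same routine can be run over manifests harvested from SMS and ad landing pages during brand-abuse monitoring.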

2. Unicoin Faces Security Breach: Google Workspace Account Compromised

Unicoin Inc. detected unauthorized access to its Google Workspace account, resulting in a major security breach. The attacker exploited administrative privileges to change passwords for all employees, locking them out of their accounts for four days. During this period, sensitive company data, including confidential documents stored on Google Drive, was accessed and stolen. Unicoin has since regained control and is actively investigating the incident to assess the damage and any fraudulent activities.

Key Takeaways

  • An attacker gained administrative access to Unicoin's Google Workspace tenant and changed the passwords of all employees.
  • Employees were locked out of their corporate accounts for four days, disrupting business operations.
  • Sensitive documents were accessed and stolen during the breach, creating the potential for data manipulation and fraud.
  • The company is still assessing the full extent of the data breach.

Impact

The breach exposed Unicoin to significant operational disruption and potential reputational damage. Critical business information was compromised, raising concerns over data integrity within the organisation. The incident shows how much damage a single compromised administrator account can do in a SaaS tenant: the attacker needed no vulnerability in Google Workspace itself, only admin credentials, which is why phishing-resistant Multi-Factor Authentication (MFA) on administrator accounts matters so much.

Who is Affected?

All employees with an “@unicoin.com” email address were impacted, as they were denied access to vital tools like Gmail and Google Drive. Additionally, any partners or stakeholders relying on communications or services from Unicoin may experience delays or interruptions. The breach also poses risks for the company’s clients and investors, given the nature of the stolen documents and the potential for fraud.

Recommendations:

  • Require MFA for all admin accounts. Use security keys, which are phishing-resistant, for the strongest protection.
  • Give each administrator a unique account. Never share admin accounts, so that every action is attributable and the audit trail stays meaningful.
  • Keep the number of super admin accounts to a minimum. Review super admin privileges regularly and remove any that are no longer needed.
  • Enable logging and auditing of admin activity, and alert on critical actions such as bulk password changes, MFA being disabled, or new super admins being created, so suspicious behaviour is detected and handled promptly.
  • Keep a break-glass super admin account whose credentials and security keys are stored offline, so that recovery does not depend on accounts the attacker may control.
  • Use strong, unique passwords for each admin account and never reuse them elsewhere. Rotate credentials immediately on any suspicion of compromise; routine forced rotation on a fixed schedule is no longer recommended by NIST SP 800-63B and tends to produce weaker, predictable passwords.
  • Google's full list of security best practices for administrator accounts is at https://support.google.com/a/answer/9011373?hl=en
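The signal that distinguishes this incident from normal helpdesk work is one actor resetting many users' passwords in a short window. The detection below, added as an illustration and not code from the original article or from Unicoin, runs over Google Workspace admin audit events in the shape returned by the Admin SDK Reports API (applicationName `admin`, event `CHANGE_PASSWORD` with a `USER_EMAIL` parameter, as documented for that API; treat the exact field names as an assumption to confirm against your own export). The actors, targets and timestamps are constructed for the example; in production the same function would be fed the `items` array from the API or from the logs shipped to your SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time, actor, name, target):
    """Build a minimal admin audit event in the Reports API layout (assumed field names)."""
    return {"id": {"time": time}, "actor": {"email": actor},
            "events": [{"type": "USER_SETTINGS", "name": name,
                        "parameters": [{"name": "USER_EMAIL", "value": target}]}]}


# Constructed events: one admin resets five accounts in under four minutes at 02:12 UTC,
# while the helpdesk performs two ordinary, widely spaced changes during the day.
SAMPLE_EVENTS = [
    _event("2024-08-09T02:12:05.000Z", "it-admin@example.com", "CHANGE_PASSWORD", "alice@example.com"),
    _event("2024-08-09T02:12:41.000Z", "it-admin@example.com", "CHANGE_PASSWORD", "bob@example.com"),
    _event("2024-08-09T02:13:20.000Z", "it-admin@example.com", "CHANGE_PASSWORD", "carol@example.com"),
    _event("2024-08-09T02:14:02.000Z", "it-admin@example.com", "CHANGE_PASSWORD", "dave@example.com"),
    _event("2024-08-09T02:15:30.000Z", "it-admin@example.com", "CHANGE_PASSWORD", "erin@example.com"),
    _event("2024-08-09T09:00:00.000Z", "helpdesk@example.com", "CHANGE_PASSWORD", "frank@example.com"),
    _event("2024-08-09T09:30:00.000Z", "helpdesk@example.com", "CREATE_USER", "grace@example.com"),
    _event("2024-08-09T15:00:00.000Z", "helpdesk@example.com", "CHANGE_PASSWORD", "heidi@example.com"),
]


def detect_mass_password_changes(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per actor who changed the passwords of >= threshold distinct users
    within any sliding window of the given length."""
    per_actor = defaultdict(list)
    for ev in events:
        when = datetime.strptime(ev["id"]["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        for sub in ev.get("events", []):
            if sub.get("name") != "CHANGE_PASSWORD":
                continue
            target = next((p["value"] for p in sub.get("parameters", [])
                           if p.get("name") == "USER_EMAIL"), None)
            if target:
                per_actor[ev["actor"]["email"]].append((when, target))

    alerts = []
    for actor, changes in per_actor.items():
        changes.sort()
        best = None
        # Slide a window starting at each change and count distinct targets inside it.
        for i, (start, _) in enumerate(changes):
            targets = {t for when, t in changes[i:] if when - start <= window}
            if len(targets) >= threshold and (best is None or len(targets) > best["distinct_targets"]):
                best = {"actor": actor, "distinct_targets": len(targets),
                        "window_start": start.isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_password_changes(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']} reset {alert['distinct_targets']} passwords from {alert['window_start']}")
```

The threshold and window should be tuned to the tenant's normal helpdesk volume; a mass reset by a legitimate administrator during incident response will also fire, which is the desired behaviour, since that action should be announced in advance.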

3. Phishing Email Analysis: A Comprehensive Guide to Detect Phishing Attempts

Imagine receiving an urgent email from your bank, alerting you to a suspicious transaction on your account and prompting you to click a link to resolve the issue immediately. Or picture receiving a seemingly innocent message from a trusted colleague asking for confidential information. These scenarios are common examples of a dangerous cyber threat that plagues the digital world—phishing.

Phishing is a malicious technique employed by cybercriminals to deceive individuals into divulging sensitive and personal information, such as passwords, credit card numbers, or social security numbers. Typically, it involves impersonating trusted entities or individuals through fake emails, websites, messages (smishing), or calls (vishing) that appear legitimate at first glance. The ultimate goal of phishing is to trick the recipient into compromising their security and privacy, making it a potent weapon in the arsenal of online fraudsters.

Phishing has evolved significantly over the years. It has progressed from simple, poorly written emails carrying a malicious link or attachment to sophisticated phishing kits sold on the dark web. Current techniques include conversation hijacking, phishing emails with embedded QR codes, and CAPTCHA gates in front of the phishing page that keep automated scanners from reaching it. Phishing also frequently serves as the initial access vector in high-profile breaches and compromises.

In this three-part phishing email analysis series, we will explore effective ways to analyze phishing emails...

4. Bling Libra Shifts to Cloud Extortion: AWS Exploitation

The Bling Libra threat group, the actor behind ShinyHunters, has shifted from selling stolen data to extorting the victims it steals from. In a recent engagement handled by Unit 42, the group used valid AWS credentials that had been exposed in a public repository to access an organisation's Amazon Web Services (AWS) environment. Although the limited permissions attached to those credentials restricted the scope of the breach, the attackers were still able to conduct reconnaissance and, using off-the-shelf desktop clients such as S3 Browser (a third-party tool, not an AWS product) and WinSCP, enumerate buckets and delete S3 objects.

Key Takeaways

  • Credential Exploitation: The attackers entered the cloud environment with exposed long-lived IAM user access keys; no vulnerability was needed.
  • Reconnaissance and Data Manipulation: Bling Libra used common desktop tools such as S3 Browser and WinSCP to list, read, and delete S3 objects.
  • Cloud Misconfigurations: Overly permissive IAM policies remain a significant security gap and determine how much damage a leaked key can do.
  • Security Measures: Proactive controls, including IAM Access Analyzer and Service Control Policies (SCPs) in AWS Organizations, can block unauthorised actions before a leaked credential is abused.
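What limited this breach was the policy attached to the leaked key. The linter below, added as an illustration and not code from the original article or from Unit 42, reads an IAM identity policy and reports every Allow statement that grants dangerous S3 actions on all resources, so that a policy such as the AWS-managed AmazonS3FullAccess (whose statement is reproduced here) is caught before it is attached to a CI user. The list of "sensitive" actions and the scoped policy are constructed for the example; IAM Access Analyzer performs a far more complete version of this analysis and should be the primary control.

```python
import fnmatch
import json

# S3 actions that let a principal enumerate, read, destroy or expose data. Constructed for
# this check; extend it to match the data your buckets hold.
SENSITIVE_S3_ACTIONS = [
    "s3:ListAllMyBuckets", "s3:GetObject", "s3:DeleteObject",
    "s3:DeleteBucket", "s3:PutBucketPolicy", "s3:PutBucketAcl",
]
ALL_S3_RESOURCES = {"*", "arn:aws:s3:::*"}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action wildcards ('s3:*', 's3:Get*') are case-insensitive glob patterns.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def overly_permissive_statements(policy_json):
    """Return the Allow statements that grant sensitive S3 actions on every resource."""
    policy = json.loads(policy_json)
    findings = []
    for idx, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue  # Deny statements and NotAction grants need separate handling
        granted = [a for a in SENSITIVE_S3_ACTIONS if _matches(a, _as_list(st["Action"]))]
        # Identity policies must carry Resource or NotResource; a missing Resource is treated as '*'.
        everything = any(r in ALL_S3_RESOURCES for r in _as_list(st.get("Resource", "*")))
        if granted and everything:
            findings.append({
                "statement": st.get("Sid", f"#{idx}"),
                "actions": granted,
                # A Condition may narrow the grant (e.g. to a VPC); it still needs human review.
                "conditioned": "Condition" in st,
            })
    return findings


# The statement body of the AWS-managed AmazonS3FullAccess policy.
FULL_ACCESS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}],
})

# Constructed least-privilege alternative for a deploy user that only needs one bucket.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListUploads", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::app-uploads"},
        {"Sid": "ReadWriteUploads", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
    ],
})

if __name__ == "__main__":
    for label, doc in (("AmazonS3FullAccess", FULL_ACCESS_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, "->", overly_permissive_statements(doc) or "no findings")
```

Run it as a pre-merge check on Terraform or CloudFormation output, or over `aws iam get-policy-version` exports, to catch `s3:*` on `*` before a key with that policy ever lands in a repository.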

Impact

While the permissions attached to the compromised credentials limited the damage to the affected S3 buckets, the incident underscores the growing risk posed by misconfigured cloud environments. Without strong access controls, a threat actor holding a leaked key could escalate privileges, establish persistence, or create malicious resources. Cloud misconfigurations such as overly permissive access continue to be exploited by groups like Bling Libra, endangering sensitive data and operational integrity.

Who is Affected?

Organizations using AWS cloud services, especially those with inadequate permissions management or exposed credentials, are at heightened risk. As cloud adoption increases, businesses must adopt rigorous access control policies and continually monitor cloud environments to mitigate evolving threats like those posed by Bling Libra.

Recommendations:

  • Grant IAM users and roles only the permissions they need. Avoid broad managed policies such as AmazonS3FullAccess, which allows every S3 action on every bucket.
  • Continuously monitor AWS CloudTrail for suspicious activity, especially around S3. Note that object-level operations (GetObject, PutObject, DeleteObject) are S3 data events and are not recorded unless data event logging is enabled for the trail; without it, deletions like the ones in this case leave no trace.
  • Enable MFA for all AWS accounts and ensure that IAM users, particularly those with sensitive access, use MFA to prevent unauthorised use of credentials.
  • Set appropriate S3 bucket policies, block public access to critical buckets, and encrypt sensitive data stored in S3.
  • Prefer IAM roles and short-lived credentials over long-lived IAM user access keys; where access keys are unavoidable, rotate them regularly, store them only in a secrets manager, and scan repositories for leaked keys.
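The sequence Unit 42 describes, reconnaissance with a desktop S3 client followed by deletions from the same key, is visible in CloudTrail once S3 data events are enabled. The triage routine below, added here as an illustration and not code from the original article or from Unit 42, groups S3 records by access key, remembers whether that key has performed enumeration calls, and flags any destructive call that follows from outside the corporate address space or from a third-party client. The records, addresses, bucket names and user-agent strings are constructed for the example (the access keys are AWS's documented example keys, the IPs are RFC 5737 test addresses); the substrings used to recognise S3 Browser and WinSCP are assumptions about how those tools identify themselves and should be checked against real records.

```python
import ipaddress
from collections import defaultdict

# S3 calls an intruder uses to map an account, and the calls that destroy or expose data.
RECON = {"ListBuckets", "GetBucketAcl", "GetBucketPolicy", "GetBucketLocation",
         "ListObjects", "ListObjectsV2", "ListObjectVersions"}
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "DeleteBucket", "PutBucketPolicy", "PutBucketAcl"}
# Desktop clients named in the Unit 42 report; the substrings are assumed, verify against real logs.
THIRD_PARTY_CLIENTS = ("S3 Browser", "WinSCP")


def _record(time, name, key, user, ip, agent, bucket=None):
    """Build a minimal CloudTrail S3 record (field names follow the CloudTrail record format)."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key, "userName": user},
            "requestParameters": {"bucketName": bucket} if bucket else {}}


S3B = "S3 Browser/11.6.7 (https://s3browser.com)"   # constructed user-agent string
# Constructed trail: a leaked key enumerates and then deletes from an external address,
# while the organisation's own deploy key does routine work from an internal address.
SAMPLE_TRAIL = [
    _record("2024-08-20T14:02:11Z", "ListBuckets", "AKIAIOSFODNN7EXAMPLE", "ci-deploy", "203.0.113.45", S3B),
    _record("2024-08-20T14:02:40Z", "GetBucketAcl", "AKIAIOSFODNN7EXAMPLE", "ci-deploy", "203.0.113.45", S3B, "acme-customer-exports"),
    _record("2024-08-20T14:03:05Z", "ListObjectsV2", "AKIAIOSFODNN7EXAMPLE", "ci-deploy", "203.0.113.45", S3B, "acme-customer-exports"),
    _record("2024-08-20T14:09:52Z", "DeleteObject", "AKIAIOSFODNN7EXAMPLE", "ci-deploy", "203.0.113.45", "WinSCP/6.3.4", "acme-customer-exports"),
    _record("2024-08-20T14:09:53Z", "DeleteObject", "AKIAIOSFODNN7EXAMPLE", "ci-deploy", "203.0.113.45", "WinSCP/6.3.4", "acme-customer-exports"),
    _record("2024-08-20T14:15:00Z", "PutObject", "AKIAI44QH8DHBEXAMPLE", "ci-deploy", "10.20.30.40", "aws-cli/2.15.0", "acme-build-artifacts"),
    _record("2024-08-20T14:16:00Z", "DeleteObject", "AKIAI44QH8DHBEXAMPLE", "ci-deploy", "10.20.30.40", "aws-cli/2.15.0", "acme-build-artifacts"),
]


def _is_external(source, networks):
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # AWS writes service names (e.g. "s3.amazonaws.com") for internal calls
    return not any(addr in net for net in networks)


def triage_s3_activity(records, corporate_cidrs=("10.0.0.0/8",)):
    """Return findings for destructive S3 calls that follow reconnaissance by the same key
    and come from an external address or a third-party desktop client."""
    networks = [ipaddress.ip_network(c) for c in corporate_cidrs]
    by_key = defaultdict(list)
    for r in records:
        if r.get("eventSource") == "s3.amazonaws.com":
            by_key[r.get("userIdentity", {}).get("accessKeyId", "unknown")].append(r)

    findings = []
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["eventTime"])  # fixed-width ISO 8601 'Z' timestamps sort in time order
        recon_seen = False
        for r in recs:
            external = _is_external(r["sourceIPAddress"], networks)
            agent = r.get("userAgent", "")
            third_party = any(c.lower() in agent.lower() for c in THIRD_PARTY_CLIENTS)
            if r["eventName"] in RECON:
                recon_seen = True
            elif r["eventName"] in DESTRUCTIVE and recon_seen and (external or third_party):
                reasons = ["recon-then-destroy"]
                if external:
                    reasons.append(f"external ip {r['sourceIPAddress']}")
                if third_party:
                    reasons.append(f"client '{agent}'")
                findings.append({"accessKeyId": key, "user": r["userIdentity"].get("userName"),
                                 "event": r["eventName"], "time": r["eventTime"],
                                 "bucket": r.get("requestParameters", {}).get("bucketName"),
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_s3_activity(SAMPLE_TRAIL):
        print(f"{f['time']} {f['accessKeyId']} {f['event']} on {f['bucket']}: {', '.join(f['reasons'])}")
```

The routine keys on the access key rather than the user name on purpose: a leaked key and the legitimate key of the same IAM user show up as different principals, which is exactly the distinction an analyst needs when deciding which key to disable.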


In Crisis?

If you suspect a compromise or face a critical security issue, contact us for rapid, expert assistance. Your security and business continuity are our top priority.

Get in touch with our security team by filling out this form or call at +91 6366 600 700.

