Microsoft Alerts to Rising Use of File Hosting Services in Business Email Compromise Schemes

Microsoft has issued a warning about cyberattack strategies that exploit legitimate file hosting platforms like SharePoint, OneDrive, and Dropbox, commonly utilized in corporate environments as a tactic to evade defenses. These campaigns have diverse objectives, enabling threat actors to compromise identities and devices, facilitating business email compromise (BEC) incidents that lead to financial fraud, data theft, and further infiltration into networks.

The abuse of trusted internet services (LIS) is an increasingly prevalent risk factor, allowing adversaries to blend in with normal network activity, often circumventing traditional security measures and complicating threat attribution. This tactic, known as living-off-trusted-sites (LOTS), takes advantage of the inherent trust in these platforms to bypass email security protocols and deliver malware. Microsoft has noted a concerning trend in phishing attacks exploiting this strategy.

Microsoft Alerts on Increasing Use of File Hosting Services in Business Email Compromise Attacks

October 9, 2024

Microsoft has issued a warning regarding a rise in cyber attack campaigns that exploit established file hosting services such as SharePoint, OneDrive, and Dropbox. These platforms, frequently utilized in corporate settings, are being leveraged as tactics to circumvent security measures. The primary objective of these campaigns varies widely, enabling attackers to hijack identities and devices while executing Business Email Compromise (BEC) schemes. This strategy frequently culminates in financial fraud, unauthorized data access, and lateral movement across different network endpoints.

The exploitation of legitimate internet services (LIS) has emerged as a significant risk vector in the current threat landscape. Adversaries are increasingly utilizing LIS to mask their malicious activities within what appears to be normal network traffic, thus evading conventional security solutions and complicating efforts to identify the source of the attacks. This approach is often referred to as living-off-trusted-sites (LOTS), wherein attackers take advantage of the inherent trust and familiarity associated with these services to bypass email security protocols and deliver malware.

Microsoft has observed a concerning trend where phishing campaigns are being cleverly disguised using these trusted platforms. This tactic not only enhances the effectiveness of the attacks but also raises the stakes for businesses, as it reduces the likelihood of detection by traditional security mechanisms. The implications for enterprise security are grave, as successful attacks can lead to significant financial losses and long-term data integrity risks.

Enterprise environments are particularly targeted due to their reliance on these file hosting solutions for collaboration and file sharing. The sophistication of these attacks highlights the need for business owners to reassess their cybersecurity strategies. As these tactics align with various techniques outlined in the MITRE ATT&CK framework—such as initial access, persistence, and privilege escalation—companies must develop robust defenses that address the evolving landscape of threats.

It is crucial for business owners, particularly in the United States, to be aware of these developments and the specific vulnerabilities they introduce. Strengthening email security measures and enhancing employee training can mitigate risks associated with these advanced tactics. Furthermore, organizations should consider implementing more stringent monitoring processes to detect anomalies in network traffic that could signal an ongoing attack.

In conclusion, the rising trend of leveraging legitimate file hosting services for BEC attacks presents a formidable challenge to cybersecurity in the business sector. As the landscape evolves, vigilance and proactive measures will be critical in safeguarding sensitive data and maintaining the integrity of enterprise communications. Business owners are urged to stay informed and to continuously adapt their security practices in response to these emerging threats.

Source link

Related Posts

North Korean Hackers Target Developers with Fake Job Interviews to Spread Cross-Platform Malware

Oct 09, 2024
Phishing Attack / Malware

Threat actors linked to North Korea are strategically targeting tech job seekers to propagate updated versions of well-known malware, identified as BeaverTail and InvisibleFerret. This activity, classified under the cluster CL-STA-0240, is part of the “Contagious Interview” campaign revealed by Palo Alto Networks’ Unit 42 in November 2023. According to Unit 42’s new report, these hackers pose as potential employers on job search platforms, enticing software developers with invitations to participate in online interviews. During these sessions, the attackers aim to persuade victims to download and install malware. The initial stage of the infection utilizes the BeaverTail downloader and information stealer, which targets both Windows and Apple macOS systems. This malware serves as a gateway for the Python-based InvisibleFerret backdoor. Evidence suggests that this activity…

THN Cybersecurity Weekly Recap: Key Threats, Tools, and Trends (October 7 – October 13)

Posted on October 14, 2024
Category: Cybersecurity Recap

Get ready for your weekly update on the latest in cybersecurity! This week, we’re diving into everything from zero-day vulnerabilities and rogue AI to the FBI stepping into the crypto game—you won’t want to miss this! Let’s get started so we can beat the FOMO! ⚡

🔒 Threat Spotlight: GoldenJackal’s Air-Gapped Infiltration
Introducing GoldenJackal, the hacking group that’s been flying under your radar. They’ve developed a method to breach highly secure, air-gapped systems using stealthy worms distributed via infected USB drives (yes, you read that right!). ESET researchers have identified their operations targeting notable victims, including a South Asian embassy in Belarus and a European Union government entity.

🔔 Top Headlines
Mozilla has released a patch for a critical Firefox zero-day vulnerability…

China Accuses U.S. of Inventing Volt Typhoon to Distract from Its Own Hacking Activities

Oct 15, 2024
National Security / Cybersecurity

China’s National Computer Virus Emergency Response Center (CVERC) has intensified its assertions that the alleged hacking group Volt Typhoon is a U.S. invention. In collaboration with the National Engineering Laboratory for Computer Virus Prevention Technology, the agency claims that the U.S. government, intelligence agencies, and Five Eyes allies are engaged in cyber espionage against China, as well as France, Germany, Japan, and internet users worldwide. It further asserted that there is “ironclad evidence” of the U.S. conducting false flag operations to obscure its own cyberattacks, accusing it of fabricating the “so-called threat of Chinese cyber operations” and establishing a “large-scale global internet surveillance network.” The agency pointed out that the U.S. has employed supply chain attacks, implanted backdoors in internet products, and initiated “pre-positioning” strategies, entirely…

New Malware Campaign Deploys PureCrypter Loader to Distribute DarkVision RAT

October 15, 2024
Malware / Cybercrime

Cybersecurity experts have revealed a recent malware campaign utilizing the PureCrypter loader to disseminate the commodity remote access trojan (RAT) known as DarkVision RAT. Observed by Zscaler ThreatLabz in July 2024, this operation comprises multiple stages to effectively deliver the RAT payload. According to security researcher Muhammed Irfan V A, “DarkVision RAT establishes communication with its command-and-control (C2) server using a custom network protocol via sockets.” The RAT boasts a variety of commands and plugins for enhanced functionality, including keylogging, remote access, password theft, audio recording, and screen capture. PureCrypter, initially disclosed in 2022, is a commercially available malware loader that enables users to distribute information stealers, RATs, and ransomware on a subscription basis. The method of initial access for deploying PureCrypter remains under investigation.