Researchers at Menlo Security have identified three credential-phishing campaigns, attributed to state-sponsored actors, that reached roughly 40,000 corporate users, including senior executives, over a three-month period. The researchers single out the campaigns for their sophistication and their ability to evade detection.
The campaigns, named LegalQloud, Eqooqp, and Boomer, rely on highly evasive and adaptive threat (HEAT) techniques that defeat controls such as multifactor authentication (MFA) and URL filtering. Because the initial compromise happens inside the user's browser, the attacks sidestep network-layer defenses and cloud security services that inspect traffic rather than page behavior. The report treats this shift as a significant challenge for defenders and urges security teams to update their controls accordingly.
The primary goal of all three campaigns is credential theft, and the evidence points to Chinese state-sponsored actors, who have been conducting aggressive cyber espionage against US government bodies and private enterprises, threatening national security and intellectual property. Attribution remains tentative, however: neither the specific group behind the campaigns nor the sponsoring nation has been conclusively identified.
The campaigns have targeted more than 3,000 unique domains across a range of industries and government institutions. Their tradecraft includes MFA bypass, off-the-shelf phishing kits, and adversary-in-the-middle (AitM) proxies that relay the victim's login to the real service and capture the resulting session, giving the attacker control of an authenticated session without needing the password or MFA factor again. The lures impersonate well-known entities such as Microsoft, and the phishing links are generated dynamically, so signature- and reputation-based URL filters rarely have a chance to block them.
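The telltale sign of an AitM session takeover in identity-provider logs is a session that completes MFA from one client (the attacker's proxy) and is then used from a different IP address and user agent a short time later. The following detector is an added example, not code from the Menlo Security report or from any of the campaigns; the sign-in log format, its field names (`session_id`, `ua`, `event`, `mfa`) and the sample records are constructed for illustration and only loosely model real cloud identity-provider telemetry.

```python
"""
Flag candidate adversary-in-the-middle (AitM) session replays in sign-in logs.

Added example; not from the Menlo Security report. The JSON-lines format and
the field names below are assumptions modelled loosely on cloud identity
provider sign-in events, and the records are constructed test data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Session s-1001 shows
# the AitM pattern: MFA completes from one IP/browser, then the same session
# is used minutes later from another IP with a scripted user agent.
# Session s-3003 is a benign IP change many hours later with the same browser.
SAMPLE_LOG = """
{"ts": "2024-06-10T09:02:11Z", "user": "cfo@example.com", "session_id": "s-1001", "ip": "203.0.113.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125", "event": "interactive_signin", "mfa": true}
{"ts": "2024-06-10T09:02:40Z", "user": "cfo@example.com", "session_id": "s-1001", "ip": "203.0.113.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125", "event": "token_use", "mfa": false}
{"ts": "2024-06-10T09:09:05Z", "user": "cfo@example.com", "session_id": "s-1001", "ip": "198.51.100.23", "ua": "python-requests/2.31", "event": "token_use", "mfa": false}
{"ts": "2024-06-10T10:15:00Z", "user": "alice@example.com", "session_id": "s-2002", "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "event": "interactive_signin", "mfa": true}
{"ts": "2024-06-10T10:40:12Z", "user": "alice@example.com", "session_id": "s-2002", "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "event": "token_use", "mfa": false}
{"ts": "2024-06-11T08:00:00Z", "user": "bob@example.com", "session_id": "s-3003", "ip": "192.0.2.90", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/125", "event": "interactive_signin", "mfa": true}
{"ts": "2024-06-11T18:30:00Z", "user": "bob@example.com", "session_id": "s-3003", "ip": "192.0.2.91", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/125", "event": "token_use", "mfa": false}
"""

REPLAY_WINDOW = timedelta(hours=1)  # assumed tuning value; adjust to your tenant


def parse_log(text):
    """Parse JSON-lines sign-in events, converting timestamps to datetime."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_aitm_candidates(events, window=REPLAY_WINDOW):
    """
    For each session, take the MFA-completed interactive sign-in as the anchor.
    Any later token use from a different IP within `window` is suspicious;
    a different user agent as well raises the severity, because a replayed
    cookie is typically driven from the attacker's own tooling, not the
    browser that passed the MFA challenge.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        anchor = next(
            (e for e in evs if e["event"] == "interactive_signin" and e["mfa"]), None
        )
        if anchor is None:
            continue  # no MFA sign-in to compare against
        for e in evs:
            if e is anchor or e["event"] != "token_use":
                continue
            if e["ip"] == anchor["ip"] or e["ts"] - anchor["ts"] > window:
                continue  # same client, or too late to look like a replay
            findings.append({
                "session_id": sid,
                "user": e["user"],
                "mfa_ip": anchor["ip"],
                "replay_ip": e["ip"],
                "delta_seconds": int((e["ts"] - anchor["ts"]).total_seconds()),
                "severity": "high" if e["ua"] != anchor["ua"] else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_aitm_candidates(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['user']} session {f['session_id']}: MFA from "
              f"{f['mfa_ip']}, reused from {f['replay_ip']} after {f['delta_seconds']}s")
```

The one-hour window is what keeps Bob's evening sign-in from the next address down the block out of the findings; in practice the replay window, an ASN or geolocation comparison, and a hosting-provider IP list would all be tuned to the tenant, and a hit should be followed by revoking the session and the refresh tokens, not just the password.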
Each campaign has its own targets and tactics, but all three aim to harvest corporate credentials, primarily for espionage. LegalQloud impersonates law firms to steal Microsoft credentials; Eqooqp runs AitM attacks against government and private-sector organizations; and Boomer uses additional evasion techniques against government and healthcare targets.
The growing sophistication of these attacks means defenders have to keep revising their controls rather than relying on a fixed set of filters. AitM attacks deserve particular attention: because the proxy relays the victim's genuine MFA response and captures the resulting session cookie, they defeat MFA based on one-time codes or push approvals, and the victim sees the real login page rendered through the proxy, so awareness training alone is a weak control against them. Phishing-resistant methods such as FIDO2/WebAuthn, which bind the credential to the legitimate origin, close that gap. Security awareness and phishing training remain worthwhile, but as a complement to such controls, not a substitute.
Experts recommend a zero-trust model that is revised as technology and the threat landscape change, with continuous refinement of policies and controls rather than a one-time deployment. Organizations that treat security this way, and back it with robust, phishing-resistant defenses, are better placed to withstand state-sponsored campaigns of this kind.

