A new report released this week reveals that man-in-the-middle (MitM) phishing attacks increased by 35% between Q1 2022 and Q1 2023. The research, conducted by Cofense Intelligence, shows that threat actors are combining MitM attacks with credential phishing to steal not only usernames and passwords but also session cookies, allowing them to bypass multi-factor authentication. The study also found that 95% of the MitM phishing attacks observed target Microsoft Office 365 authentication. These campaigns rely heavily on URL redirection: 89% use at least one URL redirect and 55% use two or more. The attacks evade the standard secure-connection model most websites rely on by establishing two separate secure connections, one between the victim and the attacker and one between the attacker and the legitimate website. The attacker then serves a proxied login page to the victim and harvests the credentials and session cookies that pass through it.
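Because the report ties these campaigns so strongly to redirect chains, a defender can enrich URLs from suspicious emails by resolving the chain hop by hop and recording how many redirects and how many distinct hosts are involved. The following is an added example, not code from Cofense or the original article; the responses are a constructed, offline stand-in for HEAD requests, and the hostnames are invented.

```python
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample responses: URL -> (HTTP status, Location header or None).
# Hostnames are placeholders, not real sites.
FAKE_RESPONSES = {
    "https://mail.example.test/click?id=1": (302, "https://cdn.files.test/r/abc"),
    "https://cdn.files.test/r/abc": (301, "/final/login"),
    "https://cdn.files.test/final/login": (200, None),
    "https://loop.test/a": (302, "https://loop.test/b"),
    "https://loop.test/b": (302, "https://loop.test/a"),
}

def fake_fetch(url):
    """Stand-in for a HEAD request that does NOT auto-follow redirects."""
    return FAKE_RESPONSES.get(url, (404, None))

def resolve_chain(url, fetch=fake_fetch, max_hops=10):
    """Follow redirects manually so every hop is visible to the analyst."""
    hops, seen, current, looped = [], set(), url, False
    while True:
        if current in seen:          # redirect loop: stop rather than spin
            looped = True
            break
        seen.add(current)
        status, location = fetch(current)
        if status in REDIRECT_STATUSES and location:
            current = urljoin(current, location)   # handle relative Location
            hops.append(current)
            if len(hops) >= max_hops:
                break
        else:
            break
    hosts = sorted({urlparse(u).hostname for u in [url] + hops})
    return {"redirects": len(hops), "final_url": current,
            "hosts": hosts, "looped": looped}

def is_suspicious(chain, min_redirects=2):
    """Flag chains with two or more redirects (the report's 55% bucket) or loops."""
    return chain["looped"] or chain["redirects"] >= min_redirects
```

Swap `fake_fetch` for a real HEAD request with redirects disabled to run this against live URL submissions.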
Meanwhile, new research has revealed that almost 180 organizations are still vulnerable to the GoAnywhere Managed File Transfer (MFT) vulnerability. The flaw, CVE-2023-0669, was patched in February, but according to a report by Censys almost 180 hosts are still running exposed GoAnywhere MFT admin panels, with 30% of these showing indications of remaining unpatched and potentially vulnerable. A single vulnerable instance can serve as a gateway to a data breach affecting millions of individuals. Ransomware is on the rise, and GoAnywhere MFT is just one of many vectors attackers are exploiting.
In addition, researchers at Kroll have discovered a new ransomware family called CACTUS that leverages VPNs to infiltrate its targets. The ransomware has been observed exploiting documented vulnerabilities in VPN appliances to gain initial access, and it uses a novel encryptor that requires a key to decrypt itself before it can run, which likely allows it to remain undetected until the threat actors launch the ransomware attack. As yet, there is no data available on ransom prices or the consequences of not paying.
Furthermore, CISA and the FBI have released a joint report detailing the PaperCut NG and PaperCut MF vulnerability CVE-2023-27350. The FBI has observed the Bl00dy ransomware gang attempting to exploit the vulnerability on PaperCut servers belonging to education sector targets. Education Facilities Subsector entities maintain approximately 68% of the exposed, but not necessarily vulnerable, US-based PaperCut servers. In early May 2023, the Bl00dy Ransomware Gang gained access to victim networks across the subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Some of these operations led to data exfiltration and encryption of victim systems, and the gang left ransom notes on victim systems demanding payment in exchange for decryption of the encrypted files.
Meanwhile, a report by cybersecurity firm Imperva found that almost 50% of all internet traffic in 2022 came from automated bots, a 5.1% increase in automated traffic. The report also showed that “good bots” are increasing in prevalence, accounting for 17.3% of all traffic, while “bad bots” (those used by bad actors to probe for vulnerabilities) increased to 30.2%. Imperva writes, “As bad bot evasion techniques become increasingly sophisticated, we are observing a fascinating trend, where advanced bad bot levels (51.2%) are growing at the expense of moderate ones (15.4%).”
In cyberattack news, CERT-UA warns that the financially motivated Russian criminal group UAC-0006 is pushing SmokeLoader malware in a phishing campaign. The phishing emails are sent from compromised accounts and often masquerade as billing documents, with the payload carried in an attached zip file. The group’s customary aims are to compromise accountants’ PCs, steal authentication data (logins, passwords, keys and certificates), and initiate unauthorized payments.
Lastly, in patch news, Microsoft released 40 security updates affecting various products and also republished 9 non-Microsoft CVEs. Simply installing the updates might not be enough, as Secure Boot must be enabled for the protection to take effect. SAP also released 25 updates and security patches fixing 26 vulnerabilities, the most severe of which carries a CVSS score of 9.8.