Scammers Bypassed MFA and Attacked 10,000 Organizations

Thursday, July 14, 2022

Read also: Hacker stole 23 million Mangatoon accounts, Uniswap users were robbed of $8 million worth of Ethereum, and more.

Scammers bypassed MFA and attacked 10,000 organizations

Microsoft has warned its customers about large-scale phishing attacks that have affected more than 10,000 organizations since September 2021. According to the tech giant, the cybercriminals used a technique known as an adversary-in-the-middle (AiTM) attack. They set up phishing sites that steal victims’ login credentials and session cookies even when the victims had enabled multifactor authentication (MFA) on their accounts: because the cookie is issued after MFA has completed, replaying it gives access without a second factor. Using this information, the threat actors accessed users’ mailboxes to run further business email compromise (BEC) attacks against other targets.

In the case described by Microsoft, the threat actors targeted Office 365 users by spoofing the Office online login page. They sent emails with an HTML file attachment to employees of different organizations, who were eventually redirected to the fake Office online authentication page.

According to the researchers, it took only five minutes after the credential and session theft for the attacker to launch a BEC attack.
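The attack above works because, once MFA has completed, the session cookie alone is what the service trusts. The following added Python example (not code from Microsoft or from this article) models that and one mitigation: binding the session to a device-held credential established at login, so a cookie replayed from another machine is rejected even though it is authentic. The signing key, user name and device fingerprints are constructed assumptions.

```python
"""Why a stolen post-MFA session cookie is enough, and how device binding limits replay.
Added illustration; the key, user and fingerprints are constructed, not real values."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed: the identity provider's cookie-signing key


def _sign(payload: dict) -> str:
    """Serialise claims and append an HMAC tag so the cookie cannot be forged or altered."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def _verify(token: str) -> Optional[dict]:
    """Return the claims if the tag is valid, None otherwise (malformed or tampered)."""
    try:
        b64_body, b64_tag = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        tag = base64.urlsafe_b64decode(b64_tag)
    except ValueError:  # covers binascii.Error from bad base64 as well
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def issue_unbound_session(user: str) -> str:
    """Classic cookie issued after MFA: whoever presents it is treated as the user."""
    return _sign({"sub": user, "mfa": True})


def accept_unbound(token: str) -> bool:
    claims = _verify(token)
    return claims is not None and claims.get("mfa") is True


def issue_bound_session(user: str, device_fp: str) -> str:
    """Cookie that also records a hash of the device credential proven at login
    (modelled as an opaque fingerprint string; in practice a client key or certificate)."""
    dev = hashlib.sha256(device_fp.encode()).hexdigest()
    return _sign({"sub": user, "mfa": True, "dev": dev})


def accept_bound(token: str, presented_fp: str) -> bool:
    """Accept only if the cookie is authentic AND the presenting device matches the bound one."""
    claims = _verify(token)
    if claims is None or claims.get("mfa") is not True:
        return False
    presented = hashlib.sha256(presented_fp.encode()).hexdigest()
    return hmac.compare_digest(claims.get("dev", ""), presented)


def forge_subject(token: str, new_user: str) -> str:
    """Alter the claims but keep the old tag: must fail verification."""
    b64_body, b64_tag = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(b64_body))
    claims["sub"] = new_user
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + b64_tag


def demo() -> dict:
    victim_fp = "victim-laptop-device-key"    # constructed
    attacker_fp = "attacker-host-device-key"  # constructed
    unbound = issue_unbound_session("alice@example.invalid")
    bound = issue_bound_session("alice@example.invalid", victim_fp)
    return {
        # AiTM outcome: the proxied cookie is genuine, so the relying party accepts it
        "unbound_replayed_by_attacker": accept_unbound(unbound),
        "bound_used_by_victim": accept_bound(bound, victim_fp),
        # same genuine cookie, wrong device: rejected
        "bound_replayed_by_attacker": accept_bound(bound, attacker_fp),
        "forged_token": accept_unbound(forge_subject(unbound, "mallory@example.invalid")),
    }


if __name__ == "__main__":
    print(demo())
```

The unbound case is exactly the gap the AiTM proxy exploits: the relying party has no way to tell the victim's browser from the attacker's replay. Binding the session to something the phishing proxy cannot relay (a device key, a client certificate, or similar) turns a stolen cookie into a dead token, which is why phishing-resistant authenticators and conditional access on device state are the recommended response to this class of attack.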

Hackers stole $8 million worth of cryptocurrency from Uniswap users

On July 11, Uniswap, a large decentralized cryptocurrency exchange, was robbed of $8 million worth of Ethereum. At first, some speculated that the threat actor had compromised the Uniswap protocol by exploiting a vulnerability. However, it turned out that the cybercriminals had leveraged a sophisticated phishing scheme.

The phishers announced a giveaway of free UNI tokens (a so-called airdrop) in order to trick cryptocurrency owners into approving transactions that gave the scammers full access to their wallets. The transactions called the disguised “setApprovalForAll” function, which is intended to authorize a marketplace to transfer sold items from the owner’s wallet to the buyer’s during a sale. Once that approval was granted, the threat actor could redeem the Uniswap tokens in the victims’ wallets for ETH.

Scammers created “uniswaplp[.]com,” a phishing website which impersonated the official “uniswap.org,” and redirected potential victims to it. In total, the threat actors stole 7,574 ETH and immediately moved 7,500 ETH to the Tornado Cash mixing service to quickly launder the stolen assets.
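The lure worked because “setApprovalForAll” grants an operator control over every token in a collection, not just the one the user thinks they are claiming. The following added Python example (not code from Uniswap or from this article) shows the check a wallet or transaction-simulation service can make before signing: decode the calldata, recognise the blanket-approval selector, and refuse it when the operator is not a marketplace the owner already knows. The allowlist, addresses and transactions are constructed placeholders; the two function selectors are the standard ERC-721/ERC-1155 ones.

```python
"""Wallet-side screening of token-approval transactions. Added example; the operator
allowlist, contract addresses and sample transactions are constructed, not real."""
from typing import Optional

# First 4 bytes of keccak256("setApprovalForAll(address,bool)"): ERC-721/ERC-1155 blanket approval
SET_APPROVAL_FOR_ALL = "a22cb465"
# First 4 bytes of keccak256("approve(address,uint256)"): single-token approval, smaller blast radius
APPROVE = "095ea7b3"

# Constructed allowlist: operators this wallet's owner has knowingly authorised before
KNOWN_OPERATORS = {
    "0x1111111111111111111111111111111111111111": "example-marketplace (constructed)",
}


def decode_set_approval_for_all(calldata: str) -> Optional[dict]:
    """Return {'operator', 'approved'} if calldata is a well-formed setApprovalForAll call."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != SET_APPROVAL_FOR_ALL:
        return None
    operator_word, approved_word = data[8:72], data[72:136]
    # An address is right-aligned in a 32-byte ABI word; the upper 12 bytes must be zero.
    if operator_word[:24] != "0" * 24:
        return None
    approved = int(approved_word, 16)
    if approved not in (0, 1):  # bool must be canonical 0 or 1
        return None
    return {"operator": "0x" + operator_word[24:], "approved": approved == 1}


def assess_transaction(tx: dict) -> str:
    """Classify a transaction the wallet is asked to sign as 'ok', 'warn' or 'block'."""
    data = tx.get("data", "")
    decoded = decode_set_approval_for_all(data)
    if decoded is None:
        selector = data.lower().removeprefix("0x")[:8]
        # Single-token approve still deserves a prompt, but it is not a wallet-wide grant.
        return "warn" if selector == APPROVE else "ok"
    if not decoded["approved"]:
        return "ok"  # revoking an operator is the safe direction
    if decoded["operator"] in KNOWN_OPERATORS:
        return "warn"  # legitimate marketplace, but still show the user what is being granted
    # Unknown operator asking for every token: the pattern behind the fake-airdrop claim page.
    return "block"


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """Helper to build sample calldata for the demo (ABI encoding of address,bool)."""
    addr = operator.lower().removeprefix("0x").rjust(64, "0")
    flag = "1".rjust(64, "0") if approved else "0" * 64
    return "0x" + SET_APPROVAL_FOR_ALL + addr + flag


def demo() -> dict:
    nft_contract = "0x" + "cc" * 20           # constructed token contract
    scammer = "0x" + "ab" * 20                # constructed unknown operator
    marketplace = next(iter(KNOWN_OPERATORS))
    return {
        "airdrop_lure": assess_transaction(
            {"to": nft_contract, "data": encode_set_approval_for_all(scammer, True)}),
        "marketplace_listing": assess_transaction(
            {"to": nft_contract, "data": encode_set_approval_for_all(marketplace, True)}),
        "revoke_scammer": assess_transaction(
            {"to": nft_contract, "data": encode_set_approval_for_all(scammer, False)}),
        "plain_transfer": assess_transaction(
            {"to": nft_contract, "data": "0xa9059cbb" + "0" * 128}),  # transfer(address,uint256)
        "single_approve": assess_transaction(
            {"to": nft_contract, "data": "0x" + APPROVE + "0" * 128}),
    }


if __name__ == "__main__":
    print(demo())
```

The decisive signal is not the phishing domain but the semantics of the transaction: a “claim your airdrop” page has no legitimate reason to request an approval at all, let alone a wallet-wide one to an address the owner has never dealt with. Decoding the calldata and naming the operator in the signing prompt is what lets a user spot the mismatch before the signature is made.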

Microsoft patched a zero-day vulnerability which has been exploited in the wild

On July 12, 2022, Microsoft fixed 84 security issues in its products as part of its monthly Patch Tuesday. Only four of them are rated “critical”; the other 80 are rated “important.”

One of the fixed flaws had already been exploited in attacks, Microsoft says. The bug (CVE-2022-22047) affects the Windows Client Server Runtime Subsystem (CSRSS) and allows attackers to elevate their privileges to the SYSTEM level.

With SYSTEM access, a threat actor can harvest further administrator and domain-level credentials (for example, with the Mimikatz tool) to spread the infection.

Microsoft did not provide any information about this vulnerability beyond the fact that it is under active exploitation. However, according to researchers from the Zero Day Initiative, attackers usually pair elevation-of-privilege flaws like this one with a code execution vulnerability to take over an affected system.

New Lilith, RedAlert and 0mega ransomware operations got their first victims

Researchers from the cybersecurity firm Cyble published an analysis of three new ransomware families that have already posted their first victims on their data leak portals.

The first is the RedAlert/N13V ransomware operation, which targets Windows and Linux VMware ESXi servers. Notably, RedAlert only accepts ransom payments in Monero, which is not typical of RaaS operations.

The second is 0mega, which encrypts files and appends the “.0mega” extension.

The third, Lilith, is written in C/C++. It targets only 64-bit versions of Windows and appends the “.lilith” extension.

23 million accounts exposed in Mangatoon data breach

A hacker who calls themselves pompompurin claimed to have breached Mangatoon, a popular comic-reading platform and mobile app. Last week, Have I Been Pwned (HIBP), a website where users can check whether their personal information has been exposed in data breaches, added 23 million Mangatoon accounts to its service.

According to HIBP’s founder Troy Hunt, the platform was breached sometime in May. The threat actor gained access to Mangatoon’s unsecured Elasticsearch database and stole users’ names, email addresses, genders, social media account identities, authorization tokens and password hashes, Hunt tweeted.

Hunt attempted to contact Mangatoon to warn it about the incident but never succeeded. Notably, pompompurin themselves contacted their victim, and the company eventually changed the database password to better protect it. However, the platform’s users remained unaware of the breach until recently.

Application Security Weekly is a weekly review of the most important news and events in cybersecurity, privacy and compliance. We cover innovative cyber defense technologies, new hacking techniques, data breaches and evolving cyber law.