Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – ICS: Multiple Omron Products Vulnerabilities
August 3, 2023Rewterz Threat Alert – Quasar RAT aka CinaRAT – Active IOCs
August 3, 2023
Severity
High
Analysis Summary
Researchers reported that the hacking group APT29, linked to Russia’s Foreign Intelligence Service (SVR), launched phishing attacks on over 40 organizations worldwide, including government agencies. The group used compromised Microsoft 365 tenants to create technical support-themed domains and sent lures to trick users into approving multifactor authentication prompts, aiming to steal their credentials.
“Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.”
The attackers utilized onmicrosoft.com domains, a legitimate Microsoft domain, to make the fake Microsoft support messages appear trustworthy. The objective was to steal targeted users’ credentials and add unauthorized devices to organizations to bypass access restrictions. Microsoft successfully blocked the threat group from using the domains in further attacks and is actively mitigating the campaign’s impact.
“If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device”, they added
In certain instances, the actor endeavors to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), possibly aiming to bypass conditional access policies set to restrict access to designated resources for managed devices exclusively.
In another incident, Microsoft was criticized for not addressing a security issue in Microsoft Teams that allowed bypassing restrictions for incoming files from external tenants using a tool named TeamsPhisher. APT29, known for orchestrating the SolarWinds supply-chain attack, has targeted various organizations with stealthy malware, including TrailBlazer and a variant of the GoldMax Linux backdoor.
Recently, Microsoft disclosed that the group is using new malware to control Active Directory Federation Services (ADFS) and infiltrate Windows systems as any user. APT29 has also targeted NATO countries’ Microsoft 365 accounts to gain access to foreign policy-related information. This hacking group has been behind phishing campaigns aimed at governments, embassies, and high-ranking officials in Europe. The impact of their social engineering attacks on government agencies highlights the severity of such threats even on well-protected entities.
Impact
- Credential Theft
- Information Theft and Espionage
- Exposure of Sensitive Data
Indicators of Compromise
Domain Name
- identityverification.onmicrosoft.com
- accountsverification.onmicrosoft.com
- azuresecuritycenter.onmicrosoft.com
- teamsprotection.onmicrosoft.com
Remediation
- Block all threat indicators at your respective controls. Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
- Conduct regular security awareness training for employees to educate them about the dangers of phishing attacks, social engineering, and how to identify suspicious messages or lures.
- Enforce the use of MFA for all user accounts to add an extra layer of protection against unauthorized access.
- Implement robust conditional access policies that restrict access to specific resources based on the user’s location, device, and other factors.
- Deploy advanced email and web gateway security solutions that can detect and block phishing emails and malicious websites.
- Monitor domain registrations and enforce security policies to prevent the use of unauthorized domains associated with the organization’s brand.
- Establish a well-defined incident response plan and conduct threat hunting exercises to detect and respond to potential threats proactively.
- Ensure all software and systems, including Microsoft Teams, are up to date with the latest security patches to mitigate known vulnerabilities.
- Deploy robust security monitoring and detection tools to identify suspicious activities and potential threats in real-time.
- Conduct periodic security assessments, penetration testing, and vulnerability scanning to identify and address potential weaknesses in the organization’s infrastructure and systems.
- Implement phishing-resistant authentication methods for users to enhance security against phishing attacks.
- Utilize Conditional Access authentication strength to mandate phishing-resistant authentication for both employees and external users accessing critical applications.
- Understand and select appropriate access settings for external collaboration to align with your organization’s security needs.
- Train Microsoft Teams users to verify the “External” tagging on communication attempts from external entities, encouraging caution regarding shared information, and never sharing account details or authorizing sign-in requests over chat.