Back

Blogs

NHS DSPT New Submission Requirements

View All

Case Studies

Powering Alt HAN Co.'s Smart Meter Rollout

View All

Upcoming Events

LEMA Summit 2024

View All

Webinars

Image of Cyber crime and pirate sign digital concept with skullImage of Cyber crime and pirate sign digital concept with skull

Thoughts

Threat Actors Target Organisations

17th Apr, 2024

As organisations adopt digital solutions and handle critical data at an increasing rate, vulnerability to cyber attacks increases. Threat actors are looking to a vast range of potential weaknesses and the tools necessary to exploit them. This week, we look at three such attacks that are targeting organisations.

Silent SharePoint Heists: Exposing Covert Data Exfiltration Tactics

In the digital age, where data is a precious commodity, cyber adversaries are constantly devising new methods to steal this valuable asset without leaving a trace. Recently, cybersecurity researchers have brought to light two ingenious tactics for stealthily extracting data from Microsoft SharePoint, a platform widely used by organisations globally for collaboration and information sharing.

The first method leverages the seemingly innocuous ‘open in app’ feature of SharePoint. This feature, designed for seamless user experience, can be manipulated by attackers to access, and download files while merely logging an access event in the file’s audit trail. This subterfuge can be executed manually or automated through a malicious PowerShell script, making it a potent tool for data theft with minimal footprints.

The second strategy involves disguising data downloads as routine file sync operations. By exploiting the Microsoft SkyDriveSync functionality and tweaking the User-Agent configuration, a feature that typically identifies the type of access event, threat actors can mask their unauthorised downloads. This manipulation allows the downloads to fly under the radar, appearing as benign sync events, thereby eluding detection mechanisms and audit logs.

These vulnerabilities, disclosed to Microsoft in November 2023, have yet to see a patch, attributed to their “moderate” risk assessment by the tech giant. Microsoft maintains that SharePoint operates as designed, highlighting that audit logs do capture file access events. The stance suggests a reliance on security solutions and vendors to monitor these audit events vigilantly for any signs of unauthorised access.

The strategic implications of these vulnerabilities cannot be overstated. With reports suggesting that one in every ten records in the cloud is accessible to all employees within an organisation, the risk of internal and external data breaches skyrockets. Given SharePoint’s ubiquity in the corporate world, these vulnerabilities spotlight the critical need for businesses to reassess their data security strategies and the trust placed in default configurations.

On a tactical level, the absence of immediate patches from Microsoft shifts the onus onto organisations and cybersecurity vendors to fortify their defences. Monitoring audit events more scrupulously and educating users about the potential misuse of seemingly benign features are steps in the right direction.

Decade of Deception: @RubyCarp’s Botnet Odyssey

In the shadowy recesses of the cyber underworld, a new protagonist has emerged, orchestrating a botnet campaign that spans over a decade. This financially motivated syndicate, with roots tracing back to Romania, has created a niche in the cybercrime world through its sophisticated exploitation efforts.

At the heart of @RubyCarp’s operations are vulnerable Laravel applications, specifically targeted for a remote code execution flaw identified as CVE-2021-3129. But their ambitions didn’t halt at Laravel; WordPress sites have also fallen prey to their schemes, compromised via harvested usernames and passwords. The initial breach serves as a gateway for the deployment of Shellbot, a Perl-based botnet that operates under the cloak of IRC channels to communicate with its command-and-control (C2) server. The compromised devices, ensnared within this botnet, are primarily harnessed for cryptomining activities, leveraging tools such as NanoMiner and XMRig to generate cryptocurrency stealthily.

Yet, @RubyCarp’s cybercriminal ventures extend beyond mere cryptomining. Researchers have unearthed phishing campaigns meticulously crafted by the group, aiming to siphon off credit card numbers among other valuable assets. This tactic is not solely for financing their clandestine operations; the spoils could also be repurposed for further malicious endeavours or peddled to other dark web denizens.

An intriguing facet of this discovery is the potential overlap in tactics, techniques, and procedures (TTPs) between @RubyCarp and another notorious entity, @Outlaw. However, researchers caution against drawing definitive links due to the common practice of sharing TTPs among botnet operators, blurring the lines of distinction.

The revelation of @RubyCarp’s phishing attacks, targeting renowned entities like the Danish logistics firm ‘Bring’, European banking titan ‘Nets’, and the Swedish banking consortium ‘Swish’, underscores the strategic depth of their criminal enterprise. The broad sweep of their botnet, reflecting both technical prowess and a penchant for subterfuge, hints at the extensive measures employed by @RubyCarp to cloak their digital footprints.

The unveiling of @RubyCarp raises pertinent tactical considerations. With their decade-long shadow play now exposed to the cybersecurity spotlight, it remains to be seen how @RubyCarp will adapt. The group may well recalibrate their strategies, seeking refuge in the depths of cyberspace to evade detection and sustain their illicit operations. This cat-and-mouse game between cybercriminals and defenders continues, reminding us of the constant vigilance required to navigate the cyberspace.

Cloud under Siege: @MuddledLibra’s Assault on SaaS Realms

The threat actor group @MuddledLibra are proving to be a formidable force, especially in their recent campaigns against software-as-a-service (SaaS) applications and cloud service provider (CSP) environments. From late 2023 into early 2024, this elusive group has demonstrated a keen interest in the cloud’s vast potential, orchestrating precision strikes on platforms that form the backbone of today’s digital infrastructure.

Employing social engineering tactics with a particular focus on administrative users, @MuddledLibra has adeptly navigated through the defences of renowned CSPs, including giants like Amazon Web Services and Azure. Their modus operandi? Exploiting the convenience of Single Sign-On (SSO) features or capitalising on poorly secured credentials to infiltrate these cloud bastions.

Once inside, the group’s agenda becomes clear: to siphon off credentials and sensitive information, thereby compromising the integrity and confidentiality of cloud-hosted data. A notable manoeuvre in their campaign was the orchestrated attack against ‘Okta’ in September 2023. By configuring rogue Identity Providers and leveraging SSO, @MuddledLibra adeptly accessed multiple SaaS applications, underscoring their sophisticated approach to cyber espionage.

The linkage of @MuddledLibra to @ScatteredSpider—either as an alias or a faction within the larger group reveals a continuity in tactics and tools, with their nefarious activities tracing back to at least 2022. This association signals a well-orchestrated operation, armed with a common toolkit designed to breach, dwell, and extract with efficiency.

Strategically, @MuddledLibra’s choice of targets, veiled in anonymity but known to traverse telecommunications and critical infrastructure sectors, hints at the group’s broader ambitions. These forays into the digital ether are not just opportunistic but are aimed at undermining the very fabric of our interconnected world.

The tactical evolution of @MuddledLibra, as evidenced by their recent campaigns, serves as a clarion call for organisations. The imperative to fortify cloud environments has never been more pressing. Enhanced vigilance, robust access monitoring, and the deployment of multi-factor authentication (MFA) stand out as critical bulwarks against such insidious threats.

In the face of @MuddledLibra’s continued adaptability and threat potential, the cybersecurity community must respond with equal parts innovation and resolve. As we venture further into the cloud era, safeguarding our digital domains against such sophisticated adversaries is paramount to preserving the security of our digital lives.

Authors

Ian Hirst

Partner, Cyber Threat Services

Read Bio