uTalk

The Iranian nation-state hacking group known as OilRig has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data.

"The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers," Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy said.

While the technique in itself is not unheard of, the development marks the first time OilRig has adopted it in its playbook, indicating the continued evolution of its methods to bypass security protections.

The advanced persistent threat (APT) group, also referred to as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented for its targeted phishing attacks in the Middle East since at least 2014.

Linked to Iran's Ministry of Intelligence and Security (MOIS), the group is known to use a diverse toolset in its operations, with recent attacks in 2021 and 2022 employing backdoors such as Karkoff, Shark, Marlin, and Saitama for information theft.

The starting point of the latest activity is a . NET-based dropper that's tasked with delivering four different files, including the main implant ("DevicesSrv.exe") responsible for exfiltrating specific files of interest.

Also put to use in the second stage is a dynamic-link library (DLL) file that's capable of harvesting credentials from domain users and local accounts.

The most notable aspect of the .NET backdoor is its exfiltration routine, which involves using the stolen credentials to send electronic missives to actor-controlled email Gmail and Proton Mail addresses.

"The threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords," the researchers said.

The campaign's connections to APT34 stem from similarities between the first-stage dropper and Saitama, the victimology patterns, and the use of internet-facing exchange servers as a communication method, as observed in the case of Karkoff.

If anything, the growing number of malicious tools associated with OilRig indicates the threat actor's "flexibility" to come up with new malware based on the targeted environments and the privileges possessed at a given stage of the attack.

"Despite the routine's simplicity, the novelty of the second and last stages also indicate that this entire routine can just be a small part of a bigger campaign targeting governments," the researchers said.

Over the past few years, cybersecurity has become a major concern for businesses around the globe. With the total cost of cybercrime in 2023 forecasted to reach $8 Trillion – with a T, not a B – it's no wonder that cybersecurity is top of mind for leaders across all industries and regions.

However, despite growing attention and budgets for cybersecurity in recent years, attacks have only become more common and more severe. While threat actors are becoming increasingly sophisticated and organized, this is just one piece of the puzzle in determining why cybercrime continues to rise and what organizations can do to stay secure.

? Unlock the future of cybersecurity: Get ahead of the game with the 2023 Cyber Security Trends Forecast! Discover the major trends of 2022 and learn how to protect your business from emerging threats in the coming year. ⚡ Get your insider's guide to cybersecurity now!
An abundance of cyber spending, a shortage of cyber security#
It's easy to assume that the solution to the cybersecurity problem is money– to hire more security experts, and to invest in more tools and technology. If only it were that simple.

For one thing, experienced cyber professionals are in short supply. The (ISC)2 estimates that there are 3.4 Million unfilled cyber positions globally– a 26% increase year-on-year from 2020 to 2021. Additionally, nearly 70% of cybersecurity workers "feel their organization does not have enough cybersecurity staff to be effective." So, even if an organization has the budget to hire a small army of cybersecurity experts, they might not be able to find them.

Moreover, data from the past several years shows that organizations are investing more and more on cybersecurity each year. Gartner predicts that global spending on security and risk management will grow by more than 11% in 2023, up to $188 Billion from just $158 Billion in 2021. This trend is expected to continue, with worldwide cybersecurity spending forecasted to climb 11% each year through 2026 to reach a total of $267.3 billion.

Despite these significant increases in spending, and many businesses purchasing a plethora of commercial-off-the-shelf security solutions– one survey found that the average organization has 76 security technologies deployed– breaches of corporate networks, systems, and data only continue to become more routine.

Breaches are becoming more frequent – and more costly#
It's no secret that cybercrime is a serious challenge, but exactly how much of a problem is it? Some data suggests that the number of cyber attacks was 38% higher in 2022 than the previous year. That comes after a reported 50% spike year-on-year from 2020 to 2021.

While not all of these attacks are targeted or sophisticated, the sheer volume of attacks raises the probability that one attack will go undetected– and it only takes one successful attack for an organization to face serious costs and reputational damage.

All too often, organizations react to cyber incidents only after the attack is at an advanced stage, with very few clues on how the breach occurred and what the threat actors might be after. This leaves security teams scrambling to catch up, which slows down the response and recovery processes.

Unfortunately, as the time it takes to return to business as usual increases, so too does the cost of the incident. According to the 2022 IBM Cost of a Data Breach report, it takes the average organization a staggering 277 days to fully identify and contain a breach. This brings the average cost of a data breach up to $4.35 Million – a figure high enough to pose an existential risk to many SMBs. Even for larger enterprises, this amount of money is nothing to scoff at.

A strategic shift is needed to give organizations the capability to anticipate threats, implement preventative strategies, and improve agility to detect and eliminate threats as quickly as possible.

The journey to impactful intelligence #
Without exception, every organization with a digital presence will experience cyber attacks. The most effective approach is to identify and respond to the attack as early as possible. The sooner a threat is detected and eliminated, the lower the probability that the attack will be successful and result in damages to the organization.

So the question becomes: how can organizations minimize the amount of time it takes to detect and defeat a threat? The answer: impactful intelligence that improves visibility on risks and enables cyber agility in responding to and taking down threats.

In the Infosec world, it's often said that threat intelligence must be "actionable." This is true, but it's just one aspect of what constitutes valuable intelligence. In today's hostile threat landscape, intelligence must be impactful.

Impactful threat intelligence must have 4 properties:

Accurate - the intelligence must be true and accurate
Relevant - the intelligence must be relevant to the organization
Actionable - there must be actions the organization can take to defeat the threat
Cost Effective - the cost of the threat must be greater than the cost of remediation
This new framework brings a must-needed shift from looking at cybersecurity as strictly a technical problem to a new mindset where cybersecurity is viewed as a business challenge that must be addressed in an efficient and cost-effective manner. Threat intelligence can no longer just be an expense– it must be a business enabler that provides measurable value to the enterprise.

Cyberint, a leading threat intelligence vendor headquartered in Israel, is driving the evolution to impactful intelligence with the Argos Edge platform. To learn more about Cyberint's new approach to threat intelligence, check out this webinar on the Journey To Impactful Intelligence with Cyberint CEO Yochai Corem.

Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a phishing campaign designed to breach organizations' cloud environments and steal email.

"The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps," the tech giant said. "This phishing campaign targeted a subset of customers primarily based in the U.K. and Ireland."

Consent phishing is a social engineering attack wherein users are tricked into granting permissions to malicious cloud applications, which can then be weaponized to gain access to legitimate cloud services and sensitive user data.

The Windows maker said it became aware of the campaign on December 15, 2022. It has since alerted affected customers via email, with the company noting that the threat actors abused the consent to exfiltrate mailboxes.

On top of that, Microsoft said it implemented additional security measures to improve the vetting process associated with the Microsoft Cloud Partner Program (formerly MPN) and minimize the potential for fraudulent behavior in the future.

The disclosure coincides with a report released by Proofpoint about how threat actors have successfully exploited Microsoft's "verified publisher" status to infiltrate the cloud environments of organizations.

What's notable about the campaign is that by mimicking popular brands, it was also successful at fooling Microsoft in order to gain the blue verified badge. "The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD," the company explained.

These attacks, which were first observed on December 6, 2022, employed lookalike versions of legitimate apps like Zoom to deceive targets into authorizing access and facilitate data theft. Targets included financial, marketing, managers, and senior executives.