Our reporting this week demonstrates how cybercriminals are continually developing their tradecraft to produce more effective phishing campaigns. One example was a phishing campaign that targeted more than 10,000 entities utilising adversary-in-the-middle techniques, whereby phishing sites proxied authentication requests to legitimate websites in order to capture passwords and session cookies and thereby bypass multi-factor authentication. Another large-scale phishing campaign, targeting online banking users in Brazil and Portugal, leverages the Anubis Network, a command-and-control portal that steals user credentials.
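Because an adversary-in-the-middle phishing site replays a stolen session cookie from its own infrastructure, one defensive signal is the same session identifier appearing from two unrelated networks within a short window. The following detection sketch is an added example and is not code from the original report or from Microsoft; the sign-in event format, field names and IP addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical format): timestamp, user, session ID, source IP.
SAMPLE_EVENTS = [
    ("2022-07-12T09:00:00", "alice@example.com", "sess-1", "203.0.113.10"),
    ("2022-07-12T09:03:00", "alice@example.com", "sess-1", "203.0.113.10"),
    ("2022-07-12T09:05:00", "alice@example.com", "sess-1", "198.51.100.77"),  # same cookie, unrelated network
    ("2022-07-12T10:00:00", "bob@example.com", "sess-2", "192.0.2.5"),
    ("2022-07-12T10:30:00", "bob@example.com", "sess-2", "192.0.2.5"),
    ("2022-07-12T18:00:00", "carol@example.com", "sess-3", "203.0.113.44"),
    ("2022-07-12T18:04:00", "carol@example.com", "sess-3", "203.0.113.45"),  # same /24, likely benign roaming
]


def parse_event(event):
    """Convert one raw tuple into typed values."""
    ts, user, session_id, ip = event
    return datetime.fromisoformat(ts), user, session_id, ipaddress.ip_address(ip)


def same_network(ip_a, ip_b, prefix=24):
    """True when both addresses fall in the same prefix (crude stand-in for ASN/geo lookup)."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ip_b in net


def find_session_reuse(events, window=timedelta(minutes=10), prefix=24):
    """Return one alert per pair of consecutive sign-ins that share a session ID
    but originate from different networks within `window`."""
    by_session = defaultdict(list)
    for event in events:
        ts, user, sid, ip = parse_event(event)
        by_session[sid].append((ts, user, ip))

    alerts = []
    for sid, seen in by_session.items():
        seen.sort()  # chronological order within the session
        for (t1, user, ip1), (t2, _, ip2) in zip(seen, seen[1:]):
            if t2 - t1 <= window and not same_network(ip1, ip2, prefix):
                alerts.append({
                    "user": user,
                    "session_id": sid,
                    "first_ip": str(ip1),
                    "second_ip": str(ip2),
                    "delta_minutes": (t2 - t1).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

In production the `/24` comparison would be replaced by an ASN or geolocation lookup, and the alert would be correlated with the identity provider's own risk signals; the point of the example is that MFA completion alone is not evidence the session holder is the user.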
Other phishing campaigns we reported this week highlight the value of themed lures as an effective technique for tricking users into opening malicious spear-phishing attachments. For example, we reported on a South Asian threat actor that has been targeting public entities in Afghanistan, Poland, Italy, India, and the United States with a malicious Excel document carrying geopolitically themed lures to deliver the remote access trojans (RATs) AsyncRAT and LimeRAT.
The zero-day Windows CSRSS Elevation of Privilege vulnerability (CVSS: 7.8|OVSS: 34) enables threat actors to gain SYSTEM privileges and impacts almost all versions of Windows. Although it is not considered a critical severity vulnerability, it is being actively exploited in the wild.
rpc.py through 0.6.0 allows Remote Code Execution (CVSS: 9.8|OVSS: 37) because an unpickle occurs when the "serializer: pickle" HTTP header is sent, meaning that an unauthenticated client can cause its request data to be processed with unpickle. Although this has not yet been exploited in the wild, we assess that there is an 85% likelihood of future exploitation.
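The weakness described above is a general pattern: letting the client choose the deserializer and honouring a choice of pickle on unauthenticated input. The snippet below is an added illustration of that pattern beside an allowlisted form, and is not rpc.py's own code; the `Request` class, header names and loader table are assumptions made for the example.

```python
import json
import pickle


class Request:
    """Hypothetical minimal request object (not rpc.py's): headers plus raw body bytes."""

    def __init__(self, headers, body):
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.body = body


def deserialize_vulnerable(request):
    """Mirrors the flaw: the sender selects the serializer via a header, so any
    unauthenticated client can route its body straight into pickle.loads, which
    reconstructs arbitrary objects rather than plain data."""
    if request.headers.get("serializer") == "pickle":
        return pickle.loads(request.body)
    return json.loads(request.body)


class UnsupportedSerializer(ValueError):
    """Raised when a request names a serializer the server does not permit."""


# Allowlist of data-only formats; pickle is deliberately absent.
SAFE_SERIALIZERS = {
    "json": lambda body: json.loads(body),
}


def deserialize_hardened(request):
    """Only decode with formats the server explicitly supports; default to JSON."""
    name = request.headers.get("serializer", "json")
    loader = SAFE_SERIALIZERS.get(name)
    if loader is None:
        raise UnsupportedSerializer(f"serializer {name!r} is not permitted")
    return loader(request.body)


if __name__ == "__main__":
    req = Request({"Serializer": "pickle"}, pickle.dumps({"method": "ping"}))
    print("vulnerable path decoded:", deserialize_vulnerable(req))
    try:
        deserialize_hardened(req)
    except UnsupportedSerializer as exc:
        print("hardened path rejected:", exc)
```

If a native object format is genuinely required, it should only be accepted from authenticated callers and over a payload whose integrity is verified before decoding; for an RPC boundary exposed to unauthenticated clients, a data-only format such as JSON is the appropriate default.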
The medium-severity Rolling Pwn vulnerability (CVSS: 5.3|OVSS: 20) enables threat actors to unlock a car manufactured by Honda or start its engine remotely. The vulnerability was discovered last year but has been found this week to impact various Honda models.
Key Intelligence Reports
- Cybercriminals use adversary-in-the-middle phishing sites as infection vector for financial fraud campaign
Microsoft has warned that, since September 2021, cybercriminals have launched a series of adversary-in-the-middle phishing attacks targeting more than 10,000 entities.
- South Asian adversary targets multiple public entities with AsyncRAT and LimeRAT
Since March 2021, a South Asian threat actor has launched multiple phishing campaigns to deliver remote access trojans (RATs) to public entities in Afghanistan, Poland, Italy, India, and the United States.
- New Anubis Network phishing campaign targeting Portuguese and Brazilian online banking users
A large-scale phishing campaign which leverages the Anubis Network, a command-and-control portal that steals user credentials, has been targeting online banking users in Brazil and Portugal since March 2022. Anubis Network’s activity was first detected by Portuguese researchers in 2020, in a very similar campaign.
What is OVSS?
The Orpheus Vulnerability Severity Score (OVSS) helps companies understand the risk associated with particular vulnerabilities. Orpheus does this by adding context on the likely threat to, and impact of, CVEs, building upon the vulnerability information provided as part of the CVSS (Common Vulnerability Scoring System) score.