Highly organized cybercriminals suspected to be based in Russia and Nigeria are targeting hundreds of executives in dozens of organizations in an ongoing Microsoft Azure cloud account takeover (ATO) campaign.
According to US cybersecurity firm Proofpoint: “As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents.”
Innocent-looking but weaponized documents sent to key executives include embedded “View Document” links that redirect them to a malicious site. The users affected by the attacks occupy a variety of trusted positions within their organizations. Victims include chief financial officers (CFOs), finance managers, account managers, corporate vice presidents, and sales directors. Proofpoint believes that targeting this variety of executive positions is far from a series of random phishing attacks.
“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions,” says Proofpoint.
The attackers use access to the targeted organization to steal financial assets, user credentials, and internal security protocols, enabling them to conduct internal as well as external phishing attacks, posing as trusted members of staff. Mailbox access within the company can then be used to target specific employees’ user accounts with personalized messages.
Internal emails sent to enable financial fraud
According to Proofpoint: “In an effort to perpetrate financial fraud, internal email messages are dispatched to target Human Resources and Financial departments within affected organizations… Attackers create dedicated obfuscation rules, intended to cover their tracks and erase all evidence of malicious activity from victims’ mailboxes.”
Once inside an account, the attackers register their own authentication methods, including alternative phone numbers for verification via SMS or phone calls. They then create the dedicated obfuscation rules described above to erase evidence of their activity from victims’ mailboxes. Proofpoint identified specific indicators of compromise (IOCs) associated with this campaign, primarily a specific Linux user-agent utilized by attackers during the access phase of the attack chain.
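As an added illustration of how a defender might hunt for the behaviours described above (this is not code from the article or from Proofpoint), the following script scores constructed Microsoft 365 / Entra audit records for three of the signals mentioned: a Linux user-agent at sign-in, a newly registered phone-based MFA method, and inbox rules that delete or move mail. The record field names and the Linux user-agent pattern are simplified assumptions, since the report does not quote the actual indicator.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the Proofpoint report). Field names are a
# simplified approximation of Microsoft 365 unified audit log and Entra ID
# sign-in/audit records; real exports nest these fields differently.
SAMPLE_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "cfo@example.com",
     "UserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
     "ClientIP": "203.0.113.10"},
    {"Operation": "User registered security info", "UserId": "cfo@example.com",
     "ResultReason": "User registered Mobile Phone SMS"},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": {"SubjectContainsWords": "invoice;payment;wire",
                    "DeleteMessage": "True"}},
    {"Operation": "UserLoggedIn", "UserId": "sales@example.com",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
     "ClientIP": "198.51.100.7"},
    {"Operation": "New-InboxRule", "UserId": "sales@example.com",
     "Parameters": {"From": "newsletter@example.net", "MoveToFolder": "News"}},
]

# Rule actions that hide mail from the mailbox owner (the "obfuscation rules").
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
# Words suggesting a rule targets finance or HR correspondence.
FRAUD_KEYWORDS = re.compile(r"invoice|payment|wire|payroll|bank", re.I)
# Placeholder for the unquoted Linux user-agent IOC: matches only the platform token.
LINUX_UA = re.compile(r"\bLinux\b")


def indicators(event):
    """Return the indicator labels a single audit event matches."""
    found = []
    op = event.get("Operation", "")
    if op == "UserLoggedIn" and LINUX_UA.search(event.get("UserAgent", "")):
        found.append("linux_user_agent_signin")
    if op == "User registered security info":
        found.append("new_mfa_method")
    if op in ("New-InboxRule", "Set-InboxRule"):
        params = event.get("Parameters", {})
        if HIDING_ACTIONS.intersection(params):
            text = " ".join(str(v) for v in params.values())
            found.append("hiding_rule_finance_terms" if FRAUD_KEYWORDS.search(text)
                         else "hiding_rule")
    return found


def triage(events):
    """Group indicators per user; two or more distinct indicators rank 'high'."""
    per_user = defaultdict(set)
    for ev in events:
        per_user[ev["UserId"]].update(indicators(ev))
    return {u: {"indicators": sorted(i), "priority": "high" if len(i) >= 2 else "low"}
            for u, i in per_user.items()}
```

A single hiding rule on its own is common and scores low; the combination of a new MFA method, an unusual client, and a rule that deletes finance-related mail is what makes the CFO account stand out.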
Cybercriminals use proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, thereby evading the target organization’s geo-fencing policies. The use of frequently alternating proxy services allows threat actors to mask their true location and creates an additional challenge for companies trying to block malicious activity.
Proofpoint has, however, seen attackers use certain local fixed-line ISPs, potentially exposing their geographical locations. These non-proxy sources include the Russia-based ‘Selena Telecom LLC’ and the Nigerian providers ‘Airtel Networks Limited’ and ‘MTN Nigeria Communication Limited’, suggesting that the cybercriminals may be based in locations outside US jurisdiction.