Another twisty tale from the cyber sleuths at Check Point today, June 18, with news of a “very sophisticated, malicious” attack on Microsoft users in multiple countries.
This time around, an Oxford University email server and domains belonging to Samsung and others were hijacked, tricking security systems into letting through malicious emails designed to steal targeted network access credentials.
Microsoft Office 365 users were targeted with customized emails that included a link to an “Office 365 Voicemail.” The link was malicious, but the emails had genuinely been sent from an Oxford University system, so they passed the sender checks in corporate email defenses; how the attackers gained access to the university’s mail server has not been disclosed. The links then directed users to a Samsung domain hosted on an Adobe server, one set up for a Cyber Monday campaign in 2018 and unused since.
Check Point’s Lotem Finkelsteen described the attack as “a masterpiece strategy,” tricking users and their company systems. This approach “allowed the attackers to pass the reputation check for the sender domain,” Check Point explains, adding that “there was no need to compromise actual email accounts to send phishing emails, because they could generate as many email addresses as they wanted.”
First problem solved. The user is now looking at an Office 365 email that has slipped through their company’s security net and carries enough basic customization, their name and company domain, to encourage a click. The next problem for the attackers was to stop those same corporate security systems from blocking the click through to the phishing site: the defenses had to be tricked a second time.
The approach to redirecting the user’s click to the Office 365 phishing page was to hijack a legitimate domain, one designed to redirect traffic. This is not new—there have been multiple phishing campaigns that have taken the same approach, ensuring “the link embedded in the phishing email is part of a trusted domain,” Check Point says, “one that unknowingly redirects victims to the phishing website.”
The unwitting victim in this case was a Samsung (Canada) subdomain hosted on an Adobe Campaign server. Tracked links in such campaigns pass through a redirect endpoint whose destination is supplied as a URL parameter. “The attackers took the existing link from an old, but legitimate Samsung Cyber Monday themed email campaign dating back to 2018,” Check Point explains. “By changing the [URL] parameter, they repurposed it to redirect the victim to a domain they controlled instead of http://samsung.com/ca/.”
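The redirect abuse described above comes down to an open-redirect parameter on a trusted domain. The following Python is an added example, not Adobe Campaign’s code or anything from Check Point’s report: it models a tracking endpoint that trusts its `url` parameter, the same endpoint with an allowlist check, and a mail-gateway style test that flags a trusted-domain link whose redirect parameter points outside the allowlist. The tracker hostname, parameter name, allowlist and sample links are all constructed for the example.

```python
"""Open-redirect abuse via a tracked-link parameter, and the allowlist fix.

Everything here is an assumed model of a marketing redirect endpoint, not
Adobe Campaign's real implementation: a tracked link carries its final
destination in a query parameter, the tracker logs the click and bounces
the browser to that destination.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample links. The first is what a legitimate 2018 campaign
# email would have carried; the second is the attacker's edited copy with
# only the destination parameter changed.
LEGIT_LINK = ("https://track.example-campaign.invalid/r/"
              "?cid=cm2018&url=http://samsung.com/ca/")
ATTACK_LINK = ("https://track.example-campaign.invalid/r/"
               "?cid=cm2018&url=https://o365-voicemail.attacker.invalid/login")

# Hosts this tracker is allowed to send browsers to (assumed allowlist).
ALLOWED_HOSTS = {"samsung.com"}
DEFAULT_DEST = "http://samsung.com/ca/"


def destination_param(tracked_link: str) -> Optional[str]:
    """Return the raw 'url' parameter from a tracked link, or None."""
    values = parse_qs(urlsplit(tracked_link).query).get("url")
    return values[0] if values else None


def redirect_vulnerable(tracked_link: str) -> str:
    """Destination chosen the way the abused endpoint behaved: trust the parameter."""
    return destination_param(tracked_link) or DEFAULT_DEST


def host_allowed(dest: str) -> bool:
    """True only for absolute http(s) URLs whose host is an allowed domain or
    a subdomain of one. Rejects scheme-relative, javascript:, userinfo
    (allowed@evil) and look-alike (allowed.com.evil) tricks that a naive
    string prefix check would let through."""
    parts = urlsplit(dest)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def redirect_hardened(tracked_link: str) -> str:
    """Same endpoint with the destination validated; anything outside the
    allowlist falls back to the campaign's own landing page."""
    dest = destination_param(tracked_link)
    if dest and host_allowed(dest):
        return dest
    return DEFAULT_DEST


def crosses_trust_boundary(tracked_link: str) -> bool:
    """Gateway-side check: does a link on a trusted tracker domain carry a
    redirect parameter that points at a host outside the allowlist?"""
    dest = destination_param(tracked_link)
    return bool(dest) and not host_allowed(dest)


if __name__ == "__main__":
    for link in (LEGIT_LINK, ATTACK_LINK):
        print(link)
        print("  vulnerable ->", redirect_vulnerable(link))
        print("  hardened   ->", redirect_hardened(link))
        print("  flagged    ->", crosses_trust_boundary(link))
```

The hardened version deliberately parses the destination rather than checking that the string starts with `http://samsung.com`, since `http://samsung.com@attacker.invalid/` and `http://samsung.com.attacker.invalid/` both pass a prefix check while the browser ends up on the attacker’s host. The gateway check is the same logic from the defender’s side: a trusted sender and a trusted link domain say nothing about where a redirect parameter actually lands.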
Adobe told me that the company “worked directly with customers that may have been impacted to resolve the issue and continues to communicate best practices with customers. The security of Adobe products was not compromised as a result of this unauthorized activity. Unfortunately, in this instance, bad actors manipulated existing marketing URLs for sophisticated email phishing campaigns.” Neither Oxford University nor Samsung have yet responded to requests for comment.
Whether the targeted Office 365 accounts had two-factor authentication (2FA) enabled has not been disclosed, but its probable absence would give the attackers a direct route in with the stolen credentials alone. Once inside corporate systems, everything becomes even easier. Microsoft has warned that most of its enterprise users do not have 2FA enabled, which makes them an easy target for hackers, with the number of account compromises now “really, really, really high.”
With that first redirect in hand, the attackers added a second redirect through a compromised WordPress site to further fool any security system that follows links. That second hop also included a check that refused to redirect anyone who had not arrived via the malicious link, again reducing the chances of discovery.
The multi-tiered attack was designed with an understanding of how each layer of corporate network security would work. The attackers also changed their URLs and domains as the attack progressed, looking to stay ahead of defensive systems that might learn their patterns and block their URLs.
Check Point sent details of the attack to Oxford University, Adobe and Samsung. Check Point tells me that the university took corrective action, and then, a day ahead of the report’s disclosure, Adobe “took the relevant actions to prevent this attack across all customers.” Adobe also released patches for multiple vulnerabilities on June 17, although by the company’s own account the campaign did not exploit a flaw in its products.
The relatively sudden shift for many organisations to support working from home has opened a wide set of new vulnerabilities. Attacks such as this exploit those. Back in April, the U.S. government advised on the risks of “rapid” deployments of Microsoft Office 365, warning that companies “may not be fully considering the security configurations of these platforms.” Again, 2FA was the primary recommendation.
What has not been disclosed, yet, is the identity of any victims. One can assume, though, that this involved levels of targeting. That might mean criminal networks, but it could also be more sophisticated espionage. Check Point has not attributed the attack, telling me “we tried, but they invest a lot in securing their operation and understand this business very well—so they also protect their identity.”
Check Point commended the level of effort and complexity involved in the attack. “Sending malicious emails through this Oxford University server,” the company told me, “while going unnoticed is complicated. The same for Samsung. And they did all of this just to steal Office 365 credentials. It means it must have been worth it.”
Originally posted at: https://www.forbes.com/