One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8393658
Publication date 2023-10-10 10:00:00 (viewed: 2023-10-10 10:07:09)
Title Stories from the SOC: Quishing – Combatting embedded malicious QR codes
Text
James Rodriguez, Senior Specialist, Cybersecurity

Executive summary

Over the past several months, AT&T Managed Threat Detection and Response (MTDR) security operations center (SOC) analysts have seen an increase in phishing emails containing malicious QR codes. In a recent example, a customer targeted by such a campaign provided the AT&T analysts with an email that had been circulated to several of its internal users. The analysts reviewed the email and its attachment, a PDF containing a QR code and an urgent message claiming to be from Microsoft. When a targeted user scanned the QR code, they were directed to a counterfeit Microsoft login page designed to harvest usernames and passwords. This type of attack is called “quishing.” Unfortunately, several users fell victim to the attack and their credentials were compromised. Our analysts engaged with the customer and guided them through the proper remediation steps.

Encouraging targeted users to act quickly and to scan the code with their phone is a standard tactic for threat actors. Because the URL is carried in an image rather than a clickable link, email link-rewriting and URL scanning never see it, and the scan happens on a phone that is often a personal or unmanaged device outside the web proxy and other controls that protect the rest of the company's network. By doing this, the threat actor hopes to get the user to act without thinking and to bypass the traditional security measures in place on the company network.

Threat actor tactics

The threat actor used a Windows MFA setup request as the lure. The targeted users received a phishing email stating that multi-factor authentication (MFA) needed to be set up on their account. The email included a PDF attachment instructing them to scan the embedded QR code, which was malicious. Once the users scanned the QR code, they were redirected on their phone to a fake Microsoft sign-in page. There they entered their legitimate login credentials, which were stored and made available to the threat actor.
Investigation

Once the customer suspected the email was malicious, they contacted the AT&T team and provided a copy of the PDF file with the embedded QR code. The team analyzed the file and the QR code (see Image 1) and identified the destination as “srvc1[.]info/mcrsft2fasetup/index.html.”

Image 1: PDF file from customer containing the malicious QR code

The URL encoded in the QR code sends the user to a credential harvester masquerading as a Microsoft login page (see Image 2).

Image 2: Credential harvester masquerading as a login page

AT&T SOC analysts examined the credential harvester by entering a throwaway email address and using Google Chrome's Inspector (the DevTools Network tab) to record any outbound connections made when clicking the “Sign In” button. Only one network connection was observed, and it returned an HTTP 404 response from the external domain “logo.clearbit[.]com/email.com.” Research into clearbit[.]com found that it belongs to Clearbit, a B2B marketing-intelligence service listed as a legitimate tool for identifying customers and sales prospects. Clearbit's logo endpoint returns a company logo for a given domain, so this request, whose path matches the domain of the fake address the analysts typed, is most likely the phishing kit fetching the victim's company logo to make the page look personalized; it is not by itself evidence of where the credentials went. Analysts used open-source intelligence (OSINT) to research the initial domain “srvc1[.]info” but found no additional information, as the domain had been registered recently and its owner's identity was hidden. The customer confirmed that neither the Clearbit nor the srvc1 domains were known or part of normal business use within their environment.

Remediation

AT&T SOC analysts worked closely with the customer to identify w
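The investigation above has three mechanical steps: decode the QR code, triage the URL it carries, and watch what the harvester contacts when a throwaway credential is submitted. The Python below is an added example, not AT&T's tooling or anything from the original post, that performs the last two steps on an already-decoded payload (decoding itself is left to a phone or a tool such as zbarimg). The allowlist of Microsoft login hosts, the brand and lure token lists, the customer's "known business domain" and the captured request are constructed assumptions for illustration.

```python
"""Triage helpers for a quishing case: classify a decoded QR payload and
summarise the traffic seen when submitting throwaway credentials.

Added example, not AT&T's tooling. It assumes the QR code has already been
decoded (with a phone, zbarimg or similar) into a payload string; the host
allowlist, token lists and sample inputs below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Hosts on which a genuine Microsoft sign-in may land (illustrative allowlist).
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "account.microsoft.com",
}
# Brand and lure tokens commonly squeezed into lookalike hosts and paths.
BRAND_TOKENS = ("microsoft", "mcrsft", "msft", "office365", "o365", "outlook", "sharepoint")
LURE_TOKENS = ("mfa", "2fa", "auth", "login", "signin", "sign-in", "verify", "setup", "secure")


def refang(payload: str) -> str:
    """Undo common analyst defanging such as 'srvc1[.]info' or 'hxxps://'."""
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", payload.strip())
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def split_url(payload: str):
    """Return (host, path) for a QR payload.

    QR codes often carry a bare 'host/path' with no scheme; urlsplit would
    then put everything in .path, so a scheme is prepended first.
    """
    s = refang(payload)
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    return host, parts.path or "/"


def registrable_domain(host: str) -> str:
    """Last two labels of the host; enough for .com/.info lures (a real
    deployment would consult the public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_qr_payload(payload: str, known_business_domains=frozenset()):
    """Classify a decoded QR payload as 'allow', 'suspicious' or 'unknown'.

    Returns (verdict, reasons). A Microsoft-themed lure on a host that is
    neither an allowlisted login host nor a known business domain is the
    pattern seen in this case.
    """
    host, path = split_url(payload)
    if not host:
        return "unknown", ["payload is not a URL"]
    if host in LEGIT_LOGIN_HOSTS or host.endswith(tuple("." + h for h in LEGIT_LOGIN_HOSTS)):
        return "allow", ["allowlisted login host " + host]
    apex = registrable_domain(host)
    if apex in known_business_domains:
        return "allow", ["known business domain " + apex]
    lowered = (host + path).lower()
    reasons = []
    brand = [t for t in BRAND_TOKENS if t in lowered]
    lure = [t for t in LURE_TOKENS if t in lowered]
    if brand:
        reasons.append(f"Microsoft brand token(s) {brand} on non-Microsoft host {host}")
    if lure:
        reasons.append(f"credential/MFA lure token(s) {lure} in URL")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address used as host")
    if reasons:
        return "suspicious", reasons
    return "unknown", ["unrecognised host " + host + "; check registration age and reputation"]


def review_submit_traffic(harvester_host: str, requests, known_business_domains=frozenset()):
    """Summarise outbound requests captured (e.g. from the DevTools Network
    tab) while submitting throwaway credentials to the harvester.

    Each request is a dict with 'method', 'url' and 'status'. Returns a list
    of (host, method, status, note) for every host other than the harvester,
    so the analyst can see which third parties the page contacted.
    """
    findings = []
    for r in requests:
        host, _ = split_url(r["url"])
        if host == harvester_host:
            continue
        note = ("known business domain" if registrable_domain(host) in known_business_domains
                else "external third party")
        if r["method"].upper() == "POST":
            note += "; POST body may carry the submitted form"
        findings.append((host, r["method"].upper(), r["status"], note))
    return findings


if __name__ == "__main__":
    # Constructed inputs: the defanged URL from this case, a genuine Microsoft
    # login URL, and a bare payload as a phone camera would decode it.
    for p in ("srvc1[.]info/mcrsft2fasetup/index.html",
              "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
              "example.org/docs/onboarding.pdf"):
        print(p, "->", triage_qr_payload(p, {"example.org"}))
    # Constructed capture mirroring the single 404 observed in the case.
    captured = [{"method": "GET", "url": "https://logo.clearbit.com/email.com", "status": 404}]
    print(review_submit_traffic("srvc1.info", captured))
```

The payload triage deliberately handles the scheme-less strings that phone cameras decode, and refangs the bracketed form analysts write in reports, because both would otherwise parse with an empty host and silently pass. A "suspicious" verdict is a prompt to block the domain at the proxy and mail gateway and to sweep inboxes, not a final determination; an "unknown" verdict still warrants the registration-age and reputation checks the analysts performed on srvc1[.]info.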
Tags Tool, Threat, Stories
Rating ★★★★


The article does not appear to have been republished after its publication.


The article does not appear to be a repost of an earlier one.