One Article Review

Source: Proofpoint
Identifier: 8460375
Publication date: 2024-03-07 07:11:54 (viewed: 2024-03-07 16:07:22)
Title: Cybersecurity Stop of the Month: Detecting a Multilayered Malicious QR Code Attack
Text:

This blog post is part of a monthly series, Cybersecurity Stop of the Month, which explores the ever-evolving tactics of today's cybercriminals. It focuses on the critical first three steps in the attack chain in the context of email threats. The goal of this series is to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today's dynamic threat landscape.

Figure: The critical first three steps of the attack chain: reconnaissance, initial compromise and persistence.

So far in this series, we have examined these types of attacks:

- Business email compromise (BEC)
- EvilProxy
- SocGholish
- eSignature phishing
- QR code phishing
- Telephone-oriented attack delivery (TOAD)
- Payroll diversion
- MFA manipulation
- Supply chain compromise

In this post, we delve into a new and sophisticated QR code attack that we recently detected and stopped. It shows how attackers constantly innovate, and how Proofpoint stays ahead of the curve.

The scenario

Typically, in a QR code attack the malicious QR code is embedded directly in the email. Recently, however, attackers have come up with a new and sophisticated variation. In these multilayered attacks, the malicious QR code is hidden in what looks like a harmless PDF attachment. To slow down automated detection and confuse traditional email security tools, attackers add evasion tactics such as placing a Cloudflare CAPTCHA in front of the landing page. Tools that rely on traditional URL reputation detection therefore face an uphill battle in identifying these threats.

Proofpoint recently found one of these threats while conducting a threat assessment at a U.S.-based automotive company with 11,000 employees. The company's incumbent security tools, an API-based email security tool and its native security, both boasted QR scanning capabilities. Yet both classified the email as clean and delivered it to the end user.

The threat: How did the attack happen?

Here's a closer look at how the attack unfolded.

1. A deceptive lure. The email was designed to appear legitimate, and it played on the urgency of tax season. This prompted the recipient to open an attached PDF.

Figure: The initial email to the end user.

2. Malicious QR code embedded in the PDF. Unlike previous QR code attacks, the malicious URL in this attack was not directly visible in the email. Instead, it was hidden in the attached PDF. Given the ubiquity of QR codes, this might not have seemed suspicious to the recipient.

Figure: The attached PDF with the embedded QR code (obscured).

3. Cloudflare CAPTCHA hurdle. The attacker added another layer of deception: a Cloudflare CAPTCHA on the landing page behind the QR code URL, which further hides the underlying threat. This step was aimed at bypassing security tools that rely solely on analyzing a URL's reputation.

Figure: Cloudflare CAPTCHA on the QR code URL landing page.

4. Credential phishing endgame. Once the CAPTCHA was solved, the QR code URL led to a phishing landing page set up to steal user credentials. Stolen credentials can give a malicious actor access to a user's account to spread attacks internally for lateral movement, or externally to deceive partners or suppliers, as in supplier email compromise attacks.

Detection: How did Proofpoint prevent this attack?

Optical character recognition (OCR) and other QR code scanning techniques play a vital role in defending against QR code threats. But QR code scanning is only the mechanism used to extract the hidden URL. It does not by itself decide whether a QR code is legitimate or malicious.

Many tools, including the incumbent email security tools used by the automotive company, claim to parse QR codes and extract the URL for analysis. However, they lack the ability to scan URLs within an image embedded in an attachment.

Few tools have engineered the ability to apply in-depth URL analysis at a scale like Proofpoint's. Proofpo
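The post's point is that extracting a URL from a QR code and deciding whether that URL is malicious are two separate stages, and that an attachment whose image was never decoded is not "clean". The following added example (written for this review, not Proofpoint's code or a description of its product) sketches that separation with the Python standard library only. It assumes an external QR-decoding stage that hands back decoded URLs (passed in as `decoded_qr_urls`), a constructed stripped-down PDF carrying one image XObject, a hypothetical organisation allowlist and a hypothetical reputation lookup; the `.example` hostnames are placeholders. Reputation that is merely inconclusive is deliberately not treated as safe, because a CAPTCHA in front of the landing page means the URL alone says nothing about what lies behind it.

```python
import re
from urllib.parse import urlparse

# Minimal PDF indicators. A production scanner would use a full PDF parser; these
# regexes are only enough to show that an image-bearing attachment must reach a
# QR-decoding stage before any URL can be analysed at all.
OBJECT_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
IMAGE_XOBJECT_RE = re.compile(rb"/Subtype\s*/Image")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Constructed sample (not a real attachment): a cut-down PDF with one image
# XObject and no clickable link, mirroring the attachment described above.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im1 4 0 R >> >> >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 2 /Height 2 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 4 >>
stream
\x00\xff\xff\x00
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def pdf_indicators(pdf):
    """Count image XObjects and collect plain /URI link actions in a PDF."""
    objects = OBJECT_RE.findall(pdf)
    images = sum(1 for obj in objects if IMAGE_XOBJECT_RE.search(obj))
    uris = [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]
    return {"image_objects": images, "link_uris": uris}


def triage_url(url, allowlist, reputation):
    """Detection layer: decide what to do with one extracted URL.

    allowlist: set of hostnames the organisation trusts (hypothetical).
    reputation: dict hostname -> "malicious" | "clean" | absent (hypothetical lookup).
    Returns (verdict, reason).
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("block", "unparseable URL extracted from attachment")
    if host in allowlist:
        return ("allow", "host on organisation allowlist")
    if reputation.get(host) == "malicious":
        return ("block", "host has malicious reputation")
    # "Clean" or unknown reputation is not evidence of safety: the landing page
    # may sit behind a CAPTCHA, so the real destination cannot be judged from
    # the URL string. Hand it to behavioural (sandbox) analysis instead.
    return ("sandbox", "reputation inconclusive; needs behavioural analysis")


def assess_attachment(pdf, decoded_qr_urls, allowlist, reputation):
    """Combine the extraction layer (images present, QR codes decoded) with the
    detection layer (URL triage). decoded_qr_urls comes from an external
    QR-decoding stage that this example assumes exists.
    Returns (overall_action, findings)."""
    ind = pdf_indicators(pdf)
    findings = []
    for url in list(ind["link_uris"]) + list(decoded_qr_urls):
        verdict, reason = triage_url(url, allowlist, reputation)
        findings.append((url, verdict, reason))
    if ind["image_objects"] and not decoded_qr_urls:
        # An image nobody has decoded is exactly the gap the post describes:
        # "no URL found" must not be confused with "no URL present".
        findings.append(("<image xobject>", "needs_qr_decode",
                         "image present but not passed through QR/OCR extraction"))
    verdicts = {v for _, v, _ in findings}
    if "block" in verdicts:
        overall = "block"
    elif "sandbox" in verdicts or "needs_qr_decode" in verdicts:
        overall = "hold"
    else:
        overall = "deliver"
    return overall, findings


if __name__ == "__main__":
    # Constructed run: image present, QR stage decoded one URL behind a CAPTCHA host.
    print(assess_attachment(SAMPLE_PDF, ["https://captcha-front.example/verify"],
                            {"intranet.example"}, {}))
```

The two verdict paths worth noticing are the `needs_qr_decode` finding, which makes an image-only attachment a "hold" rather than a "deliver" even when no URL was found, and the `sandbox` default, which refuses to let an inconclusive reputation lookup stand in for a real judgement about the page behind the QR code.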