Source |
RiskIQ |
Identifier |
8524718 |
Publication date |
2024-06-24 14:46:29 (viewed: 2024-06-24 15:10:30) |
Title |
New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication |
Text |
#### Targeted Geolocations
- Eastern Europe
- Northern Europe
- Southern Europe
- Western Europe
- Middle East
- Central America and the Caribbean
- North America
- South America
#### Targeted Industries
- Financial Services
## Snapshot
EclecticIQ analysts discovered phishing campaigns targeting financial institutions using QR codes embedded in PDF attachments to direct victims to phishing URLs.
## Description
The attacks were facilitated by a Phishing-as-a-Service (PhaaS) platform called ONNX Store, which operates through Telegram bots. ONNX Store includes a two-factor authentication (2FA) bypass mechanism that intercepts 2FA requests, increasing the success rate of Business Email Compromise (BEC) attacks. The phishing pages mimic Microsoft 365 login interfaces, tricking targets into entering their authentication details.
EclecticIQ assesses with high confidence that ONNX Store is a rebranded version of the Caffeine phishing kit, discovered by Mandiant in 2022, based on overlapping infrastructure and Telegram advertisements. The Arabic-speaking threat actor MRxC0DER is thought to be the developer and maintainer of Caffeine, and likely provides client support for ONNX Store. ONNX Store offers various services via Telegram bots, including phishing templates, webmail services, and bulletproof hosting. It leverages Cloudflare to delay takedown processes and evade detection, using features such as CAPTCHA and IP proxying to shield the malicious sites.
ONNX Store distributes PDF documents with embedded QR codes that direct victims to phishing pages, often impersonating reputable services such as Adobe or Microsoft 365. Because the link is encoded in an image rather than as text, email controls that extract URLs from message bodies and attachments tend to miss it, and a victim who scans the code with a phone moves to a mobile device outside the organization's web filtering, which is why these lures are hard to detect. Most of the campaigns target financial institutions in the EMEA and AMER regions, including banks and credit unions. The phishing kit uses encrypted JavaScript to evade detection and captures 2FA tokens in real time, relaying them to the attacker. ONNX Store also provides bulletproof hosting, allowing cybercriminals to operate without the risk of shutdown. The broader implications of such toolkits include enabling credential theft and, downstream, ransomware attacks.
## Microsoft Analysis
## Detections/Hunting Queries
EclecticIQ published two YARA rules that can be used to identify potentially malicious domains or PDF files associated with ONNX Store.
HUNT_CRIME_ONNX_PHISHING_URL identifies patterns found on domains served through the ONNX Store API, such as its default error messages and Telegram support link. Note that its condition is `all of them`: all three strings must be present, so it flags hosts showing the default "API expired" error page rather than a live login lure, which makes it useful for mapping ONNX Store infrastructure but not for catching active phishing pages on its own.
```yara
rule HUNT_CRIME_ONNX_PHISHING_URL
{
    meta:
        description = "Searches for default ONNX Store API error"
        author = "Arda Buyukkaya"
        date = "2024-05-23"
        hash = "77e03c77a2bdbc09d5279fa316a35db0"
    strings:
        $contact_link = "https://t.me/ONNXIT"
        $support_message = "Please contact ONNX SUPPORT"
        $expired_api = "Your API has been expired"
    condition:
        all of them
}
```
MAL_CRIME_ONNX_Store_Phishing_PDF_QR detects potentially malicious PDF files carrying QR codes, based on structural patterns of the PDF (header position and Type1 font objects) rather than on the QR image itself.
```yara
rule MAL_CRIME_ONNX_Store_Phishing_PDF_QR
{
    meta:
        description = "Detects potentially malicious PDFs based on structural patterns"
        author = "Arda Buyukkaya"
        date = "2024-05-17"
        hash = "0250a5ba26791e7ffddb4b294d486479"
    strings:
        $pdf = "%PDF-"
        $magic_classic = "%!FontType1-1."
        $magic_font = /obj\s*<<[^>]*\/Subtype\s*\/Type1/
        $magic_font2 = /obj\s*
```
The rule is cut off at this point in the source; its remaining strings and its condition are not reproduced here. The `<<[^>` inside `$magic_font` is missing from the extracted text and is restored here on the assumption that it was dropped as if it were an HTML tag.
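The following is an added example, not code from EclecticIQ, RiskIQ or Microsoft: a dependency-free Python re-implementation of the string logic of the two rules above, run over constructed samples so the behaviour of each rule can be checked without yara-python. The HUNT rule's condition (`all of them`) comes from the page; the PDF rule's condition is cut off in the source, so the PDF check below uses an assumed condition (PDF header within the first 1024 bytes plus at least one Type1 font indicator), and the Type1 font regex is assumed because the page's copy of it is damaged. All sample pages and PDFs are constructed for the example.

```python
import re

# Strings of HUNT_CRIME_ONNX_PHISHING_URL, verbatim from the rule on this page.
ONNX_ERROR_STRINGS = (
    b"https://t.me/ONNXIT",           # $contact_link
    b"Please contact ONNX SUPPORT",   # $support_message
    b"Your API has been expired",     # $expired_api
)


def hunt_onnx_phishing_url(body: bytes) -> bool:
    """Mirror of the rule's condition 'all of them': every string must occur."""
    return all(s in body for s in ONNX_ERROR_STRINGS)


# Visible strings of MAL_CRIME_ONNX_Store_Phishing_PDF_QR. The Type1 font
# object regex is an assumption: the page's copy of it is damaged.
PDF_HEADER = b"%PDF-"                   # $pdf
FONTTYPE1_CLASSIC = b"%!FontType1-1."   # $magic_classic
TYPE1_FONT_OBJECT = re.compile(rb"obj\s*<<[^>]*/Subtype\s*/Type1")  # $magic_font (assumed)


def pdf_structural_indicators(data: bytes) -> dict:
    """Report which of the rule's visible indicators are present in a PDF blob."""
    return {
        "pdf_header_in_first_1024": PDF_HEADER in data[:1024],
        "fonttype1_classic": FONTTYPE1_CLASSIC in data,
        "type1_font_object": TYPE1_FONT_OBJECT.search(data) is not None,
    }


def mal_onnx_pdf(data: bytes) -> bool:
    """Assumed condition (the rule's own condition is cut off in the source):
    a PDF header near the start plus at least one Type1 font indicator."""
    ind = pdf_structural_indicators(data)
    return ind["pdf_header_in_first_1024"] and (
        ind["fonttype1_classic"] or ind["type1_font_object"]
    )


# --- Constructed samples (not real ONNX Store artefacts) --------------------

# A page in the shape of the default "API expired" error the HUNT rule targets.
SAMPLE_EXPIRED_PAGE = b"""<html><body>
<h2>Your API has been expired</h2>
<p>Please contact ONNX SUPPORT: <a href="https://t.me/ONNXIT">@ONNXIT</a></p>
</body></html>"""

# A live lure page shows a login form, not the error text: only one of the
# three strings is present, so the HUNT rule does not fire on it.
SAMPLE_LURE_PAGE = b"""<html><body><form action="/login">
<input name="password"><!-- support: https://t.me/ONNXIT -->
</form></body></html>"""

# A minimal PDF with a Type1 font dictionary, enough to trip the structural check.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# A PDF-looking blob without font objects: header only, so it does not match.
SAMPLE_PLAIN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"


def scan(name: str, data: bytes) -> dict:
    """Run both checks over one artefact and return the verdicts."""
    return {
        "name": name,
        "hunt_onnx_phishing_url": hunt_onnx_phishing_url(data),
        "mal_onnx_pdf": mal_onnx_pdf(data),
    }


if __name__ == "__main__":
    for name, blob in [
        ("expired-page.html", SAMPLE_EXPIRED_PAGE),
        ("lure-page.html", SAMPLE_LURE_PAGE),
        ("invoice.pdf", SAMPLE_PDF),
        ("plain.pdf", SAMPLE_PLAIN_PDF),
    ]:
        print(scan(name, blob))
```

The lure-page sample shows the caveat noted above: a page that embeds only the Telegram link does not satisfy `all of them`, so the HUNT rule is an infrastructure-mapping rule rather than a lure detector. For real files, replace the constructed blobs with the bytes read from a fetched page or a PDF attachment; the checks operate on raw bytes and need no parsing library.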
Notes |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Tool
Threat
Mobile
|