Home - The article:
Source |
RiskIQ |
Identifier |
8628075 |
Publication date |
2024-12-20 18:52:43 (viewed: 2024-12-20 19:09:31) |
Title |
WikiKit AiTM Phishing Kit: Where Links Tell Lies (Recycled) |
Text |
#### Targeted Industries
- Critical Manufacturing
- Healthcare & Public Health
## Snapshot
Researchers from TRAC Labs recently uncovered a phishing kit dubbed "WikiKit," which received its name for redirecting to Wikipedia pages when JavaScript is disabled or the phishing link is invalid.
## Description
Launched in October 2024, WikiKit campaigns have been observed impacting multiple industries, including automotive, manufacturing, and healthcare. The phishing kit uses Jimdosite-hosted landing pages that mimic corporate branding and prompt users to click on a link labeled "Review Document Here," redirecting them to credential harvesting pages.
Attackers use compromised corporate email accounts to distribute the phishing links, sometimes disguising them as legitimate Salesforce redirects to increase user trust. Victims who follow a link are presented with a CAPTCHA check before the credential prompt; the credentials they enter are validated and forwarded to the attackers' servers. The kit dynamically customizes the page with the victim's company logo and background to make it look legitimate.
WikiKit employs several techniques to evade detection, including tamper-resistant JavaScript that disrupts debugging attempts and hides non-default authentication methods. Because the kit operates adversary-in-the-middle (AiTM), the attackers use the stolen credentials to bypass multi-factor authentication, then redirect victims to what appear to be legitimate Microsoft 365 or Outlook error pages. As of December 2024, the campaign continues to operate with consistent infrastructure and evasion tactics.
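The lure traits the write-up describes (a "Review Document Here" label, a destination on a Jimdo-hosted site, and links dressed up as redirects through a trusted service) can be folded into a simple mail-triage routine. The Python below is an added example, not TRAC Labs' or Microsoft's code. It assumes that Jimdo-hosted landing pages sit under the `jimdosite.com` suffix and that the disguised redirect takes the common open-redirect shape of a full URL carried in a query parameter; the write-up names neither detail. The mail fragment is constructed, and `example-crm.test` stands in for whatever trusted redirector the attacker abuses.

```python
"""Triage helper for AiTM lure links (added example, not the kit's or the researchers' code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumption: Jimdo-hosted landing pages live under this suffix. The write-up
# only says "Jimdosite-hosted"; extend the tuple if you know other suffixes.
SITE_BUILDER_SUFFIXES = (".jimdosite.com",)

# The lure label reported for WikiKit, matched loosely.
LURE_TEXT = re.compile(r"review\s+document", re.I)

# Constructed sample: two lure links and one benign internal link.
SAMPLE_MAIL = """
<p>Please see the agreement for signature.</p>
<a href="https://example-corp.jimdosite.com/">Review Document Here</a>
<a href="https://redirect.example-crm.test/?url=https://acme-docs.jimdosite.com/">Review Document Here</a>
<a href="https://intranet.example.test/policies">Company policies</a>
"""


@dataclass
class Finding:
    href: str
    text: str
    reasons: list[str] = field(default_factory=list)


class _LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def embedded_redirect_target(url: str) -> str | None:
    """Host of a URL smuggled in the query string (open-redirect shape).

    Returns None when no query value is a URL, or when the embedded URL points
    back at the same host (a same-site 'next' parameter is not a redirect lure).
    """
    parts = urlsplit(url)
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            inner = urlsplit(value)
            if inner.hostname and inner.hostname != parts.hostname:
                return inner.hostname
    return None


def triage_links(html: str) -> list[Finding]:
    """Return every link that shows at least one WikiKit-style lure trait."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings: list[Finding] = []
    for href, text in parser.links:
        finding = Finding(href, text)
        host = (urlsplit(href).hostname or "").lower()
        if host.endswith(SITE_BUILDER_SUFFIXES):
            finding.reasons.append("site-builder host")
        target = embedded_redirect_target(href)
        if target:
            finding.reasons.append(f"redirect to {target}")
            if target.lower().endswith(SITE_BUILDER_SUFFIXES):
                finding.reasons.append("redirect lands on site-builder host")
        if LURE_TEXT.search(text):
            finding.reasons.append("document-review lure text")
        if finding.reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_links(SAMPLE_MAIL):
        print(f"{f.href!r} [{f.text}]: {', '.join(f.reasons)}")
```

The anchor-text check is deliberately weak on its own; a document-review label is common in legitimate mail. What makes the finding actionable is the combination with a site-builder destination or with a redirect whose final host is not the trusted service the link appears to go through, which is exactly where the "links tell lies."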
## Recommendations
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo) merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically [identify and block](https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen) malicious websites, including those used in this phishing campaign.
- [Require multifactor authentication (MFA).](https://learn.microsoft.com/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication) While AiTM phishing attempts to circumvent MFA, MFA remains an essential pillar of identity security and is highly effective at stopping a variety of threats.
- Leverage more secure implementations such as FIDO Tokens, or [Microsoft Authenticator](https://www.microsoft.com/security/mobile-authenticator-app) with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
- For more granular control, enable conditional access policies. [Conditional access](https://learn.microsoft.com/entra/identity/conditional-access/overview) policies evaluate sign-in requests using additional identity driven signals like user or group membership, IP location information, and device status, among others, and are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.
- Implement [continuous access evaluation](https://learn.microsoft.com/entra/identity/conditional-access/concept-continuous-access-evaluation).
- Turn on [Safe Links](https://learn.microsoft.com/defender-office-365/safe-links-about) and [Safe Attachments](https://learn.microsoft.com/defender-office-365/safe-attachments-about) for Office 365.
- Enable [Zero-hour auto purge (ZAP)](https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
- Run endpoint detection and response [(EDR) in block mode](https://l
Tags |
Spam
Malware
Tool
Threat
Mobile
Medical
Reruns of the article (1):
Source |
RiskIQ |
Identifier |
8627768 |
Publication date |
2024-12-20 01:01:31 (viewed: 2024-12-20 02:08:22) |
Title |
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces |
Text |
#### Targeted Geolocations
- United States
- Canada
- United Kingdom
#### Targeted Industries
- Consumer Retail
- Critical Manufacturing
- Financial Services
- Other business entities
- Consulting Services
## Snapshot
Researchers from Sophos released a report detailing the disruption of the prolific phishing-as-a-service (PaaS) platform Rockstar2FA and the surge from a similar PaaS platform, dubbed FlowerStorm.
## Description
According to Sophos, Rockstar2FA's infrastructure suffered a significant technical failure in November 2024, with phishing pages and command-and-control Telegram channels going offline. This disruption was not due to a takedown but appears to stem from backend issues.
Following Rockstar2FA's collapse, Sophos researchers began to observe an increase in activity from FlowerStorm. FlowerStorm shares many features with Rockstar2FA, such as the format of its phishing portal pages and the way they connect to the backend server. Both platforms show similarities in their HTML structure and domain registration patterns, suggesting a shared ancestry or operational overlap. FlowerStorm has, however, introduced minor variations in its phishing methods, such as unique subdomain names and field responses.
FlowerStorm's users have primarily targeted victims in North America and Europe, with the US accounting for 60% of observed attacks. The service industry, particularly organizations that offer engineering, construction, real estate, and legal services, has been heavily impacted. Despite its rapid adoption, FlowerStorm's operations have been marred by technical errors, which have given researchers valuable insight into its backend infrastructure.
While direct links between Rockstar2FA and FlowerStorm remain unconfirmed by Sophos, their shared characteristics and operational trends hint at a potential connection. The decline of Rockstar2FA and the rise of FlowerStorm may reflect a strategic pivot, personnel changes, or disruptions in shared infrastructure.
## Recommendations
- Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. [Microsoft Defender for Office 365](https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-security-center-mdo) merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically [identify and block](https://learn.microsoft.com/deployedge/microsoft-edge-security-smartscreen) malicious websites, including those used in this phishing campaign.
- [Require multifactor authentication (MFA).](https://learn.microsoft.com/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication) While AiTM phishing attempts to circumvent MFA, MFA remains an essential pillar of identity security and is highly effective at stopping a variety of threats.
- Leverage more secure implementations such as FIDO Tokens, or [Microsoft Authenticator](https://www.microsoft.com/security/mobile-authenticator-app) with passkey. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
- For more granular control, enable conditional access policies. [Conditional access](https://learn.microsoft.com/entra/identity/conditional-access/overview) policies evaluate sign-in requests using additional identity driven signals like user or group membership, IP location information, and device status, among others, and are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.
- Implement [continuous access evaluation](https://learn.microsoft.com/entra/identity/conditional-access/concept-continuous-access-evaluation).
- Turn on [Safe Links](https://learn.microsoft.com/defender-office-365/safe-links-about) and [Safe Attachment
Tags |
Spam
Malware
Tool
Threat
Mobile
Cloud
Technical
The article does not appear to have been rerun from an earlier one.