Identity-based Attack

Forecasting the Cyber Threat Landscape: What to Expect in 2025

2024 marked a pivotal shift in the cyber threat landscape, with threat actors increasingly experimental, yet intentional in their approaches to cyberattacks. Leveraging new and emerging technologies to weaponise trust and further lower the barrier to entry for cybercriminals, we anticipate no less for 2025. Based on PwC Dark Lab’s observations throughout 2024, we share our assessment of the potentially most prevalent threats and likely emerging trends for this year.

Identities will continue to be the primary target for threat actors, resulting in a gradual rise of infostealer infections and credential sales on the dark web

Hong Kong saw a 23% rise in infostealer infections in 2024, further reflected in our incident experience, as infostealers and leaked credentials persisted as a frequent root cause in cyberattacks. We assess this growth in infostealer usage is given the wider trend observed, whereby threat actors of varying motivations have increasingly shifted focus to identity-based attacks.

Through our ongoing dark web monitoring, we observed threat actors have become increasingly deliberate in their weaponisation of infostealers – intentionally targeting specific types of data during collection. This is as reflected in the uptick of network access sales for SSH, VPN, firewall, and cloud. We posit that credentials and database sales will remain a hot commodity within the dark web marketplaces given they allow for easy entry. Furthermore, we observed that data sales are not always need to be associated with an active data breach – as we repeatedly observe threat actors farming data from organisations’ exposed libraries, directories, publicly released information, as well as historically leaked data on the dark web – to publish as a single data dump on the dark web. We posit this repurposing and collating of already available information is performed by threat actors as a means to establish their reputation on dark web hacking forums.

As witnessed in our incident experience and open-source reporting, threat actors now target individuals’ personal devices with the intention to obtain access to enterprise environments. Thiswas most recently evidenced Cyberhaven’s Chrome extension security incident, whereby a phishing attack resulted in attacker takeover of their legitimate browser extension. Replacing the extension with a tampered, maliciously-embedded update designed to steal cookies and authenticated sessions, the extension was automatically dispensed to approximately 400,000 users.[1] In a previous incident, we observed that the victim organisation was compromised as a result of an infostealer deployed on their employee’s personal, unmanaged laptop, leading to the obtaining of valid corporate credentials and subsequent corporate compromise. We anticipate that threat actors will continue to adopt new means to distribute and weaponise infostealers at mass to collect valid identities to initiate their attacks.

Cybercriminals will exploit any means to deliver malware, with Search Engine Optimisation (SEO) being a good mode for compromise – bringing potential reputational damage

Search Engine Optimisation (SEO) plays a crucial role in today’s digital society, enabling visibility and accessibility of websites to seamlessly connect users with the most relevant information. As such, it’s no surprise that SEO has become a growing driver in malicious campaigns. Be it directing users to malicious sites impersonating legitimate brands, spreading of disinformation, or compromising legitimate websites to benefit from their SEO results, threat actors have continuously refined their means to weaponise, or ‘poison’, SEO.

SEO poisoning involves the manipulation of search engine results to direct users to harmful websites. This may be achieved via the use of popular search terms and keywords to increase their sites’ ranks, mimicking of legitimate websites, typosquatting, and/or leveraging cloaking and multiple redirection techniques. Recently, we observed public reports regarding the distribution of a novel multipurpose malware, PLAYFULGHOST, distributed as a trojanised version of trusted VPN applications via SEO poisoning techniques.[2] In other cases, we observe threat actors installing ‘SEO malware’ on compromised websites – designed to perform black hat SEO poisoning, whereby search engines display the attackers’ malicious webpages as though they were contained within the legitimate, compromised website.[3]

In mid-2024, PwC’s Dark Lab have observed a sharp uptick in phishing sites masquerading as online gambling operators. Targeted against users in Southeast Asia, we assessed this is likely due to regional crackdown on online gambling – as evidenced in Philippines’ ban of Philippine Offshore Gaming Operators (POGOs). A notable instigator for the ban on POGOs was the shift into illicit scamming activities by POGOs following the impact of COVID-19 (e.g., online fake shopping, cryptocurrency, and investment scams).[4] As we observe further crackdowns within the region, we anticipate a growth in SEO campaigns pushing online gambling phishing sites, preying on unsuspecting, or vulnerable users. Furthermore, this reflects on how threat actors continue to opportunistically weaponise current events to their benefit.

Growth in identity-based attacks highlights threat of domain abuse and need for stringent governance of top-level domains (TLDs)

The topic of internet hygiene has come to our attention amidst the significant uptick in the amount malicious sites impersonating local Hong Kong brands. Globally, the landscape of domain registration has become increasingly under question due to the ease and anonymity with which domains can be purchased, facilitated by the lack of regulations surrounding Know Your Customer (KYC) processes. This has fostered a favourable environment for malicious actors to disguise their infrastructure, gaining trust via ‘reputable’ top-level domains (TLDs). Whilst some TLDs like [.]xyz and [.]biz are widely regarded as ‘untrustworthy’, we observe commonly trusted TLDs [.]com and [.]top persist as the two most abused TLDs in 2024.[5]

DNS abuse can take many forms, though ICANN defines it as; botnet, malware delivery, phishing, pharming, and spam.[6] Distributed Denial of Service (DDoS) is an example of an ever-present DNS-related threat increasingly observed in 2024, with the motivations behind these attacks being hacktivist in nature and correlating with major geopolitical events (e.g., elections, ongoing tensions). We anticipate a continuation of geopolitical-motivated DDoS attacks in 2025, as threat actors recognise the success that may be achieved through these attacks; being reputational damage and heightened visibility towards their hacktivist cause. In Q2 2024, we uncovered an active campaign masquerading as multiple local brands including Mannings and Yuu using typosquatted domain names registered to [.]top, [.]shop, and [.]vip TLDs. This campaign revealed how customised attacks against individuals are becoming; targeting of personal data now spans beyond credential harvesting – further collecting a broader set of attributes such as the device you are using, user location, behaviour patterns, and even loyalty program details. As highlighted during our 2024 Hack A Day: Securing Identity, identity is now contextual – collecting various attributes or ‘unique identifiers’ to build your holistic identity-profile.

Through PwC Dark Lab’s ongoing efforts to safeguard Hong Kong citizens, we foresee a need for more structured and regular analysis of generic TLDs (gTLDs) – e.g., [.]com, [.]top and country code TLDs (ccTLDs) – e.g., [.]com.hk, [.]hk. To proactively identify and mitigate against these active threats, we anticipate that in the longer run, governance is necessary to enforce and ensure adherence on registrars. This includes intelligence-driven ongoing detection, establishing consistent definitions, uplifting KYC validations, and appropriate procedures to handle known-bad domains. With over 96% of Hong Kong’s population (aged 10 or above) using the Internet[7], it is crucial that registrars collaborate in the collective goal to secure the internet and disrupt threat actors’ infrastructure supply.

Sophistication of social engineering scams will amplify as threat actors ‘smish’, abuse legitimate services, and weaponise automation intelligence

As organisations worldwide have invested efforts into hardening their security posture, we observe threat actors adapting their attacks to find alternative means to bypass the heightened defences. SMS phishing (“smishing”) has become increasingly tailored in response to heightened user awareness. In some cases, we have observed smishing messages no longer containing links, only phone numbers – suggesting a preference to perform voice call phishing (“vishing”) as a means of increasing their chances of success. Beyond abuse of trusted identities, we observe threat actors weaponising legitimate services to disguise their malicious traffic behind legitimate sources.

In Q4 2024, we observed an unknown threat actor leverage multiple trusted domains in Hong Kong to front their Cobalt Strike Beacon C2. Domain fronting is a technique used to disguise the true destination of Internet traffic by using different domain names in different layers of an HTTPS connection to route traffic through a legitimate and highly trusted domain. Similarly, we have observed the use of legitimate platforms such as Ticketmaster and Cloudflare to host phishing sites. In another context, our global counterparts have observed advanced persistent threat (APT) actors utilising TryCloudflare tunnels to stage malware and circumvent DNS filtering solutions. We project that threat actors will continue to experiment with different, legitimate platforms to find means to facilitate their attacks.

As observed since the emergence of ChatGPT in late 2022, generative artificial intelligence (AI) has enabled threat actors to craft highly convincing, tailored social engineering contents at scale. This was observed in 2024, as the U.S. Federal Bureau of Investigation (FBI) observed a surge in AI-driven financial fraud, leveraging GenAI to generate convincing phishing emails, social engineering scripts, and deepfake audio and video to deceive victims.[8] We predict that the application of AI by cybercriminals will expand beyond content generation to automate vulnerability exploitation, malware distribution and development, and AI-enabled ransomware. On the flipside, as the integration of AI into business processes rises, the need to secure these AI systems will continue to mount.

The ransomware landscape will continue to diversify, weaponising emerging technologies, trusted identities and services to increase their chances of success

2024 was a transformative year for the ransomware landscape, following continued disruptions of the LockBit Ransomware-as-a-Service (RaaS) operations by international law enforcement agencies, and BlackCat’s alleged exit scam. These occurrences resulted in heightened scepticism, posing an opportunity for new ransomware actors to enter the market. As new groups arise, we observe them increasingly experimental in their approaches to ransomware attacks – both through the Techniques, Tactics, and Procedures (TTPs) used and their malware offerings – diversifying the threat of ransomware.

We anticipate that 2025 will see a continuation of this trend, with an increased focus on weaponising trusted identities and legitimate services to increase their chances of success. Infostealers and Initial Access Brokers (“IABs”) will likely persist as a growing infiltration vector for ransomware affiliates, as we project increased targeting against systems likely to house sensitive information to enable rapid “smash and grab” attacks, such as cloud, Software-as-a-Service (SaaS), and file transfer platforms. Target systems for ransomware encryption are expected to further expand – as we already observed in mid-2024, with threat actors increasingly developing custom strains to target macOS and Network Attached Storage (NAS). This is evidenced in the recent discovery following the arrest of a LockBit developer that the group are working on tailored variants to target Proxmox and Nutanix; virtualisation service providers.[9]

Furthermore, we have observed discussion within the cybersecurity community regarding “quantum-proof ransomware”. As quantum computing develops, we hypothesise that ransomware operators will leverage the technology to harden their encryption processes and eliminate opportunities for victims to decrypt their data without the attacker-provided decryptors. On the other hand, we observe “harvest now, decrypt later” repeatedly referenced in these discussions, as researchers anticipate threat actors will weaponise quantum computing to enable mass decryption of previously stolen information. We further suspect that this may lead to attackers collecting and storing data from recent attacks even if unable to crack in the meantime. This poses a threat to existing victims of ransomware attacks, given the potential for ransomware actors to recover highly sensitive information and repurpose their past attack to extort victims and/or sell databases on the dark web.

Recommendations to Secure Your 2025

As we enter 2025, there is no telling with certainty what threats lie ahead. However, our experiences from 2024 have provided valuable lessons on how organisations can continue to strengthen their defences against ever-evolving threats.

Reduce your “low hanging fruit”. Monitor, minimise, and maintain visibility of your attack surface exposure to proactively identify and remediate potential security weaknesses that may expose you to external threats.
- Enforce 24×7 dark web monitoring to swiftly detect and mitigate potential threats, ensuring early detection of compromised data, i.e. leaked credentials from infostealer dumps.
- Extend 24×7 monitoring to social media listening, and brand reputation monitoring to identify mentions or impersonation attempts of your organisation, which may be indicative of potential or active targeting against your organisation.
- Adopt an offensive approach to Threat and Vulnerability Management (TVM) to achieve real-time visibility of your attack surface through autonomous, rapid detection and remediation against emerging threats.[10] This further allows for the discovery of shadow IT, which may otherwise fall under the radar and pose threats to your organisation.
- Periodically review your asset inventory, ensuring Internet-facing applications, exposed administrative ports, and non-production servers are intended to be publicly accessible, are appropriately configured, and segmented from your internal network. Ensure Internet-facing applications are regularly kept up-to-date, and prioritised in your patch management process.
- Leverage canary tokens both on the external perimeter and internal environment to detect unauthorised attempts to access your environment and/or resources. Further, leverage the canary token detection alerts to provide insight into the types of threats actively targeting your organisation and what services and/or data they seek to access.[11]

Uplift identity security and access control. 2024 showed no signs of threat actors weaponising identities, and shed light on the importance of account housekeeping and appropriate access control provisioning.
- Govern and provision appropriate access controls and permissions following the principle of least privilege for all users. Ensure access is conditional and restricted only to the resources necessary for a user to perform their job functions. This includes enforcement of strong authentication mechanisms, such as strong password policies, multi-factor authentication (MFA), role-based access controls (RBAC), and continuous behavioural-based monitoring to detect anomalous behaviour.
- Review and uplift the process for managing credentials, particularly in the case of offboarding or unused accounts. This includes timely revocation of access (termination of account), password changes for any shared accounts the employee had access to, and ensuring the offboarded member’s MFA mechanism is no longer linked to any corporate accounts.
- Log, audit, and monitor all privileged account sessions via real-time monitoring, facilitated by Privileged Access Account (PAM) and Privileged Account and Session Management (PASM) solutions.

Protect your “crown jewels”. As threat actors become increasingly intentional in the systems and data they target, it is crucial that organisations identity, classify, and secure the critical systems most likely to be targeted.
- Leverage threat intelligence and continuous monitoring of your attack surface (e.g., canary tokens) to identify the systems actively being targeted by threat actors.
- Prioritise systems hosting critical data (e.g., file transfer systems) with layered preventive and detective strategies to safeguard data (e.g., Data Loss Prevention (DLP)).Regularly perform risk assessments against critical systems to evaluate the current state of its cybersecurity posture, and harden accordingly.
- Regularly perform risk assessments against critical systems to evaluate the current state of its cybersecurity posture, and harden accordingly.
- Review and uplift the lifecycle of data, including considerations of;
  - Where data is being shared?
  - Who has access, including consideration of third-party risks posed by vendors’ access to internal data?
  - What internal policies are enforced to govern staff on the handling of data? For example, no sharing of internal data via external communication channels such as WhatsApp.

Manage your “unknown” risks. Unmanaged devices, shadow IT, and third-party risks continue to pose significant threats to organisations, introducing potential opportunities for threat actors to exploit for infiltration and/or access to your sensitive data.
- For unmanaged devices;
  - Develop a Bring Your Own Device (BYOD) policy to govern the use of personal devices allowed to access the corporate network, including guidelines to enforce use of strong passwords and encryption. Regularly perform user awareness training to ensure understanding and adherence with guidelines and best practices.
  - Consider implementation of a Mobile Device Management (MDM) or Endpoint Management solution to gain visibility and control over all devices connect to your network.
  - Isolate unmanaged devices from critical network segments to minimise potential damage and access to resources.
- For shadow IT;
  - Ensure that only authorized personnel can create and publish webpages. Use role-based access controls to limit who can make changes to corporate web assets.
  - Consider use of a Content Management System (CMS) that requires approval from dedicate personnel(s) prior to webpage launch to ensure all webpages comply with security standards.
  - Conduct regular audits to identify unauthorized webpages and monitor for any new web assets that appear without proper authorization. Use automated tools to scan for shadow IT activities.
- For third-party risks;
  - Perform thorough due diligence to vet third-party vendors and fourth-party vendors through vendor risk management and ongoing monitoring. This includes assessment of their vulnerability management processes, security controls, and incident response capabilities.
  - Implement robust vendor management program that includes regular assessments, audits, and contractual agreements that define security requirements and expectations.
  - Restrict third-party access to specific network segments, enforcing the principle of least privilege alongside stringent access controls.

Counter the threat of DNS abuse. As threat actors increasingly abuse DNS infrastructure to enhance the capabilities of their attacks, it is crucial that organisations and registrars maintain awareness of the latest threats.
- For individuals and organisations; maintain awareness of the threat of DNS abuse, including visibility of which registrars should be perceived as higher-risk, and continuous tracking of DNS-related threats.
- For registrars, we recommend reviewing and uplifting the Know Your Customer (KYC) process, and establishing continuous monitoring to proactively flag DNS abuse. Monitoring would cover DNS/WHOIS data, combined with community reports of suspicious domains (e.g., via VirusTotal, URLScan, etc.).
- For ICANN, we recommend to lead the industry; establish and enforce the governance and security key risk indicators (KRIs) on whether registrars are in compliance; what are the penalties; what are the trends of threat actors, and how the registrars and organisations should detect, respond, and recover.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Petty Thefts in Cybersecurity

Posted on August 12, 2024 by darklabhk

The term “data breach” has been engrained into the memories of board level executives to security engineers in the last few years. Typically referring to confidential or sensitive information being compromised by threat actors, we associate the term with all-out intrusions – from initial access from an exposed perimeter, to post-compromise activities aimed at facilitating the end goal of data exfiltration, often prior to ransomware deployment.

However, this trend is shifting. PwC’s Dark Lab describes an alarming trend of data breaches associated with a subset of cyberattacks targeting data platforms and web applications. We responded to multiple local incidents over the past few months in which less sophisticated threat actors operate on a smaller, yet impactful scale – such as the unauthorised access to a single system – to exfiltrate data and post on the dark web for financial gain. This still achieved significant reputation and legal implications due to the sensitive nature of the data, and aligns with our 2024 trends in which we observe independence from traditional Ransomware-as-a-Service (RaaS) groups and lowering of accessibility for threat actors to enter the cybercrime market.

A shift in focus – speed valued with single extortion the endgame

PwC’s Dark Lab monitors social media, cybercrime forums, ransomware leak sites, and various open-sources of threat intelligence. These data points not only give us good insight on the threat actors’ tactics, techniques and procedures (“TTPs”), but more importantly their behaviours from holistic view.

While in past years most of these would take form of a listing of the victim on a ransomware leak site, we now see an increasing shift to data being published in cybercriminal forums for low prices or even free to ‘boost’ threat actors’ reputation. Performed by threat actors we categorise as “commodity criminals”, stolen data can take multiple forms; ranging from a full dump of structured data from a database, to an excel spreadsheet with customer data, or purely a CSV file with user information – either leaked for free or offered for sale.

Less sophisticated than their cybercriminal counterparts, commodity criminals have carved a niche for themselves in performing “smash and grab” or “petty theft” attacks; exfiltrating sensitive information and listing on the dark web at pace. Whilst these threat actors and their attacks are not new, we assessed this trend of increasing “petty thefts” is aligned with our hypotheses from our 2024 Cyber Threat Landscape blog post.[1]

Firstly, we observe an expansion of the vulnerability “classes” exploited for initial access beyond Common Vulnerabilities and Exposures (CVEs) to misconfigurations, exposed administrative portals, and unintended exposure of remote services. Secondly, focusing on the RaaS landscape, we observe an increase in the crowdsourcing of efforts by ransomware affiliates; leveraging the specialisation of commodity criminals (e.g., Initial Access Brokers) to accelerate the speed and complexity of their attacks. Thirdly, the continuous shift to identity-based attacks has led to increasing demand for network access sales to expedite intrusions. We reference two recent incident response cases from 2024 to exemplify such “petty thefts”.

Case Study Number 1: Intrusion Through Exposed Credentials

Dark Lab recently responded to a significant data breach incident, involving the extraction of data from a public-facing admin portal of the victim’s Content Management System (CMS). The CMS served as the maintenance portal for the victim’s third-party development vendor. However, the customisation for business operations also introduced a number of significant vulnerabilities, including sensitive directory and configuration files exposure.

Inadequate security controls such as the lack of multi-factor authentication(MFA) or geo-fencing, enabled the threat actor to access and export the data from the CMS, including the source code and backup copies of database from the backend components. Although the attack did not result in any disruption of the victim’s operations, the threat actor published the compromised data for sale on a dark web hacking forum a few days after the attack.

Our investigation revealed that the end-to-end attack had completed in under an hour, with minimal interactions with the website by the threat actor, apart from the data export, and without the deployment of malware, or exploitation of vulnerabilities. We further supported the victim to put in place security controls including MFA and geofencing, and formulate a strategic approach to detect anomalies and deviation in access patterns specific to the CMS.

Case Study Number 2: Information Stealer Leaks Administrative Credentials of Web Application

Non-Profit Organisations (NGOs) are no stranger to falling victim to data breaches. In this incident, PwC responded to an incident whereby a threat actor gained initial access to the learning platform of a local NGO. We assessed with moderate confidence that the threat actor gained access via the use of leaked credentials, due to a lack of evidence suggesting activities such as brute-force or vulnerability exploitation.

During our investigation, we discovered the root cause to stem from the personal computer of a former employee of the victim, which had been compromised in late 2023 by the Lumma infostealer. The capabilities of the malware to extract stored credentials from browsers led to the leakage of the corporate credentials required for the initial access to the learning platform.

Lumma infostealer is a subscription-based Malware-as-a-Service (MaaS) offering that has been available since 2022, whilst the number of sightings of this malware being distributed on the dark web forum has been seen to be rising.[2] Cybercriminals leverage this malicious software to extract sensitive information for direct profit (e.g., network access sales), while others might choose to utilise the credentials for intrusions.

Forensic evidence suggests that whilst the leaked credentials were originally circulated on dark web forums in late 2023, they were only weaponised by the threat actor in mid-2024. Upon accessing one of the victim’s externally-facing servers using the valid account, the threat actor subsequently exploited a vulnerability to deploy a webshell to issue commands to the underlying system, as well as establishing a reverse shell for full, remote access. No notable further actions were observed; instead, the threat actor used the built-in export function of the learning platform to download user data including personal identifiable information (“PII”), all within 2.5 hours.

The information was posted for sale on a dark web forum shortly after the incident. Although there is no evidence connecting the threat actor with the sale, the format and content on the available sample data led us to assess that the data had originated from the learning platform. This incident showcases a prime example of a low-level capability threat actor causing a high impact attack.

Cybercriminal Market; A Wealth of (Malicious) Opportunity

The Cybercrime-as-a-Service (CaaS) market is an ever-growing industry of cybercriminals offering their malicious tools, techniques, and services to other cybercriminals who may not have the technical expertise to carry out sophisticated attacks on their own; or alternatively preferring to outsource portions of their attacks to focus efforts on achieving their objective. Through our continuous monitoring the CaaS ecosystem, we observe a notable uptick in the selling of data across various dark web forums and instant messaging channels. In March 2024 alone, 299+ million data records were compromised – a 58% increase from the prior month, and a further 613% year-on-year increase of data records compromised by threat actors.[3]

Whilst ransomware actors are not typically observed to frequent cybercrime forums, we observe ransomware groups broadening their means to achieve financial gain – particularly as the rate of victims obliging with ransom demands continues to dwindle. This is seen in the uprise of ransomware groups such as LockBit, Stormous, and Everest advertising network access sales on their dedicated leak site blogs, Telegram channels, as well as data leak sites.[4]

2023 saw the closure of multiple cybercriminal marketplaces, such as the law enforcement takedown of the notorious Genesis Market[5], voluntary closure of the TOR Market, and suspected ‘exit scams’ of Tor2Door[6] and Incognito[7]. As with all things, as a one door closes, another opens – new marketplaces emerge, existing ‘underdog’ marketplaces rise in popularity, and threat actors continue to innovate in their means of selling data.

Implications of a Data Breach

As the cybercriminal ecosystem evolves and the rise of “smash and grab” attacks intensify, it is crucial that organisations enhance their cyber resilience to defend against these not so “petty” thefts. This is evidenced in the average cost of a data breach being USD 4.88 million in 2023 – encapsulating the cost of operational downtime, loss of customer base, and cost of post-breach actions to enhance cyber resilience.[8] In the case of petty thefts, the most “immediate” cost acknowledged is that on an organisation’s reputation. Though, it is crucial to consider the legal and compliance consequences of such breaches.

Focusing locally, the June 2023 updates to the Hong Kong PCPD’s “Guidance on Data Breach Handling and Data Breach Notifications” have reinforced the severity in which data breaches should be treated. Whilst not mandated, the guideline sets a benchmark for the Personal Data (Privacy) Ordinance (PDPO) to determine if organisations subject to data breaches have met compliance requirements. This reiterates the sheer impact of data breaches, and the need for organisations to remain vigilant against threats of varying intents and capability.

Conclusion

While large cyberattacks shifts focus to the strategies in holistic defence, we observed tactics by less sophisticated cybercriminals to a simple yet effective means to impact company’s reputation and trust. Based on our observation in threat intelligence and dark web intelligence, this trend will likely continue with attacks of smaller scales becoming a threat to be considered. Remaining vigilant and adaptable in the face of evolving cyber threats is essential for companies of all sizes:

Widen the scope to monitor and minimise your attack surface to proactively identify and remediate potential entry-points. This should include;
- Enforce 24×7 dark web monitoring, social media listening, and brand reputation monitoring to identify mentions or impersonation attempts of your organisation, which may be indicative of potential or active targeting against your organisation.
- Adopt an offensive approach to threat and vulnerability management to achieve real-time visibility of your attack surface through autonomous, rapid detection and remediation against emerging threats.[9]
- Establish a structured process to attack surface management through stringent asset inventory management. This includes the discovery of Internet-facing assets (including on-premise and potentially, third-party-hosted assets), identification of the assets hosting critical data, and assessment and subsequent uplifting of the current security posture of these critical systems.
- Leverage bug bounty programs to crowdsource the expertise of ethical hackers to proactively identify otherwise unknown vulnerabilities or security weaknesses that could otherwise expose you to potential exploitation by malicious actors.

Strengthen identity security and access control. Our lessons learnt from case study two highlighted the importance of account housekeeping for unused accounts, particularly those assigned privileged access rights.
- Review and uplift the process for managing credentials, particularly in the case of offboarding or unused accounts. This includes timely revocation of access (termination of account), password changes for any shared accounts the employee had access to, and ensuring the offboarded member’s multi-factor authentication (MFA) mechanism is no longer linked to any corporate accounts.Log, audit, and monitor all privileged account sessions via real-time monitoring, facilitated by Privileged Access Account (PAM) and Privileged Account and Session Management (PASM) solutions.

Consider the role of cybersecurity in safeguarding data security. As the cybercriminal landscape shifts focus to data exfiltration and extortion, it is crucial to consider the interconnectedness between data privacy and the cyber threat landscape.
- Leverage threat intelligence and continuous monitoring of your attack surface to the critical data and systems hosting them, to assess systems and datasets with a heightened threat of targeting by malicious actors.
- Prioritise these systems hosting critical data with layered preventive and defensive protections to safeguard data (e.g., Data Loss Prevention (DLP).
- Conduct regular risk assessments against critical systems to evaluate the current state of your cybersecurity posture.
- Review and uplift the lifecycle of data, including considerations of;
  - Where data is being shared?
  - Who has access, including consideration of third-party risks posed by vendors’ access to internal data?
  - What internal policies are enforced to govern staff on the handling of data? For example, no sharing of internal data via external communication channels such as WhatsApp.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Tracking the proxy: a canary-based approach to locate users from Adversary-in-the-Middle Phishing

Posted on April 8, 2024 by darklabhk

As we step through a busy season of ransomware, financial scams involving deepfake, and sophisticated phishing campaigns, we continue to witness campaigns targeting enterprise users with Adversary-in-the-Middle (AiTM) attacks. As discussed in our previous blog post[1], AiTM leverages proxy-based toolkits such as Evilginx and EvilProxy. This technique has proven extremely effective, even in our red team assignments, in capturing credentials, and authenticated sessions.

In this article, we explore a use case in Microsoft 365, in which a feature has allowed opportunities to build a canary-based detection mechanism in an unconventional way. Inspired by the effectiveness of bug bounty programs in identifying vulnerabilities, this strategy aims to locate and mitigate the risks associated with AiTM attacks.

Understanding Adversary-in-the-Middle Attacks

Traditionally, in combating phishing and scams, our approach to protecting accounts in Microsoft 365 has revolved around the use of strong credentials and multi-factor authentication (MFA). These proved mostly effective against password brute-force and credential harvesting with fake phishing sites. Coupling this with new solutions such as Microsoft’s Intune or Mobile Device Management (MDM) applications, threat actors need to explore new ways of gaining access to their victims’ Microsoft 365.

AiTM attacks have proven to be extremely effective choice of technique leveraged by cybercriminals. We have previously covered use cases observed in phishing campaigns targeting our clients in Hong Kong, Macau, and in the region. This is because, unlike traditional phishing techniques, AiTM captures both the victims’ passwords, as well as valid login sessions cookie – another form of valid credentials. Threat actors have also explored new ways of using the compromised identities, not just to access confidential data from the victim’s mailbox, but also the data files on OneDrive and SharePoint.

From a defender’s perspective, it is difficult to identify individuals who has fallen victim to this kind of technique as, unlike traditional phishing, the victim is engaged in an interactive flow, supplying both credentials and any multi-factor authentication. The phishing site acts as an intermediatory internet reverse proxy, completing the authentication on the victim’s behalf and, capturing the materials in between. The diagram below illustrates a complete flow of how a threat actor can compromise the victim’s account.

Figure 1: Typical compromise flow of an AiTM attack

In general, detection of a compromised user account would require heuristics approaches (e.g. Microsoft’s Risky IP Address, or Impossible Travel) or detection of specific threat-actor activities (e.g. New-InboxRule). These are very effective in identifying anomalies in interactions with the mailbox, prompting additional investigations and mitigations with the downside being, in our experience, a late detection where the threat actor might have taken actions or information with the victim’s account.

The Canary-Based Approach to Detection

For those experienced in cyber defense, canaries are a familiar tool used to provide detection opportunities against specific behaviors. They act like tripwires or indicators which are designed to stand out in attack scenarios. A prime example is “honey accounts” in Active Directory environment, where a failed attempt to log in to this decoy account should warrant immediate attention to identify the source for potential behavior in the environment.

How can we do the same in our use case in M365? Going back to our drawing board, the authentication process in both normal and AiTM attack scenario involves interaction with the official Azure login page. Earlier this year, security researchers at IronPeak identified a feature in Azure called “Company Branding” which can enable such a detection mechanism.

The reader can follow the original blog post here.[2]

Company Branding is a feature that allows Azure administrators to apply branding to their login page by setting company logos, brand colors, and more through customising a cascading style sheets (CSS) file. A user browsing the login page will load the corresponding components referencing the style sheets. It is then possible, by introducing a single-pixel web-beacon as a CSS component, to capture referred request to the beacon, and identify if a user is falling victim to a phishing site.

Figure 2: Canary-based detection via CSS component

Setting up canary-URL for detecting AiTM

The section below outlines sample steps to configure a canary-based detection for AiTM attack on Microsoft 365 platform. This is based on the research conducted by IronPeak team.

To begin, download a copy of the template CSS file available from Microsoft.[3] Add the custom reference canary URL to the CSS file template and upload to the sign-in page.

Figure 3: Addition of custom reference canary URL to CSS template

Access the “Company Branding” section of Microsoft Entra admin center. Click “Edit” for the default sign-in, or corresponding sign-in pages.

Figure 4: Edit Company Branding in Microsoft Entra admin center

Select the “Layout” tab and upload the customised CSS file under the “Custom CSS” section.

The configuration will take effect during new login against M365 at the login page (e.g. https://login.microsoftonline.com).

Figure 6: Sample implementation of custom reference canary URL via CSS template

As a website is created in the detection site, a web server can be configured to capture the full request, including header values such as “Referrer”. Note that the existence of the requested file does not matter as we just needed the web service to capture the request. A sample set of logs is shown below.

47.39.x.x - - [03/Apr/2024:03:43:56 +0000] "GET /beacon.png HTTP/1.1" 404 197 "https://login.microsoftonline.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" "3.03" 174.102.x.x - - [03/Apr/2024:03:47:30 +0000] "GET /beacon.png HTTP/1.1" 404 197 "https://totally-not-phishing.site/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" "3.03" 185.240.x.x - - [03/Apr/2024:03:47:30 +0000] "GET /beacon.png HTTP/1.1" 404 197 "https://login.microsoftonline.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" "3.03"

The key point here is that the canary-URL is triggered when the user key in the email address i.e. the log is not indicative of an access session or credentials compromise. However, we can take steps to determine if an AiTM attack has taken place:

Determine if the URL specified in the “Referrer” field above exhibits behavior of an AiTM phishing portal
Review the Microsoft 365 logs to identify the actual user behind the IP address
If a successful authentication has matched the logs, we can determine that the user account has been compromised : perform the necessary mitigations e.g. revoke sessions, credentials reset, inbox rule cleanup, etc.

Faring against advance phishing kits

While this canary URL is effective against open-source, proxy-based phishing framework (e.g. Evilginx), there are other phishing toolkits which take a different approach in displaying contents to the victim. One example is the more advanced Phishing-as-a-Service (PhaaS) platforms, such as “Caffeine” or “Tycoon 2FA”.

In our research, these phishing kits are well-designed to hide from public scanners behind Cloudflare or other anti-DDoS pages. During interaction, they also behave differently by displaying pre-loaded components and styles from the official Microsoft 365 login pages to the user, while leveraging embedded JavaScript as the API engine with Microsoft 365 in authentication. In other words, the victim is not interacting directly with the official Microsoft 365 login page and thus, the custom CSS files as well as the canary-URL will not be triggered.

An example of such a page is shown below.

Figure 7: Sample phishing site with pre-loaded components and styles, and embedded JavaScript

This seems like a bypass of the canary-URL detection, but not all hope is lost.

Since we are using canary-URL to collect data for every access to the official Microsoft 365, the resulting data set can be compared against the Azure sign-in log. The analysis of data will still allow isolation of IP addresses in login records that security analysts should further conduct review.

Figure 8: Sample detection via canary-URL

Conclusion

In an era of increasingly sophisticated cyber threats, the detection of AiTM attacks is of paramount importance. The canary-based approach presents a proactive strategy to identifying victims in AiTM attacks. By combining dynamic canary URL and behavioral analysis, organisations can enhance their security posture and protect sensitive data from falling into the wrong hands.

Canary-based approach uses triggers to create new opportunities in attack detection. The Canary URL above targets anomalies as early as the authentication process, reduces the time-to-detect duration in AiTM attack, and allows for prompt response and mitigation.

This technique has proven effective in combating phishing toolkits such as Evilginx. As cybercriminals up their game with additional Phishing-as-a-Service frameworks, we shall continuously evaluate the limitations in our detection tricks and explore additional techniques or data-centric approaches to identify anomalies.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

The 2024 Cyber Threat Landscape

Posted on April 3, 2024 by darklabhk

2023 saw threat actors relentlessly innovating and specialising to remain sophisticated in speed and scale, through the use of automation intelligence, targeting against supply chains and managed service providers, and a shifted focus to identity-based attacks. As we ushered in the new year, we expected that these threats would continue to drive the cyber threat landscape in 2024 as threat actors continuously seek to outmanoeuvre defenders. In this blog, we outline Dark Lab’s expectations of the most prevalent issues in 2024, and validate that with observations from the first quarter of incident response insights and threat intelligence investigations.

Ransomware continues to evolve as affiliates seek independence from RaaS groups, weaponize supply chains, and crowdsource efforts by specializing in tradecraft

Ransomware attacks have surged, with a 65% increase in compromised victim listings observed in 2023. There are multiple reasons for this increase, such as the rapid exploitation of new and known vulnerabilities as well as managed service providers (MSPs) becoming prime targets due to their ability to launch downstream attacks on the MSP’s clients. However, we have observed other factors such as affiliates branching out to craft their own trade through specialization (e.g., leveraging crowdsourcing to procure credentials from Initial Access Brokers) and customization of ransomware tools. This is likely compounded by law enforcement efforts to dismantle prominent RaaS operators, such as Hive[1] in early 2023 and more recently BlackCat[2] and LockBit[3].

In 1Q 2024, we responded to an incident involving Mario ESXi ransomware strain. Consistent with other ransomware actors, the threat actor strategically targeted the victim’s backup systems to maximise damage and thereby increase their chances of receiving ransom payment. We assessed that the threat actor may be working with RansomHouse Ransomware-as-a-Service (RaaS) group to publish leaked data as part of their double extortion tactics. However, we had observed that RansomHouse collaborated with other opportunistic threat actors leveraging different strains of ransomware, such as 8BASE, BianLian, and White Rabbit. This specialization allows smaller threat actors to devote their limited resources to developing custom malware strains, potentially off leaked source code of other larger RaaS groups. For example, Mario ransomware utilised leaked Babuk code to develop the .emario variant to target ESXi and .nmario to target Network Attached Storage (NAS) devices.[4][5] We anticipate new, smaller RaaS groups in 2024, and a continued increase in ransomware attack volume.

Organisations must rethink how they define vulnerabilities as threat actors now leverage different “classes” to target their victims

Organisations have made efforts to mitigate the exploitation of Common Vulnerabilities and Exposures (CVEs) through timely patching and vulnerability management. However, opportunistic threat actors have adapted their attacks by targeting different “classes” of vulnerabilities, such as misconfigurations, exposed administrative portals, or unintended disclosure of sensitive information, as opposed to phishing as the ticket of entry for their attack.

In early 2024, we responded to a Business Email Compromise (BEC) incident in which there were two “classes” of vulnerabilities. First, the production web server had been misconfigured to expose the underlying directory listing; within that directory listing contained a configuration file (.env) that included plain text credentials of various email accounts. Second, those email accounts did not enable multi-factor authentication (MFA), which allowed the threat actor to login to Microsoft 365. Traditional penetration testing exercises may overlook these vulnerability “classes”, but threat actors have adapted their reconnaissance methods to identify these means of achieving initial access. It is crucial for organisations to rethink how they define vulnerabilities and consider any weakness that can be exploited by threat actors to gain access to their environment.

At the tail end of 1Q 2024, we observed a sophisticated supply chain attack unfold, as unknown threat actors attempted to inject malicious code into an open-source library.[6] Despite its assignment of a Common Vulnerabilities and Exposures Identifier, the “vulnerability” emphasises the heightened dependency on libraries and supply chain risks associated. Not only should these vulnerability “classes” be expedited for remediation, but they should also be treated as cyber-attacks given the nature of the impact. As this vulnerability “class” cannot be addressed through preventive or detective measures, it is crucial that organisations develop proactive response plans to enhance their cyber-readiness against such attacks. This includes maintaining asset inventories and cooperating with DevSecOps to identify impacted systems and containing the incident through patching and subsequent threat hunting.

Prioritise resources on securing identity, as this is becoming the most valuable and targeted asset

While organisations strengthen their security defenses through measures like rapid vulnerability patching and MFA enablement, threat actors would explore other means to bypass heightened controls. For example, phishing attacks once focused solely on obtaining valid credentials such as username and password. As MFA become more commonplace, threat actors had to shift their targeting to steal valid, authenticated sessions cookies that proves the victim’s ongoing and authenticated session within the website. Though adversary-in-the-middle (AiTM) has been observed at least since 2022[7], the adaptation has been rapidly accelerating, compounded by the availability of Phishing-as-a-Service toolkits to lower the technical entry thresholds of cybercriminals.

In 1Q 2024, we responded to two separate BEC incidents launched within days of each other against the same victim. While we were unable to confirm if they were two separate campaigns, they both harboured similar characteristics of AiTM attacks – such as the use of rented infrastructure in abnormal geographies to conceal true identity upon login; achieving persistence through manipulating inbox rules, deleting emails, and removing email notifications to hide suspicious actions; and impersonating the user as a trusted party to execute fraudulent transactions to internal users and external parties. This demonstrates the need to adopt a more robust security baseline to secure identities, including managing devices against a compliance profile together with innovative means to detect for AiTM attacks. Please look out for our upcoming blog post would elaborate the latest BEC incidents as well as our proprietary approach to detect and respond to AiTM attacks.

Artificial Intelligence (AI) is the new hype which both attackers and defenders are looking to weaponize

The emergence of AI has led to a significant wave of interest in how it can be leveraged in cybersecurity. From a threat actor’s perspective, we have observed since mid-2023 and throughout 1Q 2024 the use of AI in the form of “automation intelligence” to reduce the time to weaponize certain “classes” of vulnerabilities. For example, we have observed through our threat intelligence investigations that threat actors are rapidly generating new social media profiles to target unsuspecting victims. While their motivation and capabilities are unclear, it is evident they are exploring and fine-tuning their standard operating procedures due to potential operational security errors (e.g., use of male pronoun for a LinkedIn profile with a female picture, likely generated from AI). In other reports, we have observed that deepfakes have been utilized for financial gain, with one Hong Kong-based incident involving a digitally recreated version of its chief financial officer ordering money transfers in a video conference call.[8] It is likely that AI would be further adapted to be misused for various motivations.

This is a call for cyber defenders to explore how to weaponize AI to keep pace with threat actors. Machine learning techniques allow AI-embedded solutions to adapt to an organisation’s environment and distinguish between normal and anomalous behavioural activity. AI also has the potential to identify abnormal activity by regular users, indicating potential impersonation attempts or credential abuse, addressing the threat of identity-based attacks. Additionally, AI is employed in investigating and responding to incidents, as seen in solutions like Microsoft Copilot for Security, enables heightened efficiency and capabilities of defenders using generative AI. It is expected that AI will continue to uplift cybersecurity professionals by automating repetitive tasks, conducting analysis, proactively identifying threats, and accelerating knowledge acquisition.

Recommendations to Secure Your 2024

Whilst there is no telling for certain how the rest of 2024 will unfold, our 2023 experiences taught us invaluable lessons on how organisations can continue to harden their cyber security posture to adapt to the ever-evolving cyber threat landscape.

Continuously monitor and minimise your attack surface to proactively and rectify potential security weaknesses that may expose you to external threats and improve situational awareness to prioritise improvement areas in your cyber defense strategy.
- Regularly review your asset inventory, ensuring Internet-facing applications, exposed administrative ports, and non-production servers are intended to be publicly accessible, are appropriately configured and segmented from your internal network, and prioritised in your vulnerability and patch management process.
- Conduct dark web monitoring, social media listening, and young domain monitoring to identify mentions or impersonation attempts of your organisation that may indicate potential intent, opportunity, or active targeting against your organisation.
- Leverage a bug bounty program to crowdsource the expertise of ethical hackers to identify otherwise unknown vulnerabilities and security weaknesses that could otherwise expose you to potential exploitation by malicious actors.
Protect identities through a layered defense strategy to prevent and detect unauthorised access, impersonation, or misuse of personal information.
- Govern and apply appropriate access controls and permissions following the principle of least privilege for all users, ensuring access is conditional and restricted only to the resources necessary to perform their job functions. This includes implementing strong authentication mechanisms such as multi-factor authentication (MFA), role-based access controls (RBAC), and continuous monitoring of user activities to detect any suspicious behaviour.
- Establish behavioural-based detection for user activity to monitor for anomalies, tuning rules to expire tokens and disable sign ins when suspicious behaviour is detected.
- Prioritise the protection of privileged accounts by implementing strong privileged access management (PAM) controls, such as privileged identity and session management, regular credential rotation, and monitoring of privileged user activities, to mitigate the risk of unauthorised access and potential misuse of high-level privileges.
Adopt a zero trust strategy, enforcing authentication and authorisation at every access point, regardless of whether it is within or outside the organisation’s network perimeter.
- Unify and consolidate applications to streamline access controls and reduce potential attack surfaces by eliminating unnecessary or redundant applications, minimising the complexity of managing access policies, and ensuring consistent security measures across the application landscape.
- Implemented and enforce a compliance profile across your managed devices, regardless of whether it is corporate-provisioned or bring-your-own-device (BYOD).
- Secure DevOps environments through the implementation of zero trust principles, ensuring cybersecurity is considered at the forefront of innovation and implementation of new technologies. Ensure appropriate training is provided to DevOps professionals to build and implement securely.
- Consider the long term goal of transforming your security architecture to follow the Secure Access Service Edge (SASE) framework to enable a flexible, scalable, more secure approach to your network security strategy.
Manage supply chain risks posed by third- and fourth-party vendors through robust vendor risk management and ongoing monitoring
- Conduct thorough due diligence before engaging with a third-party vendor or partner. Perform comprehensive due diligence to assess their security practices, including their vulnerability management processes, security controls, and incident response capabilities, to ensure they align with your organisation’s risk tolerance.
- Implement a robust vendor management program that includes regular assessments, audits, and contractual agreements that define security requirements and expectations. This program should also outline the responsibilities of both parties regarding vulnerability management, incident reporting, and remediation timelines.
- Continuously monitor third-party systems and conduct regular vulnerability assessments to identify potential weaknesses. This includes scanning for vulnerabilities, tracking patch management, and engaging in ongoing dialogue with vendors to address any identified vulnerabilities in a timely manner and mitigate supply chain risks.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Watch Out for the Adversary-in-the-Middle: Multi-Stage AiTM Phishing and Business Email Compromise Campaign

Posted on November 1, 2023 by darklabhk

PwC’s Dark Lab recently responded to a Business Email Compromise incident, leading to the discovery of an opportunistic multi-stage Adversary-in-the-Middle campaign.

Business Email Compromise (BEC) attacks persist as one of the most popular scam strategies among opportunistic cybercriminals. BEC attacks refer to a form of social engineering whereby malicious actors attempt to defraud organisations by hacking into legitimate business email accounts and impersonating employees and third parties for direct monetary gains.

Though these attacks have existed since the dawn of the Internet, they continue to be a highly lucrative avenue for attackers given the ability to scale operations target multiple victims simultaneously at a low setup cost. Furthermore, as organisations have heavily prioritised efforts to mature their cyber postures over the last few years, we observe a significant shift away from malware towards identity-based attacks as attackers leverage valid credentials to disguise their activities. In the past few years, an increasingly common strategy is to leverage phishing toolkits to steal valid credentials as well as login sessions, bypassing multi-factor authentication (MFA).

In this two-part series, we showcase two classic Adversary-in-the-Middle (AiTM) campaigns targeting Hong Kong-based victims. In part one, we shared our technical analysis on the ongoing campaign leveraging the Evil QR tool to hijack Hong Kong and Macau-based victims’ WhatsApp accounts.[1] This blog piece provides a technical analysis on our incident response experience with a multi-stage Adversary-in-the-Middle (AiTM) phishing and BEC attack, which led to the discovery of a wide-scale, opportunistic campaign weaponising a sophisticated phishing toolkit, Evilginx and EvilProxy.

Initial Access

The attack initiated via the delivery of a phishing email from joingreatlife[.]com, with a lure masquerading as a DocuSign notification for document review and signature.

Figure 1: Screenshot of phishing email

The phishing emails originated from the joingreatlife[.]com sender domain, which we assessed to be a legitimate business based on the WHOIS records indicating the domain was registered in 2013, and multiple linked social media accounts, including an actively updated Facebook account, and no malicious flagging by security solutions.[2],[3],[4],[5] Due to their lack of valid SPF, DKIM, or DMARC record as at the time of investigation[6], we hypothesise that the legitimate business was likely spoofed or compromised to deliver phishing emails.

Figure 2: Flagged malicious joingreatlife[.]com sub-domains

Through further review of the victim’s mailbox, it was observed that the victim was repeatedly targeted by multiple phishing emails from senders such as ‘cv@service[.]bosszhipin[.]com’ between March 2022 and June 2023. Pivoting on the email address, we discovered that cv@service[.]bosszhipin[.]com has been historically flagged for sending spam and phishing emails.[7] Consistent with observations of the joingreatlife[.]com domain, we validated the bosszhipin[.]com domain to be serving legitimate business content[8], and was likely spoofed by malicious actors as a result of the lack of valid DKIM or DMARC record.[9]

Upon clicking on the ‘Review Document’ button within the phishing email, the victim was redirected to a Ticketmaster domain (engage.ticketmaster.com) before redirecting to the actual phishing URL hosted on an online coding sandbox website (hx5g6s.codesandbox[.]io), which then further redirected the user to their phishing site hosted at IP address 134.209.186[.]170. We hypothesise that the multi-redirect approach initiated via the legitimate intermediate domains was employed to evade detection, confuse security analysis and blocking by the victim organisation’s spam filters.

Investigation into 134.209.186[.]170 revealed the IP address to be flagged as malicious and reported in multiple occasions in July 2023.[10] Furthermore, the same IP address (134.209.186[.]170) was noted to be historically hosting a phishing site resembling a OAuth-based login portal – a matching indicators of a credentials- or session-harvesting site leveraging the AiTM attack.[11]

Figure 3: 134.209.186[.]170 flagged malicious, hosting OAuth phishing site

The phishing site served as a proxy between the victim and the legitimate Microsoft login page. As the victim performed a legitimate login with multi-factor authentication (MFA), the attacker operated as an adversary-in-the-middle, using the captured OAuth access token to bypass MFA and obtain the victim’s valid logon session, resulting in a successful impersonation with the victim’s identity to the legitimate resources on M365, including Outlook, SharePoint, or other applications as accessible by the victim.[12]

Persistence and Defense Evasion

Subsequent to logging into the victim’s mailbox, the attacker (85.209.176[.]200) registered a new MFA authentication method and attempted to access the victim’s mailbox via a legitimate, external application (PerfectData Software) to establish persistent access. To maintain stealth, the attacker (147.124.209[.]237) modified mailbox rules to reroute emails to the victim’s RSS Subscriptions folder, altered email folder arrangements, and accessed two SharePoint files. As observed at each stage of their attack, the threat actor was logged using a different IP address for each activity to conceal their identity and location, and further evade detection.

Impact

Leveraging the compromised email account, the attacker (104.254.90[.]195) impersonated the victim’s identity to send two phishing emails. The first email was sent to an external contact, containing no contents. The second email was sent to an internal employee containing a fraudulent transaction invoice attachment, indicating an attempt to facilitate unauthorised fund transfers. At this stage, the victim organisation detected and blocked the fraudulent fund request attempt and proceeded to conduct containment measures to reset the compromised credentials and revoke the unauthorised login sessions. Based on our observations, we assessed that the malicious actor conducted the AiTM attack to perform the email account takeover for financially-motivated intent.

Uncovering the wide-scale AiTM campaign

Pivoting on the phishing email subject title “Completed: Complete Doc viaSign: #2,” we identified over 50 files uploaded between 3 July and 18 July 2023[13] which contained redirects to the same embedded URL (http://links[.]engage[.]ticketmaster[.]com). Paired with the observed existence of the phishing email structure since December 2021, this indicated that the victim was phished as a part of an ongoing opportunistic campaign which researchers have reported as a multi-stage AiTM phishing and business email compromise (BEC) campaign.

Potential Use of the Caffeine Phishing Toolkit

Pivoting on the malicious link, we assessed that the link was likely launched from a phishing toolkit to steal valid sessions. We observed that the malicious link leveraged the Ticketmaster domain to obfuscate the malicious payload to bypass mail detection rules and deliver malicious payloads via browser redirects to codesandbox.io.[14] Further pivoting on the Ticketmaster domain, we observed potential relations to a Phishing-as-a-Service (PhaaS) platform “Caffeine”, which provides subscribers phishing email templates with legitimate URLs to contain malicious payloads that operate to steal credentials (e.g. passwords, session tokens) through third-party sites such as codesandbox.io to evade detection.[15][16] This is consistent with the observations in this phishing campaign and corresponding telemetry, as evidenced in Figure 4.

Figure 4: Phishing email redirects leveraging legitimate services to redirect to payloads hosted on codesandbox.io

Weaponising Evilginx and EvilProxy

Through deeper inspection, we discovered that the IP (134.209.186[.]170) address associated with the attackers were involved with several other phishing submissions submitted by other users. These submissions revealed that the domains used by the attackers serve pages that are consistent with our observed victim’s sessions stealing activities. The user emails passed in the web request were also observed to be consistent with other relevant schemes. Through these observations, we assessed with high confidence that the threat actors leveraged Evilginx and EvilProxy as a means to bypass two-factor authentication (2FA) and that these session stealing methods were the initial foothold that enabled the threat actor to gain access to the victim’s corporate resources.

Evilginx is an advanced AiTM attack framework capable of bypassing 2FA and intercepting legitimate session cookies.[17] This is a significant capability for attackers who can consequently conduct their phishing campaigns without capturing credentials, as attackers can impersonate victims without password knowledge to gain unauthorised access.

EvilProxy is a Phishing-as-a-Service (PhaaS) toolkit operating as a powerful proxy tool, redirecting victims’ web traffic through attacker-controlled servers.[18] The tool enables attackers to not only capture login credentials but also manipulate web content in real-time, presenting victims with malicious payloads or further deceptive content.

Conclusion

Based on our findings, we assessed with high confidence that the victim was compromised as part of a wide-scale, opportunistic social engineering campaign utilising Evilginx and EvilProxy to bypass MFA and subsequently perform a BEC attack via internal spear phishing. Due to the lack of information and reporting on the specific IOCs collected during the incident, and the use of widely adopted techniques and toolkits, we did not derive conclusive evidence to ascertain the specific threat actor responsible for the attack.

The two campaigns explored in this two-part blog series are just two of the many case studies supporting our observations that the cyber threat landscape is rapidly evolving, with threat actors increasingly shifting towards-identity based attacks. As organisations worldwide have prioritised efforts to harden their cybersecurity posture, we observe threat actors adapt by weaponising valid credentials to bypass defences under the guise of trusted identities. Furthermore, in both cases, we observed that threat actors are not only targeting passwords, but valid sessions to maintain persistent, elusive access to victim environments.

Whilst identity-based attacks are by no means novel, they continue to pose a significant threat to organisations given the complexity of distinguishing between legitimate and malicious use of authorised access. To effectively protect against identity-based attacks, it is vital that organisations and individuals enforce a layered defence strategy combining robust preventative measures with behavioural-based detection.

Join us on November 7 2023 for PwC’s annual Hack A Day Conference: Register Here

Recommendations

Preventive

Implement sender authentication measures including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication (DMARC) to reduce susceptibility to phishing and spoofing attacks.
Review existing Microsoft 365 configuration and update their security solutions and network devices (including external firewall, web proxies). For example, enforcing spam filters configurations to ensure all inbound emails are processed by spam filtering policies prior to delivery, reviewing email forwarding rules to identify any potential external malicious email forwarding, and restricting O365 access via geo-fencing to prevent authorised access or account brute-force over O365.
While this incident highlighted how threat actors can potentially bypass multi-factor authentication (MFA), MFA remains a critical layer of protection against credential-abuse attacks. Best practices include:
- Ensuring MFA solutions restrict the number of failed authentication attempts, login attempts are monitored and alerted for anomalous activity, and enforcing strong password policy requirements.
- Leveraging features such as conditional access to setup session timeouts or block sign-ins from illegitimate access to the resources by third party devices, or overseas where applicable, in combination with features such as Mobile Device Management (MDM).
Enhance business security controls by establishing procedures for financial transactions and their respective handling procedures. For example, automatic bank notifications for outbound transaction verifications and mandatory out-of-band verifications of bank account changes.
Regularly conduct user awareness training to educate employees on the latest social engineering techniques deployed, indicators to identify potentially malicious activity, and process for reporting suspicious activity.
Organisations should conduct young domain monitoring to proactively uncover potential phishing campaigns targeting, or likely to target, your organisation.

Detective

Monitor user account activity for email forwarding, excessive document downloads or deletions and excessive file sharing. Depending on the user (e.g. users operating within functions more likely to be targeted in phishing attacks, such as HR, Finance, C-Suite personnel), setup monitoring for specific activities, such as monitoring for the creation of mail rules that involve moving to folders to RSS.
Establish behavioural-based detection rules that will expire tokens and disable sign in when suspicious account behaviour is detected. Indicators of suspicious behaviour could include access from abnormal geolocations and accessing servers not typically accessed by the user identity. Further, leverage features such as “risky sign-in” to receive notifications of suspicious authentication attempts and respond in-time to threats.
We further advise organisations to establish an O365 mailbox rule to detect and block inbound/outbound traffic from the malicious IPs listed in our Indicators of Compromise (IoC) section.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques from the campaign:

T1589.002 – Gather Victim Identity Information: Email Addresses Resource Development
T1584.004 – Compromise Infrastructure: Server
T1588.002 – Obtain Capabilities: Tool
T1566.002 – Phishing: Spear Phishing Link
T1189 – Drive-by Compromise
T1204.001 – User Execution: Malicious Link
T1098.005 – Account Manipulation: Device Registration

Indicators of Compromise (IoCs)

We include the observed IoCs:

IoC	Type	Description
`brad.hansen[@]joingreatlife[.]com`	Email Sender	Email Sender of phishing email
`Completed: Complete Doc viaSign: #2`	Email Sender	Email Sender of phishing email
`hx5g6s.codesandbox[.]io`	Domain	Online coding sandbox website
`lmo-halbacea.halbacea[.]com`	Domain	Domain associated with phishing web server
`lmolmoworked-inc-docs-signedservices.remmellsp.]com`	Domain	Domain associated with phishing web server
`134.209.186[.]170`	IP Address	IP Address of OAuth phishing web server, threat actor logon
`85.209.176[.]200`	IP Address	IP Address of threat actor logon, deliver phishing email, register Authenticator App and attempt to connection to external application “PerfectData Software”
`147.124.209[.]237`	IP Address	IP Address of threat actor logon, create new inbox rule
`51.195.198[.]33`	IP Address	IP Address of threat actor logon, access SharePoint files
`104.254.90[.]195`	IP Address	IP Address of threat actor logon, deliver phishing email, create new inbox rule

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Watch Out for the Adversary-in-the-Middle: WhatsApp QR Code Hijacking Targets Hong Kong and Macau Consumers

Posted on October 26, 2023 by darklabhk

PwC’s Dark Lab investigates the local WhatsApp account hijacking attacks, uncovering multiple campaigns targeting Hong Kong and Macau consumers.

Over the last few months, the community has seen a surge in attacks against individuals’ collaboration and communication applications that offers the use of mobile devices as a means of authentication. By taking over accounts on such platforms through means such as phishing, threat actors can easily gain access to personal or event-sensitive information shared across such platforms or carry out attempts to defraud legitimate business partners or contacts of individuals.

In this two-part series, we showcase two classic Adversary-in-the-Middle (AiTM) campaigns targeting Hong Kong-based victims. This blog piece provides a technical analysis and actionable steps to protect yourself against the ongoing campaign leveraging the Evil QR toolkit to hijack WhatsApp accounts locally.

Stay tuned for part two, as we share our incident response experience with a multi-stage AiTM phishing and business email compromise (BEC) attack weaponizing Evilginx and EvilProxy, leading to our discovery of the wide-scale, opportunistic campaign.

WhatsApp QR Code Hijacking Targets Hong Kong and Macau Consumers

In October 2023, we observed multiple reports of WhatsApp account hijacking cases impacting Hong Kong- and Macau-based victims. Upon successful account takeover, malicious actors have been observed to impersonate the owners of the compromised WhatsApp accounts, contacting the victim’s WhatsApp contacts to request fund transfers under the guise of their trusted relationship. Breaking down the attack, we observe that the Evil QR tool was deployed to facilitate the WhatsApp account takeovers, targeting unsuspecting victim.

Understanding how Evil QR works

Evil QR, first reported in July 2023, is a browser extension that enables attackers to exploit legitimate QR codes to intercept and steal their cookie session, providing access to the victim’s account.[1]

How Evil QR operates[2]:

The attacker open the legitimate WhatsApp Web login page (https://web.whatsapp.com/).
The attacker enables the Evil QR browser extension, which extracts the legitimate QR code from WhatsApp Web and proxies it to the Evil QR server, which hosts the attacker’s phishing page.
The attacker’s phishing page dynamically displays the latest QR code extracted from the WhatsApp Web login page.
When the unsuspecting victim visits the phishing page impersonating WhatsApp Web login and scans the QR code, the attacker successfully obtains access to the victim’s WhatsApp account.
Due to proxying, the victim will be unaware of the existence of these sessions, unless they manually check their WhatsApp settings (Settings > Linked Devices).

Figure 1: Attack path for WhatsApp account takeover using Evil QR

Weaponization of Evil QR by malicious actors

Due to the relatively simple setup of the QR code and phishing site using Evil QR, it is a highly lucrative and incentivising means for attackers to obtain access to sensitive information and perform malicious activities, as reflected in the recent surge of attacks against collaboration and communication applications.

We observe search results on Google, which indicate dedicated efforts to promote phishing sites impersonating WhatsApp to defraud unsuspecting victims. Search engine optimisation (SEO) poisoning is a technique commonly deployed by threat actors to improve the ranking of their malicious websites on search engine result pages.[3]

To improve the SEO ranking of their phishing site and deceive unsuspecting visitors of their ‘legitimacy’, threat actors may deploy an array of techniques, such as keyword stuffing, whereby threat actors overload their phishing sites with keywords in a repetitive manner to manipulate search engine rankings to assess their website has relevant content. Another common technique is typosquatting, whereby threat actors capitalise on human error by registering domains with variations of potential spelling errors, that could accidentally be typed (“typo”) by unsuspecting users (e.g. watsap web). Further, attackers commonly abuse sponsored listings and advertisements to direct users to their phishing sites.

Figure 2: Search results for the typo ‘watsapp web’

Referencing the first sponsored search result, ws6.whmejjp[.]com, we observe the domain to be actively impersonating the WhatsApp Web login webpage.

Figure 3: Screenshot of ws6.whmejjp[.]com as of 19 October 2023

Pivoting on structurally similar websites, we observe the host IP (2a06:98c1:3121:[:]3) hosting over 10,000 domains with a similar HTML structure. Based on the newly registered domains associated with the host IP, we observed multiple typosquatted domains targeting users of various gaming and communications platforms, such as Twitch, Steam, Valorant, and Telegram.

Referencing public reports of the ongoing attacks against Hong Kong consumers[4], we pivoted on the waacad[.]cyou domain which continues to display a WhatsApp Web login page.

Figure 4: Screenshot of waacad[.]cyou as of 19 October 2023

Analysing the host IP (103.71.152[.]102) for waacad[.]cyou, we observe it to be serving 14 newly registered domains within the last month starting from 22 September 2023. The domains were observed follow a similar domain naming convention, all displaying an identical WhatsApp Web phishing page.

Figure 5: Newly registered domains hosted by 103.71.152[.]102 [5]

Through further investigation of 103.71.152[.]102, we observed multiple domains created between 27 August and 1 September 2023, which appear to impersonate Sands casino. Based on observations that 103.71.152[.]102 and multiple of its hosted domains have been flagged as malicious for phishing, consistent naming conventions, contents of the WhatsApp Web phishing pages written in Chinese, and the ongoing suspected phishing campaign impersonating Sands, we assess with high confidence that the threat actor is conducted an ongoing, targeted phishing campaign against Hong Kong and Macau citizens.

Potential impact upon successful WhatsApp account takeover

Upon a successful WhatsApp account takeover, the attacker has full access to the user’s conversations and contact list. In the ongoing campaign targeting Hong Kong users, we observe the primary goal to be victim impersonation to request fund transfers from unsuspecting people who would typically trust the victim, including family, loved ones, and friends.

Figure 6: Sample of fraudulent fund transfer request via WhatsApp

Further, attackers may scan the victim’s conversation for sensitive information, such as personally identifiable information (“PII”) and shared passwords, depending on what sensitive information has been disclosed by the individual to other parties. In addition, the attacker could further leverage the account to send phishing links (“smishing”) to the victim’s contacts, to perform additional credential theft activities.

Conclusion

PwC’s Dark Lab observes that Hong Kong and Macau are being actively targeted by multiple opportunistic phishing campaigns. We strongly encourage citizens to exercise caution and awareness when interacting with untrusted sources. Refer to our recommendations below for general best practices and advice on how to detect and respond to a potential WhatsApp account takeover.

We continue to observe the cyber threat landscape evolve, with threat actors increasingly shift towards identity-based attacks not only weaponizing passwords, but sessions to maintain persistent access to compromised accounts. Stay tuned for part two, as we share key learnings from a recent incident response case involving a multi-stage AiTM phishing and business email compromise (BEC) attack.

Join us on November 7 2023 for PwC’s annual Hack A Day Conference: Register Here

Recommendations

How to detect if you are visiting a phishing website impersonating WhatsApp Web:

When searching for “WhatsApp Web” or any other website, avoid sponsored links and double check before clicking on a link for any spelling errors which could indicate it is a typosquatted (phishing) domain.
When visiting the website, while the website may appear similar to the legitimate domain, look out for the slight differences.

For example, if we compare the legitimate WhatsApp Web domain (web.whatsapp.com) with the malicious domain (waacad[.]cyou), we notice four (4) differentiators:

If you were to check the URL of the phishing page, you would immediately notice it is suspicious and unlikely to be the actual WhatsApp login page.
On the legitimate webpage, the WhatsApp logo and name exists, which is not observed on the malicious page.
The instruction wordings differ.
The legitimate webpage has a ‘Tutorial’ section with advice on ‘how to get started’. It should be noted that whilst this phishing domain does not display this section, other more convincing phishing sites could include this section to further deceive you into trusting their phishing site is legitimate.

How to check and respond if you suspect your WhatsApp account has been compromised:

1. Check and log out any unauthorised devices:

In WhatsApp, check if any unauthorised devices are logged in (Settings > Linked Devices).
For any suspicious or unknown logins, tap the device to log out. This will remove their access to your account.

2. Perform additional checks to identify any potential activities performed by the malicious actor during their access to your account:

Check archived messages to see if any conversations were archived by the malicious actor.
Check if any messages have been sent or deleted in the chat without your knowledge.
Check if any voice recordings or files were shared to your contacts.

3. Inform any of your contacts if they have been contacted by the malicious actor.

Whether your contact unknowingly sent money or not, it is important to notify them that they were communicating with the malicious actor and not you so they can remain aware and exercise caution when receiving unusual or suspicious messages from you or other contacts.

General Best Practices

Visiting websites:

Check links before clicking to validate their legitimacy (e.g. spelling errors) and always remain wary of the legitimacy of webpages and their branding.
Access websites via the global webpage as opposed to the URL shortened link if in doubt.
If you accidentally visit a phishing site,
- Do not click on any links and double check your device to see if any files were downloaded.
- If any files were downloaded, do not open it. Delete the file immediately and clear your recycling bin.
If you believe you may have fallen victim to a phishing attack,
- Monitor your email’s “sent” folder to identify any unauthorised emails that have been issued from your account. If any, alert the receiver as well as your wider contact list that you may have fallen victim to a phishing attack, so they can be on alert that incoming messages from your account may not be legitimate.
- Perform a password reset, enable multi-factor authentication (MFA), and report the suspected phishing activity immediately to your credit card issuers (and organisation if accessed the site through your work device) to monitor and restrict potentially suspicious activity.

Communication platforms:

If you have received a suspicious or unusual message from your contact requesting funds or sensitive information, exercise caution to determine if the request is legitimate. Potential signs that your contact has been compromised could include:
- Unusual nature of the request – e.g. your contact asking you to urgently send money
- Deviating from their normal typing or speaking pattern – if their message does not sound like them – it might not be them!
- Often times, malicious actors use artificial intelligence (“AI”) to generate messages, which may sound robotic or unnatural in nature. For voice messages, malicious actors may alter the AI-generated message (e.g. speeding it up or adding background noise) to attempt to make the voice message seem less robotic.
- Do not disclose sensitive information via WhatsApp or other communication channels. Whilst these channels may be encrypted, we continue to observe malicious actors attempting to perform account takeovers, granting them with full access to compromised users’ accounts.

MITRE ATT&CK TTPs Leveraged

We include the observed MITRE ATT&CK tactics and techniques from the campaign:

T1583.001 – Acquire Infrastructure: Domains
T1583.008 – Malvertising
T1586 – Compromise Accounts
T1608.006 – Stage Capabilities: SEO Poisoning
T1566 – Phishing
T1189 – Drive-by Compromise

Indicators of Compromise (IoCs)

We include the observed IoCs:

IOC	Type
`clooe[.]cyou`	WhatsApp phishing site
`kkgee[.]icu`	WhatsApp phishing site
`waacad[.]cyou`	WhatsApp phishing site
`www[.]waacad[.]cyou`	WhatsApp phishing site
`clooeapp[.]cyou`	WhatsApp phishing site
`kkgegroup[.]icu`	WhatsApp phishing site
`bbhes[.]cyou`	WhatsApp phishing site
`gooe8[.]cyou`	WhatsApp phishing site
`xxeez[.]icu`	WhatsApp phishing site
`gooer[.]icu`	WhatsApp phishing site
`waacad[.]icu`	WhatsApp phishing site
`weeae[.]icu`	WhatsApp phishing site
`weeaet[.]cyou`	WhatsApp phishing site
`wyyadinc[.]icu`	WhatsApp phishing site
`bbyaysc[.]cyou`	WhatsApp phishing site
`5565m[.]vip`	Potential Sands phishing site – not flagged malicious
`5565k[.]vip`	Potential Sands phishing site – not flagged malicious
`5565v[.]vip`	Potential Sands phishing site – not flagged malicious
`5565f[.]vip`	Potential Sands phishing site – not flagged malicious
`5565t[.]vip`	Potential Sands phishing site – not flagged malicious
`5565z[.]vip`	Potential Sands phishing site – not flagged malicious
`5565c[.]vip`	Potential Sands phishing site – not flagged malicious
`5565r[.]vip`	Potential Sands phishing site – not flagged malicious
`5565i[.]vip`	Potential Sands phishing site – not flagged malicious
`5565a[.]vip`	Potential Sands phishing site – not flagged malicious
`5565p[.]vip`	Potential Sands phishing site – not flagged malicious
`5565w[.]vip`	Potential Sands phishing site – not flagged malicious
`5565g[.]vip`	Potential Sands phishing site – not flagged malicious
`5565u[.]vip`	Potential Sands phishing site – not flagged malicious
`5565e[.]vip`	Potential Sands phishing site – not flagged malicious
`5565l[.]vip`	Potential Sands phishing site – not flagged malicious
`5565d[.]vip`	Potential Sands phishing site – not flagged malicious
`5565s[.]vip`	Potential Sands phishing site – not flagged malicious
`5565j[.]vip`	Potential Sands phishing site – not flagged malicious
`5565q[.]vip`	Potential Sands phishing site – not flagged malicious
`5565x[.]vip`	Potential Sands phishing site – not flagged malicious
`5565h[.]vip`	Potential Sands phishing site – not flagged malicious
`5565o[.]vip`	Potential Sands phishing site – not flagged malicious
`ws6.whmejj[.]com`	WhatsApp phishing site
`dxweb.whasatcp[.]life`	WhatsApp phishing site
`uaa.whxmcwd.top`	WhatsApp phishing site
`103.71.152[.]102`	IP Address

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.