Each quarter, the Cradlepoint Threat Intelligence and Analysis (TR&A) Team publishes a threat intelligence report to inform customers about relevant changes in the threat landscape. This report covers events from January through March 2024.
Our Views on Recent Attacks
This quarter’s report focuses on the increasing threats to credentialed access. Multi-factor authentication (MFA, or 2FA when two factors are used) has been a standard of good security. However, the effectiveness of MFA and other credential defenses is under threat from new and improved threat actor tools. Phishing as a Service (PhaaS) and botnets are both increasing cybercriminals’ capability to bypass MFA and to evade the defenses that identify and prevent the misuse of credentials.
Credential theft: trending techniques
MFA bypass using Phishing as a Service (PhaaS)
Phishing attacks use increasingly sophisticated tools to steal credentials by bypassing MFA and then reusing the captured credentials in session replay attacks. PhaaS services enable actors to use technically difficult adversary-in-the-middle (AitM) techniques for MFA bypass. PhaaS offerings sold on dark web marketplaces include websites hosting malicious code, API relays to legitimate authentication services, realistic login pages, and management of compromised credentials. Lowering the technical expertise needed to use AitM techniques may result in more MFA bypass in credential theft attacks. A recent example of PhaaS improvements was reported by Sekoia security researchers, who discovered that the ‘Tycoon 2FA’ PhaaS now offers improved phishing pages for Microsoft 365 and Gmail, and templates for delivering malicious code through attachments.
TR&A Comments: The introduction of PhaaS services like Tycoon 2FA has made it easier for cybercriminals to use Man-in-the-Middle (MitM) techniques to bypass MFA. It has also reduced the ability of users to recognize malicious websites and attachments. Defenders may want to consider what additional defenses they can implement against credential theft and for detecting stolen credentials in use. Detection of abnormal user behavior by AI technology, and SIEM detection of high volumes of access or network connection denials, may be the most effective.
Detection evasion
Detection of credential theft has relied on two main defenses: geographic anomalies in sign-in location, and the suspicious reputation of VPN services or Tor exit nodes. The effectiveness of these defenses may be reduced as threat actors move to services offering botnets of infected SOHO routers and IoT devices. These botnets can be used to execute attacks, control infected devices remotely (command and control, or C2), and steal data. Botnet devices have been leveraged to source connections from IPs in the same geographic region as the victim, evading geography-based detections, and reputation-based filters have been evaded by exploiting the low-risk reputation of botnet device IPs or domains.
TR&A Comments: Bad actors’ use of botnets for evasion may increase, as additional vulnerabilities in SOHO routers and IoT devices were announced in Q1 and actors adopt techniques proven in campaigns such as Volt Typhoon’s KV botnet. The FBI disrupted Volt Typhoon’s botnet, but additional botnet services of this kind are available on dark web marketplaces. Another indicator of the increased threat was a US government joint Cybersecurity Advisory reporting on campaigns using SOHO router botnets to target the energy, government, manufacturing and other industries.
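A worked illustration of the two detection layers discussed above, added here and not part of the Cradlepoint report: a small Python detector run over constructed sign-in events. The geography rule catches a user whose sessions jump between countries, but says nothing about a user whose attempts arrive from residential addresses in the user’s own country; the denial-burst rule that the TR&A comment recommends still flags the second case. The log format, usernames, documentation-range addresses and country labels are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real logs: "time user source_ip country result".
# Addresses are from documentation ranges; the country labels are assumed.
SAMPLE_LOGS = """\
2024-03-03T17:00:00 bob 203.0.113.22 US success
2024-03-04T08:00:00 alice 203.0.113.10 US success
2024-03-04T08:10:00 alice 198.51.100.7 RU success
2024-03-04T09:00:00 bob 203.0.113.31 US failure
2024-03-04T09:00:30 bob 203.0.113.32 US failure
2024-03-04T09:01:00 bob 203.0.113.33 US failure
2024-03-04T09:01:30 bob 203.0.113.34 US success
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]{2}) (success|failure)$")

def parse_logs(text):
    """One dict per well-formed line, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, ip, country, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def geo_anomalies(events, window=timedelta(hours=1)):
    """Geo rule: one user signs in successfully from two countries within `window`."""
    last, hits = {}, set()
    for e in (x for x in events if x["result"] == "success"):
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            hits.add(e["user"])
        last[e["user"]] = e
    return hits

def denial_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Behaviour rule: a success preceded by >= `threshold` failures inside `window`."""
    failures, hits = defaultdict(list), set()
    for e in events:
        q = failures[e["user"]]
        while q and e["ts"] - q[0] > window:  # forget failures older than the window
            q.pop(0)
        if e["result"] == "failure":
            q.append(e["ts"])
        elif len(q) >= threshold:             # a run of denials followed by a success
            hits.add(e["user"])
    return hits
```

Tune `threshold` and `window` to the tenant’s normal failure rate before deploying a rule like this; the point is that the second rule keys on behaviour rather than on where the traffic appears to come from.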
Credential theft trends
How do we know whether credential theft has been successful for threat actors? Threat actors operate like any business; they continue to invest in techniques and tools that work. Lagging indicators of successful credential compromise techniques include:
- the number of successful attacks that use valid credentials (30% increase [1]),
- the number and type of credentials for sale on dark web marketplaces (20% increase [2]), and
- the investment by threat actors in new or improved credential theft tools.
Annual and quarterly metrics reported from incident response companies continue to confirm the upward trend in all three of these indicators.
TR&A Comments: During the first quarter of each year, large monitoring and incident response firms publish an annual review of threat actors, tools and techniques. This year’s reports were dominated by concerns about credential theft by phishing, info stealer malware, AI aiding the advancement of tools and increasingly sophisticated defense evasion features of malware. For additional details, see Red Canary 2024 Threat Detection Report, 2024 Sophos Threat Report and Deepwatch 2024 Threat Report.
Initial access broker attack techniques
Initial Access Brokers (IABs) specialize in infiltrating organizations’ networks and systems, stealing credentials and then selling this unauthorized access to other criminals on dark web marketplaces. The role of the IAB is critical in the cybercrime ecosystem because it enables other criminals to conduct a variety of malicious activities without having to breach the defenses themselves. Understanding the techniques of successful IABs lets defenders prioritize defenses against those techniques.
IntelBroker
Operating since 2022, IntelBroker’s campaigns have been both opportunistic and targeted, and executed for financial gain. IntelBroker is an individual member of a larger ‘CyN’ [3] cybercrime group and has collaborated with other members of the group to attack targets. In late March, IntelBroker posted stolen credentials for at least eight organizations on BreachForums, and has posted credential sales throughout Q1 2024. Techniques used include exploiting enterprise software vulnerabilities (Los Angeles International Airport and Acuity), Endurance ransomware, using previously stolen credentials for lateral movement to data storage resources, third-party compromise (Facebook) and API vulnerabilities (PandaBuy). For more details, see medium.com.
TR&A Comments: The activity of IntelBroker reflects the increasing demand for valid credentials to use in an attack lifecycle. While IntelBroker utilizes a range of techniques, the focus on credential theft indicates that credential security should be a priority for organizations.
TA577
Opportunistic and financially motivated, TA577 has been observed using a new malware downloader, ‘Latrodectus’, and was responsible for the campaign stealing credentials via NTLM in late February 2024. Latrodectus uses phishing lures containing URLs that download malicious JavaScript files. The JavaScript file creates BAT files that run exploit code on the victim host. For more details, see the Proofpoint blog and Alienvault.
TR&A Comments: To mitigate the threat of users downloading malicious files, inspect all downloads for malicious code. Inspection technology could be anti-virus for known malicious code, static/dynamic code inspection, content disarm and reconstruct (CDR) or all three.
Prophet Spider (also known as Gold Melody and UNC961)
Opportunistic and financially motivated, Prophet Spider exploits vulnerabilities in unpatched internet-facing servers, including Apache Struts (CVE-2017-5638) and Log4j (CVE-2024-4104). For more details, see the Secureworks site.
TR&A Comments: To limit Gold Melody’s ability to find and exploit vulnerabilities in internet-facing resources, reduce attack surfaces and apply the zero trust principle of least-privilege access, which restricts the threat actor’s ability to move laterally to a domain controller.
Cradlepoint solutions for defense against credential theft and credentialed attacks
Proactive defense of credential theft: Block info stealer malware
Remote Browser Isolation (RBI) and Web Application Isolation (WAI) create secure virtual environments for user sessions, effectively countering information stealer downloads and browser vulnerability exploits. Isolation inserts a digital air gap between web content and user devices. Each user browsing or application session is executed in an isolated cloud container. Only a safe virtual stream of the rendered website is sent in real-time to the user’s browser. This means that all active code remains isolated in the cloud, so malware can never reach the user’s device or the network. In addition, suspicious sites such as spoofed login pages can be opened in read-only mode so that users cannot enter credentials.
Cradlepoint solutions security for the edge: Attack surface reduction
A combination of Zero Trust WAN Security and Zero Trust Web Security allows an organization to proactively defend against credentialed attacks on VPN and RDP internet-facing resources. Our 5G zero trust WAN is built with security designed in, operates on an invitation-only basis, and hides all IP addresses, thereby making each site, asset, and application in the WAN dark to each other and to the outside world. Additionally, Cradlepoint solutions include clientless zero trust access to internet-available applications like RDP.
[1] IBM X-Force Threat Intelligence Index 2024, page 8, https://www.ibm.com/reports/threat-intelligence
[2] CrowdStrike 2024 Global Threat Report, page 46, https://www.crowdstrike.com/global-threat-report/
[3] The name of the cybercrime gang is a racial slur, so the abbreviated name CyN has been used instead.