Cybersecurity Weekly: Multiple active Microsoft phishing campaigns

May 4, 2020 by Sam Fay

Targeted phishing attacks successfully hacked top executives at over 150 companies. An Office 365 phishing campaign uses fake Microsoft Teams alerts. A new phishing campaign packs an info-stealer, ransomware punch. All this, and more, in this week’s edition of Cybersecurity Weekly.


1. Targeted phishing attacks successfully hacked top executives at over 150 companies

In the last few months, multiple groups of attackers successfully compromised corporate email accounts of officers at various firms based in Europe and Asia. Dubbed PerSwaysion, the new phishing campaign leverages Microsoft file-sharing services — including Sway, SharePoint and OneNote — to launch highly targeted phishing attacks.


2. Office 365 phishing campaign uses fake Microsoft Teams alerts

Another phishing campaign is using cloned imagery from automated Microsoft Teams notifications in attacks that attempt to harvest Office 365 credentials. To evade email protection services, the attackers use several URL redirects with the end goal of hiding the URL used to host the phishing campaign.


3. New phishing campaign packs an info-stealer, ransomware punch

A new phishing campaign is distributing a double punch: the LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware. By using this combo, the attackers first steal saved credentials and then deploy the Jigsaw ransomware to try to get a small ransom to sweeten the attack.


4. Report: healthcare targeted by more attacks but less sophistication

Healthcare organizations are experiencing an increase in attacks against their businesses and suppliers, but the attacks appear not to be very sophisticated. Some organizations saw a 30% increase last month in the number of COVID-19-themed phishing sites and lures, but they have not seen a meaningful increase in the number of successful breaches.


5. Critical bugs found in three popular e-learning plugins for WordPress

Security researchers are sounding the alarm over newly discovered vulnerabilities in some popular online learning management system plugins that various organizations and universities use through their WordPress-based websites. These flaws could permit students, as well as unauthenticated users, to view personal information of registered users.


6. Critical SaltStack bug affects thousands of data centers

Two severe security flaws have been discovered in the open-source SaltStack Salt configuration framework that could allow an attacker to execute arbitrary code on remote servers deployed in data centers and cloud environments. The vulnerabilities were identified by researchers earlier this March and disclosed a day after SaltStack released a patch last week.


7. New Android malware steals banking passwords, private data and keystrokes

A new type of mobile banking malware has been abusing Android’s accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages and hijack SMS-based two-factor authentication codes. Called EventBot by researchers, the malware is capable of targeting over 200 different financial apps.


8. Hackers claim they stole millions of credit cards from Banco BCR

Hackers claim to have gained access to the network of Banco BCR, the state-owned Bank of Costa Rica, and stolen 11 million credit card credentials along with other data. This attack was allegedly conducted by the operators of the Maze Ransomware, who have been behind numerous cyberattacks against high-profile victims.


9. How cybercriminals are weathering COVID-19

With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services.


10. TrickBot attack exploits COVID-19 fears with DocuSign-themed phishing campaign

Threat actors are spreading the tricky trojan through fake messages in another opportunistic COVID-19-related campaign. They are using people’s interest in the Department of Labor’s Family and Medical Leave Act to spread what appears to be the TrickBot trojan in a new spam campaign that security researchers discovered recently.
