
Massive attacks bypass MFA on Office 365 and G Suite accounts via IMAP Protocol

Threat actors targeted Office 365 and G Suite cloud accounts using the IMAP protocol to bypass multi-factor authentication (MFA).

Over the past months, threat actors have targeted Office 365 and G Suite cloud accounts using the IMAP protocol to bypass multi-factor authentication (MFA).

Experts at Proofpoint conducted an interesting study of massive attacks against accounts of major cloud services. The experts noticed that attackers leverage legacy protocols and credential dumps to increase the efficiency of massive brute force attacks.

“Attacks against Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable,” reads the study published by Proofpoint. “At the same time, targeted, intelligent brute force attacks brought a new approach to traditional password-spraying, employing common variations of the usernames and passwords exposed in large credential dumps to compromise accounts.”

The experts analyzed over one hundred thousand unauthorized logins across millions of monitored cloud user-accounts. Below are the key findings from the study:

  • 72% of tenants were targeted at least once by threat actors  
  • 40% of tenants had at least one compromised account in their environment  
  • Over 2% of active user-accounts were targeted by malicious actors 
  • 15 out of every 10,000 active user-accounts were successfully breached by attackers 

The attackers’ primary goal is to carry out internal phishing, especially when the initial target does not have the access needed to transfer money or data. Access to a cloud account can be exploited by attackers for lateral movement and to expand footholds within an organization via internal phishing and internal BEC. Experts observed that compromised accounts are also used to launch external attacks.

Looking at the sources of the attacks, most of them come from Nigerian IP addresses (40%), followed by Chinese IP addresses (26%).

According to the study, IMAP was the most abused legacy protocol. IMAP relies on legacy authentication, which bypasses multifactor authentication (MFA). Experts pointed out that these attacks avoid account lock-out and appear as isolated failed logins, which makes them hard to detect.

Other data provided by the experts:

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks 
  • Roughly 25% of Office 365 and G Suite tenants experienced a successful breach as a result 
  • Threat actors achieved a 44% success rate breaching an account at a targeted organization 

The experts observed a large number of IMAP-based password-spraying campaigns between September 2018 and February 2019. Proofpoint reported that 10% of active user accounts in targeted tenants were hit and 1% of targeted user accounts were successfully breached.
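Because each account sees only isolated failures and the attempts come from many devices, per-account lock-out counters never trip; the pattern shows up only when legacy-protocol failures are aggregated across the tenant. The following is an added detection sketch, not code from Proofpoint or the original post; the event tuple layout, protocol labels, thresholds and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY = {"IMAP", "POP3", "SMTP"}  # assumption: protocol labels used by the log source

# Constructed sample sign-in events: (time, source_ip, user, protocol, success)
T0 = datetime(2019, 2, 1, 9, 0)
EVENTS = [(T0 + timedelta(minutes=5 * i), f"203.0.113.{10 + i % 3}",
           f"user{i}@example.com", "IMAP", False) for i in range(6)]
EVENTS += [
    # a success from one of the spraying sources in the same hour
    (T0 + timedelta(minutes=40), "203.0.113.11", "shared-mailbox@example.com", "IMAP", True),
    # benign noise: a modern-auth failure, and one user retrying a forgotten password
    (T0 + timedelta(minutes=12), "198.51.100.7", "alice@example.com", "MODERN", False),
    *[(T0 + timedelta(hours=3, minutes=m), "198.51.100.9", "bob@example.com", "IMAP", False)
      for m in range(4)],
]

def detect_spray(events, bucket=timedelta(hours=1), min_users=5, max_per_user=2):
    """Flag time buckets where many accounts each show only a few legacy-protocol failures."""
    failures = defaultdict(lambda: defaultdict(int))  # bucket start -> user -> failure count
    sources = defaultdict(set)                        # bucket start -> IPs with failures
    successes = []                                    # (bucket start, ip, user)
    for ts, ip, user, proto, ok in events:
        if proto not in LEGACY:
            continue
        start = ts - (ts - datetime.min) % bucket     # floor timestamp to bucket boundary
        if ok:
            successes.append((start, ip, user))
        else:
            failures[start][user] += 1
            sources[start].add(ip)
    findings = []
    for start, per_user in sorted(failures.items()):
        # "isolated" = below a typical lock-out threshold, so no single account stands out
        isolated = [u for u, n in per_user.items() if n <= max_per_user]
        if len(isolated) < min_users:
            continue
        hits = sorted({u for s, ip, u in successes if s == start and ip in sources[start]})
        findings.append({"bucket": start, "users_targeted": len(isolated),
                         "sources": len(sources[start]), "suspect_successes": hits})
    return findings

if __name__ == "__main__":
    for finding in detect_spray(EVENTS):
        print(finding)
```

A successful legacy-protocol login from an address that was also failing against other accounts in the same window is the record to triage first, since MFA was never evaluated for it.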


The attackers leveraged a botnet composed of thousands of hijacked network devices (i.e. routers, servers) to launch the attacks.

“These hijacked devices gained access to a new tenant every 2.5 days on average during a 50-day period,” continues Proofpoint.

China was the source for the vast majority of the IMAP-based attacks (53%), followed by Brazil (39%) and the United States (31%).

Most of the attacks (63%) originated from Nigerian IP addresses, followed by South African infrastructure (21%), and the United States via VPNs (11%).

“This study demonstrates the increasing sophistication of threat actors around the world who are leveraging brute force methods, massive credential dumps, and successful phishing attacks to compromise cloud accounts at unprecedented scale. Service accounts and shared mailboxes are particularly vulnerable while multifactor authentication has proven vulnerable,” concludes the study.

“Attackers parlay successful compromises into internal phishing attacks, lateral movement in organizations, and additional compromises at trusted external organizations.”

Pierluigi Paganini

(SecurityAffairs – IMAP, hacking)

The post Massive attacks bypass MFA on Office 365 and G Suite accounts via IMAP Protocol appeared first on Security Affairs.


Uh Oh 365

In an earlier post, I talked about how some vendors tend to push enterprises into a weaker security posture. In this post, I continue with information relating to Office 365. Microsoft’s cloud implementation of the Office suite is mind boggling in its complexity and sheer want of native connectivity. If you are using a proxy, […]

A Look at the Cerber Office 365 Ransomware

Reports of a zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other zero-day threats that have been popping up like mushrooms of late, the main method of infection is through the use of Office macros.

This blog provides an analysis of the Cerber variant using traditional reverse-engineering and ThreatTrack’s newest version of our malware analysis sandbox, ThreatAnalyzer 6.1.

Analyzing Cerber

Reverse engineering in general, more often than not, requires that one gets a broad view of what the target is doing. Whether you’re analyzing a malware sample or trying to figure out what a function does from obfuscated code, it is best to get the general “feel” of your target before narrowing down to the specifics.

ThreatAnalyzer is a sandbox that executes a program, file or URL in a controlled, monitored environment and provides a detailed report enabling the researcher or analyst to get a good look at what the sample will do at run time. It is also worth noting that a sandbox is a good tool for generating Threat Intelligence to quickly get IOCs (Indicators of Compromise). The latest version of this sandbox, ThreatAnalyzer 6.1, has a built-in behavioral detection mechanism that enables users to see the general behavior of a sample and, based on that particular set of behaviors, predict if the program in question is malicious or benign in nature.

Fig: ThreatAnalyzer’s unique behavior determination engine


Fig 1: ThreatAnalyzer 6.1 in action


Looking at the figure above, on the analysis screen, ThreatAnalyzer 6.1 has provided the following vital information on this particular sample:

  1. Determines that the sample is malicious on 3 different fronts:
    1. ThreatIQ (our integrated threat intelligence server) observed the sample trying to beacon to blacklisted URLs
    2. The sample is detected by one or more antivirus engines
    3. Based on the behavior that it performed, there is a high probability that the sample is malicious
  2. Shows the researcher/user the changes in Registry, IO (File), Network attempts it made, and processes that it spawned
  3. Compacts all detailed information that it has gathered into a downloadable PDF or XML report. If users choose, they can download the archive, which includes the detailed report, any significant files that were generated, screenshots of the windows spawned and a copy of the PCAP file if any network activities were logged

ThreatAnalyzer also provides a detailed report of the sample you analyzed in XML, JSON or PDF format. These reports contain the processes that were spawned, what files were modified, created or accessed, registries that were manipulated, objects that were created and any network connections that were made.

If we look further at the particular XML file of the sample we analyzed, we can gather the following activities:

  • Spawned WINWORD.EXE (normal since we fed a DOTM file), but the process tree shows that it spawned
    • Cmd.exe
    • Wscript.exe
  • Created a randomly named VBS file in %appdata%
    • %appdata%\15339.vbs
    • Cmd.exe /V /C set “GSI=%APPDATA%\%RANDOM%.vbs” (for %i in (“DIm RWRL” “FuNCtioN GNbiPp(Pt5SZ1)” “EYnt=45” “GNbiPp=AsC(Pt5SZ1)” “Xn1=52” “eNd fuNCtiON” “SUb OjrYyD9()”
  • Seeded another cmd.exe calling the VBS file
  • Made an attempt to connect to
    • httx://solidaritedeproximite.org/mhtr.jpg
  • Made a randomly named .TMP in %appdata% and executed it
    • Hash: ee0828a4e4c195d97313bfc7d4b531f1

These are highly suspicious activities given that we were trying to analyze an Office document file. The behavior above cannot be classified as normal. So the next time you’re nervous about opening an attachment, even if it came from a person or organization you know, feed it to a sandbox like ThreatAnalyzer and have a look before running it on your production machine.
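The process tree in the report (WINWORD.EXE leading to Cmd.exe and Wscript.exe, with a script written under %appdata%) is a pattern endpoint telemetry can flag directly. The following is an added detection sketch, not ThreatAnalyzer output or ThreatTrack code; the event tuple layout, the Office and script-host name sets, and the sample events are constructed assumptions modelled on the activities listed above.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
APPDATA_SCRIPT = re.compile(r'%appdata%\\[^"\s]*\.(vbs|js|tmp)', re.I)

# Constructed process-creation events: (pid, parent pid, image, command line)
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "WINWORD.EXE", 'WINWORD.EXE /n "sample.dotm"'),
    (300, 200, "cmd.exe", 'cmd.exe /V /C set "GSI=%APPDATA%\\%RANDOM%.vbs" ...'),
    (310, 300, "cmd.exe", 'cmd.exe /C "%APPDATA%\\15339.vbs"'),
    (320, 310, "wscript.exe", 'wscript.exe "%APPDATA%\\15339.vbs"'),
    (400, 100, "cmd.exe", "cmd.exe /C dir"),  # benign: shell started by the user
]

def office_script_descendants(events):
    """Return shells/script hosts that have an Office application anywhere in their ancestry."""
    procs = {pid: (ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, (ppid, image, cmd) in procs.items():
        if image not in SCRIPT_HOSTS:
            continue
        chain, cur, seen = [image], ppid, {pid}
        # Walk up the parent chain; 'seen' guards against loops from reused PIDs
        while cur in procs and cur not in seen:
            seen.add(cur)
            parent_ppid, parent_image, _ = procs[cur]
            chain.append(parent_image)
            if parent_image in OFFICE:
                findings.append({
                    "pid": pid,
                    "chain": " <- ".join(chain),
                    "references_appdata_script": bool(APPDATA_SCRIPT.search(cmd)),
                })
                break
            cur = parent_ppid
    return findings

if __name__ == "__main__":
    for finding in office_script_descendants(EVENTS):
        print(finding)
```

Walking the full ancestry rather than checking only the direct parent catches the second cmd.exe and the wscript.exe that sit two and three levels below the document process.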

Good ol’ reverse engineering

Office 365 Enable Content


Looking at how this ransomware was coded, it will infect not only Office 365 users but also users of Office 2007 and above. The macro inside the Document_Open function auto-executes once the malicious Office attachment is opened, but only if the macro setting is enabled or, in earlier Office versions, security is set to low. Quite possibly in an attempt to slow down the analysis process and bypass traditional AV signatures, each iteration of this Cerber macro variant is obfuscated.

Auto-execution macro inside Cerber macro


The macro then creates a script located in %appdata%. The VBS is also obfuscated but luckily not encrypted. It is interesting to note a particular action that may or may not be an intended feature to bypass behavioral detection: it uses the Timer function to generate a random integer and compares it to a self-generated variable, and the result of this comparison is the condition under which the code that downloads the cryptor component runs.

Using the built-in network features of VBS, it will attempt to connect to a remote server and download a particular file.

httx://solidaritedeproximite.org/mhtr.jpg

This may seem harmless as it is just a simple JPG file, right? Well, the VBS code also indicates that it will write the contents of that file to a .TMP in %appdata% and execute it. Although this technique has been used by other malware and dates back years, it is still interesting to see.

Download the file, save it, then Run


Md5 Hash: ee0828a4e4c195d97313bfc7d4b531f1

The downloaded file is the cryptor part of the Cerber ransomware. This program is the one responsible for scanning and encrypting target files on a victim’s system. The full analysis of this component will be discussed in a separate blog post. It is interesting to note that the downloaded Cerber executable will encrypt your files even in the absence of an internet connection. The code inside the EXE indicates that it does not connect to a remote server (unlike the ones before it, e.g. CryptoWall, Locky, TeslaCrypt, etc.) to encrypt the victim’s files.

Once a system is successfully infected, it will display the following on the desktop.

And spawn an instance of your browser containing the message:

And play a sound “your documents, photos, databases, and other important files have been encrypted” in a robot voice.

Infection Summary

Flow of the Cerber attack scenario


  1. A spear-phishing email that contains a malicious Office attachment arrives.
  2. If the user opens the email and executes the attachment AND the macro setting for Office is set to enabled, the macro will execute, spawning another VBS script.
  3. The script contacts a remote server, then downloads and executes the cryptor part of the Cerber ransomware.
  4. The cryptor proceeds to scan and encrypt the user’s files.
  5. It displays a notice that your system has been infected by Cerber ransomware.

The post A Look at the Cerber Office 365 Ransomware appeared first on ThreatTrack Security Labs Blog.