Hackers are going after high-ranking professionals, including senior executives, with targeted phishing and cloud account takeover attacks, new research claims.
A report from Proofpoint outlined a new campaign to compromise Microsoft Azure cloud environments and accounts starting in late November 2023.
Unidentified threat actors were seen distributing individualized phishing lures within shared documents. Some of the documents, researchers claim, include embedded “View Document” links that simply redirect victims to a malicious phishing page that steals their login credentials.
Stealing data and covering their tracks
While hackers appear to be casting a relatively wide net, they are still going after managers and senior management. Frequent targets include sales directors, account managers and financial managers, as well as people in executive positions such as “vice president of operations”, “Chief Financial Officer and Treasurer” and “President and CEO”.
If they manage to breach their targets' cloud environments, hackers do several things, from setting up their own multi-factor authentication to maintaining persistence and exfiltrating data. In some cases, they also use their position to engage in business email compromise (BEC) and conduct wire fraud, sending payment requests to human resources and finance departments.
Finally, they establish different mailbox rules to cover their tracks and erase any evidence of their presence on the target network.
While the hackers' infrastructure included “several proxy servers, data hosting services, and hijacked domains,” they also used local landline ISPs, giving investigators a clue to their location. Some of these non-proxy sources include Russia-based 'Selena Telecom LLC' and Nigerian providers 'Airtel Networks Limited' and 'MTN Nigeria Communication Limited', leading Proofpoint to assume that the attackers could be of Russian and Nigerian origin.
However, it is worth mentioning that Proofpoint has not yet attributed this campaign to any particular threat actor.