- Cybercriminals are using fake Microsoft Teams updates ads to deploy Cobalt Strike, according to a "non-public security advisory" from Microsoft obtained by Bleeping Computer. "We are aware of reports and are investigating. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages," said a Microsoft spokesperson in an email.
- Microsoft is suggesting customers use Microsoft's Defender ATP to mitigate the FakeUpdates risk, which is linked to the DoppelPaymer and WastedLocker ransomware strains, according to the report. Microsoft uncovered an attack where bad actors bought a search engine ad "that caused top results for Teams software to point to a domain under their control," Bleeping Computer said.
- When clicking on a link, users downloaded payloaders, including Predator the Thief infostealer and Cobalt Strike beacons. Microsoft believes the same operators are behind a handful of attacks that ultimately lead to data encryption.
Malware disguised in fraudulent ads or updates is another phishing scheme organizations need to watch for. At least 60,000 parked domains became "malicious," or linked to phishing and malware, between March and September, according to Palo Alto Networks' Unit 42.
In the Microsoft Teams example, when a victim clicked on a corrupt link, a PowerShell script was executed via a payloader. To disguise the malicious activity, a "legitimate copy" of Microsoft Teams was also installed, according to the report.
While fake ads and updates are nothing new, they have a greater chance at success in a mass remote work environment. Employees are likely using personal devices, which "may not have corporate or company security protections installed to mitigate the threats associated with these types of droppers," said Dan L. Dodson, CEO of Fortified Health Security.
The reported attacks are using known tactics and tools. The Predator the Thief malware was discovered in 2018 and is often found on hacking forums, according to Fortinet. It performs typical functions of a stealer malware: sends its operators credentials, search history, or images from hijacked webcams. What sets it apart from other stealers written in C#, is that the Predator is "fully written in C/C++," according to researchers.
Cobalt Strike, a penetration tool for white hat hackers, has become a staple for cybercriminals and is easily manipulated. "When its capabilities are utilized by a cybercriminal, Cobalt Strike can compromise an entire network," said Dodson.
In a typical Ryuk ransomware attack, Cobalt Strike's role, in conjunction with Mimikatz, LaZagne or Kerbrute, to perform reconnaissance, browser pivoting, and unmonitored communication. IBM uncovered an overlap in code signing certificates between Cobalt Strike Beacon and Ryuk.
Key to mitigating these attacks is employee awareness and training. "Ask questions and learn from one another. We are all in this fight together," said Dodson.