One involved ‘Multi-Factor Authentication fatigue’; another used hotel booking lures, and the last threat acted as a dropper for other malware
At the beginning of August 2022, the Yanluowang ransomware group attacked Cisco, targeting an employee’s personal Google account that held synced corporate credentials. The victim suffered ‘MFA fatigue’: flooded with repeated Multi-Factor Authentication push notifications, the employee finally approved one of them just to stop the deluge.
While Cisco stated that the attackers had only been able to harvest non-sensitive data from a Box folder linked to the compromised employee’s account, the attackers subsequently published proof that around 2.75GB of data had been exfiltrated.
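The pattern described above (many push challenges that time out or are denied, then a single approval) is visible in identity-provider logs and can be alerted on. The following detector is an added example, not code from the original article or from Cisco; the log format, field names and sample events are constructed for illustration and would need to be mapped onto a real IdP's push-authentication events (Duo, Okta, Azure AD and the like) before use.

```python
"""Detect an MFA-fatigue pattern in push-authentication logs.

Added example with a constructed log format:
  <ISO-8601 time> user=<name> event=<type> result=<result> ip=<addr>
An alert is raised when an approval follows a burst of pushes to the same
user within a short window, most of which timed out or were denied.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RESULTS = {"timeout", "deny"}

# Constructed sample events (TEST-NET addresses); not from any real incident.
# jdoe: five ignored/denied pushes in eight minutes, then one approval.
# asmith and bob: ordinary logins that should not alert.
SAMPLE_LOG = """\
2022-08-10T02:12:00Z user=jdoe event=password_login result=success ip=203.0.113.7
2022-08-10T02:14:03Z user=jdoe event=mfa_push result=timeout ip=203.0.113.7
2022-08-10T02:15:10Z user=jdoe event=mfa_push result=timeout ip=203.0.113.7
2022-08-10T02:16:00Z user=asmith event=mfa_push result=approve ip=198.51.100.20
2022-08-10T02:16:22Z user=jdoe event=mfa_push result=deny ip=203.0.113.7
2022-08-10T02:17:41Z user=jdoe event=mfa_push result=timeout ip=203.0.113.7
2022-08-10T02:19:05Z user=jdoe event=mfa_push result=deny ip=203.0.113.7
2022-08-10T02:21:30Z user=jdoe event=mfa_push result=approve ip=203.0.113.7
2022-08-10T09:01:00Z user=bob event=mfa_push result=timeout ip=198.51.100.21
2022-08-10T09:01:45Z user=bob event=mfa_push result=approve ip=198.51.100.21
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime under 'ts'; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        # fromisoformat() on older Pythons does not accept a trailing 'Z'.
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = ts
    return fields


def detect_mfa_fatigue(lines, window=timedelta(minutes=10),
                       min_challenges=5, min_failures=3):
    """Return one alert dict per approval that follows a burst of failed pushes.

    For every approved push, look back `window` at the same user's pushes
    (the approval included). Alert when the burst is large enough and most
    of it consists of timeouts or denials. A single retry never alerts.
    """
    pushes = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.get("event") == "mfa_push" and "user" in ev:
            pushes[ev["user"]].append(ev)

    alerts = []
    for user, events in pushes.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev.get("result") != "approve":
                continue
            start = ev["ts"] - window
            recent = [e for e in events[: i + 1] if e["ts"] >= start]
            failures = sum(1 for e in recent if e.get("result") in FAILED_RESULTS)
            if len(recent) >= min_challenges and failures >= min_failures:
                alerts.append({
                    "user": user,
                    "challenges": len(recent),
                    "failures": failures,
                    "approved_at": ev["ts"].isoformat(),
                    "ip": ev.get("ip"),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print("possible MFA fatigue:", alert)
```

The thresholds are deliberately conservative so that a user who misses one push and retries is not flagged; tune `window`, `min_challenges` and `min_failures` to your own baseline of legitimate retries. The detection complements, rather than replaces, the preventive controls that remove the attacker's lever: number matching on the push prompt, a cap on outstanding pushes per user, and phishing-resistant factors such as FIDO2 keys.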
Meanwhile, in the same month of August, the IcedID infostealer was observed repeatedly, each time with a different delivery chain:
- Walmart Global Tech disclosed that PrivateLoader continued to function as an effective loading service, recently leveraging SmokeLoader to deliver its payloads.
- Palo Alto Networks Unit 42, monitoring OSINT sources, identified a new IcedID (Bokbot) infection that led to Cobalt Strike, as reported on Twitter. Bokbot mainly targets businesses and steals payment information; it also acts as a loader that can deliver other malware or download additional modules.
- A researcher at the SANS Internet Storm Center observed IcedID delivering Dark VNC and Cobalt Strike in a campaign by the threat actor Monster Libra (also known as TA551 or Shathak), which has started distributing a new IcedID infection chain that begins with a password-protected zip archive.
Finally, a smaller threat actor, the TA558 group, was actively targeting hospitality, hotel, and travel organizations, primarily Portuguese and Spanish speakers in Latin America, Western Europe and North America. It uses multiple malware families in its attacks, including Loda RAT, Vjw0rm, and Revenge RAT, delivered via phishing campaigns featuring hotel booking lures. The malware is used to steal personal and financial data from hotel customers, including credit card information, to perform lateral movement, and to deliver additional payloads.
According to Securonix Threat Labs, which provided the list of incidents analyzed internally, 4,783 indicators of compromise, 115 distinct threats, and 62 threat detections were identified for the month.