Defenders don't rest. They wake up every day thinking about how to protect the systems that they are charged to protect. Meanwhile, attackers are also looking for crafty ways to infect a system or break into computer networks. In the end, it's good for everyone if defenders are always one step ahead of the attackers.
EvilTokens: A phishing attack that doesn’t steal your password
A phishing attack that does not require creating fake login pages or stealing your passwords. I was speechless when I read the article's title, and rightly so once I read how the attackers executed the attack.
The following should get you started:
EvilTokens is a phishing-as-a-service (PhaaS) kit built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow.
As attacks that use the kit rely on device code phishing, they sidestep the need for convincing replicas of genuine login pages where the victims would hand over their passwords.
Instead, attackers get the victim to complete a legitimate authentication process – including two-factor authentication (2FA) – on a real Microsoft login page.
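One way a tenant admin can watch for this flow in sign-in logs, as an added example that is not from the article or from the kit's researchers: it runs over constructed records shaped like Microsoft Graph signIn objects (the Graph `authenticationProtocol` field takes the value `deviceCode`) and applies a hypothetical allow-list of client apps and trusted address prefixes, which you would replace with your tenant's own.

```python
import json

# Constructed sample records in the shape of Microsoft Graph signIn objects.
# Field names follow the Graph sign-in schema; every value here is made up.
SAMPLE_SIGNINS_JSON = """[
 {"id": "s1", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
  "authenticationProtocol": "authorizationCode", "appDisplayName": "Microsoft Office"},
 {"id": "s2", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.11",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI"},
 {"id": "s3", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
 {"id": "s4", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"}
]"""
SAMPLE_SIGNINS = json.loads(SAMPLE_SIGNINS_JSON)

# Hypothetical tenant policy: which client apps are expected to use the device
# code flow at all, and which egress prefixes count as trusted.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}
TRUSTED_IP_PREFIXES = ("203.0.113.",)


def device_code_findings(signins, expected_apps=EXPECTED_DEVICE_CODE_APPS,
                         trusted_prefixes=TRUSTED_IP_PREFIXES):
    """One finding per device-code sign-in. Every device-code grant by an
    interactive user deserves a look; one from an unexpected client app or an
    untrusted address is rated high."""
    findings = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if rec.get("appDisplayName") not in expected_apps:
            reasons.append("unexpected client app for device code flow")
        if not rec.get("ipAddress", "").startswith(trusted_prefixes):
            reasons.append("sign-in from untrusted address")
        findings.append({"id": rec["id"], "user": rec["userPrincipalName"],
                         "severity": "high" if reasons else "medium",
                         "reasons": reasons})
    return findings


def repeat_offenders(findings, threshold=2):
    """Users with `threshold` or more device-code sign-ins in the batch; a
    victim who completed the flow more than once shows up here."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

Feeding it real exports means pulling the signIn records from the Graph API or a SIEM and adjusting the two policy constants; the logic itself does not change.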
One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
The good news is that MSFT mitigated the flaw. What's left for tenant admins is to watch and contain. The interesting thing is how the researchers pulled off the attack.
Here is what they did:
Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were unlikely to flag it.
The entry point is the q parameter in the Copilot Enterprise Search URL. It is meant for a natural-language query, but Copilot reads whatever sits there as instructions, not just a search string. Varonis calls this Parameter-to-Prompt injection.
Low-skilled attacker used Claude, Codex to breach 14 companies
The barrier to entry into cybercrime has never been this low, and what's reported in this article proves it. Also, you'd expect that since the attacker is described as low-skilled, they would make rookie OPSEC mistakes, and they did.
From the article:
“In many cases, the attacker supplied only vague, low-skill prompts and allowed Claude to fill in the gaps: researching exposed services, identifying possible vulnerabilities, writing exploit code, validating access, and harvesting data,” the researchers noted.
“The attacker did not need to be an expert operator; they simply had to use the correct framing for their prompts. The agent supplied much of the structure and technical execution that the attacker appeared to lack.”
Massive breach spills credentials for thousands of sensitive networks
Just when you think we are safe because we have firewalls and the big tech companies protecting our infrastructure, you read an article like this and almost give up, wondering which system is safe.
Here is what's going on:
“The scale of this breach touches nearly every sector of the global economy, sparing no industry,” researchers from Hudson Rock, a security firm that also analyzed the data, wrote. “The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.”
Rokarolla Android trojan targets banking and crypto users, enables device takeover
Android Trojans and their funny names are something else. The article's title clearly states what the Trojan does. One thing surprises me every time I read an article like this: given the amount of effort the developers put into this malware, couldn't they put the same effort into developing an application they can somehow monetize? Or something along those lines?
I mean, read the following:
“Its malicious capabilities include harvesting lock screen credentials, exfiltrating sensitive contact lists and SMS data, and utilizing keyloggers to continuously record user input,” the researchers said.
“Furthermore, the trojan actively conceals its operations and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect.”
USB worm spreads crypto-stealing malware via Windows shortcut files
I don't know. At the end of the day, most of the time malware is just after stealing something from an infected system. This is yet another example.
From the article:
The campaign has been active since at least February and relies on LNK (shortcut) files on USB drives to push clipper malware that monitors clipboard contents and replaces cryptocurrency wallet addresses with ones controlled by the attacker.
Microsoft says that the infection process starts with the victim opening the LNK file, triggering the malware on the USB drive. Additional payloads are staged from a .ONION address.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.