New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

FYI: we do have phishing training available. Spend the money, don’t get malware. Targets O365 and G Suite, which in reality are easy targets.

By Bill Toulas March 25, 2024 12:56 PM

Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named ‘Tycoon 2FA’ to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection.

Tycoon 2FA was discovered by Sekoia analysts in October 2023 during routine threat hunting, but it has been active since at least August 2023, when the Saad Tycoon group offered it through private Telegram channels.

The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers.

In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks.

Tycoon 2FA attacks

Tycoon 2FA attacks involve a multi-step process in which the threat actor steals session cookies by using a reverse proxy server that hosts the phishing web page, intercepts the victim’s input, and relays it to the legitimate service.

“Once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies,” Sekoia explains. This way, the attacker can replay a user’s session and bypass multi-factor authentication (MFA) mechanisms.

Sekoia’s report describes the attack in seven distinct stages, listed below:

Stage 0 – Attackers distribute malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages.
Stage 1 – A security challenge (Cloudflare Turnstile) filters out bots, allowing only human interactions to proceed to the deceptive phishing site.
Stage 2 – Background scripts extract the victim’s email from the URL to customize the phishing attack.
Stage 3 – Users are quietly redirected to another part of the phishing site, moving them closer to the fake login page.
Stage 4 – This stage presents a fake Microsoft login page to steal credentials, using WebSockets for data exfiltration.
Stage 5 – The kit mimics a 2FA challenge, intercepting the 2FA token or response to bypass security measures.
Stage 6 – Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack’s success.

An overview of the attack, including all the steps of the process, is given in the diagram below.

Evolution and scale

Sekoia reports that the latest version of the Tycoon 2FA phishing kit, released this year, has introduced significant modifications that improve the phishing and evasion capabilities.

Key changes include updates to the JavaScript and HTML code, alterations in the order of resource retrieval, and more extensive filtering to block traffic from bots and analytical tools.

For example, the kit now delays loading malicious resources until after the Cloudflare Turnstile challenge is resolved, using pseudorandom names for URLs to obscure its activities.

Also, Tor network traffic or IP addresses linked to data centers are now better identified, while traffic is rejected based on specific user-agent strings.

Regarding the scale of operations, Sekoia reports that it’s substantial, as there’s evidence of a broad user base of cybercriminals currently utilizing Tycoon 2FA for phishing operations.

The Bitcoin wallet linked to the operators has recorded over 1,800 transactions since October 2019, with a notable increment starting August 2023, when the kit was launched.

Over 530 transactions were over $120, which is the entry price for a 10-day phishing link. By mid-March 2024, the threat actors’ wallet had received a total of $394,015 worth of cryptocurrency.

Tycoon 2FA is just a recent addition to a PhaaS space that already offers cybercriminals plenty of options. Other notable platforms that can bypass 2FA protections include LabHost, Greatness, and Robin Banks.

For a list of the indicators of compromise (IoCs) linked to the Tycoon 2FA operation, Sekoia makes available a repository with over 50 entries.
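As an added example that is not part of the article or of Sekoia’s material, the PowerShell below shows how a defender can match a local copy of an IoC domain list against web-proxy log lines. The domain names and log lines are constructed placeholders, not real Tycoon 2FA indicators; the real list would come from Sekoia’s repository. It also flags URLs that carry an email address in the query string, since the kit reads the victim’s address from the URL (Stage 2), and treats subdomains of an indicator as matches because the redirect chain (Stage 3) walks through several hostnames.

```powershell
# Added example, not from the article or Sekoia. The domains below are
# constructed placeholders; replace them with entries from Sekoia's IoC repository.
$IocDomains = @(
    'ioc-placeholder-1.example',
    'ioc-placeholder-2.example'
)

# Constructed sample proxy log lines: timestamp, user, URL, HTTP status.
$ProxyLogLines = @(
    '2024-03-25T08:01:12Z alice https://login.microsoftonline.com/common/oauth2/authorize 200',
    '2024-03-25T08:03:44Z bob https://ioc-placeholder-1.example/login?email=bob%40corp.example 200',
    '2024-03-25T08:05:09Z carol https://docs.example/report.pdf 200',
    '2024-03-25T08:07:51Z bob https://cdn.ioc-placeholder-2.example/ws 101'
)

function Get-IocMatches {
    param(
        [string[]]$LogLines,
        [string[]]$Domains
    )
    foreach ($line in $LogLines) {
        $fields = $line -split ' '
        if ($fields.Count -lt 3) { continue }
        try {
            $uri = [System.Uri]$fields[2]
        } catch {
            continue   # skip lines whose URL field does not parse
        }
        $hostName = $uri.Host.ToLowerInvariant()
        # Exact match or subdomain of an indicator domain.
        $hit = $Domains |
            Where-Object { $hostName -eq $_ -or $hostName.EndsWith(".$_") } |
            Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Timestamp  = $fields[0]
                User       = $fields[1]
                Host       = $hostName
                Indicator  = $hit
                # An email address in the query string is worth surfacing (Stage 2).
                EmailInUrl = [bool]($uri.Query -match '(?i)email=')
            }
        }
    }
}

Get-IocMatches -LogLines $ProxyLogLines -Domains $IocDomains | Format-Table -AutoSize
```

On the constructed input this reports the two lines for user bob, one of them with EmailInUrl set; the hits are the users whose sessions should be reviewed and whose Microsoft 365 or Google sessions should be revoked, since a completed login through the kit means the session cookie, not just the password, is in the attacker’s hands.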

Article (https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/)

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”


Google’s new AI search results promotes sites pushing malware, scams

(Get off Google Chrome)

By Mayank Parmar March 25, 2024 07:32 AM

Google’s new AI-powered ‘Search Generative Experience’ algorithms recommend scam sites that redirect visitors to unwanted Chrome extensions, fake iPhone giveaways, browser spam subscriptions, and tech support scams.

Earlier this month, Google began rolling out a new feature called Google Search Generative Experience (SGE) in its search results, which provides AI-generated quick summaries for search queries, including recommendations for other sites to visit related to the query.

However, as SEO consultant Lily Ray first spotted, Google’s SGE is recommending spammy and malicious sites within its conversational responses, making it easier for users to fall for scams.

BleepingComputer found that the listed sites promoted by SGE tend to use the .online TLD, the same HTML templates, and the same sites to perform redirects.

This similarity indicates that they are all part of the same SEO poisoning campaign that allowed them to be part of the Google index.

When clicking on the site in the Google search results, visitors will go through a series of redirects until they reach a scam site.

In BleepingComputer’s tests, the redirects most commonly lead to fake captchas or YouTube look-alike sites that try to trick the visitor into subscribing to browser notifications.

Browser notifications are a common tactic scammers use to send visitors a barrage of unwanted ads directly to the operating system desktop, even when you’re not on the website.

Once we subscribed to some of the notifications, we began to receive spam with advertisements for tech support affiliate scams, fake giveaways, and other unwanted sites.

In one instance, we received an alert for McAfee antivirus that led to a site claiming our system was infected with ten viruses, urging the visitor to “Scan now to remove viruses” or renew their license.

However, these misleading ads are simply designed to sell McAfee licenses so the fraudsters can earn affiliate commissions.

Finally, and while not as common, BleepingComputer saw some of the redirects pushing unwanted browser extensions that perform search hijacking, and potentially other malicious behavior.

Other scams promoted by the SGE results lead to fake Amazon giveaways that pretend to be loyalty programs giving away an Apple iPhone 15 Pro.

These giveaway scams are used to collect your personal information, which will be sold to other scammers and direct marketers.

Article (https://www.bleepingcomputer.com/news/google/googles-new-ai-search-results-promotes-sites-pushing-malware-scams/)



New Windows Server updates cause domain controller crashes, reboots

By Sergiu Gatlan March 20, 2024 04:40 PM

The March 2024 Windows Server updates are causing some domain controllers to crash and restart, according to widespread reports from Windows administrators.

Affected servers are freezing and rebooting because of a Local Security Authority Subsystem Service (LSASS) process memory leak introduced with the March 2024 cumulative updates for Windows Server 2016 and Windows Server 2022.

LSASS is a Windows service that enforces security policies and handles user logins, access token creation, and password changes.

As many admins have warned, after installing the KB5035855 and KB5035857 Windows Server updates released this Patch Tuesday, domain controllers with the latest updates crash and reboot due to ever-increasing LSASS memory usage.

“Since installation of the March updates (Exchange as well as regular Windows Server updates) most of our DCs show constantly increasing lsass memory usage (until they die),” one admin said.

“We’ve had issues with lsass.exe on domain controllers (2016 core, 2022 with DE and 2022 core domain controllers) leaking memory as well. To the point all domain controllers crashed over the weekend and caused an outage,” another one added.

“Our symptoms were ballooning memory usage on the lsass.exe process after installing KB5035855 (Server 2016) and KB5035857 (Server 2022) to the point that all physical and virtual memory was consumed and the machine hung,” one admin told BleepingComputer.

“The Support rep says they expect official comms to be announced from Microsoft soon.”

Temporary workaround available

Until Microsoft officially acknowledges this memory leak issue, admins are advised to uninstall the buggy Windows Server updates from their domain controllers.

“Microsoft Support has recommended that we uninstall the update for the time being,” the same admin told BleepingComputer.

To remove the troublesome updates, open an elevated command prompt by clicking the Start menu, typing ‘cmd,’ right-clicking the Command Prompt application, and then choosing ‘Run as Administrator.’

Next, run one of the following commands, depending on which update is installed on your Windows domain controller (KB5035855 for Windows Server 2016, KB5035857 for Windows Server 2022):

wusa /uninstall /kb:5035855
wusa /uninstall /kb:5035857

Once uninstalled, you should also use the ‘Show or Hide Updates’ troubleshooter to hide the buggy update so it will no longer appear in the available updates list.
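The following PowerShell script is an added example, not from the article or from Microsoft, that wraps the workaround described above: it checks whether either of the two KBs named in the article is installed on the domain controller, reports the current lsass.exe working set so an admin can see the leak growing before the server hangs, and only on request runs the same wusa uninstall command the article gives. The KB numbers come from the article; the 2 GB warning threshold is an assumption and should be tuned to the DC’s memory.

```powershell
# Added example (not from the article or Microsoft). Run in an elevated
# PowerShell session on the domain controller.
$SuspectKBs = @('KB5035855', 'KB5035857')   # March 2024 CUs for Server 2016 / Server 2022 (from the article)

function Get-LsassStatus {
    param([int]$WarnWorkingSetMB = 2048)   # Assumed threshold; tune for your DCs

    # Which of the suspect updates are present on this server?
    $installed = Get-HotFix | Where-Object { $SuspectKBs -contains $_.HotFixID }

    # Current lsass.exe working set; the leak shows up as steady growth here.
    $lsass = Get-Process -Name lsass -ErrorAction SilentlyContinue
    $workingSetMB = if ($lsass) { [math]::Round($lsass.WorkingSet64 / 1MB, 0) } else { $null }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SuspectUpdates = ($installed.HotFixID -join ', ')
        InstalledOn    = ($installed.InstalledOn -join ', ')
        LsassWSMB      = $workingSetMB
        OverThreshold  = ($null -ne $workingSetMB -and $workingSetMB -gt $WarnWorkingSetMB)
    }
}

function Remove-SuspectUpdates {
    # Runs the same wusa command the article gives, once per installed KB.
    # /norestart lets the admin choose a maintenance window for the reboot.
    foreach ($kb in $SuspectKBs) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
            $num = $kb -replace '^KB', ''
            Write-Host "Uninstalling $kb ..."
            Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait
        }
    }
}

$status = Get-LsassStatus
$status | Format-List
if ($status.SuspectUpdates -and $status.OverThreshold) {
    Write-Warning "Suspect update installed and lsass working set is above threshold; run Remove-SuspectUpdates and schedule a reboot."
}
```

Running Get-LsassStatus on a schedule (or polling LsassWSMB every few minutes) gives early warning of the leak on servers where the update is still installed. The script deliberately does not hide the update; after uninstalling, the ‘Show or Hide Updates’ troubleshooter step above is still needed so the same KB is not reinstalled at the next update cycle.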

Microsoft addressed another LSASS memory leak affecting domain controllers in December 2022, when affected servers would freeze and restart after installing Windows Server updates released during the November 2022 Patch Tuesday.

In March 2022, Microsoft fixed one more LSASS crash, causing unexpected Windows Server domain controller reboots.

A Microsoft spokesperson could not immediately provide more details when contacted by BleepingComputer earlier today.

Article (https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-domain-controller-crashes-reboots/)

Update Article 3-21-2024 (https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-windows-server-issue-behind-domain-controller-crashes/)


Two different articles, must read

Brought to you by Bleeping Computer

ScreenConnect flaws exploited to drop new ToddleShark malware

The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark.

Article (https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploited-to-drop-new-toddleshark-malware/)

Hackers steal Windows NTLM authentication hashes in phishing attacks
Folks, you need phishing training!! We have it inexpensively for your clients.

The hacking group known as TA577 has recently shifted tactics by using phishing emails to steal NT LAN Manager (NTLM) authentication hashes to perform account hijacks.

Article (https://www.bleepingcomputer.com/news/security/hackers-steal-windows-ntlm-authentication-hashes-in-phishing-attacks/)
