By Bill Toulas October 16, 2022 10:07 AM

A new Ducktail phishing campaign is spreading a never-before-seen Windows information-stealing malware written in PHP used to steal Facebook accounts, browser data, and cryptocurrency wallets.

Ducktail phishing campaigns were first revealed by researchers from WithSecure in July 2022, who linked the attacks to Vietnamese hackers.

Those campaigns relied on social engineering attacks through LinkedIn, pushing .NET Core malware masquerading as a PDF document supposedly containing details about a marketing project.

The malware targeted information stored in browsers, focusing on Facebook Business account data, and exfiltrated it to a private Telegram channel that acted as a C2 server. These stolen credentials are then used for financial fraud or to conduct malicious advertising.

Zscaler now reports spotting signs of new activity involving a refreshed Ducktail campaign that uses a PHP script to act as a Windows information-stealing malware.
A PHP information-stealing malware

Ducktail has now replaced the older NET Core information-stealing malware used in previous campaigns with one written in PHP.

Most of the fake lures for this campaign are related to games, subtitle files, adult videos, and cracked MS Office applications. These are hosted in ZIP format on legitimate file hosting services.

When executed, the installation takes place in the background while the victim sees fake ‘Checking Application Compatibility’ pop-ups in the frontend, waiting for a fake application sent by the scammers to install.

The malware will ultimately be extracted to the %LocalAppData%\Packages\PXT folder, which includes the PHP.exe local interpreter, various scripts used to steal information, and supporting tools, as shown below.

My comments last week about droppng Corportae Facebook seem to be coming true

Article (https://www.bleepingcomputer.com/news/security/new-php-information-stealing-malware-targets-facebook-accounts/)

Bitdefender will do a content filter to Block Access to Facebook

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

By Sergiu Gatlan September 27, 2022 03:11 PM
Microsoft announced today that it will retire Client Access Rules (CARs) in Exchange Online within a year, by September 2023.

Microsoft also recently warned customers that it would start disabling basic authentication in random tenants to improve Exchange Online security beginning October 1, 2022.

CARs are sets of conditions, exceptions, actions, and priority values that allow Microsoft 365 admins to filter client access to Exchange Online based on many factors.

Connections can be allowed or blocked based on the client’s IP addresses and authentication type, as well as the protocol, application, or service they’re using to connect.

In short, once configured, they help control who can access what resources in an Exchange Online organization.

“Today, we are announcing the retirement of CARs in Exchange Online, to be fully deprecated by September 2023,” the Exchange Team said.

“We will send Message Center posts to tenants using client access rules to start the planning process to migrate their rules.”

The company will begin the deprecation process by first disabling client access rules in tenants where they’re unused starting October 2022.

Until September 2023, Microsoft plans to help migrate all remaining tenants from CARs to use new access control features like continuous access evaluation (CAE).
Client access rules deprecation timeline
Client access rules deprecation timeline (Microsoft)

​”If you do not currently use CARs, cmdlets will be disabled for your tenant after October 2022,” the Exchange Team added.

“If you currently have CARs configured in your tenant you will be able to keep using them until September 2023, which provides you with time to migrate other, more resilient options.”

As Redmond explains, the switch to CAE access control to Exchange Online resources is designed to add extra resiliency by proactively terminating active user sessions and ensuring tenant policy change enforcement in almost real-time.

“Now with new features, like Continuous Access Evaluation (CAE) that allows Azure Active Directory applications to subscribe to critical events, that can then be evaluated and enforced in near real time; you can have better control while also adding resiliency to your organization,” the Exchange Team said.

Microsoft also recently warned customers that it would start disabling basic authentication in random tenants to improve Exchange Online security beginning October 1, 2022.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-to-retire-exchange-online-client-access-rules-in-a-year/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

By Sergiu Gatlan September 23, 2022 07:28 AM

Microsoft has acknowledged a known issue where copying files/shortcuts using Group Policy Preferences on Windows client devices might not work as expected after installing recent Windows cumulative updates released during this month’s Patch Tuesday.

On affected systems, files or shortcuts will not copy to the target drives or end up as zero-byte files when using Group Policy file operations.

“File copies using Group Policy Preferences might fail or might create empty shortcuts or files using 0 (zero) bytes,” Microsoft explained.

“Known affected Group Policy Objects are related to files and shortcuts in User Configuration -> Preferences -> Windows Settings in Group Policy Editor.”

The list of affected platforms includes client (from Windows 8.1 up to Windows 11 22H2) and server releases (from Windows Server 2008 SP2 and up to Windows Server 2022).

Microsoft acknowledged the issue following a stream of Windows admin reports across multiple social networks and on Microsoft’s online community regarding issues with Group Policy settings after deploying September 2022 Patch Tuesday updates.

At the time, some of the affected admins suggested a radical fix requiring manually uninstalling and hiding the offending cumulative updates. Unfortunately, this would also remove all fixes for recently patched security vulnerabilities.

However, multiple admins have also reported that un-checking the “Run in user security context” option on the affected GPOs will help address the file copying and shortcut creation problems.
Official workarounds are also available

Microsoft confirmed the last workaround shared by impacted customers before the issue was acknowledged, together with a couple of additional ways to mitigate the issue (any one of them is enough for mitigation) :

Uncheck the “Run in logged-on user’s security context (user policy option).” Note: This might not mitigate the issue for items using a wildcard (*).
Within the affected Group Policy, change “Action” from “Replace” to “Update.”
If a wildcard (*) is used in the location or destination, deleting the trailing “\” (backslash, without quotes) from the destination might allow the copy to be successful.

Redmond also added that its developers are working on a resolution for this known issue and will provide a fix with an upcoming update.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-workarounds-for-windows-group-policy-issues/)

Microsoft: Windows KB5017383 preview update added to WSUS by mistake
(https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-kb5017383-preview-update-added-to-wsus-by-mistake/)
Microsoft rolls out emergency fix for blocked Windows logins (https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-emergency-fix-for-blocked-windows-logins/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

By Sergiu Gatlan September 22, 2022 01:13 PM
Microsoft says a threat actor gained access to cloud tenants hosting Microsoft Exchange servers in credential stuffing attacks, with the end goal of deploying malicious OAuth applications and sending phishing emails.

“The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access,” the Microsoft 365 Defender Research Team said.

“The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server.”

The attacker then used this inbound connector and transport rules designed to help evade detection to deliver phishing emails through the compromised Exchange servers.

The threat actors deleted the malicious inbound connector and all the transport rules between spam campaigns as an additional defense evasion measure.

In contrast, the OAuth application remained dormant for months between attacks until it was used again to add new connectors and rules before the next wave of attacks.

These email campaigns were triggered from Amazon SES and Mail Chimp email infrastructure commonly used to send marketing emails in bulk.
The attacker used a network of single-tenant applications as an identity platform throughout the attack.

After detecting the attack, Redmond took down all apps linked to this network, sent alerts, and recommended remediation measures to all affected customers.

Microsoft says this threat actor was linked to campaigns pushing phishing emails for many years.

The attacker was also seen sending high volumes of spam emails within short timeframes through other means “such as connecting to mail servers from rogue IP addresses or sending directly from legitimate cloud-based bulk email sending infrastructure.”

“The actor’s motive was to propagate deceptive sweepstakes spam emails designed to trick recipients into providing credit card details and signing up for recurring subscriptions under the guise of winning a valuable prize,” Microsoft further revealed.

“While the scheme possibly led to unwanted charges for targets, there was no evidence of overt security threats such as credential phishing or malware distribution.”

Article (https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-via-oauth-apps-for-phishing/)
Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

This week, SecurityBoulevard has featured an interesting article on why APIs have no clothes — APIs being the digital equivalent of the protagonist in the Hans Christian Andersen’s folktale The Emperor’s New Clothes. In the story, the emperor was exposed, but no one told him or was willing to do anything about it. Not so different from where you might find yourself with APIs.

The first challenge to API security the author highlights is presented by the disappearing perimeter. Organizations can no longer rely on perimeter protections, such as firewalls, to protect their assets. The adoption of cloud technology and PaaS has meant that the external perimeter is largely eroded. Instead, the focus needs to move to protect the API endpoints themselves by using advanced authentication like multi-factor authentication (MFA), and monitoring multiple levels of the network to identify attacks.

As ever, the lack of cybersecurity talent and skills only exacerbates the problem, and nowhere is this more acutely felt than with APIs. Many of the lessons learned with protecting web applications no longer apply to APIs, and teams need to learn new skills or adapt their methods to protect APIs.

To remedy this and get your APIs covered, the author suggests going back to the basics in protecting APIs, namely:

Authentication
Auditing and logging
Encryption

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

“Where Service and Technical Skills Count”