Vacation Gifts Unsecure

Vacation Gifts Unsecure: Storm-0539 Targets Gift Card Fraud, Ledger’s Crypto Wallet Compromised – Microsoft Issues Urgent Warning


In a recent advisory, Microsoft has raised a red flag about a rising threat cluster it tracks as Storm-0539, which carries out gift card fraud and theft through targeted email and SMS phishing.

The wave of attacks is deliberately timed to the holiday shopping season, when gift card activity peaks and fraudulent redemptions are easiest to hide.

Modus Operandi: AiTM Phishing Pages

Storm-0539's first step is to distribute rigged links that steer unsuspecting victims to adversary-in-the-middle (AiTM) phishing pages. Because an AiTM page proxies the real login flow, it captures not only the victim's credentials but also the session token issued after the victim completes MFA.

According to Microsoft, Storm-0539 goes a step further once initial access is gained: it registers its own device so that subsequent secondary authentication prompts are answered by the attacker.

This tactic lets the threat actors bypass Multi-Factor Authentication (MFA) protections and establish persistence in the compromised environment using a fully compromised identity, even after the stolen session token expires.
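The persistence step just described leaves a recognisable trace: a sign-in from an address the user has never used before, followed shortly by the registration of a new MFA device from that same address. The following is an added detection example, not code from the original article or from Microsoft, run over constructed identity log records. The record shape (type, user, ip, time, device) is an assumption for illustration and does not represent any real product's log schema; users with no sign-in history are skipped because there is no baseline to compare against.

```javascript
// Added example: flag MFA device registrations that follow a sign-in from a
// never-before-seen IP within a short window. Record fields are assumed.

// Constructed sample events (not real log data). Alice has a baseline of
// sign-ins from 203.0.113.10, then a sign-in from a new IP followed 12 minutes
// later by a new authenticator registration from that IP. Bob has no history.
const SAMPLE_EVENTS = [
  { type: "signin", user: "alice@example.com", ip: "203.0.113.10", time: "2023-12-01T09:00:00Z" },
  { type: "signin", user: "alice@example.com", ip: "203.0.113.10", time: "2023-12-04T09:05:00Z" },
  { type: "signin", user: "alice@example.com", ip: "198.51.100.77", time: "2023-12-11T14:20:00Z" },
  { type: "mfa_device_registered", user: "alice@example.com", ip: "198.51.100.77", time: "2023-12-11T14:32:00Z", device: "Authenticator-NEW" },
  { type: "signin", user: "bob@example.com", ip: "203.0.113.22", time: "2023-12-11T10:00:00Z" },
  { type: "mfa_device_registered", user: "bob@example.com", ip: "203.0.113.22", time: "2023-12-11T10:03:00Z", device: "Authenticator-Phone" },
];

function findSuspiciousRegistrations(events, { windowHours = 24 } = {}) {
  // Process events in time order so "seen before" means before this event.
  const sorted = [...events].sort((a, b) => Date.parse(a.time) - Date.parse(b.time));
  const seenIps = new Map();   // user -> Set of IPs seen in earlier sign-ins
  const lastSignin = new Map(); // user -> { ip, time, isNewIp } of latest sign-in
  const alerts = [];

  for (const ev of sorted) {
    const t = Date.parse(ev.time);
    if (ev.type === "signin") {
      const ips = seenIps.get(ev.user) ?? new Set();
      // Only call an IP "new" when the user already has a baseline of sign-ins;
      // a first-ever sign-in cannot be judged against anything.
      const isNewIp = ips.size > 0 && !ips.has(ev.ip);
      lastSignin.set(ev.user, { ip: ev.ip, time: t, isNewIp });
      ips.add(ev.ip);
      seenIps.set(ev.user, ips);
    } else if (ev.type === "mfa_device_registered") {
      const prev = lastSignin.get(ev.user);
      const withinWindow = prev && t - prev.time <= windowHours * 3600 * 1000;
      if (withinWindow && prev.isNewIp && prev.ip === ev.ip) {
        alerts.push({
          user: ev.user,
          ip: ev.ip,
          device: ev.device,
          minutesAfterSignin: Math.round((t - prev.time) / 60000),
        });
      }
    }
  }
  return alerts;
}

console.log(findSuspiciousRegistrations(SAMPLE_EVENTS));
```

In a real environment the same logic would run over the identity provider's sign-in and audit logs, with the "new IP" test replaced by whatever baseline the organisation keeps (known networks, countries, or device compliance state). The point is the pairing: an unfamiliar sign-in alone is noise, but an unfamiliar sign-in followed by a new authenticator is exactly the sequence the page describes.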

Escalation of Privileges and Data Harvesting

The foothold acquired through these means is a launching pad for the threat actors to escalate privileges, traverse the network laterally, and access cloud resources. 

They target sensitive information related to gift card services, facilitating fraudulent activities.

Beyond this, Storm-0539 collects additional valuable assets, including emails, contact lists, and network configurations. 

This data becomes ammunition for subsequent attacks against the same organizations, underscoring the importance of implementing robust credential hygiene practices.

Persistence Since 2021: Financially Motivated Actor

Microsoft’s monthly report from last month characterized Storm-0539 as a financially motivated group with a track record dating back to at least 2021. 

The group is proficient at conducting extensive reconnaissance on targeted organizations and tailoring its phishing lures to what it learns.

“The actor is well-versed in cloud providers and leverages resources from the target organization’s cloud services for post-compromise activities,” Microsoft stated.

Security Breach Alert: Ledger’s Crypto Wallet Module Compromised

In a recent incident, Ledger, the maker of crypto hardware wallets, suffered a significant security breach when attackers gained access to the account used to publish its "@ledgerhq/connect-kit" npm package and pushed malicious versions of it to the registry.

The malicious code resulted in the illicit withdrawal of over $600,000 in virtual assets from users of applications that loaded it.

Phishing Attack Exploitation

Ledger revealed that the compromise originated from a phishing attack on a former employee, providing the attackers an entry point to Ledger’s npm account. 

Subsequently, the threat actors published three malicious versions of the package (1.1.5, 1.1.6, and 1.1.7), delivering crypto-drainer code to every application that pulled in the package, a classic software supply chain breach.
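A first check any team consuming this package would want is whether one of the three versions named above is present in its dependency tree. The script below is an added example, not code from Ledger or from the original article; the lockfile content is constructed inline so it runs offline, and in practice the text would come from reading the project's real package-lock.json. It handles both the newer lockfile layout (a "packages" map keyed by install path) and the older nested "dependencies" layout. Note the caveat: a lockfile only records what npm installed, so a library that fetches further code at runtime from a CDN would not show up in this kind of scan.

```javascript
// Added example: find the malicious @ledgerhq/connect-kit releases in a lockfile.
// The lockfile below is constructed for illustration, not taken from any project.

const AFFECTED = { "@ledgerhq/connect-kit": new Set(["1.1.5", "1.1.6", "1.1.7"]) };

// Constructed lockfileVersion 3 example with one affected install.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", dependencies: { "@ledgerhq/connect-kit": "^1.1.0" } },
    "node_modules/@ledgerhq/connect-kit": {
      version: "1.1.6",
      resolved: "https://registry.npmjs.org/@ledgerhq/connect-kit/-/connect-kit-1.1.6.tgz",
    },
    "node_modules/left-pad": { version: "1.3.0" },
  },
});

function findAffected(lockfileText, affected = AFFECTED) {
  const lock = JSON.parse(lockfileText);
  const hits = [];

  // lockfileVersion 2/3: entries live under "packages", keyed by install path.
  // The package name is whatever follows the last "node_modules/" segment.
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const marker = "node_modules/";
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // the "" root entry is the project itself
    const name = path.slice(idx + marker.length);
    if (affected[name]?.has(entry.version)) {
      hits.push({ name, version: entry.version, path });
    }
  }

  // lockfileVersion 1: entries live under "dependencies" and may be nested.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps ?? {})) {
      if (affected[name]?.has(entry.version)) {
        hits.push({ name, version: entry.version, path: prefix + name });
      }
      walk(entry.dependencies, prefix + name + "/node_modules/");
    }
  };
  walk(lock.dependencies, "node_modules/");

  return hits;
}

console.log(findAffected(SAMPLE_LOCKFILE));
```

To scan a real project, replace SAMPLE_LOCKFILE with the contents of its package-lock.json (for example via fs.readFileSync). A non-empty result means the install should be rebuilt against a clean version with the dependency pinned exactly, rather than left to a caret range that could resolve to a malicious release again.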

Rogue WalletConnect Project Redirects Funds

The injected malicious code employed a deceptive WalletConnect project, redirecting funds to a wallet controlled by the hackers. 

The Connect Kit, designed to link decentralized applications (DApps) to Ledger's hardware wallets, thus became a conduit for unauthorized transactions in every DApp that loaded the malicious versions.

Exploitation Timeline and Limited Window

The malicious file was active for approximately five hours, with a specific window of less than two hours, during which the attackers drained funds. 

Ledger lacked two-factor authentication (2FA) protections on its deployment systems, so the single compromised account was enough for the attackers to publish the malicious releases.

What to Expect and How to Stay Secure

Shopping and gift card fraud peak during the holiday season, when people use their payment cards heavily and fraudsters take advantage of the volume. Microsoft's warning covers known tradecraft, AiTM phishing followed by MFA device registration, that could affect your holidays.

Crypto wallet users need to be just as careful. Supply chain attacks constantly target open-source ecosystems, and as the Ledger incident shows, a single compromised package can drain funds from every application that depends on it.

Author: Marrium Akhtar

Date: December 18, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
