The Rise of Phishing-as-a-Service: Cyber Threat Intelligence Roundup

A surprising study reveals how offensive cyber activity associated with the Russia – Ukraine struggle has had little more than minor impact outside the confines of the cyber domain attached to the conflict’s theater of operations. Next, we look at the new EvilProxy phishing-as-a-service (PhaaS) toolkit, currently being advertised on the criminal underground as a new way for threat actors to bypass two-factor authentication (2FA). We also share a recent Blackberry report regarding a newly emerged ransomware operation calling itself Monti.

1. The impact of offensive hacks tied to Russia/Ukraine

A new study reveals that cyberattacks linked to the Russia – Ukraine conflict have had minor impact outside of the theater of operations and are unlikely to escalate further.

The study is primarily focused on the efforts of the cybercrime underground (hacktivists, cybercriminal syndicates, ransomware gangs, etc.), though conclusions can be drawn that apply to top-tier threat actors as well.

Researchers from the University of Cambridge, the University of Edinburgh, and the University of Strathclyde examined data gathered during the two months before and four months after the beginning of Russia’s kinetic operations within Ukraine. They analyzed 281,000 web defacement attacks, 1.7 million distributed denial-of-service (DDoS) attacks, and hundreds of announcements on Telegram used by hackers to coordinate their activity.

What researchers predicted

At first, adversarial cyber activity between the two nations seemed to follow industry predictions. Russia was the first to be attacked at scale, followed by Ukraine a few days later. However, within roughly two weeks, cyberattacks had returned to what the researchers describe as pre-conflict levels.

This is where the data really gets interesting. The following information gleaned by the study highlights the contrasts between what industry insiders expected to observe during this conflict, and what actually occurred.

At the conflagration’s outbreak, the general industry consensus was that the biggest cyber risk presented by the conflict was the threat of advanced, destructive attacks on the critical infrastructure underpinning both nations. Industry experts were quick to predict that Russia would flex its hacking muscles; unleashing its notorious state- and military-intelligence-backed, GRU-FSB/SVR-linked advanced persistent threat (APT) groups, such as APT29 or APT28, on Ukraine’s critical infrastructure. Both actors are known for their sophistication and advanced toolsets.

But the biggest worry, as expressed by the FBI, CISA, and parroted by legions of cybersecurity industry experts, was spillover – the name used to describe the risk of destructive malware or adversarial cyber operations escaping the confines of the Eastern European theater of operations and making its way to Western targets either by accident, or in retaliation for sanctions or other punishments levied against Russia for its perceived belligerence towards a U.S.-friendly nation.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“To CTI, the findings of this study represent a microcosm of the Russia/Ukraine conflict and its accompanying cyber activity. The cyber domain associated with this theater of operations is clearly a wild west of sorts, with low-level hacktivists and cybercriminals trying new attack techniques and selecting targets for fun, the challenge they presented, or out of sheer boredom. Similarly, the state-backed APTs active in this conflict seem to have used it as a sort of testing-ground for new tools and tactics. We suppose it’s fortunate that, as of yet, we’ve seen little (if any) of the much-hyped spillover that our cyber agencies warned us of.”

“Of course, given the sophistication and devotion to operational security (OPSEC) attributed to some of the groups that are bound to be operating behind the scenes here (APT29, APT28, etc.), it wouldn’t surprise us if we didn’t learn of spillover incidents in the months ahead.”

2. New EvilProxy phishing-as-a-service toolkit allows cybercriminals to bypass 2FA security

Recent reporting from cybersecurity firm Resecurity, Inc. reveals a new phishing-as-a-service (PhaaS) toolkit, dubbed EvilProxy, that is being advertised on the criminal underground as a way for threat actors to bypass 2FA. The service enables unsophisticated threat actors to steal online accounts that are otherwise well-protected by leveraging reverse proxy and cookie injection methods to bypass 2FA.

What is EvilProxy?

EvilProxy, also known as Moloch by other sources, was discovered and advertised on the dark web as a new PhaaS.

The first mention of EvilProxy was detected in May 2022 when its operators released a demonstration video detailing how it could be used to deliver advanced phishing links with the intent being to compromise consumer accounts belonging to major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex and others. EvilProxy also supports phishing attacks against PyPI which is quite coincidental given PyPIs supposed first known phishing attack just this past week.

EvilProxy uses the “Reverse Proxy” principle which uses a reverse proxy to fetch all of the legitimate content a user would expect to see, like login pages, but sniffs the traffic as it passes through the proxy. More specifically a reverse proxy is a server that sits between the victim and a legitimate endpoint, such as a company’s login form. When the victim attempts to connect to a phishing page the reverse proxy will display the legitimate login form and when the victim enters their credentials into the phishing page they are forwarded to the actual platform’s server. However, since the proxy server sits in the middle, it can also steal the session cookie containing the authentication token. The authentication cookie can then be used by the threat actor to log in to the site as the user, thus bypassing MFA protections.

After activation, the operator will be asked to provide SSH credentials to further deploy a Docker container and a set of scripts. This approach has also been used in other PhaaS service called “Frappo” which was identified by Resecurity this year. After deployment the scripts will forward the traffic from the victims via 2 gateways defined as “upstream.”

Anti-detection techniques

The threat actors behind EvilProxy use multiple techniques to protect the PhaaS toolkit from being detected. Like fraud prevention and cyber threat intelligence solutions, they aggregate data about known VPN services, proxies, TOR exit nodes and other hosts which may be used for IP reputation analysis. In the case they suspect a bot or researcher, they drop the connection or redirect it to a specific host. EvilProxy is also diligent when it comes to detecting possible virtual machines which are typically used by security analysts to research malicious content.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The operators behind EvilProxy appear to take several extra steps to ensure the toolkit boasts a broad and effective reach. For starters, the number of instructional videos the threat actors have made available is impressive. Many literally convey the step-by-step measures hackers need to take to successfully deploy EvilProxy. These videos allow threat actors of all sophistication levels to leverage the toolkit to bypass MFA, and further highlight just how easy it is to enter the cybercriminal world.”

“The most noteworthy aspect of EvilProxy is the fact that the operators vet the clients looking to purchase the toolkit. It’s not clear what the vetting process entails but the existence of such a process indicates that some prospective buyers are likely rejected. CTI would love to know what potential deal-breakers may be … adverse permanent records?”

3. The curious case of “Monti” ransomware: a real-world doppelganger

A recent report by BlackBerry’s incident response team details an attack by a previously unknown group calling itself Monti. Most of the IOCs identified in the Monti attack were also observed in previous Conti ransomware cases.

The Monti ransomware group: An overview

Though there is limited information available regarding the Monti ransomware group, BlackBerry researchers believe this threat actor emerged between May and June 2022. Researchers suspect the group has purposefully mimicked the better-known Conti ransomware group’s TTPs along with many of its tools and encryptor payload. Conti’s internal communications, chat logs, training guides, source code, etc. were all publicly leaked towards the beginning of the year. This leak effectively gave Monti threat actors (and likely many other threat actors) a step-by-step guide to mimic Conti’s notoriously successful attacks.

The Monti ransomware attack

The BlackBerry Security Services Incident Response team was engaged in July to perform a forensic investigation into a ransomware-related security event. The threat actor is believed to have gained initial access via an exploitation of the well-known Log4Shell vulnerability (CVE-2021-44228) in the client’s internet-facing VMware Horizon virtualization system.

By the time BlackBerry was engaged the threat actor had already encrypted 18 user desktops. The threat actor also encrypted a three-server ESXi cluster, resulting in impact to 21 virtualized servers.

After gaining access to the victim’s environment, the threat actor installed the Google Chrome browser and used it to download various attack tools. The threat actor additionally downloaded and installed two remote monitoring and maintenance agents including AnyDesk and Action1. These agents were leveraged to establish persistence and enabled additional remote access.

The tools the attacker brought into the environment were also used to dump credentials from memory and scan the network. And the Microsoft Windows built-in Remote Desktop Protocol (RDP) was used to connect to other servers, access data files on network shares, and eventually to deploy the Monti strain of ransomware.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Although it’s not totally off the table, there is no concrete evidence that Conti has rebranded itself as Monti. The public availability of Conti’s source code makes it possible that Monti merely leveraged this information to create its own ransomware based on Conti.

Given how notoriously successful Conti was, a true Conti rebrand would be more complex than simply reusing leaked source code, but that’s just our two cents. The reuse of many of Conti’s TTPs may give security researchers and defenders a leg up when it comes to alerting and detecting Monti ransomware.

While the reuse of Conti’s source code may be strategic, the reuse of the actual ransom note is strange and almost ironic. The ransom notes are identical besides the use of ‘Monti’ instead of ‘Conti’ and a different onion domain. The body of the note still reads, ‘If you don’t know who we are – just Google it,’ which doesn’t make a whole lot of sense considering Monti is new and currently returns very little in a Google search.”

---

Have a look at our recent cyber threat intelligence roundups. Or jump in and try Tanium’s Converged Endpoint Management (XEM) solution.