Hackers target financial giants via AiTM phishing and BEC attacks

SISA Weekly Threat Watch - 19 June 2023

Recent discoveries by security researchers have uncovered various targeted campaigns by threat groups employing sophisticated tactics. These include the deployment of custom backdoors for espionage attacks, AiTM phishing and BEC attacks targeting financial institutions, exploitation of critical vulnerabilities in SSL VPN devices, and the emergence of a new malware loader targeting cryptocurrency wallets. These incidents highlight the importance of continuous monitoring, regular security awareness training, and the implementation of advanced security solutions to detect and mitigate such threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.


1. Stealth Soldier: A new custom backdoor targets North Africa with espionage attacks

A recent discovery has unveiled a series of cyberespionage attacks aimed at Libyan organizations. These attacks involve the use of a previously unknown backdoor called Stealth Soldier, which has been specifically designed to carry out surveillance activities. The Command and Control (C&C) network associated with Stealth Soldier is part of a larger infrastructure that has been utilized for spear-phishing attacks primarily targeting government entities.

The attack begins with a downloader, which serves as the initial step in the attack chain. Security analysts have discovered three distinct infection chains associated with different versions (6, 8, and 9) of the Stealth Soldier malware. These versions differ in various aspects such as filenames, mutex names, XOR keys, and directory names. Organizations in Libya and other targeted regions are advised to enhance their cybersecurity defenses, including implementing robust perimeter security, network monitoring, endpoint protection solutions, and multi-factor authentication (MFA).

2. Microsoft uncovers banking AiTM phishing and BEC attacks targeting financial giants

Microsoft has revealed that banking and financial services organizations have become the targets of a new multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack. Microsoft tracks the group as Storm-1167 and called out its use of an indirect proxy to pull off the attack, which let the attackers flexibly tailor the phishing pages to their targets and carry out session cookie theft, underscoring the continued sophistication of AiTM attacks.

The attack chain begins with a phishing email containing a link which, when clicked, redirects the victim to a spoofed Microsoft sign-in page where they enter their credentials and TOTPs. The harvested passwords and session cookies are then used to impersonate the user and gain unauthorized access to the email inbox by means of a replay attack. That access is abused to obtain sensitive emails and orchestrate a BEC attack. To improve identity security posture, organizations are advised to enable conditional access policies that evaluate sign-in requests using additional identity-driven signals, such as user or group membership, IP location information, and device status, and to enforce them for suspicious sign-ins.
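As an added illustration (not from the advisory or Microsoft), the policy logic below flags session-cookie replay of the kind described above: a session is bound to the IP and device that completed MFA, and a later cookie-only sign-in from elsewhere is challenged or denied using the device-state and IP-location signals the advisory recommends. The field names, the trusted network range and the sign-in records are all constructed for the example.

```python
"""Added example: detect a stolen session cookie being replayed from a
different IP/device than the one that completed MFA. All data is constructed."""
from dataclasses import dataclass
import ipaddress

@dataclass
class SignIn:
    user: str
    session_id: str      # hypothetical: hash of the session cookie presented
    ip: str
    device_id: str       # hypothetical: managed-device identity, "" if none
    mfa_completed: bool  # True only for the sign-in that itself passed MFA

TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corp range

def evaluate(events: list[SignIn]) -> list[tuple[str, str, str]]:
    """Return (session_id, action, source_ip) for suspicious cookie use.
    'challenge' re-prompts MFA; 'deny' is used when the replay also comes
    from an unmanaged device outside the trusted ranges."""
    bound: dict[str, tuple[str, str]] = {}
    findings = []
    for e in events:
        if e.mfa_completed:
            bound[e.session_id] = (e.ip, e.device_id)
            continue
        origin = bound.get(e.session_id)
        if origin is None:
            findings.append((e.session_id, "deny", e.ip))  # cookie with no MFA on record
            continue
        if (e.ip, e.device_id) == origin:
            continue                                      # same place the MFA happened
        addr = ipaddress.ip_address(e.ip)
        trusted = any(addr in net for net in TRUSTED_NETS)
        action = "deny" if (not e.device_id and not trusted) else "challenge"
        findings.append((e.session_id, action, e.ip))
    return findings

# Constructed sample: MFA on a managed device, a normal follow-up from the same
# place, then the same cookie presented from an unknown IP with no device identity.
SAMPLE = [
    SignIn("alice", "sess-A1", "203.0.113.10", "dev-mgd-01", True),
    SignIn("alice", "sess-A1", "203.0.113.10", "dev-mgd-01", False),
    SignIn("alice", "sess-A1", "198.51.100.7", "", False),
]

if __name__ == "__main__":
    for sid, action, ip in evaluate(SAMPLE):
        print(f"{sid}: {action} (cookie presented from {ip})")
```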

3. Fortinet rolls out patches for critical RCE vulnerability in SSL VPN devices (CVE-2023-27997)

A critical vulnerability has been discovered in FortiOS and FortiProxy SSL-VPN. The vulnerability is a heap-based buffer overflow that allows unauthenticated remote code execution (RCE) on the affected system. Fortinet has issued FortiGate firmware updates to fix the vulnerability in its SSL VPN products. The flaw is critical because it can compromise the security and integrity of the network protected by FortiGate devices.

The bug can be used to breach the secure channel the SSL VPN provides and allow attackers to execute arbitrary code or commands on the device. The vulnerability is reachable pre-authentication, meaning attackers do not need any credentials or privileges to exploit it. Fortinet has issued patches for the flaw, which are included in FortiOS firmware versions 7.2.5, 7.0.12, 6.4.13, 6.2.15, and 6.0.17. Users are strongly advised to update to these versions as soon as possible. Users should also review their network configurations and firewall rules to ensure that only authorized and trusted users can reach the SSL VPN functionality of FortiGate devices.
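As an added patch-compliance check (not Fortinet's own tooling), the script below compares an inventory of FortiOS versions against the fixed builds listed above, branch by branch, and reports which devices still need the update. The device names and versions in the inventory are constructed.

```python
"""Added example: audit FortiOS versions against the fixed releases named in
the advisory. Inventory data is constructed, not taken from any real estate."""

# First fixed release per branch, as listed in the advisory.
FIXED = {
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 12),
    (6, 4): (6, 4, 13),
    (6, 2): (6, 2, 15),
    (6, 0): (6, 0, 17),
}

def parse_version(text: str) -> tuple[int, int, int]:
    """Accept '7.0.11' or 'v7.0.11' and return (major, minor, patch)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def status(version: str) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' when the branch is not in
    the advisory's list (check the vendor notice before treating it as safe)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"

def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Map each device name to its patch status."""
    return {name: status(ver) for name, ver in inventory.items()}

# Constructed inventory of hypothetical devices.
INVENTORY = {
    "fw-hq-01": "7.0.11",
    "fw-hq-02": "v7.0.12",
    "fw-branch-a": "6.4.13",
    "fw-branch-b": "7.2.4",
    "fw-lab": "7.4.0",
}

if __name__ == "__main__":
    for name, result in audit(INVENTORY).items():
        print(f"{name}: {result}")
```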

4. New DoubleFinger loader targets cryptocurrency wallets with stealer

A new addition to the cybercriminals’ toolkit, known as DoubleFinger, has emerged as a malware loader designed to steal cryptocurrency and business data. The attack starts with a phishing email containing a malicious PIF file which, when opened by the victim, initiates a series of actions that lead to the first stage of DoubleFinger being downloaded. In its second stage, the malware drops GreetingGhoul, a purpose-built cryptocurrency credential stealer.

GreetingGhoul consists of two main components that collaborate to carry out its malicious activities. The first component leverages MS WebView2 technology to generate overlays on cryptocurrency wallet interfaces, tricking users into entering their credentials into fake interfaces controlled by the attackers. The second component is responsible for identifying cryptocurrency wallet applications on the victim’s system and extracting sensitive information from them. Organizations are recommended to conduct regular security awareness training sessions to educate employees about the risks of phishing emails. It is also advised to implement advanced email filtering solutions that can detect and block phishing emails containing malicious attachments or links.
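As an added example of the attachment filtering recommended above (not from the advisory or any email security product), the function below parses a raw message and flags attachments whose filename ends in an executable-type extension such as the .pif lure, also noting decoy double extensions like `statement.pdf.pif`. The blocked-extension list is an assumption and the sample message is constructed.

```python
"""Added example: flag executable-type attachments (e.g. .pif) in a raw
message, including decoy double extensions. Extension list is an assumption;
the message below is constructed."""
from email import message_from_string, policy

BLOCKED_EXT = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}

def risky_attachments(raw: str) -> list[tuple[str, str, bool]]:
    """Return (filename, blocked_extension, has_double_extension) per violation."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if "." not in name:
            continue
        stem, ext = name.rsplit(".", 1)
        ext = "." + ext
        if ext in BLOCKED_EXT:
            findings.append((name, ext, "." in stem))  # stem still carries a decoy ext
    return findings

# Constructed message: one executable lure with a decoy .pdf, one real PDF.
SAMPLE_EML = """\
From: sender@example.com
Subject: Payment confirmation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached.
--b1
Content-Type: application/octet-stream; name="statement.pdf.pif"
Content-Disposition: attachment; filename="statement.pdf.pif"
Content-Transfer-Encoding: base64

TVo=
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    for name, ext, double in risky_attachments(SAMPLE_EML):
        print(f"{name}: blocked {ext}" + (" (double extension)" if double else ""))
```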

5. UNC4841 group exploits zero-day flaw in Barracuda Email Security Gateway

The hacking group UNC4841, known for conducting cyber espionage on behalf of the People’s Republic of China, has been identified as the perpetrator behind the exploitation of a vulnerability in the Barracuda Email Security Gateway (ESG) product (CVE-2023-2868). The attacks commence with emails carrying malicious file attachments with the extension ‘.tar’. When the targeted ESG device scans the attachment, the exploit takes advantage of the vulnerability to execute code remotely on the device.

After gaining remote access to the compromised Barracuda ESG devices, the threat actors proceeded to infect them with three distinct malware families: ‘Saltwater,’ ‘Seaspy,’ and ‘Seaside.’ Their primary objective was to steal email data from the compromised devices. UNC4841 specifically targeted and exfiltrated selected data, occasionally utilizing the compromised ESG appliances to navigate through the victims’ networks or send emails to other compromised devices. Immediate appliance replacement and conducting thorough investigation and hunting activities in the entire environment are essential to mitigate the impact and enhance defenses against future attacks.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
