December 19, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have disclosed a phishing campaign that targeted European firms in order to harvest account credentials and take over the victims' Microsoft Azure cloud infrastructure.
Researchers have given the campaign the codename HubPhish because of the misuse of HubSpot products in the attack chain. At least 20,000 European users at companies manufacturing automotive, chemical and industrial compounds are among the targets. Phishing activity peaked in June 2024, when bogus forms built with the HubSpot Free Form Builder service were used.
The attacks use phishing emails with DocuSign-themed lures to entice recipients into viewing a document. The link leads to a malicious HubSpot Free Form Builder page, which in turn redirects to a fake Office 365 Outlook Web App login page where the victim's credentials are stolen. Researchers identified at least 17 working Free Forms used to redirect victims to various threat-actor-controlled domains, a sizable portion of which used the ".buzz" top-level domain (TLD).
A bulletproof VPS hosting service was among the services used to host the phishing campaign. During the account takeover operation, the threat actor also used this infrastructure to access the compromised Microsoft Azure tenants. After gaining access to an account, the threat actor was observed adding a new device under their control to it in order to establish persistence.

Threat actors used credential harvesting against the phishing victim's endpoint and then pivoted to the victim's Microsoft Azure cloud infrastructure, performing lateral movement operations once inside the cloud. Separately, attackers have been observed impersonating SharePoint in phishing emails intended to distribute the information-stealing malware family XLoader, the successor to Formbook. Recent techniques phishing operators use to evade email security controls include impersonating email security vendor brands and abusing trusted services such as Google Calendar and Google Drawings.
One way threat actors exploit the trust associated with Google services is to send emails with an attached calendar (.ICS) file and a link to Google Forms or Google Drawings. After clicking the link, users are prompted to click another, usually disguised as a support or reCAPTCHA button, which takes them to fraudulent websites that carry out financial fraud. To guard against this type of phishing attack, users are advised to enable Google Calendar's "known senders" setting.
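As an added example (not from the advisory or its authors), the following Python snippet correlates constructed Entra ID (Azure AD) sign-in and audit events to flag the takeover pattern described above: a successful sign-in from an IP address the account has never used, followed shortly by a device registration. The event field names, users and addresses are assumptions made for the sample.

```python
from datetime import datetime, timedelta

# Constructed sample events (not indicators from the advisory); times are UTC ISO-8601.
SIGNINS = [
    {"user": "alice@example.test", "ip": "203.0.113.10", "time": "2024-06-12T08:00:00"},
    {"user": "alice@example.test", "ip": "203.0.113.10", "time": "2024-06-13T08:05:00"},
    {"user": "alice@example.test", "ip": "198.51.100.77", "time": "2024-06-14T11:30:00"},  # never-seen IP
    {"user": "bob@example.test", "ip": "203.0.113.22", "time": "2024-06-14T11:40:00"},
    {"user": "carol@example.test", "ip": "203.0.113.30", "time": "2024-06-10T09:00:00"},
    {"user": "carol@example.test", "ip": "203.0.113.30", "time": "2024-06-14T12:00:00"},
]
AUDITS = [
    {"user": "alice@example.test", "activity": "Add registered device", "time": "2024-06-14T11:42:00"},
    {"user": "bob@example.test", "activity": "Add registered device", "time": "2024-06-14T16:00:00"},  # hours later
    {"user": "carol@example.test", "activity": "Add registered device", "time": "2024-06-14T12:10:00"},  # known IP
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_suspicious_device_adds(signins, audits, window=timedelta(minutes=30)):
    """One finding per device registration that follows, within `window`,
    a sign-in from an IP not previously seen for that user."""
    findings = []
    ordered = sorted(signins, key=lambda e: e["time"])  # ISO-8601 sorts lexically
    for audit in audits:
        if audit["activity"] != "Add registered device":
            continue
        t_add = _ts(audit["time"])
        seen_ips, trigger = set(), None
        for s in ordered:
            if s["user"] != audit["user"]:
                continue
            t_in = _ts(s["time"])
            if t_in > t_add:
                break  # later sign-ins cannot have preceded this registration
            # A sign-in is the trigger when it is recent and from an IP new to this user.
            if t_add - t_in <= window and s["ip"] not in seen_ips:
                trigger = s
            seen_ips.add(s["ip"])
        if trigger:
            findings.append({"user": audit["user"], "ip": trigger["ip"],
                             "signin": trigger["time"], "device_added": audit["time"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_adds(SIGNINS, AUDITS):
        print(f"possible takeover: {f['user']} from new IP {f['ip']} at {f['signin']}, device added {f['device_added']}")
```

Only alice is flagged: bob's registration falls outside the window and carol's sign-in came from an IP she had used before.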
Impact
- Credential Theft
- Unauthorized Access
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make timely patching part of standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.