Ongoing Malicious Campaign Compromises Hundreds of Azure Cloud Accounts
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
An ongoing malicious campaign believed to be targeting Microsoft Azure corporate accounts was discovered recently by cybersecurity researchers at Proofpoint.
The campaign, active since November 2023, combines credential phishing with account takeover techniques and is directed at senior executives at various levels worldwide. Frequent targets include vice presidents, sales directors, CEOs, presidents, CFOs, finance staff, and account managers.
The threat actors lure victims with individualized phishing emails whose links are embedded within shared documents, then use a specific Linux user-agent to gain unauthorized access to the ‘OfficeHome’ sign-in application and other Microsoft 365 applications.
With access to these accounts, the threat actors conduct a range of cybercrimes, including email threats, impersonation, financial fraud, and data exfiltration. Observed post-compromise activities include:
- Multifactor authentication (MFA) manipulation – to maintain persistent access, the attacker sometimes registers an alternate phone number or authenticator app to receive codes and notifications.
- Data exfiltration – with sign-in access, the attackers download sensitive information such as data on financial assets, security protocols, and user credentials.
- Internal and external phishing – enables the attackers, in some cases, to commit financial fraud by sending targeted phishing emails to human resources and finance departments.
“The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions,” Proofpoint revealed.
The attackers were seen using proxy services and obfuscation techniques to cover their tracks and erase evidence of their malicious activities. Based on its forensic analysis and the attackers’ use of certain local fixed-line ISPs, Proofpoint believes the threat actors might be of Russian and Nigerian origin.
The firm’s Cloud Security Response Team said that it would continue to monitor this threat. It also recommended that organizations identify initial threat vectors, unauthorized access to sensitive resources, and suspicious cloud account takeover attempts, enforce immediate changes to compromised accounts, and employ auto-remediation measures to limit potential damage.
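As an added illustration, not code from the page or from Proofpoint, here is a Python hunt that turns the indicators above into a check a defender can run over exported sign-in and audit records: it flags successful ‘OfficeHome’ sign-ins from a Linux user-agent and then correlates them with an MFA method registration by the same user shortly afterwards, the persistence step described in the list. The record schema, the sample events, and the 24-hour correlation window are constructed for the example; the campaign’s exact user-agent string is not given on this page, so the code matches on the Linux platform marker only, and the audit activity name ‘User registered security info’ is the Entra ID audit log label as I know it and should be checked against your own tenant’s export.

```python
"""Hunt for the Azure account-takeover pattern (Linux user-agent sign-in to
OfficeHome followed by MFA method registration) over constructed records."""
import json
from datetime import datetime, timedelta

# Assumption: the exact campaign user-agent is not on the page, so we match
# on the Linux platform marker that the reporting refers to.
SUSPECT_UA_MARKER = "Linux"
SUSPECT_APP = "OfficeHome"
# Entra ID audit activity names that register a new MFA factor (verify
# against your tenant's export; treated here as an assumption).
MFA_REGISTRATION_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
}
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample sign-in records (JSON lines, simplified schema).
SIGNIN_LOG = """\
{"ts": "2024-01-15T08:02:11Z", "user": "cfo@example.com", "app": "OfficeHome", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", "result": "success"}
{"ts": "2024-01-15T08:05:40Z", "user": "cfo@example.com", "app": "Office 365 Exchange Online", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (X11; Linux x86_64) ...", "result": "success"}
{"ts": "2024-01-15T09:10:00Z", "user": "vp.sales@example.com", "app": "OfficeHome", "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...", "result": "success"}
{"ts": "2024-01-16T07:45:03Z", "user": "ceo@example.com", "app": "OfficeHome", "ip": "203.0.113.55", "ua": "Mozilla/5.0 (X11; Linux x86_64) ...", "result": "failure"}
"""

# Constructed sample audit records: one MFA registration right after the
# suspicious sign-in (cfo), one unrelated benign registration (vp.sales).
AUDIT_LOG = """\
{"ts": "2024-01-15T08:20:30Z", "user": "cfo@example.com", "activity": "User registered security info", "detail": "Authenticator app"}
{"ts": "2024-01-15T10:00:00Z", "user": "vp.sales@example.com", "activity": "User registered security info", "detail": "Phone"}
"""


def parse_jsonl(text):
    """Parse JSON lines into dicts, converting the 'ts' field to datetime."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
    return records


def suspicious_signins(signins):
    """Successful OfficeHome sign-ins from the Linux user-agent family."""
    return [
        s for s in signins
        if s["app"] == SUSPECT_APP
        and SUSPECT_UA_MARKER in s["ua"]
        and s["result"] == "success"
    ]


def correlate_mfa_registration(flagged, audits):
    """Pair each flagged sign-in with MFA registrations by the same user
    inside CORRELATION_WINDOW after the sign-in; these are the strongest hits
    because they match the persistence step described in the report."""
    hits = {}
    for s in flagged:
        for a in audits:
            delta = a["ts"] - s["ts"]
            if (a["user"] == s["user"]
                    and a["activity"] in MFA_REGISTRATION_ACTIVITIES
                    and timedelta(0) <= delta <= CORRELATION_WINDOW):
                hits.setdefault(s["user"], []).append({
                    "signin_ip": s["ip"],
                    "signin_ts": s["ts"].isoformat(),
                    "mfa_method": a["detail"],
                    "mfa_ts": a["ts"].isoformat(),
                })
    return hits


def hunt(signin_text=SIGNIN_LOG, audit_text=AUDIT_LOG):
    """Run the full hunt and return flagged users plus correlated candidates."""
    signins = parse_jsonl(signin_text)
    audits = parse_jsonl(audit_text)
    flagged = suspicious_signins(signins)
    return {
        "flagged_users": sorted({s["user"] for s in flagged}),
        "takeover_candidates": correlate_mfa_registration(flagged, audits),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(), indent=2))
```

On the constructed data only cfo@example.com is reported: the CEO sign-in from the Linux user-agent failed, and the Windows-based VP sign-in is benign even though that user also registered a phone. A real deployment would read the sign-in and audit logs from the tenant export and would widen the first stage with the proxy-service indicators mentioned above.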
AnyDesk Resets Passwords and Revokes Certificates Following Cyber Security Incident
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
At the start of February, the popular remote access software provider AnyDesk disclosed a security breach that compromised its production systems. The unknown attackers gained access to internal systems and stole source code and private code signing keys.
In a public statement, the Germany-based developer revealed that the incident was discovered during a security audit triggered by suspicious activity on some of its systems. Upon discovery, the company immediately deployed remediation measures, along with a response plan involving cybersecurity firm CrowdStrike. It also invalidated existing login credentials for its online portal.
“We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one,” the statement said.
Although AnyDesk did not disclose details of the attack, it said that the incident was not ransomware related, and no evidence of any end-user device compromise was found.
“Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end user devices,” AnyDesk assured users.
Nevertheless, as a precautionary measure, it revoked all passwords to its web portal, my.anydesk.com, and recommended that users change their passwords if they had reused them elsewhere. AnyDesk assured its customers that its application was safe to use; however, it urged them to use the latest version with the new code signing certificate.
Shortly after AnyDesk’s statement, cybersecurity firm Resecurity reported that multiple threat actors were selling hacked user login credentials on dark web forums. One of these actors, going by the alias “Jobaaaaa,” was offering to sell over 18,000 AnyDesk customer credentials for $15,000 in cryptocurrency.
At the time of writing, AnyDesk had restored all user access and said it would continue monitoring its systems to prevent any interruptions to its operations.