21 October 2022

EvilProxy attacks spike | Cyber Intelligence Briefing: 21 October 2022
Top news stories this week

  1. EvilProxy. S-RM witnesses dramatic spike in business email compromises linked to this sophisticated new phishing toolkit.
  2. German cyber chief dismissed. Head of Germany's federal cyber security agency (BSI) removed over unconfirmed links to a Russian firm with alleged KGB ties.
  3. Bank of England cyber alert. Cyber attacks named as biggest risk to UK financial system.
  4. ProxyRelay vulnerabilities. New set of Exchange Server flaws are being actively exploited.
  5. Stop the press! German newspapers suffer ransomware attack.
  6. APT attacks surge. Chinese threat actors allegedly behind attacks against Tata Power and US political parties.
  7. Bad debt. The FBI warns of scammers targeting US student loan debt relief applicants.

1. EvilProxy attacks spike

Over the last six weeks, S-RM has witnessed a dramatic increase in business email compromises. The trend is likely related to the recent adoption of a phishing-as-a-service toolkit named EvilProxy, an adversary-in-the-middle (AiTM) attack framework built to bypass multi-factor authentication (MFA). Rather than serving a static copy of a login page, an AiTM kit reverse-proxies the victim's traffic to the genuine identity provider, so the user completes a real MFA prompt while the proxy captures both the credentials and the session cookie issued afterwards; that cookie is then replayed to access the mailbox without another MFA challenge.

Although AiTM phishing tools have existed for several years, EvilProxy poses a much greater threat because it lowers the bar for attackers: it is easy to set up, ships with instructional videos and an accessible graphical user interface, and comes with a library of ready-made templates impersonating well-known platforms including Apple iCloud, Google, and Microsoft.

So what?

EvilProxy undermines MFA methods based on one-time codes or push approvals, which many organisations rely on to defend against unauthorised mailbox access, because the attacker obtains a session cookie that was minted after the user legitimately satisfied the MFA prompt. To protect themselves against EvilProxy attacks, organisations should augment MFA with conditional access policies that block sign-ins from untrusted or unmanaged devices and from IP ranges outside those the organisation authorises, so that a proxied login arriving from the attacker's infrastructure is refused even though MFA was completed. Phishing-resistant methods such as FIDO2 security keys are not defeated this way, since the credential is bound to the legitimate origin and will not be released to a proxy domain. Phishing awareness also remains a critical defence.
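The following is an added example, not S-RM's code or any vendor's tooling, showing the two controls above in working form: a conditional-access style decision that refuses a sign-in arriving from an untrusted device and an unauthorised IP range even though MFA passed, and a hunt over sign-in records for a session cookie presented from a second source address, the signature of a stolen cookie being replayed. The trusted IP ranges, the simplified sign-in record fields and the sample events (a victim phished through a proxy at 192.0.2.77 whose cookie is reused from 192.0.2.200) are all constructed for the example; real identity-provider logs carry more fields, but the logic maps onto them directly.

```python
"""Added example (not S-RM's code): a conditional-access style policy check and
a session-cookie replay detector, run over constructed sign-in records that
mimic what an identity provider logs during an EvilProxy-style AiTM phish."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed trusted egress ranges (documentation addresses standing in for real ones).
TRUSTED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
REPLAY_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    session_id: str       # identifier of the session cookie minted after MFA
    mfa_satisfied: bool   # MFA prompt completed (whether or not it was proxied)
    trusted_device: bool  # sign-in carries a managed/compliant device claim


def policy_decision(s: SignIn) -> str:
    """Mirror of the recommended control: MFA alone is not enough; the sign-in
    must also come from a trusted device or a trusted IP range."""
    if not s.mfa_satisfied:
        return "block: mfa_required"
    if s.trusted_device:
        return "allow"
    if any(ip_address(s.ip) in net for net in TRUSTED_RANGES):
        return "allow"
    # A proxied EvilProxy login lands here: MFA passed, but the request reached
    # the identity provider from the attacker's proxy, not a trusted location.
    return "block: untrusted_device_and_ip"


def find_session_replays(events):
    """Flag a session cookie presented from a second source IP within the
    window. The AiTM proxy captures the cookie and the operator replays it
    from another machine, so one session id surfaces at two addresses."""
    first_seen = {}
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.user, e.session_id)
        origin = first_seen.setdefault(key, e)
        if e is origin or e.ip == origin.ip:
            continue
        if e.ts - origin.ts <= REPLAY_WINDOW:
            findings.append({
                "user": e.user,
                "session_id": e.session_id,
                "origin_ip": origin.ip,
                "replay_ip": e.ip,
                "minutes_after": int((e.ts - origin.ts).total_seconds() // 60),
            })
    return findings


# Constructed records: the victim signs in legitimately from the office, is
# phished two hours later (the proxied login from 192.0.2.77 passes MFA), and
# the operator reuses the stolen cookie from 192.0.2.200 fourteen minutes on.
T0 = datetime(2022, 10, 17, 9, 0)
SAMPLE_EVENTS = [
    SignIn(T0, "alice@example.com", "203.0.113.10", "sess-A1", True, True),
    SignIn(T0 + timedelta(hours=2), "alice@example.com", "192.0.2.77", "sess-B7", True, False),
    SignIn(T0 + timedelta(hours=2, minutes=14), "alice@example.com", "192.0.2.200", "sess-B7", True, False),
    SignIn(T0 + timedelta(hours=3), "bob@example.com", "198.51.100.5", "sess-C3", True, False),
]


def summarise(events=SAMPLE_EVENTS):
    """Policy decision for each event plus replay findings, returned for inspection."""
    decisions = [policy_decision(e) for e in events]
    return decisions, find_session_replays(events)


if __name__ == "__main__":
    decisions, replays = summarise()
    for e, d in zip(SAMPLE_EVENTS, decisions):
        print(f"{e.ts:%H:%M} {e.user:20} {e.ip:15} {e.session_id:8} -> {d}")
    for r in replays:
        print("REPLAY:", r)
```

Read together, the two outputs show the point of the recommendation: with the policy enforced, the proxied login and the cookie replay are both refused at the door; without it, the replay detector is what surfaces the compromise, and it only works if sign-in logs are retained long enough to correlate the two events.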


2. Germany fires cyber chief

On Tuesday, Arne Schönbohm, the now former head of Germany's Federal Office for Information Security (BSI), was dismissed following accusations that he maintained links to a subsidiary of a Russian cyber security business reportedly founded by a former senior KGB officer. Investigations are ongoing and Schönbohm has not been formally charged with any wrongdoing.

So what?

Insider threats remain a high risk for organisations. A preventative approach is best: employers should screen candidates thoroughly during the hiring process, particularly for roles that carry privileged access or influence over security decisions.


3. Bank of England cyber alert

The Bank of England has identified cyber attacks as the greatest risk to the UK financial system. This report follows Moody’s warning that USD 22 trillion of its rated debt has high or very high exposure to the risk of a cyber attack.

So what?

Organisations are under increasing pressure to make the right investment choices to improve their cyber resilience. While the overall size of cyber budgets is an important metric when preparing a cyber strategy, how individual budgets are allocated across different cyber investment areas is equally pertinent.


4. ProxyRelay vulnerabilities

Security researchers have discovered a new set of Microsoft Exchange Server vulnerabilities, dubbed ProxyRelay. The actively exploited flaws enable threat actors to bypass authentication or achieve remote code execution without user interaction. Microsoft released a fix for ProxyRelay in August.

So what?

Organisations should check whether their Exchange servers are exposed, confirm which build each server is running, and bring them up to the latest available cumulative update and security update.


5. Stop the press!

German media group Stimme Mediengruppe recently suffered a ransomware attack by a “well-known cybercriminal group”. The incident impacted the operations of the entire media group and its subsidiaries, crippling the printing systems of one of their publishers.

So what?

Cyber attacks can have major knock-on effects for dependent organisations. Disaster management and business continuity plans, as well as a robust set of cyber security controls, should be in place for both holding companies and their portfolio companies.


6. Chinese APT groups active globally

Indian energy giant Tata Power fell victim to a cyber attack that affected some of its IT systems, although the company says all critical business operations remain functional. There is no attribution so far, but the incident coincides with reports of an ongoing campaign against the Indian power sector by Chinese state-backed threat actors.

Elsewhere, the FBI has warned of an increase in Chinese advanced persistent threat (APT) groups scanning US political party domains for vulnerabilities ahead of midterm elections. The motivation of the scanning appears to be reconnaissance and target development.

So what?

State-backed attacks are well resourced and difficult to prevent outright. While prevention matters, detection is what limits the damage: endpoint detection and response (EDR) tooling combined with centralised log collection gives defenders the visibility needed to spot reconnaissance and intrusion activity like this early.


7. US students beware

The FBI has warned US borrowers applying for the Federal Student Aid debt relief programme that threat actors have set up fraudulent websites and are running targeted phishing campaigns against applicants. Victims are tricked into handing over personal information and payment details, and in some cases into paying money to the threat actors.

So what?

The only way to officially apply for the debt relief programme is by visiting studentaid.gov directly. The application is free, so any site or message that asks for a fee or payment details is fraudulent.
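As an added example (not the FBI's guidance or S-RM's code), the check below decides whether a link really leads to studentaid.gov, the kind of rule a mail filter or link scanner would apply. It handles the tricks lookalike sites rely on: a subdomain prefix on an attacker-controlled domain, a fake host placed in the userinfo part before an @, a hyphenated or digit-substituted spelling, and a plain http:// link. The sample URLs are constructed for the example.

```python
"""Added example (not official guidance): classify links against the one
official domain, resisting the lookalike tricks used by fraudulent sites."""
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "studentaid.gov"


def is_official_link(url: str) -> bool:
    """True only if the URL is HTTPS and its host is studentaid.gov or a
    subdomain of it. Anything else, including lookalikes, is untrusted."""
    if "://" not in url:
        url = "https://" + url          # a bare host would otherwise parse as a path
    parts = urlsplit(url)
    # .hostname strips any user@ prefix, the :port suffix and upper-case letters,
    # so "https://studentaid.gov@192.0.2.10/" yields the real host 192.0.2.10.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def classify_links(urls):
    """Map each URL to its verdict; useful for triaging links lifted from an email."""
    return {u: is_official_link(u) for u in urls}


# Constructed sample links: one genuine, the rest the shapes seen in lookalike phishing.
SAMPLE_LINKS = [
    "https://studentaid.gov/debt-relief/application",
    "studentaid.gov",
    "https://STUDENTAID.GOV:443/",
    "http://studentaid.gov/debt-relief",            # downgraded scheme
    "https://studentaid.gov.apply-now.example/",    # official name as a subdomain label
    "https://studentaid.gov@192.0.2.10/login",      # official name in the userinfo field
    "https://studentaid-gov.com/relief",            # hyphen substitution
    "https://studentaid.g0v/",                      # digit substitution
]

if __name__ == "__main__":
    for link, ok in classify_links(SAMPLE_LINKS).items():
        print(("OFFICIAL  " if ok else "UNTRUSTED ") + link)
```

The comparison is done on the parsed hostname rather than on the raw string, which is what makes the userinfo and subdomain cases fall out correctly; a substring search for "studentaid.gov" would accept most of the fraudulent links above.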

Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.
