Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

Reddit NetSec

AlienVault OTX General

CVE Database V5

Reddit InfoSec News

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A potential zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass MFA and deploy ransomware. The attack chain begins with a breach of the SonicWall appliance, followed by post-exploitation techniques including enumeration, detection evasion, lateral movement, and credential theft. Attackers quickly gain administrative access, establish command and control, move laterally, disable defenses, and deploy Akira ransomware. The threat actors use a mix of automated scripts and manual activity, abusing privileged accounts and utilizing various tools for persistence and data exfiltration. Immediate action is advised, including disabling SonicWall VPN access or severely restricting it, auditing service accounts, and hunting for malicious activity using provided indicators of compromise.

This threat involves the active exploitation of a potential zero-day vulnerability in SonicWall VPN appliances. Attackers leverage this vulnerability to bypass multi-factor authentication (MFA), a critical security control, enabling unauthorized access to the VPN infrastructure. The attack chain begins with the initial breach of the SonicWall VPN device, which is then followed by a series of post-exploitation activities. These include enumeration of the compromised environment, evasion of detection mechanisms, lateral movement across the network, and credential theft. The adversaries rapidly escalate privileges to gain administrative access, establish command and control (C2) channels, and disable security defenses. Subsequently, they deploy the Akira ransomware payload, which encrypts data and demands ransom payments. The attackers employ a combination of automated scripts and manual operations, abusing privileged accounts and utilizing various tools to maintain persistence and exfiltrate sensitive data. Indicators of compromise (IOCs) such as specific IP addresses and file hashes have been identified to aid detection. The threat actors also exploit multiple MITRE ATT&CK techniques, including credential dumping (T1003), bypassing MFA (implied), lateral movement via remote services (T1021.002, T1021.006), persistence mechanisms (T1505.003, T1136), defense evasion (T1562.001, T1070.001), and ransomware deployment (T1486). Immediate mitigation actions recommended include disabling or severely restricting SonicWall VPN access, auditing service and privileged accounts for suspicious activity, and conducting threat hunting using the provided IOCs. The lack of a CVE identifier and the designation as a zero-day indicate that no official patch is currently available, increasing the urgency for defensive measures.

Detailed information about Active Exploitation of SonicWall VPNs. Get real-time updates, technical details, and mitigation strategies.

Active Exploitation of SonicWall VPNs - Live Threat Intelligence - Threat Radar | OffSeq.com

Active Exploitation of SonicWall VPNs

Proofpoint has uncovered a sophisticated phishing campaign utilizing fake Microsoft OAuth applications to bypass multifactor authentication and steal credentials. The threat actors impersonate various enterprise apps like RingCentral, SharePoint, Adobe, and DocuSign to lure victims. The attack chain involves OAuth app creation, redirects to malicious URLs, and the use of attacker-in-the-middle phishing kits, predominantly Tycoon. This technique has been observed in email campaigns with over 50 impersonated applications, targeting multiple industries. The campaign's goal is to gain access to Microsoft 365 accounts, potentially for information gathering, lateral movement, malware installation, or further phishing attacks.

The threat described is a sophisticated phishing campaign uncovered by Proofpoint that leverages fake Microsoft OAuth applications to bypass multifactor authentication (MFA) and steal user credentials. The attackers impersonate legitimate enterprise applications such as RingCentral, SharePoint, Adobe, and DocuSign, among over 50 others, to lure victims into authorizing malicious OAuth apps. The attack chain involves creating fraudulent OAuth applications that request permissions from users, redirecting victims to malicious URLs controlled by the attackers, and employing attacker-in-the-middle (AITM) phishing kits, predominantly the Tycoon kit, to intercept authentication tokens and credentials. This technique effectively circumvents MFA protections by exploiting OAuth's delegated authorization flow, tricking users into granting access to their Microsoft 365 accounts. Once access is obtained, attackers can conduct information gathering, lateral movement within networks, deploy malware, or launch further phishing campaigns. The campaign targets multiple industries and relies heavily on email as the initial attack vector. Indicators of compromise include specific malicious URLs and domains, as well as IP addresses associated with the campaign. While no CVE or known exploits in the wild are reported, the campaign's use of OAuth app impersonation and MFA bypass techniques represents a significant evolution in phishing tactics against cloud-based identity and access management systems.

Detailed information about Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing. Get real-time updates, technical details, and mitigation strategies

Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing - Live Threat Intelligence - Threat Radar | OffSeq.com

Microsoft OAuth App Impersonation Campaign Leads to MFA Phishing

This analysis explores the connections between two Phishing-as-a-Service (PhaaS) platforms: Tycoon2FA and Dadsec. The investigation reveals shared infrastructure and operational similarities, suggesting a common origin or adaptation. The report details the evolving tactics of Tycoon2FA, including its use of Cloudflare Turnstile, anti-analysis techniques, and sophisticated phishing pages. Key findings include the rapid expansion of Tycoon2FA's infrastructure, with thousands of new phishing pages detected since July 2024. The analysis also uncovers the platform's advanced features, such as MFA bypass capabilities and real-time credential interception. The report emphasizes the growing threat posed by PhaaS platforms and the need for continued vigilance and adaptation in cybersecurity defenses.

This threat analysis focuses on two interconnected Phishing-as-a-Service (PhaaS) platforms, Tycoon2FA and Dadsec, which provide cybercriminals with turnkey phishing infrastructure to conduct sophisticated credential theft campaigns. These platforms share infrastructure and operational tactics, indicating a common origin or adaptation. Tycoon2FA has evolved significantly, integrating Cloudflare Turnstile, an anti-bot and anti-abuse mechanism, to evade automated detection and analysis tools. It also employs advanced anti-analysis techniques to hinder forensic investigations and automated defenses. Since July 2024, Tycoon2FA’s infrastructure has rapidly expanded, hosting thousands of phishing pages designed to mimic legitimate login portals with high fidelity. Notably, these platforms target multi-factor authentication (MFA) mechanisms with bypass capabilities and real-time credential interception, enabling attackers to capture user credentials, session tokens, and MFA codes. This adversary-in-the-middle (AITM) tactic allows attackers to bypass one of the most trusted security controls, facilitating account takeover and unauthorized access. The threat actor group behind these platforms is identified as Storm-1575, known for targeting financial and enterprise credentials. Indicators of compromise include domains such as 704movers.com, americanwealthllc.com, and a Russian domain srciek0t8a31dz4.o4dnumvbqy.ru, which serve as phishing infrastructure. The attack techniques leverage multiple MITRE ATT&CK tactics, including credential dumping, scripting, obfuscation, command and control via web protocols, and social engineering, highlighting a complex and adaptive attack methodology. Overall, this PhaaS ecosystem represents a significant escalation in phishing sophistication, lowering the barrier for threat actors to launch effective campaigns and emphasizing the need for dynamic, layered cybersecurity defenses.

Detailed information about PhaaS the Secrets: The Hidden Ties Between Tycoon2FA and Dadsec's Operations. Get real-time updates, technical details, and mitigatio

Title	Severity	Type	Source	Date

Threats Tagged 'mfa bypass'

Filter Threats

Threats Tagged 'mfa bypass'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility