info@thehackernews.com (The@The Hacker News
//
A new account takeover (ATO) campaign, dubbed UNK_SneakyStrike, is actively targeting Microsoft Entra ID user accounts. Cybersecurity researchers at Proofpoint have identified that the campaign is leveraging the TeamFiltration pentesting framework to breach accounts. The activity has been ongoing since December 2024, with a surge in login attempts impacting over 80,000 user accounts across hundreds of organizations' cloud tenants. This poses a significant threat to cloud security, as successful account takeovers can lead to data exfiltration and further malicious activities.
The attackers are leveraging the TeamFiltration framework to identify valid user accounts and use password-spraying techniques to gain access. They have been observed utilizing Microsoft Teams API and Amazon Web Services (AWS) servers from various geographic locations to carry out user enumeration and password-spraying attacks. Once an account is compromised, the attackers are able to access sensitive data and potentially upload malicious files to the target user's OneDrive. This campaign demonstrates how legitimate pentesting tools can be exploited for malicious purposes, highlighting the need for robust security measures. Organizations are advised to monitor for indicators of compromise related to the UNK_SneakyStrike campaign. According to researchers, unauthorized access attempts tend to occur in concentrated bursts targeting a wide range of users within a single cloud environment. This is followed by quiet periods. The attackers appear to be attempting to access all user accounts within smaller cloud tenants while focusing on a subset of users in larger ones. Defenders are urged to check if any of their organization's accounts have been compromised and implement stronger authentication measures to prevent future account takeovers. References :
Classification:
@thehackernews.com
//
North Korean state-sponsored actor Konni, also known as TA406, has been observed targeting Ukrainian government entities in intelligence collection operations. Researchers at Proofpoint uncovered phishing campaigns initiated in February 2025, where the threat group delivered both credential harvesting tools and malware. These attacks are designed to gather intelligence on the trajectory of the Russian invasion, reflecting Konni's broader pattern of cyber espionage and information gathering. The group's activities extend beyond Ukraine, as they have historically targeted government entities in Russia for strategic intelligence purposes.
The phishing emails used in the attacks often impersonate think tanks and reference important political events or military developments to lure their targets. These emails contain links to password-protected RAR archives hosted on cloud services. Once opened, these archives launch infection sequences designed to conduct extensive reconnaissance of compromised machines. A common tactic involves using CHM files displaying decoy content related to Ukrainian military figures. Clicking on the decoy content triggers the execution of a PowerShell command, downloading a next-stage PowerShell payload from an external server. This newly launched PowerShell script is capable of gathering detailed information about the compromised system, encoding it, and sending it back to the attacker's server. In some instances, Proofpoint observed HTML files being directly distributed as attachments, instructing victims to click embedded links to download ZIP archives containing malicious files. The ultimate goal of these campaigns is to collect intelligence relevant to the conflict, potentially to support North Korea's military involvement alongside Russia in Ukraine and assess the political landscape. References :
Classification:
|