EvilProxy attacks spike | Cyber Intelligence Briefing: 21 October

Top news stories this week

1. EvilProxy. S-RM witnesses dramatic spike in business email compromises linked to this sophisticated new phishing toolkit.
2. German cyber chief fired. Federal Cyber Security Authority head fired over unconfirmed KGB links.
3. Bank of England cyber alert. Cyber attacks named as biggest risk to UK financial system.
4. ProxyRelay vulnerabilities. New set of Exchange Server flaws are being actively exploited.
5. Stop the press! German newspapers suffer ransomware attack.
6. APT attacks surge. Chinese threat actors allegedly behind attacks against Tata Power and US political parties.
7. Bad debt. The FBI warns of scammers targeting US student loan debt relief applicants.

1. EvilProxy attacks spike

Over the last six weeks, S-RM has witnessed a dramatic increase in business email compromises. The trend is likely related to the recent adoption of a phishing-as-a-service toolkit named EvilProxy, which is a sophisticated adversary-in-the-middle (AiTM) attack framework used to bypass multi-factor authentication (MFA).

Although AiTM phishing tools have existed for several years, EvilProxy poses a much greater threat as it is easy to set up, includes instructional videos, has an accessible graphical user interface, and comes with a library of fake phishing websites for well-known platforms including Apple iCloud, Google, and Microsoft.

So what?

EvilProxy undermines the effectiveness of MFA, which many organisations rely on to defend against attempts to gain unauthorised access to mailboxes. To protect themselves against EvilProxy attacks, organisations should augment MFA with conditional access policies that prevent sign-ins from untrusted devices and unauthorised IP ranges. Phishing awareness also remains a critical defence.

2. Germany fires cyber chief

On Tuesday, Arne Schönbohm, the now former head of Germany’s Federal Cyber Security Authority (BSI), was dismissed following accusations that he maintained links to a subsidiary of a Russian cyber security business reportedly established by a former senior member of Russia’s KGB. Investigations are still ongoing and Schönbohm has not been formerly charged with any wrongdoing.

So what?

Insider threats remain a high risk for organisations. A preventative approach is best and employers must conduct a comprehensive screening of all candidates in the hiring process.

3. Bank of England cyber alert

The Bank of England has identified cyber attacks as the greatest risk to the UK financial system. This report follows Moody’s warning that USD 22 trillion of its rated debt has high or very high exposure to the risk of a cyber attack.

So what?

Organisations are under increasing pressure to make the right investment choices to improve their cyber resilience. While the overall size of cyber budgets is an important metric when preparing a cyber strategy, how individual budgets are allocated across different cyber investment areas is equally pertinent.

4. ProxyRelay vulnerabilities

Security researchers have discovered a new set of Microsoft Exchange Server vulnerabilities, dubbed ProxyRelay. The actively exploited flaws enable threat actors to bypass authentication or achieve remote code execution without user interaction. Microsoft released a fix for ProxyRelay in August.

So what?

Organisations should check their exposure and patch their servers to the latest available update.

5. Stop the press!

German media group Stimme Mediengruppe recently suffered a ransomware attack by a “well-known cybercriminal group”. The incident impacted the operations of the entire media group and its subsidiaries, crippling the printing systems of one of their publishers.

So what?

Cyber attacks can have major knock-on effects for dependent organisations. Disaster management and business continuity plans, as well as a robust set of cyber security controls, should be in place for both holding companies and their portfolio companies.