Global cyber gangs are evolving rapidly, wielding advanced techniques and enjoying state sponsorship. Menlo Security’s latest report exposes the growing threat landscape, detailing how these criminal groups are becoming more sophisticated and dangerous.
Browser security giant Menlo Security’s latest report, “Global Cyber Gangs,” reveals three new nation-state campaigns using HEAT attack techniques, targeting banking institutions, financial powerhouses, insurance companies, legal firms, government agencies, and healthcare providers.
For your information, Highly Evasive and Adaptive Threat (HEAT) are sophisticated cyber threats that bypass traditional security measures, targeting web browsers as the entry point using techniques like dynamic behaviour, fileless attacks, and delayed execution to evade detection.
Menlo Labs discovered three sophisticated HEAT campaigns, LegalQloud, Eqooqp, and Boomer, compromising at least 40,000 high-value users, and generating evasive attacks that can bypass MFA and take over sessions with Adversary in the Middle (AiTM) kits.
The study reveals that 60% of user-clicked malicious links are phishing or fraud, 25% go undetected by legacy URL filtering, and Microsoft is the most impersonated brand.
Key Campaigns and Techniques
- LegalQloud: Uses trusted domains and URL obfuscation to bypass security, similar to tactics previously identified. Reliance on Tencent Cloud for evasion aligns with our earlier observations of attackers exploiting global infrastructure.
- Eqooqp: Utilizes Adversary in the Middle (AiTM) techniques and the NakedPages phishing toolkit to defeat MFA. The association with DEV-1101 underscores the campaign’s adaptability and sophistication.
- Boomer: Uses advanced evasion techniques, custom HTTP headers, and rapid phishing site deployment, reflecting continuous improvement among threat actors. Boomer’s ability to avoid automated security analysis tools indicates a high level of operational maturity.
LegalQloud is hosted on China’s largest internet company, Tencent Cloud. It impersonates legal firms to steal Microsoft credentials. North American governments and investment banks are its key targets and reportedly, it has targeted about 500 enterprises in 90 days, bypassing URL categorization and block lists.
Eqooqp campaign targets government and private sector organizations by bypassing non-phishing resistant MFA (multi-factor authentication) using the Adversary-in-the-Middle/AiTM technique where a proxy server is placed between the victim and the legitimate website to intercept login credentials.
Currently, logistics, higher education, petroleum, finance, and manufacturing sectors are its key targets. Menlo Cloud has detected and stopped around 50,000 attacks linked with this campaign in recent months, and attributed this campaign to DEV-1101 or Storm-1101.
Boomer is a sophisticated phishing campaign targeting government and healthcare sectors, employing advanced techniques like dynamic phishing sites, tracking cookies, custom HTTP headers, bot detection countermeasures, server-side generated pages, and encrypted code. It impersonates brands like Adobe and Microsoft.
Nation-states, with their vast resources and expertise in cyberwarfare, are allegedly providing safe havens and technical assistance to these gangs. State-sponsored cybercrime poses significant threats to businesses, critical infrastructure, and citizens’ personal information.
Callie Guenther, Senior Manager of cyber Threat Research at Critical Start commented on the report stating, “In April 2023, Critical Start identified the rise of Highly Evasive Adaptive Threats (HEAT), noting how these attacks exploit browser vulnerabilities to bypass traditional security controls. Menlo Security’s latest report confirms these findings, showing how HEAT attacks continue to evolve and evade measures like Multi-Factor Authentication (MFA) with advanced techniques.“
To combat this, increased international cooperation is crucial, including intelligence sharing, joint investigations, and coordinated takedown operations. Robust cybersecurity measures, employee training, and advanced software are also essential. Governments can promote best practices for data protection and establish regulations.