@hunters_ai References:
- The initial publication by @jaimeblascob https://t.co/NESuPqcnFD
- great publication including campaign details by @tuckner (Secure Annex) - https://t.co/xMTi8Jwf87
Regarding the Cyberhaven Chrome extension compromise, I have reasons to believe there are other extensions affected. Pivoting by the IP address, there are more domains created within the same time range resolving to the same IP address as cyberhavenext[.]pro (cont)
🚨 Major Chrome Extension Threat Campaign 🚨
The new year kicks off with a significant cybersecurity threat that demands attention.
@hunters_ai Team AXON is now actively researching this threat, which initially appeared as a single incident involving Cyberhaven's compromised browser extension and has now revealed itself as part of a much larger, coordinated campaign.
💡 What we know so far:
- There are indications that this campaign has been active for at least 7 months, targeting a variety of Chrome extensions and apps.
- December 2024 saw a notable spike in compromised Chrome extensions, marking the height of this activity.
- Affected extensions include malicious mechanisms to exfiltrate user cookies, posing a severe risk to both users and organizational services.
📌 Indicators of Compromise (IOCs):
Domains:
"bookmarkfc[.]info",
"vpncity[.]live",
"castorus[.]info",
"parrottalks[.]info",
"primusext[.]pro",
"censortracker[.]pro",
"uvoice[.]live",
"iobit[.]pro",
"moonsift[.]store",
"yujaverity[.]info",
"wayinai[.]live",
"readermodeext[.]info",
"policyextension[.]info",
"yescaptcha[.]pro",
"internxtvpn[.]pro",
"wakelet[.]ink",
"linewizeconnect[.]com",
"bardaiforchrome[.]live",
"blockadsonyt[.]vip",
"chataiassistant[.]pro",
"chatgptextension[.]site",
"chatgptextent[.]pro",
"cyberhavenext[.]pro",
"dearflip[.]pro",
"geminiaigg[.]pro",
"goodenhancerblocker[.]site",
"gpt4summary[.]ink",
"locallyext[.]ink",
"proxyswitchyomega[.]pro",
"savegptforyou[.]live",
"savgptforchrome[.]pro",
"searchcopilot[.]co",
"tinamind[.]info",
"tkv2[.]pro",
"videodownloadhelper[.]pro",
"vidnozflex[.]live",
"youtubeadsblocker[.]live",
"checkpolicy[.]site",
"extensionbuysell[.]com",
"extensionpolicy[.]net",
"extensionpolicyprivacy[.]com"
IPs:
"149.28.124[.]84",
"149.248.2[.]160"
SHA256 Hashes:
"a8d3027be48f61ae6174d067e59e89b7ec47ae19420470248733d8c4b75fda52",
"91ff6f07b3f2347da00b5ec9907d0b7753cca9c442cc9c0692c1c6aba1b90318",
"b53007dc2404dc3a4651db2756c773aa8e48c23755eba749f1641542ae796398",
"0e05fa617531e9c49b9e377b6715c21c909a8dd998cdd68fad09fc463f1dd2ba"
SHA1 Hashes:
"AC5CC8BCC05AC27A8F189134C2E3300863B317FB",
"0B871BDEE9D8302A48D6D6511228CAF67A08EC60"
🛡 Hunting Recommendations:
If you identify any additional suspicious IPs, we recommend conducting a reverse IP lookup. Leveraging reverse IP lookups and their historical data has proven invaluable in identifying many compromised domains linked to the C2 IP addresses associated with the relevant threat actor.
If you identify any additional indicators or TTPs, feel free to share them in the comments below.
Links to the valuable resources can be found in the comments section below.
#AXON #THREATHUNTING #DFIR #CYBERSECURITY #CYBERHAVEN #CHROME #HUNTERS
@team__axon
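As an added example (not part of the post and not Hunters' tooling), the script below refangs a subset of the indicators listed above and runs them against constructed DNS, connection and file-hash telemetry in a generic "timestamp host kind key=value" layout that you would map to your own DNS, proxy and EDR schemas; the indicator values are copied from the post, the log lines and layout are assumptions.

```python
"""Match the extension-campaign IOCs listed above against endpoint telemetry.

Added example, not Hunters' tooling. The indicators are a subset of the ones
in the post; the log lines are constructed for this demonstration.
"""
import re
from typing import Dict, Iterable, List, Optional

# Defanged indicators copied from the post (subset of the domain list).
DEFANGED_DOMAINS = [
    "cyberhavenext[.]pro", "castorus[.]info", "proxyswitchyomega[.]pro",
    "videodownloadhelper[.]pro", "extensionpolicy[.]net", "checkpolicy[.]site",
]
DEFANGED_IPS = ["149.28.124[.]84", "149.248.2[.]160"]
SHA256_IOCS = {
    "a8d3027be48f61ae6174d067e59e89b7ec47ae19420470248733d8c4b75fda52",
    "0e05fa617531e9c49b9e377b6715c21c909a8dd998cdd68fad09fc463f1dd2ba",
}


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value can be compared."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def domain_match(fqdn: str) -> Optional[str]:
    """Return the matching IOC for an exact hit or any subdomain of it,
    so api.cyberhavenext.pro resolves to the cyberhavenext.pro indicator."""
    labels = fqdn.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAINS:
            return candidate
    return None


# Constructed telemetry: two hosts talk to campaign infrastructure, one is clean.
SAMPLE_LOG = """\
2024-12-25T10:01:02Z ws-042 dns query=api.cyberhavenext.pro
2024-12-25T10:01:03Z ws-042 conn dst=149.28.124.84:443
2024-12-25T10:05:00Z ws-017 dns query=www.example.com
2024-12-25T10:06:10Z ws-017 conn dst=198.51.100.5:443
2024-12-25T11:00:00Z ws-099 dns query=extensionpolicy.net
2024-12-25T11:00:01Z ws-099 file sha256=0E05FA617531E9C49B9E377B6715C21C909A8DD998CDD68FAD09FC463F1DD2BA
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+) (?P<key>\w+)=(?P<value>\S+)$")


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one hit per line that touches an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, value = m["kind"], m["value"]
        ioc = None
        if kind == "dns":
            ioc = domain_match(value)
        elif kind == "conn":
            ip = value.rsplit(":", 1)[0]      # strip the destination port
            ioc = ip if ip in IPS else None
        elif kind == "file":
            digest = value.lower()            # hashes compare case-insensitively
            ioc = digest if digest in SHA256_IOCS else None
        if ioc:
            hits.append({"ts": m["ts"], "host": m["host"], "kind": kind, "ioc": ioc})
    return hits


def affected_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Hosts that need triage (extension removal, session/cookie rotation)."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print("hosts to triage:", affected_hosts(found))
```

Subdomain matching catches hosts under the listed registered domains rather than only the apex, and the same loop is the natural place for the reverse-IP pivot the post recommends: any newly discovered domain that resolves to one of the two C2 addresses can be appended to DEFANGED_DOMAINS and re-run over the same telemetry.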
@hackerkartellet Very interesting. Just posted about this threat as well. Axios UA in addition to OfficeHome usage, which was already mentioned in the comments by @johnk3r - focusing on Axios versions 1+ (lower versions are more likely to be FPs IMO) can be nice for hunting.
Ongoing Microsoft 365 AiTM Attacks Leveraging Axios
A few months ago, we saw multiple reports about how attackers were exploiting Axios (Node.js) to intercept traffic and facilitate M365 phishing attacks.
This threat continues to evolve, so it's important not to treat it as a past event.
Threat actors are still using Axios to capture user credentials and tokens (also bypassing MFA), gaining unauthorized access to M365 accounts.
🔎 Threat Hunting Tips from @hunters_ai team AXON:
1. Look for sign-in events with a "%Axios/%" user-agent. If the Axios version is > 1, the likelihood of a true positive increases.
2. Found different hits and you are not sure whether it is a true positive or not? One of the first things to check is the application display name. If it's OfficeHome, it is more likely to be a TP.
3. Identified a malicious Axios sign-in attempt? Even if it wasn't a successful attempt, consider rotating credentials, revoking active sessions and ensuring MFA is enabled.
Stay alert and keep tracking this ongoing trend - it's relatively easy to monitor but critical to act on. 💡
#THREATHUNTING #DFIR #AZURE #PHISHING #AITM #MITM #HUNTERS #AXON
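The three hunting tips above, turned into triage logic as an added example (not Hunters' detection content): the "%Axios/%" pattern becomes a case-insensitive regex that also extracts the version, major version 1 and above and the OfficeHome application name each raise the verdict, and a response checklist is attached even to failed attempts. The sign-in records are constructed; the field names (userAgent, appDisplayName, userPrincipalName, ipAddress, status.errorCode) follow the Entra ID sign-in log schema and the thresholds are the post's heuristics, not hard rules.

```python
"""Triage Microsoft 365 sign-in records for Axios-driven AiTM activity.

Added example, not Hunters' detection content. Records are constructed;
field names follow the Entra ID sign-in log schema.
"""
import re
from typing import Dict, List, Optional, Tuple

AXIOS_RE = re.compile(r"\baxios/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

RESPONSE = [
    "rotate the user's credentials",
    "revoke active sessions / refresh tokens",
    "confirm MFA is enforced for the account",
]


def axios_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from e.g. 'axios/1.7.2', else None."""
    m = AXIOS_RE.search(user_agent or "")
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def triage(event: Dict) -> Optional[Dict]:
    """Return a triage record for Axios sign-ins, None for everything else."""
    ver = axios_version(event.get("userAgent", ""))
    if ver is None:
        return None                                   # tip 1: UA filter
    reasons = ["Axios user agent"]
    if ver[0] >= 1:                                   # tip 1: 1.x and above
        reasons.append("Axios major version >= 1")
    if event.get("appDisplayName") == "OfficeHome":   # tip 2
        reasons.append("application is OfficeHome")
    succeeded = event.get("status", {}).get("errorCode", 0) == 0
    verdict = {1: "review", 2: "probable", 3: "likely true positive"}[len(reasons)]
    return {
        "user": event.get("userPrincipalName"),
        "ip": event.get("ipAddress"),
        "axios": ".".join(map(str, ver)),
        "succeeded": succeeded,
        "verdict": verdict,
        "reasons": reasons,
        # tip 3: respond even when the attempt failed
        "response": RESPONSE if len(reasons) >= 2 else [],
    }


# Constructed sign-in records (errorCode 0 = success; 50126 = bad password;
# 50074 = strong authentication required).
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.23",
     "userAgent": "axios/1.7.2", "appDisplayName": "OfficeHome",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.8",
     "userAgent": "axios/0.27.2", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.40",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
     "appDisplayName": "OfficeHome", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.23",
     "userAgent": "axios/1.6.0", "appDisplayName": "OfficeHome",
     "status": {"errorCode": 50074}},
]


def hunt(events: List[Dict]) -> List[Dict]:
    """Keep only the Axios sign-ins, each with its verdict and reasons."""
    return [r for r in (triage(e) for e in events) if r]


if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r["verdict"], r["user"], r["axios"],
              "success" if r["succeeded"] else "failed", r["reasons"])
```

The fourth record is the case tip 3 is about: the sign-in failed on the MFA challenge, but the credentials were clearly replayed through Axios against OfficeHome, so the account still gets the rotate/revoke/MFA checklist.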
Hunters’ team AXON has observed a concerning rise in Microsoft services abuse over the past few months. A notable trend is the increase in targeted attacks initiated through social engineering via Microsoft Teams, specifically through OneOnOne messages that exploit the default “External Access” feature in Microsoft 365.
To protect yourself and your organization, make sure to:
✅ Allow only specific external domains (if necessary)
🚦 Strictly control your organization’s guest access settings
🚫 Block anonymous access
Stay tuned for more details coming soon!
#Microsoft365 #DFIR #THREATHUNTING #THREATINTEL #CyberSecurity #MicrosoftTeams
Short “RegreSSHion” (CVE-2024-6387) hunting TL;DR based on the work we did at Hunters’ team Axon:
1. Look for spikes of incoming network connections towards “sshd” from public IPs using EDR logs
2. A significant number of “Timeout before authentication” sshd log entries
Links 👇
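Both signals above as detection logic, added here as an example and not Hunters' own content: one sliding-window burst counter is fed first by parsed "Timeout before authentication" sshd entries and then by EDR network events towards sshd, and only public source addresses are counted. The auth log lines and EDR events are constructed; the ISO timestamps, the syslog layout and the 20-per-5-minutes threshold are assumptions to adapt to your sources.

```python
"""Hunt for the two regreSSHion (CVE-2024-6387) signals: bursts of
'Timeout before authentication' sshd entries and bursts of inbound
connections to sshd from public addresses. Added example; constructed data.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# RFC 1918 / loopback / link-local / CGNAT are treated as internal. The RFC 5737
# documentation ranges are deliberately not excluded so the sample counts as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

TIMEOUT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+sshd\[\d+\]:\s+Timeout before authentication for (?P<ip>\S+) port \d+",
    re.IGNORECASE)


def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any sliding window."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def bursts_by_source(events: Iterable[Tuple[datetime, str]], threshold: int,
                     window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Public source IP -> peak events per window, for sources at/over threshold."""
    per_ip: Dict[str, List[datetime]] = {}
    for ts, ip in events:
        if is_public(ip):
            per_ip.setdefault(ip, []).append(ts)
    peaks = {ip: max_in_window(ts, window) for ip, ts in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def timeout_events(lines: Iterable[str]) -> List[Tuple[datetime, str]]:
    """Parse sshd 'Timeout before authentication' entries into (time, source)."""
    out = []
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["ip"]))
    return out


def _line(ts: datetime, ip: str, port: int) -> str:
    return f"{ts.isoformat()} bastion sshd[{4000 + port % 100}]: Timeout before authentication for {ip} port {port}"


T0 = datetime(2024, 7, 1, 10, 0, 0)
# Constructed auth log: one public source hits the grace timeout 40 times in two
# minutes, an internal scanner 25 times, a third public host only 3 times.
SAMPLE_AUTH_LOG = (
    [_line(T0 + timedelta(seconds=3 * i), "198.51.100.7", 40000 + i) for i in range(40)]
    + [_line(T0 + timedelta(seconds=4 * i), "10.0.0.5", 50000 + i) for i in range(25)]
    + [_line(T0 + timedelta(minutes=i), "203.0.113.9", 33000 + i) for i in range(3)]
    + [f"{T0.isoformat()} bastion sshd[4100]: Accepted publickey for ops from 10.0.0.8 port 51000 ssh2"]
)
# Constructed EDR network events for the same window.
SAMPLE_EDR_EVENTS = (
    [{"ts": T0 + timedelta(seconds=3 * i), "process": "sshd", "dst_port": 22,
      "src_ip": "198.51.100.7"} for i in range(60)]
    + [{"ts": T0, "process": "nginx", "dst_port": 443, "src_ip": "203.0.113.9"}]
)


def hunt(auth_lines: Iterable[str], edr_events: Iterable[Dict],
         threshold: int = 20) -> Dict[str, Dict[str, int]]:
    return {
        "timeouts": bursts_by_source(timeout_events(auth_lines), threshold),
        "sshd_connections": bursts_by_source(
            ((e["ts"], e["src_ip"]) for e in edr_events
             if e["process"] == "sshd" and e["dst_port"] == 22), threshold),
    }


if __name__ == "__main__":
    print(hunt(SAMPLE_AUTH_LOG, SAMPLE_EDR_EVENTS))
```

A burst of these timeouts from one public source is the footprint of repeatedly opening connections and letting LoginGraceTime expire; seeing it alongside a connection spike to sshd from the same address is what makes the two signals above worth correlating rather than alerting on separately.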
#DFIR_TLDR:
Azure VM Extensions can play a key role in security incidents.
A less commonly used forensic artifact is the "WaAppAgent.log" file, which can include valuable details regarding Azure VM extensions that might have been abused.
Path: C:\WindowsAzure\Logs\WaAppAgent.log
#DFIR
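An added example of how that artifact gets used in practice (not Hunters' tooling): parse WaAppAgent.log into an extension timeline for the incident window and flag the handlers that run operator-supplied code. The line layout "[sequence] [MM/DD/YYYY HH:MM:SS.ff] [LEVEL] message" and the sample lines are assumptions constructed for the demonstration; the path is the one from the post, and the handler names Microsoft.Compute.CustomScriptExtension and Microsoft.CPlat.Core.RunCommandWindows are the real Azure extension names.

```python
"""Build an Azure VM extension timeline from WaAppAgent.log.

Added example, not Hunters' tooling. Line layout and sample entries are
assumed/constructed; the extension handler names are real Azure names.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

LOG_PATH = r"C:\WindowsAzure\Logs\WaAppAgent.log"   # from the post

# Assumed layout: [sequence] [MM/DD/YYYY HH:MM:SS.ff] [LEVEL] message
LINE_RE = re.compile(
    r"^\[(?P<seq>[0-9A-Fa-f]+)\]\s+\[(?P<ts>[^\]]+)\]\s+\[(?P<level>\w+)\]\s+(?P<msg>.*)$")
EXT_RE = re.compile(r"\b(Microsoft\.[A-Za-z]+(?:\.[A-Za-z]+)+)\b")

# Handlers that execute scripts/commands handed in through the Azure control plane.
CODE_EXEC_HANDLERS = {
    "Microsoft.Compute.CustomScriptExtension",
    "Microsoft.CPlat.Core.RunCommandWindows",
}


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ext = EXT_RE.search(m["msg"])
    return {"ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
            "level": m["level"], "msg": m["msg"],
            "extension": ext[1] if ext else None}


def extension_timeline(lines: Iterable[str], start: Optional[datetime] = None,
                       end: Optional[datetime] = None) -> List[Dict]:
    """Entries naming an extension, limited to [start, end], with
    code-execution handlers flagged for priority review."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["extension"]:
            continue
        if (start and rec["ts"] < start) or (end and rec["ts"] > end):
            continue
        rec["flag"] = rec["extension"] in CODE_EXEC_HANDLERS
        out.append(rec)
    return out


def flagged(timeline: List[Dict]) -> List[str]:
    """Distinct code-execution handlers seen in the timeline."""
    return sorted({r["extension"] for r in timeline if r["flag"]})


# Constructed sample: a monitoring agent during the day, then a Custom Script
# Extension and a Run Command appearing late in the evening.
SAMPLE_LOG = """\
[00000010] [12/25/2024 07:50:01.10] [INFO]  Guest Agent started, version 2.7.41491.1071
[00000011] [12/25/2024 07:50:05.33] [INFO]  Extension Microsoft.Azure.Monitor.AzureMonitorWindowsAgent enable completed
[00000012] [12/25/2024 22:14:05.49] [INFO]  Loading extension Microsoft.Compute.CustomScriptExtension version 1.10.15
[00000013] [12/25/2024 22:14:06.01] [INFO]  Extension Microsoft.Compute.CustomScriptExtension enable command started
[00000014] [12/25/2024 22:14:40.77] [INFO]  Extension Microsoft.Compute.CustomScriptExtension status: success
[00000015] [12/25/2024 22:31:12.00] [INFO]  Extension Microsoft.CPlat.Core.RunCommandWindows enable command started
[00000016] [12/25/2024 22:31:13.05] [WARN]  Heartbeat delayed
"""


if __name__ == "__main__":
    # On a live system read LOG_PATH instead of SAMPLE_LOG.
    window = extension_timeline(SAMPLE_LOG.splitlines(),
                                start=datetime(2024, 12, 25, 22, 0),
                                end=datetime(2024, 12, 25, 23, 0))
    for rec in window:
        print(rec["ts"], "FLAG" if rec["flag"] else "    ", rec["extension"], "-", rec["msg"])
    print("code-execution handlers in window:", flagged(window))
```

The value of the timeline is the ordering: an extension that first appears in the agent log inside the suspected intrusion window, especially one of the flagged handlers, points straight at the Azure activity log entry and the identity that pushed it.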
A good explanation is a simple explanation.
We've put together a complete and "human-friendly" guide for #Azure incident response and threat hunting, as Azure Cloud has become a popular target for cyber attacks.
Check Part 1 here👇
https://t.co/viultMUgLR