Breach Roundup: Phishing Platform ONNX Targets Microsoft 365 (2024)

Cybercrime , Cybercrime as-a-service ,

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, ONNX targeted Microsoft 365, Symantec spotted Chinese espionage, AMD may have been breached, Cleveland vowed to defy hackers, Black Basta hit a Spanish firm, Pakistani hackers targeted India, Microsoft said it fixed flaws in Azure, and the U.S. and Indonesia held a cybersecurity exercise.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

A new phishing-as-a-service platform called ONNX Store is targeting Microsoft 365 accounts in the financial sector, using QR codes embedded in PDF attachments. ONNX is likely a rebranded version of the Caffeine phishing kit. It operates via Telegram bots and includes two-factor authentication bypass mechanisms.

Researchers at EclecticIQ discovered ONNX, which began operations in February 2024 by distributing phishing emails impersonating HR departments with lures such as salary updates. The malicious emails contain mimicked Microsoft 365 login interfaces. The attackers captured login credentials and 2FA tokens in real-time to enable account hijacking.

ONNX's robust features make it an attractive tool for cybercriminals. It offers customizable phishing templates, encrypted JavaScript for evading detection, and Cloudflare services for domain protection. Operations are managed through Telegram, with bots and dedicated support channels. ONNX provides four subscription tiers ranging from $150 to $400 per month, and each tier offers various phishing functionalities, including 2FA cookie stealing and custom redirect links.

A sustained campaign using tools associated with Chinese espionage groups targeted multiple telecom operators in a single Asian country, according to a report by Symantec's Threat Hunter Team. The attacks began in 2021 or 2020. They involve the use of custom malware and tactics to breach the networks of targeted companies and steal credentials.

The attackers employed a variety of tools, including backdoors associated with the Fireant, Needleminer, and Firefly groups - all linked to Chinese espionage actors. Hackers used backdoors including Coolclient, Quickheal and Rainyday to log keystrokes, read and delete files and communicate with command-and-control servers.

The campaign also involved port scanning, credential theft through registry hive dumping, and the use of tools such as Responder to poison DNS and NetBIOS services. The attackers may have been gathering intelligence on the telecom sector, eavesdropping or building a disruptive capability against critical infrastructure in the targeted country.

Symantec identified several indicators of compromise related to the campaign, including specific malware variants and IP addresses used by the attackers.

Chip giant AMD is investigating claims by hacker IntelBroker, who announced on criminal online forum BreachForums that he is selling sensitive data allegedly stolen from the company. The data putatively includes information on future products, employee and customer databases, source code and financial documents, possibly obtained from a third-party hosting provider in June 2024.

The city of Cleveland will not pay the ransom demanded by cybercriminals who attacked city systems earlier this month, reported local ABC news outlet Channel 5. The attack did not affect a number of city functions, including 911, trash collection, and the municipal court system (see: Cleveland Cyber Incident Prompts Shutdown of City IT Systems).A city spokesperson told Channel 5 that the Department of Taxation, utilities and airports "are segmented on a different network and domain" and don't appear to have been affected by the attack. City Hall closed to the public for nearly two weeks but will reopen Thursday with "select operations."

Spanish engineering and technology firm Amper Group fell victim to a cyberattack by the Black Basta group earlier this month. The ransomware-as-a-service outfit stole 650 gigabytes of sensitive data, including confidential project details and employee personal information, reported Europa Press. The firm works in sectors including defense, security, energy and telecommunications.

According to reports from HackManac and confirmation from internal company sources, the incident began on June 6 with a phishing email. A company spokesperson told Europa Press that the encrypted servers "weren't critical," backups were in place and the hackers have not managed to affect any critical systems.

An advanced persistent threat from Pakistan, tracked as UTA0137, is using an old Linux vulnerability and innovative Discord-based malware called "Disgomoji" to conduct cyberespionage against Indian government organizations, according to Volexity. UTA0137 exploits the "Dirty Pipe" Linux kernel bug, tracked as CVE-2022-0847. The flaw allows unauthorized users to gain root privileges. This vulnerability still affects the widely used Indian Linux distribution "BOSS," despite being publicized two years ago.

Disgomoji uses emojis for commands and manages infections through Discord channels. It sends system information to attackers, establishes persistence via the "cron" scheduler, and can steal data from connected USB devices. Commands include a camera emoji for screenshots and a fire emoji to exfiltrate files.

Microsoft said it addressed in May server-side request forgery vulnerabilities in the Azure Machine Learning service discovered by cybersecurity firms Wiz and Tenable. "These vulnerabilities could have allowed unauthorized requests by an HTTP client, potentially including internal IPs. These internal IPs could access AML's internal Kubernetes infrastructure and expose back-end metadata, such as network and pod information, that could be used to disrupt AML service operations," Microsoft said.

The United States and Indonesia held a port-focused cybersecurity tabletop exercise from June 10 through June 13 in Surabaya, Indonesia. The exercise, a first for the two countries, simulated cyber incidents and ransomware attacks on maritime infrastructure and aimed to improve resilience and response plans. Led by the U.S. Department of Homeland Security, the event included participants from the Indonesian government and the private sector. The exercise is part of ongoing U.S.-Indonesia security cooperation. Concerns over Chinese-built cranes and cyberthreats to ports were highlighted as ongoing issues that need attention.

Other Coverage From Last Week

• Chinese Hackers Used Open-Source Rootkits for Espionage
• Popular Chatbots Spout Russian Misinformation, Finds Study
• Russian State Hackers Target French Government for Espionage
• UK Pathology Lab Ransomware Attackers Demanded $50 Million

With reporting from Information Security Media Group's David Perera in Washington, D.C.