Unit 42 Alerts: Phishing Campaign Targeting European Companies to Steal Microsoft Azure Credentials

Listen to this Post

A recent phishing campaign targeting European companies has been uncovered by Unit 42, aiming to steal Microsoft Azure credentials. The campaign has been linked to 33 indicators of compromise (IoCs). Organizations are urged to stay vigilant and implement robust security measures to protect their Azure environments.

Link to https://ift.tt/4peMHEG

Practice-Verified Commands and Codes:

1. Check for Suspicious Logins in Azure:

Get-AzureADAuditSignInLogs -Filter "startsWith(userPrincipalName,'[email protected]')" | Format-Table -Property CreatedDateTime,UserPrincipalName,AppDisplayName,IPAddress,Location

2. Block Suspicious IP Addresses in Azure NSG:

$nsg = Get-AzureRmNetworkSecurityGroup -Name "Your-NSG-Name" -ResourceGroupName "Your-Resource-Group"
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name "Block-Suspicious-IP" -Description "Block Suspicious IP" -Access Deny -Protocol * -Direction Inbound -Priority 100 -SourceAddressPrefix "Suspicious-IP" -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange * | Set-AzureRmNetworkSecurityGroup

3. Enable Multi-Factor Authentication (MFA) for Azure Users:

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements $sta

4. Monitor Azure Activity Logs for Anomalies:

Get-AzureRmLog -ResourceGroup "Your-Resource-Group" -StartTime (Get-Date).AddDays(-1) -EndTime (Get-Date) | Where-Object {$_.OperationName.Value -eq "Microsoft.Compute/virtualMachines/write"}

5. Scan for Malicious Files Using Windows Defender:

Start-MpScan -ScanType FullScan
  1. Check for Open Ports on a Suspicious IP:
    nmap -p 1-65535 -T4 -A -v suspicious-ip
    

7. Analyze Network Traffic with tcpdump:

tcpdump -i eth0 -w capture.pcap

8. Block IP Addresses in Linux Firewall:

sudo iptables -A INPUT -s suspicious-ip -j DROP

9. Check for Unauthorized SSH Logins:

grep "Failed password" /var/log/auth.log

10. Scan for Vulnerabilities with OpenVAS:

openvasmd --get-tasks --details

What Undercode Say:

The phishing campaign targeting European companies to steal Microsoft Azure credentials highlights the importance of robust cybersecurity practices. Organizations must remain vigilant and implement multi-layered security measures to protect their cloud environments. Regularly monitoring Azure activity logs, enabling MFA, and blocking suspicious IP addresses are critical steps in mitigating such threats. Additionally, using tools like Windows Defender, Nmap, and OpenVAS can help identify and neutralize potential vulnerabilities. In Linux environments, commands like tcpdump, iptables, and `grep` are invaluable for monitoring and securing network traffic. Always ensure that your systems are up-to-date with the latest security patches and that your team is trained to recognize and respond to phishing attempts. For further reading on Azure security best practices, visit Microsoft’s official documentation. Stay secure, stay informed.

References:

Hackers Feeds, Undercode AIFeatured Image