norm. threat bulletin: 22nd March 2023


Business email compromise volumes double

The number of business email compromise (BEC) incidents doubled last year and replaced ransomware as the most prolific cybercrime category, according to recently released research by American cyber security company Secureworks. The threat detection and response firm compiled its ‘Learning from Incident Response’ report from real-world incidents it was called upon to investigate. It claimed the significant growth in BEC volumes was down to a rise in phishing, which accounted for 33% of initial access vectors – up from 13% in 2021. At the same time, ransomware lost its place as the most common cybercrime type, with detections declining 57%.

This research suggests the fall could be down to threat actors targeting smaller victims, which are less likely to engage with incident responders. BEC attacks can generate a big payout but require relatively little technical skill. Attackers can simultaneously phish multiple organisations looking for potential victims, without needing to employ advanced skills or operate complicated affiliate models.

This analysis matches a recent Trend Micro report, which suggested that ransomware groups will increasingly look to adopt other criminal models that monetise initial access, like BEC. The report also showed that vulnerabilities in internet-facing systems accounted for another third of initial access vectors, warning that it is known bugs like Log4Shell, rather than zero days, that represent the biggest threat.

By utilising both norm.’s Cyber Safety and Phishing module, which educates users on how to spot a likely malicious email, and norm.’s Vulnerability Patch Management service, which will patch known vulnerabilities like Log4Shell, you can minimise the risk of both BEC attacks and the exploitation of publicly known vulnerabilities.


Learning from Incident Response: 2022 Year in Review

Rethinking Tactics – 2022 Annual Cybersecurity Report

Microsoft warns of large-scale phishing attacks using attacker-in-the-middle phishing kits

Phishing is one of the most common forms of cyber-attack, occurring almost daily and in many different forms. Adversary in the Middle (AitM) phishing kits have become increasingly prominent in the world of cybercrime because they allow attacks to be orchestrated on a large scale, with various threat actors using the tool to send out millions of phishing emails per day. The attacks in question aim to steal a target’s credentials by deploying a proxy server between the user and the website they are attempting to use, intercepting the user’s password and session cookies; hence, attacker-in-the-middle. These types of phishing attacks have also been stated to be able to circumvent multi-factor authentication, making them highly sought after for potential phishing attacks.

Per Microsoft, the group behind several of the aforementioned phishing kits is known as DEV-1101. The group has allowed potential attackers to purchase or rent these kits, making a phishing attack a lot more accessible and less resource intensive to perform, and in turn making the kits a much larger threat because they are available to anybody willing to pay for them. Another reason these kits are considered such a threat is that they are service-based, meaning any credentials stolen using the kits can be sent to both the customer and the kit provider. The AitM kits feature the ability to make the phishing landing pages mimic Microsoft Office and Outlook, as well as the ability to evade detection using captcha checks and to manage the phishing campaigns from a user’s phone.

One such use of these kits comes from an activity cluster named DEV-0928, a phishing campaign that has managed to compromise over 1 million emails since September 2022. The attack commences with an email sent to the target, containing a link to a PDF document which will redirect the target to a login page masquerading as an official Microsoft sign-in portal. This step also incorporates a captcha check, the aim being that automated systems will have much more difficulty passing the captcha than humans, ensuring that all of the credentials are legitimate and valid user accounts. Although these types of phishing attacks can bypass MFA, it is still crucial that organisations implement authentication methods to block suspicious login attempts. Due to the ability to bypass MFA, it is very important that users are properly educated on phishing attacks so that they are able to effectively identify these types of attacks as soon as they see them.

The Cyber Safety and Phishing module from norm. can educate users on how to spot a likely malicious email. With this education, not only would users be more aware of the tactics used by attackers but also the content will enable them to exercise caution when clicking on suspicious emails and links. It is also recommended to take a minute to assess an email or message before responding and never give any remote access to your device.

Microsoft Warns of Large-Scale Use of Phishing Kits to Send Millions of Emails Daily

RedEyes hackers use new malware to steal data from Windows

APT37, also known as ‘RedEyes’, is a North Korean cyber espionage hacking group believed to be state-supported. In 2022, the hacking group was seen exploiting Internet Explorer zero-days and distributing a wide assortment of malware against targeted entities and individuals. More recently they have been observed using new evasive ‘M2RAT’ malware and steganography to target individuals for intelligence collection.

The recent attacks started in January 2023, when the hacking group sent phishing emails containing a malicious attachment to their targets. Opening the attachment triggers the exploitation of an old EPS vulnerability. The exploit causes shellcode to run on the victim’s computer, which downloads and executes malicious code stored within a JPEG image. This JPEG image file uses steganography to stealthily introduce the M2RAT executable (“lskdjfei.exe”) onto the system and inject it into “explorer.exe”.

For persistence on the system, the malware adds a new value (“RyPO”) in the “Run” Registry key, with commands to execute a PowerShell script via “cmd.exe.” This same command was also seen in a 2021 Kaspersky report about APT37.
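A triage check for the persistence described above, as an added example that is not part of the original bulletin: it parses `reg query` text output collected from a host and flags Run values named “RyPO” or whose command line starts PowerShell through cmd.exe. The sample output, the file paths in it and the helper names are constructed for illustration.

```python
import re

# Constructed `reg query` output for illustration; not captured from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    RyPO    REG_SZ    c:\windows\system32\cmd.exe /c PowerShell.exe -File C:\constructed\placeholder.ps1
    Updater    REG_EXPAND_SZ    %ComSpec% /c start /min powershell -File C:\Users\Public\u.ps1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# One value line in `reg query` output: name, type and data separated by four spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")
# cmd.exe (or %ComSpec%) followed later on the same command line by PowerShell.
CMD_TO_PS = re.compile(r"(?:\bcmd(?:\.exe)?\b|%comspec%).*\bpowershell(?:\.exe)?\b", re.I)
REPORTED_NAMES = {"rypo"}  # value name given in the bulletin for M2RAT persistence


def parse_run_values(text):
    """Return (key, name, type, data) tuples from `reg query` text output."""
    key, rows = None, []
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            rows.append((key, m["name"], m["type"], m["data"].strip()))
    return rows


def flag_suspicious(rows):
    """Attach reasons to Run values that match the behaviour described above."""
    findings = []
    for key, name, _type, data in rows:
        reasons = []
        if name.lower() in REPORTED_NAMES:
            reasons.append("value name reported for M2RAT")
        if CMD_TO_PS.search(data):
            reasons.append("cmd.exe launching PowerShell at logon")
        if reasons:
            findings.append({"key": key, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(parse_run_values(SAMPLE)):
        print(f"{f['key']}\\{f['name']}: {', '.join(f['reasons'])}")
```

A value name is trivial for an operator to change, so the command-line rule is the more durable of the two; legitimate software occasionally matches it and each hit needs review.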

The M2RAT backdoor acts as a basic remote access trojan that performs keylogging, data theft, command execution, and the taking of screenshots from the desktop. The screenshot-snapping function is activated periodically and works autonomously without requiring a specific operator command.

The malware’s ability to scan for portable devices connected to the Windows computer, such as smartphones or tablets, is of particular interest. If a portable device is detected, it will scan the device’s contents for documents and voice recording files and, if found, copy them to the PC for exfiltration to the attacker’s server. Before exfiltration, the stolen data is compressed in a password-protected RAR archive, and the local copy is wiped from memory to eliminate any traces.

By utilising norm.’s Threat Detection & Response module in combination with the Vulnerability Patch Management module, your systems will receive the latest security updates, rendering attacks which utilise old vulnerabilities unsuccessful.

Microsoft Word remote code execution vulnerability CVE-2023-21716

A proof of concept has been released for a remote code execution (RCE) vulnerability in Microsoft Office. This RCE vulnerability is specifically found within the Microsoft Office Word RTF (Rich Text Format) parser. The vulnerability is a heap corruption vulnerability; when exploited, it allows bad actors to run arbitrary commands with the victim’s privileges via malicious RTF files. The exploit even takes effect when using preview, meaning the victim does not even need to open the file for the payload to be delivered. This brings a low attack complexity with high impact potential, which is why it has resulted in a CVSS score of 9.8, which is critical.

This has affected Word, Office, SharePoint, and Microsoft 365 apps with attacks most likely to be delivered through Microsoft Outlook. Although there is no known exploitation at present, a publicly available PoC can significantly increase the likelihood of exploitation in the wild.

Microsoft issued 21 updates on the 14th February 2023 for CVE-2023-21716 covering Word, Office, SharePoint, and Microsoft 365 apps. On the 23rd February 2023, updates were added for further Office editions, and Microsoft added that customers who run automatic updates do not need to take any further action.

Should you not run automatic updates, Microsoft have added some workarounds to use in the meantime until updates are applied:

  • Use Microsoft Outlook to reduce the risk of users opening RTF files from unknown or untrusted sources.
  • Read emails in plain text format.

You can do this in Outlook for Microsoft 365 by going to:

  1. On the File tab, choose Options > Mail.
  2. Under Compose messages, in the “Compose messages in this format” list, select Plain Text.

You can also use Microsoft Office file block policy to prevent Office opening RTF documents from unknown or untrusted sources, but you will need to configure a special “exempt directory” or you will be unable to open documents saved in the RTF format.

By utilising norm.’s Vulnerability Patch Management service, you can ensure firstly that software is up to date with the latest security patches, greatly reducing the attack surface. By adding norm.’s Threat Detection & Response module on top of this, you can ensure this attack surface is protected as best as possible.


Microsoft Word Remote Code Execution Vulnerability

New Botnet responsible for 3.3 Tbps DDoS attacks

Researchers at Akamai have identified a new emerging malware botnet called “Hinata”, named after a popular anime character from “Naruto”. This botnet is primarily focused on performing distributed denial of service (DDoS) attacks, using HTTP and SSH to target several vulnerabilities in IoT and networking hardware.

Akamai discovered this botnet through a series of SSH and HTTP honeypot servers – servers deliberately exposed to the public internet and designed to lure attackers into performing exploits or deploying/detonating malware. Honeypots can be deployed on edge infrastructure to record and track the actions of malicious actors that may be targeting your organisation. Akamai estimated that Hinata is capable of DDoS attacks exceeding 3.3 Tbps of traffic. For comparison, the DDoS attack against in 2016 exceeded 620 Gbps.

Hinata has used vulnerabilities in Realtek SDK devices (CVE-2014-8361) and Huawei routers (CVE-2017-17215) to spread and infect devices exposed to the internet.

Akamai has linked the operator of Hinata to the distribution of the Mirai botnet, an equally destructive and more well-known botnet that first hit the scene in 2016, which norm. delved into in the last edition of the threat bulletin (08.03.23).

By utilising norm.’s Threat Detection & Response and Vulnerability Management modules your public facing assets are monitored for DDoS attack activity and are protected against historic and emerging vulnerabilities.


New ‘HinataBot’ botnet could launch massive 3.3 Tbps DDoS attacks

Uncovering HinataBot: A Deep Dive into a Go-Based Threat | Akamai
