HubPhish Abuses HubSpot Tools to Target 20,000 European Users for Credential Theft
Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims' Microsoft Azure cloud infrastructure.
The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe.
"The campaign's phishing attempts peaked in June 2024, with fake forms created using the HubSpot Free Form Builder service," security researchers Shachar Roitman, Ohad Benyamin Maimon, and William Gamazo said in a report shared with The Hacker News.
The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials.
As Unit 42 points out, neither was HubSpot compromised during the phishing campaign, nor were the Free Form Builder links delivered to target victims via the customer platform's infrastructure.
The company said it identified no less than 17 working Free Forms working Free Forms used to redirect victims to different threat actor-controlled domains. A significant chunk of those domains were hosted on the ".buzz" top-level domain (TLD).
"The phishing campaign was hosted across various services, including Bulletproof VPS host," the company said. "[The threat actor] also used this infrastructure for accessing compromised Microsoft Azure tenants during the account takeover operation."
Upon gaining successful access to an account, the threat behind the campaign has been found to add a new device under their control to the account so as to establish persistence.
"Threat actors directed the phishing campaign to target the victim's Microsoft Azure cloud infrastructure via credential harvesting attacks on the phishing victim's endpoint computer," Unit 42 said. "They then followed this activity with lateral movement operations to the cloud."
The development comes as attackers have been spotted impersonating SharePoint in phishing emails that are designed to deliver an information stealer malware family called XLoader (a successor to Formbook).
Phishing attacks are also increasingly finding novel ways to bypass email security measures, the latest among them being the abuse of legitimate services like Google Calendar and Google Drawings, removing URL protocols (HTTP/HTTPS) from embedded links in emails, as well as spoofing email security provider brands, such as Proofpoint, Barracuda Networks, Mimecast, and Virtru.
Those that exploit the trust associated with Google services involve sending emails including a calendar (.ICS) file with a link to Google Forms or Google Drawings. Users who click on the link are prompted to click on another one, which is typically disguised as a reCAPTCHA or support button. Once this link is clicked, the victims are forwarded to phony pages that perpetrate financial scams.
To further lend the attacks a ring of authenticity, the threat actors send out the meeting invites containing the malicious link via Calendar, thereby completely bypassing email security tools. Users are advised to enable the "known senders" setting in Google Calendar to protect against this kind of phishing attack.
(The story was updated after publication to emphasize that the campaign did not involve the compromise of HubSpot or its infrastructure.)
source: TheHackerNews
Free security scan for your website
Top News:
CISA orders federal agencies to secure Microsoft 365 tenants
December 18, 2024Recorded Future CEO applauds "undesirable" designation by Russia
December 19, 2024BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356)
December 18, 2024Google Chrome uses AI to analyze pages in new scam detection feature
December 21, 2024