Actu
Menlo Security Exposes Three New Nation-State Campaigns
June 2024 by Menlo Security
Menlo Security released its latest report, “Global Cyber Gangs,” which uncovered three novel nation-state campaigns employing highly evasive and adaptive threat (HEAT) attack techniques. The report highlights state-sponsored threat actors’ growing sophistication and shifting behavior and describes how their novel techniques evade traditional security controls.
In a recent 90-day period, Menlo Labs uncovered a trifecta of sophisticated HEAT campaigns—LegalQloud, Eqooqp, and Boomer—compromising at least 40,000 high-value users, including C-suite executives from major banking institutions, financial powerhouses, insurance giants, legal firms, government agencies, and healthcare providers. The breadth and depth of these breaches signal an alarming escalation in cyber warfare, all detailed in this report.
Menlo Labs identified these novel campaigns:
LegalQloud, hosted on Tencent Cloud (the largest Internet company in China), impersonates legal firms to steal Microsoft credentials, targeting governments and investment banks in North America. Menlo Labs discovered 500 enterprises targeted by this campaign in a 90-day period, bypassing URL categorization and block lists.
Eqooqp can defeat multifactor authentication (MFA) and targets a range of government and private sector organizations, including logistics, finance, petroleum, manufacturing, higher education, and research. Nearly 50,000 attacks associated with this campaign have been detected and stopped by Menlo Cloud in recent months.
Boomer is an intricate phishing campaign targeting sectors such as government and healthcare. In Boomer attacks, threat actor employs advanced evasive techniques including dynamic phishing sites, custom HTTP headers, tracking cookies, bot detection countermeasures, encrypted code, and server-side generated phishing pages.
Other key findings surrounding these campaigns include:
• 60% of malicious links clicked by a user are attributed to phishing or fraud.
• 25% of phishing links clicked by the user goes undetected by legacy URL filtering.
• Microsoft is the most impersonated brand across industries.
The Menlo Security findings presented in this report reveal the increasing sophistication and alarming prevalence of evasive attacks by nation-state actors, capable of bypassing MFA using Adversary in the Middle (AiTM) kits. Leveraging unique and early-stage telemetry from within the Menlo Cloud, Menlo Security developed effective defenses against these HEAT attacks. The Menlo Secure Cloud Browser, with HEAT Shield phishing prevention, offers real-time protection by executing web requests in the cloud. This eliminates the browser attack surface, preventing malicious activities from ever reaching endpoints.
