{"id":8271,"date":"2023-12-18T17:04:16","date_gmt":"2023-12-18T17:04:16","guid":{"rendered":"https:\/\/fortgale.com\/blog\/?p=8271"},"modified":"2023-12-20T11:31:02","modified_gmt":"2023-12-20T11:31:02","slug":"espionage-activities-targeting-european-businesses","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/featured\/espionage-activities-targeting-european-businesses\/","title":{"rendered":"Espionage activities targeting European businesses"},"content":{"rendered":"\n<p class=\"has-text-color has-link-color wp-elements-1c4faa9693146f31db943eb3c9b8aeb3\" style=\"color:#000000\">In the evolving landscape of cybersecurity threats, <em>Fortgale<\/em> is tracking <strong>PhishSurf Nebula<\/strong>, an advanced <strong>Cyber Espionage <\/strong>group active since 2021 and primarily targeting entities within the<strong> Banking &amp; Finance<\/strong> and <strong>Real Estate<\/strong> sectors across <strong>Europe <\/strong>and <strong>North America<\/strong>. <\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-f36a8e6aa007818f4d708219773e66e3\" style=\"color:#000000\">In particular, most of the involved companies are <strong>Private Equity Firms, Hedge Funds, Venture Capital firms and Luxury Real Estate Dealers.<\/strong><\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-5e8835774d4675952b7dbdd434d2f148\" style=\"color:#000000\">PhishSurf Nebula (hereinafter PSN) has demonstrated advanced offensive capabilities, including the ability to <strong>bypass Multi-Factor Authentication<\/strong> (MFA), a control organizations rely on to protect employee accounts from unauthorized access.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-df99e43f324efed97ece72aea4682677\" style=\"color:#000000\">This article delves into the modus operandi and <strong>Tactics, Techniques and Procedures<\/strong> of PSN, highlighting aspects useful for Chief Information Security Officers 
(<strong>CISOs<\/strong>) and IT Departments in <strong>safeguarding<\/strong> <strong>their organizations<\/strong> and emphasizing the limitations of MFA when dealing with <strong>Advanced Cyber Attacks.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-color has-link-color wp-elements-8e5db6e25d0b1a581f404b08ffd5dba9\" id=\"h-attack-flow\" style=\"color:#000000\"><strong>Attack Flow<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-elements-cabf9b27a188a240dae35534e49ac3c2\" style=\"color:#000000\">PSN identifies potential <strong>targets of interest<\/strong><\/li>\n\n\n\n<li class=\"wp-elements-397b108c0ff2a9def204d188dc586c2e\" style=\"color:#000000\">A <strong>customized phishing <\/strong>website is built<\/li>\n\n\n\n<li class=\"wp-elements-5a0d592c3c28cc4fa92828ecd42608b0\" style=\"color:#000000\">The <strong>phishing campaign is tailored<\/strong> to the selected targets<\/li>\n\n\n\n<li class=\"wp-elements-48b86314787f66010821687d0b80d905\" style=\"color:#000000\"><strong>Malicious emails<\/strong>, distributed in low volumes, are sent to victims<\/li>\n\n\n\n<li class=\"wp-elements-4ae00888629bdaa44cd740c6d5a54327\" style=\"color:#000000\">Clicking the malicious link and logging in on the phishing page leads to the deployment of <strong>persistence mechanisms<\/strong> on the victim&#8217;s account (Office 365, Google Workspace)<\/li>\n\n\n\n<li class=\"wp-elements-4524d8ed1ee5370117d0ec09d1ecb1b8\" style=\"color:#000000\"><strong>Exfiltration, lateral movement and privilege escalation<\/strong> activities are then carried out by the Threat Actor<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-stripes\"><table><tbody><tr><td><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-e1702907960431.png\" alt=\"\" loading=\"lazy\"><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading has-text-color has-link-color 
wp-elements-b1d9322a6170e3c993bb67a5ebe81d1e\" id=\"h-how-to-defend\" style=\"color:#000000\"><strong>How to Defend<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-elements-bf26c2342c2058395eb0f9da9ab1ba82\" style=\"color:#000000\"><strong>Enhanced Security Measures<\/strong>: Given that PSN reliably circumvents MFA, CISOs and IT departments should add further security layers. Note that MFA based on one-time codes or push approvals can be relayed through a phishing page, whereas phishing-resistant authenticators (FIDO2\/WebAuthn security keys and passkeys) bind the credential to the legitimate origin and are not bypassed this way. Further layers may include:\n<ul class=\"wp-block-list\">\n<li class=\"wp-elements-3f9bba2f929afb1631042a17d2a78e3c\" style=\"color:#000000\">The adoption of <strong>Behavioral Analysis<\/strong><\/li>\n\n\n\n<li class=\"wp-elements-ebf9f7b74102d43c0238d1aa4fc5fbc7\" style=\"color:#000000\">The implementation of <strong>Identity Anomaly Detection<\/strong> activities<\/li>\n\n\n\n<li class=\"wp-elements-a2dd4d27a077a0ff07eccd16988e909d\" style=\"color:#000000\">The deployment of <strong>Advanced Endpoint Protection<\/strong> mechanisms<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li class=\"wp-elements-72fd8266f823cea93498bbb9af78d7ce\" style=\"color:#000000\"><strong>Intelligence<\/strong>: Use Threat Intelligence feeds to stay ahead of evolving phishing techniques; regularly updated feeds help track the latest tactics employed by PSN and other threats<\/li>\n\n\n\n<li class=\"wp-elements-00b2cf9efe3fdfe212575d263e58feff\" style=\"color:#000000\"><strong>Continuous Monitoring and Adaptation<\/strong>: PSN keeps changing its tactics, so defences must be monitored continuously and adapted to counter new threats effectively. 
Participating in industry-specific information-sharing groups is an effective way to stay informed about the latest attack trends<\/li>\n\n\n\n<li class=\"wp-elements-73a264fbd4e999a76f3dfb09f8caf35b\" style=\"color:#000000\"><strong>Employee Training and Awareness:<\/strong> Conduct regular phishing awareness training for personnel, stressing the importance of recognizing and promptly reporting phishing attempts in order to limit the impact of a breach<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading has-text-color has-link-color wp-elements-317614c7503e41dd62344f33b1079f99\" id=\"h-takeaways\" style=\"color:#000000\"><strong>Takeaways<\/strong><\/h3>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-22589ad7e22c49544d9707bb206b5284\" style=\"color:#000000\">A successful PSN intrusion can lead to the compromise of C-level accounts, with <strong>data exfiltration,<\/strong> <strong>financial losses and reputational damage<\/strong> as consequences. <\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-7418ce57282815f88ef18fd28d2fec15\" style=\"color:#000000\"><strong>Fortgale believes in a holistic approach that merges advanced cyber defense practices with leading cybersecurity technologies as an effective safeguard against sophisticated cyber threats like PSN.<\/strong><\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-f922ba496729f2e2c4ba3ed61728b6b0\" style=\"color:#000000\">Below is an <strong>in-depth analysis<\/strong>, with a complete overview of the attack patterns, Threat Actor, victims and campaigns.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading has-text-color has-link-color has-x-large-font-size wp-elements-82d65d2f57490f51ca84d5ca0c87ed07\" id=\"h-in-depth-analysis\" style=\"color:#000000\"><strong>In-Depth Analysis<\/strong><\/h2>\n\n\n\n<p>PSN&#8217;s attack campaigns employ <strong>phishing emails 
as their attack vector<\/strong> to establish long-term access to victims&#8217; accounts. These emails contain malicious attachments or links that redirect users to customized phishing websites.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-0b8f5faf1521c0d032172217be5b114a\" style=\"color:#000000\">PhishSurf Nebula\u2019s attacks follow a standard infection process, which consists of three main steps:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-stripes\"><table><tbody><tr><td><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/12\/Attack-Flow_locker_final-1-1024x428.png\" alt=\"\" loading=\"lazy\"><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-63de364956bab9370645b9bd1ba7141a\" style=\"color:#000000\">Key aspects of the attack:<\/p>\n\n\n\n<ul style=\"color:#000000\" class=\"has-text-color has-link-color wp-block-list wp-elements-93e1b56ab7fd4604ae61ee8584c27885\">\n<li class=\"wp-elements-263c81792e9fe8643897aa58d1b94bc6\" style=\"color:#000000\">The link in the phishing email abuses an <strong>Open Redirect<\/strong> (<a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/601.html\">CWE-601 URL Redirection to Untrusted Site &#8216;Open Redirect&#8217;<\/a>), so the URL the victim sees points at a trusted domain while the real destination travels in a redirect parameter<\/li>\n\n\n\n<li class=\"wp-elements-4ad6f352650b3d2cf5437e37a57332fd\" style=\"color:#000000\">After clicking the link, the user is redirected to an <strong>intermediate legitimate website<\/strong>, compromised by the threat actor.<\/li>\n\n\n\n<li class=\"wp-elements-67c996b6f626952642ab40b660107ad3\" style=\"color:#000000\">The final landing page (shown above) is the one serving the phishing kit.<\/li>\n\n\n\n<li class=\"wp-elements-c2089062f9e4f79430abdf8992513811\" style=\"color:#000000\">Different providers, in particular Office 365, Outlook, 
Exchange, Gmail and generic webmail, are offered as <strong>login options<\/strong>, in order to maximize the pool of potential victims.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-text-color has-link-color wp-elements-2d5e6d7724da7a7f3fafbbbe0491b0fc\" id=\"h-threat-actor\" style=\"color:#000000\"><strong>Threat Actor<\/strong><\/h3>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-1fabd18bb37f55c1516b2d8a1eaa6dd7\" style=\"color:#000000\">PhishSurf Nebula stands out due to its use of a <strong>custom phishing kit<\/strong>.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-a08d91ab19ba5490a752792109ebc2bb\" style=\"color:#000000\">The Threat Actor appears to have abused <strong>an open-source project called \u201cSurf\u201d<\/strong> (<a href=\"https:\/\/github.com\/headzoo\/surf\">GitHub &#8211; headzoo\/surf<\/a>), a stateful programmatic web-browsing library written in Go, to carry out persistence activities on victims&#8217; accounts.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-a396d64246ad33d4cb53dde5238e6bec\" style=\"color:#000000\">The evidence surrounding this kit led <em>Fortgale <\/em>to designate the threat actor as <strong>&#8220;PhishSurf Nebula.&#8221;<\/strong><\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-3dc1846d6baad093bb2d3f24863492f8\" style=\"color:#000000\">The Threat Actor&#8217;s activity follows a <strong>cyclic rhythm<\/strong>, periodically intensifying and subsiding.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-4f80f8aab60c1aac4962784272724129\" style=\"color:#000000\">Over the last nine months, <em>Fortgale <\/em>has gathered <strong>valuable information and insights<\/strong>: <\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-stripes\"><table><tbody><tr><td><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/12\/Domains-1-1024x226.png\" 
alt=\"\" loading=\"lazy\"><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-text-color has-link-color wp-elements-80b513991978c870c3716fbc82e19989\" id=\"h-targets\" style=\"color:#000000\"><strong>Targets<\/strong><\/h3>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-3395db41463da75001998a5bbb585b13\" style=\"color:#000000\">PhishSurf Nebula targets strategic users, mainly in the context of <strong>investments and real estate<\/strong>. The aim is probably to exfiltrate information on <strong>assets, funds and acquisitions in order to sell it to interested parties<\/strong>.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-5a66a03f0f00bf38cae1c703bc1312ff\" style=\"color:#000000\">At the same time, breached accounts and companies (Company A) are used as <strong>vectors<\/strong> to reach further potential victims (Company B), as described in the attack flow above.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-1115734ed7c6f90620867afdab997368\" style=\"color:#000000\">Victims are mainly <strong>US and Europe-based companies<\/strong>.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-6a8c3b2094b971f23e806ad8f21c9b43\" style=\"color:#000000\"><em>Fortgale <\/em>has identified several targets in recent months through its Threat Intelligence activities. 
Some of these targets include:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter has-small-font-size\"><table class=\"has-text-color has-link-color\" style=\"color:#000000\"><thead><tr><th><strong>Company<\/strong><\/th><th><strong>Country<\/strong><\/th><th><strong>Sector<\/strong><\/th><th><strong>First Seen<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>Bl** ***** Advisors<\/strong><\/td><td>Switzerland<\/td><td>Financial Services<\/td><td>June 2023<\/td><\/tr><tr><td><strong>D****** AM<\/strong><\/td><td>United Kingdom<\/td><td>Alternative Investments<\/td><td>May 2023<\/td><\/tr><tr><td><strong>Investment ********** Institute<\/strong><\/td><td>Australia<\/td><td>Institutional Investments<\/td><td>March 2023<\/td><\/tr><tr><td><strong>** Investments <\/strong><\/td><td>Switzerland<\/td><td>Financial Services<\/td><td>March 2023<\/td><\/tr><tr><td><strong>V*** *** Advisors<\/strong><\/td><td>United Kingdom<\/td><td>Financial Services<\/td><td>March 2023<\/td><\/tr><tr><td><strong>Q****** Financial<\/strong><\/td><td>Austria<\/td><td>Financial Solutions<\/td><td>March 2023<\/td><\/tr><tr><td><strong>K****** Strategies<\/strong><\/td><td>United States<\/td><td>Investments<\/td><td>March 2023<\/td><\/tr><tr><td><strong>W***** Capital<\/strong><\/td><td>United Arab Emirates (Dubai)<\/td><td>Venture Capital<\/td><td>February 2023<\/td><\/tr><tr><td><strong>*** Capital<\/strong><\/td><td>Switzerland<\/td><td>Portfolio Management<\/td><td>February 2023<\/td><\/tr><tr><td><strong>** Capital<\/strong><\/td><td>Bulgaria<\/td><td>Real Estate<\/td><td>February 2023<\/td><\/tr><tr><td><strong>F***** Law LLP<\/strong><\/td><td>United Kingdom<\/td><td>Legal Services<\/td><td>February 2023<\/td><\/tr><tr><td><strong>**-Innovation<\/strong><\/td><td>Germany<\/td><td>Solar Energy<\/td><td>December 2022<\/td><\/tr><tr><td><strong>** Advisors<\/strong><\/td><td>United States<\/td><td>Financial Advisors<\/td><td>December 2022<\/td><\/tr><tr><td><strong>**** Trust<\/strong><\/td><td>Germany<\/td><td>Financial 
Services<\/td><td>December 2022<\/td><\/tr><tr><td><strong>******* Masons<\/strong><\/td><td>United Kingdom<\/td><td>Legal Services<\/td><td>November 2022<\/td><\/tr><tr><td><strong>E*******e<\/strong><\/td><td>United Kingdom<\/td><td>Private Equity<\/td><td>October 2022<\/td><\/tr><tr><td><strong>B*** &amp; S******<\/strong><\/td><td>Luxembourg<\/td><td>Legal Services<\/td><td>October 2022<\/td><\/tr><tr><td><strong>N**** S** Capital<\/strong><\/td><td>Denmark<\/td><td>Investment Management<\/td><td>October 2022<\/td><\/tr><tr><td><strong>S******.at<\/strong><\/td><td>Austria<\/td><td>Real Estate Project Development<\/td><td>October 2022<\/td><\/tr><tr><td><strong>B******* &amp; Co<\/strong><\/td><td>The Netherlands<\/td><td>Investment Management<\/td><td>October 2022<\/td><\/tr><tr><td><strong>L******** Capital<\/strong><\/td><td>Canada<\/td><td>Investment Management<\/td><td>October 2022<\/td><\/tr><tr><td><strong>L************* BioCapital<\/strong><\/td><td>Denmark<\/td><td>Trusts and Estates<\/td><td>October 2022<\/td><\/tr><tr><td><strong>L********<\/strong><\/td><td>Luxembourg<\/td><td>Investments<\/td><td>September 2022<\/td><\/tr><tr><td><strong>O**** Law<\/strong><\/td><td>Germany<\/td><td>Legal Services for funds<\/td><td>September 2022<\/td><\/tr><tr><td><strong>A****** G***** Capital<\/strong><\/td><td>Germany<\/td><td>Venture Capital<\/td><td>September 2022<\/td><\/tr><tr><td><strong>P******<\/strong><\/td><td>Denmark<\/td><td>Law Practices<\/td><td>September 2022<\/td><\/tr><tr><td><strong>** Partners<\/strong><\/td><td>Australia<\/td><td>Accounting<\/td><td>September 2022<\/td><\/tr><tr><td><strong>A*****<\/strong><\/td><td>Belgium<\/td><td>Real Estate<\/td><td>September 2022<\/td><\/tr><tr><td><strong>S**** B** Ventures<\/strong><\/td><td>Sweden<\/td><td>Investment in Biotherapeutics<\/td><td>September 2022<\/td><\/tr><tr><td><strong>V****** Partners<\/strong><\/td><td>Singapore<\/td><td>Venture Capital<\/td><td>September 
2022<\/td><\/tr><tr><td><strong>E****** P**** Fr\u00e8res<\/strong><\/td><td>France<\/td><td>Financial Services<\/td><td>September 2022<\/td><\/tr><tr><td><strong>S*** Ventures<\/strong><\/td><td>United Kingdom<\/td><td>Venture Capital<\/td><td>September 2022<\/td><\/tr><tr><td><strong>A*****a<\/strong><\/td><td>United Kingdom<\/td><td>Insurance<\/td><td>August 2022<\/td><\/tr><tr><td><strong>P*** F*** Partners <\/strong><\/td><td>United Kingdom<\/td><td>Climate-Related Investments<\/td><td>August 2022<\/td><\/tr><tr><td><strong>F****** SA<\/strong><\/td><td>Luxembourg<\/td><td>Insurance Company<\/td><td>August 2022<\/td><\/tr><tr><td><strong>A*** Partners<\/strong><\/td><td>France<\/td><td>Financial Services<\/td><td>August 2022<\/td><\/tr><tr><td><strong>L*** Harbour<\/strong><\/td><td>United Kingdom<\/td><td>Real Estate<\/td><td>August 2022<\/td><\/tr><tr><td><strong>***** Management Services<\/strong><\/td><td>United States<\/td><td>Property Management<\/td><td>August 2022<\/td><\/tr><tr><td><strong>T**** France<\/strong><\/td><td>France<\/td><td>Financial Investors<\/td><td>August 2022<\/td><\/tr><tr><td><strong>S*****.com<\/strong><\/td><td>United Kingdom<\/td><td>Commodity Investments<\/td><td>April 2022<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-text-color has-link-color wp-elements-b5d21af56dd057e83a743cee25289ed4\" id=\"h-tactics-and-recent-developments\" style=\"color:#000000\"><strong>Tactics and Recent Developments<\/strong><\/h3>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-0ae1d0205b661fe387368e33d217e8b3\" style=\"color:#000000\">The threat actor employs <strong>DigitalOcean<\/strong> to host fake login pages, creating multiple instances personalized with the <strong>target company&#8217;s name. 
<\/strong><\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-d3aa5a64b41c3a33d972de89e7b8987b\" style=\"color:#000000\"><strong>More than 300 unique IP addresses have been collected<\/strong>, all exposing the same characteristics and interface.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-2b7b76c58f85a4b7f98286fcf2da64f7\" style=\"color:#000000\">The first signs of this strategy date back to <strong>2021<\/strong>, and references were seen <strong>until four months ago (August 2023).<\/strong><\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-c0abe1b2dcb5cd529fde290c1b2d176a\" style=\"color:#000000\">After unexpectedly vanishing from <em>Fortgale&#8217;s <\/em>radar, <em><strong>PhishSurf Nebula has re-emerged in recent days.<\/strong><\/em><\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-709d01ca2bcbf958da7bdf35c1263b08\" style=\"color:#000000\">While keeping its focus on specific companies, PSN has made <strong>subtle changes to its infrastructure and tactics.<\/strong><\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-8b204ecde48c3a4ee6aad4068cfe22e2\" style=\"color:#000000\">The latest insights reveal that the phishing kit is now hosted on &#8220;<strong>openresty<\/strong>&#8221; (an nginx-based web platform) and exploits <strong>IPFS.io as a vector<\/strong>. 
IPFS, a modular suite of protocols, facilitates data organization and transfer through peer-to-peer networking.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-a1eca32f3906a2a475357a50e655cfaf\" style=\"color:#000000\">Furthermore, PSN has adopted a new strategy of <strong>hosting media elements on a third-party website<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-stripes\"><table><tbody><tr><td><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/12\/directory_zoomed.png\" alt=\"\" loading=\"lazy\"><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-text-color has-link-color wp-elements-71075b0c5ca2cf8e477298140f5fc854\" id=\"h-similar-campaigns\" style=\"color:#000000\"><strong>Similar Campaigns<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-stripes\"><table><tbody><tr><td><img decoding=\"async\" src=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-2.png\" alt=\"\" loading=\"lazy\"><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-e9bea8d9dd9924c8940665f197f1ffe4\" style=\"color:#000000\"><em>Fortgale&#8217;s <\/em>research revealed <strong>similar campaigns sharing tactics and infrastructure<\/strong> with the tracked threat. 
A phishing landing page with a slightly different design was found (image above).<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-9251c72f1c2283948d671d78dcf9978b\" style=\"color:#000000\">Further investigation uncovered <strong>common backend components, supporting a medium-confidence link to PhishSurf Nebula.<\/strong><\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-text-color has-link-color wp-elements-f00a0f6bcdd483e17a5e4a092209f5c4\" id=\"h-editor-s-notes\" style=\"color:#000000\"><strong>Editor&#8217;s Notes<\/strong><\/h3>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-2b2eab5bc7ae1e48931d90516a0cf510\" style=\"color:#000000\">Similarities were found between our analysis and the intrusion set described by Perception Point: <a href=\"https:\/\/perception-point.io\/blog\/spear-phishing-campaign-spoofing-email-clients\/\">Spear-phishing campaign spoofing email clients<\/a>.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-caf7bec34399fd0ce442e19190361666\" style=\"color:#000000\">We are currently not publicly releasing Indicators of Compromise (IOCs), since they would expose the involved companies. 
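<\/p>\n\n\n\n<p class=\"has-text-color has-link-color\" style=\"color:#000000\">In place of IOCs, the lure-link pattern described in the In-Depth Analysis above can be checked mechanically: the link in the e-mail points at a legitimate site and carries the real destination in a redirect parameter (CWE-601), so a link whose embedded destination sits on a different host than the link itself is the signal to look for. The Python script below is an added example written for this article, not Fortgale&#8217;s tooling and not code from the campaign: it extracts URLs from a message body, unwraps redirect-style parameters (plain, double percent-encoded or base64-encoded, plus targets embedded in the path) and flags cross-host redirects. The host names, the sample e-mail and the list of parameter names are constructed assumptions.<\/p>

```python
"""Triage lure links for the open-redirect pattern described in this post.

Added example, not part of the original article and not Fortgale's tooling.
Standard library only; the sample e-mail body at the bottom is constructed.
"""
import base64
import re
from urllib.parse import parse_qsl, unquote, urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Parameter names commonly used by redirectors (this example's own list, not exhaustive).
REDIRECT_KEYS = {
    "url", "u", "redirect", "redirect_uri", "redir", "next", "return",
    "returnurl", "target", "dest", "destination", "goto", "link", "rurl", "continue",
}


def _maybe_b64(value):
    """Return the decoded text if value is (urlsafe) base64 of an absolute URL, else None."""
    s = value.strip()
    if len(s) < 12 or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", s):
        return None
    s += "=" * (-len(s) % 4)  # restore padding that redirectors often strip
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            text = decoder(s).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None


def _embedded_url(value):
    """Find an absolute URL hidden in a parameter value: plain, double-encoded or base64."""
    plain = unquote(value)  # parse_qsl decoded once already; this handles double encoding
    if plain.startswith(("http://", "https://")):
        return plain
    if plain.startswith("//"):
        return "https:" + plain  # scheme-relative redirect target
    return _maybe_b64(value)


def follow_redirect_params(url, max_depth=5):
    """Return the chain of destinations embedded in redirect-style parameters, outermost first."""
    chain = [url]
    for _ in range(max_depth):
        parsed = urlparse(chain[-1])
        nxt = None
        for key, value in parse_qsl(parsed.query, keep_blank_values=True):
            if key.lower() in REDIRECT_KEYS:
                nxt = _embedded_url(value)
                if nxt:
                    break
        if nxt is None:
            # Redirectors that take the target in the path, e.g. /out/https://host/...
            match = URL_RE.search(unquote(parsed.path))
            nxt = match.group(0) if match else None
        if nxt is None or nxt == chain[-1]:
            break
        chain.append(nxt)
    return chain


def analyze_link(url):
    """Flag a link as open-redirect abuse when its embedded destination is on another host."""
    chain = follow_redirect_params(url)
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    return {"chain": chain, "hosts": hosts,
            "open_redirect": len(chain) > 1 and hosts[-1] != hosts[0]}


def triage_email_body(body):
    """Analyse every URL in a message body; flagged links are returned first."""
    results = [analyze_link(u.rstrip(".,);")) for u in URL_RE.findall(body)]
    return sorted(results, key=lambda r: not r["open_redirect"])


# Constructed sample: hosts under .test are reserved and never resolve.
SAMPLE_EMAIL = """Dear partner,
please review the updated term sheet on our secure portal:
https://portal.example-legit.test/sso/login?next=https%3A%2F%2Fdocs.example-compromised.test%2Fview%3Fid%3D42
About us: https://www.example-legit.test/about
Unsubscribe: https://news.example-legit.test/r?u=aHR0cHM6Ly9sb2dpbi5leGFtcGxlLWtpdC50ZXN0L3NlY3VyZS8=
Sign out: https://portal.example-legit.test/logout?return=https://portal.example-legit.test/
"""

if __name__ == "__main__":
    for result in triage_email_body(SAMPLE_EMAIL):
        flag = "OPEN-REDIRECT" if result["open_redirect"] else "ok"
        print(f"{flag:14} {' -> '.join(result['hosts'])}")
```

<p class=\"has-text-color has-link-color\" style=\"color:#000000\">Run it on the text of a suspicious message. A flagged link only reveals the first hop; the compromised intermediate site and the final kit page described above appear only when the redirect chain is actually followed, which should be done from a sandbox and never from the recipient&#8217;s browser. A same-host redirect (the sign-out link in the sample) is not flagged, which keeps ordinary SSO return links out of the results.<\/p>\n\n\n\n<p class=\"has-text-color has-link-color\" style=\"color:#000000\">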
<\/p>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-89d884fc68b9ec1eab43a6bfce5ac600\" style=\"color:#000000\">Contact us for further information: <a href=\"mailto:info@fortgale.com\" target=\"_blank\" rel=\"noreferrer noopener\">info@fortgale.com<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading has-text-color has-link-color wp-elements-639bea33aaf7f2940f9355b8a791605f\" id=\"h-attack-patterns\" style=\"color:#000000\"><strong>Attack Patterns<\/strong><\/h3>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-34d4d23327ff6f55bbd65802d1118e96\" style=\"color:#000000\">Mapping of <strong>Tactics, Techniques and Procedures (TTPs) <\/strong>used by the Threat Actor.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes has-small-font-size\"><table class=\"has-text-color has-link-color\" style=\"color:#000000\"><tbody><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>CODE<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>NAME<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>DESCRIPTION<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>EXECUTION<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1204<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">User Execution<\/td><td class=\"has-text-align-left\" data-align=\"left\">An adversary may rely upon specific actions by a user in order to gain execution. 
Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>CREDENTIAL ACCESS<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1111<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Multi-Factor Authentication Interception<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may target multi-factor authentication (MFA) mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources<\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\">&nbsp;<\/td><td class=\"has-text-align-left\" data-align=\"left\"><strong>INITIAL ACCESS<\/strong><\/td><\/tr><tr><td class=\"has-text-align-left\" data-align=\"left\"><strong>T1566.002<\/strong><\/td><td class=\"has-text-align-left\" data-align=\"left\">Phishing: Spearphishing Link<\/td><td class=\"has-text-align-left\" data-align=\"left\">Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">TTPs<\/figcaption><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the evolving landscape of cybersecurity threats, Fortgale is tracking PhishSurf Nebula, an advanced Cyber Espionage group active since 2021 and primarily targeting entities within the Banking &amp; Finance and Real Estate sectors across Europe and North America. 
In particular, most of the involved companies are Private Equity Firms, Hedge Funds, Venture Capitals and Luxury [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":8395,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2515],"tags":[3068,3065,226,3023,3064],"class_list":["post-8271","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-featured","tag-attention","tag-espionage","tag-mfa","tag-phishsurf-nebula","tag-threatactor"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/8271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=8271"}],"version-history":[{"count":112,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/8271\/revisions"}],"predecessor-version":[{"id":8657,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/8271\/revisions\/8657"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/8395"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=8271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=8271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=8271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}