Ankura CTIX FLASH Update - March 29, 2024

Published date: 05 April 2024
Subject Matter: Food, Drugs, Healthcare, Life Sciences, Technology, Security
Law Firm: Ankura Consulting Group LLC
Author: Ankura Consulting Group LLC

Ransomware/Malware Activity

Tycoon 2FA Phishing Kit Bypasses MFA for M365 and Gmail

Tycoon 2FA is a phishing-as-a-service (PhaaS) platform which has been sold on the dark market since at least August 2023. A new version of Tycoon 2FA was released in 2024, introducing a stealthier phishing kit with updates to its JavaScript and HTML code. Tycoon 2FA has been observed in thousands of phishing attacks targeting login credentials for M365 and Gmail. The attack leverages a reverse proxy server which hosts a phishing webpage designed to mimic a legitimate service and steal the credentials the victim provides. In the first step of the attack chain, victims are sent a phishing email containing a malicious link or QR code crafted to lure them into visiting the phishing webpage. The phishing webpage presented is determined by extracting the victim's email address from the original malicious URL, which directs them to the spoofed page of either M365 or Gmail. The phishing site prompts users to input their credentials, which, when entered, are exfiltrated to the malicious operator via WebSockets. Victims are then presented with a 2FA challenge, and the token or 2FA response entered by the victim is exfiltrated to the attacker in the same way. Using the credentials and 2FA information, the attacker can authenticate into the victim's email account, which is then used to carry out further attacks. Tycoon 2FA is not the only PhaaS platform on the market; similar platforms include LabHost, Greatness, and Robin Banks. The uptick in the sale of the Tycoon 2FA kit is a reminder for organizations to remain vigilant in educating and training employees on how to identify and report phishing emails. CTIX analysts will continue to provide updates on novel and escalating strains of malware and malware campaigns.

  • Bleeping Computer: New MFA Bypassing Phishing Kit Targets M365 Gmail Accounts
  • Sekoia: Tycoon 2FA: An In-Depth Analysis
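One detection angle the write-up suggests is the step where the victim's email address is carried in the phishing URL itself: a login-looking URL on a domain that is not the organisation's real identity provider, with an email address embedded in its path or query string, is worth a look in web proxy or URL-filter logs. The following is an added example, not code from the bulletin or from Ankura; the log lines, the `TRUSTED_LOGIN_HOSTS` allow-list and the `user=... dst=...` log layout are all constructed for illustration and would be replaced with a tenant's own identity-provider hosts and log format.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Constructed sample proxy log lines (hypothetical format, not from the original bulletin).
SAMPLE_LOG = """\
2024-03-28T09:14:02Z user=alice dst=https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc
2024-03-28T09:15:47Z user=alice dst=https://mail-secure-verify.example/auth/?login=alice@corp.example
2024-03-28T09:16:10Z user=bob dst=https://account-check.example/bob%40corp.example/signin
2024-03-28T09:17:33Z user=carol dst=https://accounts.google.com/signin/v2/identifier
"""

# Hosts where an embedded e-mail address is expected and benign (assumed allow-list).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "login.live.com"}

# Plain e-mail address pattern; the URL is percent-decoded before matching.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

LOG_LINE_RE = re.compile(r"user=(\S+) dst=(\S+)")


def embedded_emails(url):
    """Return every e-mail address found in the URL's path or query values."""
    parsed = urlparse(url)
    segments = [unquote(parsed.path)]
    segments += [unquote(value) for _, value in parse_qsl(parsed.query, keep_blank_values=True)]
    found = []
    for segment in segments:
        found.extend(EMAIL_RE.findall(segment))
    return found


def flag_suspicious(log_text):
    """Return (user, host, emails) for lines whose URL embeds an e-mail address
    and whose host is not a known identity-provider host."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE_RE.search(line)
        if not match:
            continue
        user, url = match.groups()
        host = (urlparse(url).hostname or "").lower()
        emails = embedded_emails(url)
        if emails and host not in TRUSTED_LOGIN_HOSTS:
            hits.append((user, host, emails))
    return hits


if __name__ == "__main__":
    for user, host, emails in flag_suspicious(SAMPLE_LOG):
        print(f"{user}: e-mail {emails} embedded in URL on untrusted host {host}")
```

This is a heuristic, not a signature: it catches only addresses that appear in clear or percent-encoded form, so a kit that encodes the address differently will need an additional decoding step before the match. Hits should be triaged against the user's subsequent sign-in activity rather than treated as confirmed compromise.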

Threat Actor Activity

INC Ransom Breaches NHS Scotland's IT System

Following reports of a cybersecurity incident on March 15 that affected services relating to the National Health Service (NHS) of Scotland, cybercriminals from the INC Ransom extortion gang posted images containing medical documents related to the organization, saying they would soon leak more data. The cyber extortion gang first emerged in July 2023 with notable attacks on education, healthcare, government, and industrial entities, targeting both public and private sectors. NHS Scotland is...
