How GitHub Credentials Were Stolen in a Phishing Attack
On September 16, GitHub discovered phishing attacks by hackers impersonating CircleCI. The phishing message warns users that their session has expired and directs them to log in again with their GitHub credentials.
GitHub users are being targeted by a Sawfish phishing campaign designed to steal their GitHub login credentials and time-based one-time password (TOTP) codes.
A phishing campaign targeting our customers lures GitHub users into providing their credentials (including two-factor authentication codes). Learn more about the threat and what you can do to protect yourself.
The attack also compromises accounts protected by TOTP (time-based one-time passwords), because the phishing site relays the code to the attacker in real time, within the short window in which it is still valid. Accounts protected by hardware security keys are not affected by this attack.
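An added example, not from the article or from GitHub, of why the real-time relay described above works against TOTP but not against a hardware security key: a simplified RFC 6238 verifier accepts a valid code no matter where the user typed it, while a WebAuthn-style relying party rejects an assertion whose browser-recorded origin is not its own. The origin, TOTP seed and challenge values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed values for the demonstration: the genuine relying-party origin and a TOTP seed.
RP_ORIGIN = "https://github.com"
SHARED_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
CHALLENGE = "c2VydmVyLWNoYWxsZW5nZQ"  # constructed server challenge (base64url, no padding)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30) -> bool:
    """Server-side check against the current window and its neighbours. Nothing in the
    code says where the user typed it, so a code forwarded within the window is accepted."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step), submitted)
               for d in (-1, 0, 1))


def verify_webauthn_origin(client_data_json: bytes, expected_origin: str,
                           expected_challenge: str) -> bool:
    """Relying-party check on the signed clientDataJSON of a WebAuthn assertion. The browser,
    not the page, writes the origin field, so an assertion made on a lookalike site is rejected
    (in practice the browser already refuses to use a github.com credential on another RP ID)."""
    data = json.loads(client_data_json)
    return (data.get("type") == "webauthn.get"
            and data.get("origin") == expected_origin
            and hmac.compare_digest(data.get("challenge", ""), expected_challenge))


def relayed_totp_accepted(now: int, delay_seconds: int = 5) -> bool:
    """A code generated by the user's authenticator and presented to the real site a few
    seconds later: the legitimate server cannot distinguish it from direct entry."""
    code = totp(SHARED_SECRET, now)
    return verify_totp(SHARED_SECRET, code, now + delay_seconds)


def assertion_accepted_from(site_origin: str) -> bool:
    """Whether the real relying party would accept an assertion the browser made on site_origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": CHALLENGE,
                              "origin": site_origin}).encode()
    return verify_webauthn_origin(client_data, RP_ORIGIN, CHALLENGE)
```

The TOTP function reproduces the RFC 4226/6238 test vectors, so the difference in outcome comes from the verification model, not from a toy implementation.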
GitHub SIRT listed six TTPs being used by the threat actors behind the campaign.
- The phishing email is sourced from legitimate domains, using compromised email servers or stolen API credentials for legitimate bulk email providers.
- Targets currently-active GitHub users across many companies in the tech sector and in multiple countries via email addresses used for public commits.
- Use of URL-shortening services to conceal the true destination of the malicious link.
- Use of PHP-based redirectors on compromised websites to redirect the victim from a less suspicious-looking URL to another malicious one.
- If the attacker successfully steals GitHub user account credentials, they may quickly create GitHub personal access tokens or authorize OAuth applications on the account in order to preserve access in the event that the user changes their password.
- In many cases, the attacker immediately downloads private repository contents accessible to the compromised user, including those owned by organization accounts and other collaborators.
Cyfirma's research team has come across fake Zoom application download URLs on the web. The financially motivated group FIN11 is thought to be behind the campaign. An IP address previously linked to AsyncRAT was also observed.
Recently, the Russian threat actor FIN11 has been linked to the ransomware gang CLOP. This connection raises the risk that infected computers will go on to become ransomware victims.
Recommendations
- Reset your password immediately.
- Reset your two-factor recovery codes immediately.
- Review your personal access tokens.
- Take additional steps to review and secure your account.
GitHub IoCs
Domains:
- circle-ci[.]com
- emails-circleci[.]com
- circle-cl[.]com
- email-circleci[.]com
Zoom IoCs
CloudFlare IoCs