The company behind the online malware analysis service Any.Run has disclosed that it recently faced a phishing attack that was part of a business email compromise (BEC) campaign.
The incident took place on June 18, 2024, when all staff members received a phishing email from an internal employee's account. The email, sent to the employee's entire contact list, led to a malicious page featuring a JavaScript script disguised as a Microsoft sign-in form.
As it turned out, an employee's account had been compromised and was being used by an unauthorized entity to execute a post-breach business email compromise (BEC) campaign.
In response to the attack, the company implemented security measures and launched an investigation. The probe revealed that the account had been breached as far back as May 27 and that the initial compromise occurred through an AiTM (adversary-in-the-middle) phishing and BEC campaign. The employee had received a phishing email from a compromised client. Due to insufficient access controls and weaknesses in the company's multi-factor authentication (MFA) policies, the unauthorized entity was able to register their own mobile device with the compromised account's MFA service.
Over the next 23 days, the threat actor repeatedly accessed the compromised employee’s mailbox. The attackers used PerfectData Software, an application that potentially enabled them to back up the entire mailbox.
One of Any.Run's sales team employees received an email via a third-party service from a client with whom they had previous communication. This email contained a link leading to a compromised website with a fake login form.
The company said that the sandbox environment was not set up in MITM proxy mode, which would have allowed decryption of HTTPS traffic. This prevented Suricata IDS from detecting the malicious content and flagging the website as malicious.
The employee entered their actual login credentials and MFA into the fake page within the sandbox environment and then replied to the client, stating they could not access the sent content.
At this point, the threat actor gained access to the employee's account for the first time. They added their own mobile device to the MFA service for the compromised account in order to maintain access. The attacker installed the PerfectData Software application and used it to steal the contents of the compromised email account. The attacker then sent similar emails to the entire contact list of the employee.
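The two post-compromise steps described above, a new MFA device registered during the attacker's session and consent to an application that can back up the mailbox, both leave traces in a tenant's audit log and can be correlated. The following is an added, defender-side example and not code from Any.Run's disclosure; the event field names, IP addresses, timestamps and the simplified Entra-ID-like event shape are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a simplified, Entra-ID-like shape (field names are an assumption).
# sales@ mirrors the described chain: sign-in from a new IP, MFA method added, consent to a mailbox backup app.
SAMPLE_EVENTS = [
    {"ts": "2024-05-10T09:00:00Z", "user": "hr@example.com", "op": "Sign-in", "ip": "198.51.100.7"},
    {"ts": "2024-05-20T09:00:00Z", "user": "sales@example.com", "op": "Sign-in", "ip": "198.51.100.5"},
    {"ts": "2024-05-27T10:02:00Z", "user": "sales@example.com", "op": "Sign-in", "ip": "203.0.113.10"},
    {"ts": "2024-05-27T10:05:00Z", "user": "sales@example.com", "op": "User registered security info", "ip": "203.0.113.10"},
    {"ts": "2024-05-27T10:20:00Z", "user": "sales@example.com", "op": "Consent to application", "ip": "203.0.113.10", "app": "PerfectData Software"},
    {"ts": "2024-05-28T08:10:00Z", "user": "hr@example.com", "op": "User registered security info", "ip": "198.51.100.7"},
]

# Apps that can export a whole mailbox; PerfectData Software is the one named in the incident.
MAILBOX_EXPORT_APPS = {"PerfectData Software"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_aitm_takeover(events, baseline=timedelta(days=7), window=timedelta(days=1)):
    """Return (user, ts, kind) alerts for:
    - an MFA method registered from an IP the user has not been signing in from for at least `baseline`;
    - consent to a mailbox-export app within `window` after such a registration."""
    first_seen = defaultdict(dict)   # user -> ip -> time of first sign-in from that ip
    flagged = {}                     # user -> time of the suspicious MFA registration
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ip, ts = e["user"], e["ip"], parse_ts(e["ts"])
        if e["op"] == "Sign-in":
            first_seen[user].setdefault(ip, ts)
        elif e["op"] == "User registered security info":
            seen = first_seen[user].get(ip)
            # The hr@ registration comes from an IP established 18 days earlier and is not flagged.
            if seen is None or ts - seen < baseline:
                flagged[user] = ts
                alerts.append((user, e["ts"], "mfa_method_added_from_unestablished_ip"))
        elif e["op"] == "Consent to application" and e.get("app") in MAILBOX_EXPORT_APPS:
            if user in flagged and ts - flagged[user] <= window:
                alerts.append((user, e["ts"], "mailbox_export_app_consent_after_mfa_change"))
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm_takeover(SAMPLE_EVENTS):
        print(*alert)
```

Against the sample data the detector raises two alerts for sales@example.com and none for hr@example.com, whose MFA change came from a long-established IP.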
Any.Run said that no data or system integrity was impacted during the attack.