Menlo Security today released its latest report, “Global Cyber Gangs,” which uncovered three novel nation-state campaigns employing highly evasive and adaptive threat (HEAT) attack techniques. The report highlights state-sponsored threat actors' growing sophistication and shifting behavior and describes how their novel techniques evade traditional security controls.
In a recent 90-day period, Menlo Labs uncovered a trifecta of sophisticated HEAT campaigns—LegalQloud, Eqooqp, and Boomer—compromising at least 40,000 high-value users, including C-suite executives from major banking institutions, financial powerhouses, insurance giants, legal firms, government agencies, and healthcare providers. The breadth and depth of these breaches signal an alarming escalation in cyber warfare, all detailed in this report.
“This year, state-sponsored cyberattacks such as these have impacted at least one-third of American citizens,” said Andrew Harding, Vice President of Security Strategy at Menlo Security. “State-sponsored cyberattacks are a looming cloud over security leaders, and our research shows that they have been growing in both sophistication and scale. One thing is clear: attackers are moving fast and refreshing their tactics to target the browser, and traditional security controls such as SSE or SWG are letting these attacks slip through the cracks.”
Menlo Labs identified these novel campaigns:
LegalQloud, hosted on Tencent Cloud (the largest Internet company in China), impersonates legal firms to steal Microsoft credentials, targeting governments and investment banks in North America. Menlo Labs discovered 500 enterprises targeted by this campaign in a 90-day period, bypassing URL categorization and block lists.
Eqooqp can defeat multifactor authentication (MFA) and targets a range of government and private sector organizations, including logistics, finance, petroleum, manufacturing, higher education, and research. Nearly 50,000 attacks associated with this campaign have been detected and stopped by Menlo Cloud in recent months.
Boomer is an intricate phishing campaign targeting sectors such as government and healthcare. In Boomer attacks, threat actor employs advanced evasive techniques including dynamic phishing sites, custom HTTP headers, tracking cookies, bot detection countermeasures, encrypted code, and server-side generated phishing pages.
Other key findings surrounding these campaigns include:
- 60% of malicious links clicked by a user are attributed to phishing or fraud.
- 25% of phishing links clicked by the user goes undetected by legacy URL filtering.
- Microsoft is the most impersonated brand across industries.
The Menlo Security findings presented in this report reveal the increasing sophistication and alarming prevalence of evasive attacks by nation-state actors, capable of bypassing MFA using Adversary in the Middle (AiTM) kits. Leveraging unique and early-stage telemetry from within the Menlo Cloud, Menlo Security developed effective defenses against these HEAT attacks. The Menlo Secure Cloud Browser, with HEAT Shield phishing prevention, offers real-time protection by executing web requests in the cloud. This eliminates the browser attack surface, preventing malicious activities from ever reaching endpoints.
Download the Global Cyber Gangs Report to read the full findings, including which specific tactics each campaign used, the verticals they are targeting, and how these evasive techniques are evolving.
To learn more about the role of browser security in eliminating the risk of highly evasive threats, visit Menlo Security’s platform overview page or schedule a demo.