
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

· Published 01/04/2025 15:24 · Modified 01/04/2025 17:58


Essential information

Published
01/04/2025 15:24
Modified
01/04/2025 17:58
Tags
2025-04-01 CVE-2023-27532 evilginx mfa bypass msp phishing qilin ransomware screenconnect stac4365 supply-chain
Related entities
1 intrusion set (APT), 14 techniques (MITRE ATT&CK), 1 malware

Description

In January 2025, an administrator at a Managed Service Provider (MSP) was targeted by a spear-phishing email impersonating a ScreenConnect authentication alert. The attackers, affiliates of the Qilin ransomware operation tracked as STAC4365, used an adversary-in-the-middle (AiTM) technique to bypass multi-factor authentication and gain access to the MSP's ScreenConnect environment. From there they deployed their own ScreenConnect instance across multiple customer networks, performed reconnaissance, collected and exfiltrated data, and ultimately deployed Qilin ransomware. The attack matches a pattern of similar incidents dating back to 2022 that used lookalike domains and the Evilginx framework to intercept credentials and session cookies: the proxied login completes MFA normally, and it is the captured session cookie, not a guessed second factor, that gives the attacker the authenticated session. For lateral movement and defense evasion the attackers used PsExec, NetExec, and WinRM.
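The AiTM flow described above leaves two traces a defender can hunt for: a user following a link to a lookalike of the real portal hostname, and a session ID that completed MFA from one source address and was then used from another. The following Python is an added example, not code from this page or from any vendor report; it runs both checks over constructed sample log lines. The log format, the portal hostname screenconnect.example, the replay window, and every IP address, user and session ID in it are assumptions made for the demonstration.

```python
"""Detect two traces of Evilginx-style AiTM phishing over constructed log lines.

Added example, not code from the page or from any vendor report. The log
format, LEGIT_DOMAIN, REPLAY_WINDOW and all IPs, users and session IDs are
assumptions constructed for this demonstration.
"""
import re
from datetime import datetime, timedelta

LEGIT_DOMAIN = "screenconnect.example"   # assumption: the MSP's real portal hostname
REPLAY_WINDOW = timedelta(hours=12)      # assumption: how long a stolen cookie is interesting

# Constructed sample log lines (not real telemetry). Assumed format:
#   <iso-timestamp> <event> key=value ...
SAMPLE_LOGS = """\
2025-01-08T09:12:03Z login   user=admin@msp.example result=mfa_ok src=203.0.113.10 sid=7f3a9c
2025-01-08T09:12:41Z session user=admin@msp.example src=198.51.100.77 sid=7f3a9c
2025-01-08T10:02:11Z login   user=ops@msp.example result=mfa_ok src=203.0.113.10 sid=c0ffee
2025-01-08T10:05:30Z session user=ops@msp.example src=203.0.113.10 sid=c0ffee
2025-01-08T11:30:00Z click   user=admin@msp.example src=203.0.113.10 host=screenconnect-login.example
2025-01-08T11:31:00Z click   user=ops@msp.example src=203.0.113.10 host=screenconnect.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def levenshtein(a, b):
    """Plain edit distance, used to catch typo-squats of the portal hostname."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, legit=LEGIT_DOMAIN):
    """True when host is not the real portal but embeds the brand label
    (screenconnect-login.example) or is within two edits of it (screenconect.example)."""
    host = host.lower().rstrip(".")
    if host == legit:
        return False
    brand = legit.split(".")[0]
    return brand in host or levenshtein(host, legit) <= 2


def find_session_replay(events, window=REPLAY_WINDOW):
    """Flag a session ID that completed MFA from one source IP and was then used
    from a different IP inside the window: the cookie moved, not the password.
    Returns (user, sid, login_src, replay_src) tuples."""
    logins = {}
    hits = []
    for ev in events:
        if ev["event"] == "login" and ev.get("result") == "mfa_ok":
            logins[ev["sid"]] = ev
        elif ev["event"] == "session" and ev.get("sid") in logins:
            first = logins[ev["sid"]]
            if ev["src"] != first["src"] and ev["ts"] - first["ts"] <= window:
                hits.append((ev["user"], ev["sid"], first["src"], ev["src"]))
    return hits


def find_lookalike_clicks(events):
    """Users who followed a link to a lookalike of the portal hostname."""
    return [(ev["user"], ev["host"]) for ev in events
            if ev["event"] == "click" and is_lookalike(ev.get("host", ""))]


def analyze(log_text):
    """Run both detections over raw log text and return the findings."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "replayed_sessions": find_session_replay(events),
        "lookalike_clicks": find_lookalike_clicks(events),
    }


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOGS).items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

One caveat on the replay check: in a genuine AiTM proxy flow the MFA login itself arrives at the portal from the phishing proxy, not from the victim, so the first anomaly is often that the successful login comes from an address the user has never used. Comparing the login source against the user's known addresses or ASN is therefore a stronger signal than the IP change alone, and both checks should be read together with the lookalike-domain hits.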

External references