Particle.news

Scattered Spider Reemerges With U.S. Bank Intrusion as Focus Shifts to Finance

Researchers link the crew’s renewed activity to an affiliate model that blends social engineering with ransomware-as-a-service partnerships.

Overview

  • ReliaQuest reports a rise in finance-focused lookalike domains and confirms a targeted intrusion at an unnamed U.S. banking organization.
  • Initial access in the bank case relied on socially engineering an executive and triggering a Microsoft Entra ID self-service password reset.
  • Attackers moved laterally via Citrix and VPN, compromised VMware ESXi to harvest credentials, and sought deeper access across the network.
  • Privilege escalation involved resetting a Veeam service account, assigning Azure Global Administrator rights, and relocating virtual machines to avoid detection, with attempts to exfiltrate data from Snowflake and AWS.
  • NCC Group says collaborations with RaaS operators such as ALPHV, RansomHub, DragonForce and Qilin act as a force multiplier, while experts dismiss the group’s recent “retirement” claims as a likely smokescreen.
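The intrusion chain in the overview (a self-service password reset on an executive's account, followed by that account handing out Azure Global Administrator rights) is one a defender can correlate from directory audit logs. The script below is an added example written for this page, not code from ReliaQuest, NCC Group or Particle.news. It runs over a handful of constructed JSON-lines audit records whose field and activity names (activityDisplayName, initiatedBy, targetResources, "Reset password (self-service)", "Add member to role") are modelled on the Entra ID audit-log shape but are assumptions, as are the bank.example accounts and the 24-hour correlation window.

```python
"""Correlate a self-service password reset with a later sensitive role
assignment initiated by the same account, within a time window.

Added example for the Scattered Spider bank-intrusion summary; the audit
records below are constructed, and the field names are an assumption
loosely following the Entra ID audit-log schema, not a real export.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). The cfo@bank.example account is
# reset via SSPR and, ~100 minutes later, assigns Global Administrator to a
# service account; analyst@bank.example does the same but >24h apart.
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2025-06-02T13:02:11Z", "activityDisplayName": "Reset password (self-service)", "category": "UserManagement", "initiatedBy": {"user": {"userPrincipalName": "cfo@bank.example"}}, "targetResources": [{"userPrincipalName": "cfo@bank.example", "type": "User"}], "result": "success"}
{"activityDateTime": "2025-06-02T13:09:48Z", "activityDisplayName": "Update user", "category": "UserManagement", "initiatedBy": {"user": {"userPrincipalName": "helpdesk@bank.example"}}, "targetResources": [{"userPrincipalName": "analyst@bank.example", "type": "User"}], "result": "success"}
{"activityDateTime": "2025-06-02T14:41:05Z", "activityDisplayName": "Add member to role", "category": "RoleManagement", "initiatedBy": {"user": {"userPrincipalName": "cfo@bank.example"}}, "targetResources": [{"userPrincipalName": "svc-backup@bank.example", "type": "User"}, {"displayName": "Global Administrator", "type": "Role"}], "result": "success"}
{"activityDateTime": "2025-06-03T09:15:00Z", "activityDisplayName": "Reset password (self-service)", "category": "UserManagement", "initiatedBy": {"user": {"userPrincipalName": "analyst@bank.example"}}, "targetResources": [{"userPrincipalName": "analyst@bank.example", "type": "User"}], "result": "success"}
{"activityDateTime": "2025-06-04T10:00:00Z", "activityDisplayName": "Add member to role", "category": "RoleManagement", "initiatedBy": {"user": {"userPrincipalName": "analyst@bank.example"}}, "targetResources": [{"userPrincipalName": "contractor@bank.example", "type": "User"}, {"displayName": "Global Administrator", "type": "Role"}], "result": "success"}
"""


def parse_events(text):
    """Parse JSON-lines audit records and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["_ts"])
    return events


def _initiator(rec):
    """Lower-cased UPN of the account that performed the action ('' if absent)."""
    return (rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName") or "").lower()


def _role_targets(rec):
    """Split targetResources into role display names and user UPNs."""
    targets = rec.get("targetResources", [])
    roles = [t.get("displayName") for t in targets if t.get("type") == "Role"]
    users = [t.get("userPrincipalName") for t in targets if t.get("type") == "User"]
    return roles, users


def find_sspr_to_admin(events, window=timedelta(hours=24),
                       sensitive_roles=("Global Administrator",)):
    """Alert when an account that just went through a successful self-service
    password reset assigns a sensitive directory role within `window`."""
    last_reset = {}   # upn -> time of most recent successful SSPR on that account
    alerts = []
    for rec in events:
        if rec.get("result") != "success":
            continue
        name = rec.get("activityDisplayName")
        if name == "Reset password (self-service)":
            for t in rec.get("targetResources", []):
                if t.get("type") == "User" and t.get("userPrincipalName"):
                    last_reset[t["userPrincipalName"].lower()] = rec["_ts"]
        elif name == "Add member to role":
            actor = _initiator(rec)
            if actor in last_reset and rec["_ts"] - last_reset[actor] <= window:
                roles, users = _role_targets(rec)
                for role in roles:
                    if role in sensitive_roles:
                        alerts.append({
                            "actor": actor,
                            "reset_at": last_reset[actor].isoformat(),
                            "role_assigned_at": rec["_ts"].isoformat(),
                            "role": role,
                            "granted_to": users,
                        })
    return alerts


def run_detection(text=SAMPLE_AUDIT_LOG):
    """Convenience wrapper: parse the constructed log and return the alerts."""
    return find_sspr_to_admin(parse_events(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(json.dumps(alert))
```

Run as a script it prints one alert for cfo@bank.example; the analyst's reset-then-assign pair falls outside the 24-hour window and is not reported. In a real tenant the same logic would be expressed as a query over the exported audit log, and the window and role list tuned to how often legitimate executives reset their own passwords and then touch role membership, which for most organisations is close to never.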