Security
Headlines
HeadlinesLatestCVEs

Headline

Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks

By Deeba Ahmed KEY FINDINGS Microsoft Threat Intelligence Team has published a new report highlighting the activities of a notorious, financially… This is a post from HackRead.com Read the original post: Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks

HackRead
#vulnerability#windows#microsoft#js#git#java#intel#ssl

KEY FINDINGS

  • Storm-0324 is a financially motivated threat actor that has been facilitating ransomware deployment and allowing access to compromised networks/devices to other threat actors since 2019.

  • Since July 2023, Storm-0324 has been exploiting MS Teams chats using an open-source tool to distribute payloads and send phishing lures to facilitate a particular cybercrime group, Sangria Tempest.

  • The group’s attack chain starts with phishing emails referencing payments/invoices with a link to a SharePoint site hosting a ZIP archive. This archive contains a JavaScript code-embedded file.

  • Storm-0324 has also been observed using protected documents to perform extended social engineering.

  • Microsoft has suspended all identified accounts and tenants linked or exploited in this “fraudulent behavior.”

Microsoft Threat Intelligence Team has published a new report highlighting the activities of a notorious, financially motivated threat actor it tracks as Storm-0324 (TA543 and Sagrid). This group has been facilitating ransomware deployment and allowing access to compromised networks/devices to other threat actors since 2019.

However, since July 2023, it has been exploiting MS Teams chats using an open-source tool to distribute payloads and send phishing lures to facilitate a particular cybercrime group, Sangria Tempest (aka Elbrus, Carbon Spider, and FIN7).

It is worth noting that this activity has no connection with the Midnight Blizzard social engineering campaign detected in May 2023, which also involved exploiting MS Teams.

The group’s attack chain starts with phishing emails referencing payments/invoices with a link to a SharePoint site hosting a ZIP archive. This archive contains a JavaScript code-embedded file. In fact, this group use used several different files for hosting this code, such as Ekipa and WSF publisher files. For this purpose, it exploits the CVE-2023-21715 local security feature bypass vulnerability. The code, when launched, drops a JSSLoader variant DLL and additional Sangria Tempest tools.

Researchers have also observed Storm-0324 using protected documents to perform extended social engineering. Moreover, it adds the security code/password in the initial communication with the user with the lure document to create a sense of trust for the user and avoid analysis mechanisms.

Since July 2023, Storm-0324 has been exploiting MS Teams chats to send phishing lures with malicious links to that SharePoint-hosted file. The group relies on a TeamPhisher, a Python-based, open-source program that allows Teams tenant users to attach files to messages sent to external tenants. These phishing lures are identified as External users by the Teams platform.

Storm-0324 offers a distribution service to the payloads of other attackers using exploit kit or phishing vectors and focus mainly on highly evasive infection chains. This actor usually distributes the JSSLoader malware that encourages RaaS (ransomware-as-a-service) actor Sangria Tempest to gain initial access. Previously, Storm-0324 has used Gozi infostealer and the Nymaim downloader/locker, GrandCrab ransomware, IcedID infostealer, Gookit and Dridex banking trojan, and Sage ransomware.

“Sorm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads. The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic,” read Microsoft’s blog post on Storm-0324’s ransomware distribution tactics.

Storm-0324’s email themes use payments/invoice lures, mimicking legit services like Quickbooks, DocuSign, etc. The group has used different file formats to launch malicious JavaScript codes, including Windows Script File, Microsoft Office documents, and VBScript.

Microsoft has suspended all identified accounts and tenants linked or exploited in this “fraudulent behaviour.”

Mike Newman, CEO of My1Login, has reflected on the news, stating that this seems like a sophisticated phishing scam with the potential to claim many victims as they won’t doubt messages sent through the MS Teams platform.

“This is a sophisticated phishing scam that will catch out many victims because they will not realize criminals can hijack Microsoft Teams to carry out attacks. “People understand the techniques criminals can use to send phishing scams via email, but with Teams being seen as an internal communications platform, employees place more trust in the tool and are more likely to open and action documents they receive in chats.”

Newman stresses that organizations should educate employees on detecting phishing lures, avoiding sharing sensitive data by clicking on suspicious links, and implementing advanced Identity Management solutions to enhance data security and operational efficiency.

MS Teams has made headlines in the past for being a key target of malicious activities. Back in April 2020, CyberArk’s researchers detected a worm-like vulnerability in MS Teams, which they suspected could be exploited to hijack the entire roaster of Teams accounts of an organization simply by sending malicious GIFs or links to Teams users.

And news about Teams being exploited started pouring in. In February 2022, cloud email security solutions provider, Avanan reported discovering a campaign targeting Teams users with malware by exploiting its chat feature and attaching malicious documents in chat threads that dropped trojan when clicked.

KEY FINDINGS

  1. Microsoft Office Most Exploited Software in Malware Attacks
  2. Unpatched MS Exchange servers hit by cryptojacking malware
  3. Malicious Office documents make up 43% of all malware downloads
  4. TeamSpy malware targeting users through malicious TeamViewer app
  5. ‘Zoom account suspended’ phishing scam aims at Office 365 credentials

Related news

Apple Users Need to Update iOS Now to Patch Serious Flaws

Plus: Microsoft fixes several zero-day bugs, Google patches Chrome and Android, Mozilla rids Firefox of a full-screen vulnerability, and more.

Microsoft Patch Tuesday February 2023: Win Graphics RCE, Edge RCE, Publisher SFB, CLFS EoP, Exchange RCEs, Word RCE, HoloLens1

Hello everyone! This episode will be about Microsoft Patch Tuesday for February 2023, including vulnerabilities that were added between January and February Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239118 This month I decided to change the format a bit. Now I share my impression of Microsoft Patch Tuesday on the same Patch Tuesday day […]

Threat Source newsletter (Feb. 16, 2023) — Recapping what we may have missed so far this year

Jon is back from parental leave and recapping the top security stories from late 2022 and early 2023 that totally blew by him.

Update Now: Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities

Microsoft on Tuesday released security updates to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild. The updates are in addition to 22 flaws the Windows maker patched in its Chromium-based Edge browser over the past month. Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are

Update now! February's Patch Tuesday tackles three zero-days

Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: Microsoft Tags: Apple Tags: Adobe Tags: SAP Tags: Citrix Tags: Cisco Tags: Atlassian Tags: Google Tags: Mozilla Tags: Forta Tags: OpenSSH Tags: CVE-2023-21823 Tags: CVE-2023-21715 Tags: OneNote Tags: CVE-2023-23376 Tags: CVE-2023-21706 Tags: CVE-2023-21707 Tags: CVE-2023-21529 Tags: CVE-2023-21716 Tags: CVE-2023-23378 Tags: CVE-2023-22501 Tags: CVE-2023-24486 Tags: CVE-2023-24484 Tags: CVE-2023-24484 Tags: CVE-2023-24483 Tags: CVE-2023-25136 Tags: GoAnywhere Microsoft has released updates to patch three zero-days and lots of other vulnerabilities and so have several other vendors (Read more...) The post Update now! February's Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.

9 New Microsoft Bugs to Patch Now

78 new CVEs patched in this month's batch — nearly half of which are remotely executable and three of which attackers already are exploiting.

Microsoft Patch Tuesday, February 2023 Edition

Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year's special Valentine's Day Patch Tuesday includes fixes for a whopping three different "zero-day" vulnerabilities that are already being used in active attacks.

CVE-2023-21715

Microsoft Publisher Security Features Bypass Vulnerability

Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.” According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday

Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.” According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday