The talk DPRK – All grown up will cover how the Democratic People’s Republic of Korea (DPRK) has successfully built computer network exploitation capability over the past 10 years and how threat actors have enabled North Korea to steal billions of dollars in cryptocurrency as well as target organizations associated with satellites and weapons systems. Over this period, North Korean threat actors have developed and used multiple zero-day exploits and have become experts in cryptocurrency, blockchain, and AI technology.

This presentation will also include information on North Korea overcoming sanctions and other financial barriers by the United States and multiple other countries through the deployment of North Korean IT workers in Russia, China, and, other countries. These IT workers masquerade as individuals from countries other than North Korea to perform legitimate IT work and generate revenue for the regime. North Korean threat actors’ focus areas are:

• Stealing money or cryptocurrency to help fund the North Korea weapons programs
• Stealing information pertaining to weapons systems, sanctions information, and policy-related decisions before they occur
• Performing IT work to generate revenue to help fund the North Korea IT weapons program

Meanwhile, in the talk No targets left behind, Microsoft Threat Intelligence analysts will present research on Storm-2077, a Chinese threat actor that conducts intelligence collection targeting government agencies and non-governmental organizations. This presentation will trace how Microsoft assembled the pieces of threat activity now tracked as Storm-2077 to demonstrate how we overcome challenges in tracking overlapping activities and attributing cyber operations originating from China.

This blog summarizes intelligence on threat actors covered by the two Microsoft presentations at CYBERWARCON.

Sapphire Sleet: Social engineering leading to cryptocurrency theft

The North Korean threat actor that Microsoft tracks as Sapphire Sleet has been conducting cryptocurrency theft as well as computer network exploitation activities since at least 2020. Microsoft’s analysis of Sapphire Sleet activity indicates that over 10 million US dollars’ worth of cryptocurrency was stolen by the threat actor from multiple companies over a six-month period.

Masquerading as a venture capitalist

While their methods have changed throughout the years, the primary scheme used by Sapphire Sleet over the past year and a half is to masquerade as a venture capitalist, feigning interest in investing in the target user’s company. The threat actor sets up an online meeting with a target user. On the day of the meeting, when the target user attempts to connect to the meeting, the user receives either a frozen screen or an error message stating that the user should contact the room administrator or support team for assistance.

When the target contacts the threat actor, the threat actor sends a script – a .scpt file (Mac) or a Visual Basic Script (.vbs) file (Windows) – to “fix the connection issue”. This script leads to malware being downloaded onto the target user’s device. The threat actor then works towards obtaining cryptocurrency wallets and other credentials on the compromised device, enabling the threat actor to steal cryptocurrency.  

Posing as recruiters

As a secondary method, Sapphire Sleet masquerades as a recruiter on professional platforms like LinkedIn and reaches out to potential victims. The threat actor, posing as a recruiter, tells the target user that they have a job they are trying to fill and believe that the user would be a good candidate. To validate the skills listed on the target user’s profile, the threat actor asks the user to complete a skills assessment from a website under the threat actor’s control. The threat actor sends the target user a sign-in account and password. In signing in to the website and downloading the code associated with the skills assessment, the target user downloads malware onto their device, allowing the attackers to gain access to the system.

Ruby Sleet: Sophisticated phishing targeting satellite and weapons systems-related targets

Ruby Sleet, a threat actor that Microsoft has been tracking since 2020, has significantly increased the sophistication of their phishing operations over the past several years. The threat actor has been observed signing their malware with legitimate (but compromised) certificates obtained from victims they have compromised. The threat actor has also distributed backdoored virtual private network (VPN) clients, installers, and various other legitimate software.

Ruby Sleet has also been observed conducting research on targets to find what specific software they run in their environment. The threat actor has developed custom capabilities tailored to specific targets. For example, in December 2023, Microsoft Threat Intelligence observed Ruby Sleet carrying out a supply chain attack in which the threat actor successfully compromised a Korean construction company and replaced a legitimate version of VeraPort software with a version that communicates with known Ruby Sleet infrastructure.

Ruby Sleet has targeted and successfully compromised aerospace and defense-related organizations. Stealing aerospace and defense-related technology may be used by North Korea to increase its understanding of missiles, drones, and other related technologies.

North Korean IT workers: The triple threat

In addition to utilizing computer network exploitation through the years, North Korea has dispatched thousands of IT workers abroad to earn money for the regime. These IT workers have brought in hundreds of millions of dollars for North Korea. We consider these North Korean IT workers to be a triple threat, because they:

• Make money for the regime by performing “legitimate” IT work
• May use their access to obtain sensitive intellectual property, source code, or trade secrets at the company
• Steal sensitive data from the company and in some cases ransom the company into paying them in exchange for not publicly disclosing the company’s data

Microsoft Threat Intelligence has observed North Korean IT workers operating out of North Korea, Russia, and China.

Facilitators complicate tracking of IT worker ecosystem

Microsoft Threat Intelligence observed that the activities of North Korean IT workers involved many different parties, from creating accounts on various platforms to accepting payments and moving money to North Korean IT worker-controlled accounts. This makes tracking their activities more challenging than traditional nation-state threat actors.

Since it’s difficult for a person in North Korea to sign up for things such as a bank account or phone number, the IT workers must utilize facilitators to help them acquire access to platforms where they can apply for remote jobs. These facilitators are used by the IT workers for tasks such as creating an account on a freelance job website. As the relationship builds, the IT workers may ask the facilitator to perform other tasks such as:

• Creating or renting their bank account to the North Korean IT worker
• Creating LinkedIn accounts to be used for contacting recruiters to obtain work
• Purchasing mobile phone numbers or SIM cards
• Creating additional accounts on freelance job sites

Fake profiles and portfolios with the aid of AI

One of the first things a North Korean IT worker does is set up a portfolio to show supposed examples of their previous work. Microsoft Threat Intelligence has observed hundreds of fake profiles and portfolios for North Korean IT workers on developer platforms like GitHub.

Additionally, the North Korean IT workers have used fake profiles on LinkedIn to communicate with recruiters and apply for jobs. 

In October 2024, Microsoft found a public repository containing North Korean IT worker files. The repository contained the following information:

• Resumes and email accounts used by the North Korean IT workers
• Infrastructure used by these workers (VPS and VPN accounts along with specific VPS IP addresses)
• Playbooks on conducting identity theft and creating and bidding jobs on freelancer websites without getting flagged
• Actual images and AI-enhanced images of suspected North Korean IT workers
• Wallet information and suspected payments made to facilitators
• LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype accounts
• Tracking sheet of work performed and payments received by these IT workers

Review of the repository indicates that the North Korean IT workers are conducting identity theft and using AI tools such as Faceswap to move their picture over to documents that they have stolen from victims. The attackers are also using Faceswap to take pictures of the North Korean IT workers and move them to more professional looking settings. The pictures created by the North Korean IT workers using AI tools are then utilized on resumes or profiles, sometimes for multiple personas, that are submitted for job applications.

In the same repository, Microsoft Threat Intelligence found photos that appear to be of North Korean IT workers:

Microsoft has observed that, in addition to using AI to assist with creating images used with job applications, North Korean IT workers are experimenting with other AI technologies such as voice-changing software. This aligns with observations shared in earlier blogs showing threat actors using AI as a productivity tool to refine their attack techniques. While we do not see threat actors using combined AI voice and video products as a tactic, we do recognize that if actors were to combine these technologies, it’s possible that future campaigns may involve IT workers using these programs to attempt to trick interviewers into thinking they are not communicating with a North Korean IT worker. If successful, this could allow the North Korean IT workers to do interviews directly and not have to rely on facilitators obtaining work for them by standing in on interviews or selling account access to them.

Getting payment for remote work

The North Korean IT workers appear to be very organized when it comes to tracking payments received.  Overall, this group of North Korean IT workers appears to have made at least 370,000 US dollars through their efforts. 

Protecting organizations from North Korean IT workers

Unfortunately, computer network exploitation and use of IT workers is a low-risk, high-reward technique used by North Korean threat actors. Here are some steps that organizations can take to be better protected:

• Follow guidance from the US Department of State, US Department of the Treasury, and the Federal Bureau of Investigation on how to spot North Korean IT workers.
• Educate human resources managers, hiring managers, and program managers for signs to look for when dealing with suspected North Korean IT workers.
• Use simple non-technical techniques such as asking IT workers to turn on their camera periodically and comparing the person on camera with the one that picked up the laptop from your organization.
• Ask the person on camera to walk through or explain code that they purportedly wrote.

Storm-2077: No targets left behind

Over the past decade, following numerous government indictments and the public disclosure of threat actors’ activities, tracking and attributing cyber operations originating from China has become increasingly challenging as the attackers adjust their tactics. These threat actors continue to conduct operations while using tooling and techniques against targets that often overlap with another threat actor’s operation. While analyzing activity that was affecting a handful of customers, Microsoft Threat Intelligence assembled the pieces of what would be tracked as Storm-2077. Undoubtably, this actor had some victimology and operational techniques that overlapped with a couple of threat actors that Microsoft was already tracking.  

Microsoft assesses that Storm-2077 is a China state threat actor that has been active since at least January 2024. Storm-2077 has targeted a wide variety of sectors, including government agencies and non-governmental organizations in the United States. As we continued to track Storm-2077, we observed that they went after several other industries worldwide, including the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services. Storm-2077 overlaps with activity tracked by other security vendors as TAG-100.

We assess that Storm-2077 likely operates with the objective of conducting intelligence collection. Storm-2077 has used phishing emails to gain credentials and, in certain cases, likely exploited edge-facing devices to gain initial access. We have observed techniques that focus on email data theft, which could allow them to analyze the data later without risking immediate loss of access. In some cases, Storm-2077 has used valid credentials harvested from the successful compromise of a system.

We’ve also observed Storm-2077 successfully exfiltrate emails by stealing credentials to access legitimate cloud applications such as eDiscovery applications. In other cases, Storm-2077 has been observed gaining access to cloud environments by harvesting credentials from compromised endpoints. Once administrative access was gained, Storm-2077 created their own application with mail read rights.

Access to email data is crucial for threat actors because it often contains sensitive information that could be utilized later for malicious purposes. Emails can include sign-in credentials, confidential communication, financial records, business secrets, intellectual property, and credentials for accessing critical systems, or employee information. Access to email accounts and the ability to steal email communication could enable an attacker to further their operations.

Microsoft’s talk on Storm-2077 at CYBERWARCON will highlight how vast their targeting interest covers. All sectors appear to be on the table, leaving no targets behind. Our analysts will talk about the challenges of tracking China-based threat actors and how they had to distinctly carve out Storm-2077.

CYBERWARCON Recap

At this year’s CYBERWARCON, Microsoft Security is sponsoring the post-event Fireside Recap. Hosted by Sherrod DeGrippo, this session will feature special guests who will dive into the highlights, key insights, and emerging themes that defined CYBERWARCON 2024. Interviews with speakers will offer exclusive insights and bring the conference’s biggest moments into sharp focus.

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON appeared first on Microsoft Security Blog.

84% of surveyed organizations want to feel more confident about managing and discovering data input into AI apps and tools. This report includes research to provide you with the actionable industry-agnostic insights and guidance to better secure your data used by your generative AI applications. 

Microsoft Data Security Index

Gain deeper insights about generative AI and its influence on data security.

Discover more

In 2023, we commissioned our first independent research that surveyed more than 800 data security professionals to help business leaders develop their data security strategies. This year, we expanded the survey to 1,300 security professionals to uncover new learnings on data security and AI practices.   

Some of the top-level insights from our expanded research are:  

1. The data security landscape remains fractured across traditional and new risks due to AI.
2. User adoption of generative AI increases the risk and exposure of sensitive data.
3. Decision-makers are optimistic about AI’s potential to boost their data security effectiveness.

The data security landscape remains fractured across traditional and new risks

On average, organizations are juggling 12 different data security solutions, creating complexity that increases their vulnerability. This is especially true for the largest organizations: On average, medium enterprises use nine tools, large enterprises use 11, and extra-large enterprises use 14. In addition, 21% of decision-makers cite the lack of consolidated and comprehensive visibility caused by disparate tools as their biggest challenge and risk.

Fragmented solutions make it difficult to understand data security posture since data is isolated and disparate workflows could limit comprehensive visibility into potential risks. When tools don’t integrate, data security teams have to build processes to correlate data and establish a cohesive view of risks, which can lead to blind spots and make it challenging to detect and mitigate risks effectively.

As a result, the data also shows a strong correlation between the number of data security tools used and the frequency of data security incidents. In 2024, organizations using more data security tools (11 or more) experienced an average of 202 data security incidents, compared to 139 incidents for those with 10 or fewer tools.

In addition, a growing area of concern is the rise in data security incidents from the use of AI applications, which nearly doubled from 27% in 2023 to 40% in 2024. Attacks from the use of AI apps not only expose sensitive data but also compromise the functionality of the AI systems themselves, further complicating an already fractured data security landscape.

In short, there’s an increasingly urgent need for more integrated and cohesive data security strategies that can address both traditional and emerging risks linked to the use of AI tools.

Adoption of generative AI increases the risk and exposure of sensitive data

User adoption of generative AI increases the risk and exposure of sensitive data. As AI becomes more embedded in daily operations, organizations recognize the need for stronger protection. 96% of companies surveyed admitted that they harbored some level of reservation about employee use of generative AI. However, 93% of companies also reported that they had taken proactive action and were at some stage of either developing or implementing new controls around employee use of generative AI.  

Unauthorized AI applications can access and misuse data, leading to potential breaches. The use of these unauthorized AI applications often occurs with employees logging in with personal credentials or using personal devices for work-related tasks. On average, 65% of organizations admit that their employees are using unsanctioned AI apps.

Given these concerns, it is important for organizations to implement the right data security controls and to mitigate these risks and ensure that AI tools are used responsibly. Currently, 43% of companies are focused on preventing sensitive data from being uploaded into AI apps, while another 42% are logging all activities and content within these apps for potential investigations or incident response. Similarly, 42% are blocking user access to unauthorized tools, and an equal percentage are investing in employee training on secure AI use.

To implement the right data security controls, customers need to increase their visibility of their AI application usage as well as the data that is flowing through those applications. In addition, they need a way to assess the risk levels of emerging generative AI applications and be able to apply conditional access policies to those applications based on a user’s risk levels.

Finally, they need to be able to access audit logs and generate reports to help them assess their overall risk levels as well as provide transparency and reporting for regulatory compliance.

AI’s potential to boost data security effectiveness

Traditional data security measures often struggle to keep up with the sheer volume of data generated in today’s digital landscape. AI, however, can sift through this data, identifying patterns and anomalies that might indicate a security threat. Regardless of where they are in their generative AI adoption journeys, organizations that have implemented AI-enabled data security solutions often gain both increased visibility across their digital estates and increased capacity to process and analyze incidents as they are detected.

77% of organizations believe that AI will accelerate their ability to discover unprotected sensitive data, detect anomalous activity, and automatically protect at-risk data. 76% believe AI will improve the accuracy of their data security strategies, and an overwhelming 93% are at least planning to use AI for data security.

Organizations already using AI as part of their data security operations also report fewer alerts. On average, organizations using AI security tools receive 47 alerts per day, compared to an average 79 alerts among those that have yet to implement similar AI solutions.

AI’s ability to analyze vast amounts of data, detect anomalies, and respond to threats in real-time offers a promising avenue for strengthening data security. This optimism is also driving investments in AI-powered data security solutions, which are expected to play a pivotal role in future security strategies.

As we look to the future, customers are looking for ways to streamline how they discover and label sensitive data, provide more effective and accurate alerts, simplify investigations, make recommendations to better secure their data environments, and ultimately reduce the number of data security incidents.

Final thoughts 

So, what can be made of this new generative AI revolution, especially as it pertains to data security? For those beginning their adoption roadmap or looking for ways to improve, here are three broadly applicable recommendations:  

• Hedge against data security incidents by adopting an integrated platform.
• Adopt controls for employee use of generative AI that won’t impact productivity. 
• Uplevel your data security strategy with help from AI.

Gain deeper insights about generative AI and its influence on data security by exploring Data Security Index: Trends, insights, and strategies to keep your data secure and navigate generative AI. There you’ll also find in-depth sentiment analysis from participating data security professionals, providing even more insight into common thought processes around generative AI adoption. For further reading, you can also check out the Data Security as a Foundation for Secure AI Adoption white paper. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post Microsoft Data Security Index annual report highlights evolving generative AI security needs appeared first on Microsoft Security Blog.

As part of the department’s ongoing assessments of zero trust implementation, Flank Speed just underwent its second round of security assessments sponsored by the DoD Zero Trust Portfolio Management Office (PfMO)—with tremendous results. Just two years after the initial DoD guidance was issued, the United States Navy demonstrated that their integrated approach to security could achieve the department’s ZT goals, years ahead of schedule. The model developed by the Navy in collaboration with Microsoft can be replicated to help both civilian and defense agencies to similarly accelerate their own zero trust goals. 

DoD Zero Trust Report

The United States Navy is proving that Zero Trust goes beyond compliance standards and has become a proven security methodology with real world results.  

Discover more

During the exhaustive test, the comprehensive, integrated suite of Microsoft Security tools enabled Navy personnel to meet Target Level zero trust implementation, achieving 100% success in the 91 Target Level activities tested. Further testing of 61 Advanced Level zero trust activities determined the Navy had achieved success in nearly all (60 of 61) advanced Target Level activities.

The DoD expanded beyond traditional penetration testing to thoroughly evaluate all 152 zero trust activities. Prior to the month-long test, military personnel were trained on the effective operation of the comprehensive zero trust solution over the course of six months. This training allowed Navy personnel to detect and mitigate all attack vectors presented to them by the near-peer adversary assessment team.  

“Flank Speed’s unprecedented ability to achieve the very highest level of DoD ZT outcomes demonstrate to us that the department and the federal government that ZT cyber defenses work very effectively to protect and defend our data and systems against the very latest cyber-attacks from our adversaries.”

—Mr. Randy Resnick, Senior Executive Service, Chief ZT Officer for the DoD 

Components of success 

Flank Speed is a large-scale deployment born out of the need to securely facilitate remote workers at the onset of the COVID-19 pandemic and built on the Navy’s unclassified combined Azure and Microsoft 365 Impact Level 5(IL5) cloud. To achieve a secure operating environment, the Navy aligned its security approach around the DoD’s seven zero trust pillars—each of which represents its own protection area:  

As outlined in the diagram below, the Microsoft 365 E5 package combines best-in-class productivity solutions with comprehensive security technologies that can address all seven pillars of the DoD Zero Trust Strategy.  

This comprehensive and extensible zero trust platform supports a range of environments including hybrid cloud, multicloud, and multiplatform needs. It brings pre-integrated extended detection and response (XDR) services, coupled with cloud-based device management and cloud-based identity and access management to meet the security priorities necessary for all defense and civilian organizations. The specific technologies and implementation strategies that support each pillar are outlined in this blog post. Microsoft has also published a higher-level Security Adoption Framework (SAF) that provides guidance to organizations as they navigate the ever-changing security landscape. 

A partner agencies can trust 

Implementation of a zero trust solution from scratch can be a daunting task. A successful deployment requires the integration of properly configured technologies across numerous product categories. No single product can effectively achieve zero trust goals alone, but selecting a set of integrated capabilities whether first or third party can provide significant acceleration. In order to be effective in the long term, a zero trust implementation must also be flexible enough to adapt quickly to new adversary tactics. Following the White House Executive Order to improve the nation’s cybersecurity and protect federal government networks, Microsoft offered technical expertise that helped architect and deploy technologies aligned to the DoD ZT strategy, including continuous monitoring, big data analysis, and comply-to-connect components. 

The success of Flank Speed is a critical demonstration of this collaborative approach to implementation. That a complex and critical environment such as that belonging to the Navy fully met not only its Target Level zero trust activities, but nearly all of the Advanced Level criteria more than three years before the DoD’s 2027 deadline with a repeatable solution, is a testament that zero trust can be implemented effectively at scale across the government.  

Importantly, though Flank Speed itself is cloud-native, it has been deployed to extend its usability and security capabilities to both cloud-only and existing on-premises workloads and devices, both ashore and afloat. This gave the Navy a rapid path to increased security that was independent of any effort to modernize or sunset existing legacy assets. Along with the proven security achievements, this capacity to extend zero trust security to existing infrastructure could have wide-ranging benefits for organizations pursuing similar cybersecurity goals of a homogeneous security baseline across heterogeneous environments. 

A commitment to security and innovation 

Microsoft’s support in helping the United States Department of Defense and its branches achieve zero trust implementation also helps inform Microsoft’s own Secure Future Initiative, which aims to continuously apply the company’s cumulative security learnings in an effort to improve its own methods and practices, and to ensure that security is kept paramount in everything Microsoft creates and provides to its customers. Independent learnings gleaned as part of the Secure Future Initiative, in return, help Microsoft refine its approach in support of government organizations and a vast ecosystem of security partners. In this way Microsoft can work to ensure that zero trust environments supported by Microsoft 365 and Azure stay up to date, even as cyber threat actors change and mature their tactics and tools. This continuous collaboration advances the broader effort to secure and support the United States national security and the security posture of democratic organizations the world over.  

Microsoft commends the United States Navy for their milestone achievement. The United States Navy and the United States Department of Defense are proving that zero trust goes beyond compliance standards and has become a proven security methodology with real world results.  

Next steps

To learn more about how to accelerate your Zero Trust implementation with best practices, the latest trends, and a framework informed by real-world deployments, visit our latest guidance. 

 To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post DoD Zero Trust Strategy proves security benchmark years ahead of schedule with Microsoft collaboration appeared first on Microsoft Security Blog.

Microsoft assesses that credentials acquired from CovertNetwork-1658 password spray operations are used by multiple Chinese threat actors. In particular, Microsoft has observed the Chinese threat actor Storm-0940 using credentials from CovertNetwork-1658. Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services. Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others.

As with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to help secure their environments. In this blog, we provide more information about CovertNetwork-1658 infrastructure, and associated Storm-0940 activity. We also share mitigation recommendations, detection information, and hunting queries that can help organizations identify, investigate, and mitigate associated activity.

What is CovertNetwork-1658?

Microsoft tracks a network of compromised small office and home office (SOHO) routers as CovertNetwork-1658. SOHO routers manufactured by TP-Link make up most of this network. Microsoft uses “CovertNetwork” to refer to a collection of egress IPs consisting of compromised or leased devices that may be used by one or more threat actors.

CovertNetwork-1658 specifically refers to a collection of egress IPs that may be used by one or more Chinese threat actors and is wholly comprised of compromised devices. Microsoft assesses that a threat actor located in China established and maintains this network. The threat actor exploits a vulnerability in the routers to gain remote code execution capability. We continue to investigate the specific exploit by which this threat actor compromises these routers. Microsoft assesses that multiple Chinese threat actors use the credentials acquired from CovertNetwork-1658 password spray operations to perform computer network exploitation (CNE) activities.

Post-compromise activity on compromised routers

After successfully gaining access to a vulnerable router, in some instances, the following steps are taken by the threat actor to prepare the router for password spray operations:

1. Download Telnet binary from a remote File Transfer Protocol (FTP) server
2. Download xlogin backdoor binary from a remote FTP server
3. Utilize the downloaded Telnet and xlogin binaries to start an access-controlled command shell on TCP port 7777
4. Connect and authenticate to the xlogin backdoor listening on TCP port 7777
5. Download a SOCKS5 server binary to router
6. Start SOCKS5 server on TCP port 11288

CovertNetwork-1658 is observed conducting their password spray campaigns through this proxy network to ensure the password spray attempts originate from the compromised devices.

Password spray activity from CovertNetwork-1658 infrastructure

Microsoft has observed multiple password spray campaigns originating from CovertNetwork-1658 infrastructure. In these campaigns, CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization. In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day. Figure 2 depicts this distribution in greater detail.

CovertNetwork-1658 infrastructure is difficult to monitor due to the following characteristics:

• The use of compromised SOHO IP addresses
• The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
• The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity

Various security vendors have reported on CovertNetwork-1658 activities, including Sekoia (July 2024) and Team Cymru (August 2024). Microsoft assesses that after these blogs were published, the usage of CovertNetwork-1658 network has declined substantially. The below chart highlights a steady and steep decline in the use of CovertNetwork-1658’s original infrastructure since their activities have been exposed in public reporting as observed in Censys.IO data.

Microsoft assesses that CovertNetwork-1658 has not stopped operations as indicated in recent activity but is likely acquiring new infrastructure with modified fingerprints from what has been publicly disclosed. An observed increase in recent activity may be early evidence supporting this assessment.

Historically, Microsoft has observed an average of 8,000 compromised devices actively engaged in the CovertNetwork-1658 network at any given time. On average, about 20 percent of these devices perform password spraying at any given time. Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time. This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.

Below are User Agent Strings* observed in the password spray activity:

• Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
• Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36

*Note: We updated this list of User Agent Strings on November 4, 2024 to fix typos.

Observed activity tied to Storm-0940

Microsoft has observed numerous cases where Storm-0940 has gained initial access to target organizations using valid credentials obtained through CovertNetwork-1658’s password spray operations. In some instances, Storm-0940 was observed using compromised credentials that were obtained from CovertNetwork-1658 infrastructure on the same day. This quick operational hand-off of compromised credentials is evidence of a likely close working relationship between the operators of CovertNetwork-1658 and Storm-0940.

After successfully gaining access to a victim environment, in some instances, Storm-0940 has been observed:        

• Using scanning and credential dumping tools to move laterally within the network;
• Attempting to access network devices and install proxy tools and remote access trojans (RATs) for persistence; and
• Attempting to exfiltrate data.

Recommendations

Organizations can defend against password spraying by building credential hygiene and hardening cloud identities. Microsoft recommends the following mitigations to reduce the impact of this threat:

• Educate users on the importance of credential hygiene and avoiding password reuse.
• Enforce multi-factor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times. Microsoft continues to expand MFA defaults for products and services like Azure to broaden MFA adoption.
  • Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.
  • Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
• Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA.
• Disable legacy authentication.
• Use a cloud-based identity security solution to identify and detect threats or compromised identities.
• Disable stale or unused accounts.
• Reset account passwords for any accounts targeted during a password spray attack. If a targeted account had system-level permissions, further investigation may be warranted.
• Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:
  • Create conditional access policies to allow or disallow access to the environment based on defined criteria.
• • Block legacy authentication with Azure AD by using Conditional Access. Legacy authentication protocols don’t have the ability to enforce MFA, so blocking such authentication methods will prevent password spray attackers from taking advantage of the lack of MFA on those protocols.
  • Enable AD FS web application proxy extranet lockout to protect users from potential password brute force compromise.
• Secure accounts with credential hygiene:
  • Practice the principle of least privilege and audit privileged account activity in your Azure AD environments to slow and stop attackers.
  • Deploy Azure AD Connect Health for ADFS. This captures failed attempts as well as IP addresses recorded in ADFS logs for bad requests via the Risky IP report.
  • Use Azure AD password protection to detect and block known weak passwords and their variants.
  • Turn on identity protection in Azure AD to monitor for identity-based risks and create policies for risky sign ins.
• Educate users about phishing attempts and MFA fatigue attacks. Encourage users to report unsolicited MFA authentication prompts.
• Review your Anomaly detection policies in Defender for Cloud Apps under Microsoft 365 Defender Policies by going to Cloud Apps > Policies > Policy management. Then select Anomaly detection policy.

Detection details

Alerts with the following titles in the Security Center can indicate threat activity on your network:

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert can indicate associated threat activity:

• Storm-0940 actor activity detected

Microsoft Defender XDR

The following alert might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Password spray attacks originating from single ISP

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

• Password Spray
• Unfamiliar Sign-in properties
• Atypical travel
• Suspicious behavior: Impossible travel activity

Microsoft Defender for Cloud Apps

The following Microsoft Defender for Cloud Apps alerts can indicate associated threat activity:

• Suspicious Administrative Activity
• Impossible travel activity

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Potential Storm-0940 activity           

This query identifies UserAgents obtained from observed activity and AAD SignInEvent attributes that identify potential activity to guide investigation:

//Advanced Hunting Query
let suspAppRes = datatable(appId:string, resourceId:string)
[
    "1950a258-227b-4e31-a9cf-717495945fc2", "00000003-0000-0000-c000-000000000000"
];
let userAgents = datatable(userAgent:string)
[
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" //Low fidelity
];
AADSignInEventsBeta
| where Timestamp >=ago(30d)
| where ApplicationId in ((suspAppRes | project appId)) and ResourceId in ((suspAppRes | project resourceId)) and UserAgent in ((userAgents| project userAgent))
Failed sign-in activity
The following query identifies failed attempts to sign-in from multiple sources that originate from a single ISP. Attackers distribute attacks from multiple IP addresses across a single service provider to evade detection
IdentityLogonEvents
| where Timestamp > ago(4h)
| where ActionType == "LogonFailed"
| where isnotempty(AccountObjectId)
| summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP
| where TargetCount >= 100
| where TargetCountry >= 5
| where TargetIPAddress >= 25

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Potential Storm-0940 activity

This query identifies UserAgents obtained from observed activity and AAD SignInEvent attributes that identify potential activity to guide investigation:

//sentinelquery
let suspAppRes = datatable(appId:string, resourceId:string)
[
    "1950a258-227b-4e31-a9cf-717495945fc2", "00000003-0000-0000-c000-000000000000"
];
let userAgents = datatable(userAgent:string)
[
    "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" //Low fidelity
];
SigninLogs
| where TimeGenerated >=ago(30d)
| where AppId  in ((suspAppRes | project appId)) and ResourceIdentity in ((suspAppRes | project resourceId)) and UserAgent in ((userAgents| project userAgent))

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network appeared first on Microsoft Security Blog.

To help us better understand the SMB security needs and trends, Microsoft partnered with Bredin, a company specializing in SMB research and insights, to conduct a survey focused on security for businesses with 25 to 299 employees. As we share these insights below, and initial actions that can take to address them, SMBs can also find additional best practices to stay secure in the Be Cybersmart Kit.  

SMB Cybersecurity Research Report

Read the full report to learn more about how security is continuing to play an important role for SMBs.

Discover more

1. One in three SMBs have been victims of a cyberattack 

With cyberattacks on the rise, SMBs are increasingly affected. Research shows that 31% of SMBs have been victims of cyberattacks such as ransomware, phishing, or data breaches. Despite this, many SMBs still hold misconceptions that increase their risk and vulnerability. Some believe they are too small to be targeted by hackers or assume that compliance equates to security. It is crucial to understand that bad actors pose a threat to businesses of all sizes, and complacency in cybersecurity can lead to significant risks. 

How can SMBs approach this?

Microsoft, in collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), has outlined four simple best practices to creates a strong cybersecurity foundation.

• Use strong passwords and consider a password manager.
• Turn on multifactor authentication.
• Learn to recognize and report phishing.
• Make sure to keep your software updated.

2. Cyberattacks cost SMBs more than $250,000 on average and up to $7,000,000 

The unexpected costs of a cyberattack can be devastating for an SMB and make it difficult to financially recover from. These costs can include expenses incurred for investigation and recovery efforts to resolve the incident, and associated fines related to a data breach. Cyberattacks not only present an immediate financial strain but can also have longer term impacts on an SMB. Diminished customer trust due to a cyberattack can cause broader reputational damage and lead to missed business opportunities in the future. It’s difficult to anticipate the impact of a cyberattack because the time it takes to recover can vary from one day to more than a month. While many SMBs are optimistic about their ability to withstand a cyberattack, some fail to accurately estimate the time needed to restore operations and resume normal business activities 

How can SMBs approach this?

SMBs can conduct a cybersecurity risk assessment to understand gaps in security and determine steps to resolve them. These assessments can help SMBs uncover areas open to attack to minimize them, ensure compliance with regulatory requirements, establish incident response plans, and more. Effectively and proactively planning can help minimize the financial, reputational, and operational costs associated with a cyberattack should one happen. Many organizations provide self-service assessments, and working with a security specialist or security service provider can bring additional expertise and guidance through the process as needed.

3. 81% of SMBs believe AI increases the need for additional security controls

The rapid advancement of AI technologies and the ease of use through simple user interfaces creates notable challenges for SMBs when used by employees. Without the proper tools in place to secure company data, AI use can lead to sensitive or confidential information getting in the wrong hands. Fortunately, more than half of companies currently not using AI security tools intend to implement them within the next six months for more advanced security. 

How can SMBs approach this?

Data security and data governance play a critical role in successful adoption and use of AI. Data security, which includes labeling and encrypting documents and information, can mitigate the chance of restricted information being referenced in AI prompts. Data governance, or the process of managing, understanding, and securing data, can help establish a framework to effectively organize data within.

4. 94% consider cybersecurity critical to their business 

Recognizing the critical importance of cybersecurity, 94% of SMBs consider it essential to their operations. While it was not always considered a top priority given limited resources and in-house expertise, the rise in cyberthreats and increased sophistication of cyberattacks now pose significant risks for SMBs that is largely recognized across the SMB space. Managing work data on personal devices, ransomware, and phishing and more are cited as top challenges that SMBs are facing. 

How can SMBs approach this?

For SMBs that want to get started with available resources to train and educate employees, security topics across Cybersecurity 101, Phishing, and more are provided through Microsoft’s Cybersecurity Awareness site.

5. Less than 30% of SMBs manage their security in-house 

Given the limited resources and in-house expertise within SMBs, many turn to security specialists for assistance. Less than 30% of SMBs manage security in-house and generally rely on security consultants or service providers to manage security needs. These security professionals provide crucial support in researching, selecting, and implementing cybersecurity solutions, ensuring that SMBs are protected from new threats. 

How can SMBs approach this?

Hiring a Managed Service Provider (MSP) is commonly used to supplement internal business operations. MSPs are organizations that help manage broad IT services, including security, and serve as strategic partners to improve efficiency and oversee day-to-day IT activities. Examples of security support can consist of researching and identifying the right security solution for a business based on specific needs and requirements. Additionally, MSPs can implement and manage the solution by configuring security policies and responding to incidents on the SMBs behalf. This model allows more time for SMBs to focus on core business objectives while MSPs keep the business protected.

6. 80% intend to increase their cybersecurity spending, with data protection as top area of spend 

Given the heightened importance of security, 80% of SMBs intend to increase cybersecurity spending. Top motivators are protection from financial losses and safeguards for client and customer data. It’s no surprise that data protection comes in as the top investment area with 65% of SMBs saying that is where increased spending will be allocated, validating the need for additional security with the rise of AI. Other top areas of spending include firewall services, phishing protection, ransomware and device protection, access control, and identity management.  

How can SMBs approach this?

Prioritizing these investments in the areas above, SMBs can improve security posture and reduce the risk of cyberattacks. Solutions such as Data Loss Prevention (DLP) help identify suspicious activity and prevent sensitive data from leaving leaking outside of the business, Endpoint Detection and Response (EDR) help protect devices and defend against threats, and Identity and Access Management (IAM) help ensure only the right people get access to the right information.

7. 68% of SMBs consider secure data access a challenge for remote workers 

The transition to hybrid work models has brought new security challenges for SMBs, and these issues will continue as hybrid work becomes a permanent fixture. With 68% of SMBs employing remote or hybrid workers, ensuring secure access for remote employees is increasingly critical. A significant 75% of SMBs are concerned about data loss on personal devices. To safeguard sensitive information in a hybrid work setting, it is vital to implement device security and management solutions so employees can securely work from anywhere.  

How can SMBs approach this?

Implement measures to protect data and internet-connected devices that include installing software updates immediately, ensuring mobile applications are downloaded from legitimate app stores, and refraining from sharing credentials over email or text, and only doing so over the phone in real-time.

Next steps with Microsoft Security

• Read the full report to learn more about how security is continuing to play an important role for SMBs.

• Get the Be Cybersmart Kit to help educate everyone in your organization with cybersecurity awareness resources.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post ​​7 cybersecurity trends and tips for small and medium businesses to stay protected appeared first on Microsoft Security Blog.

The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server. In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees. The threat actor also referenced other cloud providers in the phishing lures.

While this campaign focuses on many of Midnight Blizzard’s usual targets, the use of a signed RDP configuration file to gain access to the targets’ devices represents a novel access vector for this actor. Overlapping activity has also been reported by the Government Computer Emergency Response Team of Ukraine (CERT-UA) under the designation UAC-0215 and also by Amazon.

Midnight Blizzard is a Russian threat actor attributed by the United States and United Kingdom governments to the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the United States and Europe. Its focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Its operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Midnight Blizzard is consistent and persistent in its operational targeting, and its objectives rarely change. It uses diverse initial access methods, including spear phishing, stolen credentials, supply chain attacks, compromise of on-premises environments to laterally move to the cloud, and leveraging service providers’ trust chain to gain access to downstream customers. Midnight Blizzard is known to use the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is identified by peer security vendors as APT29, UNC2452, and Cozy Bear.

As with any observed nation-state actor activity, Microsoft is in the process of directly notifying customers that have been targeted or compromised, providing them with the necessary information to secure their accounts. Strong anti-phishing measures will help to mitigate this threat. As part of our commitment to helping protect against cyber threats, we provide indicators of compromise (IOCs), hunting queries, detection details, and recommendations at the end of this post.

Spear-phishing campaign

On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration (.RDP) files summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs. These configurations extend features and resources of the local system to a remote server, controlled by the actor.

In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system.

RDP connection

When the target user opened the .RDP attachment, an RDP connection was established to an actor-controlled system. The configuration of the RDP connection then allowed the actor-controlled system to discover and use information about the target system, including:

• Files and directories
• Connected network drives
• Connected peripherals, including smart cards, printers, and microphones
• Web authentication using Windows Hello, passkeys, or security keys
• Clipboard data
• Point of Service (also known as Point of Sale or POS) devices

Targets

Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the United Kingdom, Europe, Australia, and Japan. This target set is consistent with other Midnight Blizzard phishing campaigns.

Email infrastructure

Midnight Blizzard sent the phishing emails in this campaign using email addresses belonging to legitimate organizations that were gathered during previous compromises. The domains used are listed in the IOC section below.

Mitigations

Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen operating environment configuration

• Utilize Windows Firewall or Windows Firewall with Advanced Security to help prevent or restrict outbound RDP connection attempts to external or public networks external or public networks
• Require multifactor authentication (MFA). Implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
• Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and help blocks malicious websites, including phishing sites, scam sites, and sites that host malware.

Strengthen endpoint security configuration

If you are using Microsoft Defender for Endpoint take the following steps:

• Ensure tamper protection is turned on in Microsoft Defender for Endpoint.
• Turn on network protection in Microsoft Defender for Endpoint.
• Turn on web protection.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to help resolve breaches, significantly reducing alert volume. 
• Microsoft Defender XDR customers can turn on the following attack surface reduction rules to help prevent common attack techniques used by threat actors.
  • Block executable content from email client and webmail
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Strengthen antivirus configuration

• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections help block a majority of new and unknown variants.
• Enable Microsoft Defender Antivirus scanning of downloaded files and attachments.
• Enable Microsoft Defender Antivirus real-time protection.

Strengthen Microsoft Office 365 configuration

• Turn on Safe Links and Safe Attachments for Office 365.
• Enable Zero-hour auto purge (ZAP) in Office 365 to help quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.

Strengthen email security configuration

• Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. For example, Microsoft Defender for Office 365 merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically identify and help block malicious websites, including those used in phishing activities.
• If you are using Microsoft Defender for Office 365, configure it to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect an organization from malicious links used in phishing and other attacks.
• If you are using Microsoft Defender for Office 365, use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing credentials.

Conduct user education

• Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.

Microsoft Defender XDR detections

Microsoft Defender for Endpoint

The following alerts may also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Midnight Blizzard Actor activity group
• Suspicious RDP session

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects at least some of the malicious .RDP files as the following signature:

• Backdoor:Script/HustleCon.A

Microsoft Defender for Cloud

The following alerts may also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Communication with suspicious domain identified by threat intelligence
• Suspicious outgoing RDP network activity
• Traffic detected from IP addresses recommended for blocking

Microsoft Defender for Office 365

Microsoft Defender for Office 365 raises alerts on this campaign using email- and attachment-based detections. Additionally, hunting signatures and an RDP file parser have been incorporated into detections to block similar campaigns in the future. Defenders can identify such activity in alert titles referencing RDP, for example, Trojan_RDP*.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide threat intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Midnight Blizzard targets NGOs in new wave of initial access campaigns.
• Midnight Blizzard targets diplomatic, NGOs, and humanitarian organizations in global spear phishing activity.

Hunting queries

Microsoft Defender XDR

Identify potential Midnight Blizzard targeted recipients 

Surface possible targeted email accounts within the environment where the email sender originated from a Midnight Blizzard compromised domain related to the RDP activity.

EmailEvents 
| where SenderFromDomain in~ ("sellar.co.uk", "townoflakelure.com", "totalconstruction.com.au", "swpartners.com.au", "cewalton.com") 
| project SenderFromDomain, SenderFromAddress, RecipientEmailAddress, Subject, Timestamp 

Surface potential targets of an RDP attachment phishing attempt

Surface emails that contain a remote desktop protocol (RDP) file attached. This may indicate that the recipient of the email may have been targeted in an RDP attachment phishing attack attempt.

EmailAttachmentInfo
| where FileName has ".rdp"
| join kind=inner (EmailEvents) on NetworkMessageId
| project SenderFromAddress, RecipientEmailAddress, Subject, Timestamp, FileName, FileType

Identify potential successfully targeted assets in an RDP attachment phishing attack

Surface devices that may have been targeted in an email with an RDP file attached, followed by an RDP connection attempt from the device to an external network. This combined activity may indicate that a device may have been successfully targeted in an RDP attachment phishing attack.

// Step 1: Identify emails with RDP attachments
let rdpEmails = EmailAttachmentInfo
| where FileName has ".rdp"
| join kind=inner (EmailEvents) on NetworkMessageId
| project EmailTimestamp = Timestamp, RecipientEmailAddress, NetworkMessageId, SenderFromAddress;
// Step 2: Identify outbound RDP connections
let outboundRDPConnections = DeviceNetworkEvents
| where RemotePort == 3389
| where ActionType == "ConnectionAttempt"
| where RemoteIPType == "Public"
| project RDPConnectionTimestamp = Timestamp, DeviceId, InitiatingProcessAccountUpn, RemoteIP;
// Step 3: Correlate email and network events
rdpEmails
| join kind=inner (outboundRDPConnections) on $left.RecipientEmailAddress == $right.InitiatingProcessAccountUpn
| project EmailTimestamp, RecipientEmailAddress, SenderFromAddress, RDPConnectionTimestamp, DeviceId, RemoteIP

Threat actor RDP connection files attached to email

Surface users that may have received an RDP connection file attached in email that have been observed in this attack from Midnight Blizzard.

EmailAttachmentInfo
| where FileName in~ (
    "AWS IAM Compliance Check.rdp",
    "AWS IAM Configuration.rdp",
    "AWS IAM Quick Start.rdp",
    "AWS SDE Compliance Check.rdp",
    "AWS SDE Environment Check.rdp",
    "AWS Secure Data Exchange - Compliance Check.rdp",
    "AWS Secure Data Exchange Compliance.rdp",
    "Device Configuration Verification.rdp",
    "Device Security Requirements Check.rdp",
    "IAM Identity Center Access.rdp",
    "IAM Identity Center Application Access.rdp",
    "Zero Trust Architecture Configuration.rdp",
    "Zero Trust Security Environment Compliance Check.rdp",
    "ZTS Device Compatibility Test.rdp"
)
| project Timestamp, FileName, SHA256, RecipientEmailAddress, SenderDisplayName, SenderFromAddress

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Indicators of compromise

Email sender domains

RDP file names

• AWS IAM Compliance Check.rdp
• AWS IAM Configuration.rdp
• AWS IAM Quick Start.rdp
• AWS SDE Compliance Check.rdp
• AWS SDE Environment Check.rdp
• AWS SDE Environment Check.rdp 
• AWS Secure Data Exchange – Compliance Check.rdp
• AWS Secure Data Exchange Compliance.rdp
• Device Configuration Verification.rdp
• Device Security Requirements Check.rdp
• IAM Identity Center Access.rdp
• IAM Identity Center Application Access.rdp
• Zero Trust Architecture Configuration.rdp
• Zero Trust Security Environment Compliance Check.rdp
• ZTS Device Compatibility Test.rdp

RDP remote computer domains

References

• https://cert.gov.ua/article/6281076
• https://aws.Alpha XR/blogs/security/amazon-identified-internet-domains-abused-by-apt29/
• https://media.defense.gov/2024/Oct/09/2003562611/-1/-1/0/CSA-UPDATE-ON-SVR-CYBER-OPS.PDF
• http://approjects.co.za/?big=security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/?msockid=392e4194f0f26165030055c3f1de6080
• http://approjects.co.za/?big=security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/?msockid=392e4194f0f26165030055c3f1de6080

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files appeared first on Microsoft Security Blog.

Prior to 2020, there was an unspoken rule of threat actors to not launch attacks against schools and children, infrastructure, and healthcare organizations.¹ However, that “rule” no longer applies, and in the past four years the healthcare threat landscape has seen tremendous shifts for the worse.

To put this shift into context, consider these trends from the Microsoft Threat Intelligence report showing healthcare cybersecurity challenges:

• Healthcare is one of the top 10 most targeted industries in the second quarter of 2024²—and has been for the past four quarters.
• Ransomware attacks are costly, with healthcare organizations losing an average of $900,000 per day on downtime alone.³
• In a recent study, out of the 99 healthcare organizations that admitted to paying a ransom and disclosed the ransom paid, the average payment was $4.4 million.⁴

The serious impact of ransomware on healthcare

While the potential financial risk for healthcare organizations is high, lives are at stake because ransomware attacks impact patient outcomes. If healthcare providers are not able to use diagnostic equipment or access patient medical records because it’s under ransom, care will be disrupted.

Healthcare facilities located near hospitals that are impacted by ransomware are also affected because they experience a surge of patients needing care and are unable to support them in an urgent manner. As a result, patients can experience longer wait times, which studies show could lead to more severe stroke cases and heart attack cases.⁵

These attacks don’t just impact facilities in large cities; in fact, rural health clinics are also a target for cyberattacks. They are particularly vulnerable to ransomware incidents because they often have limited means to prevent and remediate security risks. This can be devastating for a community as these hospitals are often the only healthcare option for many miles in the communities they serve.  

Why healthcare is an appealing target for threat actors

Healthcare organizations collect and store extremely sensitive data, which likely contributes to threat actors targeting them in ransomware attacks. However, a more significant reason these facilities are at risk is the potential for huge financial payouts. As referenced earlier, lives are at stake and healthcare facilities committed to patient care can’t risk poor patient outcomes if their systems are taken down. They also can’t risk their patients’ data being exposed if they don’t pay the ransom. That reputation for paying ransoms—for understandable reasons—makes them a target.

Healthcare facilities are also targeted because of their limited security resources and cybersecurity investments to defend against these threats compared to other sectors. Facilities often lack staff dedicated to cybersecurity and in fact, some facilities don’t have a chief information security officer (CISO) or dedicated security operations center at all. Instead, their IT department may be tasked with managing cybersecurity. Doctors, nurses, and healthcare staff may not have received any cybersecurity training or know the signs to look for to identify a phishing email.

How cyber criminals target healthcare organizations

Financially motivated cyber criminals are using an evolving set of ransomware tactics on healthcare organizations. One common approach involves two steps. First, they gain access to an organization’s network, often using social engineering tactics through a phishing email or text. Then, they use that access to deploy ransomware to encrypt and lock healthcare systems and data so they can seek a ransom for their release.

“Once ransomware is deployed, attackers typically move quickly to encrypt critical systems and data, often within a matter of hours,” said Jack Mott of Microsoft Threat Intelligence in the Microsoft ransomware report. “They target essential infrastructure, such as patient records, diagnostic systems, and even billing operations, to maximize the impact and pressure on healthcare organizations to pay the ransom.”

Social engineering tactics often involve convincing the email recipient to act in ways they normally wouldn’t, such as clicking on an unknown link, and using the tactics of urgency, emotion, and habit. Social engineering fraud is a serious problem. In just this fiscal year, a staggering 389 healthcare institutions across the United States fell victim to ransomware attacks, according to the 2024 Microsoft Digital Defense Report.⁶ The aftermath was severe, resulting in network closures, offline systems, delays in critical medical operations, and rescheduled appointments.

Another common approach is ransomware as a service (RaaS), a cybercrime business model growing in popularity. The RaaS model is an agreement between an operator, who develops extortion tools, and an affiliate, who deploys the ransomware. Both parties benefit from a successful ransomware and extortion attack, and it’s “democratized access to sophisticated ransomware tools,” Mott said. This model enables cyber criminals without the means of developing their own tools to launch their nefarious activities. Sometimes, they may simply purchase network access from a cybercrime group that has already breached a network. RaaS severely widens the risk to healthcare organizations, making ransomware more accessible and frequent.

Cybercrime tactics continue to grow in sophistication. Microsoft is continually tracking the latest cybercrime threats to support our customers and increase the knowledge of the entire global community. These threats include actions by threat actor groups Vanilla Tempest and Sangria Tempest, which are known for their financially motivated criminal activities.

Take a collective defense approach to boost your cyber resilience and visibility

We recognize that not all organizations have a robust cybersecurity team or even the resources to enable a cybersecurity resilience strategy. This is why it is important for us as a community to come together and share best practices, tools, and guidance. We encourage your organization to collaborate with regional, national, and global healthcare organizations such as Health-ISAC (Information Sharing and Analysis Centers). The Health-ISAC provides healthcare organizations with platforms to exchange threat intelligence. Health-ISAC Chief Security Officer Errol Weiss says these organizations are like “virtual neighborhood watch programs,” sharing threat experiences and defense strategies. 

It’s also important to foster a security-first mindset among healthcare staff. Dr. Christian Dameff and Dr. Jeff Tully, Co-directors of the University of California San Diego Center for Healthcare Cybersecurity, emphasize that breaking down silos between IT security teams, emergency managers, and clinical staff to develop cohesive incident response plans is key. They also recommend running high-fidelity clinical simulations that expose doctors and nurses to real-world cyberattack scenarios.

For rural hospitals that provide critical services to the communities they serve across the US, Microsoft created the Microsoft Cybersecurity Program for Rural Hospitals, which provides affordable access to Microsoft security solutions, builds cybersecurity capacity, and helps solve root challenges through innovation.

For healthcare organizations that have the resources, as part of this report we provide guidance on how to:

• Establish a robust governance framework.
• Create an incident response and detection plan. Then be prepared to execute it efficiently during an actual attack to minimize damage and ensure a quick recovery.
• Implement continuous monitoring and real-time detection capabilities.
• Educate your organization using our cybersecurity awareness and education #BeCyberSmart Kit.
• Harness more resilience strategies found in the report.

Given the serious cyberthreats against healthcare organizations, it’s critical to protect your assets by understanding the situation and taking steps to prevent it. For more details on the current healthcare cyberthreat landscape and ransomware threats, and for more in-depth guidance on boosting resilience, read the “US healthcare at risk: Strengthening resiliency against ransomware attacks” report and watch our healthcare threat intelligence briefing video, which is included in the report. To stay up-to-date on the latest threat intelligence insights and get actionable guidance for your security efforts, bookmark Microsoft Security Insider.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹How to protect your networks from ransomware, justice.gov.

²Threat Landscape: Healthcare and Public Health Sector, April 2024. Microsoft Threat Intelligence.

³On average, healthcare organizations lose $900,000 per day to downtime from ransomware attacks, Comparitech. March 6, 2024.

⁴Healthcare Ransomware Attacks Continue to Increase in Number and Severity, The HIPAA Journal. September 2024.

⁵Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US, JAMA Network. May 8, 2023.

⁶Microsoft Digital Defense Report 2024.

The post Microsoft Threat Intelligence healthcare ransomware report highlights need for collective industry action appeared first on Microsoft Security Blog.

After discovering the bypass technique, we shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC. Microsoft is currently collaborating with other major browser vendors to investigate the benefits of hardening local configuration files.

We encourage macOS users to apply these security updates as soon as possible. Behavior monitoring protections in Microsoft Defender for Endpoint has detected activity associated with Adload, a prevalent macOS threat family, potentially exploiting this vulnerability. Microsoft Defender for Endpoint detects and blocks CVE-2024-44133 exploitation, including anomalous modification of the Preferences file through HM Surf or other methods.

We initially described TCC technology and how we were able to bypass it in our powerdir vulnerability discovery. As a reminder, TCC is a technology that prevents apps from accessing users’ personal information, including services such as location services, camera, microphone, downloads directory, and others, without their prior consent and knowledge. Formally, the only legitimate way for an app to gain access to those services is by approving a popup through the user interface, or by approving per-app access in the operating system’s settings. In this blog post, we share details on how HM Surf can enable attackers to bypass TCC and access the said services without user consent. We also provide guidance for organizations to protect devices from successful exploitation.

Safari entitlements and TCC

Entitlements, as we shared in a past blog post, are privileges that macOS apps might have, and are digitally signed by Apple. Apple reserves some entitlements to their own applications, which are known as private entitlements. Such entitlements commonly start with the com.apple.private prefix.

When it comes to TCC, the com.apple.private.tcc.allow entitlement allows the entitled app to completely bypass TCC checks for services that are mentioned under the entitlement. Safari, the default browser in macOS, has very powerful TCC entitlements, including com.apple.private.tcc.allow:

There are two important aspects here:

1. Safari can freely access the address book (kTCCServiceAddressBook), camera (kTCCServiceCamera), microphone (kTCCServiceMicrophone), and more, completely bypassing TCC access checks for those services.
2. Safari is compiled with flags=0x2000 (library-validation), which means all dynamically loaded libraries must be digitally signed by the same Team ID. This feature could be considered a part of Apple’s Hardened Runtime, and hardens the app against certain type of attacks such as code injection. The Hardened Runtime technology is in many aspects similar to the Windows process mitigation policies, and essentially means an attacker is going to have a very hard time running arbitrary code in the context of Safari.

By default, when one browses a website that requires access to the camera or the microphone, a TCC-like popup still appears, which means Safari maintains its own TCC policy. That makes sense, since Safari must maintain access records on a per-origin (website) basis:

We discovered that Safari maintains its configuration in various files under ~/Library/Safari (the user’s home directory). That said directory contains several files of interest, including the following:

Therefore:

1. Reading arbitrary files from the directory allows attackers to gather extremely useful information (such as the user’s browsing history).
2. Writing to the directory allows TCC bypasses, for instance, by overriding the PerSitePreferences.db.

Apple’s approach of protecting that directory with TCC is therefore very justified.

Exploitation

Similar to the exploit we developed for powerdir, we noticed that sensitive files exist under the user’s home directory. We concluded we could use a similar method to remove the protection for the ~/Library/Safari directory.

Our exploit involves the following steps:

1. Change the home directory of the current user with the dscl utility, which does not require TCC access in Sonoma (At this point, the ~/Library/Safari directory is no longer TCC protected).
2. Modify the sensitive files under the user’s real home directory (such as /Users/$USER/Library/Safari/PerSitePreferences.db).
3. Change the home directory again so Safari uses the now modified files.
4. Run Safari to open a webpage that takes a camera snapshot and trace device location.

In our exploit, we also reset the TCC permissions of the Terminal (using tccutil) for the sake of demonstration.

We noticed that PerSitePreferences.db is used only when a secure connection occurs (over HTTPS), but an attacker could host malicious JavaScript code over HTTPS.

The JavaScript code that takes the camera snapshot and retrieves location information is straightforward and is hosted here (the code does not include the exploit). The most important part that usually requires TCC camera access is:

We downloaded the snapshot in our demonstration, but in a real scenario, an attacker could do stealthy things, including:

1. Host the snapshot somewhere to be downloaded later privately.
2. Save an entire camera stream.
3. Record microphone and stream it to another server or upload it.
4. Get access to the device’s location.
5. Start Safari in a very small window to not draw attention.

We called our exploit HM Surf in reference to the HM03 (Surf) Safari zone and recorded a complete video of our exploit. Note how TCC access for Camera is not permitted, as well as Safari-specific controls do not automatically allow Camera access:

Third-party browsers

Third-party browsers such as Google Chrome, Mozilla Firefox, or Microsoft Edge do not have the same private entitlements as Apple applications, which means that the said apps can’t bypass TCC checks.

Therefore, when an end-user runs a third-party browser to use a TCC service (such as the camera, microphone, or location) for the first time, a TCC popup will appear and ask for access to the resource. By design, the access approval happens at the app level rather than at a per-origin (the combination of schema, host name, and port number) level. Once access is approved to an app, it’s then up to that app to maintain their own database of approved origins for privacy and safety.

Detecting new Adload behavior via behavioral monitoring

After discovering this new technique of bypassing TCC, we deployed behavior monitoring detection strategies to protect customers. In analyzing the intelligence gathered from the detection strategies, we observed a suspicious activity in a customer’s device: a process by the name of p running from the /private/tmp world-writable folder (SHA-256: 17e1b83089814128bc243315894f412026503c10b710c9c59d4aaf67bc209cb8) that anomalously modified the local user’s Chrome Preferences file.

Upon further examination, we discovered the parent process was running with the following command line:

/Users/<username>/Library/Application Support/.17066225541972342347/Services/com.BasicIndex.service/BasicIndex.service” -s 6600

The com.BasicIndex.service folder name is a fake macOS service attributed to Adload, a prevalent macOS threat family we have described in the past.

These are the behaviors we discovered:

Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the Adload campaign is exploiting the HM surf vulnerability itself. Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.

Microsoft Defender for Endpoint uses advanced behavioral analytics and machine learning to detect anomalous activities on a device and can detect this kind of malicious behavior, including anomalous modification of the Preferences file through HM Surf or other methods.

Hardening device security through vulnerability management and behavioral monitoring

Continuous research on vulnerabilities in security technologies like TCC in macOS devices is important to help ensure that user data is protected from unauthorized access. Software vendors are always in a tight race against malicious actors to discover vulnerabilities and address them before they are exploited for attacks. The discoveries and insights from our research, including vulnerabilities such as Migraine, powerdir, and Shrootless, enrich our protection technologies and solutions such as Microsoft Defender for Endpoint, which allows organizations to quickly discover and remediate vulnerabilities in their networks that are increasingly becoming heterogeneous.

In addition, Microsoft Defender for Endpoint uses advanced behavioral analytics and machine learning to detect anomalous activities on a device, such as creating spoofed home directories, a technique which was previously used in other vulnerabilities. In the example provided in the previous section, Microsoft Defender for Endpoint detects modifications to the Safari private directory, as well as private directories of third-party browsers, as suspicious. Extending the concept, Defender for Endpoint has similar detections for sensitive file access (including Safari-specific settings) by a non-Safari application.

Apple has also introduced new APIs for App Group Containers that make SIP (System Integrity Policy) that protect configuration files from being modified by an external attacker, resolving the vulnerability class. At present, only Safari uses the new protections afforded by TCC. Microsoft is currently collaborating with other major browser vendors to investigate the benefits of hardening local configuration files. While Chromium and Firefox is yet to adopt the new APIs, Chromium is moving towards using os_crypt which solves the attack in a different way.

Microsoft continues to monitor the threat landscape to discover new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices. As cross-platform threats continue to increase, a coordinated response to vulnerability discoveries and other forms of threat intelligence sharing will help enrich protection technologies that secure users’ computing experience regardless of the platform or device they’re using.

References

• https://developer.apple.com/documentation/security/hardened_runtime
• https://attack.mitre.org/techniques/T1055/
• https://ss64.com/mac/dscl.html
• https://ss64.com/mac/tccutil.html
• https://github.com/yo-yo-yo-jbo/hm-surf/blob/main/hm-surf.html
• https://bulbapedia.bulbagarden.net/wiki/HM03

Jonathan Bar Or
Microsoft Threat Intelligence

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post New macOS vulnerability, “HM Surf”, could lead to unauthorized data access appeared first on Microsoft Security Blog.

Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files. However, the widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.

Importantly, Microsoft takes action against malicious users violating the Microsoft Services Agreement in how they use apps like SharePoint and OneDrive. To help protect enterprise accounts from compromise, by default both Microsoft 365 and Office 365 support multi-factor authentication (MFA) and passwordless sign-in. Consumers can also go passwordless with their Microsoft account. Because security is a team sport, Microsoft also works with third parties like Dropbox to share threat intelligence and protect mutual customers and the wider community.

In this blog, we discuss the typical attack chain used in campaigns misusing file hosting services and detail the recently observed tactics, techniques, and procedures (TTPs), including the increasing use of certain defense evasion tactics. To help defenders protect their identities and data, we also share mitigation guidance to help reduce the impact of this threat, and detection details and hunting queries to locate potential misuse of file hosting services and related threat actor activities. By understanding these evolving threats and implementing the recommended mitigations, organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.

Attack overview

Phishing campaigns exploiting legitimate file hosting services have been trending throughout the last few years, especially due to the relative ease of the technique. The files are delivered through different approaches, including email and email attachments like PDFs, OneNote, and Word files, with the intent of compromising identities or devices. These campaigns are different from traditional phishing attacks because of the sophisticated defense evasion techniques used.

Since mid-April 2024, we observed threat actors increasingly use these tactics aimed at circumventing defense mechanisms:

• Files with restricted access: The files sent through the phishing emails are configured to be accessible solely to the designated recipient. This requires the recipient to be signed in to the file-sharing service—be it Dropbox, OneDrive, or SharePoint—or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service.
• Files with view-only restrictions: To bypass analysis by email detonation systems, the files shared in these phishing attacks are set to ‘view-only’ mode, disabling the ability to download and consequently, the detection of embedded URLs within the file.

An example attack chain is provided below, depicting the updated defense evasion techniques being used across stages 4, 5, and 6:

Initial access

The attack typically begins with the compromise of a user within a trusted vendor. After compromising the trusted vendor, the threat actor hosts a file on the vendor’s file hosting service, which is then shared with a target organization. This misuse of legitimate file hosting services is particularly effective because recipients are more likely to trust emails from known vendors, allowing threat actors to bypass security measures and compromise identities. Often, users from trusted vendors are added to allow lists through policies set by the organization on Exchange Online products, enabling phishing emails to be successfully delivered.

While file names observed in these campaigns also included the recipients, the hosted files typically follow these patterns:

• Familiar topics based on existing conversations
  • For example, if the two organizations have prior interactions related to an audit, the shared files could be named “Audit Report 2024”.
• Familiar topics based on current context
  • If the attack has not originated from a trusted vendor, the threat actor often impersonates administrators or help desk or IT support personnel in the sender display name and uses a file name such as “IT Filing Support 2024”, “Forms related to Tax submission”, or “Troubleshooting guidelines”.
• Topics based on urgency
  • Another common technique observed by the threat actors creating these files is that they create a sense of urgency with the file names like “Urgent:Attention Required” and “Compromised Password Reset”.

Defense evasion techniques

Once the threat actor shares the files on the file hosting service with the intended users, the file hosting service sends the target user an automated email notification with a link to access the file securely. This email is not a phishing email but a notification for the user about the sharing action. In scenarios involving SharePoint or OneDrive, the file is shared from the user’s context, with the compromised user’s email address as the sender. However, in the Dropbox scenario, the file is shared from no-reply@dropbox[.]com. The files are shared through automated notification emails with the subject: “<User> shared <document> with you”. To evade detections, the threat actor deploys the following additional techniques:

• Only the intended recipient can access the file
  • The intended recipient needs to re-authenticate before accessing the file
  • The file is accessible only for a limited time window
• The PDF shared in the file cannot be downloaded

These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted.

Identity compromise

When the targeted user accesses the shared file, the user is prompted to verify their identity by providing their email address:

Next, an OTP is sent from no-reply@notify.microsoft[.]com. Once the OTP is submitted, the user is successfully authorized and can view a document, often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the “View my message” access link.

This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign.

Recommended actions

Microsoft recommends the following mitigations to reduce the impact of this threat:

• Enable Conditional Access policies in Microsoft Entra, especially risk-based access policies. Conditional access policies evaluate sign-in requests using additional identity-driven signals like user or group membership, IP address location information, and device status, among others, are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices, Azure trusted IP address requirements, or risk-based policies with proper access control. If you are still evaluating Conditional Access, use security defaults as an initial baseline set of policies to improve identity security posture.
• Implement continuous access evaluation.
• Implement Microsoft Entra passwordless sign-in with FIDO2 security keys.
• Turn on network protection in Microsoft Defender for Endpoint to block connections to malicious domains and IP addresses.
• Implement Microsoft Defender for Endpoint – Mobile Threat Defense on mobile devices used to access enterprise assets.
• Leverage Microsoft Edge to automatically identify and block malicious websites, including those used in this phishing campaign, and Microsoft Defender for Office 365 to detect and block malicious emails, links, and files. Monitor suspicious or anomalous activities in Microsoft Entra ID Protection. Investigate sign-in attempts with suspicious characteristics (such as the location, ISP, user agent, and use of anonymizer services). Educate users about the risks of secure file sharing and emails from trusted vendors.

Appendix

Microsoft Defender XDR detections

Microsoft Defender XDR raises the following alerts by combining Microsoft Defender for Office 365 URL click and Microsoft Entra ID Protection risky sign-ins signal.

• Risky sign-in after clicking a possible AiTM phishing URL
• User compromised through session cookie hijack
• User compromised in a known AiTM phishing kit

Hunting queries

Microsoft Defender XDR 

The file sharing events related to the activity in this blog post can be audited through the CloudAppEvents telemetry. Microsoft Defender XDR customers can run the following query to find related activity in their networks: 

Automated email notifications and suspicious sign-in activity

By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.

let usersWithSuspiciousEmails = EmailEvents
    | where SenderFromAddress in ("no-reply@notify.microsoft.com", "no-reply@dropbox.com") or InternetMessageId startswith "<OneTimePasscode"
    | where isnotempty(RecipientObjectId)
    | distinct RecipientObjectId;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

Files share contents and suspicious sign-in activity

In the majority of the campaigns, the file name involves a sense of urgency or content related to finance or credential updates. By correlating the file share emails with suspicious sign-ins, compromises can be detected. (For example: Alex shared “Password Reset Mandatory.pdf” with you). Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection.

let usersWithSuspiciousEmails = EmailEvents
    | where Subject has_all ("shared", "with you")
    | where Subject has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password")
    | where isnotempty(RecipientObjectId)
    | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId) by Subject
    | where RecipientCount >= 10
    | mv-expand RecipientList to typeof(string)
    | distinct RecipientList;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100

BEC: File sharing tactics based on the file hosting service used

To initiate the file sharing activity, these campaigns commonly use certain action types depending on the file hosting service being leveraged. Below are the action types from the audit logs recorded for the file sharing events. These action types can be used to hunt for activities related to these campaigns by replacing the action type for its respective application in the queries below this table.

OneDrive or SharePoint: The following query highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.

let securelinkCreated = CloudAppEvents
    | where ActionType == "SecureLinkCreated"
    | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
let filesCreated = securelinkCreated
    | where isnotempty(ObjectName)
    | distinct tostring(ObjectName);
CloudAppEvents
| where ActionType == "AddedToSecureLink"
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
| extend FileShared = tostring(RawEventData.ObjectId)
| where FileShared in (filesCreated)
| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
| where TypeofUserSharedWith == "Guest"
| where isnotempty(FileShared) and isnotempty(UserSharedWith)
| join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
// Secure file created recently (in the last 1day)
| where (Timestamp - FileCreatedTime) between (1d .. 0h)
| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
| where NumofUsersSharedWith >= 20

Dropbox: The following query highlights that a file hosted on Dropbox has been shared with multiple participants.

CloudAppEvents
| where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
| where Application == "Dropbox"
| where ObjectType == "File"
| extend FileShared = tostring(ObjectName)
| where isnotempty(FileShared)
| mv-expand ActivityObjects
| where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
| extend SharedBy = AccountId
| extend UserSharedWith = tostring(ActivityObjects.Name)
| summarize dcount(UserSharedWith) by FileShared, AccountObjectId
| where dcount_UserSharedWith >= 20

Microsoft Sentinel

Microsoft Sentinel customers can use the resources below to find related activities similar to those described in this post:

The following query identifies files with specific keywords that attackers might use in this campaign that have been shared through OneDrive or SharePoint using a Secure Link and accessed by over 10 unique users. It captures crucial details like target users, client IP addresses, timestamps, and file URLs to aid in detecting potential attacks:

let OperationName = dynamic(['SecureLinkCreated', 'AddedToSecureLink']);
OfficeActivity
| where Operation in (OperationName)
| where OfficeWorkload in ('OneDrive', 'SharePoint')
| where SourceFileName has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password", "paycheck", "bank statement", "bank details", "closing", "funds", "bank account", "account details", "remittance", "deposit", "Reset")
| summarize CountOfShares = dcount(TargetUserOrGroupName), 
            make_list(TargetUserOrGroupName), 
            make_list(ClientIP), 
            make_list(TimeGenerated), 
            make_list(SourceRelativeUrl) by SourceFileName, OfficeWorkload
| where CountOfShares > 10

Considering that the attacker compromises users through AiTM,  possible AiTM phishing attempts can be detected through the below rule:

• Possible AiTM Phishing Attempt

In addition, customers can also use the following identity-focused queries to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor:

• Signins From VPS Providers
• Signins from Nord VPN Providers
• Successful Signin From Non-Compliant Device

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post File hosting services misused for identity phishing appeared first on Microsoft Security Blog.

Storm-0501 has been active as early as 2021, initially observed deploying the Sabbath(54bb47h) ransomware in attacks targeting US school districts, publicly leaking data for extortion, and even directly messaging school staff and parents. Since then, most of the threat actor’s attacks have been opportunistic, as the group began operating as a ransomware-as-a-service (RaaS) affiliate deploying multiple ransomware payloads developed and maintained by other threat actors over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. The threat actor was also recently observed targeting hospitals in the US.

Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environment to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises. Microsoft previously observed threat actors such as Octo Tempest and Manatee Tempest targeting both on-premises and cloud environments and exploiting the interfaces between the environments to achieve their goals.

As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations. Microsoft is committed to helping customers understand these attacks and build effective defenses against them.

In this blog post, we will go over Storm-0501’s tactics, techniques, and procedures (TTPs), typical attack methods, and expansion to the cloud. We will also provide information on how Microsoft detects activities related to this kind of attack, as well as provide mitigation guidance to help defenders protect their environment.

Analysis of the recent Storm-0501 campaign

On-premises compromise

Initial access and reconnaissance

Storm-0501 previously achieved initial access through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, leveraging possibly stolen compromised credentials to sign in to the target system, or exploiting various known remote code execution vulnerabilities in unpatched public-facing servers. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203). In cases observed by Microsoft, these initial access techniques, combined with insufficient operational security practices by the targets, provided the threat actor with administrative privileges on the target device.

After gaining initial access and code execution capabilities on the affected device in the network, the threat actor performed extensive discovery to find potential desirable targets such as high-value assets and general domain information like Domain Administrator users and domain forest trust. Common native Windows tools and commands, such as systeminfo.exe, net.exe, nltest.exe, tasklist.exe, were leveraged in this phase. The threat actor also utilized open-source tools like ossec-win32 and OSQuery to query additional endpoint information. Additionally, in some of the attacks, we observed the threat actor running an obfuscated version of ADRecon.ps1 called obfs.ps1 or recon.ps1 for Active Directory reconnaissance.

Following initial access and reconnaissance, the threat actor deployed several remote monitoring and management tools (RMMs), such as Level.io, AnyDesk, and NinjaOne to interact with the compromised device and maintain persistence.

Credential access and lateral movement

The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods. The threat actor primarily utilized Impacket’s SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials. The threat actor used the compromised credentials to access more devices in the network and then leveraged Impacket again to collect additional credentials. The threat actor then repeated this process until they compromised a large set of credentials that potentially included multiple Domain Admin credentials.

In addition, the threat actor was observed attempting to gather secrets by reading sensitive files and in some cases gathering KeePass secrets from the compromised devices. The threat actor used EncryptedStore’s Find-KeePassConfig.ps1 PowerShell script to output the database location and keyfile/user master key information and launch the KeePass executable to gather the credentials. We assess with medium confidence that the threat actor also performed extensive brute force activity on a few occasions to gain additional credentials for specific accounts.

The threat actor was observed leveraging Cobalt Strike to move laterally across the network using the compromised credentials and using the tool’s command-and-control (C2) capabilities to directly communicate with the endpoints and send further commands. The common Cobalt Strike Beacon file types used in these campaigns were .dll files and .ocx files that were launched by rundll32.exe and regsvr32.exe respectively. Moreover, the “license_id” associated with this Cobalt Strike Beacon is “666”.  The “license_id” definition is commonly referred to as Watermark and is a nine-digit value that is unique per legitimate license provided by Cobalt Strike. In this case, the “license_id” was modified with 3-digit unique value in all the beacon configurations.

In cases we observed, the threat actor’s lateral movement across the campaign ended with a Domain Admin compromise and access to a Domain Controller that eventually enabled them to deploy ransomware across the devices in the network.

Data collection and exfiltration

The threat actor was observed exfiltrating sensitive data from compromised devices. To exfiltrate data, the threat actor used the open-source tool Rclone and renamed it to known Windows binary names or variations of them, such as svhost.exe or scvhost.exe as masquerading means. The threat actor employed the renamed Rclone binaries to transfer data to the cloud, using a dedicated configuration that synchronized files to public cloud storage services such as MegaSync across multiple threads. The following are command line examples used by the threat actor in demonstrating this behavior:

• Svhost.exe copy –filter-from [REDACTED] [REDACTED] config:[REDACTED] -q –ignore-existing –auto-confirm –multi-thread-streams 11 –transfers 11
• scvhost.exe –config C:\Windows\Debug\a.conf copy [REDACTED UNC PATH] [REDACTED]

Defense evasion

The threat actor attempted to evade detection by tampering with security products in some of the devices they got hands-on-keyboard access to. They employed an open-source tool, resorted to PowerShell cmdlets and existing binaries to evade detection, and in some cases, distributed Group Policy Object (GPO) policies to tamper with security products.

On-premises to cloud pivot

In their recent campaign, we noticed a shift in Storm-0501’s methods. The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor.

Storm-0501 was observed using the following attack vectors and pivot points on the on-premises side to gain subsequent control in Microsoft Entra ID:

Microsoft Entra Connect Sync account compromise

Microsoft Entra Connect, previously known as Azure AD Connect, is an on-premises Microsoft application that plays a critical role in synchronizing passwords and sensitive data between Active Directory (AD) objects and Microsoft Entra ID objects. Microsoft Entra Connect synchronizes the on-premises identity and Microsoft Entra identity of a user account to allow the user to sign in to both realms with the same password. To deploy Microsoft Entra Connect, the application must be installed on an on-premises server or an Azure VM. To decrease the attack surface, Microsoft recommends that organizations deploy Microsoft Entra Connect on a domain-joined server and restrict administrative access to domain administrators or other tightly controlled security groups. Microsoft Incident Response also published recommendations on preventing cloud identity compromise.

Microsoft Entra Connect Sync is a component of Microsoft Entra Connect that synchronizes identity data between on-premises environments and Microsoft Entra ID. During the Microsoft Entra Connect installation process, at least two new accounts (more accounts are created if there are multiple forests) responsible for the synchronization are created, one in the on-premises AD realm and the other in the Microsoft Entra ID tenant. These service accounts are responsible for the synchronization process.

The on-premises account name is prefixed with “MSOL_” and has permissions to replicate directory changes, modify passwords, modify users, modify groups, and more (see full permissions here).

The cloud Microsoft Entra ID account is prefixed with “sync_<Entra Connect server name>_” and has the account display name set to “On-Premises Directory Synchronization Service Account”. This user account is assigned with the Directory Synchronization Accounts role (see detailed permissions of this role here). Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync and helps prevent abuse.

The on-premises and cloud service accounts conduct the syncing operation every few minutes, similar to Password Hash Synchronization (PHS), to uphold real time user experience. Both user accounts mentioned above are crucial for the Microsoft Entra Connect Sync service operations and their credentials are saved encrypted via DPAPI (Data Protection API) on the server’s disk or a remote SQL server.

We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts. We assess that the threat actor was able to achieve this because of the previous malicious activities described in this blog post, such as using Impacket to steal credentials and DPAPI encryption keys, and tampering with security products.

Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear text credentials and get an access token to Microsoft Graph. The compromise of the Microsoft Entra Connect Sync account presents a high risk to the target, as it can allow the threat actor to set or change Microsoft Entra ID passwords of any hybrid account (on-premises account that is synced to Microsoft Entra ID).

Cloud session hijacking of on-premises user account

Another way to pivot from on-premises to Microsoft Entra ID is to gain control of an on-premises user account that has a respective user account in the cloud. In some of the Storm-0501 cases we investigated, at least one of the Domain Admin accounts that was compromised had a respective account in Microsoft Entra ID, with multifactor authentication (MFA) disabled, and assigned with a Global Administrator role. It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case. However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. web browsers passwords store), then the pivot is possible.

If a compromised on-premises user account is not assigned with an administrative role in Microsoft Entra ID and is synced to the cloud and no security boundaries such as MFA or Conditional Access are set, then the threat actor could escalate to the cloud through the following:

1. If the password is known, then logging in to Microsoft Entra is possible from any device.
2. If the password is unknown, the threat actor can reset the on-premises user password, and after a few minutes the new password will be synced to the cloud.
3. If they hold credentials of a compromised Microsoft Entra Directory Synchronization Account, they can set the cloud password using AADInternals’ Set-AADIntUserPassword cmdlet.

If MFA for that user account is enabled, then authentication with the user will require the threat actor to tamper with the MFA or gain control of a device owned by the user and subsequently hijack its cloud session or extract its Microsoft Entra access tokens along with their MFA claims.

MFA is a security practice that requires users to provide two or more verification factors to gain access to a resource and is a recommended security practice for all users, especially for privileged administrators. A lack of MFA or Conditional Access policies limiting the sign-in options opens a wide door of possibilities for the attacker to pivot to the cloud environment, especially if the user has administrative privileges. To increase the security of admin accounts, Microsoft is rolling out additional tenant-level security measures to require MFA for all Azure users.

Impact

Cloud compromise leading to backdoor

Following a successful pivot from the on-premises environment to the cloud through the compromised Microsoft Entra Connect Sync user account or the cloud admin account compromised through cloud session hijacking, the threat actor was able to connect to Microsoft Entra (portal/MS Graph) from any device, using a privileged Microsoft Entra ID account, such as a Global Administrator, and was no longer limited to the compromised devices.

Once Global Administrator access is available for Storm-0501, we observed them creating a persistent backdoor access for later use by creating a new federated domain in the tenant. This backdoor enables an attacker to sign in as any user of the Microsoft Entra ID tenant in hand if the Microsoft Entra ID user property ImmutableId is known or set by the attackers. For users that are configured to be synced by the Microsoft Entra Connect service, the ImmutableId property is automatically populated, while for users that are not synced the default value is null. However, users with administrative privileges can add an ImmutableId value, regardless.

The threat actor used the open-source tool AADInternals, and its Microsoft Entra ID capabilities to create the backdoor. AADInternals is a PowerShell module designed for security researchers and penetration testers that provides various methods for interacting and testing Microsoft Entra ID and is commonly used by Storm-0501. To create the backdoor, the threat actor first needed to have a domain of their own that is registered to Microsoft Entra ID. The attacker’s next step is to determine whether the target domain is managed or federated. A federated domain in Microsoft Entra ID is a domain that is configured to use federation technologies, such as Active Directory Federation Services (AD FS), to authenticate users. If the target domain is managed, then the attackers need to convert it to a federated one and provide a root certificate to sign future tokens upon user authentication and authorization processes. If the target domain is already federated, then the attackers need to add the root certificate as “NextSigningCertificate”.

Once a backdoor domain is available for use, the threat actor creates a federation trust between the compromised tenant, and their own tenant. The threat actor uses the AADInternals commands that enable the creation of Security Assertion Markup Language (SAML or SAML2) tokens, which can be used to impersonate any user in the organization and bypass MFA to sign in to any application. Microsoft observed the actor using the SAML token sign in to Office 365.

On-premises compromise leading to ransomware

Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization. We observed that the threat actor did not always resort to ransomware distribution, and in some cases only maintained backdoor access to the network.

Embargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom. Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid.

In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named “SysUpdate” that was registered via GPO on the devices in the network. The ransomware binaries names that were used were PostalScanImporter.exe and win.exe. Once the files on the target devices were encrypted, the encrypted files extension changed to .partial, .564ba1, and .embargo.

Mitigation and protection guidance

Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync as part of ongoing security hardening. This change helps prevent threat actors from abusing Directory Synchronization Accounts in attacks.

Customers may also refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.

The other techniques used by threat actors and described in this blog can be mitigated by adopting the following security measures:

• Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID environments to slow and stop attackers.
• Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
  • Set a Conditional Access policy to limit the access of Microsoft Entra ID sync accounts from untrusted IP addresses to all cloud apps. The Microsoft Entra ID sync account is identified by having the role ‘Directory Synchronization Accounts’. Please refer to the Advanced Hunting section and check the relevant query to get those IP addresses.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Follow Microsoft’s best practices for securing Active Directory Federation Services.  
• Refer to Azure Identity Management and access control security best practices for further steps and recommendations to manage, design, and secure your Azure AD environment can be found by referring.
• Ensure Microsoft Defender for Cloud Apps connectors are turned on for your organization to receive alerts on the Microsoft Entra ID sync account and all other users.
• Enable protection to prevent by-passing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID.
• Set the validatingDomains property of federatedTokenValidationPolicy to “all” to block attempts to sign-in to any non-federated domain (like .onmicrosoft.com) with SAML tokens.
• Turn on Microsoft Entra ID protection to monitor identity-based risks and create risk-based conditional access policies to remediate risky sign-ins.
• Turn on tamper protection features to prevent attackers from stopping security services such as Microsoft Defender for Endpoint, which can help prevent hybrid cloud environment attacks such as Microsoft Entra Connect abuse.
• Refer to the recommendations in our attacker technique profile, including use of Windows Defender Application Control or AppLocker to create policies to block unapproved information technology (IT) management tools to protect against the abuse of legitimate remote management tools like AnyDesk or Level.io.
• Run endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
• Turn on investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to help remediate alerts, significantly reducing alert volume.

Detection details

Alerts with the following names can be in use when investigating the current campaign of Storm-0501.

Microsoft Defender XDR detections

Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects the Cobalt Strike Beacon as the following:

• Behavior:Win32/CobaltStrike
• Backdoor:Win64/CobaltStrike
• HackTool:Win64/CobaltStrike

Additional Cobalt Strike components are detected as the following:

• TrojanDropper:PowerShell/Cobacis
• Trojan:Win64/TurtleLoader.CS
• Exploit:Win32/ShellCode.BN

Microsoft Defender Antivirus detects tools that enable Microsoft Entra ID enumeration as the following malware: 

• Backdoor:Win32/SuspAadInternalsUsage

Embargo Ransomware threat components are detected as the following:

• Ransom:Win32/Embargo

Microsoft Defender for Endpoint 

Alerts with the following titles in the security center can indicate threat activity related to Storm-0501 on your network:

• Ransomware-linked Storm-0501 threat actor detected

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report. 

• Possible Adobe ColdFusion vulnerability exploitation
• Compromised account conducting hands-on-keyboard attack
• Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
• Ongoing hands-on-keyboard attack via Impacket toolkit
• Suspicious Microsoft Defender Antivirus exclusion
• Attempt to turn off Microsoft Defender Antivirus protection
• Renaming of legitimate tools for possible data exfiltration
• BlackCat ransomware
• ‘Embargo’ ransomware was detected and was active
• Suspicious Group Policy action detected
• An active ‘Embargo’ ransomware was detected

The following alerts might indicate on-premises to cloud pivot through Microsoft Entra Connect:

• Entra Connect Sync credentials extraction attempt
• Suspicious cmdlets launch using AADInternals
• Potential Entra Connect Tampering
• Indication of local security authority secrets theft

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate activity related to this threat:

• Data exfiltration over SMB
• Suspected DCSync attack

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps can detect abuse of permissions in Microsoft Entra ID and other cloud apps. Activities related to the Storm-0501 campaign described in this blog are detected as the following:

• Backdoor creation using AADInternals tool
• Compromised Microsoft Entra ID Cloud Sync account
• Suspicious sign-in to Microsoft Entra Connect Sync account
• Entra Connect Sync account suspicious activity following a suspicious login
• AADInternals tool used by a Microsoft Entra Sync account
• Suspicious login from AADInternals tool

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

• CVE-2022-47966

Threat intelligence reports 

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments: 

• Storm-0501

Advanced hunting 

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Microsoft Entra Connect Sync account exploration

Explore sign-in activity from IdentityLogonEvents, look for uncommon behavior, such as sign-ins from newly seen IP addresses or sign-ins to new applications that are non-sync related.

IdentityLogonEvents
| where Timestamp > ago(30d)
| where AccountDisplayName contains "On-Premises Directory Synchronization Service Account"
| extend ApplicationName = tostring(RawEventData.ApplicationName)
| project-reorder Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, ApplicationName, OSPlatform, DeviceType

Usually, the activity of the sync account is repetitive, coming from the same IP address to the same application, any deviation from the natural flow is worth investigating. Cloud applications that normally accessed by the Microsoft Entra ID sync account are “Microsoft Azure Active Directory Connect”, “Windows Azure Active Directory”, “Microsoft Online Syndication Partner Portal”

Explore the cloud activity (a.k.a ActionType) of the sync account, same as above, this account by nature performs a certain set of actions including ‘update User.’, ‘update Device.’ and so on. New and uncommon activity from this user might indicate an interactive use of the account, even though it could have been from someone inside the organization it could also be the threat actor.

CloudAppEvents
| where Timestamp > ago(30d)
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| extend Workload = RawEventData.Workload
| project-reorder Timestamp, IPAddress, AccountObjectId, ActionType, Application, Workload, DeviceType, OSPlatform, UserAgent, ISP

Pay close attention to action from different DeviceTypes or OSPlatforms, this account automated service is performed from one specific machine, so there shouldn’t be any variety in these fields.

Check which IP addresses Microsoft Entra Connect Sync account uses

This query reveals all IP addresses that the default Microsoft Entra Connect Sync account uses so those could be added as trusted IP addresses for the Entra ID sync account (make sure the account is not compromised before relying on this list)

IdentityLogonEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| where ActionType == "LogonSuccess"
| distinct IPAddress
| union (CloudAppEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| distinct IPAddress)
| distinct IPAddress

Federation and authentication domain changes

Explore the addition of a new authentication or federation domain, validate that the new domain is valid one and was purposefully added

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in ("Set domain authentication.", "Set federation settings on domain.")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Assess your environment for Manage Engine, Netscaler, and ColdFusion vulnerabilities.

DeviceTvmSoftwareVulnerabilities  
| where CveId in ("CVE-2022-47966","CVE-2023-4966","CVE-2023-29300","CVE-2023-38203")   
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Search for file IOC

let selectedTimestamp = datetime(2024-09-17T00:00:00.0000000Z);
let fileName = dynamic(["PostalScanImporter.exe","win.exe","name.dll","248.dll","cs240.dll","fel.ocx","theme.ocx","hana.ocx","obfs.ps1","recon.ps1"]); 
let FileSHA256 = dynamic(["efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d","a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40","caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031","53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9","827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f","ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a","de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304","d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670","c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1"]); 
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents, DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator) TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from September 17th runs the search for 90 days, change the selectedTimestamp accordingly. and  (FileName in (fileName) or OldFileName in (fileName)  or ProfileName in (fileName)  or InitiatingProcessFileName in (fileName)  or InitiatingProcessParentFileName in (fileName)  or InitiatingProcessVersionInfoInternalFileName in (fileName)  or InitiatingProcessVersionInfoOriginalFileName in (fileName)  or PreviousFileName in (fileName)  or ProcessVersionInfoInternalFileName in (fileName) or ProcessVersionInfoOriginalFileName in (fileName) or DestinationFileName in (fileName) or SourceFileName in (fileName)or ServiceFileName in (fileName) or SHA256 in (FileSHA256)  or InitiatingProcessSHA256 in (FileSHA256))

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog, in addition to Microsoft Defender XDR detections list above.

• Remote Management Monitoring Network Connections
• Level.io RMM File Signature
• AnyDesk RMM File Signature
• NinjaOne RMM File Signature
• Potential Impacket Execution
• Potential ransomware activity related to Cobalt Strike
• Cobalt DNS Beacon
• C2-NamedPipe
• Renamed Rclone Exfiltration
• Disable Or Modify Windows Defender
• Clearing of forensic evidence from event logs using wevtutil
• Suspicious Signin By AAD Connect Account

Indicators of compromise (IOCs)

The following list provides indicators of compromise (IOCs) observed during our investigation. We encourage our customers to investigate these indicators within their environments and implement detections and protections to identify any past related activity and prevent future attacks against their systems.

References

• The Rust Revolution: New Embargo Ransomware Steps In – Cyble
• Embargo Ransomware Group: The Interview (suspectfile.com)
• https://aadinternals.com/post/aadbackdoor/
• https://aadinternals.com/post/aad-deepdive/

Omri Refaeli, Tafat Gaspar, Vaibhav Deshmukh, Naya Hashem, Charles-Edouard Bettan

Microsoft Threat Intelligence Community

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Storm-0501: Ransomware attacks expanding to hybrid cloud environments appeared first on Microsoft Security Blog.