Ransomware News and Insights | Microsoft Security Blog http://approjects.co.za/?big=en-us/security/blog/tag/ransomware/ Expert coverage of cybersecurity topics Thu, 31 Oct 2024 10:19:15 +0000 en-US hourly 1 https://wordpress.org/?v=6.6.2 Microsoft Threat Intelligence healthcare ransomware report highlights need for collective industry action http://approjects.co.za/?big=en-us/security/blog/2024/10/22/microsoft-threat-intelligence-healthcare-ransomware-report-highlights-need-for-collective-industry-action/ Tue, 22 Oct 2024 16:00:00 +0000 Healthcare organizations are an attractive target for ransomware attacks. Read our latest blog post to learn why and get strategies to protect yourself from cyberthreats.​

The post Microsoft Threat Intelligence healthcare ransomware report highlights need for collective industry action appeared first on Microsoft Security Blog.

]]>
Healthcare organizations are an increasingly attractive target for threat actors. In a new Microsoft Threat Intelligence report, US healthcare at risk: strengthening resiliency against ransomware attacks, our researchers identified that ransomware continues to be among the most common and impactful cyberthreats targeting organizations. The report offers a holistic view of the healthcare threat landscape with a particular focus on ransomware attacks observed in recent years. By reading the report, healthcare organizations will gain insights that will help navigate these cyberthreats and understand how collective defense strategies can help improve protection and increase access to relevant threat intelligence.

Prior to 2020, there was an unspoken rule of threat actors to not launch attacks against schools and children, infrastructure, and healthcare organizations.1 However, that “rule” no longer applies, and in the past four years the healthcare threat landscape has seen tremendous shifts for the worse.

To put this shift into context, consider these trends from the Microsoft Threat Intelligence report showing healthcare cybersecurity challenges:

  • Healthcare is one of the top 10 most targeted industries in the second quarter of 20242—and has been for the past four quarters.
  • Ransomware attacks are costly, with healthcare organizations losing an average of $900,000 per day on downtime alone.3
  • In a recent study, out of the 99 healthcare organizations that admitted to paying a ransom and disclosed the ransom paid, the average payment was $4.4 million.4

The serious impact of ransomware on healthcare

While the potential financial risk for healthcare organizations is high, lives are at stake because ransomware attacks impact patient outcomes. If healthcare providers are not able to use diagnostic equipment or access patient medical records because it’s under ransom, care will be disrupted.

Healthcare facilities located near hospitals that are impacted by ransomware are also affected because they experience a surge of patients needing care and are unable to support them in an urgent manner. As a result, patients can experience longer wait times, which studies show could lead to more severe stroke cases and heart attack cases.5

These attacks don’t just impact facilities in large cities; in fact, rural health clinics are also a target for cyberattacks. They are particularly vulnerable to ransomware incidents because they often have limited means to prevent and remediate security risks. This can be devastating for a community as these hospitals are often the only healthcare option for many miles in the communities they serve.  

Why healthcare is an appealing target for threat actors

Healthcare organizations collect and store extremely sensitive data, which likely contributes to threat actors targeting them in ransomware attacks. However, a more significant reason these facilities are at risk is the potential for huge financial payouts. As referenced earlier, lives are at stake and healthcare facilities committed to patient care can’t risk poor patient outcomes if their systems are taken down. They also can’t risk their patients’ data being exposed if they don’t pay the ransom. That reputation for paying ransoms—for understandable reasons—makes them a target.

What is phishing?

Learn more

Healthcare facilities are also targeted because of their limited security resources and cybersecurity investments to defend against these threats compared to other sectors. Facilities often lack staff dedicated to cybersecurity and in fact, some facilities don’t have a chief information security officer (CISO) or dedicated security operations center at all. Instead, their IT department may be tasked with managing cybersecurity. Doctors, nurses, and healthcare staff may not have received any cybersecurity training or know the signs to look for to identify a phishing email.

How cyber criminals target healthcare organizations

Financially motivated cyber criminals are using an evolving set of ransomware tactics on healthcare organizations. One common approach involves two steps. First, they gain access to an organization’s network, often using social engineering tactics through a phishing email or text. Then, they use that access to deploy ransomware to encrypt and lock healthcare systems and data so they can seek a ransom for their release.

“Once ransomware is deployed, attackers typically move quickly to encrypt critical systems and data, often within a matter of hours,” said Jack Mott of Microsoft Threat Intelligence in the Microsoft ransomware report. “They target essential infrastructure, such as patient records, diagnostic systems, and even billing operations, to maximize the impact and pressure on healthcare organizations to pay the ransom.”

Social engineering tactics often involve convincing the email recipient to act in ways they normally wouldn’t, such as clicking on an unknown link, and using the tactics of urgency, emotion, and habit. Social engineering fraud is a serious problem. In just this fiscal year, a staggering 389 healthcare institutions across the United States fell victim to ransomware attacks, according to the 2024 Microsoft Digital Defense Report.6 The aftermath was severe, resulting in network closures, offline systems, delays in critical medical operations, and rescheduled appointments.

Another common approach is ransomware as a service (RaaS), a cybercrime business model growing in popularity. The RaaS model is an agreement between an operator, who develops extortion tools, and an affiliate, who deploys the ransomware. Both parties benefit from a successful ransomware and extortion attack, and it’s “democratized access to sophisticated ransomware tools,” Mott said. This model enables cyber criminals without the means of developing their own tools to launch their nefarious activities. Sometimes, they may simply purchase network access from a cybercrime group that has already breached a network. RaaS severely widens the risk to healthcare organizations, making ransomware more accessible and frequent.

Cybercrime tactics continue to grow in sophistication. Microsoft is continually tracking the latest cybercrime threats to support our customers and increase the knowledge of the entire global community. These threats include actions by threat actor groups Vanilla Tempest and Sangria Tempest, which are known for their financially motivated criminal activities.

Take a collective defense approach to boost your cyber resilience and visibility

We recognize that not all organizations have a robust cybersecurity team or even the resources to enable a cybersecurity resilience strategy. This is why it is important for us as a community to come together and share best practices, tools, and guidance. We encourage your organization to collaborate with regional, national, and global healthcare organizations such as Health-ISAC (Information Sharing and Analysis Centers). The Health-ISAC provides healthcare organizations with platforms to exchange threat intelligence. Health-ISAC Chief Security Officer Errol Weiss says these organizations are like “virtual neighborhood watch programs,” sharing threat experiences and defense strategies. 

It’s also important to foster a security-first mindset among healthcare staff. Dr. Christian Dameff and Dr. Jeff Tully, Co-directors of the University of California San Diego Center for Healthcare Cybersecurity, emphasize that breaking down silos between IT security teams, emergency managers, and clinical staff to develop cohesive incident response plans is key. They also recommend running high-fidelity clinical simulations that expose doctors and nurses to real-world cyberattack scenarios.

For rural hospitals that provide critical services to the communities they serve across the US, Microsoft created the Microsoft Cybersecurity Program for Rural Hospitals, which provides affordable access to Microsoft security solutions, builds cybersecurity capacity, and helps solve root challenges through innovation.

For healthcare organizations that have the resources, as part of this report we provide guidance on how to:

  • Establish a robust governance framework.
  • Create an incident response and detection plan. Then be prepared to execute it efficiently during an actual attack to minimize damage and ensure a quick recovery.
  • Implement continuous monitoring and real-time detection capabilities.
  • Educate your organization using our cybersecurity awareness and education #BeCyberSmart Kit.
  • Harness more resilience strategies found in the report.

Given the serious cyberthreats against healthcare organizations, it’s critical to protect your assets by understanding the situation and taking steps to prevent it. For more details on the current healthcare cyberthreat landscape and ransomware threats, and for more in-depth guidance on boosting resilience, read the “US healthcare at risk: Strengthening resiliency against ransomware attacks” report and watch our healthcare threat intelligence briefing video, which is included in the report. To stay up-to-date on the latest threat intelligence insights and get actionable guidance for your security efforts, bookmark Microsoft Security Insider.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1How to protect your networks from ransomware, justice.gov.

2Threat Landscape: Healthcare and Public Health Sector, April 2024. Microsoft Threat Intelligence.

3On average, healthcare organizations lose $900,000 per day to downtime from ransomware attacks, Comparitech. March 6, 2024.

4Healthcare Ransomware Attacks Continue to Increase in Number and Severity, The HIPAA Journal. September 2024.

5Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US, JAMA Network. May 8, 2023.

6Microsoft Digital Defense Report 2024.

The post Microsoft Threat Intelligence healthcare ransomware report highlights need for collective industry action appeared first on Microsoft Security Blog.

]]>
Storm-0501: Ransomware attacks expanding to hybrid cloud environments http://approjects.co.za/?big=en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/ Thu, 26 Sep 2024 17:00:00 +0000 Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, […]

The post Storm-0501: Ransomware attacks expanding to hybrid cloud environments appeared first on Microsoft Security Blog.

]]>
Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations.

Storm-0501 has been active as early as 2021, initially observed deploying the Sabbath(54bb47h) ransomware in attacks targeting US school districts, publicly leaking data for extortion, and even directly messaging school staff and parents. Since then, most of the threat actor’s attacks have been opportunistic, as the group began operating as a ransomware-as-a-service (RaaS) affiliate deploying multiple ransomware payloads developed and maintained by other threat actors over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. The threat actor was also recently observed targeting hospitals in the US.

Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environment to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises. Microsoft previously observed threat actors such as Octo Tempest and Manatee Tempest targeting both on-premises and cloud environments and exploiting the interfaces between the environments to achieve their goals.

As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations. Microsoft is committed to helping customers understand these attacks and build effective defenses against them.

In this blog post, we will go over Storm-0501’s tactics, techniques, and procedures (TTPs), typical attack methods, and expansion to the cloud. We will also provide information on how Microsoft detects activities related to this kind of attack, as well as provide mitigation guidance to help defenders protect their environment.

A diagram of the Storm-0501 attack chain
Figure 1. Storm-0501 attack chain

Analysis of the recent Storm-0501 campaign

On-premises compromise

Initial access and reconnaissance

Storm-0501 previously achieved initial access through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, leveraging possibly stolen compromised credentials to sign in to the target system, or exploiting various known remote code execution vulnerabilities in unpatched public-facing servers. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203). In cases observed by Microsoft, these initial access techniques, combined with insufficient operational security practices by the targets, provided the threat actor with administrative privileges on the target device.

After gaining initial access and code execution capabilities on the affected device in the network, the threat actor performed extensive discovery to find potential desirable targets such as high-value assets and general domain information like Domain Administrator users and domain forest trust. Common native Windows tools and commands, such as systeminfo.exe, net.exe, nltest.exe, tasklist.exe, were leveraged in this phase. The threat actor also utilized open-source tools like ossec-win32 and OSQuery to query additional endpoint information. Additionally, in some of the attacks, we observed the threat actor running an obfuscated version of ADRecon.ps1 called obfs.ps1 or recon.ps1 for Active Directory reconnaissance.

Following initial access and reconnaissance, the threat actor deployed several remote monitoring and management tools (RMMs), such as Level.io, AnyDesk, and NinjaOne to interact with the compromised device and maintain persistence.

Credential access and lateral movement

The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods. The threat actor primarily utilized Impacket’s SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials. The threat actor used the compromised credentials to access more devices in the network and then leveraged Impacket again to collect additional credentials. The threat actor then repeated this process until they compromised a large set of credentials that potentially included multiple Domain Admin credentials.

In addition, the threat actor was observed attempting to gather secrets by reading sensitive files and in some cases gathering KeePass secrets from the compromised devices. The threat actor used EncryptedStore’s Find-KeePassConfig.ps1 PowerShell script to output the database location and keyfile/user master key information and launch the KeePass executable to gather the credentials. We assess with medium confidence that the threat actor also performed extensive brute force activity on a few occasions to gain additional credentials for specific accounts.

The threat actor was observed leveraging Cobalt Strike to move laterally across the network using the compromised credentials and using the tool’s command-and-control (C2) capabilities to directly communicate with the endpoints and send further commands. The common Cobalt Strike Beacon file types used in these campaigns were .dll files and .ocx files that were launched by rundll32.exe and regsvr32.exe respectively. Moreover, the “license_id” associated with this Cobalt Strike Beacon is “666”.  The “license_id” definition is commonly referred to as Watermark and is a nine-digit value that is unique per legitimate license provided by Cobalt Strike. In this case, the “license_id” was modified with 3-digit unique value in all the beacon configurations.

In cases we observed, the threat actor’s lateral movement across the campaign ended with a Domain Admin compromise and access to a Domain Controller that eventually enabled them to deploy ransomware across the devices in the network.

Data collection and exfiltration

The threat actor was observed exfiltrating sensitive data from compromised devices. To exfiltrate data, the threat actor used the open-source tool Rclone and renamed it to known Windows binary names or variations of them, such as svhost.exe or scvhost.exe as masquerading means. The threat actor employed the renamed Rclone binaries to transfer data to the cloud, using a dedicated configuration that synchronized files to public cloud storage services such as MegaSync across multiple threads. The following are command line examples used by the threat actor in demonstrating this behavior:

  • Svhost.exe copy –filter-from [REDACTED] [REDACTED] config:[REDACTED] -q –ignore-existing –auto-confirm –multi-thread-streams 11 –transfers 11
  • scvhost.exe –config C:\Windows\Debug\a.conf copy [REDACTED UNC PATH] [REDACTED]

Defense evasion

The threat actor attempted to evade detection by tampering with security products in some of the devices they got hands-on-keyboard access to. They employed an open-source tool, resorted to PowerShell cmdlets and existing binaries to evade detection, and in some cases, distributed Group Policy Object (GPO) policies to tamper with security products.

On-premises to cloud pivot

In their recent campaign, we noticed a shift in Storm-0501’s methods. The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor.

Storm-0501 was observed using the following attack vectors and pivot points on the on-premises side to gain subsequent control in Microsoft Entra ID:

Microsoft Entra Connect Sync account compromise

Microsoft Entra Connect, previously known as Azure AD Connect, is an on-premises Microsoft application that plays a critical role in synchronizing passwords and sensitive data between Active Directory (AD) objects and Microsoft Entra ID objects. Microsoft Entra Connect synchronizes the on-premises identity and Microsoft Entra identity of a user account to allow the user to sign in to both realms with the same password. To deploy Microsoft Entra Connect, the application must be installed on an on-premises server or an Azure VM. To decrease the attack surface, Microsoft recommends that organizations deploy Microsoft Entra Connect on a domain-joined server and restrict administrative access to domain administrators or other tightly controlled security groups. Microsoft Incident Response also published recommendations on preventing cloud identity compromise.

Microsoft Entra Connect Sync is a component of Microsoft Entra Connect that synchronizes identity data between on-premises environments and Microsoft Entra ID. During the Microsoft Entra Connect installation process, at least two new accounts (more accounts are created if there are multiple forests) responsible for the synchronization are created, one in the on-premises AD realm and the other in the Microsoft Entra ID tenant. These service accounts are responsible for the synchronization process.

The on-premises account name is prefixed with “MSOL_” and has permissions to replicate directory changes, modify passwords, modify users, modify groups, and more (see full permissions here).

A screenshot of the on-premises account name in Microsoft Entra Connect Sync
Figure 2. The on-premises account name

The cloud Microsoft Entra ID account is prefixed with “sync_<Entra Connect server name>_” and has the account display name set to “On-Premises Directory Synchronization Service Account”. This user account is assigned with the Directory Synchronization Accounts role (see detailed permissions of this role here). Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync and helps prevent abuse.

A screenshot of the cloud account name in Microsoft Entra Connect Sync
Figure 3. The cloud account name

The on-premises and cloud service accounts conduct the syncing operation every few minutes, similar to Password Hash Synchronization (PHS), to uphold real time user experience. Both user accounts mentioned above are crucial for the Microsoft Entra Connect Sync service operations and their credentials are saved encrypted via DPAPI (Data Protection API) on the server’s disk or a remote SQL server.

We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts. We assess that the threat actor was able to achieve this because of the previous malicious activities described in this blog post, such as using Impacket to steal credentials and DPAPI encryption keys, and tampering with security products.

Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear text credentials and get an access token to Microsoft Graph. The compromise of the Microsoft Entra Connect Sync account presents a high risk to the target, as it can allow the threat actor to set or change Microsoft Entra ID passwords of any hybrid account (on-premises account that is synced to Microsoft Entra ID).

Cloud session hijacking of on-premises user account

Another way to pivot from on-premises to Microsoft Entra ID is to gain control of an on-premises user account that has a respective user account in the cloud. In some of the Storm-0501 cases we investigated, at least one of the Domain Admin accounts that was compromised had a respective account in Microsoft Entra ID, with multifactor authentication (MFA) disabled, and assigned with a Global Administrator role. It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case. However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. web browsers passwords store), then the pivot is possible.

If a compromised on-premises user account is not assigned with an administrative role in Microsoft Entra ID and is synced to the cloud and no security boundaries such as MFA or Conditional Access are set, then the threat actor could escalate to the cloud through the following:

  1. If the password is known, then logging in to Microsoft Entra is possible from any device.
  2. If the password is unknown, the threat actor can reset the on-premises user password, and after a few minutes the new password will be synced to the cloud.
  3. If they hold credentials of a compromised Microsoft Entra Directory Synchronization Account, they can set the cloud password using AADInternals’ Set-AADIntUserPassword cmdlet.

If MFA for that user account is enabled, then authentication with the user will require the threat actor to tamper with the MFA or gain control of a device owned by the user and subsequently hijack its cloud session or extract its Microsoft Entra access tokens along with their MFA claims.

MFA is a security practice that requires users to provide two or more verification factors to gain access to a resource and is a recommended security practice for all users, especially for privileged administrators. A lack of MFA or Conditional Access policies limiting the sign-in options opens a wide door of possibilities for the attacker to pivot to the cloud environment, especially if the user has administrative privileges. To increase the security of admin accounts, Microsoft is rolling out additional tenant-level security measures to require MFA for all Azure users.

Impact

Cloud compromise leading to backdoor

Following a successful pivot from the on-premises environment to the cloud through the compromised Microsoft Entra Connect Sync user account or the cloud admin account compromised through cloud session hijacking, the threat actor was able to connect to Microsoft Entra (portal/MS Graph) from any device, using a privileged Microsoft Entra ID account, such as a Global Administrator, and was no longer limited to the compromised devices.

Once Global Administrator access is available for Storm-0501, we observed them creating a persistent backdoor access for later use by creating a new federated domain in the tenant. This backdoor enables an attacker to sign in as any user of the Microsoft Entra ID tenant in hand if the Microsoft Entra ID user property ImmutableId is known or set by the attackers. For users that are configured to be synced by the Microsoft Entra Connect service, the ImmutableId property is automatically populated, while for users that are not synced the default value is null. However, users with administrative privileges can add an ImmutableId value, regardless.

The threat actor used the open-source tool AADInternals, and its Microsoft Entra ID capabilities to create the backdoor. AADInternals is a PowerShell module designed for security researchers and penetration testers that provides various methods for interacting and testing Microsoft Entra ID and is commonly used by Storm-0501. To create the backdoor, the threat actor first needed to have a domain of their own that is registered to Microsoft Entra ID. The attacker’s next step is to determine whether the target domain is managed or federated. A federated domain in Microsoft Entra ID is a domain that is configured to use federation technologies, such as Active Directory Federation Services (AD FS), to authenticate users. If the target domain is managed, then the attackers need to convert it to a federated one and provide a root certificate to sign future tokens upon user authentication and authorization processes. If the target domain is already federated, then the attackers need to add the root certificate as “NextSigningCertificate”.

Once a backdoor domain is available for use, the threat actor creates a federation trust between the compromised tenant, and their own tenant. The threat actor uses the AADInternals commands that enable the creation of Security Assertion Markup Language (SAML or SAML2) tokens, which can be used to impersonate any user in the organization and bypass MFA to sign in to any application. Microsoft observed the actor using the SAML token sign in to Office 365.

On-premises compromise leading to ransomware

Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization. We observed that the threat actor did not always resort to ransomware distribution, and in some cases only maintained backdoor access to the network.

Embargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom. Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid.

In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named “SysUpdate” that was registered via GPO on the devices in the network. The ransomware binaries names that were used were PostalScanImporter.exe and win.exe. Once the files on the target devices were encrypted, the encrypted files extension changed to .partial, .564ba1, and .embargo.

Mitigation and protection guidance

Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync as part of ongoing security hardening. This change helps prevent threat actors from abusing Directory Synchronization Accounts in attacks.

Customers may also refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.

The other techniques used by threat actors and described in this blog can be mitigated by adopting the following security measures:

  • Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID environments to slow and stop attackers.
  • Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
    • Set a Conditional Access policy to limit the access of Microsoft Entra ID sync accounts from untrusted IP addresses to all cloud apps. The Microsoft Entra ID sync account is identified by having the role ‘Directory Synchronization Accounts’. Please refer to the Advanced Hunting section and check the relevant query to get those IP addresses.
  • Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Follow Microsoft’s best practices for securing Active Directory Federation Services.  
  • Refer to Azure Identity Management and access control security best practices for further steps and recommendations to manage, design, and secure your Azure AD environment can be found by referring.
  • Ensure Microsoft Defender for Cloud Apps connectors are turned on for your organization to receive alerts on the Microsoft Entra ID sync account and all other users.
  • Enable protection to prevent by-passing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID.
  • Set the validatingDomains property of federatedTokenValidationPolicy to “all” to block attempts to sign-in to any non-federated domain (like .onmicrosoft.com) with SAML tokens.
  • Turn on Microsoft Entra ID protection to monitor identity-based risks and create risk-based conditional access policies to remediate risky sign-ins.
  • Turn on tamper protection features to prevent attackers from stopping security services such as Microsoft Defender for Endpoint, which can help prevent hybrid cloud environment attacks such as Microsoft Entra Connect abuse.
  • Refer to the recommendations in our attacker technique profile, including use of Windows Defender Application Control or AppLocker to create policies to block unapproved information technology (IT) management tools to protect against the abuse of legitimate remote management tools like AnyDesk or Level.io.
  • Run endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
  • Turn on investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to help remediate alerts, significantly reducing alert volume.

Detection details

Alerts with the following names can be in use when investigating the current campaign of Storm-0501.

Microsoft Defender XDR detections

Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects the Cobalt Strike Beacon as the following:

Additional Cobalt Strike components are detected as the following:

Microsoft Defender Antivirus detects tools that enable Microsoft Entra ID enumeration as the following malware: 

Embargo Ransomware threat components are detected as the following:

Microsoft Defender for Endpoint 

Alerts with the following titles in the security center can indicate threat activity related to Storm-0501 on your network:

  • Ransomware-linked Storm-0501 threat actor detected

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report. 

  • Possible Adobe ColdFusion vulnerability exploitation
  • Compromised account conducting hands-on-keyboard attack
  • Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
  • Ongoing hands-on-keyboard attack via Impacket toolkit
  • Suspicious Microsoft Defender Antivirus exclusion
  • Attempt to turn off Microsoft Defender Antivirus protection
  • Renaming of legitimate tools for possible data exfiltration
  • BlackCat ransomware
  • ‘Embargo’ ransomware was detected and was active
  • Suspicious Group Policy action detected
  • An active ‘Embargo’ ransomware was detected

The following alerts might indicate on-premises to cloud pivot through Microsoft Entra Connect:

  • Entra Connect Sync credentials extraction attempt
  • Suspicious cmdlets launch using AADInternals
  • Potential Entra Connect Tampering
  • Indication of local security authority secrets theft

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate activity related to this threat:

  • Data exfiltration over SMB
  • Suspected DCSync attack

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps can detect abuse of permissions in Microsoft Entra ID and other cloud apps. Activities related to the Storm-0501 campaign described in this blog are detected as the following:

  • Backdoor creation using AADInternals tool
  • Compromised Microsoft Entra ID Cloud Sync account
  • Suspicious sign-in to Microsoft Entra Connect Sync account
  • Entra Connect Sync account suspicious activity following a suspicious login
  • AADInternals tool used by a Microsoft Entra Sync account
  • Suspicious login from AADInternals tool

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2022-47966

Threat intelligence reports 

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments: 

Advanced hunting 

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Microsoft Entra Connect Sync account exploration

Explore sign-in activity from IdentityLogonEvents, look for uncommon behavior, such as sign-ins from newly seen IP addresses or sign-ins to new applications that are non-sync related.

IdentityLogonEvents
| where Timestamp > ago(30d)
| where AccountDisplayName contains "On-Premises Directory Synchronization Service Account"
| extend ApplicationName = tostring(RawEventData.ApplicationName)
| project-reorder Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, ApplicationName, OSPlatform, DeviceType

Usually, the activity of the sync account is repetitive, coming from the same IP address to the same application, any deviation from the natural flow is worth investigating. Cloud applications that normally accessed by the Microsoft Entra ID sync account are “Microsoft Azure Active Directory Connect”, “Windows Azure Active Directory”, “Microsoft Online Syndication Partner Portal”

Explore the cloud activity (a.k.a ActionType) of the sync account, same as above, this account by nature performs a certain set of actions including ‘update User.’, ‘update Device.’ and so on. New and uncommon activity from this user might indicate an interactive use of the account, even though it could have been from someone inside the organization it could also be the threat actor.

CloudAppEvents
| where Timestamp > ago(30d)
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| extend Workload = RawEventData.Workload
| project-reorder Timestamp, IPAddress, AccountObjectId, ActionType, Application, Workload, DeviceType, OSPlatform, UserAgent, ISP

Pay close attention to action from different DeviceTypes or OSPlatforms, this account automated service is performed from one specific machine, so there shouldn’t be any variety in these fields.

Check which IP addresses Microsoft Entra Connect Sync account uses

This query reveals all IP addresses that the default Microsoft Entra Connect Sync account uses so those could be added as trusted IP addresses for the Entra ID sync account (make sure the account is not compromised before relying on this list)

IdentityLogonEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| where ActionType == "LogonSuccess"
| distinct IPAddress
| union (CloudAppEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| distinct IPAddress)
| distinct IPAddress

Federation and authentication domain changes

Explore the addition of a new authentication or federation domain, validate that the new domain is valid one and was purposefully added

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in ("Set domain authentication.", "Set federation settings on domain.")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Assess your environment for Manage Engine, Netscaler, and ColdFusion vulnerabilities.

DeviceTvmSoftwareVulnerabilities  
| where CveId in ("CVE-2022-47966","CVE-2023-4966","CVE-2023-29300","CVE-2023-38203")   
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Search for file IOC

let selectedTimestamp = datetime(2024-09-17T00:00:00.0000000Z);
let fileName = dynamic(["PostalScanImporter.exe","win.exe","name.dll","248.dll","cs240.dll","fel.ocx","theme.ocx","hana.ocx","obfs.ps1","recon.ps1"]); 
let FileSHA256 = dynamic(["efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d","a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40","caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031","53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9","827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f","ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a","de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304","d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670","c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1"]); 
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents, DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator) TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from September 17th runs the search for 90 days, change the selectedTimestamp accordingly. and  (FileName in (fileName) or OldFileName in (fileName)  or ProfileName in (fileName)  or InitiatingProcessFileName in (fileName)  or InitiatingProcessParentFileName in (fileName)  or InitiatingProcessVersionInfoInternalFileName in (fileName)  or InitiatingProcessVersionInfoOriginalFileName in (fileName)  or PreviousFileName in (fileName)  or ProcessVersionInfoInternalFileName in (fileName) or ProcessVersionInfoOriginalFileName in (fileName) or DestinationFileName in (fileName) or SourceFileName in (fileName)or ServiceFileName in (fileName) or SHA256 in (FileSHA256)  or InitiatingProcessSHA256 in (FileSHA256))

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog, in addition to Microsoft Defender XDR detections list above.

Indicators of compromise (IOCs)

The following list provides indicators of compromise (IOCs) observed during our investigation. We encourage our customers to investigate these indicators within their environments and implement detections and protections to identify any past related activity and prevent future attacks against their systems.

File nameSHA-256Description
PostalScanImporter.exe, win.exeefb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8dEmbargo ransomware
win.exea9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40Embargo ransomware
name.dllcaa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031Cobalt Strike
248.dlld37dc37fdcebbe0d265b8afad24198998ae8c3b2c6603a9258200ea8a1bd7b4aCobalt Strike
cs240.dll53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9Cobalt Strike
fel.ocx827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5fCobalt Strike
theme.ocxee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348aCobalt Strike
hana.ocxde09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304Cobalt Strike
obfs.ps1d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670ADRecon
recon.ps1c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1ADRecon

References

Omri Refaeli, Tafat Gaspar, Vaibhav Deshmukh, Naya Hashem, Charles-Edouard Bettan

Microsoft Threat Intelligence Community

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Storm-0501: Ransomware attacks expanding to hybrid cloud environments appeared first on Microsoft Security Blog.

]]>
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption http://approjects.co.za/?big=en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ Mon, 29 Jul 2024 16:00:00 +0000 Microsoft Security researchers have observed a vulnerability used by various ransomware operators to get full administrative access to domain-joined ESXi hypervisors and encrypt the virtual machines running on them. The vulnerability involves creating a group called “ESX Admins” in Active Directory and adding an attacker-controlled user account to this group. This manipulation of the Active Directory group takes advantage of a privilege escalation vulnerability (CVE-2024-37085) in ESXi hypervisors that grants the added user full administrative access to the ESXi hypervisor. The vulnerability was fixed by VMware in their June release and ESXi administrators should install this security update.

The post Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption appeared first on Microsoft Security Blog.

]]>
Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors. ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network. In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.

The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Microsoft disclosed the findings to VMware through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR), and VMWare released a security update. Microsoft recommends ESXi server administrators to apply the updates released by VMware to protect their servers from related attacks, and to follow the mitigation and protection guidance we provide in this blog post. We thank VMWare for their collaboration in addressing this issue.

This blog post presents analysis of the CVE-2024-37085, as well as details of an attack that was observed by Microsoft to exploit the vulnerability. We’re sharing this research to emphasize the importance of collaboration among researchers, vendors, and the security community to continuously advance defenses for the larger ecosystem. As part of Microsoft’s commitment to improve security for all, we will continue to share intelligence and work with the security community to help protect users and organizations across platforms.

CVE-2024-37085 vulnerability analysis

Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks. In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. The technique includes running the following commands, which results in the creation of a group named “ESX Admins” in the domain and adding a user to it:

net group “ESX Admins” /domain /add

net group “ESX Admins” username /domain /add

While investigating the attacks and the described behavior, Microsoft researchers discovered that the threat actors’ purpose for using this command was to utilize a vulnerability in domain-joined ESXi hypervisors that allows the threat actor to elevate their privileges to full administrative access on the ESXi hypervisor. This finding was reported as part of a vulnerability disclosure to VMware earlier this year.

Further analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named “ESX Admins” to have full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist. Additionally, the membership in the group is determined by name and not by security identifier (SID).

Microsoft researchers identified three methods for exploiting this vulnerability:

  1. Adding the “ESX Admins” group to the domain and adding a user to it – This method is actively exploited in the wild by the abovementioned threat actors. In this method, if the “ESX Admins” group doesn’t exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group.
  2. Renaming any group in the domain to “ESX Admins” and adding a user to the group or use an existing group member – This method is similar to the first, but in this case the threat actor needs a user that has the capability to rename some arbitrary groups and rename one of them to “ESX Admins”. The threat actor can then add a user or use a user that already exists in the group, to escalate privileges to full administrative access. This method was not observed in the wild by Microsoft.
  3. ESXi hypervisor privileges refresh – Even if the network administrator assigns any other group in the domain to be the management group for the ESXi hypervisor, the full administrative privileges to members of the “ESX Admins” group are not immediately removed and threat actors still could abuse it. This method was not observed in the wild by Microsoft.

Successful exploitation leads to full administrative access to the ESXi hypervisors, allowing threat actors to encrypt the file system of the hypervisor, which could affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.

Ransomware operators targeting ESXi hypervisors

Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target.

ESXi is a popular product in many corporate networks, and in recent years, we have observed ESXi hypervisors become a favored target for threat actors. These hypervisors could be convenient targets if ransomware operators want to stay under the SOC’s radar because of the following factors:

  1. Many security products have limited visibility and protection for an ESXi hypervisor.
  2. Encrypting an ESXi hypervisor file system allows one-click mass encryption, as hosted VMs are impacted. This could provide ransomware operators with more time and complexity in lateral movement and credential theft on each device they access.

Therefore, many ransomware threat actors like Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest, and others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper (Figure 1). The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years.

Screenshot of post about ESXi unauthenticated shell for sale in the dark web
Figure 1. ESXi unauthenticated shell for sale on the dark web

Storm-0506 Black Basta ransomware deployment

Earlier this year, an engineering firm in North America was affected by a Black Basta ransomware deployment by Storm-0506. During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization.

The threat actor gained initial access to the organization via Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices. The threat actor then used Cobalt Strike and Pypykatz (a Python version of Mimikatz) to steal the credentials of two domain administrators and to move laterally to four domain controllers.

On the compromised domain controllers, the threat actor installed persistence mechanisms using custom tools and a SystemBC implant. The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC. The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection.

Microsoft observed that the threat actor created the “ESX Admins” group in the domain and added a new user account to it, following these actions, Microsoft observed that this attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor.   The actor was also observed to use PsExec to encrypt devices that are not hosted on the ESXi hypervisor. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint were able to stop these encryption attempts in devices that had the unified agent for Defender for Endpoint installed.

Attack chain diagram of an attack by Storm-0506 from initial access via Qakbot infection followed by multiple malicious actions that lead to the exploitation of the ESXi vulnerability and eventual deployment of Black Basta ransomware and mass encryption of VMs in ESXi hypervisor
Figure 2. Storm-0506 attack chain

Mitigation and protection guidance

Microsoft recommends organizations that use domain-joined ESXi hypervisors to apply the security update released by VMware to address CVE-2024-37085. The following guidelines will also help organizations protect their network from attacks:

  • Install software updates – Make sure to install the latest security updates released by VMware on all domain-joined ESXi hypervisors. If installing software updates is not possible, you can use the following recommendations to reduce the risk:
    • Validate the group “ESX Admins” exists in the domain and is hardened.
    • Change the admin group to a different group in the ESXi hypervisor.
    • Add custom detections in XDR/SIEM for the new group name.  
    • Configure sending ESXi logs to a SIEM system and monitor suspicious full administrative access.
  • Credential hygiene – To utilize the different vulnerability methods, threat actors require control of a highly privileged user in the organization. Therefore, our recommendation is making sure to protect your highly privileged accounts in the organization, especially those that can manage other domain groups:
    • Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, always.
    • Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
    • Isolate privileged accounts from productivity accounts to protect administrative access to the environment. Refer to this article to understand best practices.
  • Improve critical assets posture – Identify your critical assets in the network, such as  ESXi hypervisors and vCenters (a centralized platform for controlling VMware vSphere environments), and make sure to get them protected with latest security updates, proper monitoring procedures and backup and recovery plans. More information can be found in this article.
  • Identify vulnerable assets – Use Microsoft Defender Vulnerability Management to reduce risk with continuous vulnerability assessment of ESXi hypervisor out of the box.

Microsoft Defender XDR detections

Microsoft Defender for Endpoint             

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

  • Suspicious modifications to ESX Admins group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

  • New group added suspiciously
  • Suspicious Windows account manipulation
  • Compromised account conducting hands-on-keyboard attack

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

  • Suspicious creation of ESX group

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks

This query identifies ESXi hypervisors in the organization:

DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId

This query identifies ESX Admins group changes in the Active directory:

IdentityDirectoryEvents
| where Timestamp >= ago(30d)
| where AdditionalFields has ('esx admins')

The following queries are for assessing the already discovered ESXi with the Microsoft Defender Vulnerability Management information:

DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (DeviceTvmSoftwareVulnerabilities) on DeviceId
DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (DeviceTvmSecureConfigurationAssessment) on DeviceId

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of hunting queries available in Sentinel GitHub repo or as part of Sentinel solutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender detections. These hunting queries include the following:

Qakbot:

Cobalt Strike:

References

Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan, Vaibhav Deshmukh

Microsoft Threat Intelligence Community

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption appeared first on Microsoft Security Blog.

]]>
Automatic disruption of human-operated attacks through containment of compromised user accounts http://approjects.co.za/?big=en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/ Wed, 11 Oct 2023 16:00:00 +0000 User containment is a unique and innovative defense mechanism that stops human-operated attacks in their tracks. We’ve added user containment to the automatic attack disruption capability in Microsoft Defender for Endpoint. User containment is automatically triggered by high-fidelity signals and limits attackers’ ability to move laterally within a network regardless of the compromised account’s Active Directory state or privilege level.

The post Automatic disruption of human-operated attacks through containment of compromised user accounts appeared first on Microsoft Security Blog.

]]>
Our experience and insights from real-world incidents tell us that the swift containment of compromised user accounts is key to disrupting hands-on-keyboard attacks, especially those that involve human-operated ransomware. In these attacks, lateral movement follows initial access as the next critical stage for attackers to advance their objective of targeting valuable assets and sensitive data. Successful lateral movement depends on attackers’ ability to compromise user accounts and elevate permissions: our observations of attacks show that all human-operated ransomware attacks where ransomware deployment was successful involve attackers gaining access to a domain admin-level account or local administrator passwords.

Attackers compromise user accounts through numerous and diverse means, including techniques like credential dumping, keylogging, and brute-forcing. Poor credential hygiene could very quickly lead to the compromise of domain admin-level accounts, which could allow attackers to access domain resources and devices, and completely take over the network. Based on incidents analyzed by Microsoft, it can take only a single hop from the attacker’s initial access vector to compromise domain admin-level accounts. For instance, an attacker can target an over-privileged service account configured in an outdated and vulnerable internet-facing server.

Highly privileged user accounts are arguably the most important assets for attackers. Compromised domain admin-level accounts in environments that use traditional solutions provide attackers with access to Active Directory and could subvert traditional security mechanisms. In addition to compromising existing accounts, attackers have adopted the creation of additional dormant, highly privileged user accounts as persistence mechanisms.

Identifying and containing these compromised user accounts, therefore, prevents attacks from progressing, even if attackers gain initial access. This is why, as announced today, we added user containment to the automatic attack disruption capability in Microsoft Defender for Endpoint, a unique and innovative defense mechanism that stops human-operated attacks in their tracks. User containment prevents a compromised user account from accessing endpoints and other resources in the network, limiting attackers’ ability to move laterally regardless of the account’s Active Directory state or privilege level. It is automatically triggered by high-fidelity signals indicating that a compromised user account is being used in an ongoing attack. With user containment, even compromised domain admin accounts cannot help attackers access other devices in the network.

In this blog we will share our analysis of real-world incidents and demonstrate how automatic attack disruption protected our customers by containing compromised user accounts. We then explain how this capability fits in our automatic attack disruption strategy and how it works under the hood.

User containment stops Storm-1567 attack, prevents Akira ransomware encryption

In early June 2023, an industrial engineering organization was the target of a human-operated attack by an Akira ransomware operator tracked by Microsoft as Storm-1567. Akira is a ransomware strain first observed by Microsoft in March 2023 and has features common to other ransomware payloads like the use of ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). Microsoft assesses that Akira is most likely a closed ransomware offering and not openly marketed as ransomware as a service.

In this attack, the threat actor leveraged devices that were not onboarded to Microsoft Defender for Endpoint for most of the attack stages, a defense evasion tactic we’ve seen in other attacks. While visibility by our endpoint solution could have blocked the attack earlier in the attack chain and helped to protect the organization’s devices much sooner, Defender for Endpoint nonetheless successfully prevented the ransomware stage, protecting all onboarded devices in the organization from getting encrypted.

Attack chain diagram of Storm-1567 attempt to encrypt devices
Figure 1. Storm-1567 attempt to encrypt devices

Based on our analysis, after gaining access to the network, the threat actor started preparing to encrypt devices by scanning, attempting to tamper with security products, conducting lateral movement using Remote Desktop Protocol (RDP), and other anomalous activities. It should be noted that the activities were conducted on a Sunday evening, a time when SOC teams might be at a limited capacity. Most of these activities were done on Windows Server devices, including SQL Servers onboarded to Microsoft Defender for Endpoint. These activities were highly anomalous compared to routine activity in the customer’s network and therefore triggered multiple alerts.

Microsoft Defender for Endpoint’s next-generation protection capabilities detected and prevented several attacker activities, prompting the attackers to try tampering with the security product. However, tamper protection was enabled in the environment, so these attempts were not successful. Meanwhile, Microsoft 365 Defender correlated signals from multiple Defender products, identified the malicious activity, and incriminated – that is, determined as malicious with high confidence – the associated compromised assets, including a user account the attackers used.

Approximately half an hour after activity began, attackers leveraged the compromised user account and attempted to encrypt devices remotely via Server Message Block (SMB) protocol from a device not onboarded to Microsoft Defender for Endpoint. Because of the earlier incrimination, the compromised user account was contained, and the devices onboarded to Defender for Endpoint were protected from encryption attempts.

Later the same day, the attackers repeated the same malicious sequences by pivoting to other compromised user accounts, attempting to bypass attack disruption protection. Defender for Endpoint was again able to protect onboarded devices from encryption over the network. In this incident, automatic attack disruption’s ability to contain additional compromised user accounts demonstrated unique and innovative impact for endpoint and identity security, helping to protect all devices onboarded to Defender for Endpoint from the attack.    

Line chart showing the number of devices where encryption attempts are being blocked as the attack progresses
Figure 2. Chart showing remote encryption attempts being blocked on devices onboarded to Microsoft Defender for Endpoint as the attack progresses

User containment stops lateral movement in human-operated campaign

In early August 2023, Microsoft Defender for Endpoint automatically disrupted a human-operated attack early in the attack chain by containing the compromised user account prior to any impact, saving a medical research lab from what could have been a large-scale attack. The first indication of the attack was observed at roughly 4:00 AM local time on a Friday, when attackers, operating from a device not onboarded to Defender for Endpoint, initiated a remote password reset for the default domain administrator account. This account wasn’t active on any device onboarded to Microsoft Defender for Endpoint in the months prior to the intrusion. We infer that the account credentials were likely expired, and that the attackers found the stale password hashes belonging to the account by using commodity credential theft tools like Mimikatz on a device not-onboarded to Microsoft Defender for Endpoint. Expired credentials, while often not seen as a security risk, could still be abused and could allow attackers to update an account’s password.

Minutes after the administrator account password was reset, the attackers started scanning the network for accessible shares and enumerated other account and domain configurations using SMB-accessible services. This scan and all subsequent malicious activities originated from the same non-onboarded device and compromised administrator account.

Parallel to the network scan, the threat actor initiated an RDP session to a SQL Server, attempting to tamper with security products on the server and running a variety of credential theft and domain discovery tools.

At this point, the compromised administrator account was incriminated based on cumulative signals from the Defender for Endpoint-onboarded SQL server and the account’s anomalous activity. Automatic attack disruption was triggered and the compromised account was contained. All devices in the organization that supported the user containment feature immediately blocked SMB access from the compromised user account, stopping the discovery operations and preventing the possibility of subsequent lateral movement.

Following the initial containment of the attack through automatic attack disruption, the SOC was then able to take additional critical remediation actions to expand the scope of the disruption and evict the attackers from the network. This included terminating the attackers’ sessions on two compromised servers and disabling the compromised domain administrator account at the Active Directory-level.

While user containment is automatic for devices onboarded to Defender for Endpoint, this incident demonstrates the importance of active engagement of the SOC team after the automatic attack disruption action to fully evict the attackers from the environment. It also shows that onboarding devices to Microsoft Defender for Endpoint improves the overall capability to detect and disrupt attacks within the network sooner, before high-privileged user accounts are compromised.

In addition, as of September 2023, user containment also supports terminating active RDP sessions, in addition of blocking new attempted connections, a critical first step in evicting attackers from the network. Disabling compromised user accounts at the Active Directory-level is already supported by automatic attack disruption through integration with Defender for Identity. In this particular incident, the customer was not using Defender for Identity, but this case highlights the stronger defenses as a result of cross-domain visibility.

Attach chain showing the stages of human-operated campaign and showing where the compromised user account is disrupted
Figure 3. Attack chain of human-operated campaign that targeted a medical research lab

Protecting against compromised user accounts through automatic containment

As demonstrated by the incidents we described above, unlike commodity malware infection, human-operated attacks are driven by humans with hands-on-keyboard access to the network who make decisions at every stage of their attack. Attack patterns vary depending on what attackers find in the target network. Protecting against such highly skilled, profit-driven, and determined adversaries is not trivial. These attackers leverage key principles of on-premises Active Directory environments, which provide an active domain administrator account unlimited access to domain resources. Once attackers obtain accounts with sufficient privileges, they can conduct malicious activities like lateral movement or data access using legitimate administrative tools and protocols.

High-level attack chain diagram of attacks that use compromised user accounts
Figure 4. An example of a malicious activity of compromised user accounts in a human-operated ransomware attack

At Microsoft, we understand that to better defend our customers against such highly motivated attackers, a multi-layer defense approach must be used for an optimal security protection solution across endpoints and identities. More importantly, this solution should prioritize organization-wide protection, rather than protecting only a single endpoint. Motivated attackers search for security weaknesses and prioritize compromising unprotected devices. As a result, assuming that initial attack stages have occurred, with potentially at least a few compromised user accounts, is critical for developing security defenses for later attack stages. Using key assumptions and principles of on-premises Active Directory environments, a security-first mindset means limiting the access of even the most privileged user accounts to mitigate security risks.

The automatic attack disruption capability contains user accounts by creating a boundary between healthy onboarded devices and compromised user accounts and devices. It works in a decentralized nature: a containment policy distributed to all onboarded devices across the organization enables each Microsoft Defender for Endpoint client to protect the device against any compromised account, even an account belonging to the Domain Admins group.

This decentralized approach avoids some of the pitfalls of centralized manual or automatic controls, such as disabling an account in Active Directory, which possesses a single point of failure as it can be overridden by the attacker who may already have compromised domain controllers. The virtual security boundary set to contain the user is implemented by controls that were tailored to disrupt attacker activity during various attack stages, including lateral movement, credential theft, and impact such as remote encryption or deployment of ransomware payload. The actual set of controls triggered to contain a user might vary depending on the attack scenario and stage, and includes:

  1. Sign-in restriction: This is the most aggressive control in containing a user account. When this control is triggered, devices will deny all or some types of sign-ins by a compromised account. This control takes effect immediately and is effective regardless of the account’s state (i.e., active or disabled) in the authority it belongs to. This control can block most attacker capabilities, but in cases where an attacker had already authenticated to device before a compromise was identified, the other controls might still be required to block the attack.
  2. Intercepting SMB activity: Attack disruption can contain a user by denying inbound file system access from a remote origin, limiting the attacker’s ability to remotely steal or destroy valuable data. Notably, this control can prevent or limit ransomware encryption over SMB. It can also block lateral movement methods that include a payload being created on a remote device, including PsExec and similar tools.
  3. Filtering RPC activity: Attack disruption can selectively restrict compromised users’ access to remote procedure call (RPC) interfaces that attackers often leverage during attacks. Attackers abuse RPC-based protocols for a variety of goals such credential theft (DCsync and DPAPI), privilege escalation (“PetitPotam”, Print Spooler), discovery (server & workstation services), and lateral movement (remote WMI, scheduled tasks, and services). Blocking such activities can contain an attack before the attacker gains a strong foothold in the network or can deny the ability to capitalize on such a foothold during the impact stage.
  4. Disconnecting or terminating active sessions: In case a compromised account had already gained a foothold on the device, when attack disruption is triggered, it can disconnect or terminate sessions previously initiated by the account. This control differs from the others in this list as it’s effective against already compromised devices, protecting against any additional malicious activity by the attacker. Once a session is terminated, attackers are locked out of the device by the sign-in restriction control. This is specifically critical in stopping attacks earlier in the attack chain, disrupting and containing attacks before reaching impact stage.

The user containment capability is part of the existing protections provided by solutions within Microsoft 365 Defender. As we described in this blog, this capability correlates high-fidelity signals from multiple Defender products to incriminate malicious entities with high confidence and then immediately contain them to automatically disrupt ongoing attacks, including the pre-ransomware and encryption stages in human-operated attacks.

To benefit from this capability, organizations need only to onboard devices to Microsoft Defender for Endpoint. As more devices are onboarded, the scope of disruption is larger and the level of protection is higher. And as more Defender products are used in the organization, the visibility is wider and the effectiveness of the solution is greater. This also lowers the risk of attackers taking advantage of unprotected devices as launch pads for attacks.

Automatic attack disruption represents an innovative solution designed to increase defenses against the increasingly more sophisticated threat of hands-on-keyboard attacks, especially human-operated ransomware. This capability is informed by threat intelligence and insights from investigations and analysis of threats and actors in the cybercrime economy, and reflects our commitment to provide industry-best protections for our customers.

Edan Zwick, Amir Kutcher, Charles-Edouard Bettan, Yair Tsarfaty, Noam Hadash

Further reading

Learn how Microsoft Defender for Endpoint stops human-operated attacks.

For more information, read our documentation on the automatic attack disruption capability.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us at https://twitter.com/MsftSecIntel.

The post Automatic disruption of human-operated attacks through containment of compromised user accounts appeared first on Microsoft Security Blog.

]]>
Malware distributor Storm-0324 facilitates ransomware access http://approjects.co.za/?big=en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/ Tue, 12 Sep 2023 17:00:00 +0000 The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors.

The post Malware distributor Storm-0324 facilitates ransomware access appeared first on Microsoft Security Blog.

]]>
The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats. This activity is not related to the Midnight Blizzard social engineering campaigns over Teams that we observed beginning in May 2023. Because Storm-0324 hands off access to other threat actors, identifying and remediating Storm-0324 activity can prevent more dangerous follow-on attacks like ransomware.

Storm-0324 (DEV-0324), which overlaps with threat groups tracked by other researchers as TA543 and Sagrid, acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors.  Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures. The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.

In this blog, we provide a comprehensive analysis of Storm-0324 activity, covering their established tools, tactics, and procedures (TTPs) as observed in past campaigns as well as their more recent attacks. To defend against this threat actor, Microsoft customers can use Microsoft 365 Defender to detect Storm-0324 activity and significantly limit the impact of these attacks on networks. Additionally, by using the principle of least privilege, building credential hygiene, and following the other recommendations we provide in this blog, administrators can limit the destructive impact of ransomware even if the attackers can gain initial access.

Historical malware distribution activity

Storm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads. The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic. This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.

Storm-0324’s email themes typically reference invoices and payments, mimicking services such as DocuSign, Quickbooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload. Storm-0324 has used many file formats to launch the malicious JavaScript including Microsoft Office documents, Windows Script File (WSF), and VBScript, among others.

Storm-0324 has distributed a range of first-stage payloads since at least 2016, including:

  • Nymaim, a first-stage downloader and locker
  • Gozi version 3, an infostealer
  • Trickbot, a modular malware platform
  • Gootkit, a banking trojan
  • Dridex, a banking trojan
  • Sage ransomware
  • GandCrab ransomware
  • IcedID, a modular information-stealing malware

Since 2019, however, Storm-0324 has primarily distributed JSSLoader, handing off access to ransomware actor Sangria Tempest.

Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain

Diagram showing the Storm-0324 attack chain from the delivery of phishing email to the deployment of the JSSLoader DLL, after which access is handed off to Sangria Tempest
Figure 1. Storm-0324 JSSLoader infection chain based on mid-2023 activity

Since as early as 2019, Storm-0324 has handed off access to the cybercrime group Sangria Tempest after delivering the group’s first-stage malware payload, JSSLoader. Storm-0324’s delivery chain begins with phishing emails referencing invoices or payments and containing a link to a SharePoint site that hosts a ZIP archive. Microsoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services.

Screenshot of invoice-themed lure email
Figure 2. Example Storm-0324 email

The ZIP archive contains a file with embedded JavaScript code. Storm-0324 has used a variety of files to host the JavaScript code, including WSF and Ekipa publisher files exploiting the CVE-2023-21715 local security feature bypass vulnerability.

When the JavaScript launches, it drops a JSSLoader variant DLL. The JSSLoader malware is then followed by additional Sangria Tempest tooling.

In some cases, Storm-0324 uses protected documents for additional social engineering. By adding the security code or password in the initial communications to the user, the lure document may acquire an additional level of believability for the user. The password also serves as an effective anti-analysis measure because it requires user interaction after launch.

Screenshot of Storm-0324 password protected lure document
Figure 3. Storm-0324 password-protected lure document

New Teams-based phishing activity

In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher. TeamsPhisher is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. These Teams-based phishing lures by threat actors are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization.

Microsoft takes these phishing campaigns very seriously and has rolled out several improvements to better defend against these threats. In accordance with Microsoft policies, we have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. We have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders . We rolled out new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant.  In addition to these specific enhancements, our development teams will continue to introduce additional preventative and detective measures to further protect customers from phishing attacks.

Recommendations

To harden networks against Storm-0324 attacks, defenders are advised to implement the following:

Microsoft customers can turn on attack surface reduction rules to prevent common attack techniques:

Detection details

Microsoft 365 Defender

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Ransomware-linked Storm-0324 threat activity group detected

Hunting queries

Microsoft 365 Defender

Possible TeamsPhisher downloads The following query looks for downloaded files that were potentially facilitated by use of the TeamsPhisher tool. Defenders should customize the SharePoint domain name (‘mysharepointname’) in the query.

let allowedSharepointDomain = pack_array(
'mysharepointname' //customize Sharepoint domain name and add more domains as needed for your query
);
//
let executable = pack_array(
'exe',
'dll',
'xll',
'msi',
'application'
);
let script = pack_array(
'ps1',
'py',
'vbs',
'bat'
);
let compressed = pack_array(
'rar',
'7z',
'zip',
'tar',
'gz'
);
//
let startTime = ago(1d);
let endTime = now();
DeviceFileEvents
| where Timestamp between (startTime..endTime)
| where ActionType =~ 'FileCreated'
| where InitiatingProcessFileName has 'teams.exe'
    or InitiatingProcessParentFileName has 'teams.exe'
| where InitiatingProcessFileName !has 'update.exe'
    and InitiatingProcessParentFileName !has 'update.exe'
| where FileOriginUrl has 'sharepoint'
    and FileOriginReferrerUrl has_any ('sharepoint', 'teams.microsoft')
| extend fileExt = tolower(tostring(split(FileName,'.')[-1]))
| where fileExt in (executable)
    or fileExt in (script)
    or fileExt in (compressed)
| extend fileGroup = iff( fileExt in (executable),'executable','')
| extend fileGroup = iff( fileExt in (script),'script',fileGroup)
| extend fileGroup = iff( fileExt in (compressed),'compressed',fileGroup)
//
| extend sharePoint_domain = tostring(split(FileOriginUrl,'/')[2])
| where not (sharePoint_domain has_any (allowedSharepointDomain))
| project-reorder Timestamp, DeviceId, DeviceName, sharePoint_domain, FileName, FolderPath, SHA256, FileOriginUrl, FileOriginReferrerUrl

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

References

Further reading

Microsoft customers can refer to the report on this activity in Microsoft Defender Threat Intelligence and Microsoft 365 Defender for detections, assessment of impact, mitigation and recovery actions, and hunting guidance.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Malware distributor Storm-0324 facilitates ransomware access appeared first on Microsoft Security Blog.

]]>
Microsoft Purview data security mitigations for BazaCall and other human-operated data exfiltration attacks http://approjects.co.za/?big=en-us/security/blog/2023/08/08/microsoft-purview-data-security-mitigations-for-bazacall-and-other-human-operated-data-exfiltration-attacks/ Tue, 08 Aug 2023 17:00:00 +0000 Microsoft Defender is our toolset for prevention and mitigation of data exfiltration and ransomware attacks. Microsoft Purview data security offers important mitigations as well and should be used as part of a defense-in-depth strategy.

The post Microsoft Purview data security mitigations for BazaCall and other human-operated data exfiltration attacks appeared first on Microsoft Security Blog.

]]>
I recently worked with an enterprise customer who experienced a data exfiltration attack using the characteristics of the BazaCall campaign. BazaCall can be both a ransomware and data exfiltration attack that are used together to increase pressure on and damage to the victim. Microsoft Purview has data security capabilities that form part of a holistic mitigation strategy.

Microsoft 365 Defender is our security solution for phishing and related cyberthreats. Some great analysis has been done by the Microsoft Threat Intelligence team on BazaCall’s Tactics, Techniques, and Procedures (TTPs). They’ve also shared how to use Microsoft 365 Defender to locate exploitation activity.

I wanted to take another perspective with this post and share the role that Microsoft Purview data security solutions play, together with Microsoft 365 Defender and Microsoft Sentinel, to provide defense-in-depth mitigation. With defense-in-depth, we create barriers to the bad actor, increasing their resources required and uncertainty, interfering with their business case.

Microsoft Purview provides important value with unified data governance and compliance solutions but it’s Microsoft Purview’s data security capabilities within Microsoft 365 we’ll be discussing in this blog.

What makes BazaCall different from most phishing attacks is using a malicious email to have the victim initiate a call to a phony call center run by the bad actor that then coaches the victim to install malware. Replacing malicious links and attachments in email with a phone number to the call center is used to evade email protection.

An overview of the BazaCall attack flow is provided at the end of this post.

The mitigations suggested here will be of value for attacks where the bad actor has control of a Microsoft 365 account and is attempting to exfiltrate sensitive data.

The data security benefits of Microsoft Purview for attack mitigation are sometimes overlooked. These solutions may be managed by other groups in the organization, such as the compliance team rather than the security team, and so may not be the go-to tools in the toolbox when preparing for or responding to an attack. These solutions should be part of a defense-in-depth strategy and Zero Trust architecture.

Microsoft Purview Mitigations

Microsoft Purview Information Protection sensitivity labels can be applied to protect sensitive files from unauthorized access. These sensitivity labels can have scoped encryption, among other protections, which travels with the file inside and outside of the organization’s environment. This would make the file unreadable except by the party for which the encryption is scoped—for example, only employees, a partner, or a customer organization—or it can be defined by the user to be consumable only by specific individuals.

Screenshot of Sensitivity Label with scoped encryption  accessible only to employees

Figure 1. Sensitivity Label with scoped encryption—accessible only to employees.

Automation, configured by the administrators, can be used to support the user in applying these labels including making the application of a label mandatory if the file contains sensitive information.

Microsoft Purview Data Loss Prevention (Purview DLP) can be used to prevent the sensitive information from being exfiltrated through several egress channels, including user’s endpoint devices, Microsoft cloud services such as SharePoint Online, OneDrive for Business, Exchange Online, Teams, and Microsoft PowerBI, browsers such as Microsoft Edge, Chrome, and Firefox, as well as non-Microsoft applications such as Salesforce, Dropbox, Box, and more, including the free file-sharing services used as part of the BazaCall TTPs.

Customers can create policies that block and do not allow override for their top priority sensitive information such that even if the bad actor manages to get access to the user’s account, they are blocked from exfiltrating any sensitive content. Purview DLP policies can be configured leveraging a variety of out-of-the-box or custom criteria including machine learning-based trainable classifiers as well as the sensitivity labels created in Information Protection.

Screenshot of Microsoft Purview Data Loss Prevention blocking the upload of a sensitive file into Dropbox.

Figure 2. Purview DLP preventing the upload of sensitive files into Dropbox.

Microsoft Purview Insider Risk Management can alert the security team to the bad actor’s activities, including the exfiltration of sensitive information to the file-sharing service. Insider Risk Management can reason over and parse through user activity signals, by leveraging more than 100 ready-to-use indicators and machine learning models, including sequence detection and cumulative exfiltration detection. With Adaptive Protection powered by Insider Risk Management, the security team can detect high-risk actors, such as a bad actor-controlled account, and automatically enforce the strictest DLP policy to prevent them from exfiltrating data.  

Screenshot of Microsoft Purview Insider Risk Management user activity screen of an insider risk case.  It shows the user activity and related risk over time together with relevant information for the investigator such as resignation date and employment end date.

Figure 3. Insider Risk Management uses specialized algorithms and machine learning to identify data exfiltration and other risks.

Microsoft Defender for Cloud Apps can make a file-sharing site used for sensitive file exfiltration unreachable from the user’s browser or it can prevent sensitive files from being moved to the site. Alternatively, the policy can be configured to only allow files to be moved to the file-sharing site if they have a sensitivity label applied that contains scoped encryption. If this protected file is exfiltrated it would not be readable by the bad actor.

Screenshot of Microsoft Defender for Cloud Apps blocking user access to powerfolder.com file sharing and backup site.

Figure 4. Microsoft Defender for Cloud Apps blocking access to file sharing and backup site.

Microsoft Purview Audit provides forensic information to scope a possible breach. This is especially valuable when bad actors are “living off the land.” Among the audit items made available are the terms that a user searched in email and SharePoint. If the bad actor was searching for sensitive information to exfiltrate, this item will assist the investigation.

Purview Audit, recently expanded for accessibility and flexibility, will also provide insight to mail items accessed and mail sent, which would be impactful when investigating scope and possible exfiltration channels. Although a bad actor’s known TTPs may not include these channels, we need a fulsome investigation. Their TTPs are likely not static.

Purview Audit Premium provides more logging event retention capabilities, with one-year retention (up from 180 days with Standard) and an option to increase retention to 10 years among other upgraded features.

Screenshot of Microsoft Purview Premium Audit solution showing ability to investigate email and SharePoint searches.

Figure 5. Premium Audit solution searching forensic events.

Microsoft Purview Data Lifecycle Management policies and labeling could be used to purge unneeded information from the organization’s environment. An auditable review can be required prior to deletion or deletion can be automated without user or administrator action.

If information is not in the environment, it cannot be exfiltrated by the bad actor or put the organization at risk.

Figure 6. Disposal of unneeded documents reduces exfiltration risk to the organization.

About BazaCall

BazaCall uses a phishing campaign that tricks unsuspecting users into phoning the attacker, who coaches them into downloading BazaLoader malware, which retrieves and installs a remote monitoring and management (RMM) tool onto the user’s device. The email typically claims that the user has reached the end of a free trial of some type, that billing will begin shortly and provides an option to cancel by phoning a call center. The threat of unjustified billing is the lever that the attacker uses to get the victim to comply.

Typically, the file download has been a malicious Excel document that purports to be a “cancellation form” for the unwanted service and charges referred to in the phishing campaign. The bad actor coaches the victim into accepting macros and disabling security solutions to complete the phony “cancellation.”

RMM software provides multiple useful purposes for attackers: The software allows an attacker to maintain persistence and deploy malicious tools within a compromised network. It can also be used for an interactive command-and-control system. With command and control established, the bad actor organization can spread laterally through the environment to steal sensitive data and deploy ransomware. Once command and control of the user’s machine is established, bad actor hands-on keyboard is used to exfiltrate data including through free cloud-based file-sharing sites. TTPs have evolved in the last two years, including the use of file-sharing sites for exfiltration in addition to open-source tools like RClone.

The user is also subject to human-operated ransomware.

The mitigations discussed in this post are focused on the data exfiltration aspects in the “hands-on-keyboard” phase of the attack.

Diagram showing the attack flow of a BazaCall, phony call center enabled style attack. The focus of Microsoft Purview mitigations on the right-most “Hands on keyboard: stage of the attack" is highlighted with an arrow.

Figure 7. BazaCall attack flow.

Microsoft Purview can help protect from BazaCall attacks

Microsoft Purview data security for Microsoft 365 is not a cure-all for phishing attacks. It is part of a defense-in-depth strategy that includes user training, antimalware, vulnerability management, email security, access control, monitoring, and response. The data security solutions within Microsoft Purview should be considered based on risk-based criteria for inclusion in the strategy.

These tools may be managed by different teams in the organization. Collaboration among these teams is critical for coordinated defense and incident response. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Purview data security mitigations for BazaCall and other human-operated data exfiltration attacks appeared first on Microsoft Security Blog.

]]>
Storm-0978 attacks reveal financial and espionage motives http://approjects.co.za/?big=en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/ Tue, 11 Jul 2023 17:30:00 +0000 Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a zero-day remote code execution vulnerability exploited via Microsoft Word documents.

The post Storm-0978 attacks reveal financial and espionage motives appeared first on Microsoft Security Blog.

]]>

August 8, 2023 update: Microsoft released security updates to address CVE-2023-36884. Customers are advised to apply patches, which supersede the mitigations listed in this blog, as soon as possible.

Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents, using lures related to the Ukrainian World Congress.

Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations. Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.

Storm-0978 is known to target organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. Storm-0978’s targeted operations have impacted government and military organizations primarily in Ukraine, as well as organizations in Europe and North America potentially involved in Ukrainian affairs. Identified ransomware attacks have impacted the telecommunications and finance industries, among others.

Microsoft 365 Defender detects multiple stages of Storm-0978 activity. Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884. In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office. Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. More mitigation recommendations are outlined in this blog.

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Targeting

Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.

The actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.

Tools and TTPs

Tools

Storm-0978 uses trojanized versions of popular, legitimate software, leading to the installation of RomCom, which Microsoft assesses is developed by Storm-0978. Observed examples of trojanized software include Adobe products, Advanced IP Scanner, Solarwinds Network Performance Monitor, Solarwinds Orion, KeePass, and Signal. To host the trojanized installers for delivery, Storm-0978 typically registers malicious domains mimicking the legitimate software (for example, the malicious domain advanced-ip-scaner[.]com).

In financially motivated attacks involving ransomware, Storm-0978 uses the Industrial Spy ransomware, a ransomware strain first observed in the wild in May 2022, and the Underground ransomware. The actor has also used the Trigona ransomware in at least one identified attack.

Additionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities. Identified exploit activity includes abuse of CVE-2023-36884, including a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass.

Ransomware activity

In known ransomware intrusions, Storm-0978 has accessed credentials by dumping password hashes from the Security Account Manager (SAM) using the Windows registry. To access SAM, attackers must acquire SYSTEM-level privileges. Microsoft Defender for Endpoint detects this type of activity with alerts such as Export of SAM registry hive.

Storm-0978 has then used the Impacket framework’s SMBExec and WMIExec functionalities for lateral movement.

Microsoft has linked Storm-0978 to previous management of the Industrial Spy ransomware market and crypter. However, since as early as July 2023, Storm-0978 began to use a ransomware variant called Underground, which contains significant code overlaps with the Industrial Spy ransomware.

Screenshot of the Storm-0978 ransom note
Figure 1. Storm-0978 ransom note references the “Underground team” and contains target-specific details of exfiltrated information

The code similarity between the two ransomware variants, as well as Storm-0978’s previous involvement in Industrial Spy operations, may indicate that Underground is a rebranding of the Industrial Spy ransomware.

Screenshot of the underground ransomware .onion site
Figure 2. Underground ransomware .onion site

Espionage activity

Since late 2022, Microsoft has identified the following campaigns attributable to Storm-0978. Based on the post-compromise activity and the nature of the targets, these operations were likely driven by espionage-related motivations:

June 2023 – Storm-0978 conducted a phishing campaign containing a fake OneDrive loader to deliver a backdoor with similarities to RomCom. The phishing emails were directed to defense and government entities in Europe and North America, with lures related to the Ukrainian World Congress. These emails led to exploitation via the CVE-2023-36884 vulnerability.

Microsoft Defender for Office 365 detected Storm-0978’s initial use of the exploit targeting CVE-2023-36884 in this phishing activity. Additional recommendations specific to this vulnerability are detailed below.

Screenshot of phishing email using Ukrainian World Congress and NATO themes
Figure 3. Storm-0978 email uses Ukrainian World Congress and NATO themes
Screenshot of the lure document with Ukrainian World Congress and NATO content
Figure 4. Storm-0978 lure document with Ukrainian World Congress and NATO content

Notably, during this campaign, Microsoft identified concurrent, separate Storm-0978 ransomware activity against an unrelated target using the same initial payloads. The subsequent ransomware activity against a different victim profile further emphasizes the distinct motivations observed in Storm-0978 attacks.

December 2022 – According to CERT-UA, Storm-0978 compromised a Ukrainian Ministry of Defense email account to send phishing emails. Identified lure PDFs attached to emails contained links to a threat actor-controlled website hosting information-stealing malware.

October 2022 – Storm-0978 created fake installer websites mimicking legitimate software and used them in phishing campaigns. The actor targeted users at Ukrainian government and military organizations to deliver RomCom and likely to obtain credentials of high-value targets.

Recommendations

Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-0978’s operations.

CVE-2023-36884 specific recommendations

August 8, 2023 update: Microsoft released security updates to address CVE-2023-36884. Customers are advised to apply patches, which supersede the mitigations below, as soon as possible.

  • Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
  • In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.
  • In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited
  • Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. 
    • No OS restart is required, but restarting the applications that have had the registry key added for them is recommended in case the value was already queried and is cached.
    • Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing. To disable the mitigation, delete the registry key or set it to “0”.
Screenshot of Registry Editor showing setting for the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key
Figure 5. Screenshot of settings for the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key to prevent exploitation of CVE-2023-36884

Detection details

Microsoft Defender for Office 365

Microsoft Defender for Office 365 customers are protected from attachments that attempt to exploit CVE-2023-36884.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects post-compromise components of this threat as the following malware:

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Emerging threat activity group Storm-0978 detected

Microsoft Sentinel

Microsoft Sentinel also has detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

The following content can be used to identify activity described in this blog post:

References

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Storm-0978 attacks reveal financial and espionage motives appeared first on Microsoft Security Blog.

]]>
Why you should practice rollbacks to prevent data loss in a ransomware attack http://approjects.co.za/?big=en-us/security/blog/2023/04/27/why-you-should-practice-rollbacks-to-prevent-data-loss-in-a-ransomware-attack/ Thu, 27 Apr 2023 16:00:00 +0000 Tanya Janca, Founder and Chief Executive Officer of We Hack Purple, shares insights on application security and offers strategies to protect against data loss from ransomware attacks.

The post Why you should practice rollbacks to prevent data loss in a ransomware attack appeared first on Microsoft Security Blog.

]]>
The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Tanya Janca, Founder and Chief Executive Officer (CEO) of We Hack Purple, who is known as SheHacksPurple and is the best-selling author of Alice and Bob Learn Application Security. The thoughts below reflect Tanya’s views, not the views of Tanya’s employer or Microsoft, and are not legal advice. In this blog post, Tanya talks about how to address ransomware attacks and the importance of security in development.

Brooke: You are known as SheHacksPurple. How did you become interested in hacking?

Tanya: I started coding as a teenager. Both of my aunts and three of my uncles are computer scientists, so learning to code did not seem out of place. I thought, “Every woman codes. Isn’t that the way?”

At college, I studied computer science and then was a software developer until around 2015, when I switched full time to security. I became more obsessed with security and software during my last two years in software development. I wanted to fix the bug and work with the penetration tester. I hustled my security team where I worked and after a year, one of them said, “We are posting a job for a security person and the job is for you. It was never for anyone else.” I joined that team.

I started speaking at conferences because you get in free, and when working for the federal government, they did not have a ton of money to fly me to another country for some cool training as part of a conference. I started getting plane tickets sent from all around the world and I flew everywhere.

Microsoft reached out and said, “We want to hire a developer advocate who understands security,” and I said, “Is this a prank call? Come on, that’s not a real job. You don’t get paid to do my hobby.” And they are like, “Yes, you do.”

Brooke: How valuable are information security certifications or any other certifications?

Tanya: Certifications have value depending on where you are in your career and the types of jobs you are looking for. There are not many application security certifications. There is one from my company, We Hack Purple. It is not widely recognized.

If you want a specific type of job, studying for a certification will teach you a lot. If you are new in your career, it shows evidence that you know something. One of the problems when you get a job in information security is that there is no clear career path and the people hiring you do not have the technical expertise to know what to ask you.

I have no certifications except for the ones from We Hack Purple. I have a college diploma and I took courses from the University of Maryland. The work I got was based on experience and mentors vouching for me. When people ask “Should I get one?” I say that if you have an active GitHub where you find bugs and fix all of them, that is evidence of skill. Sometimes, a certification helps with that, but they are not all created equal, and it costs a lot of money.

Brooke: What can companies do to protect themselves from ransomware attacks?

Tanya: Every IT department, even if you are not afraid of ransomware, should do backups and practice rollbacks. I worked somewhere once, and we had a glitch where 2,000 people lost all their work for the day. We still had copies of everything from the day before on our local machines, but a backup had not been done the night before. The backup team said it would take a month to replace that one day of work. And they said, “We don’t even know if it will work and it will copy over everything you have done in the meantime, so let’s not bother.”

I said to my boss, “We are going to save so much money because clearly we do not need them. They never practice the backup. Think of how many more developers we can hire.” Doing backups is good, but even better is practicing rollbacks so you can roll back in a reasonable amount of time and roll back more than just files. We need to roll back everything.

At We Hack Purple, we back up my machine in a special backup that no one else is in because I’m the CEO and I create most of the content. We also have a backup in the cloud and another physical backup in a different location that we do every week. If ransomware happens, I have everything backed up. There are companies that get hit with ransomware and just think, “Go away” and then they just roll everything back in an hour.

It is important to ensure that your backups are not attached to your network. Everyone has their fancy backup drive still connected to their computer and the ransomware is like “Excellent. I shall now encrypt your backup.”

About 60 percent of small businesses go out of business in the month after a cyberattack.1 Because we are such a small company, if we lose one of our people, that is a huge enough risk. But imagine we lose all their work. That is even worse.

Brooke: How can tech leaders limit the frequency and severity of a ransomware attack?

Tanya: Get training for your company on what ransomware looks like and how to defend yourselves. For instance, do not save to your local computer. Save to the cloud like everyone else. You can download local copies to your machine but emphasize what it is like to lose your work and how bad it would be.

I am getting everyone to turn on multifactor authentication because it is extra defense and could block an attack from being successful. I am a huge fan of password managers. At my company, everyone must use a password manager. They make up unique, long, and random passwords that human beings would never guess, and that computers have trouble guessing.

Helping employees protect themselves in their private life gives them even more practice using the password manager.

Brooke: At what part of a development cycle does security come in?

Tanya: We used to bring security in at the end and they would do a penetration test and it would be like shooting fish in a barrel. They would tell you all the things you have done wrong, but because it is close to go-time, they would fix one or two things, put a big bandage on it, and send it out the door.

For a long time, I would give conference talks, write blog articles, and say, “We need to shift security left,” and by left, I mean earlier in the system development lifecycle. It is cheaper, faster, and easier to fix security problems there, whether it be a design flaw or a security bug. But marketing teams got a hold of that and there are all sorts of products that have the word “shift” in the name. What they meant is buy our product, put it in your continuous integration/continuous deployment (CI/CD) pipeline, and all your dreams will come true. The term got co-opted.

Brooke: If you could impact one thing in security, what would it be and why?

Tanya: On a professional level, it would be that more universities and colleges start teaching secure coding. If they are going to work in information security, one of the classes should be about application security. I wrote my book “Alice and Bob Learn Application Security” hoping universities would teach it and they only want to teach it in cybersecurity programs. I am happy about that, but 100 percent of them refused to teach it to the computer science students and I said, “But they are the ones making all the bad code.”

On a personal level, I want information security to be inclusive of everyone. I want all the LGBTQIA people to show up. I want all the women to show up. I want people of every race and religion to show up. I want disabled people to show up. Everyone can contribute effectively, but there must be space for them.

Learn more

If you’re attending the RSA Conference, do not miss Tanya’s sessions: “Adding SAST to CI/CD, without losing any friends” on April 26, 2023, “DevSecOps worst practices” on April 27, 2023, and “Creating a great DevSecOps culture” on April 27, 2023. And to learn more about Microsoft’s DevSecOps and shift left security solutions, visit the DevSecOps tools and DevSecOps services and Microsoft Defender for DevOps pages.

Learn more about general data security from Microsoft.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


160 Percent of Companies Fail in 6 Months Because of This (It’s Not What You Think), Thomas Koulopoulos. May 11, 2017.

The post Why you should practice rollbacks to prevent data loss in a ransomware attack appeared first on Microsoft Security Blog.

]]>
MERCURY and DEV-1084: Destructive attack on hybrid environment http://approjects.co.za/?big=en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/ Fri, 07 Apr 2023 16:00:00 +0000 Microsoft detected a unique operation where threat actors carried out destructive actions in both on-premises and cloud environments.

The post MERCURY and DEV-1084: Destructive attack on hybrid environment appeared first on Microsoft Security Blog.

]]>

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. MERCURY is now tracked as Mango Sandstorm and DEV-1084 is now tracked as Storm-1084.

To learn more about the new taxonomy represents the origin, unique traits, and impact of threat actors, to get complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Microsoft Threat Intelligence has detected destructive operations enabled by MERCURY, a nation-state actor linked to the Iranian government, that attacked both on-premises and cloud environments. While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation.

Previous MERCURY attacks have been observed targeting on-premises environments, however, the impact in this case notably also included destruction of cloud resources. Microsoft assesses that MERCURY likely worked in partnership with another actor that Microsoft tracks as DEV-1084, who carried out the destructive actions after MERCURY’s successful operations had gained access to the target environment.

MERCURY likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage. DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients.

In this blog post, we detail our analysis of the observed actor activity and related tools. We also share information to the community and industry partners on ways to detect these attacks, including detection details of MERCURY and DEV-1084’s tools in Microsoft 365 Defender, Microsoft Defender for Identity, Microsoft Defender for Cloud Applications, Microsoft Defender Antivirus, and Microsoft Defender for Endpoint. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity.

Who is DEV-1084?

Microsoft tracks the destructive actions documented in this blog post as DEV-1084. DEV-1084 likely worked in partnership with MERCURY—an Iran-based actor that the US Cyber Command has publicly linked to Iran’s Ministry of Intelligence and Security (MOIS). DEV-1084 publicly adopted the DarkBit persona and presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran’s link to and strategic motivation for the attack.

The link between the DEV-1084 cluster and MERCURY was established based on the following evidence:

  • DEV-1084 operators were observed sending threatening emails from 146.70.106[.]89, an IP address previously linked to MERCURY.
  • DEV-1084 used MULLVAD VPN, the same VPN provider historically used by MERCURY.
  • DEV-1084 used Rport and a customized version of Ligolo. MERCURY has also been observed using Rport and a similar version of Ligolo in previous attacks.
  • DEV-1084 used the vatacloud[.]com domain for command and control (C2) during this incident. Microsoft assesses with high-confidence that the vatacloud[.]com domain is controlled by MERCURY operators.

Microsoft assesses that MERCURY gains access to the targets through remote exploitation of an unpatched internet-facing device. MERCURY then handed off access to DEV-1084. It is not currently clear if DEV-1084 operates independently of MERCURY and works with other Iranian actors or if DEV-1084 is an ‘effects based’ sub-team of MERCURY that only surfaces when MERCURY operators are instructed to carry out a destructive attack.

Microsoft assesses with moderate confidence that the threat actors attempted several times and succeeded to perform initial intrusion leveraging exposed vulnerable applications, for example, continuing to exploit Log4j 2 vulnerabilities in unpatched systems in July 2022.

After gaining access, the threat actors deploy several tools and leverage techniques to maintain persistence, which provide effective and continued access to compromised devices, such as the following:

  • Installing web shells
  • Adding a local user account and elevating privileges to local administrator
  • Installing legitimate remote access tools, such as RPort, Ligolo and eHorus
  • Installing a customized PowerShell script backdoor
  • Stealing credentials

Once the persistence is established, the threat actors perform extensive discovery leveraging common native Windows tools and commands such as netstat and nltest. Such reconnaissance activities were seen leveraged throughout the attack chain.

The threat actors consistently perform extensive lateral movement actions using the acquired credentials within a targeted environment. These actions mainly involved:

  • Remote scheduled tasks to launch their customized PowerShell backdoor
  • Windows Management Instrumentation (WMI) to launch commands on devices
  • Remote services to run encoded PowerShell commands

After infecting the new devices, the threat actors often installed the same persistence mechanisms as described above. Interestingly, after each main attack step, the actors did not always immediately continue their operations but would wait weeks and sometimes months before moving to the next step.

For execution and communication, the threat actors leverage several C2 servers and sometimes deploy tunnelling tools, such as Ligolo and OpenSSH, commonly leveraged to stay under the radar of security teams and solutions.

On-premises destructive impact

In observed activity, the threat actors leveraged highly privileged credentials and access to domain controllers on on-premises destructive operations to prepare for large-scale encryption of targeted devices.

To do so, they first interfered with security tools using Group Policy Objects (GPO). With defenses impaired, the threat actors proceeded to stage the ransomware payload in the NETLOGON shares on several domain controllers.

GPO was leveraged again to register a scheduled task used to launch the ransomware payload. Finally, the ransomware payload encrypted files found on the file system of the targeted devices by changing the file name extension to DARKBIT and dropped ransom notes.

Attack flow of the threat actor through initial access, execution, discovery, persistence, credential access, lateral movement, execution, impact, and communications stages.
Figure 1. On-premises attack flow

Moving from on-premises to cloud

To move from on-premises to the cloud, the threat actors had to first compromise two privileged accounts and leverage them to manipulate the Azure Active Directory (Azure AD) Connect agent. Two weeks before the ransomware deployment, the threat actors first used a compromised, highly privileged account to access the device where the Azure Active Directory (Azure AD) Connect agent is installed. We assess with high confidence that the threat actors then used the AADInternals tool to extract the plaintext credentials of a privileged Azure AD account. The threat actors then used these credentials to pivot from the on-premises environment to the Azure AD environment.

Azure AD Connect is an on-premises application for managing hybrid identities through features like password hash synchronization, pass-through authentication, objects synchronization, and others. As part of the express settings installation process, multiple accounts are created both in the on-premises (Windows Server Active Directory) and cloud (Azure AD) environments. The first account is the AD DS Connector Account. The account name is prefixed with MSOL_ and it is created with a long complex password.

AD DS Connector account example
Figure 2. Example of AD DS Connector account

This account’s permissions are set based on features enabled during the service’s installation, but in most common scenarios, the account has permissions to replicate directory changes, modify passwords, modify users, modify groups, and so on (see all the permissions here). In addition, during installation, an Azure AD account called the Azure AD Connector Account is also created. This account is used by the synchronization service to manage Azure AD objects. The account is created with a long complex password as well, and by default (if using the express settings) prefixed with Sync_[ServerName]. This user is assigned with the Directory Synchronization Accounts role (see detailed permissions of this role here). In older versions, this account might be assigned with the Global Administrator role.

Azure AD Connector account example
Figure 3. Example of an Azure AD Connector account

There are other entities detailed here that are created but are less relevant to this topic.

Extracting credentials

Two weeks before the ransomware deployment, the threat actors were observed using compromised credentials to access the Azure AD Connect device. Next, they set up an SSH tunnel to an attacker-controlled device. On a separate attacker-controlled compromised device, evidence indicates cloning of the AADInternals tool. One of the functions available in this tool’s library is Get-AADIntSyncCredentials, which allows any local administrator on a device where Azure AD Connect is installed to extract the plaintext credentials of both the Azure AD Connector account and the AD DS Connector account.

Shortly before the ransomware deployment, we observed authentication from a known attacker IP address into the Azure AD Connector cloud account. Investigating this sign-in showed that the threat actors were able to access the account on the first attempt without any guessing or modification of the password, indicating that the actors possessed the password for this account. The Azure AD Connector account is configured with single-factor authentication, making it easier for the attacker to gain entry and elevate privileges.

Cloud destructive impact

On the day of the ransomware attack, the threat actors executed multiple actions in the cloud using two privileged accounts. The first account was the compromised Azure AD Connector account, which had Global Administrator permissions as it was set up for an old solution (DirSync). For the second account, which also had Global Administrator permissions, the threat actors leveraged RDP for access into the account. Even though this account had MFA in place, the threat actors accessed it through RDP, which is an open session that evades MFA blocking their activities.

Diagram depicting how an attacker moves through the targeted devices, leverages an attacker-controlled device to extract passwords, access the admin and Azure AD Connector accounts to impersonate emails, dump emails using Exchange Web Server API, and mass delete Azure resources.
Figure 4. Pivoting to the cloud

Mass Azure resource deletion

On the same day, a successful sign-in to the Microsoft Azure environment was observed. The threat actors claimed the Global Administrator permission through Azure Privileged Identity Management (PIM) and elevated access to get permissions to the target’s management groups and Azure subscriptions. The Azure AD Connector account and the compromised administrator account were then used to perform significant destruction of the Azure environment—deleting within a few hours server farms, virtual machines, storage accounts, and virtual networks. We assess that the attacker’s goal was to cause data loss and a denial of service (DoS) of the target’s services.

Exchange Web Server API abuse

The actors went on to provide an existing legitimate OAuth application with both the full_access_as_app permission and administrator consent, which granted the threat actors full access to mailboxes through Exchange Web Services.

Screenshot of full_access_as_app permission being added to the legitimate OAuth app.
Figure 5. Adding access permission to the existing application

With the obtained cloud administrator privileges, the threat actors updated the OAuth application with certificates to conduct malicious activities.  These newly added credentials could then be used to issue access tokens and authenticate on behalf of the application to access cloud resources.

We then observed the threat actors using this application’s permissions to perform GetItem operations over many mailboxes in the target environment. They also performed thousands of search activities, which we suspect were attempts to dump mailboxes and/or search for sensitive data in them.

Email impersonation

The threat actors used the compromised administrator account to grant SMTP Send on behalf permissions to the Azure AD Connector account over a high-ranking employee’s mailbox, using the Set-Mailbox PowerShell cmdlet.

Access granted to send emails on behalf of the target's account
Figure 6. Threat actors granting access to send emails on behalf of the target’s account

Emails were then created and sent both internally and externally.

Email successfully sent through the targeted account
Figure 7. Threat actors successfully sent email through the targeted account

The timeline below summarizes the sequence of events:

Attack flow timeline of the threat actors' actions in the cloud environment
Figure 8. Cloud attack flow timeline

Mitigations for destructive attacks

The techniques used by the actors and described in this blog can be mitigated by adopting the following security measures: 

Recommendations to secure your on-prem environment

Recommendations to secure your Azure AD environment

  • Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
  • Enable continuous access evaluation – Continuous access evaluation (CAE) revokes access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.
  • Search unified audit logs for the SendAs operation to identify and track emails sent on behalf of a user mailbox.
  • Further steps and recommendation to manage, design, and secure your Azure AD environment can be found by referring to Azure Identity Management and access control security best practices.

Detections

Microsoft 365 Defender

The following alerts in Microsoft 365 Defender can be used to detect suspicious operations in Azure related to the attacker activities described in this blog, including destructive activity:

  • Access elevation by risky user
  • Suspicious Azure resource deletions
  • Suspicious Addition of an Exchange related App Role

In addition, the following alert can help detect compromised Azure AD Connect accounts:

  • Unusual activities by Azure AD Connect sync account

Microsoft Defender for Cloud Apps

For Microsoft Defender for Cloud Apps with Azure Connector enabled, the following alerts can be used to detect destructive operations in Azure:

  • Multiple storage deletion activities
  • Multiple delete VM activities

Azure AD Identity Protection

Monitor medium and high severity alerts for highly privileged accounts as they can indicate malicious activity. For example:

  • Unfamiliar sign-in properties

Find details of Azure AD Identity Protection alerts here.

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

  • Suspicious additions to sensitive groups

For relevant accounts with Honeytoken configured, the following alert can indicate malicious activity:

  • Honeytoken activity

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects attempted exploitation and post-exploitation activity and payloads. Turn on cloud-delivered protection to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block most new and unknown threats. Refer to the list of detection names related to exploitation of Log4j 2 vulnerabilities. Detections for the IOCs listed above are listed below:

  • Backdoor:PHP/Remoteshell.V
  • HackTool:Win32/LSADump
  • VirTool:Win32/RemoteExec
  • Trojan:PowerShell/Downloader.SB
  • Trojan:Win32/Nibtse.G!tsk
  • Backdoor:ASP/Shellman.SA
  • Ransom:Win64/DarkBit
  • VirTool:Win32/AtExecCommand

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint alerts with the following titles can indicate possible presence of the indicators of compromise listed below.

  • Mercury actor activity detected
  • Ransomware-linked emerging threat actor DEV-1084 detected

Reducing the attack surface

Microsoft Defender for Endpoint customers can turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat:

  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
  • Implement controlled folder access and add folders to the protected folders list to help prevent files from being altered or encrypted by ransomware. Set controlled folder access to Enabled.

Detecting Log4j 2 exploitation

Alerts that indicate threat activity related to the exploitation of the Log4j 2 exploitation should be immediately investigated and remediated. Refer to our Log4j related blogs to learn about this vulnerability and for a list of Microsoft Defender for Endpoint alerts that can indicate exploitation and exploitation attempts.

Detecting post-exploitation activity

Alerts with the following titles may indicate post-exploitation threat activity related to MERCURY activity described in this blog and should be immediately investigated and remediated. These alerts are supported on both Windows and Linux platforms:

Any alert title related to web shell threats, for example:

  • ‘WebShell’ backdoor was prevented on an IIS Web server

Any alert title that mentions the DarkBit ransomware threat or DEV-1084, for example:

  • ‘DarkBit’ ransomware was blocked
  • ‘DarkBit’ ransomware was detected
  • ‘DarkBit’ ransomware was prevented
  • Ransomware-linked emerging threat actor DEV-1084 detected

Any alert title that mentions suspicious scheduled task creation or execution, for example:

  • Suspicious scheduled task

Any alert title that mentions suspected tunneling activity, for example:

  • Suspicious SSH tunneling activity

Any alert title that mentions suspected tampering activity, for example:

  • Suspicious Microsoft Defender Antivirus exclusion
  • Microsoft Defender Antivirus tampering

Any alert title that mentions PowerShell, for example:

  • Suspicious process executed PowerShell command
  • A malicious PowerShell Cmdlet was invoked on the machine
  • Suspicious PowerShell command line
  • Suspicious PowerShell download or encoded command execution
  • Suspicious remote PowerShell execution

Any alert title related to suspicious remote activity, for example:

  • Suspicious RDP session
  • An active ‘RemoteExec’ malware was blocked
  • Suspicious service registration

Any alert related to persistence:

  • Anomaly detected in ASEP registry
  • User account created under suspicious circumstances

Any alert title that mentions credential dumping activity or tools, for example:

  • Malicious credential theft tool execution detected
  • Credential dumping activity observed
  • Mimikatz credential theft tool
  • ‘DumpLsass’ malware was blocked on a Microsoft SQL server

Microsoft Defender Vulnerability Management

In addition to the mitigations above being presented and managed through Microsoft Defender Vulnerability Management, Microsoft 365 Defender customers can use threat and vulnerability management to identify and remediate devices that are vulnerable to Log4j 2 exploitation. More comprehensive guidance on this capability can be found on this blog: Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability.

Advanced hunting queries

Microsoft 365 Defender

To locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:

// Advanced Hunting Query to surface potential Mercury PowerShell script backdoor installation

DeviceFileEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where FolderPath in~ (@"c:\programdata\db.ps1", @"c:\programdata\db.sqlite")
| summarize min(Timestamp), max(Timestamp) by DeviceId, SHA256, InitiatingProcessParentFileName

DeviceProcessEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine has_cs "-EP BYPASS -NoP -W h"
| summarize makeset(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId

// Advanced Hunting Query to surface potential Mercury PowerShell script backdoor initiating commands

DeviceProcessEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine contains_cs @"c:\programdata\db.ps1"
| summarize makeset(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId

//Advanced Hunting Query for Azure resource deletion activity

let PrivEscalation = CloudAppEvents 
| where Application == "Microsoft Azure"
| where ActionType == "ElevateAccess Microsoft.Authorization"
| where ActivityObjects has "Azure Subscription" and ActivityObjects has "Azure Resource Group"
| extend PrivEscalationTime = Timestamp
| project AccountObjectId, PrivEscalationTime ,ActionType;
CloudAppEvents
| join kind = inner PrivEscalation on AccountObjectId
| extend DeletionTime = Timestamp
| where (DeletionTime - PrivEscalationTime) <= 1h
| where Application == "Microsoft Azure"
| where ActionType has "Delete"
|summarize min(DeletionTime), TotalResourcersDeleted =count(), CountOfDistinctResources= dcount(ActionType), DistinctResources=make_set(ActionType) by AccountObjectId

//AHQ used to detect attacker abusing OAuth application during the attack

CloudAppEvents
    | where Application == "Office 365"
    | where ActionType == "Consent to application."
    | where RawEventData.ResultStatus =~ "success"
    | extend UserId = tostring(RawEventData.UserId)
    | mv-expand AdminConsent = RawEventData.ModifiedProperties 
    | where AdminConsent.Name == "ConsentContext.IsAdminConsent" and AdminConsent.NewValue == "True"
    | project ConsentTimestamp =Timestamp, UserId, AccountObjectId, ReportId, ActionType
    | join kind = leftouter (CloudAppEvents  
        | where Application == "Office 365"      
        | where ActionType == "Add app role assignment to service principal."   
        | extend PermissionAddedTo = tostring(RawEventData.Target[3].ID)
        | extend FullAccessPermission = RawEventData.ModifiedProperties 
        | extend OuthAppName = tostring(FullAccessPermission[6].NewValue) // Find app name
        | extend OAuthApplicationId = tostring(FullAccessPermission[7].NewValue) // Find appId
        | extend AppRoleValue = tostring(FullAccessPermission[1].NewValue) // Permission Level
        | where AppRoleValue == "full_access_as_app"
        | project PermissionTime=Timestamp, InitiatingUser=AccountDisplayName, OuthAppName, OAuthApplicationId, AppRoleValue, AccountObjectId, FullAccessPermission
    ) on AccountObjectId

Microsoft Sentinel

Microsoft Sentinel has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft Defender detections list above.

Microsoft Sentinel customers can use the TI Mapping analytic (a series of analytics all prefixed with “TI map”) to automatically match the indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

Indicators of compromise (IOCs)

The below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

IndicatorTypeDescription
9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ffDEV-1084 ransom payload8thCurse.exe
80bd00c0f6d5e39b542ee6e9b67b1eef97b2dbc6ec6cae87bf5148f1cf18c260DEV-1084 batch script
8dd9773c24703e803903e7a5faa088c2df9a4b509549e768f29276ef86ef96aeDEV-1084 batch script
486eb80171c086f4d184423ed7e79303ad7276834e5e5529b199f8ae5fc661f2DEV-1084 batch script
f1edff0fb16a64ac5a2ce64579d0d76920c37a0fd183d4c19219ca990f50effcDEV-1084 batch script
887ae654d69ac5ccb8835e565a449d7716d6c4747dc2fbff1f59f11723244202DEV-1084 batch script
3fba459d589cd513d2478fb4ae7c4efd6aa09e62bc3ff249a19f9a233e922061DEV-1084 batch script
0dde13e3cd2dcda522eeb565b6374c97b3ed4aa6b8ed9ff9b6224ea97bf2a584DEV-1084 batch script
afd16b9ad57eb9c26c8ae347c379c8e2b82361c7bdff5b189659674d5614854cDEV-1084 batch script
3e59d36faf2d5e6edf1d881e2043a46055c63b7c68cc08d44cc7fc1b364157ebDEV-1084 batch script
786bd97172ec0cef88f6ea08e3cb482fd15cf28ab22d37792e3a86fa3c27c975DEV-1084 batch script
36c71ce7cd38733eb66f32a8c56acd635680197f01585c5a2a846cc3cb0a8fe2DEV-1084 batch script
016967de76382c674b3a1cb912eb85ff642b2ebfe4e107fc576065f172c6ef80DEV-1084 batch script
3059844c102595172bb7f644c9a70d77a198a11f1e84539792408b1f19954e18DEV-1084 batch script
194.61.121[.]86Command and control
hxxps://pairing[.]rport[.]io/qMLc2WxDownload Rport software from it
141.95.22[.]153Command and control
193.200[.]16.3Command and control
192.52.166[.]191Command and control
45.56.162[.]111Command and control
104.194.222[.]219Command and control
192.169.6[.]88Command and control
192.52.167[.]209Command and control
webstore4tech[.]uaenorth.cloudapp.azure[.]comCommand and control
vatacloud[.]comActor-owned Rport domain
146.70.106[.]89DEV-1084 operators were observed sending threatening emails to the victim after the attack from 146.70.106[.]89, an IP address previously linked to MERCURY
b9cf785b81778e2b805752c7b839737416e3af54f64f1e40e008142e382df0c4Rport Legit remote access toolrport.exe
ab179112caadaf138241c43c4a4dccc2e3c67aeb96a151e432cfbafa18a4b436Customized Ligolo tunneling tool
46.249.35[.]243Command and control
45.86.230[.]20Command and control
6485a68ba1d335d16a1d158976e0cbfad7ab15b51de00c381d240e8b0c479f77db.ps1 Customized Script Backdoor
b155c5b3a8f4c89ba74c5c5c03d029e4202510d0cbb5e152995ab91e6809bcd7db.sqlite Customized Obfuscated Script Backdoor

NOTE: These indicators should not be considered exhaustive for this observed activity.

Microsoft Defender Threat Intelligence

Community members and customers can find summary information and all IOCs from this blog post in the linked Microsoft Defender Threat Intelligence article.

References

The post MERCURY and DEV-1084: Destructive attack on hybrid environment appeared first on Microsoft Security Blog.

]]>
DEV-0569 finds new ways to deliver Royal ransomware, various payloads http://approjects.co.za/?big=en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/ Thu, 17 Nov 2022 17:00:00 +0000 DEV-0569’s recent activity shows their reliance on malvertising and phishing in delivering malicious payloads. The group’s changes and updates in delivery and payload led to distribution of info stealers and Royal ransomware.

The post DEV-0569 finds new ways to deliver Royal ransomware, various payloads appeared first on Microsoft Security Blog.

]]>

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0569 is now tracked as Storm-0569.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Recent activity from the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors. Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation.

DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments. In the past few months, Microsoft security researchers observed the following tweaks in the group’s delivery methods:

  • Use of contact forms on targeted organizations’ websites to deliver phishing links
  • Hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to targets, and
  • Expansion of their malvertising technique by using Google Ads in one of their campaigns, effectively blending in with normal ad traffic

These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads. DEV-0569 activity uses signed binaries and delivers encrypted malware payloads. The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool Nsudo to attempt disabling antivirus solutions in recent campaigns.

In this blog we share details of DEV-0569’s tactics, techniques, and procedures (TTPs) and observed behavior in recent campaigns, which show that DEV-0569 will likely continue leveraging malvertising and phishing for initial access. We also share preventive measures that organizations can adopt to thwart DEV-0569’s delivery methods involving malicious links and phishing emails using solutions like Microsoft Defender SmartScreen and Microsoft Defender for Office 365, and to reduce the impact of the group’s follow-on activities. Microsoft Defender for Endpoint detects the DEV-0569 behavior discussed in this blog, including the code signing certificates in use and the attempts to disable Microsoft Defender Antivirus.

Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.

DEV-0569 attack chain: Delivery tactics tweaked

DEV-0569 has multiple methods for delivery of their initial payload. In some cases, DEV-0569 payloads are delivered via phishing campaigns run by other malicious actors that offer delivery of malware payloads as a service.

Historical observation of typical DEV-0569 attack begins with malicious links delivered to targets via malicious ads, fake forum pages, blog comments, or through phishing emails. These links lead to malicious files signed by the attacker using a legitimate certificate. The malicious files, which are malware downloaders known as BATLOADER, pose as installers or updates for legitimate applications like Microsoft Teams or Zoom. When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that is decrypted and launched with PowerShell commands.

Posing as legitimate software download sites

From August to October 2022, Microsoft observed DEV-0569 activity where BATLOADER, delivered via malicious links in phishing emails, posed as legitimate installers for numerous applications like TeamViewer, Adobe Flash Player, Zoom, and AnyDesk. BATLOADER was hosted on attacker-created domains posing as legitimate software download sites (anydeskos[.]com, for example) and on legitimate repositories like GitHub and OneDrive. Microsoft takes down verified malicious content from these repositories as they are found or reported.

Screenshot of a BATLOADER landing site that poses as a TeamViewer website hosting a fake installer.

Figure 1. DEV-0569 activity seen in September 2022, where the landing site hosted BATLOADER posing as a TeamViewer installer

Use of VHD file formats

Aside from using installer files, Microsoft has also observed the use of file formats like Virtual Hard Disk (VHD) impersonating legitimate software for first-stage payloads. These VHDs also contain malicious scripts that lead to the download of DEV-0569’s malware payloads.

PowerShell and batch scripts for downloading

DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network. The management tool can also be an access point for the staging and spread of ransomware.

NSudo to disable antivirus solutions

DEV-0569 also continues to tamper with antivirus products. In September and October 2022, Microsoft saw activity where DEV-0569 used the open-source NSudo tool to attempt disabling antivirus solutions.  

This diagram illustrates a typical DEV-0569 infection chain. It illustrates some of the observed tweaks in recent campaigns.

 Figure 2. High-level view of observed DEV-0569 infection chains between August to October 2022

September 2022: Adopting contact forms to gain access to targets and deliver information stealers

In September 2022, Microsoft observed a campaign using contact forms to deliver DEV-0569 payloads. Using contact forms on public websites to distribute malware has been seen in other campaigns, including IcedID malware. Attackers use this technique as a defense evasion method since contact forms can bypass email protections and appear trustworthy to the recipient.

In this campaign, DEV-0569 sent a message to targets using the contact form on these targets’ websites, posing as a national financial authority. When a contacted target responds via email, DEV-0569 replied with a message that contained a link to BATLOADER. Microsoft Defender for Office 365 detects the spoofing behavior as well as the malicious links in these emails.

The malicious links in the contact forms led to BATLOADER malware hosted on abused web services like GitHub and OneDrive. The installers launched a PowerShell script that issued multiple commands, including downloading a NirCmd command-line utility provided by freeware developer NirSoft:

nircmd elevatecmd exec hide "requestadmin.bat"

If successful, the command allows the attacker to elevate from local admin to SYSTEM rights, similar to executing a scheduled task as SYSTEM.

The PowerShell script also delivered additional executables from a remote website (e.g., updateea1[.]com), including an AES-encrypted Gozi banking trojan and the information stealer known as Vidar Stealer, which used Telegram to receive command and control (C2) information. DEV-0569 frequently diversifies their payloads and has shifted from delivering ZLoader at the beginning of 2022, possibly in response to disruption efforts against Zloader in April 2022.

September 2022: Deploying Royal ransomware

Microsoft identified instances involving DEV-0569 infection chains that ultimately facilitated human-operated ransomware attacks distributing Royal ransomware. Based on tactics observed by Microsoft, ransomware attackers likely gained access to compromised networks via a BATLOADER-delivered Cobalt Strike Beacon implant.

DEV-0569’s widespread infection base and diverse payloads likely make the group an attractive access broker for ransomware operators.

October 2022: Leveraging Google Ads to deliver BATLOADER selectively

In late October 2022, Microsoft researchers identified a DEV-0569 malvertising campaign leveraging Google Ads that point to the legitimate traffic distribution system (TDS) Keitaro, which provides capabilities to customize advertising campaigns via tracking ad traffic and user- or device-based filtering. Microsoft observed that the TDS redirects the user to a legitimate download site, or under certain conditions, to the malicious BATLOADER download site. Microsoft reported this abuse to Google for awareness and consideration for action.

Using Keitaro, DEV-0569 can use traffic filtering provided by Keitaro to deliver their payloads to specified IP ranges and targets. This traffic filtering can also aid DEV-0569 in avoiding IP ranges of known security sandboxing solutions.

Defending against DEV-0569

DEV-0569 will likely continue to rely on malvertising and phishing to deliver malware payloads. Solutions such as network protection and Microsoft Defender SmartScreen can help thwart malicious link access. Microsoft Defender for Office 365 helps guard against phishing by inspecting the email body and URL for known patterns. Since DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists. Enabling Safe Links for emails, Microsoft Teams, and Office Apps can also help address this threat.

Defenders can also apply the following mitigations to reduce the impact of this threat:

  • Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. Turn on network protection to block connections to malicious domains and IP addresses.
  • Build organizational resilience against email threats by educating users about identifying social engineering attacks and preventing malware infection. Use Attack simulation training in Microsoft Defender for Office 365 to run attack scenarios, increase user awareness, and empower employees to recognize and report these attacks.
  • Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Turn on tamper protection features to prevent attackers from stopping security services.

Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

NSudo activity is detected by the tamper protection capability as:

  • Nsudo file drop
  • Nsudo runtime
  • Nsudo AV tampering commandline

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

  • Ransomware-linked DEV-0569 activity group

While the following alerts might indicate activity associated with this threat, they could also be triggered by unrelated threat activity:

  • Ransomware-linked DEV-0858 activity group
  • Cobalt Strike activity detected
  • Cobalt Strike activity observed
  • Cobalt Strike artifact observed
  • Cobalt Strike attack tool
  • Cobalt strike named pipes
  • ‘Vidar’ credential theft malware was detected
  • ‘VidarStealer’ malware was detected
  • ‘Gozi’ malware was detected
  • An active ‘Nsudo’ hacktool in a command line was detected while executing
  • An active ‘NSudo’ hacktool process was detected while executing

The post DEV-0569 finds new ways to deliver Royal ransomware, various payloads appeared first on Microsoft Security Blog.

]]>