The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize N-days, targeting vulnerable, web-facing systems during the window between vulnerability disclosure and widespread patch adoption. Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours. The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States.

The pace of Storm-1175’s campaigns is enabled by the threat actor’s consistent use of recently disclosed vulnerabilities to obtain initial access. While the threat actor typically uses N-day vulnerabilities, we have also observed Storm-1175 leveraging zero-day exploits, in some cases a full week before public vulnerability disclosure. The threat actor has also been observed chaining together multiple exploits to enable post-compromise activity. After initial access, Storm-1175 establishes persistence by creating new user accounts, deploys various tools including remote monitoring and management software for lateral movement, conducts credential theft, and tampers with security solutions before deploying ransomware throughout the compromised environment.

In this blog post, we delve into the attack techniques attributed to Storm-1175 over several years. While Storm-1175’s methodology aligns with the tactics, techniques, and procedures (TTPs) of many tracked ransomware actors, analysis of their post-compromise tactics provides essential insights into how organizations can harden and defend against attackers like Storm-1175, informing opportunities to disrupt attackers even if they have gained initial access to a network.

Storm-1175’s rapid attack chain: From initial access to impact

Exploitation of vulnerable web-facing assets

Storm-1175 rapidly weaponizes recently disclosed vulnerabilities to obtain initial access. Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including:

• CVE-2023-21529 (Microsoft Exchange)
• CVE-2023-27351 and CVE-2023-27350 (Papercut)
• CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure)
• CVE-2024-1709 and CVE-2024-1708 (ConnectWise ScreenConnect)
• CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity)
• CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 (SimpleHelp)
• CVE‑2025‑31161 (CrushFTP)
• CVE-2025-10035 (GoAnywhere MFT)
• CVE-2025-52691 and CVE-2026-23760 (SmarterMail)
• CVE-2026-1731 (BeyondTrust)

Storm-1175 rotates exploits quickly during the time between disclosure and patch availability or adoption, taking advantage of the period where many organizations remain unprotected. In some cases, Storm-1175 has weaponized exploits for disclosed vulnerabilities in as little as one day, as was the case for CVE-2025-31324 impacting SAP NetWeaver: the security issue was disclosed on April 24, 2025, and we observed Storm-1175 exploitation soon after on April 25.

In multiple intrusions, Storm-1175 has chained together exploits to enable post-compromise activities like remote code execution (RCE). For example, in July 2023, Storm-1175 exploited two vulnerabilities affecting on-premises Microsoft Exchange Servers, dubbed “OWASSRF” by public researchers: exploitation of CVE‑2022‑41080 provided initial access by exposing Exchange PowerShell via Outlook Web Access (OWA), and Storm-1175 subsequently exploited CVE‑2022‑41082 to achieve remote code execution.

Storm-1175 has also demonstrated a capability for targeting Linux systems as well: in late 2024, Microsoft Threat Intelligence identified the exploitation of vulnerable Oracle WebLogic instances across multiple organizations, though we were unable to identify the exact vulnerability being exploited in these attacks.

Finally, we have also observed the use of at least three zero-day vulnerabilities including, most recently, CVE-2026-23760 in SmarterMail, which was exploited by Storm-1175 the week prior to public disclosure, and CVE-2025-10035 in GoAnywhere Managed File Transfer, also exploited one week before public disclosure. While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw; these factors may have helped to facilitate subsequent zero-day exploitation activity by Storm-1175, who still primarily leverages N-day vulnerabilities. Regardless, as attackers increasingly become more adept at identifying new vulnerabilities, understanding your digital footprint—such as through the use of public scanning interfaces like Microsoft Defender External Attack Surface Management—is essential to defending against perimeter network attacks.

Covert persistence and lateral movement

During exploitation, Storm-1175 typically creates a web shell or drops a remote access payload to establish their initial hold in the environment. From this point, Microsoft Threat Intelligence has observed Storm-1175 moving from initial access to ransomware deployment in as little as one day, though many of the actor’s attacks have occurred over a period of five to six days.

On the initially compromised device, the threat actor often establishes persistence by creating a new user and adding that user to the administrators group:

From this account, Storm-1175 begins their reconnaissance and lateral movement activity. Storm-1175 has a rotation of tools to accomplish these subsequent attack stages. Most commonly, we observe the use of living-off-the-land binaries (LOLBins), including PowerShell and PsExec, followed by the use of Cloudflare tunnels (renamed to mimic legitimate binaries like conhost.exe) to move laterally over Remote Desktop Protocol (RDP) and deliver payloads to new devices. If RDP is not allowed in the environment, Storm-1175 has been observed using administrator privileges to modify the Windows Firewall policy to enable Remote Desktop.

Storm-1175 has also demonstrated a heavy reliance on remote monitoring and management (RMM) tools during post-compromise activity. Since 2023, Storm-1175 has used multiple RMMs, including:

• Atera RMM
• Level RMM
• N-able
• DWAgent
• MeshAgent
• ConnectWise ScreenConnect
• AnyDesk
• SimpleHelp

While often used by enterprise IT teams, these RMM tools have multi-pronged functionality that could also allow adversaries to maintain persistence in a compromised network, create new user accounts, enable an alternative command-and-control (C2) method, deliver additional payloads, or use as an interactive remote desktop session.

In many attacks, Storm-1175 relies on PDQ Deployer, a legitimate software deployment tool that lets system administrators silently install applications, for both lateral movement and payload delivery, including ransomware deployment throughout the network.

Additionally, Storm-1175 has leveraged Impacket for lateral movement. Impacket is a collection of open-source Python classes designed for working with network protocols, and it is popular with adversaries due to ease of use and wide range of capabilities. Microsoft Defender for Endpoint has a dedicated attack surface reduction rule to defend against lateral movement techniques used by Impacket: Block process creations originating from PSExec and WMI commands); protecting lateral movement pathways can also mitigate Impacket.

Credential theft

Impacket is further used to facilitate credential dumping through LSASS; the threat actor also leveraged the commodity credential theft tool Mimikatz in identified intrusions in 2025. Additionally, Storm-1175 has relied on known living-off-the-land techniques for stealing credentials, such as by modifying the registry entry UseLogonCredential to turn on WDigest credential caching, or using Task Manager to dump LSASS credentials; for both of these attack techniques, the threat actor must obtain local administrative privileges to modify these resources. The attack surface reduction rule block credential stealing from LSASS can limit the effectiveness of this type of attack, and—more broadly—limiting the use of local administrator rights by end users. Ensuring that local administrator passwords are not shared through the environment can also reduce the risk of these LSASS dumping techniques.

We have also observed that after gaining administrator credentials, Storm-1175 has used a script to recover passwords from Veeam backup software, which is used to connect to remote hosts, therefore enabling ransomware deployment to additional connected systems.

With sufficient privileges, Storm-1175 can then use tools like PsExec to pivot to a Domain Controller, where they have accessed the NTDS.dit dump, a copy of the Active Directory database which contains user data and passwords that can be cracked offline. This privileged position has also granted Storm-1175 access to the security account manager (SAM), which provides detailed configuration and security settings, enabling an attacker to understand and manipulate the system environment on a much wider scale.

Security tampering for ransomware delivery

Storm-1175 modifies the Microsoft Defender Antivirus settings stored in the registry to tamper with the antivirus software and prevent it from blocking ransomware payloads; in order to accomplish this, an attacker must have access to highly privileged accounts that can modify the registry directly. For this reason, prioritizing alerts related to credential theft activity, which typically indicate an active attacker in the environment, is essential to responding to ransomware signals and preventing attackers from gaining privileged account access.

Storm-1175 has also used encoded PowerShell commands to add the C:\ drive to the antivirus exclusion path, preventing the security solution from scanning the drive and allowing payloads to run without any alerts. Defenders can harden against these tampering techniques by combining tamper protection with the DisableLocalAdminMerge setting, which prevents attackers from using local administrator privileges to set antivirus exclusions.

Data exfiltration and ransomware deployment

Like other ransomware as a service (RaaS) offerings, Medusa offers a leak site to facilitate double extortion operations for its affiliates: attackers not only encrypt data, but steal the data and hold it for ransom, threatening to leak the files publicly if a ransom is not paid. To that aim, Storm-1175 often uses Bandizip to collect files and Rclone for data exfiltration. Data synchronization tools like Rclone allow threat actors to easily transfer large volumes of data to a remote attacker-owned cloud resource. These tools also provide data synchronization capabilities, moving newly created or updated files to cloud resources in real-time to enable continuous exfiltration throughout all stages of the attack without needing attacker interaction.

Finally, having gained sufficient access throughout the network, Storm-1175 frequently leverages PDQ Deployer to launch a script (RunFileCopy.cmd) and deliver Medusa ransomware payloads. In some cases, Storm-1175 has alternatively used highly privileged access to create a Group Policy update to broadly deploy ransomware.

Mitigation and protection guidance

To defend against Storm-1175 TTPs and similar activity, Microsoft recommends the following mitigation measures:

• Use a perimeter scanning tool like Microsoft Defender External Attack Surface Management to understand your organization’s digital footprint and potential attack surface. Targeting web-facing vulnerabilities continues to be one of the most effective attack methods for initial access.
• Ensure any web-facing systems are isolated from the public internet with a secure network boundary and access them with a virtual private network (VPN). If certain servers must be accessible on the public internet, position them behind a web application firewall (WAF), reverse proxy, or perimeter network (also known as a DMZ), which can reduce the risk of vulnerability exploitation in some cases.
• Follow the defending against ransomware guidance in Microsoft’s ransomware as a service blog post, which details how to build credential hygiene as well as how to limit lateral movement using the principle of least privilege.
• Implement Credential Guard, a critical security feature that protects credentials stored in process memory  – in the LSA process lsass.exe. Credential Guard is turned on by default in Windows 11. However, if Credential Guard was previously disabled on a device, updating a device to Windows 11 does not override that setting, and Credential Guard will need to be re-enabled. Additionally, Credential Guard should be enabled before a device is joined to a domain or before a domain user signs in for the first time. If Credential Guard is enabled after domain join, the user and device secrets may already be compromised. Credential Guard can be enabled using Group Policy, the registry, or Microsoft Intune.
• Turn on tenant-wide tamper protection features to prevent attackers from stopping security services or using antivirus exclusions. Without tamper protection, attackers could simply turn off Microsoft Defender Antivirus without the need to acquire higher privileges.
  • Customers running Intune or Microsoft Defender for Endpoint Security Configuration can enable DisableLocalAdminMerge to prevent modification of antivirus exclusions via GPO.  
  • In addition to tamper protection, you can also enable and configure Microsoft Defender Antivirus always-on protection in Group Policy. 
  • If there is an issue with a device during roll out of various antivirus features, the device can be placed in Troubleshooting mode to turn off Tamper Protection temporarily without impacting the wider organizational security policy. 
• For approved RMM systems used in your environment, enforce security settings where possible to implement MFA. If an unapproved RMM installation is discovered in your network, reset passwords for accounts used to install the RMM services. If a System-level account was used to install the software, further investigation may be warranted.
• Configure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to remediate the attack fully.
• Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block execution of potentially obfuscated scripts
  • Block Webshell creation for Servers
  • Block process creations originating from PSExec and WMI commands (Some organizations might experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.)
  • Block execution of potentially obfuscated scripts
  • Block use of copied or impersonated system tools
  • Use advanced protection against ransomware

Microsoft Defender detections

Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Microsoft Security Copilot

Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.

Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:

• Threat Intelligence Briefing agent
• Phishing Triage agent
• Threat Hunting agent
• Dynamic Threat Detection agent

Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

• Actor profile: Storm-1175
• Tool profile: Medusa ransomware
• Threat overview profile: Human-operated ransomware  

Indicators of compromise

The following indicators are gathered from identified Storm-1175 attacks during 2026.

References

• Attackers With Decompilers Strike Again (SmarterTools SmarterMail WT-2026-0001 Auth Bypass)
• OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations appeared first on Microsoft Security Blog.

One of the primary challenges in reverse engineering malware developed with Rust lies in its layers of abstraction added through features such as memory safety and concurrency handling, making it more challenging to identify the behavior and intent of the malware. Compared to traditional languages, Rust binaries are often larger and more complex due to the incorporation of extensive library code. Consequently, reverse engineers must undertake the demanding task of distinguishing attacker-written code from standard library code, necessitating advanced expertise and specialized tools.

To address these pressing challenges, Microsoft Threat Intelligence Center has developed RIFT. RIFT underscores the growing need for specialized tools as cyber threat actors continue to leverage Rust’s features to evade detection and complicate analysis. The adoption of Rust by threat actors is a stark reminder of the ever-changing tactics employed in the cyber domain, and the increasing sophistication required to combat these threats effectively. In this blog post, we explore how threat actors are increasingly adopting Rust for malware development due to its versatility and how RIFT can be used to combat this threat by enhancing the efficiency and accuracy of Rust-based malware analysis.

Threat actors continue adopting Rust

As Rust gains popularity as a rapidly growing programming language, its use by malware authors is becoming more noticeable. Over the past five years, Microsoft Threat Intelligence Center and the broader security industry have observed financially motivated and state-supported groups increasingly using Rust for malware development.

In 2021, the group behind the notorious BlackCat ransomware was among the first significant entities in the ransomware field to write their malicious programs in Rust. Following the appearance of the first malware families written in Rust, reverse engineers indicated that such malware presents a unique challenge for analysis.

Subsequently, several other groups began developing or rewriting their tools in the programming language. Nation-state threat actors have also selectively developed their malware in Rust.

Rust as a popular language for malware development

Rust is a versatile language known for its performance, type safety, concurrency, and memory safety. While these features benefit legitimate development, they also complicate static analysis of malicious files. The community has extensively addressed many of these challenges. One of the core issues in analyzing Rust binaries is differentiating between library code and code written by malware authors.

To illustrate the significance of this problem, Microsoft Threat Intelligence Center conducted a simple experiment. A small PE EXE file that downloads data from a website and saves it on disk as sample_data.txt is generated with Microsoft 365 Copilot. The program is first compiled in C++ and then in Rust. The C++ program is compiled using Microsoft Visual C++ (MSVC) with Visual Studio 2022, in release mode for the 64-bit architecture and dynamically linked, using default settings. The Rust binary is compiled using compiler version rustc 1.89.0-nightly (16d2276fa 2025-05-16), also in release mode and with default settings.

Next, both programs are loaded into IDA Pro, and a simple complexity analysis is performed by counting and comparing the number of disassembled and identified functions. Additionally, functions are categorized as annotated or not annotated. An annotated function is one that is automatically detected by IDA’s built-in signatures or algorithms. It should be noted that IDA has capabilities to enhance library recognition, but these were not used for this experiment.

While both programs implement similar functionalities, the total number of disassembled functions in the C++ program is lower than 100, while the Rust programs pack almost 10,000 functions. Furthermore, the size of the C++ program is lower than 20 KB, while the Rust program is larger than 3 MB.

Programs written in Rust are typically statically linked, embedding all dependencies directly into the executable. As a result, binaries are larger with a high volume of functions, requiring analysts to distinguish first between third-party library code and attacker-authored logic.

To address this key problem, Microsoft Threat Intelligence Center is releasing an internally developed tool: RIFT.

This open-source project is designed to help reverse engineers and analysts more efficiently identify attacker-authored logic within Rust-based malware.

From source code to binary

Before delving into the inner workings of RIFT, it is essential to have a fundamental understanding of how Rust binaries are compiled. As illustrated in the diagram above, Rust developers typically engage with three primary components and two endpoints:

• cargo – The package manager
• rustc – The Rust compiler
• rustup – The Rust update manager
• static.rust-lang.org – S3 bucket that hosts pre-compiled compilers and toolchains
• crates.io – Rust community’s crate registry

Once a developer has conceptualized what they intend to develop, a typical workflow may proceed as follows:

1. Using the cargo tool, the developer initializes a new projected named “test”.
2. They opt not to use the latest Rust compiler but a specific version. They execute rustup install 1.84.0-x86_64-pc-windows-msvc to install the desired compiler version and configure the project to use the installed compiler.
3. They determine that their project should communicate via HTTP and incorporate a third-party dependency. They run cargo add request to install the latest version of the third-party library, request.

Following these steps will result in a fully configured project. Upon completion, the developer may run cargo build to finalize the binary, compiling the project.

Static artifacts and where to find them

Reverse engineers are usually handed the final development product of the malware author, oftentimes without information such as the compiler used or third-party dependencies. While it is highly likely that malware authors use the same tools as reverse engineers for development, no insights into the exact environment are available.

However, understanding the development toolchain can assist in quickly distinguishing library code from author written logic. Fortunately, various indicators can be extracted that provide insights.

Rust compiler version

Rust binaries typically include metadata from the compiler that identifies the Rust version used to compile the binary. A config.toml file is provided alongside pre-compiled Rust compilers and toolchains. This configuration file contains the commit hash and the corresponding Rust compiler version of the pre-compiled product. By extracting the commit hash from the final binary output, it is possible to map the Git commit hash back to the appropriate Rust compiler version by parsing all available config.toml files from the official release channels.

Rust crates

As mentioned above, cargo is used to add dependencies to a project. Next to the Git commit hash, metadata extracted from Rust binaries also include the statically linked dependencies and their versions.

The above image shows how filtering for certain strings can display which dependencies were likely statically linked into RALord ransomware.

Introducing RIFT

RIFT is an open-source tool consisting of a set of IDA Pro (supporting versions >=9.0) plugins and Python scripts that aim to assist reverse engineers and other software analysts in annotating library code in Rust malware. It essentially consists of three components:

RIFT Static Analyzer: IDA Pro plugin to extract the Rust compiler commit hash and embedded dependencies from a binary.

RIFT Generator: A Python program to automate the process of Rust compiler identification, FLIRT signature generation of used Rust compiler and dependencies, as well as automation of binary diffing.

RIFT Diff Applier: IDA Pro plugin to consume binary diffing information generated by RIFT Generator.

Extracting static information with RIFT Static Analyzer

In the previous section, we listed which indicators can be extracted from Rust binaries that give insights into which Rust compiler and dependencies were used. RIFT Static Analyzer automates the extraction process and stores the information in a JSON file for further processing. Furthermore, the plugin also extracts the architecture the binary was compiled for and the target operating system. In the below image, the target operating system is labeled as target_triple.

RIFT Generator: Automating FLIRT signature generation and auto diffing

Information gathered and stored by RIFT Static Analyzer can then be further processed by RIFT Generator.

The Python program automates the process of compilation, data collection, FLIRT signature generation, and binary comparison.

It is essentially a wrapper around the following tools:

• Cargo (Rust package manager) to manage the downloading and compiling of dependencies
• Hexray’s FLAIR tools, specifically sigmake.exe and pcf.exe, to generate FLIRT signatures
• Hexray’s text interface version of IDA, idat.exe, to automate binary analysis and disassembly
• The open-source tool Diaphora to facilitate binary diffing

The above image provides an overview of the phases RIFT Generator processes through. RIFT Generator reads the JSON file produced by RIFT Static Analyzer and downloads the corresponding Rust compiler, as well as the dependencies.

It is worth noting that upon completion of phase 1, both the code of the downloaded compiler and compiled crates are compressed as COFF files into RLIB files. RLIB is essentially a Rust-specific archive format similar to TAR. Once decompressed in phase 2, the COFF files are extracted and further processed.

FLIRT signatures and binary diffing

To provide information necessary for annotating library code in Rust binaries accurately, RIFT uses two known techniques for pattern matching: FLIRT signatures and binary diffing.

FLIRT stands for Fast Library Identification and Recognition Technology and enables IDA to identify standard library functions produced by its supported compilers. A characteristic of this technology is that library recognition is very precise. Therefore, functions that have a high similarity may not be flagged by FLIRT signatures due to their strict criteria.

Additionally, RIFT automates the process of binary diffing the collected COFF files against the target binary by leveraging IDA’s command line utility (idat.exe) and the Diaphora plugin.

In general, both approaches have their own advantages and disadvantages, which are listed below.

Consuming binary diffing information

If the binary diffing approach is applied, a second IDA plugin called RIFT Diff Applier can be used to apply the diffing results. In contrast to FLIRT signatures, the RIFT Diff Applier offers analysts an interactive, semi-manual method for identifying library code. It operates in two modes:

1. Interactive mode
2. Auto rename mode

By default, symbol names in COFF files are mangled. Consequently, if RIFT Generator generates the binary diffing information and stores it in the JSON format, the symbol names are also mangled. To address this issue, enabling Name Demangling can assist in attempting to demangle these names. We are continuously improving the tool, and currently, rust-demangler is being used for this purpose.

For both modes, a minimum similarity ratio can be specified. Functions will only be displayed or renamed if they meet or exceed the specified similarity threshold. Once the user clicks “OK”, a new window will appear in IDA with the title RIFT. Users can now right click on a function name and display the top three matching functions with the highest similarity determined through binary diffing or use the CTRL+X shortcut.

Applying RIFT on RALord ransomware

Having introduced the functionalities of RIFT, we will now examine its practical application in analyzing RALord ransomware and how RIFT’s FLIRT signature generation can be used to immensely reduce time identifying library functions in RALord.

First, RIFT Static Analyzer is used to dump the extractable dependencies, Git commit hash of the Rust compiler, target architecture, and target operating system. Next, the information is fed into RIFT Generator.

Once RIFT Generator has finished generating FLIRT signatures, they can either be loaded one by one manually or by using our script shared in the RIFT GitHub repository named “ida_apply_flirt_from_folder.py”.

The image below compares parts of the main function before and after application of RIFT. After applying the FLIRT signatures generated from the extracted dependencies and Rust compiler, the majority of library and compiler code is identified in the main function. As a result, reverse engineers can focus solely on the threat actor code instead of spending time weeding out the library code.

Applying RIFT on SPICA

In some use cases, FLIRT signature application might not be enough, for example when conducting a deep dive. RIFT’s binary diffing approach can provide additional information to improve library code recognition in addition to FLIRT signatures.

Having demonstrated the effectiveness of RIFT in applying FLIRT signatures to streamline the analysis of RALord ransomware, we now turn our focus to applying the binary diffing approach on SPICA, a backdoor written in Rust. This transition highlights scenarios where FLIRT signatures alone might be insufficient, necessitating a deeper, complementary analysis.

Similar to before, RIFT Static Analyzer is used first and the extracted information is fed into RIFT Generator. However, this time, we apply FLIRT signature generation and binary diffing.

To use the binary diffing approach, Diaphora must be used first to generate the corresponding SQLite file. It is worth noting that depending on the size of the binary and extracted dependencies, the binary diffing procedure can take multiple hours.

Once done, RIFT Diff Applier can be used to load the binary diffing output file.

A benefit of this approach is that for certain functions where FLIRT signatures failed to properly label the library function due to its strictness, RIFT Diff Applier can provide useful and reliable information where the similarity is high. Furthermore, thinking about detection engineering, the approach can also help identify or filter out potential library functions, especially when writing signatures on code segments.

Afterwords: Open sourcing RIFT

Rust’s strong performance, safety-focused design, cross-compilation support, and concurrency features have led to its increased adoption by threat actors for developing complex malware. This growing shift towards Rust represents a yet another evolution in the threat landscape, enabling attackers to create malware that is not more resistant to detection and analysis.

For malware analysts, this trend introduces a daunting set of challenges. Rust’s innovative features often result in binaries that are harder to decompile and analyze, making reverse engineering a time-intensive process. Analysts are frequently left grappling with unfamiliar patterns and library-heavy outputs, which further complicate their efforts to dissect malware and develop detection methods.

To address these challenges, we are proud to announce the open sourcing of RIFT. Designed to help accelerate Rust malware analysis by assisting reverse engineers to recognize library code in Rust malware through FLIRT signatures and binary diffing, RIFT further reinforces global efforts to equip security professionals with proper tools to defend against threats. By making RIFT freely available to the cybersecurity community, we aim to foster collaboration and innovation in combating the rise of Rust-based malware. We would like to extend a special thanks to the author of the Diaphora project for their invaluable contribution to the reverse engineering community.

Microsoft’s ongoing research and development efforts, including the creation of tools like RIFT, underscore our commitment to protecting customers and securing the cyber landscape. By enhancing the efficiency and accuracy of malware analysis, we aim to keep pace with evolving threats and ensure the safety of users worldwide. This research highlights the critical need for advanced security measures to safeguard against such increasingly sophisticated cyber threats.

References

• https://github.com/microsoft/RIFT
• https://www.security.com/threat-intelligence/noberus-blackcat-alphv-rust-ransomware
• http://approjects.co.za/?big=en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/#:~:text=Hive%20isn’t%20the%20first,data%20type%2C%20and%20thread%20safety
• https://www.trendmicro.com/en_us/research/23/e/rust-based-info-stealers-abuse-github-codespaces.html
• https://www.gdatasoftware.com/blog/2025/05/38207-asyncrat-rust
• https://www.sonicwall.com/blog/nova-raas-the-ransomware-that-spares-schools-and-nonprofits-for-now
• https://research.checkpoint.com/2023/rust-binary-analysis-feature-by-feature/
• https://doc.rust-lang.org/cargo/
• https://docs.hex-rays.com/user-guide/helper-tools
• https://github.com/joxeankoret/diaphora
• https://www.ti.com/lit/an/spraao8/spraao8.pdf?ts=1749128710998
• https://pypi.org/project/rust-demangler/
• https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/

Acknowledgments

• https://www.sentinelone.com/press/sentinelone-and-intezer-team-to-simplify-reverse-engineering-of-rust-malware/
• https://www.youtube.com/watch?v=cMIhIARmNfU

Learn more

Meet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response Center at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen resilience and elevate your security posture.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog. 

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. 

To hear stories and insights from the Microsoft Threat Intelligence community about the latest changes in the broader threat landscape, listen to the Microsoft Threat Intelligence podcast. 

The post Unveiling RIFT: Enhancing Rust malware analysis through pattern matching appeared first on Microsoft Security Blog.

In fact, over the last 18 months, our threat protection research teams have observed a 275% increase in ransomware encounters. In these cyberattacks, threat actors tend to target identities and devices for gaining initial access. Microsoft disrupts 35,000 such incidents each month. But not only has the volume of cyberattacks increased, so too has the speed of execution. Cyberattacks used to take days before affecting organizations, but today thousands of devices can be encrypted in less than five minutes.

Fortunately, the likelihood of a Microsoft Defender for Endpoint customer getting encrypted over the past 18 months has also decreased by 300%. Microsoft disabled and contained 120,000 compromised user accounts and saved more than 180,000 devices in the last six months alone.

Microsoft Defender for Endpoint

Apply AI-powered endpoint security across Windows, Linux, macOS, iOS, Android, and IoT devices. Learn more.

Microsoft delivers comprehensive endpoint protection

Not only does Microsoft have the largest market share in modern endpoint security worldwide, we see more attack data than any other security vendor. We process more than 84 trillion signals every day across data sources like novel cyberattacks, malware, ransomware, and fraud while leveraging dynamic insights from 10,000 full-time security experts. This gives us early signal into emerging threat vectors that we refactor into our detection and response systems.

Powered by AI and built on the broadest global threat and human intelligence, Microsoft Defender for Endpoint provides comprehensive protection across all platforms, from mobile to servers to IoT—including Windows, Linux, macOS, iOS, and Android. This empowers the security operations center (SOC) with industry-leading threat protection to stay one step ahead of the evolving cyberthreat landscape.

Defender for Endpoint is part of the Microsoft Defender XDR platform, natively integrated with the full breadth of security solutions that comprise our unified security operations platform.

Why do CISOs prefer Microsoft Defender for Endpoint?

Defender for Endpoint is purpose-built for the SOC and offers a series of capabilities that help you reduce your attack surface, accelerate your security workflows, and respond quicker and more effectively than ever before. These are just a few of the reasons most chief information security officers (CISOs) choose Microsoft to protect their device estate.

• Reduce your attack surface: With built-in posture management, you can monitor vulnerabilities and security configuration issues, receive prioritized alerts, and take corrective actions to mitigate risk and reduce your exposure. Auto-deployed deception techniques allow you to create an artificial attack surface in minutes, sniffing out bad actors early in the cyberattack chain.
• Accelerate your workflow with AI: Defender for Endpoint’s native integration with Microsoft Security Copilot allows you to use natural language to speed up daily tasks such as investigating and responding to incidents and prioritizing alerts. As the industry’s first generative AI, Security Copilot helps analysts by providing enriched context for faster and smarter decisions in addition to prescriptive step-by-step remediation guidance.
• Respond automatically: Automatic attack disruption is an industry-first, always-on security response capability exclusive to Microsoft. It is offered only by Microsoft Defender XDR and available within Defender for Endpoint. Powered by advanced machine learning, it can identify when a cyberattack is occurring with high confidence and block the attack.

This makes it possible to contain an active breach quickly and effectively while preventing lateral movement from the cyberattacker. It accomplishes this using high confidence signals collected from our unified platform—including endpoints, hybrid identities, apps, email, collaboration tools, cloud workloads, data security insights and third-party data. It can protect against advanced attacks like ransomware, business email compromise (BEC), and Adversary-in-the-Middle (AiTM) attacks.

Automatic attack disruption doesn’t kick in until Defender for Endpoint has reached above 99.99% confidence in the presence of a cyberattack. It dynamically responds to in-progress, hands-on-keyboard attacks—isolating compromised entities, stopping cyberattackers in their tracks, and halting ransomware attacks in three minutes on average. Unlike traditional solutions that periodically scan for known malware and solely rely on endpoint signals, attack disruption uses AI and cross-domain signals to predict an attacker’s next move and adapt its response. This means we can block lateral movement early in the cyberattack chain and stop the attacker from progressing.

For more on why CISOs prefer Defender for Endpoint, read our latest e-book or watch the video.

Defender for Endpoint in action: Thwarting ransomware when another security solution couldn’t

Here is a real-life example that demonstrates just how critical it is to have Defender for Endpoint securing your devices.

In early 2024, a multinational organization was targeted by cyberattackers. They attempted to encrypt about 2,100 user devices and about 1,000 servers. The organization had mixed deployment of endpoint vendors with Microsoft on user devices and another leading EDR vendor on their servers. There were two cyberattack waves. 

• In the first attack wave, within two minutes of Microsoft recognizing that an attack was underway, automatic attack disruption kicked in and prevented the cyberattacker from encrypting more than 2,000 devices and held steady for about three hours.
• In the second attack wave, Microsoft held strong and thwarted encryption for more than 99% of devices, whereas the cyberattacker successfully encrypted 100% of the servers that were on another vendor.

The customer has since onboarded all of their servers to Microsoft.

How to transform endpoint security at your organization

Microsoft makes it easy to secure your device estate and stay one step ahead of the cyberattackers. If you’re looking to supercharge endpoint security at your organization and keep up with the evolving cyberthreat landscape, you can get started with Microsoft Defender for Endpoint today. Begin a free trial, read the e-book, watch the video, or speak to the Microsoft Security sales team.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post How Microsoft Defender for Endpoint is redefining endpoint security appeared first on Microsoft Security Blog.

Microsoft maintains a continuous effort to protect its platforms and customers from fraud and abuse. From blocking imposters on Microsoft Azure and adding anti-scam features to Microsoft Edge, to fighting tech support fraud with new features in Windows Quick Assist, this edition of Cyber Signals takes you inside the work underway and important milestones achieved that protect customers.

We are all defenders. 

Between April 2024 and April 2025, Microsoft:

• Thwarted $4 billion in fraud attempts.
• Rejected 49,000 fraudulent partnership enrollments.
• Blocked about 1.6 million bot signup attempts per hour.

The evolution of AI-enhanced cyber scams

AI has started to lower the technical bar for fraud and cybercrime actors looking for their own productivity tools, making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate. AI software used in fraud attempts runs the gamut, from legitimate apps misused for malicious purposes to more fraud-oriented tools used by bad actors in the cybercrime underground.

AI tools can scan and scrape the web for company information, helping cyberattackers build detailed profiles of employees or other targets to create highly convincing social engineering lures. In some cases, bad actors are luring victims into increasingly complex fraud schemes using fake AI-enhanced product reviews and AI-generated storefronts, where scammers create entire websites and e-commerce brands, complete with fake business histories and customer testimonials. By using deepfakes, voice cloning, phishing emails, and authentic-looking fake websites, threat actors seek to appear legitimate at wider scale.

According to the Microsoft Anti-Fraud Team, AI-powered fraud attacks are happening globally, with much of the activity coming from China and Europe, specifically Germany due in part to Germany’s status as one of the largest e-commerce and online services markets in the European Union (EU). The larger a digital marketplace in any region, the more likely a proportional degree of attempted fraud will take place.

E-commerce fraud

Fraudulent e-commerce websites can be set up in minutes using AI and other tools requiring minimal technical knowledge. Previously, it would take threat actors days or weeks to stand up convincing websites. These fraudulent websites often mimic legitimate sites, making it challenging for consumers to identify them as fake. 

Using AI-generated product descriptions, images, and customer reviews, customers are duped into believing they are interacting with a genuine merchant, exploiting consumer trust in familiar brands.

AI-powered customer service chatbots add another layer of deception by convincingly interacting with customers. These bots can delay chargebacks by stalling customers with scripted excuses and manipulating complaints with AI-generated responses that make scam sites appear professional.

In a multipronged approach, Microsoft has implemented robust defenses across our products and services to protect customers from AI-powered fraud. Microsoft Defender for Cloud provides comprehensive threat protection for Azure resources, including vulnerability assessments and threat detection for virtual machines, container images, and endpoints.

Microsoft Edge features website typo protection and domain impersonation protection using deep learning technology to help users avoid fraudulent websites. Edge has also implemented a machine learning-based Scareware Blocker to identify and block potential scam pages and deceptive pop-up screens with alarming warnings claiming a computer has been compromised. These attacks try to frighten users into calling fraudulent support numbers or downloading harmful software.

Job and employment fraud

The rapid advancement of generative AI has made it easier for scammers to create fake listings on various job platforms. They generate fake profiles with stolen credentials, fake job postings with auto-generated descriptions, and AI-powered email campaigns to phish job seekers. AI-powered interviews and automated emails enhance the credibility of job scams, making it harder for job seekers to identify fraudulent offers.

To prevent this, job platforms should introduce multifactor authentication for employer accounts to make it harder for bad actors to take over legitimate hirers’ listings and use available fraud-detection technologies to catch suspicious content.

Fraudsters often ask for personal information, such as resumes or even bank account details, under the guise of verifying the applicant’s information. Unsolicited text and email messages offering employment opportunities that promise high pay for minimal qualifications are typically an indicator of fraud.

Employment offers that include requests for payment, offers that seem too good to be true, unsolicited offers or interview requests over text message, and a lack of formal communication platforms can all be indicators of fraud.

Tech support scams

Tech support scams are a type of fraud where scammers trick victims into unnecessary technical support services to fix a device or software problems that don’t exist. The scammers may then gain remote access to a computer—which lets them access all information stored on it, and on any network connected to it or install malware that gives them access to the computer and sensitive data.

Tech support scams are a case where elevated fraud risks exist, even if AI does not play a role. For example, in mid-April 2024, Microsoft Threat Intelligence observed the financially motivated and ransomware-focused cybercriminal group Storm-1811 abusing Windows Quick Assist software by posing as IT support. Microsoft did not observe AI used in these attacks; Storm-1811 instead impersonated legitimate organizations through voice phishing (vishing) as a form of social engineering, convincing victims to grant them device access through Quick Assist. 

Quick Assist is a tool that enables users to share their Windows or macOS device with another person over a remote connection. Tech support scammers often pretend to be legitimate IT support from well-known companies and use social engineering tactics to gain the trust of their targets. They then attempt to employ tools like Quick Assist to connect to the target’s device. 

Quick Assist and Microsoft are not compromised in these cyberattack scenarios; however, the abuse of legitimate software presents risk Microsoft is focused on mitigating. Informed by Microsoft’s understanding of evolving cyberattack techniques, the company’s anti-fraud and product teams work closely together to improve transparency for users and enhance fraud detection techniques. 

The Storm-1811 cyberattacks highlight the capability of social engineering to circumvent security defenses. Social engineering involves collecting relevant information about targeted victims and arranging it into credible lures delivered through phone, email, text, or other mediums. Various AI tools can quickly find, organize, and generate information, thus acting as productivity tools for cyberattackers. Although AI is a new development, enduring measures to counter social engineering attacks remain highly effective. These include increasing employee awareness of legitimate helpdesk contact and support procedures, and applying Zero Trust principles to enforce least privilege across employee accounts and devices, thereby limiting the impact of any compromised assets while they are being addressed. 

Microsoft has taken action to mitigate attacks by Storm-1811 and other groups by suspending identified accounts and tenants associated with inauthentic behavior. If you receive an unsolicited tech support offer, it is likely a scam. Always reach out to trusted sources for tech support. If scammers claim to be from Microsoft, we encourage you to report it directly to us at http://approjects.co.za/?big=reportascam. 

Building on the Secure Future Initiative (SFI), Microsoft is taking a proactive approach to ensuring our products and services are “Fraud-resistant by Design.” In January 2025, a new fraud prevention policy was introduced: Microsoft product teams must now perform fraud prevention assessments and implement fraud controls as part of their design process. 

Recommendations

• Strengthen employer authentication: Fraudsters often hijack legitimate company profiles or create fake recruiters to deceive job seekers. To prevent this, job platforms should introduce multifactor authentication and Verified ID as part of Microsoft Entra ID for employer accounts, making it harder for unauthorized users to gain control.
• Monitor for AI-based recruitment scams: Companies should deploy deepfake detection algorithms to identify AI-generated interviews where facial expressions and speech patterns may not align naturally.
• Be cautious of websites and job listings that seem too good to be true: Verify the legitimacy of websites by checking for secure connections (https) and using tools like Microsoft Edge’s typo protection.
• Avoid providing personal information or payment details to unverified sources: Look for red flags in job listings, such as requests for payment or communication through informal platforms like text messages, WhatsApp, nonbusiness Gmail accounts, or requests to contact someone on a personal device for more information.

Using Microsoft’s security signal to combat fraud

Microsoft is actively working to stop fraud attempts using AI and other technologies by evolving large-scale detection models based on AI, such as machine learning, to play defense by learning from and mitigating fraud attempts. Machine learning is the process that helps a computer learn without direct instruction using algorithms to discover patterns in large datasets. Those patterns are then used to create a comprehensive AI model, allowing for predictions with high accuracy.

We have developed in-product safety controls that warn users about potential malicious activity and integrate rapid detection and prevention of new types of attacks.

Our fraud team has developed domain impersonation protection using deep-learning technology at the domain creation stage, to help protect against fraudulent e-commerce websites and fake job listings. Microsoft Edge has incorporated website typo protection, and we have developed AI-powered fake job detection systems for LinkedIn.

Microsoft Defender Smartscreen is a cloud-based security feature that aims to prevent unsafe browsing habits by analyzing websites, files, and applications based on their reputation and behavior. It is integrated into Windows and the Edge browser to help protect users from phishing attacks, malicious websites, and potentially harmful downloads.

Furthermore, Microsoft’s Digital Crimes Unit (DCU) partners with others in the private and public sector to disrupt the malicious infrastructure used by criminals perpetuating cyber-enabled fraud. The team’s longstanding collaboration with law enforcement around the world to respond to tech support fraud has resulted in hundreds of arrests and increasingly severe prison sentences worldwide. The DCU is applying key learnings from past actions to disrupt those who seek to abuse generative AI technology for malicious or fraudulent purposes. 

Quick Assist features and remote help combat tech support fraud

To help combat tech support fraud, we have incorporated warning messages to alert users about possible tech support scams in Quick Assist before they grant access to someone approaching them purporting to be an authorized IT department or other support resource.

Windows users must read and click the box to acknowledge the security risk of granting remote access to the device.

Microsoft has significantly enhanced Quick Assist protection for Windows users by leveraging its security signal. In response to tech support scams and other threats, Microsoft now blocks an average of 4,415 suspicious Quick Assist connection attempts daily, accounting for approximately 5.46% of global connection attempts. These blocks target connections exhibiting suspicious attributes, such as associations with malicious actors or unverified connections.

Microsoft’s continual focus on advancing Quick Assist safeguards seeks to counter adaptive cybercriminals, who previously targeted individuals opportunistically with fraudulent connection attempts, but more recently have sought to target enterprises with more organized cybercrime campaigns that Microsoft’s actions have helped disrupt.

Our Digital Fingerprinting capability, which leverages AI and machine learning, drives these safeguards by providing fraud and risk signals to detect fraudulent activity. If our risk signals detect a possible scam, the Quick Assist session is automatically ended. Digital Fingerprinting works by collecting various signals to detect and prevent fraud.

For enterprises combating tech support fraud, Remote Help is another valuable resource for employees. Remote Help is designed for internal use within an organization and includes features that make it ideal for enterprises.

By reducing scams and fraud, Microsoft aims to enhance the overall security of its products and protect its users from malicious activities.

Consumer protection tips

Fraudsters exploit psychological triggers such as urgency, scarcity, and trust in social proof. Consumers should be cautious of:

• Impulse buying—Scammers create a sense of urgency with “limited-time” deals and countdown timers.
• Trusting fake social proof—AI generates fake reviews, influencer endorsements, and testimonials to appear legitimate.
• Clicking on ads without verification—Many scam sites spread through AI-optimized social media ads. Consumers should cross-check domain names and reviews before purchasing.
• Ignoring payment security—Avoid direct bank transfers or cryptocurrency payments, which lack fraud protections.

Job seekers should verify employer legitimacy, be on the lookout for common job scam red flags, and avoid sharing personal or financial information with unverified employers.

• Verify employer legitimacy—Cross-check company details on LinkedIn, Glassdoor, and official websites to verify legitimacy.
• Notice common job scam red flags—If a job requires upfront payments for training materials, certifications, or background checks, it is likely a scam. Unrealistic salaries or no-experience-required remote positions should be approached with skepticism. Emails from free domains (such as johndoehr@gmail.com instead of hr@company.com) are also typically indicators of fraudulent activity.
• Be cautious of AI-generated interviews and communications—If a video interview seems unnatural, with lip-syncing delays, robotic speech, or odd facial expressions, it could be deepfake technology at work. Job seekers should always verify recruiter credentials through the company’s official website before engaging in any further discussions.
• Avoid sharing personal or financial information—Under no circumstances should you provide a Social Security number, banking details, or passwords to an unverified employer.

Microsoft is also a member of the Global Anti-Scam Alliance (GASA), which aims to bring governments, law enforcement, consumer protection organizations, financial authorities and providers, brand protection agencies, social media, internet service providers, and cybersecurity companies together to share knowledge and protect consumers from getting scammed.

Recommendations

• Remote Help: Microsoft recommends using Remote Help instead of Quick Assist for internal tech support. Remote Help is designed for internal use within an organization and incorporates several features designed to enhance security and minimize the risk of tech support hacks. It is engineered to be used only within an organization’s tenant, providing a safer alternative to Quick Assist.
• Digital Fingerprinting: This identifies malicious behaviors and ties them back to specific individuals. This helps in monitoring and preventing unauthorized access.
• Blocking full control requests: Quick Assist now includes warnings and requires users to check a box acknowledging the security implications of sharing their screen. This adds a layer of helpful “security friction” by prompting users who may be multitasking or preoccupied to pause to complete an authorization step.

Kelly Bissell: A cybersecurity pioneer combating fraud in the new era of AI

Kelly Bissell’s journey into cybersecurity began unexpectedly in 1990. Initially working in computer science, Kelly was involved in building software for healthcare patient accounting and operating systems at Medaphis and Bellsouth, now AT&T.

His interest in cybersecurity was sparked when he noticed someone logged into a phone switch attempting to get free long-distance calls and traced the intruder back to Romania. This incident marked the beginning of Kelly’s career in cybersecurity.

“I stayed in cybersecurity hunting for bad actors, integrating security controls for hundreds of companies, and helping shape the NIST security frameworks and regulations such as FFIEC, PCI, NERC-CIP,” he explains.

Currently, Kelly is Corporate Vice President of Anti-Fraud and Product Abuse within Microsoft Security. Microsoft’s fraud team employs machine learning and AI to build better detection code and understand fraud operations. They use AI-powered solutions to detect and prevent cyberthreats, leveraging advanced fraud detection frameworks that continuously learn and evolve.

“Cybercrime is a trillion-dollar problem, and it’s been going up every year for the past 30 years. I think we have an opportunity today to adopt AI faster so we can detect and close the gap of exposure quickly. Now we have AI that can make a difference at scale and help us build security and fraud protections into our products much faster.”

Previously Kelly managed the Microsoft Detection and Response Team (DART) and created the Global Hunting, Oversight, and Strategic Triage (GHOST) team that detected and responded to attackers such as Storm-0558 and Midnight Blizzard.

Prior to Microsoft, during his time at Accenture and Deloitte, Kelly collaborated with companies and worked extensively with government agencies like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation, where he helped build security systems inside their operations.

His time as Chief Information Security Officer (CISO) at a bank exposed him to addressing both cybersecurity and fraud, leading to his involvement in shaping regulatory guidelines to protect banks and eventually Microsoft.

Kelly has also played a significant role in shaping regulations around the National Institute of Standards and Technology (NIST) and Payment Card Industry (PCI) compliance, which helps ensure the security of businesses’ credit card transactions, among others.

Internationally, Kelly played a crucial role in helping establish agencies and improve cybersecurity measures. As a consultant in London, he helped stand up the United Kingdom’s National Cyber Security Centre (NCSC), which is part of the Government Communications Headquarters (GCHQ), the equivalent of CISA. Kelly’s efforts in content moderation with several social media companies, including YouTube, were instrumental in removing harmful content.

That’s why he’s excited about Microsoft’s partnership with GASA. GASA brings together governments, law enforcement, consumer protection organizations, financial authorities, internet service providers, cybersecurity companies, and others to share knowledge and define joint actions to protect consumers from getting scammed.

“If I protect Microsoft, that’s good, but it’s not sufficient. In the same way, if Apple does their thing, and Google does their thing, but if we’re not working together, we’ve all missed the bigger opportunity. We must share cybercrime information with each other and educate the public. If we can have a three-pronged approach of tech companies building security and fraud protection into their products, public awareness, and sharing cybercrime and fraudster information with law enforcement, I think we can make a big difference,” he says.

Next steps with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Methodology: Microsoft platforms and services, including Azure, Microsoft Defender for Office, Microsoft Threat Intelligence, and Microsoft Digital Crimes Unit (DCU), provided anonymized data on threat actor activity and trends. Additionally, Microsoft Entra ID provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and telemetry from Microsoft platforms and services. The $4 billion figure represents an aggregated total of fraud and scam attempts against Microsoft and our customers in consumer and enterprise segments (in 12 months).

The post Cyber Signals Issue 9 | AI-powered deception: Emerging fraud threats and countermeasures appeared first on Microsoft Security Blog.

The evolution of ransomware attacks

Modern ransomware campaigns are meticulously planned. Cyberattackers understand that their chances of securing a ransom increase significantly if they can inflict widespread damage across a victim’s environment. The rationale is simple: paying the ransom becomes the most viable option when the alternative—restoring the environment and recovering data—is technically unfeasible, time-consuming, and costly.

This level of damage happens in minutes and even seconds, where bad actors embed themselves within an organization’s environment, laying the groundwork for a coordinated cyberattack that can encrypt dozens, hundreds, or even thousands of devices within minutes. To execute such a campaign, threat actors must overcome several challenges such as evading protection, mapping the network, maintaining their code execution ability, and preserving persistency in the environment, building their way to securing two major prerequisites necessary to execute ransomware on multiple devices simultaneously:

• High-privilege accounts: Whether cyberattackers choose to drop files and encrypt the devices locally or perform remote operations over the network, they must obtain the ability to authenticate to a device. In an on-premises environment, cyberattackers usually target domain admin accounts or other high-privilege accounts, as those can authenticate to the most critical resources in the environment.
• Access to central network assets: To execute the ransomware attack as fast and as wide as possible, threat actors aim to achieve access to a central asset in the network that is exposed to many endpoints. Thus, they can leverage the possession of high-privilege accounts and connect to all devices visible in their line of sight.

The role of domain controllers in ransomware campaigns

Domain controllers are the backbone of any on-premises environment, managing identity and access through Active Directory (AD). They play a pivotal role in enabling cyberattackers to achieve their goals by fulfilling two critical requirements:

1. Compromising highly privileged accounts

Domain controllers house the AD database, which contains sensitive information about all user accounts, including highly privileged accounts like domain admins. By compromising a domain controller, threat actors can:

• Extract password hashes: Dumping the NTDS.dit file allows cyberattackers to obtain password hashes for every user account.
• Create and elevate privileged accounts: Cyberattackers can generate new accounts or manipulate existing ones, assigning them elevated permissions, ensuring continued control over the environment.

With these capabilities, cyberattackers can authenticate as highly privileged users, facilitating lateral movement across the network. This level of access enables them to deploy ransomware on a scale, maximizing the impact of their attack.

2. Exploiting centralized network access

Domain controllers handle crucial tasks like authenticating users and devices, managing user accounts and policies, and keeping the AD database consistent across the network. Because of these important roles, many devices need to interact with domain controllers regularly to ensure security, efficient resource management, and operational continuity. That’s why domain controllers need to be central in the network and accessible to many endpoints, making them a prime target for cyberattackers looking to cause maximum damage with ransomware attacks.

Given these factors, it’s no surprise that domain controllers are frequently at the center of ransomware operations. Cyberattackers consistently target them to gain privileged access, move laterally, and rapidly deploy ransomware across an environment. We’ve seen in more than 78% of human-operated cyberattacks, threat actors successfully breach a domain controller. Additionally, in more than 35% of cases, the primary spreader device—the system responsible for distributing ransomware at scale—is a domain controller, highlighting its crucial role in enabling widespread encryption and operational disruption.

Case study: Ransomware attack using a compromised domain controller

In one notable case, a small-medium manufacturer fell victim to a well-known, highly skilled threat actor attempting to execute a widespread Akira ransomware attack:

Pre domain-compromise activity

After gaining initial access, presumably through leveraging the customer’s VPN infrastructure, and prior to obtaining domain admin privileges, the cyberattackers initiated a series of actions focused on mapping potential assets and escalating privileges. A wide, remote execution of secrets dump is detected on Microsoft Defender for Endpoint-onboarded devices and User 1 (domain user) is contained by attack disruption.

Post domain-compromise activity

Once securing domain admin (User 2) credentials, potentially through leveraging the victim’s non-onboarded estate, the attacker immediately attempts to connect to the victim’s domain controller (DC1) using Remote Desktop Protocol (RDP) from the cyberattacker’s controlled device. When gaining access to DC1, the cyberattacker leverages the device to perform the following set of actions:

• Reconnaissance—The cyberattacker leverages the domain controller’s wide network visibility and high privileges to map the network using different tools, focusing on servers and network shares.
• Defense evasion—Leveraging the domain controller’s native group policy functionality, the cyberattacker attempts to tamper with the victim’s antivirus by modifying security-related group policy settings.
• Persistence—The cyberattacker leverages the direct access to Active Directory, creating new domain users (User 3 and User 4) and adding them to the domain admin group, thus establishing a set of highly privileged users that would later on be used to execute the ransomware attack.

Encryption over the network

Once the cyberattacker takes control over a set of highly privileged users, this provides them access to any domain-joined resource, including comprehensive network access and visibility. It will also allow them to set up tools for the encryption phase of the cyberattack.

Assuming they’re able to validate a domain controller’s effectiveness, they begin by running the payload locally on the domain controller. Attack disruption detects the threat actor’s attempt to run the payload and contains User 2, User 3, and the cyberattacker-controlled device used to RDP to the domain controller.

After successfully containing Users 2 and 3, the cyberattacker proceeded to log in to the domain controller using User 4, who had not yet been utilized. After logging into the device, the cyberattacker attempted to encrypt numerous devices over the network from the domain controller, leveraging the access provided by User 4.

Attack disruption detects the initiation of encryption over the network and automatically granularly contains device DC1 and User 4, blocking the attempted remote encryption on all Microsoft Defender for Endpoint-onboarded and targeted devices.

Protecting your domain controllers

Given the central role of domain controllers in ransomware attacks, protecting them is critical to preventing large-scale damage. However, securing domain controllers is particularly challenging due to their fundamental role in network operations. Unlike other endpoints, domain controllers must remain highly accessible to authenticate users, enforce policies, and manage resources across the environment. This level of accessibility makes it difficult to apply traditional security measures without disrupting business continuity. Hence, security teams constantly face the complex challenge of striking the right balance between security and operational functionality.

To address this challenge, Defender for Endpoint introduced contain high value assets (HVA), an expansion of our contain device capability designed to automatically contain HVAs like domain controllers in a granular manner. This feature builds on Defender for Endpoint’s capability to classify device roles and criticality levels to deliver a custom, role-based containment policy, meaning that if a sensitive device, such a domain controller, is compromised, it is immediately contained in less than three minutes, preventing the cyberattacker from moving laterally and deploying ransomware, while at the same time maintaining the operational functionality of the device. The ability of the domain controller to distinguish between malicious and benign behavior helps keep essential authentication and directory services up and running. This approach provides rapid, automated cyberattack containment without sacrificing business continuity, allowing organizations to stay resilient against sophisticated human-operated cyberthreats.

Now your organization’s domain controllers can leverage automatic attack disruption as an extra line of defense against malicious actors trying to overtake high value assets and exert costly ransomware attacks.

Learn more

Explore these resources to stay updated on the latest automatic attack disruption capabilities:

• Learn more about Microsoft Defender for Endpoint.
• Read about the new containment features.
• Learn how attack disruption safeguards your domain controllers in this video.
• Check out our latest infographic.
• Read about automatic attack disruption.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Average cost per data breach in the United States 2006-2024, Ani Petrosyan. October 10, 2024.

The post How cyberattackers exploit domain controllers using ransomware appeared first on Microsoft Security Blog.

Prior to 2020, there was an unspoken rule of threat actors to not launch attacks against schools and children, infrastructure, and healthcare organizations.¹ However, that “rule” no longer applies, and in the past four years the healthcare threat landscape has seen tremendous shifts for the worse.

To put this shift into context, consider these trends from the Microsoft Threat Intelligence report showing healthcare cybersecurity challenges:

• Healthcare is one of the top 10 most targeted industries in the second quarter of 2024²—and has been for the past four quarters.
• Ransomware attacks are costly, with healthcare organizations losing an average of $900,000 per day on downtime alone.³
• In a recent study, out of the 99 healthcare organizations that admitted to paying a ransom and disclosed the ransom paid, the average payment was $4.4 million.⁴

The serious impact of ransomware on healthcare

While the potential financial risk for healthcare organizations is high, lives are at stake because ransomware attacks impact patient outcomes. If healthcare providers are not able to use diagnostic equipment or access patient medical records because it’s under ransom, care will be disrupted.

Healthcare facilities located near hospitals that are impacted by ransomware are also affected because they experience a surge of patients needing care and are unable to support them in an urgent manner. As a result, patients can experience longer wait times, which studies show could lead to more severe stroke cases and heart attack cases.⁵

These attacks don’t just impact facilities in large cities; in fact, rural health clinics are also a target for cyberattacks. They are particularly vulnerable to ransomware incidents because they often have limited means to prevent and remediate security risks. This can be devastating for a community as these hospitals are often the only healthcare option for many miles in the communities they serve.  

Why healthcare is an appealing target for threat actors

Healthcare organizations collect and store extremely sensitive data, which likely contributes to threat actors targeting them in ransomware attacks. However, a more significant reason these facilities are at risk is the potential for huge financial payouts. As referenced earlier, lives are at stake and healthcare facilities committed to patient care can’t risk poor patient outcomes if their systems are taken down. They also can’t risk their patients’ data being exposed if they don’t pay the ransom. That reputation for paying ransoms—for understandable reasons—makes them a target.

Healthcare facilities are also targeted because of their limited security resources and cybersecurity investments to defend against these threats compared to other sectors. Facilities often lack staff dedicated to cybersecurity and in fact, some facilities don’t have a chief information security officer (CISO) or dedicated security operations center at all. Instead, their IT department may be tasked with managing cybersecurity. Doctors, nurses, and healthcare staff may not have received any cybersecurity training or know the signs to look for to identify a phishing email.

How cyber criminals target healthcare organizations

Financially motivated cyber criminals are using an evolving set of ransomware tactics on healthcare organizations. One common approach involves two steps. First, they gain access to an organization’s network, often using social engineering tactics through a phishing email or text. Then, they use that access to deploy ransomware to encrypt and lock healthcare systems and data so they can seek a ransom for their release.

“Once ransomware is deployed, attackers typically move quickly to encrypt critical systems and data, often within a matter of hours,” said Jack Mott of Microsoft Threat Intelligence in the Microsoft ransomware report. “They target essential infrastructure, such as patient records, diagnostic systems, and even billing operations, to maximize the impact and pressure on healthcare organizations to pay the ransom.”

Social engineering tactics often involve convincing the email recipient to act in ways they normally wouldn’t, such as clicking on an unknown link, and using the tactics of urgency, emotion, and habit. Social engineering fraud is a serious problem. In just this fiscal year, a staggering 389 healthcare institutions across the United States fell victim to ransomware attacks, according to the 2024 Microsoft Digital Defense Report.⁶ The aftermath was severe, resulting in network closures, offline systems, delays in critical medical operations, and rescheduled appointments.

Another common approach is ransomware as a service (RaaS), a cybercrime business model growing in popularity. The RaaS model is an agreement between an operator, who develops extortion tools, and an affiliate, who deploys the ransomware. Both parties benefit from a successful ransomware and extortion attack, and it’s “democratized access to sophisticated ransomware tools,” Mott said. This model enables cyber criminals without the means of developing their own tools to launch their nefarious activities. Sometimes, they may simply purchase network access from a cybercrime group that has already breached a network. RaaS severely widens the risk to healthcare organizations, making ransomware more accessible and frequent.

Cybercrime tactics continue to grow in sophistication. Microsoft is continually tracking the latest cybercrime threats to support our customers and increase the knowledge of the entire global community. These threats include actions by threat actor groups Vanilla Tempest and Sangria Tempest, which are known for their financially motivated criminal activities.

Take a collective defense approach to boost your cyber resilience and visibility

We recognize that not all organizations have a robust cybersecurity team or even the resources to enable a cybersecurity resilience strategy. This is why it is important for us as a community to come together and share best practices, tools, and guidance. We encourage your organization to collaborate with regional, national, and global healthcare organizations such as Health-ISAC (Information Sharing and Analysis Centers). The Health-ISAC provides healthcare organizations with platforms to exchange threat intelligence. Health-ISAC Chief Security Officer Errol Weiss says these organizations are like “virtual neighborhood watch programs,” sharing threat experiences and defense strategies. 

It’s also important to foster a security-first mindset among healthcare staff. Dr. Christian Dameff and Dr. Jeff Tully, Co-directors of the University of California San Diego Center for Healthcare Cybersecurity, emphasize that breaking down silos between IT security teams, emergency managers, and clinical staff to develop cohesive incident response plans is key. They also recommend running high-fidelity clinical simulations that expose doctors and nurses to real-world cyberattack scenarios.

For rural hospitals that provide critical services to the communities they serve across the US, Microsoft created the Microsoft Cybersecurity Program for Rural Hospitals, which provides affordable access to Microsoft security solutions, builds cybersecurity capacity, and helps solve root challenges through innovation.

For healthcare organizations that have the resources, as part of this report we provide guidance on how to:

• Establish a robust governance framework.
• Create an incident response and detection plan. Then be prepared to execute it efficiently during an actual attack to minimize damage and ensure a quick recovery.
• Implement continuous monitoring and real-time detection capabilities.
• Educate your organization using our cybersecurity awareness and education #BeCyberSmart Kit.
• Harness more resilience strategies found in the report.

Given the serious cyberthreats against healthcare organizations, it’s critical to protect your assets by understanding the situation and taking steps to prevent it. For more details on the current healthcare cyberthreat landscape and ransomware threats, and for more in-depth guidance on boosting resilience, read the “US healthcare at risk: Strengthening resiliency against ransomware attacks” report and watch our healthcare threat intelligence briefing video, which is included in the report. To stay up-to-date on the latest threat intelligence insights and get actionable guidance for your security efforts, bookmark Microsoft Security Insider.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹How to protect your networks from ransomware, justice.gov.

²Threat Landscape: Healthcare and Public Health Sector, April 2024. Microsoft Threat Intelligence.

³On average, healthcare organizations lose $900,000 per day to downtime from ransomware attacks, Comparitech. March 6, 2024.

⁴Healthcare Ransomware Attacks Continue to Increase in Number and Severity, The HIPAA Journal. September 2024.

⁵Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US, JAMA Network. May 8, 2023.

⁶Microsoft Digital Defense Report 2024.

The post Microsoft Threat Intelligence healthcare ransomware report highlights need for collective industry action appeared first on Microsoft Security Blog.

Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations.

Storm-0501 has been active as early as 2021, initially observed deploying the Sabbath(54bb47h) ransomware in attacks targeting US school districts, publicly leaking data for extortion, and even directly messaging school staff and parents. Since then, most of the threat actor’s attacks have been opportunistic, as the group began operating as a ransomware-as-a-service (RaaS) affiliate deploying multiple ransomware payloads developed and maintained by other threat actors over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. The threat actor was also recently observed targeting hospitals in the US.

Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environment to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises. Microsoft previously observed threat actors such as Octo Tempest and Manatee Tempest targeting both on-premises and cloud environments and exploiting the interfaces between the environments to achieve their goals.

As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations. Microsoft is committed to helping customers understand these attacks and build effective defenses against them.

In this blog post, we will go over Storm-0501’s tactics, techniques, and procedures (TTPs), typical attack methods, and expansion to the cloud. We will also provide information on how Microsoft detects activities related to this kind of attack, as well as provide mitigation guidance to help defenders protect their environment.

Analysis of the recent Storm-0501 campaign

On-premises compromise

Initial access and reconnaissance

Storm-0501 previously achieved initial access through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, leveraging possibly stolen compromised credentials to sign in to the target system, or exploiting various known remote code execution vulnerabilities in unpatched public-facing servers. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203). In cases observed by Microsoft, these initial access techniques, combined with insufficient operational security practices by the targets, provided the threat actor with administrative privileges on the target device.

After gaining initial access and code execution capabilities on the affected device in the network, the threat actor performed extensive discovery to find potential desirable targets such as high-value assets and general domain information like Domain Administrator users and domain forest trust. Common native Windows tools and commands, such as systeminfo.exe, net.exe, nltest.exe, tasklist.exe, were leveraged in this phase. The threat actor also utilized open-source tools like ossec-win32 and OSQuery to query additional endpoint information. Additionally, in some of the attacks, we observed the threat actor running an obfuscated version of ADRecon.ps1 called obfs.ps1 or recon.ps1 for Active Directory reconnaissance.

Following initial access and reconnaissance, the threat actor deployed several remote monitoring and management tools (RMMs), such as Level.io, AnyDesk, and NinjaOne to interact with the compromised device and maintain persistence.

Credential access and lateral movement

The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods. The threat actor primarily utilized Impacket’s SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials. The threat actor used the compromised credentials to access more devices in the network and then leveraged Impacket again to collect additional credentials. The threat actor then repeated this process until they compromised a large set of credentials that potentially included multiple Domain Admin credentials.

In addition, the threat actor was observed attempting to gather secrets by reading sensitive files and in some cases gathering KeePass secrets from the compromised devices. The threat actor used EncryptedStore’s Find-KeePassConfig.ps1 PowerShell script to output the database location and keyfile/user master key information and launch the KeePass executable to gather the credentials. We assess with medium confidence that the threat actor also performed extensive brute force activity on a few occasions to gain additional credentials for specific accounts.

The threat actor was observed leveraging Cobalt Strike to move laterally across the network using the compromised credentials and using the tool’s command-and-control (C2) capabilities to directly communicate with the endpoints and send further commands. The common Cobalt Strike Beacon file types used in these campaigns were .dll files and .ocx files that were launched by rundll32.exe and regsvr32.exe respectively. Moreover, the “license_id” associated with this Cobalt Strike Beacon is “666”.  The “license_id” definition is commonly referred to as Watermark and is a nine-digit value that is unique per legitimate license provided by Cobalt Strike. In this case, the “license_id” was modified with 3-digit unique value in all the beacon configurations.

In cases we observed, the threat actor’s lateral movement across the campaign ended with a Domain Admin compromise and access to a Domain Controller that eventually enabled them to deploy ransomware across the devices in the network.

Data collection and exfiltration

The threat actor was observed exfiltrating sensitive data from compromised devices. To exfiltrate data, the threat actor used the open-source tool Rclone and renamed it to known Windows binary names or variations of them, such as svhost.exe or scvhost.exe as masquerading means. The threat actor employed the renamed Rclone binaries to transfer data to the cloud, using a dedicated configuration that synchronized files to public cloud storage services such as MegaSync across multiple threads. The following are command line examples used by the threat actor in demonstrating this behavior:

• Svhost.exe copy –filter-from [REDACTED] [REDACTED] config:[REDACTED] -q –ignore-existing –auto-confirm –multi-thread-streams 11 –transfers 11
• scvhost.exe –config C:WindowsDebuga.conf copy [REDACTED UNC PATH] [REDACTED]

Defense evasion

The threat actor attempted to evade detection by tampering with security products in some of the devices they got hands-on-keyboard access to. They employed an open-source tool, resorted to PowerShell cmdlets and existing binaries to evade detection, and in some cases, distributed Group Policy Object (GPO) policies to tamper with security products.

On-premises to cloud pivot

In their recent campaign, we noticed a shift in Storm-0501’s methods. The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor.

Storm-0501 was observed using the following attack vectors and pivot points on the on-premises side to gain subsequent control in Microsoft Entra ID:

Microsoft Entra Connect Sync account compromise

Microsoft Entra Connect, previously known as Azure AD Connect, is an on-premises Microsoft application that plays a critical role in synchronizing passwords and sensitive data between Active Directory (AD) objects and Microsoft Entra ID objects. Microsoft Entra Connect synchronizes the on-premises identity and Microsoft Entra identity of a user account to allow the user to sign in to both realms with the same password. To deploy Microsoft Entra Connect, the application must be installed on an on-premises server or an Azure VM. To decrease the attack surface, Microsoft recommends that organizations deploy Microsoft Entra Connect on a domain-joined server and restrict administrative access to domain administrators or other tightly controlled security groups. Microsoft Incident Response also published recommendations on preventing cloud identity compromise.

Microsoft Entra Connect Sync is a component of Microsoft Entra Connect that synchronizes identity data between on-premises environments and Microsoft Entra ID. During the Microsoft Entra Connect installation process, at least two new accounts (more accounts are created if there are multiple forests) responsible for the synchronization are created, one in the on-premises AD realm and the other in the Microsoft Entra ID tenant. These service accounts are responsible for the synchronization process.

The on-premises account name is prefixed with “MSOL_” and has permissions to replicate directory changes, modify passwords, modify users, modify groups, and more (see full permissions here).

The cloud Microsoft Entra ID account is prefixed with “sync_<Entra Connect server name>_” and has the account display name set to “On-Premises Directory Synchronization Service Account”. This user account is assigned with the Directory Synchronization Accounts role (see detailed permissions of this role here). Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync and helps prevent abuse.

The on-premises and cloud service accounts conduct the syncing operation every few minutes, similar to Password Hash Synchronization (PHS), to uphold real time user experience. Both user accounts mentioned above are crucial for the Microsoft Entra Connect Sync service operations and their credentials are saved encrypted via DPAPI (Data Protection API) on the server’s disk or a remote SQL server.

We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts. We assess that the threat actor was able to achieve this because of the previous malicious activities described in this blog post, such as using Impacket to steal credentials and DPAPI encryption keys, and tampering with security products.

Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear text credentials and get an access token to Microsoft Graph. The compromise of the Microsoft Entra Connect Sync account presents a high risk to the target, as it can allow the threat actor to set or change Microsoft Entra ID passwords of any hybrid account (on-premises account that is synced to Microsoft Entra ID).

Cloud session hijacking of on-premises user account

Another way to pivot from on-premises to Microsoft Entra ID is to gain control of an on-premises user account that has a respective user account in the cloud. In some of the Storm-0501 cases we investigated, at least one of the Domain Admin accounts that was compromised had a respective account in Microsoft Entra ID, with multifactor authentication (MFA) disabled, and assigned with a Global Administrator role. It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case. However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. web browsers passwords store), then the pivot is possible.

If a compromised on-premises user account is not assigned with an administrative role in Microsoft Entra ID and is synced to the cloud and no security boundaries such as MFA or Conditional Access are set, then the threat actor could escalate to the cloud through the following:

1. If the password is known, then logging in to Microsoft Entra is possible from any device.
2. If the password is unknown, the threat actor can reset the on-premises user password, and after a few minutes the new password will be synced to the cloud.
3. If they hold credentials of a compromised Microsoft Entra Directory Synchronization Account, they can set the cloud password using AADInternals’ Set-AADIntUserPassword cmdlet.

If MFA for that user account is enabled, then authentication with the user will require the threat actor to tamper with the MFA or gain control of a device owned by the user and subsequently hijack its cloud session or extract its Microsoft Entra access tokens along with their MFA claims.

MFA is a security practice that requires users to provide two or more verification factors to gain access to a resource and is a recommended security practice for all users, especially for privileged administrators. A lack of MFA or Conditional Access policies limiting the sign-in options opens a wide door of possibilities for the attacker to pivot to the cloud environment, especially if the user has administrative privileges. To increase the security of admin accounts, Microsoft is rolling out additional tenant-level security measures to require MFA for all Azure users.

Impact

Cloud compromise leading to backdoor

Following a successful pivot from the on-premises environment to the cloud through the compromised Microsoft Entra Connect Sync user account or the cloud admin account compromised through cloud session hijacking, the threat actor was able to connect to Microsoft Entra (portal/MS Graph) from any device, using a privileged Microsoft Entra ID account, such as a Global Administrator, and was no longer limited to the compromised devices.

Once Global Administrator access is available for Storm-0501, we observed them creating a persistent backdoor access for later use by creating a new federated domain in the tenant. This backdoor enables an attacker to sign in as any user of the Microsoft Entra ID tenant in hand if the Microsoft Entra ID user property ImmutableId is known or set by the attackers. For users that are configured to be synced by the Microsoft Entra Connect service, the ImmutableId property is automatically populated, while for users that are not synced the default value is null. However, users with administrative privileges can add an ImmutableId value, regardless.

The threat actor used the open-source tool AADInternals, and its Microsoft Entra ID capabilities to create the backdoor. AADInternals is a PowerShell module designed for security researchers and penetration testers that provides various methods for interacting and testing Microsoft Entra ID and is commonly used by Storm-0501. To create the backdoor, the threat actor first needed to have a domain of their own that is registered to Microsoft Entra ID. The attacker’s next step is to determine whether the target domain is managed or federated. A federated domain in Microsoft Entra ID is a domain that is configured to use federation technologies, such as Active Directory Federation Services (AD FS), to authenticate users. If the target domain is managed, then the attackers need to convert it to a federated one and provide a root certificate to sign future tokens upon user authentication and authorization processes. If the target domain is already federated, then the attackers need to add the root certificate as “NextSigningCertificate”.

Once a backdoor domain is available for use, the threat actor creates a federation trust between the compromised tenant, and their own tenant. The threat actor uses the AADInternals commands that enable the creation of Security Assertion Markup Language (SAML or SAML2) tokens, which can be used to impersonate any user in the organization and bypass MFA to sign in to any application. Microsoft observed the actor using the SAML token sign in to Office 365.

On-premises compromise leading to ransomware

Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization. We observed that the threat actor did not always resort to ransomware distribution, and in some cases only maintained backdoor access to the network.

Embargo ransomware is a new strain developed in Rust, known to use advanced encryption methods. Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom. Embargo affiliates employ double extortion tactics, where they first encrypt a victim’s files and threaten to leak stolen sensitive data unless a ransom is paid.

In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named “SysUpdate” that was registered via GPO on the devices in the network. The ransomware binaries names that were used were PostalScanImporter.exe and win.exe. Once the files on the target devices were encrypted, the encrypted files extension changed to .partial, .564ba1, and .embargo.

Mitigation and protection guidance

Microsoft recently implemented a change in Microsoft Entra ID that restricts permissions on the Directory Synchronization Accounts (DSA) role in Microsoft Entra Connect Sync and Microsoft Entra Cloud Sync as part of ongoing security hardening. This change helps prevent threat actors from abusing Directory Synchronization Accounts in attacks.

Customers may also refer to Microsoft’s human-operated ransomware overview for general hardening recommendations against ransomware attacks.

The other techniques used by threat actors and described in this blog can be mitigated by adopting the following security measures:

• Secure accounts with credential hygiene: practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID environments to slow and stop attackers.
• Enable Conditional Access policies – Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.
  • Set a Conditional Access policy to limit the access of Microsoft Entra ID sync accounts from untrusted IP addresses to all cloud apps. The Microsoft Entra ID sync account is identified by having the role ‘Directory Synchronization Accounts’. Please refer to the Advanced Hunting section and check the relevant query to get those IP addresses.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Follow Microsoft’s best practices for securing Active Directory Federation Services.  
• Refer to Azure Identity Management and access control security best practices for further steps and recommendations to manage, design, and secure your Azure AD environment can be found by referring.
• Ensure Microsoft Defender for Cloud Apps connectors are turned on for your organization to receive alerts on the Microsoft Entra ID sync account and all other users.
• Enable protection to prevent by-passing of cloud Microsoft Entra MFA when federated with Microsoft Entra ID.
• Set the validatingDomains property of federatedTokenValidationPolicy to “all” to block attempts to sign-in to any non-federated domain (like .onmicrosoft.com) with SAML tokens.
• Turn on Microsoft Entra ID protection to monitor identity-based risks and create risk-based conditional access policies to remediate risky sign-ins.
• Turn on tamper protection features to prevent attackers from stopping security services such as Microsoft Defender for Endpoint, which can help prevent hybrid cloud environment attacks such as Microsoft Entra Connect abuse.
• Refer to the recommendations in our attacker technique profile, including use of Windows Defender Application Control or AppLocker to create policies to block unapproved information technology (IT) management tools to protect against the abuse of legitimate remote management tools like AnyDesk or Level.io.
• Run endpoint detection and response (EDR) in block mode so that Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts detected post-breach.
• Turn on investigation and remediation in full automated mode to allow Defender for Endpoint to take immediate action on alerts to help remediate alerts, significantly reducing alert volume.

Detection details

Alerts with the following names can be in use when investigating the current campaign of Storm-0501.

Microsoft Defender XDR detections

Microsoft Defender Antivirus 

Microsoft Defender Antivirus detects the Cobalt Strike Beacon as the following:

• Behavior:Win32/CobaltStrike
• Backdoor:Win64/CobaltStrike
• HackTool:Win64/CobaltStrike

Additional Cobalt Strike components are detected as the following:

• TrojanDropper:PowerShell/Cobacis
• Trojan:Win64/TurtleLoader.CS
• Exploit:Win32/ShellCode.BN

Microsoft Defender Antivirus detects tools that enable Microsoft Entra ID enumeration as the following malware: 

• Backdoor:Win32/SuspAadInternalsUsage

Embargo Ransomware threat components are detected as the following:

• Ransom:Win32/Embargo

Microsoft Defender for Endpoint 

Alerts with the following titles in the security center can indicate threat activity related to Storm-0501 on your network:

• Ransomware-linked Storm-0501 threat actor detected

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report. 

• Possible Adobe ColdFusion vulnerability exploitation
• Compromised account conducting hands-on-keyboard attack
• Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
• Ongoing hands-on-keyboard attack via Impacket toolkit
• Suspicious Microsoft Defender Antivirus exclusion
• Attempt to turn off Microsoft Defender Antivirus protection
• Renaming of legitimate tools for possible data exfiltration
• BlackCat ransomware
• ‘Embargo’ ransomware was detected and was active
• Suspicious Group Policy action detected
• An active ‘Embargo’ ransomware was detected

The following alerts might indicate on-premises to cloud pivot through Microsoft Entra Connect:

• Entra Connect Sync credentials extraction attempt
• Suspicious cmdlets launch using AADInternals
• Potential Entra Connect Tampering
• Indication of local security authority secrets theft

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate activity related to this threat:

• Data exfiltration over SMB
• Suspected DCSync attack

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps can detect abuse of permissions in Microsoft Entra ID and other cloud apps. Activities related to the Storm-0501 campaign described in this blog are detected as the following:

• Backdoor creation using AADInternals tool
• Compromised Microsoft Entra ID Cloud Sync account
• Suspicious sign-in to Microsoft Entra Connect Sync account
• Entra Connect Sync account suspicious activity following a suspicious login
• AADInternals tool used by a Microsoft Entra Sync account
• Suspicious login from AADInternals tool

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

• CVE-2022-47966

Threat intelligence reports 

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments: 

• Storm-0501

Advanced hunting 

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Microsoft Entra Connect Sync account exploration

Explore sign-in activity from IdentityLogonEvents, look for uncommon behavior, such as sign-ins from newly seen IP addresses or sign-ins to new applications that are non-sync related.

IdentityLogonEvents
| where Timestamp > ago(30d)
| where AccountDisplayName contains "On-Premises Directory Synchronization Service Account"
| extend ApplicationName = tostring(RawEventData.ApplicationName)
| project-reorder Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType, ApplicationName, OSPlatform, DeviceType

Usually, the activity of the sync account is repetitive, coming from the same IP address to the same application, any deviation from the natural flow is worth investigating. Cloud applications that normally accessed by the Microsoft Entra ID sync account are “Microsoft Azure Active Directory Connect”, “Windows Azure Active Directory”, “Microsoft Online Syndication Partner Portal”

Explore the cloud activity (a.k.a ActionType) of the sync account, same as above, this account by nature performs a certain set of actions including ‘update User.’, ‘update Device.’ and so on. New and uncommon activity from this user might indicate an interactive use of the account, even though it could have been from someone inside the organization it could also be the threat actor.

CloudAppEvents
| where Timestamp > ago(30d)
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| extend Workload = RawEventData.Workload
| project-reorder Timestamp, IPAddress, AccountObjectId, ActionType, Application, Workload, DeviceType, OSPlatform, UserAgent, ISP

Pay close attention to action from different DeviceTypes or OSPlatforms, this account automated service is performed from one specific machine, so there shouldn’t be any variety in these fields.

Check which IP addresses Microsoft Entra Connect Sync account uses

This query reveals all IP addresses that the default Microsoft Entra Connect Sync account uses so those could be added as trusted IP addresses for the Entra ID sync account (make sure the account is not compromised before relying on this list)

IdentityLogonEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| where ActionType == "LogonSuccess"
| distinct IPAddress
| union (CloudAppEvents
| where AccountDisplayName has "On-Premises Directory Synchronization Service Account"
| distinct IPAddress)
| distinct IPAddress

Federation and authentication domain changes

Explore the addition of a new authentication or federation domain, validate that the new domain is valid one and was purposefully added

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType in ("Set domain authentication.", "Set federation settings on domain.")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Assess your environment for Manage Engine, Netscaler, and ColdFusion vulnerabilities.

DeviceTvmSoftwareVulnerabilities  
| where CveId in ("CVE-2022-47966","CVE-2023-4966","CVE-2023-29300","CVE-2023-38203")   
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Search for file IOC

let selectedTimestamp = datetime(2024-09-17T00:00:00.0000000Z);
let fileName = dynamic(["PostalScanImporter.exe","win.exe","name.dll","248.dll","cs240.dll","fel.ocx","theme.ocx","hana.ocx","obfs.ps1","recon.ps1"]); 
let FileSHA256 = dynamic(["efb2f6452d7b0a63f6f2f4d8db49433259249df598391dd79f64df1ee3880a8d","a9aeb861817f3e4e74134622cbe298909e28d0fcc1e72f179a32adc637293a40","caa21a8f13a0b77ff5808ad7725ff3af9b74ce5b67426c84538b8fa43820a031","53e2dec3e16a0ff000a8c8c279eeeca8b4437edb8ec8462bfbd9f64ded8072d9","827f7178802b2e92988d7cff349648f334bc86317b0b628f4bb9264285fccf5f","ee80f3e3ad43a283cbc83992e235e4c1b03ff3437c880be02ab1d15d92a8348a","de09ec092b11a1396613846f6b082e1e1ee16ea270c895ec6e4f553a13716304","d065623a7d943c6e5a20ca9667aa3c41e639e153600e26ca0af5d7c643384670","c08dd490860b54ae20fa9090274da9ffa1ba163f00d1e462e913cf8c68c11ac1"]); 
search in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents, DeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAttachmentInfo,OfficeActivity,SecurityEvent,ThreatIntelligenceIndicator) TimeGenerated between ((selectedTimestamp - 1m) .. (selectedTimestamp + 90d)) // from September 17th runs the search for 90 days, change the selectedTimestamp accordingly. and  (FileName in (fileName) or OldFileName in (fileName)  or ProfileName in (fileName)  or InitiatingProcessFileName in (fileName)  or InitiatingProcessParentFileName in (fileName)  or InitiatingProcessVersionInfoInternalFileName in (fileName)  or InitiatingProcessVersionInfoOriginalFileName in (fileName)  or PreviousFileName in (fileName)  or ProcessVersionInfoInternalFileName in (fileName) or ProcessVersionInfoOriginalFileName in (fileName) or DestinationFileName in (fileName) or SourceFileName in (fileName)or ServiceFileName in (fileName) or SHA256 in (FileSHA256)  or InitiatingProcessSHA256 in (FileSHA256))

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog, in addition to Microsoft Defender XDR detections list above.

• Remote Management Monitoring Network Connections
• Level.io RMM File Signature
• AnyDesk RMM File Signature
• NinjaOne RMM File Signature
• Potential Impacket Execution
• Potential ransomware activity related to Cobalt Strike
• Cobalt DNS Beacon
• C2-NamedPipe
• Renamed Rclone Exfiltration
• Disable Or Modify Windows Defender
• Clearing of forensic evidence from event logs using wevtutil
• Suspicious Signin By AAD Connect Account

Indicators of compromise (IOCs)

The following list provides indicators of compromise (IOCs) observed during our investigation. We encourage our customers to investigate these indicators within their environments and implement detections and protections to identify any past related activity and prevent future attacks against their systems.

References

• The Rust Revolution: New Embargo Ransomware Steps In – Cyble
• Embargo Ransomware Group: The Interview (suspectfile.com)
• https://aadinternals.com/post/aadbackdoor/
• https://aadinternals.com/post/aad-deepdive/

Omri Refaeli, Tafat Gaspar, Vaibhav Deshmukh, Naya Hashem, Charles-Edouard Bettan

Microsoft Threat Intelligence Community

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Storm-0501: Ransomware attacks expanding to hybrid cloud environments appeared first on Microsoft Security Blog.

The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Microsoft disclosed the findings to VMware through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR), and VMWare released a security update. Microsoft recommends ESXi server administrators to apply the updates released by VMware to protect their servers from related attacks, and to follow the mitigation and protection guidance we provide in this blog post. We thank VMWare for their collaboration in addressing this issue.

This blog post presents analysis of the CVE-2024-37085, as well as details of an attack that was observed by Microsoft to exploit the vulnerability. We’re sharing this research to emphasize the importance of collaboration among researchers, vendors, and the security community to continuously advance defenses for the larger ecosystem. As part of Microsoft’s commitment to improve security for all, we will continue to share intelligence and work with the security community to help protect users and organizations across platforms.

CVE-2024-37085 vulnerability analysis

Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks. In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. The technique includes running the following commands, which results in the creation of a group named “ESX Admins” in the domain and adding a user to it:

net group “ESX Admins” /domain /add

net group “ESX Admins” username /domain /add

While investigating the attacks and the described behavior, Microsoft researchers discovered that the threat actors’ purpose for using this command was to utilize a vulnerability in domain-joined ESXi hypervisors that allows the threat actor to elevate their privileges to full administrative access on the ESXi hypervisor. This finding was reported as part of a vulnerability disclosure to VMware earlier this year.

Further analysis of the vulnerability revealed that VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named “ESX Admins” to have full administrative access by default. This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist. Additionally, the membership in the group is determined by name and not by security identifier (SID).

Microsoft researchers identified three methods for exploiting this vulnerability:

1. Adding the “ESX Admins” group to the domain and adding a user to it – This method is actively exploited in the wild by the abovementioned threat actors. In this method, if the “ESX Admins” group doesn’t exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users in their control, to the group.
2. Renaming any group in the domain to “ESX Admins” and adding a user to the group or use an existing group member – This method is similar to the first, but in this case the threat actor needs a user that has the capability to rename some arbitrary groups and rename one of them to “ESX Admins”. The threat actor can then add a user or use a user that already exists in the group, to escalate privileges to full administrative access. This method was not observed in the wild by Microsoft.
3. ESXi hypervisor privileges refresh – Even if the network administrator assigns any other group in the domain to be the management group for the ESXi hypervisor, the full administrative privileges to members of the “ESX Admins” group are not immediately removed and threat actors still could abuse it. This method was not observed in the wild by Microsoft.

Successful exploitation leads to full administrative access to the ESXi hypervisors, allowing threat actors to encrypt the file system of the hypervisor, which could affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.

Ransomware operators targeting ESXi hypervisors

Over the last year, we have seen ransomware actors targeting ESXi hypervisors to facilitate mass encryption impact in few clicks, demonstrating that ransomware operators are constantly innovating their attack techniques to increase impact on the organizations they target.

ESXi is a popular product in many corporate networks, and in recent years, we have observed ESXi hypervisors become a favored target for threat actors. These hypervisors could be convenient targets if ransomware operators want to stay under the SOC’s radar because of the following factors:

1. Many security products have limited visibility and protection for an ESXi hypervisor.
2. Encrypting an ESXi hypervisor file system allows one-click mass encryption, as hosted VMs are impacted. This could provide ransomware operators with more time and complexity in lateral movement and credential theft on each device they access.

Therefore, many ransomware threat actors like Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest, and others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper (Figure 1). The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years.

Storm-0506 Black Basta ransomware deployment

Earlier this year, an engineering firm in North America was affected by a Black Basta ransomware deployment by Storm-0506. During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization.

The threat actor gained initial access to the organization via Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices. The threat actor then used Cobalt Strike and Pypykatz (a Python version of Mimikatz) to steal the credentials of two domain administrators and to move laterally to four domain controllers.

On the compromised domain controllers, the threat actor installed persistence mechanisms using custom tools and a SystemBC implant. The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC. The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection.

Microsoft observed that the threat actor created the “ESX Admins” group in the domain and added a new user account to it, following these actions, Microsoft observed that this attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor.   The actor was also observed to use PsExec to encrypt devices that are not hosted on the ESXi hypervisor. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint were able to stop these encryption attempts in devices that had the unified agent for Defender for Endpoint installed.

Mitigation and protection guidance

Microsoft recommends organizations that use domain-joined ESXi hypervisors to apply the security update released by VMware to address CVE-2024-37085. The following guidelines will also help organizations protect their network from attacks:

• Install software updates – Make sure to install the latest security updates released by VMware on all domain-joined ESXi hypervisors. If installing software updates is not possible, you can use the following recommendations to reduce the risk:
  • Validate the group “ESX Admins” exists in the domain and is hardened.
  • Manually deny access by this group by changing settings in the ESXi hypervisor itself. If full admin access for the Active Directory ESX admins group is not desired, you can disable this behavior using the advanced host setting: ‘Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd’.
  • Change the admin group to a different group in the ESXi hypervisor.
  • Add custom detections in XDR/SIEM for the new group name.  
  • Configure sending ESXi logs to a SIEM system and monitor suspicious full administrative access.
• Credential hygiene – To utilize the different vulnerability methods, threat actors require control of a highly privileged user in the organization. Therefore, our recommendation is making sure to protect your highly privileged accounts in the organization, especially those that can manage other domain groups:
  • Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, always.
  • Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
  • Isolate privileged accounts from productivity accounts to protect administrative access to the environment. Refer to this article to understand best practices.
• Improve critical assets posture – Identify your critical assets in the network, such as  ESXi hypervisors and vCenters (a centralized platform for controlling VMware vSphere environments), and make sure to get them protected with latest security updates, proper monitoring procedures and backup and recovery plans. More information can be found in this article.
• Identify vulnerable assets – Use Microsoft Defender Vulnerability Management to reduce risk with continuous vulnerability assessment of ESXi hypervisor out of the box.

Microsoft Defender XDR detections

Microsoft Defender for Endpoint             

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Suspicious modifications to ESX Admins group

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• New group added suspiciously
• Suspicious Windows account manipulation
• Compromised account conducting hands-on-keyboard attack

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate associated threat activity:

• Suspicious creation of ESX group

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments:

• Storm-0506
• Storm-1175
• Octo Tempest 
• Manatee Tempest
• Akira
• Black Basta

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following queries to find related activity in their networks

This query identifies ESXi hypervisors in the organization:

DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId

This query identifies ESX Admins group changes in the Active directory:

IdentityDirectoryEvents
| where Timestamp >= ago(30d)
| where AdditionalFields has ('esx admins')

The following queries are for assessing the already discovered ESXi with the Microsoft Defender Vulnerability Management information:

DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (DeviceTvmSoftwareVulnerabilities) on DeviceId
DeviceInfo
| where OSDistribution =~ "ESXi"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner (DeviceTvmSecureConfigurationAssessment) on DeviceId

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of hunting queries available in Sentinel GitHub repo or as part of Sentinel solutions that customers can use to detect the activity detailed in this blog in addition to Microsoft Defender detections. These hunting queries include the following:

Qakbot:

• Qakbot hunting queries

Cobalt Strike:

• Cobalt Strike DNS Beaconing
• Potential ransomware activity related to Cobalt Strike
• Suspicious named pipes
• Cobalt Strike Invocation using WMI

References

• https://knowledge.broadcom.com/external/article?legacyId=1025569
• https://core.vmware.com/vmware-vsphere-8-security-configuration-guide
• https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html
• https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html
• https://www.sygnia.co/blog/esxi-ransomware-attacks/?blaid=6088911https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/
• https://www.darkreading.com/cloud-security/agenda-ransomware-vmware-esxi-servers
• https://blog.checkpoint.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/amp/
• https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/amp/

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption appeared first on Microsoft Security Blog.

Our experience and insights from real-world incidents tell us that the swift containment of compromised user accounts is key to disrupting hands-on-keyboard attacks, especially those that involve human-operated ransomware. In these attacks, lateral movement follows initial access as the next critical stage for attackers to advance their objective of targeting valuable assets and sensitive data. Successful lateral movement depends on attackers’ ability to compromise user accounts and elevate permissions: our observations of attacks show that all human-operated ransomware attacks where ransomware deployment was successful involve attackers gaining access to a domain admin-level account or local administrator passwords.

Attackers compromise user accounts through numerous and diverse means, including techniques like credential dumping, keylogging, and brute-forcing. Poor credential hygiene could very quickly lead to the compromise of domain admin-level accounts, which could allow attackers to access domain resources and devices, and completely take over the network. Based on incidents analyzed by Microsoft, it can take only a single hop from the attacker’s initial access vector to compromise domain admin-level accounts. For instance, an attacker can target an over-privileged service account configured in an outdated and vulnerable internet-facing server.

Highly privileged user accounts are arguably the most important assets for attackers. Compromised domain admin-level accounts in environments that use traditional solutions provide attackers with access to Active Directory and could subvert traditional security mechanisms. In addition to compromising existing accounts, attackers have adopted the creation of additional dormant, highly privileged user accounts as persistence mechanisms.

Identifying and containing these compromised user accounts, therefore, prevents attacks from progressing, even if attackers gain initial access. This is why, as announced today, we added user containment to the automatic attack disruption capability in Microsoft Defender for Endpoint, a unique and innovative defense mechanism that stops human-operated attacks in their tracks. User containment prevents a compromised user account from accessing endpoints and other resources in the network, limiting attackers’ ability to move laterally regardless of the account’s Active Directory state or privilege level. It is automatically triggered by high-fidelity signals indicating that a compromised user account is being used in an ongoing attack. With user containment, even compromised domain admin accounts cannot help attackers access other devices in the network.

In this blog we will share our analysis of real-world incidents and demonstrate how automatic attack disruption protected our customers by containing compromised user accounts. We then explain how this capability fits in our automatic attack disruption strategy and how it works under the hood.

User containment stops Storm-1567 attack, prevents Akira ransomware encryption

In early June 2023, an industrial engineering organization was the target of a human-operated attack by an Akira ransomware operator tracked by Microsoft as Storm-1567. Akira is a ransomware strain first observed by Microsoft in March 2023 and has features common to other ransomware payloads like the use of ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). Microsoft assesses that Akira is most likely a closed ransomware offering and not openly marketed as ransomware as a service.

In this attack, the threat actor leveraged devices that were not onboarded to Microsoft Defender for Endpoint for most of the attack stages, a defense evasion tactic we’ve seen in other attacks. While visibility by our endpoint solution could have blocked the attack earlier in the attack chain and helped to protect the organization’s devices much sooner, Defender for Endpoint nonetheless successfully prevented the ransomware stage, protecting all onboarded devices in the organization from getting encrypted.

Based on our analysis, after gaining access to the network, the threat actor started preparing to encrypt devices by scanning, attempting to tamper with security products, conducting lateral movement using Remote Desktop Protocol (RDP), and other anomalous activities. It should be noted that the activities were conducted on a Sunday evening, a time when SOC teams might be at a limited capacity. Most of these activities were done on Windows Server devices, including SQL Servers onboarded to Microsoft Defender for Endpoint. These activities were highly anomalous compared to routine activity in the customer’s network and therefore triggered multiple alerts.

Microsoft Defender for Endpoint’s next-generation protection capabilities detected and prevented several attacker activities, prompting the attackers to try tampering with the security product. However, tamper protection was enabled in the environment, so these attempts were not successful. Meanwhile, Microsoft 365 Defender correlated signals from multiple Defender products, identified the malicious activity, and incriminated – that is, determined as malicious with high confidence – the associated compromised assets, including a user account the attackers used.

Approximately half an hour after activity began, attackers leveraged the compromised user account and attempted to encrypt devices remotely via Server Message Block (SMB) protocol from a device not onboarded to Microsoft Defender for Endpoint. Because of the earlier incrimination, the compromised user account was contained, and the devices onboarded to Defender for Endpoint were protected from encryption attempts.

Later the same day, the attackers repeated the same malicious sequences by pivoting to other compromised user accounts, attempting to bypass attack disruption protection. Defender for Endpoint was again able to protect onboarded devices from encryption over the network. In this incident, automatic attack disruption’s ability to contain additional compromised user accounts demonstrated unique and innovative impact for endpoint and identity security, helping to protect all devices onboarded to Defender for Endpoint from the attack.    

User containment stops lateral movement in human-operated campaign

In early August 2023, Microsoft Defender for Endpoint automatically disrupted a human-operated attack early in the attack chain by containing the compromised user account prior to any impact, saving a medical research lab from what could have been a large-scale attack. The first indication of the attack was observed at roughly 4:00 AM local time on a Friday, when attackers, operating from a device not onboarded to Defender for Endpoint, initiated a remote password reset for the default domain administrator account. This account wasn’t active on any device onboarded to Microsoft Defender for Endpoint in the months prior to the intrusion. We infer that the account credentials were likely expired, and that the attackers found the stale password hashes belonging to the account by using commodity credential theft tools like Mimikatz on a device not-onboarded to Microsoft Defender for Endpoint. Expired credentials, while often not seen as a security risk, could still be abused and could allow attackers to update an account’s password.

Minutes after the administrator account password was reset, the attackers started scanning the network for accessible shares and enumerated other account and domain configurations using SMB-accessible services. This scan and all subsequent malicious activities originated from the same non-onboarded device and compromised administrator account.

Parallel to the network scan, the threat actor initiated an RDP session to a SQL Server, attempting to tamper with security products on the server and running a variety of credential theft and domain discovery tools.

At this point, the compromised administrator account was incriminated based on cumulative signals from the Defender for Endpoint-onboarded SQL server and the account’s anomalous activity. Automatic attack disruption was triggered and the compromised account was contained. All devices in the organization that supported the user containment feature immediately blocked SMB access from the compromised user account, stopping the discovery operations and preventing the possibility of subsequent lateral movement.

Following the initial containment of the attack through automatic attack disruption, the SOC was then able to take additional critical remediation actions to expand the scope of the disruption and evict the attackers from the network. This included terminating the attackers’ sessions on two compromised servers and disabling the compromised domain administrator account at the Active Directory-level.

While user containment is automatic for devices onboarded to Defender for Endpoint, this incident demonstrates the importance of active engagement of the SOC team after the automatic attack disruption action to fully evict the attackers from the environment. It also shows that onboarding devices to Microsoft Defender for Endpoint improves the overall capability to detect and disrupt attacks within the network sooner, before high-privileged user accounts are compromised.

In addition, as of September 2023, user containment also supports terminating active RDP sessions, in addition of blocking new attempted connections, a critical first step in evicting attackers from the network. Disabling compromised user accounts at the Active Directory-level is already supported by automatic attack disruption through integration with Defender for Identity. In this particular incident, the customer was not using Defender for Identity, but this case highlights the stronger defenses as a result of cross-domain visibility.

Protecting against compromised user accounts through automatic containment

As demonstrated by the incidents we described above, unlike commodity malware infection, human-operated attacks are driven by humans with hands-on-keyboard access to the network who make decisions at every stage of their attack. Attack patterns vary depending on what attackers find in the target network. Protecting against such highly skilled, profit-driven, and determined adversaries is not trivial. These attackers leverage key principles of on-premises Active Directory environments, which provide an active domain administrator account unlimited access to domain resources. Once attackers obtain accounts with sufficient privileges, they can conduct malicious activities like lateral movement or data access using legitimate administrative tools and protocols.

At Microsoft, we understand that to better defend our customers against such highly motivated attackers, a multi-layer defense approach must be used for an optimal security protection solution across endpoints and identities. More importantly, this solution should prioritize organization-wide protection, rather than protecting only a single endpoint. Motivated attackers search for security weaknesses and prioritize compromising unprotected devices. As a result, assuming that initial attack stages have occurred, with potentially at least a few compromised user accounts, is critical for developing security defenses for later attack stages. Using key assumptions and principles of on-premises Active Directory environments, a security-first mindset means limiting the access of even the most privileged user accounts to mitigate security risks.

The automatic attack disruption capability contains user accounts by creating a boundary between healthy onboarded devices and compromised user accounts and devices. It works in a decentralized nature: a containment policy distributed to all onboarded devices across the organization enables each Microsoft Defender for Endpoint client to protect the device against any compromised account, even an account belonging to the Domain Admins group.

This decentralized approach avoids some of the pitfalls of centralized manual or automatic controls, such as disabling an account in Active Directory, which possesses a single point of failure as it can be overridden by the attacker who may already have compromised domain controllers. The virtual security boundary set to contain the user is implemented by controls that were tailored to disrupt attacker activity during various attack stages, including lateral movement, credential theft, and impact such as remote encryption or deployment of ransomware payload. The actual set of controls triggered to contain a user might vary depending on the attack scenario and stage, and includes:

1. Sign-in restriction: This is the most aggressive control in containing a user account. When this control is triggered, devices will deny all or some types of sign-ins by a compromised account. This control takes effect immediately and is effective regardless of the account’s state (i.e., active or disabled) in the authority it belongs to. This control can block most attacker capabilities, but in cases where an attacker had already authenticated to device before a compromise was identified, the other controls might still be required to block the attack.
2. Intercepting SMB activity: Attack disruption can contain a user by denying inbound file system access from a remote origin, limiting the attacker’s ability to remotely steal or destroy valuable data. Notably, this control can prevent or limit ransomware encryption over SMB. It can also block lateral movement methods that include a payload being created on a remote device, including PsExec and similar tools.
3. Filtering RPC activity: Attack disruption can selectively restrict compromised users’ access to remote procedure call (RPC) interfaces that attackers often leverage during attacks. Attackers abuse RPC-based protocols for a variety of goals such credential theft (DCsync and DPAPI), privilege escalation (“PetitPotam”, Print Spooler), discovery (server & workstation services), and lateral movement (remote WMI, scheduled tasks, and services). Blocking such activities can contain an attack before the attacker gains a strong foothold in the network or can deny the ability to capitalize on such a foothold during the impact stage.
4. Disconnecting or terminating active sessions: In case a compromised account had already gained a foothold on the device, when attack disruption is triggered, it can disconnect or terminate sessions previously initiated by the account. This control differs from the others in this list as it’s effective against already compromised devices, protecting against any additional malicious activity by the attacker. Once a session is terminated, attackers are locked out of the device by the sign-in restriction control. This is specifically critical in stopping attacks earlier in the attack chain, disrupting and containing attacks before reaching impact stage.

The user containment capability is part of the existing protections provided by solutions within Microsoft 365 Defender. As we described in this blog, this capability correlates high-fidelity signals from multiple Defender products to incriminate malicious entities with high confidence and then immediately contain them to automatically disrupt ongoing attacks, including the pre-ransomware and encryption stages in human-operated attacks.

To benefit from this capability, organizations need only to onboard devices to Microsoft Defender for Endpoint. As more devices are onboarded, the scope of disruption is larger and the level of protection is higher. And as more Defender products are used in the organization, the visibility is wider and the effectiveness of the solution is greater. This also lowers the risk of attackers taking advantage of unprotected devices as launch pads for attacks.

Automatic attack disruption represents an innovative solution designed to increase defenses against the increasingly more sophisticated threat of hands-on-keyboard attacks, especially human-operated ransomware. This capability is informed by threat intelligence and insights from investigations and analysis of threats and actors in the cybercrime economy, and reflects our commitment to provide industry-best protections for our customers.

Edan Zwick, Amir Kutcher, Charles-Edouard Bettan, Yair Tsarfaty, Noam Hadash

Further reading

Learn how Microsoft Defender for Endpoint stops human-operated attacks.

For more information, read our documentation on the automatic attack disruption capability.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us at https://twitter.com/MsftSecIntel.

The post Automatic disruption of human-operated attacks through containment of compromised user accounts appeared first on Microsoft Security Blog.

Storm-0324 (DEV-0324), which overlaps with threat groups tracked by other researchers as TA543 and Sagrid, acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors.  Storm-0324’s tactics focus on highly evasive infection chains with payment and invoice lures. The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest (ELBRUS, Carbon Spider, FIN7). Previous distribution activity associated with Storm-0324 included the Gozi infostealer and the Nymaim downloader and locker.

In this blog, we provide a comprehensive analysis of Storm-0324 activity, covering their established tools, tactics, and procedures (TTPs) as observed in past campaigns as well as their more recent attacks. To defend against this threat actor, Microsoft customers can use Microsoft 365 Defender to detect Storm-0324 activity and significantly limit the impact of these attacks on networks. Additionally, by using the principle of least privilege, building credential hygiene, and following the other recommendations we provide in this blog, administrators can limit the destructive impact of ransomware even if the attackers can gain initial access.

Historical malware distribution activity

Storm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads. The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic. This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.

Storm-0324’s email themes typically reference invoices and payments, mimicking services such as DocuSign, Quickbooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload. Storm-0324 has used many file formats to launch the malicious JavaScript including Microsoft Office documents, Windows Script File (WSF), and VBScript, among others.

Storm-0324 has distributed a range of first-stage payloads since at least 2016, including:

• Nymaim, a first-stage downloader and locker
• Gozi version 3, an infostealer
• Trickbot, a modular malware platform
• Gootkit, a banking trojan
• Dridex, a banking trojan
• Sage ransomware
• GandCrab ransomware
• IcedID, a modular information-stealing malware

Since 2019, however, Storm-0324 has primarily distributed JSSLoader, handing off access to ransomware actor Sangria Tempest.

Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain

Since as early as 2019, Storm-0324 has handed off access to the cybercrime group Sangria Tempest after delivering the group’s first-stage malware payload, JSSLoader. Storm-0324’s delivery chain begins with phishing emails referencing invoices or payments and containing a link to a SharePoint site that hosts a ZIP archive. Microsoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services.

The ZIP archive contains a file with embedded JavaScript code. Storm-0324 has used a variety of files to host the JavaScript code, including WSF and Ekipa publisher files exploiting the CVE-2023-21715 local security feature bypass vulnerability.

When the JavaScript launches, it drops a JSSLoader variant DLL. The JSSLoader malware is then followed by additional Sangria Tempest tooling.

In some cases, Storm-0324 uses protected documents for additional social engineering. By adding the security code or password in the initial communications to the user, the lure document may acquire an additional level of believability for the user. The password also serves as an effective anti-analysis measure because it requires user interaction after launch.

New Teams-based phishing activity

In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher. TeamsPhisher is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. These Teams-based phishing lures by threat actors are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization.

Microsoft takes these phishing campaigns very seriously and has rolled out several improvements to better defend against these threats. In accordance with Microsoft policies, we have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. We have also rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders . We rolled out new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant.  In addition to these specific enhancements, our development teams will continue to introduce additional preventative and detective measures to further protect customers from phishing attacks.

Recommendations

To harden networks against Storm-0324 attacks, defenders are advised to implement the following:

• Pilot and start deploying phishing-resistant authentication methods for users.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Apply security best practices for Microsoft Teams. Refer to the security guide for Microsoft Teams.
  • Understand and select the best access settings for external collaboration for your organization.
  • Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
• Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
• Allow only known devices that adhere to Microsoft’s recommended security baselines.
• Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
  • Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
  • Educate Microsoft Teams users about accepting or blocking people outside the organization who send messages in Microsoft Teams.
• Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
• Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
• Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
• Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
• Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
• Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• For additional recommendations on hardening your organization against ransomware attacks, refer to our threat overview on human-operated ransomware.

Microsoft customers can turn on attack surface reduction rules to prevent common attack techniques:

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block JavaScript or VBScript from launching downloaded executable content
• Use advanced protection against ransomware

Detection details

Microsoft 365 Defender

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• TrojanSpy:MSIL/JSSLoader
• Trojan:Win32/Gootkit
• Trojan:Win32/IcedId
• Trojan:Win64/IcedId
• Trojan:Win32/Trickbot

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

• Ransomware-linked Storm-0324 threat activity group detected

Hunting queries

Microsoft 365 Defender

Possible TeamsPhisher downloads The following query looks for downloaded files that were potentially facilitated by use of the TeamsPhisher tool. Defenders should customize the SharePoint domain name (‘mysharepointname’) in the query.

let allowedSharepointDomain = pack_array(
'mysharepointname' //customize Sharepoint domain name and add more domains as needed for your query
);
//
let executable = pack_array(
'exe',
'dll',
'xll',
'msi',
'application'
);
let script = pack_array(
'ps1',
'py',
'vbs',
'bat'
);
let compressed = pack_array(
'rar',
'7z',
'zip',
'tar',
'gz'
);
//
let startTime = ago(1d);
let endTime = now();
DeviceFileEvents
| where Timestamp between (startTime..endTime)
| where ActionType =~ 'FileCreated'
| where InitiatingProcessFileName has 'teams.exe'
    or InitiatingProcessParentFileName has 'teams.exe'
| where InitiatingProcessFileName !has 'update.exe'
    and InitiatingProcessParentFileName !has 'update.exe'
| where FileOriginUrl has 'sharepoint'
    and FileOriginReferrerUrl has_any ('sharepoint', 'teams.microsoft')
| extend fileExt = tolower(tostring(split(FileName,'.')[-1]))
| where fileExt in (executable)
    or fileExt in (script)
    or fileExt in (compressed)
| extend fileGroup = iff( fileExt in (executable),'executable','')
| extend fileGroup = iff( fileExt in (script),'script',fileGroup)
| extend fileGroup = iff( fileExt in (compressed),'compressed',fileGroup)
//
| extend sharePoint_domain = tostring(split(FileOriginUrl,'/')[2])
| where not (sharePoint_domain has_any (allowedSharepointDomain))
| project-reorder Timestamp, DeviceId, DeviceName, sharePoint_domain, FileName, FolderPath, SHA256, FileOriginUrl, FileOriginReferrerUrl

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

• Suspicious Javascript
• Javascript file creation
• Ransomware Triggered
• Signs of Ransomware Activity
• Suspicious Image Load

References

• Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself
• JSSLoader: Recoded and Reloaded (Proofpoint)

Further reading

Microsoft customers can refer to the report on this activity in Microsoft Defender Threat Intelligence and Microsoft 365 Defender for detections, assessment of impact, mitigation and recovery actions, and hunting guidance.

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Malware distributor Storm-0324 facilitates ransomware access appeared first on Microsoft Security Blog.