CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, impacting versions of Chromium prior to 128.0.6613.84. Exploiting the vulnerability could allow threat actors to gain RCE in the sandboxed Chromium renderer process. Google released a fix for the vulnerability on August 21, 2024, and users should ensure they are using the latest version of Chromium. We would like to thank the Chromium team for their collaboration in addressing this issue. CVE-2024-7971 is the third exploited V8 type confusion vulnerability that has been patched in V8 this year, after CVE-2024-4947 and CVE-2024-5274. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information to help secure their environments.

In this blog, we share details on the North Korean threat actor Citrine Sleet and the observed tactics, techniques, and procedures (TTPs) used to exploit CVE-2024-7971, deploy the FudModule rootkit, and compromise systems. We further provide recommended mitigations, detection details, hunting guidance, and indicators of compromise (IOCs) to help defenders identify, respond to, and improve defenses against these attacks.

Who is Citrine Sleet?

The threat actor that Microsoft tracks as Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain. As part of its social engineering tactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with it. The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications. Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets. The FudModule rootkit described in this blog has now been tied to Citrine Sleet as shared tooling with Diamond Sleet.

The United States government has assessed that North Korean actors, like Citrine Sleet, will likely continue targeting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime. One of the organizations targeted by the CVE-2024-7971 exploitation was also previously targeted by Sapphire Sleet.

Citrine Sleet is tracked by other security companies as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, and has been attributed to Bureau 121 of North Korea’s Reconnaissance General Bureau.

Exploiting CVE-2024-7971

The observed zero-day exploit attack by Citrine Sleet used the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space. While we cannot confirm at this time how the targets were directed, social engineering is a common tactic used by Citrine Sleet. Once a target connected to the domain, the zero-day RCE exploit for CVE-2024-7971 was served.

After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory. The sandbox escape exploited CVE-2024-38106, a vulnerability in the Windows kernel that Microsoft fixed on August 13, 2024, before Microsoft discovered this North Korean threat actor activity. CVE-2024-38106 was reported to Microsoft Security Response Center (MSRC) as being exploited; however, our investigations so far have not suggested any link between the reported CVE-2024-38106 exploit activity and this Citrine Sleet exploit activity, beyond exploiting the same vulnerability. This may suggest a “bug collision,” where the same vulnerability is independently discovered by separate threat actors, or knowledge of the vulnerability was shared by one vulnerability researcher to multiple actors.

Once the sandbox escape exploit was successful, the main FudModule rootkit ran in memory. This rootkit employs direct kernel object manipulation (DKOM) techniques to disrupt kernel security mechanisms, executes exclusively from user mode, and performs kernel tampering through a kernel read/write primitive. We did not observe any additional malware activity on the target devices.

FudModule rootkit

FudModule is a sophisticated rootkit malware that specifically targets kernel access while evading detection. Threat actors have been observed using the FudModule data-only rootkit to establish admin-to-kernel access to Windows-based systems to allow read/write primitive functions and perform DKOM.

Diamond Sleet has been observed using FudModule since October 2021. The earliest variant of FudModule was reported publicly in September 2022 by ESET and AhnLAB researchers, when threat actors exploited known vulnerable drivers to establish admin-to-kernel access in the technique known as bring your own vulnerable driver (BYOVD). In February 2024, Avast researchers published analysis on an updated FudModule variant that is significantly more advanced and difficult to detect, since it exploits a zero-day vulnerability in appid.sys, an AppLocker driver that is installed by default into Windows (CVE-2024-21338).

Further research by Avast uncovered a full attack chain deploying the updated variant of FudModule known as “FudModule 2.0,” which includes malicious loaders and a late-stage remote access trojan (RAT). This attack chain revealed the previously unknown malware Kaolin RAT was responsible for loading the FudModule rootkit to targeted devices. Kaolin RAT established a secure, AES-encrypted connection with the command and control (C2) server and had capabilities to execute a robust list of commands, such as downloading and uploading files to the C2 server and creating or updating processes. The updated variant of FudModule exhibited an attack chain similar to that seen in Citrine Sleet’s zero-day exploit of CVE-2024-7971.

On August 13, Microsoft released a security update to address a zero-day vulnerability in the AFD.sys driver in Windows (CVE-2024-38193) identified by Gen Threat Labs. In early June, Gen Threat Labs identified Diamond Sleet exploiting this vulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing from the previously seen admin-to-kernel access. Gen Threat Labs released this information publicly on August 16.

Recommendations

The CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of these components are blocked, including CVE-2024-38106. Microsoft released a security update on August 13, 2024, for the CVE-2024-38106 vulnerability exploited by Diamond Sleet, thus also blocking attempts to exploit the CVE-2024-7971 exploit chain on updated systems. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security.

Zero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following exploitation. Microsoft recommends the following mitigations to reduce the impact of this threat.

Strengthen operating environment configuration

• Keep operating systems and applications up to date. Apply security patches as soon as possible. Ensure that Google Chrome web browser is updated at version 128.0.6613.84 or later, and Microsoft Edge web browser is updated at version 128.0.2739.42 or later to address the CVE-2024-7971 vulnerability.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.

Strengthen Microsoft Defender for Endpoint configuration

• Ensure that tamper protection is turned on in Microsoft Dender for Endpoint.
• Enable network protection in Microsoft Defender for Endpoint.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-breach.
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to help resolve breaches, significantly reducing alert volume.

Strengthen Microsoft Defender Antivirus configuration

• Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to help cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block majority of new and unknown variants.
• Turn on Microsoft Defender Antivirus scanning of downloaded files and attachments.
• Turn on real-time protection in Microsoft Defender Antivirus.

Detection details

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alert might also indicate threat activity related to this threat. Note, however, that this alert can also be triggered by unrelated threat activity.

• Emerging threat activity group Citrine Sleet detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

• CVE-2024-7971
• CVE-2024-38106

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence and protection information, and recommend actions to help prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Actor profile: Citrine Sleet
• Actor profile: Diamond Sleet
• Tool profile: AppleJeus

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Citrine Sleet domain activity

Microsoft Defender XDR customers may query for devices that may have interacted with Citrine Sleet domains related to this activity. Note that Microsoft Defender for Endpoint customers may surface related events with the alert title “Emerging threat activity group Citrine Sleet detected”.

let domainList = dynamic(["weinsteinfrog.com", "voyagorclub.space"]);
union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Search for domain IOCs

let domainList = dynamic(["weinsteinfrog.com", "voyagorclub.space"]); 
union 
( 
DnsEvents 
| where QueryType has_any(domainList) or Name has_any(domainList) 
| project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents" 
), 
( 
IdentityQueryEvents 
| where QueryTarget has_any(domainList) 
| project TimeGenerated, Domain = QueryTarget, SourceTable = "IdentityQueryEvents" 
), 
( 
DeviceNetworkEvents 
| where RemoteUrl has_any(domainList) 
| project TimeGenerated, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents" 
), 
( 
DeviceNetworkInfo 
| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks) 
| mv-expand DnsAddresses, ConnectedNetworks 
| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList) 
| project TimeGenerated, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo" 
), 
( 
VMConnection 
| extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames) 
| mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames 
| where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList) 
| project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection" 
), 
( 
W3CIISLog 
| where csHost has_any(domainList) or csReferer has_any(domainList) 
| project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog" 
), 
( 
EmailUrlInfo 
| where UrlDomain has_any(domainList) 
| project TimeGenerated, Domain = UrlDomain, SourceTable = "EmailUrlInfo" 
), 
( 
UrlClickEvents 
| where Url has_any(domainList) 
| project TimeGenerated, Domain = Url, SourceTable = "UrlClickEvents" 
),
(
CommonSecurityLog
| where DestinationDnsDomain has_any(domainList)
| project TimeGenerated, Domain = DestinationDnsDomain, SourceTable = "CommonSecurityLog" 
),
(
EmailEvents
| where SenderFromDomain has_any (domainList) or SenderMailFromDomain has_any (domainList)
| project TimeGenerated, SenderfromDomain = SenderFromDomain,SenderMailfromDomain = SenderMailFromDomain, SourceTable = "EmailEvents"
)
| order by TimeGenerated desc

Assess presence of vulnerabilities used by Citrine Sleet

DeviceTvmSoftwareVulnerabilities  
| where CveId has_any ("CVE-2024-7971","CVE-2024-38106","CVE-2024-38193","CVE-2024-21338")
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel  
| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project CveId, CvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware ) on CveId  
| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,  
CveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftware

Indicators of compromise

During the attacks, Microsoft observed the following IOCs:

• voyagorclub[.]space
• weinsteinfrog[.]com

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-7971
• https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
• https://nvd.nist.gov/vuln/detail/CVE-2024-4947
• https://nvd.nist.gov/vuln/detail/CVE-2024-5274
• https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
• https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf
• https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf
• https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/
• https://www.gendigital.com/blog/news/innovation/protecting-windows-users
• https://www.google.com/chrome/update/
• https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

Learn more

Read our blogs on threat actors, including Sleet actors. For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post North Korean threat actor Citrine Sleet exploiting Chromium zero-day appeared first on Microsoft Security Blog.

Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection. In addition, Microsoft observed intelligence gathering and possible social engineering targeting organizations within the higher education, satellite, and defense sectors via the professional networking platform LinkedIn.

Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group’s victimology and operational focus. Microsoft further assesses that Peach Sandstorm’s operations are designed to facilitate intelligence collection in support of Iranian state interests.

Microsoft tracks Peach Sandstorm campaigns and directly notifies customers who we observe have been targeted or compromised, providing them with the necessary information to help secure their environment. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Peach Sandstorm’s use of Tickler to raise awareness of this threat actor’s evolving tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. Microsoft published information on unrelated election interference linked to Iran in the most recent Microsoft Threat Analysis Center (MTAC) report.

Evolution of Peach Sandstorm tradecraft

In past campaigns, Peach Sandstorm has been observed to use password spray attacks to gain access to targets of interest with a high level of success. The threat actor has also conducted intelligence gathering via LinkedIn, researching organizations and individuals employed in the higher education, satellite, and defense sectors.

During the group’s latest operations, Microsoft observed new tactics, techniques, and procedures (TTPs) following initial access via password spray attacks or social engineering. Between April and July 2024, Peach Sandstorm deployed a new custom multi-stage backdoor, Tickler, and leveraged Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control (C2). Microsoft continuously monitors Azure, along with all Microsoft products and services, to ensure compliance with our terms of service. Microsoft has notified affected organizations and disrupted the fraudulent Azure infrastructure and accounts associated with this activity.

Intelligence gathering on LinkedIn

Going back to at least November 2021 and continuing through mid-2024, Microsoft observed Peach Sandstorm using multiple LinkedIn profiles masquerading as students, developers, and talent acquisition managers based in the US and Western Europe. Peach Sandstorm primarily used them to conduct intelligence gathering and possible social engineering against the higher education, satellite sectors, and related industries. The identified LinkedIn accounts were subsequently taken down. Information on LinkedIn’s policies and actions against inauthentic behavior on its platform is available here.

Password spray attacks as a common attack vector

Since at least February 2023, Microsoft has observed Peach Sandstorm carrying out password spray activity against thousands of organizations. In password spray attacks, threat actors attempt to authenticate to many different accounts using a single password or a list of commonly used passwords. In contrast to brute force attacks, which target a single account using many passwords, password spray attacks help adversaries maximize their chances for success and minimize the likelihood of automatic account lockouts.

Microsoft has observed that once Peach Sandstorm has verified a target account’s credentials using the password spray technique, the threat actor performed subsequent sign-ins to the compromised accounts from commercial VPN infrastructure.

In April and May 2024, Microsoft observed Peach Sandstorm conducting password spray attacks targeting organizations in the defense, space, education, and government sectors in the US and Australia. In particular, Peach Sandstorm continued to use the “go-http-client” user agent that they are known to leverage in password spray campaigns. While the password spray activity appeared consistently across sectors, Microsoft observed Peach Sandstorm exclusively leveraging compromised user accounts in the education sector to procure operational infrastructure. In these cases, the threat actor accessed existing Azure subscriptions or created one using the compromised account to host their infrastructure. The attacker-controlled Azure infrastructure then served as C2 or operational hops for Peach Sandstorm operations targeting the government, defense, and space sectors. Recent updates to security defaults in Azure, such as multi-factor authentication help ensure that Azure accounts are more resistant to account compromise techniques such as those used by Peach Sandstorm.

Tickler malware

Microsoft Threat Intelligence identified two samples of the Tickler malware, a custom multi-stage backdoor, that Peach Sandstorm deployed in compromised environments as recently as July 2024. The first sample was contained in an archive file named Network Security.zip alongside benign PDF files used as decoy documents. The archive file contained:

• YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe – theTickler malware
• Yahsat Policy Guide- April 2024.pdf – a benign PDF
• YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf – a second benign PDF

YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe is a 64-bit C/C++ based native PE file. The sample begins with a Process Environment Block (PEB) traversal to locate the in-memory address of file kernell32.dll.

Upon successful PEB traversal yielding the address of kernell32.dll in memory, the sample decrypts a string to LoadLibraryA and resolves its address, decrypts the string “kernel32.dll”, and loads it again using LoadLibraryA. The sample then launches the benign PDF file YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf as a decoy document.

The sample collects the network information from the host and sends it to the C2 URI via HTTP POST request, likely as a means for the threat actor to orient themselves on the compromised network. The below network information is an example generated in a lab environment:

We subsequently observed Peach Sandstorm iterating and improving on this initial sample. The second Tickler sample, sold.dll, is a Trojan dropper functionally identical to the previously identified sample. The malware downloads additional payloads from the C2 server, including a backdoor, a batch script to set persistence for this backdoor, and the following legitimate files:

• msvcp140.dll (SHA-256: dad53a78662707d182cdb230e999ef6effc0b259def31c196c51cc3e8c42a9b8)
• LoggingPlatform.dll (SHA-256: 56ac00856b19b41bc388ecf749eb4651369e7ced0529e9bf422284070de457b6)
• vcruntime140.dll (SHA-256: 22017c9b022e6f2560fee7d544a83ea9e3d85abee367f2f20b3b0448691fe2d4)
• Microsoft.SharePoint.NativeMessaging.exe (SHA-256: e984d9085ae1b1b0849199d883d05efbccc92242b1546aeca8afd4b1868c54f5)

The files msvcp140.dll, LoggingPlatform.dll, vcruntime140.dll, and Microsoft.SharePoint.NativeMessaging.exe are legitimate Windows signed binaries likely used for DLL sideloading.

Additionally, we observed the sample downloading the following malicious files:

• A batch script (SHA-256: 5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b)
• A DLL file (SHA-256: fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f)
• A DLL file (SHA-256: 711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350)

The batch script adds a registry Run key for a file called SharePoint.exe, likely used to load the malicious DLL files above, thus setting up persistence:

The two DLL files are both 64-bit C/C++ compiled PE DLL files and appear to be functionally identical to the previously analyzed samples. As fully functional backdoors, they can run the following commands:

• systeminfo – Gather system information
• dir – List directory
• run – Execute command
• delete – Delete file
• interval – Sleep interval
• upload – Download file from the C2
• download – Upload file to the C2

Azure resources abuse

Microsoft observed Peach Sandstorm creating Azure tenants using Microsoft Outlook email accounts and creating Azure for Students subscriptions in these tenants. Additionally, the group leveraged compromised user accounts in the Azure tenants of organizations in the education sector to do the same. Within these subscriptions, Peach Sandstorm subsequently created Azure resources for use as C2 for the backdoor. Of note, we have observed multiple Iranian groups, including Smoke Sandstorm, use similar techniques in recent months. The following resources were created by Peach Sandstorm for use as Tickler C2 nodes:

• subreviews.azurewebsites[.]net 
• satellite2.azurewebsites[.]net 
• nodetestservers.azurewebsites[.]net 
• satellitegardens.azurewebsites[.]net 
• softwareservicesupport.azurewebsites[.]net
• getservicessuports.azurewebsites[.]net
• getservicessupports.azurewebsites[.]net 
• getsupportsservices.azurewebsites[.]net 
• satellitespecialists.azurewebsites[.]net
• satservicesdev.azurewebsites[.]net
• servicessupports.azurewebsites[.]net
• websupportprotection.azurewebsites[.]net 
• supportsoftwarecenter.azurewebsites[.]net
• centersoftwaresupports.azurewebsites[.]net
• softwareservicesupports.azurewebsites[.]net
• getsdervicessupoortss.azurewebsites[.]net

Post-compromise activity

In the past year, Peach Sandstorm has successfully compromised several organizations, primarily in the aforementioned sectors, using bespoke tooling. Once Peach Sandstorm gains access to an organization, the threat actor is known to perform lateral movement and actions on objectives using the following techniques:

Moving laterally via Server Message Block (SMB)

After compromising a European defense organization, Peach Sandstorm threat actors moved laterally via SMB. SMB lateral movement is a technique used by threat actors to move from one compromised machine to another within a network by exploiting the SMB protocol. This protocol, which is used for sharing files, printers, and other resources on a network, could be misused by attackers to propagate their access and gain control over multiple systems.

Downloading and installing a remote monitoring and management (RMM) tool

In an older intrusion against a multinational pharmaceutical company not associated with the campaign discussed in this blog, after a likely successful password spray attack, Peach Sandstorm attempted to download and install AnyDesk, a commercial RMM tool. AnyDesk has a range of capabilities that allow users to remotely access a network, persist in a compromised environment, and enable command and control. The convenience and utility of a tool like AnyDesk is amplified by the fact that it might be permitted by application controls in environments where it is used legitimately by IT support personnel or system administrators.

Taking an Active Directory (AD) snapshot

In at least one intrusion against a Middle East-based satellite operator, Peach Sandstorm actors compromised a user using a malicious ZIP file delivered via Microsoft Teams message followed by dropping AD Explorer and taking an AD snapshot. An AD snapshot is a read-only, point-in-time copy of the AD database and related files, which can be used for various legitimate administrative tasks. These snapshots can also be exploited by threat actors for malicious purposes.

Mitigations

To harden networks against Peach Sandstorm activity, defenders can implement the following:

• Reset account passwords for any accounts targeted during a password spray attack. If a targeted account had system-level permissions, further investigation may be warranted. 
• Revoke session cookies in addition to resetting passwords. 
  • Revoke any MFA setting changes made by the attacker on any compromised users’ accounts. 
  • Require re-challenging MFA for MFA updates as the default. 
• Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:  
  • Create conditional access policies to allow or disallow access to the environment based on defined criteria. 
  • Block legacy authentication with Microsoft Entra by using Conditional Access. Legacy authentication protocols don’t have the ability to enforce multifactor authentication (MFA), so blocking such authentication methods will help prevent password spray attackers from taking advantage of the lack of MFA on those protocols. 
  • Enable AD FS web application proxy extranet lockout to protect users from potential password brute force compromise. 
• Secure accounts with credential hygiene: 
  • Practice the principle of least privilege and audit privileged account activity in your Microsoft Entra environments to help slow and stop attackers.  
  • Deploy Microsoft Entra Connect Health for Active Directory Federation Services (AD FS). This captures failed attempts as well as IP addresses recorded in AD FS logs for bad requests in the Risky IP report. 
  • Use Microsoft Entra password protection to help detect and block known weak passwords and their variants. 
  • Turn on identity protection in Microsoft Entra to monitor for identity-based risks and create policies for risky sign ins. 
• Comply with the recent MFA enforcement policy requiring all Azure accounts to utilize MFA. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business. 
• Secure remote desktop protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.

To protect against password spray attacks, implement the following mitigations:

• Eliminate insecure passwords.
• Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
• Reset account passwords for any accounts targeted during a password spray attack. If a targeted account had system-level permissions, further investigation may be warranted.
• Detect, investigate, and remediate identity-based attacks using solutions like Microsoft Entra ID Protection.
• Investigate compromised accounts using Microsoft Purview Audit (Premium).
• Enforce on-premises Microsoft Entra Password Protection for Microsoft Active Directory Domain Services.
• Use risk detections for user sign-ins to trigger multifactor authentication or password changes.
• Investigate any possible password spray activity using the password spray investigation playbook.

Strengthen endpoints against attacks by following these steps:

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to help cover rapidly evolving attacker tools and techniques. 
• Enable real-time protection in Microsoft Defender Antivirus or the equivalent for your antivirus product. 
• Detect and block potentially unwanted applications through Microsoft Defender for Endpoint. 
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious artifacts that are detected post-compromise. 
• Turn on attack surface reduction rules to help prevent common attack techniques:  
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion  
  • Block execution of potentially obfuscated scripts 
• Implement anomaly detection policies in Microsoft Defender for Cloud Apps. 
• Enable protections in Microsoft Defender for Endpoint to help safeguard against malicious sites and internet-based threats. 
  • Network protection 
  • Web protection 
• Enable tamper protection within Microsoft Defender for Endpoint to help prevent threat actors from disabling or changing security features, such as virus and threat protection.

Microsoft Defender XDR detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects components of this threat as the following malware:

• TrojanDownloader:Win64/Tickler
• Backdoor:Win64/Tickler

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Peach Sandstorm actor activity detected

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Password spraying
• Unfamiliar Sign-in properties
• An executable file loaded an unexpected DLL file

Microsoft Defender for Identity

The following Microsoft Defender for Identity alerts can indicate activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Atypical travel
• Suspicious behavior: Impossible travel activity

Microsoft Defender for Cloud Apps

The following Microsoft Defender for Cloud Apps alerts can indicate activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Activity from a Tor IP address
• Suspicious Administrative Activity
• Impossible travel activity
• Multiple failed login attempts
• Activity from an anonymous proxy

Threat intelligence reports

Microsoft Defender Threat Intelligence customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to help prevent, mitigate, or respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Abuse of remote monitoring and management tools
• DLL sideloading and DLL search order hijacking

Hunting queries

Microsoft Defender XDR

Microsoft Defender XDR customers can run the following query to find related activity in their networks:

Failed logon activity

The following query identifies failed attempts to sign-in from multiple sources that originate from a single ISP. Attackers distribute attacks from multiple IP addresses across a single service provider to evade detection. Run query 

IdentityLogonEvents
| where Timestamp > ago(4h)
| where ActionType == "LogonFailed"
| where isnotempty(AccountObjectId)
| summarize TargetCount = dcount(AccountObjectId), TargetCountry = dcount(Location), TargetIPAddress = dcount(IPAddress) by ISP
| where TargetCount >= 100
| where TargetCountry >= 5
| where TargetIPAddress >= 25

Connectivity to C2s

The following queries identifies connectivity to Peach Sandstorm created Azure App Service apps for command and control. Run query

let domainList = dynamic(["subreviews.azurewebsites.net", 
    "satellite2.azurewebsites.net",
    "nodetestservers.azurewebsites.net", 
    "satellitegardens.azurewebsites.net",
    "softwareservicesupport.azurewebsites.net",
    "getservicessuports.azurewebsites.net",
    "getservicessupports.azurewebsites.net",
    "getsupportsservices.azurewebsites.net",
    "satellitespecialists.azurewebsites.net",
    "satservicesdev.azurewebsites.net",
    "servicessupports.azurewebsites.net",
    "websupportprotection.azurewebsites.net ",
    "supportsoftwarecenter.azurewebsites.net",
    "centersoftwaresupports.azurewebsites.net"
    "softwareservicesupports.azurewebsites.net",
    "getsdervicessupoortss.azurewebsites.net"]);union
(
    DnsEvents
    | where QueryType has_any(domainList) or Name has_any(domainList)
    | project TimeGenerated, Domain = QueryType, SourceTable = "DnsEvents"
),
(
    IdentityQueryEvents
    | where QueryTarget has_any(domainList)
    | project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
    DeviceNetworkEvents
    | where RemoteUrl has_any(domainList)
    | project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
    DeviceNetworkInfo
    | extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
    | mv-expand DnsAddresses, ConnectedNetworks
    | where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
    | project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
    VMConnection
    | extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
    | mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
    | where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
    | project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
    W3CIISLog
    | where csHost has_any(domainList) or csReferer has_any(domainList)
    | project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
    EmailUrlInfo
    | where UrlDomain has_any(domainList)
    | project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
    UrlClickEvents
    | where Url has_any(domainList)
    | project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| order by TimeGenerated desc

Malicious file activity

The following query will surface events involving malicious files related to this activity. Run query

let fileHashes = dynamic(["711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350", "fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f", "5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b", "ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4", "7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198"]);
union
(
    DeviceFileEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceFileEvents"
),
(
    DeviceEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceEvents"
),
(
    DeviceImageLoadEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceImageLoadEvents"
),
(
    DeviceProcessEvents
    | where SHA256 in (fileHashes)
    | project Timestamp, FileHash = SHA256, SourceTable = "DeviceProcessEvents"
)
| order by Timestamp desc

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

• Signin Password Spray
• New Location Azure AD Sign Ins
• Enumeration of users & groups for lateral movement
• SMB shares Discovery
• Anomaly in SMB Traffic
• AnyDesk Net Connection
• AnyDesk – File Signature
• AnyDesk – Create Process
• DCSync Attack Detection

Indicators of compromise

Domains

• subreviews.azurewebsites[.]net 
• satellite2.azurewebsites[.]net 
• nodetestservers.azurewebsites[.]net 
• satellitegardens.azurewebsites[.]net 
• softwareservicesupport.azurewebsites[.]net
• getservicessuports.azurewebsites[.]net
• getservicessupports.azurewebsites[.]net 
• getsupportsservices.azurewebsites[.]net 
• satellitespecialists.azurewebsites[.]net
• satservicesdev.azurewebsites[.]net
• servicessupports.azurewebsites[.]net
• websupportprotection.azurewebsites[.]net 
• supportsoftwarecenter.azurewebsites[.]net
• centersoftwaresupports.azurewebsites[.]net
• softwareservicesupports.azurewebsites[.]net
• getsdervicessupoortss.azurewebsites[.]net

Tickler samples and related indicators

• YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe (SHA-256:  7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198)
• Sold.dll (SHA-256: ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4)
• Batch script (SHA-256: 5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b)
• Malicious DLL (SHA-256: fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f)
• Malicious DLL (SHA-256: 711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350)

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at https://www.linkedin.com/showcase/microsoft-threat-intelligence and on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations appeared first on Microsoft Security Blog.

October 2024 update – Microsoft’s Digital Crimes Unit (DCU) is disrupting the technical infrastructure used by Star Blizzard. We have updated this blog with the latest observed Star Blizzard tactics, techniques, and procedures (TTPs).

Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian nation-state actor we call Star Blizzard. Star Blizzard has continuously improved their detection evasion capabilities while remaining focused on email credential theft against the same targets. Star Blizzard, whose activities we assess to have historically supported both espionage and cyber influence objectives, continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests. Microsoft continues to refine and deploy protections against Star Blizzard’s evolving spear-phishing tactics.

Microsoft is grateful for the collaboration on investigating Star Blizzard compromises with the international cybersecurity community, including our partners at the UK National Cyber Security Centre, the US National Security Agency Cybersecurity Collaboration Center, and the US Federal Bureau of Investigation.

This blog provides updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs), building on our 2022 blog as the threat actor continues to refine their tradecraft to evade detection. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Star Blizzard TTPs observed in 2024

Star Blizzard persistently introduces new techniques to avoid detection. These TTPs are employed for brief periods and are either modified or abandoned once they become publicly known.

Microsoft has identified the following evasive techniques used by Star Blizzard in campaigns in 2024:

• Use of multiple registrars to register domain infrastructure
• Use of multiple link-shortening services and legitimate websites with open redirects, to hide actor-registered domains
• Use of altered legitimate email templates as spear-phishing lures

Using multiple registrars to register domain infrastructure

In December 2023, we highlighted that Star Blizzard was using the registrar NameCheap to register their domain infrastructure. As CitizenLab reported (August 2024), the threat actor has also used Hostinger to register domains used in the infrastructure for email credential theft.

Microsoft can confirm that in 2024 Star Blizzard transitioned from their long-standing practice of primarily using a single domain name registrar. Among the registrars seen used by Star Blizzard in 2024 are the following:

• Hostinger
• RealTime Register
• GMO Internet

A list of recent domain names registered by Star Blizzard can be found at the end of this report.

Use of multiple link-shortening services and legitimate websites to hide actor-registered domains

Since August 2024, Star Blizzard has made substantial changes in the methods they employ to redirect targets to their virtual private server (VPS) infrastructure, on which Evilginx is installed and then used to facilitate credential theft.

In December 2023, we detailed the threat actor’s use of email marketing platforms to prevent the need to embed the actor-registered domains in their spear-phishing emails. This technique was abandoned in early 2024, with the threat actor transitioning first to hosting the initial redirector website on shared infrastructure. Since August 2024, Star Blizzard has added multiple layers of redirection to their VPS infrastructure, utilizing various link-shortening services and legitimate websites that can be used as open redirectors.

For example, in a recent spear-phishing email that was sent from an actor-controlled Outlook account, we found that the threat actor had embedded an initial link, which was created using the Microsoft 365 Safe Links into the attached PDF lure. The Safe Links URL could only be generated by sending an email between actor-controlled accounts with the link in the body. The actor then copied that generated Safe Links URL to use in their attack.   

This link redirected to a shortened URL created using the Bitly link-shortening service, which resolved to another shortened URL created using the Cuttly link-shortening service. The second shortened URL redirected to a legitimate website, used as an open redirector, which ultimately redirected to the first actor-controlled domain.

The website mechengsys[.]net was hosted on shared infrastructure at Hostinger and performed various filtering actions until ultimately redirecting to an actor-controlled VPS installed with Evilginx, resolving the domain vidmemax[.]com.

Use of altered legitimate email templates as spear-phishing lures

For a brief period between July and August 2024, the threat actor utilized spear-phishing lures that did not contain or redirect to PDF lures embedded with links that redirected to actor-controlled infrastructure. Instead, Star Blizzard sent targets an altered OneDrive file share notification that included a clickable link to a malicious URL. When clicked, the link would initiate redirection to actor-controlled infrastructure. We observed Star Blizzard using this approach in spear-phishing attacks against its traditional espionage targets, including individuals associated with politics and diplomacy, NGOs, and think tanks.

In this approach, the threat actor began by creating a new email account, usually a Proton account, intended to impersonate a trusted sender so the recipient would be more likely to open the phishing email. The actor then stored a benign PDF or Word file in a cloud file-hosting service (for example, when targeting Microsoft customers, OneDrive) and shared the file with the newly created email account. The threat actor edited the HTML of the email, changing the displayed sender name and the URL behind the “Open” button that would otherwise lead back to the OneDrive-hosted file so that it directed to the Evilginx redirector domain instead.  

Star Blizzard then sent the spear-phishing email to the target. When the “Open” button was clicked, it directed the user to the redirector domain, which, after performing filtering based on browser fingerprinting and additional methods, directed the target to an actor-controlled Virtual Private Server (VPS) with the Evilginx installation. The Evilginx server allowed Star Blizzard to perform an adversary-in-the-middle (AiTM) attack on an authentication session to an email provider, enabling the actor to receive the necessary information to perform subsequent sign-ins to the target’s email account, including the username, password, and MFA token, if MFA is used by the target.

TTPs used in past Star Blizzard campaigns

Microsoft observed Star Blizzard using the following TTPs in campaigns before 2024, highlighting continuously evolving techniques used by the threat actor to evade detection:

• Use of server-side scripts to prevent automated scanning of actor-controlled infrastructure
• Use of email marketing platform services to hide true email sender addresses and obviate the need for including actor-controlled domain infrastructure in email messages
• Use of a DNS provider to obscure the IP addresses of actor-controlled virtual private server (VPS) infrastructure. Once notified, the DNS provider took action to mitigate actor-controlled domains abusing their service.
• Password-protected PDF lures or links to cloud-based file-sharing platforms where PDF lures are hosted
• Shift to a more randomized domain generation algorithm (DGA) for actor-registered domains

Use of server-side scripts to prevent automated scanning

Between April 2023 and December 2023, we observed Star Blizzard gradually moving away from using hCaptcha servers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure. Redirection was still performed by an actor-controlled server, first executing JavaScript code (titled “Collect and Send User Data”) before redirecting the browsing session to the Evilginx server.

Shortly after, in May 2023, the threat actor was observed refining the JavaScript code, resulting in an updated version (titled “Docs”), which is still in use today.

This capability collects various information from the browser performing the browsing session to the redirector server. The code contains three main functions:

• pluginsEmpty(): This function checks if the browser has any plugins installed.

• isAutomationTool(): This function checks for various indicators that the page is being accessed by an automation tool (such as Selenium, PhantomJS, or Nightmare) and returns an object with information about the detected tools.

• sendToBackend(data): This function sends the data collected by isAutomationTool() to the server using a POST request. If the server returns a response, the message in the response is executed using eval().

Following the POST request, the redirector server assessed the data collected from the browser and decided whether to allow continued browser redirection.

When a good verdict is reached, the browser received a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server.

A bad verdict resulted in the receipt of an HTTP error response and no further redirection.

Use of email marketing platform services

We previously observed Star Blizzard using two different services, HubSpot and MailerLite. The actor used these services to create an email campaign, which provided them with a dedicated subdomain on the service that is then used to create URLs. These URLs acted as the entry point to a redirection chain ending at actor-controlled Evilginx server infrastructure. The services also provided the user with a dedicated email address per configured email campaign, which the threat actor has been seen to use as the “From” address in their campaigns.

Most Star Blizzard HubSpot email campaigns have targeted multiple academic institutions, think tanks, and other research organizations using a common theme, aimed at obtaining their credentials for a US grants management portal. We assess that this use-case of the HubSpot mailing platform was to allow the threat actor to track large numbers of identical messages sent to multiple recipients. Note should be taken to the “Reply-to” address in these emails, which is required by the HubSpot platform to be an actual in-use account. All the sender accounts in the following examples were dedicated threat actor-controlled accounts.

Other HubSpot campaigns have been observed using the campaign URL embedded in an attached PDF lure or directly in the email body to perform redirection to actor-controlled Evilginx server infrastructure configured for email account credential theft. We assess that in these cases, the HubSpot platform was used to remove the need for including actor-controlled domain infrastructure in the spear-phishing emails and better evade detection based on indicators of compromise (IOC).

Star Blizzard’s use of the MailerLite platform is similar to the second HubSpot tactic described above, with the observed campaign URL redirecting to actor-controlled infrastructure purposed for email credential theft.

Use of a DNS provider to resolve actor-controlled domain infrastructure

In December 2022, we began to observe Star Blizzard using a domain name service (DNS) provider that also acts as a reverse proxy server to resolve actor-registered domain infrastructure. As of May 2023, most Star Blizzard registered domains associated with their redirector servers use a DNS provider to obscure the resolving IP addresses allocated to their dedicated VPS infrastructure.

We have yet to observe Star Blizzard utilizing a DNS provider to resolve domains used on Evilginx servers.

Password-protected PDF lures or links to cloud-based file-sharing platforms

Star Blizzard has been observed sending password-protected PDF lures in an attempt to evade email security processes implemented by defenders. The threat actor usually sends the password to open the file to the targeted user in the same or a subsequent email message.

In addition to password-protecting the PDF lures themselves, the actor has been observed hosting PDF lures at a cloud storage service and sharing a password-protected link to the file in a message sent to the intended victim. While Star Blizzard frequently uses cloud storage services from all major providers (including Microsoft OneDrive), Proton Drive is predominantly chosen for this purpose.

Microsoft suspends Star Blizzard operational accounts discovered using our platform for their spear-phishing activities.

Randomizing DGA for actor registered domains

Following the detailed public reporting by Recorded Future (August 2023) on detection opportunities for Star Blizzard domain registrations, we have observed the threat actor making significant changes in their chosen domain naming syntax.

Prior to the public reporting, Star Blizzard utilized a limited wordlist for their DGA. Subsequently, Microsoft has observed that the threat actor has upgraded their domain-generating mechanism to include a more randomized list of words.

Despite the increased randomization, Microsoft has identified detection opportunities based on the following constant patterns in Star Blizzard domain registration behavior:

• Namecheap remains the registrar of choice
• Domains are usually registered in groups, many times with similar naming conventions
• X.509 TLS certificates are provided by Let’s Encrypt, created in the same timeframe of domain registration

A list of recent domain names registered by Star Blizzard can be found at the end of this report.

Consistent TTPs since 2022

Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts.

Star Blizzard continues to utilize the publicly available Evilginx framework to achieve their objective, with the initial access vector remaining to be spear-phishing via email. Target redirection to the threat actor’s Evilginx server infrastructure is still usually achieved using custom-built PDF lures that open a browser session. This session follows a redirection chain ending at actor-controlled Evilginx infrastructure that is configured with a “phishlet” for the intended targets’ email provider.

Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain.

Protecting yourself against Star Blizzard

As with all threat actors that focus on phishing or spear-phishing to gain initial access to victim mailboxes, individual email users should be aware of who these attacks target and what they look like to improve their ability to identify and avoid further attacks.

The following are a list of answers to questions that enterprise and consumer email users should be asking about the threat from Star Blizzard:

Am I at risk of being a Star Blizzard target?

Users and organizations are more likely to be a potential Star Blizzard target if connected to the following areas:

1. Government or diplomacy (both incumbent and former position holders).
2. Research into defense policy or international relations when related to Russia.
3. Assistance to Ukraine related to the ongoing conflict with Russia.

Remember that Star Blizzard targets both consumer and enterprise accounts, so there is an equal threat to both organization and personal accounts.

What will a Star Blizzard spear-phishing email look like?

Star Blizzard emails appear to be from a known contact that users or organizations expect to receive email from. The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders  (@proton[.]me, @protonmail[.]com) as they are frequently used by the threat actor.

An initial email is usually sent to the target, asking them to review a document, but without any attachment or link to the document.

The threat actor will wait for a response, and following that, will send an additional message with either an attached PDF file or an embedded link, as detailed above in “Star Blizzard TTPs observed in 2024.”

If the targeted user has not completed authentication by entering their password in the offered sign-in page and/or supplied all the required factors for multifactor authentication (MFA), the threat actor does not have the capability to successfully compromise the targeted account.

Our recommendation to all email users that belong to Star Blizzard targeted sectors is to always remain vigilant when dealing with email, especially emails containing links to external resources. When in doubt, contact the person you think is sending the email using a known and previously used email address, to verify that the email was indeed sent by them.

What happens if I interact with a Star Blizzard PDF lure?

Pressing the button in a PDF lure causes the default browser to open a link embedded in the PDF file code—this is the beginning of the redirection chain. Targets will likely see a web page titled “Docs” in the initial page opened and may be presented with a CAPTCHA to solve before continuing the redirection. The browsing session will end showing a sign-in screen to the account where the spear-phishing email was received, with the targeted email already appearing in the username field.

The host domain in the web address is an actor-controlled domain (see appendix for full list), and not the expected domain of the email server or cloud service.

If multifactor authentication is configured for a targeted email account, entering a password in the displayed sign-in screen will trigger an authentication approval request. If passwordless access is configured for the targeted account, an authentication approval request is immediately received on the device chosen for receiving authentication approvals.

As long as the authentication process is not completed (a valid password is not entered and/or an authentication request is not approved), the threat actor has not compromised the account.

If the authentication process is completed, the credentials have been successfully compromised by Star Blizzard, and the threat actor has all the required details needed to immediately access the mailbox, even if multifactor authentication is enabled.

Recommendations

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.

Microsoft emphasizes that the following two mitigations will strengthen customers’ environments against Star Blizzard attack activity:

• Using phishing resistant authentication methods.
• Lockdown account access using Conditional Access policies

Microsoft is sharing indicators of compromise related to this attack at the end of this report to encourage the security community to further investigate for potential signs of Star Blizzard activity using their security solution of choice. All these indicators have been incorporated into the threat intelligence feed that powers Microsoft Defender products to aid in protecting customers and mitigating this threat. If your organization is a Microsoft Defender for Office customer or a Microsoft Defender for Endpoint customer with network protection turned on, no further action is required to mitigate this threat presently. A thorough investigation should be performed to understand potential historical impact if Star Blizzard activity has been previously alerted on in the environment.

Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat:

• Use advanced anti-phishing solutions like Microsoft Defender for Office 365 that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that automatically identify and block malicious websites and provide solutions that detect and block malicious emails, links, and files.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.
• Configure investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Use  security defaults as a baseline set of policies to improve identity security posture. For more granular control, enable conditional access policies.  Conditional access policies evaluate sign-in requests using additional identity driven signals like user or group membership, IP location information, and device status, among others, and are enforced for suspicious sign-ins. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant devices or trusted IP address requirements.
• Implement continuous access evaluation.
• Continuously monitor suspicious or anomalous activities. Investigate sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, and use of anonymizer services).
• Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Office 365 applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
• Use the Attack Simulator in Microsoft Defender for Office 365 to organize realistic, yet safe, simulated phishing and password attack campaigns in your organization by training end users against clicking URLs in unsolicited messages and disclosing their credentials. Training should include checking for poor spelling and grammar in phishing emails or the application’s consent screen as well as spoofed app names, logos, and domain URLs appearing to originate from legitimate applications or companies. Note that Attack Simulator testing only supports phishing emails containing links at this time.
• Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware. In all web protection scenarios, SmartScreen and Network Protection can be used together to ensure protection across both Microsoft and non-Microsoft browsers and processes.
• Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques:
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
  • Block execution of potentially obfuscated scripts.

Appendix

Microsoft Defender XDR detections

Microsoft Defender for Office 365

Microsoft Defender for Office 365 offers enhanced solutions for blocking and identifying malicious emails. Signals from Microsoft Defender for Office 365 inform Microsoft 365 Defender, which correlate cross-domain threat intelligence to deliver coordinated defense, when this threat has been detected. These alerts, however, can be triggered by unrelated threat activity. Example alerts:

• A potentially malicious URL click was detected
• Email messages containing malicious URL removed after delivery
• Email messages removed after delivery
• Email reported by user as malware or phish

Microsoft Defender SmartScreen

Microsoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC section below. By enabling Network protection, organizations can block attempts to connect to these malicious domains.

Microsoft Defender for Endpoint

Aside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following Microsoft Defender for Endpoint alerts for this attack. Note that these alerts can also be triggered by unrelated threat activity. Example alerts:

• Star Blizzard activity group
• Suspicious URL clicked
• Suspicious URL opened in web browser
• User accessed link in ZAP-quarantined email
• Suspicious activity linked to a Russian state-sponsored threat actor has been detected
• Connection to adversary-in-the-middle (AiTM) phishing site
• User compromised in AiTM phishing attack
• Possible AiTM phishing attempt

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, and respond to associated threats found in customer environments.

Microsoft Defender Threat Intelligence

• Star Blizzard
• Disrupting Star Blizzard’s ongoing phishing operations
• Star Blizzard adopting PDF-less approach to spearphishing
• Star Blizzard spearphishing campaign targets US think tanks

Microsoft Defender for Endpoint Threat analytics 

• Threat Insights: Disrupting Star Blizzard’s ongoing phishing operations

Hunting queries  

Microsoft Sentinel 

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.  

• Open Email Link 
• Suspicious Url Clicked 
• Doc attachment with link to download
• Possible Phishing with CSL & NetworkSession
• Potential DGA detected
• Possible DGA Contacts 
• Potential DGA Detected via Repetitive Failures AnomalyBased
• MultiVendor-Possible DGA Contacts
• Successful Signin From Non-CompliantDevice
• Risky User In 3P network activity

Indicators of compromise

Domain infrastructure observed in 2024

Past Star Blizzard domain infrastructure

Star Blizzard HubSpot campaign domains:

• djs53104[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
• djr6t104[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
• djrzf704[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
• djskzh04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
• djslws04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
• djs36c04[.]eu1[.]hubspotlinksfree[.]com – used in August 2023
• djt47x04[.]eu1[.]hubspotlinksfree[.]com – used in September 2023
• djvcl404[.]eu1[.]hubspotlinksfree[.]com – used in October 2023
• d5b74r04[.]na1[.]hubspotlinksfree[.]com – used in October 2023
• djvxqp04[.]eu1[.]hubspotlinksfree[.]com – used in October 2023

Star Blizzard MailerLite campaign domain:

• ydjjja[.]clicks[.]mlsend[.]com – used in September 2023

References

• https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/
• https://www.ncsc.gov.uk/news/spear-phishing-campaigns-targets-of-interest
• https://www.recordedfuture.com/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter) at https://twitter.com/MsftSecIntel.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.

The post Star Blizzard increases sophistication and evasion in ongoing attacks appeared first on Microsoft Security Blog.

In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments. Given this, Microsoft assesses that this activity poses a particularly high risk to organizations who are affected. JetBrains has released an update to address this vulnerability and has developed a mitigation for users who are unable to update to the latest software version.

While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation. Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and utilized techniques that may enable persistent access to victim environments.

As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised and provides them with the information they need to secure their environments.

Who are Diamond Sleet and Onyx Sleet?

Diamond Sleet (ZINC) is a North Korean nation-state threat actor that prioritizes espionage, data theft, financial gain, and network destruction. The actor typically targets media, IT services, and defense-related entities around the world. Microsoft reported on Diamond Sleet’s targeting of security researchers in January 2021 and the actor’s weaponizing of open-source software in September 2022. In August 2023, Diamond Sleet conducted a software supply chain compromise of a German software provider.

Onyx Sleet (PLUTONIUM) is a North Korean nation-state threat actor that primarily targets defense and IT services organizations in South Korea, the United States, and India. Onyx Sleet employs a robust set of tools that they have developed to establish persistent access to victim environments and remain undetected. The actor frequently exploits N-day vulnerabilities as a means of gaining initial access to targeted organizations.

Diamond Sleet attack path 1: Deployment of ForestTiger backdoor

Following the successful compromise of TeamCity servers, Diamond Sleet utilizes PowerShell to download two payloads from legitimate infrastructure previously compromised by the threat actor. These two payloads, Forest64.exe and 4800-84DC-063A6A41C5C are stored in the C:\ProgramData directory.

When launched, Forest64.exe checks for the presence of the file named 4800-84DC-063A6A41C5C, then reads and decrypts the contents of that file using embedded, statically assigned key of ‘uTYNkfKxHiZrx3KJ’:

c:\ProgramData\Forest64.exe  uTYNkfKxHiZrx3KJ

Interestingly, this same value is specified as a parameter when the malware is invoked, but we did not see it utilized during our analysis. The same value and configuration name was also referenced in historical activity reported by Kaspersky’s Securelist on this malware, dubbed ForestTiger.

The decrypted content of 4800-84DC-063A6A41C5C is the configuration file for the malware, which contains additional parameters, such as the infrastructure used by the backdoor for command and control (C2). Microsoft observed Diamond Sleet using infrastructure previously compromised by the actor for C2.

Microsoft observed Forest64.exe then creating a scheduled task named Windows TeamCity Settings User Interface so it runs every time the system starts with the above referenced command parameter “uTYNkfKxHiZrx3KJ”. Microsoft also observed Diamond Sleet leveraging the ForestTiger backdoor to dump credentials via the LSASS memory. Microsoft Defender Antivirus detects this malware as ForestTiger.

Diamond Sleet attack path 2: Deploying payloads for use in DLL search-order hijacking attacks

Diamond Sleet leverages PowerShell on compromised servers to download a malicious DLL from attacker infrastructure. This malicious DLL is then staged in C:\ProgramData\ alongside a legitimate .exe file to carry out DLL search-order hijacking. Microsoft has observed these malicious DLL and legitimate EXE combinations used by the actor:

DSROLE.dll attack chain

When DSROLE.dll is loaded by wsmprovhost.exe, the DLL initiates a thread that enumerates and attempts to process files that exist in the same executing directory as the DLL. The first four bytes of candidate files are read and signify the size of the remaining buffer to read. Once the remaining data is read back, the bytes are reversed to reveal an executable payload that is staged in memory. The expected PE file should be a DLL with the specific export named ‘StartAction’. The address of this export is resolved and then launched in memory.

While the functionality of DSROLE.dll is ultimately decided by whatever payloads it deobfuscates and launches, Microsoft has observed the DLL being used to launch wksprt.exe, which communicates with C2 domains. Microsoft Defender Antivirus detects DSROLE.dll using the family name RollSling.

Version.dll attack chain

When loaded by clip.exe, Version.dll loads and decrypts the contents of readme.md, a file  downloaded alongside Version.dll from attacker-compromised infrastructure. The file readme.md contains data that is used as a multibyte XOR key to decrypt position-independent code (PIC) embedded in Version.dll. This PIC loads and launches the final-stage remote access trojan (RAT).

Once loaded in memory, the second-stage executable decrypts an embedded configuration file containing several URLs used by the malware for command and control. Shortly after the malware beacons to the callback URL, Microsoft has observed a separate process iexpress.exe created and communicating with other C2 domains. Microsoft Defender Antivirus detects Version.dll using the family name FeedLoad.

After successful compromise, Microsoft observed Diamond Sleet dumping credentials via the LSASS memory.

In some cases, Microsoft observed Diamond Sleet intrusions that utilized tools and techniques from both paths 1 and 2.

Onyx Sleet attack path: User account creation, system discovery, and payload deployment

Following successful exploitation using the TeamCity exploit, Onyx Sleet creates a new user account on compromised systems. This account, named krtbgt, is likely intended to impersonate the legitimate Windows account name KRBTGT, the Kerberos Ticket Granting Ticket. After creating the account, the threat actor adds it to the Local Administrators Group through net use:

net  localgroup administrators krtbgt /add

The threat actor also runs several system discovery commands on compromised systems, including:

net localgroup 'Remote Desktop Users’
net localgroup Administrators
cmd.exe "/c tasklist | findstr Sec"
cmd.exe "/c whoami"
cmd.exe "/c netstat -nabp tcp"
cmd.exe "/c ipconfig /all"
cmd.exe "/c systeminfo"

Next, the threat actor deploys a unique payload to compromised systems by downloading it from attacker-controlled infrastructure via PowerShell. Microsoft observed these file paths for the unique payload:

• C:\Windows\Temp\temp.exe
• C:\Windows\ADFS\bg\inetmgr.exe

This payload, when launched, loads and decrypts an embedded PE resource. This decrypted payload is then loaded into memory and launched directly. The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure. Microsoft Defender Antivirus detects this proxy tool as HazyLoad.

Microsoft also observed the following post-compromise tools and techniques leveraged in this attack path:

• Using the attacker-controlled krtbgt account to sign into the compromised device via remote desktop protocol (RDP)
• Stopping the TeamCity service, likely in an attempt to prevent access by other threat actors
• Dumping credentials via the LSASS memory
• Deploying tools to retrieve credentials and other data stored by browsers

Recommended mitigation actions

Microsoft recommends the following mitigations to reduce the impact of this threat.

• Apply the update or mitigations released by JetBrains to address CVE-2023-42793.
• Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
• Block in-bound traffic from IPs specified in the IOC table.
• Use Microsoft Defender Antivirus to protect from this threat. Turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Take immediate action to address malicious activity on the impacted device. If malicious code has been launched, the attacker has likely taken complete control of the device. Immediately isolate the system and perform a reset of credentials and tokens.
• Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
• Ensure that “Safe DLL Search Mode” is set.
• Turn on the following attack surface reduction rule:
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Detections

Microsoft 365 Defender

Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the CVE-2023-42793 vulnerability leveraged in these attacks.

Microsoft Defender Antivirus

Microsoft Defender Antivirus customers should look for the following family names for activity related to these attacks:

• ForestTiger
• RollSling
• FeedLoad
• HazyLoad

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts could indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity.

• Diamond Sleet Actor activity detected
• Onyx Sleet Actor activity detected
• Possible exploitation of JetBrains TeamCity vulnerability
• Suspicious behavior by cmd.exe was observed
• Suspicious DLL loaded by an application
• Suspicious PowerShell download or encoded command execution
• Possible lateral movement involving suspicious file
• A script with suspicious content was observed
• Suspicious scheduled task

Hunting queries

Microsoft 365 Defender

Command and control using iexpress.exe or wksprt.exe

DeviceNetworkEvents
| where (InitiatingProcessFileName =~ "wksprt.exe" and InitiatingProcessCommandLine == "wksprt.exe") 
or (InitiatingProcessFileName =~ "iexpress.exe" and InitiatingProcessCommandLine == "iexpress.exe")

Search order hijack using Wsmprovhost.exe and DSROLE.dll

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
| where FileName =~ "DSROLE.dll"
| where not(FolderPath has_any("system32", "syswow64"))

Search order hijack using clip.exe and Version.dll

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "clip.exe"
| where FileName in~("version.dll")
| where not(FolderPath has_any("system32", "syswow64", "program files", "windows defender\\platform", "winsxs", "platform",
"trend micro"))

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.  

• PowerShell downloads
• Dumping LSASS Process into a File
• Anomalous Account Creation
• RDP Rare Connection
• Anomalous RDP Activity

Indicators of compromise (IOCs)

The list below provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Diamond Sleet path 1

Diamond Sleet path 2

Onyx Sleet path

NOTE: These indicators should not be considered exhaustive for this observed activity.

References

• Following the Lazarus group by tracking DeathNote campaign | Securelist

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability appeared first on Microsoft Security Blog.

Our current investigation indicates this campaign has affected fewer than 40 unique global organizations. The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

Midnight Blizzard (NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-government organizations (NGOs), and IT service providers primarily in the US and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.

Midnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain access to downstream customers, as well as the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard (NOBELIUM) is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear.

Midnight Blizzard’s latest credential phishing attack

Midnight Blizzard regularly utilizes token theft techniques for initial access into targeted environments, in addition to authentication spear-phishing, password spray, brute force, and other credential attacks. The attack pattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard.

Use of security-themed domain names in lures

To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant. The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation. Microsoft has mitigated the actor from using the domains.

Social engineering attack chain

In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.

After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device.

Step 1: Teams request to chat

The target user may receive a Microsoft Teams message request from an external user masquerading as a technical support or security team.

Step 2: Request authentication app action

If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device.

Step 3: Successful MFA authentication

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.

The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant. In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.

Recommendations

Microsoft recommends the following mitigations to reduce the risk of this threat.

• Pilot and start deploying phishing-resistant authentication methods for users.
• Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
• Apply security best practices for Microsoft Teams. Refer to the security guide for Microsoft Teams.
  • Understand and select the best access settings for external collaboration for your organization.
  • Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
• Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
• Allow only known devices that adhere to Microsoft’s recommended security baselines.
• Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
  • Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
  • Educate Microsoft Teams users about accepting or blocking people outside the organization who send messages in Microsoft Teams.
• Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
• Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.

Indicators of compromise

Hunting guidance

Microsoft Purview

Customers hunting for related activity in their environment can identify users that were targeted with the phishing lure using content search in Microsoft Purview. A content search can be created for selected Exchange mailboxes (which include Teams messages) using the following keywords (remove the [] around the “.” before use): 

• mlcrosoftaccounts.onmicrosoft[.]com
• msftonlineservices.onmicrosoft[.]com
• msonlineteam.onmicrosoft[.]com
• msftservice.onmicrosoft[.]com
• noreplyteam.onmicrosoft[.]com
• accounteam.onmicrosoft[.]com
• teamsprotection.onmicrosoft[.]com
• identityverification.onmicrosoft[.]com
• msftprotection.onmicrosoft[.]com
• accountsverification.onmicrosoft[.]com
• azuresecuritycenter.onmicrosoft[.]com
• We detected a recent change to your preferred Multi-Factor Authentication (MFA)

The search results will include the messages that match the criteria. The first result will appear to be from <threadid>@unq.gbl.spaces addressed to the target user and the threat actor (i.e., the request to chat as described in Step 1), followed by the message sent by the threat actor, as shown in the Microsoft Purview image below:

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”) to automatically match indicators associated with Midnight Blizzard in Microsoft Defender Threat Intelligence with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the Defender Threat Intelligence connector and analytics rule deployed in their Sentinel workspace. Learn more about the Content Hub.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect activity related to the activity described in this blog:

• Azure portal sign-in from another Azure tenant
• Successful sign-in from non-compliant device
• User accounts – Sign-in failure due to CA spikes
• New onmicrosoft domain added to tenant

Further reading

Read about the threat actor Midnight Blizzard (formerly tracked as NOBELIUM).

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Midnight Blizzard conducts targeted social engineering over Microsoft Teams appeared first on Microsoft Security Blog.

Today, Microsoft Threat Intelligence is sharing updated details about techniques of a threat actor formerly tracked as DEV-0586—a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard. As a result of our investigation into their intrusion activity over the past year, we have gained high confidence in our analysis and knowledge of the actor’s tooling, victimology, and motivation, meeting the criteria to convert this group to a named threat actor.  

Microsoft assesses that Cadet Blizzard operations are associated with the Russian General Staff Main Intelligence Directorate (GRU) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM). While Microsoft constantly tracks a number of activity groups with varying degrees of Russian government affiliation, the emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape. A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed WhisperGate, a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations. Cadet Blizzard is also linked to the defacements of several Ukrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as “Free Civilian”.

Microsoft has tracked Cadet Blizzard since the deployment of WhisperGate in January 2022. We assess that they have been operational in some capacity since at least 2020 and continue to perform network operations through the present. Operationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia’s invasion of Ukraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally significant areas. Cadet Blizzard’s operations, though comparatively less prolific in both scale and scope to more established threat actors such as Seashell Blizzard, are structured to deliver impact and frequently run the risk of hampering continuity of network operations and exposing sensitive information through targeted hack-and-leak operations. Primary targeted sectors include government organizations and information technology providers in Ukraine, although organizations in Europe and Latin America have also been targeted.

Microsoft has been working with CERT-UA closely since the beginning of Russia’s war in Ukraine and continues to support the country and neighboring states in protecting against cyberattacks, such as the ones carried out by Cadet Blizzard. As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations. Microsoft is also actively working with members of the global security community and other strategic partners to share information that can address this evolving threat through multiple channels. Having elevated this activity to a distinct threat actor name, we’re sharing this information with the larger security community to provide insights to protect and mitigate Cadet Blizzard as a threat. Organizations should actively take steps to protect environments against Cadet Blizzard, and this blog further aims to discuss how to detect and prevent disruption.

Who is Cadet Blizzard?

Cadet Blizzard is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022. During this time, Russian troops backed with tanks and artillery were surrounding the Ukrainian border as the military prepped for an offensive attack. The defacements of key Ukrainian institutions’ websites, coupled with the WhisperGate malware, prefaced multiple waves of attacks by Seashell Blizzard that followed when the Russian military began their ground offensive a month later.

Cadet Blizzard compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions. Microsoft observed Cadet Blizzard’s activity peak between January and June 2022, followed by an extended period of reduced activity. The group re-emerged in January 2023 with increased operations against multiple entities in Ukraine and in Europe, including another round of website defacements and a new “Free Civilian” Telegram channel affiliated with the hack-and-leak front under the same name that first emerged in January 2022, around the same time as the initial defacements. Cadet Blizzard actors are active seven days of the week and have conducted their operations during their primary European targets’ off-business hours. Microsoft assesses that NATO member states involved in providing military aid to Ukraine are at greater risk.

Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion. While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard.  Additionally, as is the case with other Russian state-sponsored threat groups, Microsoft assesses that at least one Russian private sector organization has materially supported Cadet Blizzard by providing operational support including during the WhisperGate destructive attack.

Targets

Cadet Blizzard’s operations are global in scope but consistently affect regional hotspots in Ukraine, Europe, Central Asia, and, periodically, Latin America. Cadet Blizzard likely prioritizes target networks based on requirements consistent with Russian military or intelligence objectives such as geolocation or perceived impact. Cadet Blizzard, consistent with a Russian military-associated threat actor, continues to mainly target Ukraine, although the relative scope of impact of Cadet Blizzard’s destructive activity is minimal compared to the multiple waves of destructive attacks that we attribute to Seashell Blizzard. In January 2022, Cadet Blizzard launched destructive attacks in Ukraine in the following industry verticals:

• Government services
• Law enforcement
• Non-profit/non-governmental organization
• IT service providers/consulting
• Emergency services

Cadet Blizzard has repeatedly targeted information technology providers and software developers that provide services to government organizations using a supply chain “compromise one, compromise many” technique. The group’s January 2022 compromise of government entities in Ukraine probably were at least in part due to access and information gained during a breach of an information technology provider that often worked with these organizations.

Prior to the war in Ukraine, Cadet Blizzard performed historical compromises of several Eastern European entities as well, primarily affecting the government and technology sectors as early as April 2021. As the war continues, Cadet Blizzard activity poses an increasing risk to the broader European community, specifically any successful attacks against governments and IT service providers, which may give the actor both tactical and strategic-level insight into Western operations and policy surrounding the conflict. Gaining heightened levels of access into these targeted sectors may also enable Cadet Blizzard to carry out retaliatory demonstrations in opposition to the West’s support for Ukraine.

Tools, tactics, and procedures

Cadet Blizzard is a conventional network operator and commonly utilizes living-off-the-land techniques after gaining initial access to move laterally through the network, collect credentials and other information, and deploy defense evasion techniques and persistence mechanisms. Unlike other Russian-affiliated groups that historically prefer to remain undetected to perform espionage, the result of at least some notable Cadet Blizzard operations are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation.

Initial access

Cadet Blizzard predominantly achieves initial access through exploitation of web servers commonly found on network perimeters and DMZs. Cadet Blizzard is also known for exploiting Confluence servers through the CVE-2021-26084 vulnerability, Exchange servers through multiple vulnerabilities including CVE-2022-41040 and ProxyShell, and likely commodity vulnerabilities in various open-source platforms such as content management systems.

Persistence

Cadet Blizzard frequently persists on target networks through the deployment of commodity web shells used either for commanding or tunneling. Commonly utilized web shells include P0wnyshell, reGeorg, PAS, and even custom variants included in publicly available exploit kits.

In February 2023, CERT-UA reported an attempted attack against a Ukrainian state information system that involved a variant of the PAS web shell, which Microsoft assesses to be unique to Cadet Blizzard operations at the time of the intrusion.

Privilege escalation and credential harvesting
Cadet Blizzard has leveraged a variety of living-off-the-land techniques to conduct privilege escalation and harvesting of credentials.

• Dumping LSASS – Cadet Blizzard uses Sysinternals tools such as procdump to dump LSASS in suspected offline credential harvesting efforts. Cadet Blizzard frequently renames procdump64 to alternative names, such as dump64.exe.
• Dumping registry hives – Cadet Blizzard extracts registry hives using native means via reg save.

Lateral movement
Cadet Blizzard conducts lateral movement with valid network credentials obtained from credential harvesting. To conduct lateral movement more efficiently, Cadet Blizzard typically uses modules from the publicly available Impacket framework. While this framework is generically utilized by multiple actors, preferential execution of patterns of commands may allow for more precision profiling of Cadet Blizzard operations:

• PowerShell get-volume to enumerate the volume of a device

• Copying critical registry hives that contain password hashes and computer information

• Downloading files directly from actor-owned infrastructure via the PowerShell DownloadFile commandlet

Command execution and C2

Cadet Blizzard periodically uses generic socket-based tunneling utilities to facilitate command and control (C2) to actor-controlled infrastructure. Payloads such as NetCat and Go Simple Tunnel (GOST) are commonly renamed to blend into the operating system but are used to shovel interactive command prompts over established sockets. Frequently, remote command execution may be facilitated through remotely scheduled tasks. The group has also sparingly utilized Meterpreter.

Operational security

Cadet Blizzard utilizes anonymization services IVPN, SurfShark, and Tor as their anonymization layer during select operations.

Anti-forensics
Cadet Blizzard has been observed leveraging the Win32_NTEventlogFile commandlet in PowerShell to extract both system and security event logs to an operational directory. The activities are anticipated to be consistent with anti-forensics activities.

• Common file targets during extraction are:
  • sec.evtx
  • sys.evtx
• Cadet Blizzard commonly deletes files used during operational phases seen in lateral movement.
• Cadet Blizzard malware implants are known to disable Microsoft Defender Antivirus through a variety of means:
  • NirSoft AdvancedRun utility, which is used to disable Microsoft Defender Antivirus by stopping the WinDefend service.
  • Disable Windows Defender.bat, which presumably disables Microsoft Defender Antivirus via the registry.

Impact assessment

Cadet Blizzard typically collects information en-masse from targeted servers. If mail servers are affected, Cadet Blizzard typically attempts to collect mail, placing incident response communications at risk. Credential material (such as SSH keys) are also a common target to provide methods for re-entry if a full remediation does not occur. As was the case with the WhisperGate operation in January 2022, Cadet Blizzard is known to deploy destructive malware to select target environments to delete data and render systems inoperable.

Also in January of 2022, Microsoft identified that data exfiltrated by Cadet Blizzard in compromises of various Ukrainian organizations was leaked on a Tor .onion site under the name “Free Civilian.” The organizations from which data was leaked strongly correlated to multiple Cadet Blizzard compromises earlier in 2022, leading Microsoft to assess that this forum is almost certainly linked to Cadet Blizzard. In February 2023, a new Telegram channel was established under the same “Free Civilian” moniker, suggesting that Cadet Blizzard intends to continue conducting information operations in the second year of the war. However, the public channel only has 1.3K followers with posts getting at most a dozen reactions as of the time of publication, signifying low user interaction. A private channel assumed to be operated by the same group appears to have shared data with 748 of those subscribers.

Related ecosystems

Cadet Blizzard operations do not occur in a silo; there have been substantial technical indicators of intersection with other malicious cyber activity that may have a broader scope or a nexus outside of Russia. They have at times utilized services associated with these ecosystems such as Storm-0587, discussed below, as well as having support from at least one private sector enabler organization within Russia. Though there have been various forms of intersections in threat activity, when these groups have been observed operating independently, the tactics, techniques, procedures (TTPs) and capabilities have often been distinct—therefore making it operationally valuable to distinguish these activity groups.

Storm-0587

Storm-0587 is a cluster of activity beginning as early as April 2021 involving a series of weaponized documents predominantly delivered in phishing operations usually to distribute a series of downloaders and document stealers. One of Storm-0587’s trademark tools is SaintBot, an uncommon downloader that often appears in spear-phishing emails. This downloader can be customized to deploy almost anything as the payload, but in Ukraine, the malware often deploys a version of an AutoIT information stealer that collects documents on the machine that threat actors deem of interest. This specific version of the malware has been named OUTSTEEL by CERT UA and has been observed in several attacks, such as a fake version of the Office of the President of Ukraine’s website created in July 2021 that hid weaponized documents, including OUTSTEEL, that would download onto victim’s machines when the documents are clicked.

Mitigation and protection guidance

Defending against Cadet Blizzard

Activities linked to Cadet Blizzard indicate that they are comprehensive in their approach and have demonstrated an ability to hold networks at risk of continued compromise for an extended period of time. A comprehensive approach to incident response may be required in order to fully remediate from Cadet Blizzard operations. Organizations can bolster security of information assets and expedite incident response by focusing on areas of risk based on actor tradecraft enumerated within this report. Use the included indicators of compromise to investigate environments and assess for potential intrusion.

• Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
• Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers download and use password-less solutions like Microsoft Authenticator to secure accounts.
• Enable controlled folder access (CFA) to prevent MBR/VBR modification.
• Block process creations originating from PSExec and WMI commands to stop lateral movement utilizing the WMIexec component of Impacket.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus, turned on by default in Windows, or the equivalent for your chosen antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.

Hunting for Cadet Blizzard hands-on-keyboard activity

To uncover malicious hands-on-keyboard activities in environments, identify any unusual or unexpected commands or tools launched on systems as well as the presence of any unusual directories or files that could be used for staging or storing malicious tools. Use the common commands, tools, staging directories, and indicators of compromise listed below to help identify Cadet Blizzard intrusion and hands-on-keyboard activity in environments.

Common commands

• systeminfo to fingerprint a device after lateral movement
• get-volume to fingerprint a device after lateral movement
• nslookup to research specific devices (IP) and FQDNs internally
• Get-DnsServerResourceRecord to conduct reconnaissance of an internal DNS namespace
• query session to profile RDP connections
• route print to enumerate routes available on the devices
• DownloadFile via PowerShell to download payloads from external servers

Common tool staging directories

• C:\ProgramData
• C:\PerfLogs
• C:\Temp
• C:\
• Subdirectories of legitimate (or fake) user accounts within %APPDATA%\Temp
• Subdirectories with the name USOPublic in the path

Common tools

• Tor
• Python
• SurfShark
• Teamviewer
• Meterpreter named as dbus-rpc.exe in known instances
• IVPN
• NGROK
• GOST.exe frequently masked as USORead.exe
• regeorg web shell

Indicators of compromise (IOCs)

Microsoft 365 Defender detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects behavioral components of techniques this threat actor uses as the following:

• Behavior:Win32/WmiprvseRemoteProc

Microsoft Defender Antivirus detects the WhisperGate malware attributed to this threat actor with the following family:

• WhisperGate

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Cadet Blizzard activity detected
• Possible Storm-0587 activity detected

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

• Ongoing hands-on-keyboard attack via Impacket toolkit
• Suspicious PowerShell command line
• Suspicious WMI process creation

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

• CVE-2021-26084
• CVE-2020-1472
• CVE-2021-4034

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

Check for WMIExec Impacket activity with common Cadet Blizzard commands

DeviceProcessEvents
| where InitiatingProcessFileName =~ "WmiPrvSE.exe" and FileName =~ "cmd.exe"
| where ProcessCommandLine matches regex "2>&1"
| where ProcessCommandLine has_any ("get-volume","systeminfo","reg.exe","downloadfile","nslookup","query session","route print")

Find PowerShell file downloads

DeviceProcessEvents
| where FileName == "powershell.exe" and ProcessCommandLine has "DownloadFile"

Scheduled task creation, command execution and C2 communication

DeviceProcessEvents 
| where Timestamp  > ago(14d) 
| where FileName =~ "schtasks.exe"  
| where (ProcessCommandLine  contains "splservice" or ProcessCommandLine contains "spl32") and 
(ProcessCommandLine contains "127.0.0.1" or ProcessCommandLine contains "2>&1")

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with “TI map”) to automatically match indicators associated with Cadet Blizzard in Microsoft Defender Threat Intelligence (MDTI) with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the MDTI connector and analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

• Web Shell Activity
• Commands executed by WMI
• Potential Impacket Execution
• Dumping LSASS using procdump
• Potential Microsoft Defender Tampering

References

• https://www.npr.org/2022/01/14/1073001754/ukraine-cyber-attack-government-websites-russia
• https://github.com/flozz/p0wny-shell
• https://github.com/sensepost/reGeorg
• https://cert.gov.ua/article/3947787
• https://github.com/fortra/impacket
• https://intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

The post Cadet Blizzard emerges as a novel and distinct Russian threat actor appeared first on Microsoft Security Blog.

Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible. Microsoft is choosing to highlight this Volt Typhoon activity at this time because of our significant concern around the potential for further impact to our customers. Although our visibility into these threats has given us the ability to deploy detections to our customers, the lack of visibility into other parts of the actor’s activity compelled us to drive broader community awareness and further investigations and protections across the security ecosystem.

To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.

In this blog post, we share information on Volt Typhoon, their campaign targeting critical infrastructure providers, and their tactics for achieving and maintaining unauthorized access to target networks. Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. At the end of this blog post, we share more mitigation steps and best practices, as well as provide details on how Microsoft 365 Defender detects malicious and suspicious activity to protect organizations from such stealthy attacks. The National Security Agency (NSA) has also published a Cybersecurity Advisory [PDF] which contains a hunting guide for the tactics, techniques, and procedures (TTPs) discussed in this blog.

As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. To learn about Microsoft’s approach to threat actor tracking, read Microsoft shifts to a new threat actor naming taxonomy.

Initial access

Volt Typhoon achieves initial access to targeted organizations through internet-facing Fortinet FortiGuard devices. Microsoft continues to investigate Volt Typhoon’s methods for gaining access to these devices.

The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials.

Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface. By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure.

Post-compromise activity

Once Volt Typhoon gains access to a target environment, they begin conducting hands-on-keyboard activity via the command line. Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times.

Volt Typhoon rarely uses malware in their post-compromise activity. Instead, they rely on living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data. We describe their activities in the following sections, including the most impactful actions that relate to credential access.

Credential access

If the account that Volt Typhoon compromises from the Fortinet device has privileged access, they use that account to perform the following credential access activities.

Microsoft has observed Volt Typhoon attempting to dump credentials through the Local Security Authority Subsystem Service (LSASS). The LSASS process memory space contains hashes for the current user’s operating system (OS) credentials.

Volt Typhoon also frequently attempts to use the command-line tool Ntdsutil.exe to create installation media from domain controllers, either remotely or locally. These media are intended to be used in the installation of new domain controllers. The files in the installation media contain usernames and password hashes that the threat actors can crack offline, giving them valid domain account credentials that they could use to regain access to a compromised organization if they lose access.

Discovery

Microsoft has observed Volt Typhoon discovering system information, including file system types; drive names, size, and free space; running processes; and open networks. They also attempt to discover other systems on the compromised network using PowerShell, Windows Management Instrumentation Command-line (WMIC), and the ping command. In a small number of cases, the threat actors run system checks to determine if they are operating within a virtualized environment.

Collection

In addition to operating system and domain credentials, Volt Typhoon dumps information from local web browser applications. Microsoft has also observed the threat actors staging collected data in password-protected archives.

Command and control

In most cases, Volt Typhoon accesses compromised systems by signing in with valid credentials, the same way authorized users do. However, in a small number of cases, Microsoft has observed Volt Typhoon operators creating proxies on compromised systems to facilitate access. They accomplish this with the built-in netsh portproxy command.

In rare cases, they also use custom versions of open-source tools Impacket and Fast Reverse Proxy (FRP) to establish a C2 channel over proxy.

Compromised organizations will observe C2 access in the form of successful sign-ins from unusual IP addresses. The same user account used for these sign-ins may be linked to command-line activity conducting further credential access. Microsoft will continue to monitor Volt Typhoon and track changes in their activity and tooling.

Mitigation and protection guidance

Mitigating risk from adversaries like Volt Typhoon that rely on valid accounts and living-off-the-land binaries (LOLBins) is particularly challenging. Detecting activity that uses normal sign-in channels and system binaries requires behavioral monitoring. Remediation requires closing or changing credentials for compromised accounts. Suspected compromised accounts or affected systems should be investigated:

• Identify LSASS dumping and domain controller installation media creation to identify affected accounts.
• Examine the activity of compromised accounts for any malicious actions or exposed data.
• Close or change credentials for all compromised accounts. Depending on the level of collection activity, many accounts may be affected.

Defending against this campaign

• Mitigate the risk of compromised valid accounts by enforcing strong multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. Passwordless sign-in, password expiration rules, and deactivating unused accounts can also help mitigate risk from this access method.
• Reduce the attack surface. Microsoft customers can turn on the following attack surface reduction rules to block or audit some observed activity associated with this threat:
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe).Block process creations originating from PSExec and WMI commands. Some organizations may experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.
  • Block execution of potentially obfuscated scripts.
• Harden the LSASS process by enabling Protective Process Light (PPL) for LSASS on Windows 11 devices. New, enterprise-joined Windows 11 (22H2 update) installs have this feature enabled by default. In addition, enable Windows Defender Credential Guard, which is also turned on by default for organizations using the Enterprise edition of Windows 11.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors such as those exhibited by Volt Typhoon.
• Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.

Detection details and hunting queries

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects attempted post-compromise activity. Note, however, that these alerts can also be triggered by threat activity unrelated to Volt Typhoon. Turn on cloud-delivered protection to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block most new and unknown threats.

• Behavior:Win32/SuspNtdsUtilUsage.A
• Behavior:Win32/SuspPowershellExec.E
• Behavior:Win32/SuspRemoteCmdCommandParent.A
• Behavior:Win32/UNCFilePathOperation
• Behavior:Win32/VSSAmsiCaller.A
• Behavior:Win32/WinrsCommand.A
• Behavior:Win32/WmiSuspProcExec.J!se
• Behavior:Win32/WmicRemote.A
• Behavior:Win32/WmiprvseRemoteProc.B

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint alerts with the following titles can indicate possible presence of Volt Typhoon activity.

• Volt Typhoon threat actor detected

The following alerts may also be associated with Volt Typhoon activity. Note, however, that these alerts can also be triggered by threat activity unrelated to Volt Typhoon.

• A machine was configured to forward traffic to a non-local address
• Ntdsutil collecting Active Directory information
• Password hashes dumped from LSASS memory
• Suspicious use of wmic.exe to execute code
• Impacket toolkit

Hunting queries

Microsoft 365 Defender

Volt Typhoon’s post-compromise activity usually includes distinctive commands. Searching for these can help to determine the scope and impact of an incident.

Find commands creating domain controller installation media

This query can identify domain controller installation media creation commands similar to those used by Volt Typhoon.

DeviceProcessEvents
| where ProcessCommandLine has_all ("ntdsutil", "create full", "pro")

Find commands establishing internal proxies

This query can identify commands that establish internal proxies similar to those used by Volt Typhoon.

DeviceProcessEvents
| where ProcessCommandLine has_all ("portproxy", "netsh", "wmic", "process call create", "v4tov4")

Find detections of custom FRP executables

This query can identify alerts on files that match the SHA-256 hashes of known Volt Typhoon custom FRP binaries.

AlertEvidence
| where SHA256 in 
('baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c', 
'b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74', 
'4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349', 
'c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d', 
'd6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af', 
'9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a', 
'450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267', 
'93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066', 
'7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5', 
'389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61', 
'c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b', 
'e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95', 
'6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff', 
'cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984', 
'17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4', 
'8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2', 
'd17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295', 
'472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d', 
'3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642')

Microsoft Sentinel

Below are some suggested queries to assist Microsoft Sentinel customers in identifying Volt Typhoon activity in their environment:

• LSASS process memory dumping
• Potential Impacket execution
• Domain controller installation media creation commands similar to those used by Volt Typhoon
• Commands that set up internal proxies resembling the ones employed by Volt Typhoon

Microsoft customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious hash indicators (related to the custom Fast Reverse Proxy binaries) mentioned in this blog post. These analytics are part of the Threat Intelligence solution and can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

Indicators of compromise (IOCs)

The below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protection to identify past related activity and prevent future attacks against their systems.

Volt Typhoon custom FRP executable (SHA-256):

• baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c
• b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74
• 4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349
• c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d
• d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af
• 9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a
• 450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267
• 93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066
• 7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5
• 389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61
• c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b
• e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95
• 6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff
• cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984
• 17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4
• 8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2
• d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295
• 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
• 3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642

The post Volt Typhoon targets US critical infrastructure with living-off-the-land techniques appeared first on Microsoft Security Blog.

Who is Mint Sandstorm?

Mint Sandstorm is Microsoft’s new name for PHOSPHORUS, an Iranian nation-state actor. This new name is part of the new threat actor naming taxonomy we announced today, designed to keep pace with the evolving and growing threat landscape.

Mint Sandstorm is known to pursue targets in both the private and public sectors, including political dissidents, activist leaders, the Defense Industrial Base (DIB), journalists, and employees from multiple government agencies, including individuals protesting oppressive regimes in the Middle East.  Activity Microsoft tracks as part of the larger Mint Sandstorm group overlaps with public reporting on groups known as APT35, APT42, Charming Kitten, and TA453.

Mint Sandstorm is a composite name used to describe several subgroups of activity with ties to the same organizational structure. Microsoft assesses that Mint Sandstorm is associated with an intelligence arm of Iran’s military, the Islamic Revolutionary Guard Corps (IRGC), an assessment that has been corroborated by multiple credible sources including Mandiant, Proofpoint, and SecureWorks.  In 2022, the US Department of Treasury sanctioned elements of Mint Sandstorm for past cyberattacks citing sponsorship from the IRGC.

Today, Microsoft is reporting on a distinct Mint Sandstorm subgroup that specializes in hacking into and stealing sensitive information from high-value targets. This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran’s  national priorities.

Microsoft Threat Intelligence consistently tracks threat actor activity, including Mint Sandstorm and its subgroups, and works across Microsoft Security products and services to build detections into our products that improve protection for customers. As with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft is sharing details on these operations to raise awareness on the risks associated with their activity and to empower organizations to harden their attack surfaces against tradecraft commonly used by this Mint Sandstorm subgroup.

Recent operations

From late 2021 to mid-2022, this Mint Sandstorm subgroup moved from reconnaissance to direct targeting of US critical infrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity potentially in support of retaliatory destructive cyberattacks. This targeting was likely in response to Iran’s attribution of cyberattacks that halted maritime traffic at a major Iranian seaport in May 2020, delayed Iranian trains in July 2021, and crashed gas station payment systems throughout Iran in late 2021. Of note, a senior cybersecurity-focused IRGC official and others close to the Iranian Supreme Leader pinned the attack affecting gas station payment systems on Israel and the United States.

This targeting also coincided with a broader increase in the pace and the scope of cyberattacks attributed to Iranian threat actors, including another Mint Sandstorm subgroup, that Microsoft observed beginning in September 2021. The increased aggression of Iranian threat actors appeared to correlate with other moves by the Iranian regime under a new national security apparatus, suggesting such groups are less bounded in their operations.  Given the hardline consensus among policymakers in Tehran and sanctions previously levied on Iran’s security organizations, Mint Sandstorm subgroups may be less constrained in carrying out malicious cyber activity.

Mint Sandstorm tradecraft

Microsoft has observed multiple attack chains and various tools in compromises involving this Mint Sandstorm subgroup. The TTPs detailed below are a sampling of new or otherwise notable tradecraft used by this actor.

Rapid adoption of publicly disclosed POCs for initial access and persistence

Microsoft has increasingly observed this Mint Sandstorm subgroup adopting publicly disclosed proof-of-concept (POC) code shortly after it is released to exploit vulnerabilities in internet-facing applications. Until 2023, this subgroup had been slow to adopt exploits for recently-disclosed vulnerabilities with publicly reported POCs, often taking several weeks to successfully weaponize exploits for vulnerabilities like Proxyshell and Log4Shell. However, beginning in early 2023, Microsoft observed a notable decrease in the time required for this subgroup to adopt and incorporate public POCs. For example, Mint Sandstorm began exploiting CVE-2022-47966 in Zoho ManageEngine on January 19, 2023, the same day the POC became public. They later exploited CVE-2022-47986 in Aspera Faspex within five days of the POC being made public on February 2, 2023.

While this subgroup has demonstrated their ability to rapidly incorporate new public POCs into their playbooks, Microsoft has also observed that Mint Sandstorm continues to use older vulnerabilities, especially Log4Shell, to compromise unpatched devices. As this activity is typically opportunistic and indiscriminate, Microsoft recommends that organizations regularly patch vulnerabilities with publicly available POCs, regardless of how long the POC has been available.

After gaining initial access to an organization by exploiting a vulnerability with a public POC, this Mint Sandstorm subgroup deploys a custom PowerShell script designed for discovery. In some cases, the subgroup does not act on the information they collect, possibly because they assess that a victim does not meet any targeting requirements or because the subgroup wishes to wait and focus on more valuable targets. In cases where Mint Sandstorm operators continue their pursuit of a given target, Microsoft typically observes one of two possible attack chains.

• Attack chain 1: The Mint Sandstorm subgroup proceeds using Impacket to move laterally through a compromised organization and relies extensively on PowerShell scripts (rather than custom implants) to enumerate admin accounts and enable RDP connections. In this attack chain, the subgroup uses an SSH tunnel for command and control (C2), and the final objective in many cases is theft of the Active Directory database. If obtained, the Mint Sandstorm subgroup can use the Active Directory database to access credentials for users’ accounts. In cases where users’ credentials are accessed and the target organization has not reset corresponding passwords, the actors can log in with stolen credentials and masquerade as legitimate users, possibly without attracting attention from defenders. The actors could also gain access to other systems where individuals may have reused their passwords.
• Attack chain 2: As is the case in attack chain 1, the Mint Sandstorm subgroup uses Impacket to move laterally. However, in this progression, the operators use webhook.site for C2 and create scheduled tasks for persistence. Finally, in this attack chain, the actors deploy a custom malware variant, such as Drokbk or Soldier. These custom malware variants signal an increase in the subgroup’s level of sophistication, as they shift from using publicly available tools and simple scripts to deploying fully custom developed malicious code. 

Use of custom tools to evade detection

Since 2022,Microsoft has observed this Mint Sandstorm subgroup using two custom implants, detected by Microsoft security products as Drokbk and Soldier, to persist in target environments and deploy additional tools. Drobkbk and Soldier both use Mint Sandstorm-controlled GitHub repositories to host a domain rotator containing the operators’ C2 domains. This allows Mint Sandstorm to dynamically update their C2 infrastructure, which may help the operators stay a step ahead of defenders using list-based domain blocking.

• Drokbk: Drokbk.exe is a custom .NET implant with two components: an installer, sometimes accessed from a compressed archive on a legitimate file-sharing platform, and a secondary backdoor payload. The Drokbk backdoor issues a web request to obtain the contents of a README file on a Mint Sandstorm-controlled GitHub repo. The README file contains a list of URLs that direct targets to the C2 infrastructure associated with Drokbk.
• Soldier: Soldier is a multistage .NET backdoor with the ability to download and run additional tools and uninstall itself. Like Drokbk, Soldier C2 infrastructure is stored on a domain rotator on a GitHub repository operated by Mint Sandstorm. Microsoft Threat Intelligence analysts assess that Soldier is a more sophisticated variant of Drokbk.

In certain cases, this Mint Sandstorm subgroup has used TTPs outside of these attack chains, notably when they have failed to achieve short-term objectives. In one instance, Microsoft also observed the subgroup using TTPs from both attack chains in a single compromised environment. However, in most cases, Mint Sandstorm activity displays one of the above discussed attack chains.

Low-volume phishing campaigns using template injection

Microsoft has also observed this Mint Sandstorm subgroup using a distinct attack chain involving low-volume phishing campaigns and a third custom implant.  In these operations, the group crafts bespoke phishing emails, often purporting to contain information on security policies that affect countries in the Middle East, to deliver weaponized documents to individuals of interest. Recipients are typically individuals affiliated with high-profile think tanks or universities in Israel, North America, or Europe with ties to the security and policy communities. Unlike their initial exploitation of vulnerable internet-facing applications, which is largely indiscriminate and affects organizations across sectors and geographies, activity associated with this campaign was highly targeted and affected fewer than 10 organizations..

The initial emails are most commonly lures designed to social engineer recipients into clicking a OneDrive link hosting a PDF spoofed to resemble information on a topic involving security or policy in the Middle East. The PDF contains a link to a macro-enabled template file (dotm) hosted on Dropbox. This file has been weaponized with macros to perform remote template injection, a technique that allows operators to obtain and launch a payload from a remote C2, often OneDrive. Template injection is an attractive option for adversaries looking to execute malicious code without drawing scrutiny from defenders. This technique can also be used to persist in a compromised environment if an adversary replaces a default template used by a common application.

In these attacks, Microsoft has observed the Mint Sandstorm subgroup using CharmPower, a custom implant, in attacks that began with targeted phishing campaigns. CharmPower is a modular backdoor written in PowerShell that this subgroup delivers in phishing campaigns that rely on template injection. CharmPower can read files, gather information on an infected host, and send details back to the attackers. Reporting from Checkpoint indicates that at least one version of CharmPower pulls data from a specific text file that contains a hardcoded victim identifier.

What’s next

Capabilities observed in intrusions attributed to this Mint Sandstorm subgroup are concerning as they allow operators to conceal C2 communication, persist in a compromised system, and deploy a range of post-compromise tools with varying capabilities. While effects vary depending on the operators’ post-intrusion activities, even initial access can enable unauthorized access and facilitate further behaviors that may adversely impact the confidentiality, integrity, and availability of an environment. A successful intrusion creates liabilities and may harm an organization’s reputation, especially those responsible for delivering services to others such as critical infrastructure providers, which Mint Sandstorm has targeted in the past.  

As these operators increasingly develop and use sophisticated capabilities, organizations must develop corresponding defenses to harden their attack surfaces and raise costs for these operators. Microsoft will continue to monitor Mint Sandstorm activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below and shared with the broader security community to help detect and prevent further attacks.

Mitigation and protection guidance

The techniques used by this subset of Mint Sandstorm can be mitigated through the following actions:

Hardening internet-facing assets and understanding your perimeter

Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as Microsoft Defender External Attack Surface Management, can be used to improve data.

Vulnerabilities observed in recent campaigns attributed to this Mint Sandstorm subgroup that defenders can identify and mitigate include:

• IBM Aspera Faspex affected by CVE-2022-47986: Organizations can remediate CVE-2022-47986 by upgrading to Faspex 4.4.2 Patch Level 2 or using Faspex 5.x which does not contain this vulnerability. More details are available in IBM’s security advisory here.
• Zoho ManageEngine affected by CVE-2022-47966: Organizations using Zoho ManageEngine products vulnerable to CVE-2022-47966 should download and apply upgrades from the official advisory as soon as possible. Patching this vulnerability is useful beyond this specific campaign as several adversaries are exploiting CVE-2022-47966 for initial access.
• Apache Log4j2 (aka Log4Shell) (CVE-2021-44228 and CVE-2021-45046): Microsoft’s guidance for organizations using applications vulnerable to Log4Shell exploitation can be found here. This guidance is useful for any organization with vulnerable applications and useful beyond this specific campaign, as several adversaries exploit Log4Shell to obtain initial access.

This Mint Sandstorm subgroup has demonstrated its ability to rapidly adopt newly reported N-day vulnerabilities into its playbooks. To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the threat and vulnerability management capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.

Reducing the attack surface

Microsoft 365 Defender customers can also turn on attack surface reduction rules to harden their environments against techniques used by this Mint Sandstorm subgroup. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant protection against the tradecraft discussed in this report.

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block Office applications from creating executable content
• Block process creations originating from PSExec and WMI commands

Additionally, in 2022, Microsoft changed the default behavior of Office applications to block macros in files from the internet, further minimizing the attack surface for operators like this subgroup of Mint Sandstorm.

Microsoft 365 Defender detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects the Drokbk implant as the following malware:

• Trojan:MSIL/Drokbk.A!dha
• Trojan:MSIL/Drokbk.B!dha
• Trojan:MSIL/Drokbk.C!dha
• Trojan:Win32/Drokbk.C!dha  

  Microsoft Defender Antivirus detects the Soldier implant as the following malware:

• Trojan:MSIL/SoldierAudio.A!dha
• Trojan:MSIL/SoldierAudio.B!dha
• Trojan:MSIL/SoldierAudio.C!dha

Microsoft Defender Antivirus detects the CharmPower implant as the following malware:

• TrojanDownloader:O97M/RooftopMelt.A!dha

Microsoft Defender for Endpoint

The following Microsoft Defender for Endpoint alerts can indicate associated threat activity:

• Phosphorus Actor activity detected

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

ManageEngine Suspicious Process Execution.  

DeviceProcessEvents
| where InitiatingProcessFileName hasprefix "java"
| where InitiatingProcessFolderPath  has @"\manageengine\" or InitiatingProcessFolderPath has @"\ServiceDesk\"
| where (FileName in~ ("powershell.exe", "powershell_ise.exe") and
            (ProcessCommandLine has_any ("whoami", "net user", "net group", "localgroup administrators", "dsquery", "samaccountname=", " echo ", "query session", "adscredentials", "o365accountconfiguration", "-dumpmode", "-ssh", "usoprivate", "usoshared", "Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String",  "System.IO.Compression", "System.IO.MemoryStream", "iex ", "iex(", "Invoke-WebRequest", "set-MpPreference", "add-MpPreference", "certutil", "bitsadmin") // "csvhost.exe", "ekern.exe", "svhost.exe", ".dmp"
             or ProcessCommandLine matches regex @"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}"))
           or (FileName =~ "curl.exe" and ProcessCommandLine contains "http")
           or (FileName =~ "wget.exe" and ProcessCommandLine contains "http")
           or ProcessCommandLine has_any ("E:jscript", "e:vbscript")
           or ProcessCommandLine has_all ("localgroup Administrators", "/add")
           or ProcessCommandLine has_all ("reg add", "DisableAntiSpyware", @"\Microsoft\Windows Defender")
           or ProcessCommandLine has_all ("reg add", "DisableRestrictedAdmin", @"CurrentControlSet\Control\Lsa")
           or ProcessCommandLine has_all ("wmic", "process call create")
           or ProcessCommandLine has_all ("net", "user ", "/add")
           or ProcessCommandLine has_all ("net1", "user ", "/add")
           or ProcessCommandLine has_all ("vssadmin", "delete", "shadows")
           or ProcessCommandLine has_all ("wmic", "delete", "shadowcopy")
           or ProcessCommandLine has_all ("wbadmin", "delete", "catalog")
           or (ProcessCommandLine has "lsass" and ProcessCommandLine has_any ("procdump", "tasklist", "findstr"))
 | where ProcessCommandLine !contains "download.microsoft.com" and ProcessCommandLine !contains "manageengine.com" and ProcessCommandLine !contains "msiexec"

Ruby AsperaFaspex Suspicious Process Execution.

DeviceProcessEvents
| where InitiatingProcessFileName hasprefix "ruby"
| where InitiatingProcessFolderPath has @"aspera"
| where (FileName in~ ("powershell.exe", "powershell_ise.exe") and
            (ProcessCommandLine has_any ("whoami", "net user", "net group", "localgroup administrators", "dsquery", "samaccountname=", " echo ", "query session", "adscredentials", "o365accountconfiguration", "-dumpmode", "-ssh", "usoprivate", "usoshared", "Invoke-Expression", "DownloadString", "DownloadFile", "FromBase64String",  "System.IO.Compression", "System.IO.MemoryStream", "iex ", "iex(", "Invoke-WebRequest", "set-MpPreference", "add-MpPreference", "certutil", "bitsadmin", "csvhost.exe", "ekern.exe", "svhost.exe", ".dmp")
             or ProcessCommandLine matches regex @"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}"))
           or (FileName =~ "curl.exe" and ProcessCommandLine contains "http")
           or (FileName =~ "wget.exe" and ProcessCommandLine contains "http")
           or ProcessCommandLine has_any ("E:jscript", "e:vbscript")
           or ProcessCommandLine has_all ("localgroup Administrators", "/add")
           or ProcessCommandLine has_all ("reg add", "DisableAntiSpyware", @"\Microsoft\Windows Defender")
           or ProcessCommandLine has_all ("reg add", "DisableRestrictedAdmin", @"CurrentControlSet\Control\Lsa")
           or ProcessCommandLine has_all ("wmic", "process call create")
           or ProcessCommandLine has_all ("net", "user ", "/add")
           or ProcessCommandLine has_all ("net1", "user ", "/add")
           or ProcessCommandLine has_all ("vssadmin", "delete", "shadows")
           or ProcessCommandLine has_all ("wmic", "delete", "shadowcopy")
           or ProcessCommandLine has_all ("wbadmin", "delete", "catalog")
           or (ProcessCommandLine has "lsass" and ProcessCommandLine has_any ("procdump", "tasklist", "findstr"))

Log4J Wstomcat Process Execution.

DeviceProcessEvents
| where InitiatingProcessFileName has "ws_tomcatservice.exe" and FileName !in~("repadmin.exe")

Encoded watcher Function.

DeviceProcessEvents 
| where FileName =~ "powershell.exe" and ProcessCommandLine hasprefix "-e"
| extend SplitString = split(ProcessCommandLine, " ")
| mvexpand SS = SplitString 
| where SS matches regex "^[A-Za-z0-9+/]{50,}[=]{0,2}$"
| extend base64_decoded = replace(@'\0', '', make_string(base64_decode_toarray(tostring(SS))))
| where not(base64_decoded has_any(@"software\checker", "set folder to watch"))
| where base64_decoded has_all("$hst", "$prt") or base64_decoded has_any("watcher", @"WAt`CH`Er()")

 Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytic (a series of analytics all prefixed with “TI map”) to automatically match the indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

In addition, Microsoft Sentinel customers can leverage the following content to hunt for and detect related activity in their environments:

• Log4J solution
• Potential Impacket Execution
• Commands executed by WMI on new hosts – potential Impacket
• Scheduled Task Hidden
• Remote Task Creation/Update using Schtasks Process
• Scheduled Task Creation or Update from User Writable Directory
• Exchange SSRF Autodiscover ProxyShell – Detection

Indicators of compromise

References

Iran: Background and U.S. Policy. Congressional Research Service

Cobalt Illusion Masquerades as Atlantic Council Employee. Secureworks

Apt42: Crooked Charms, Cons, and Compromises. Mandiant

Badblood: TA453 Targets US & Israel in Credential Phishing. Proofpoint

Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity. U.S. Department of the Treasury

Officials: Israel Linked to a Disruptive Cyberattack on Iranian Port Facility. The Washington Post

Iran Says Cyberattack Causes Widespread Disruption at Gas Stations. Thomson Reuters

Iran’s Evolving Approach to Asymmetric Naval Warfare. The Washington Institute for Near East Policy

Hackers breach Iran rail network, disrupt service | Reuters. Reuters

APT35 Exploits Log4J Vulnerability to Distribute New Modular PowerShell Toolkit. Checkpoint

Iran Says Gas Stations Were Target Of Cyberattack To Foment Unrest (iranintl.com)

Complaint – Summons – Civil Cover Sheet.pdf (noticeofpleadings.com)

The post Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets appeared first on Microsoft Security Blog.

You’ve implemented multifactor authentication for access to your enterprise network. But what if multifactor authentication isn’t as foolproof as you’re hoping?

Are you comfortable betting your organization’s security on it?

Multifactor authentication isn’t a silver bullet

The premise behind multifactor authentication is a good one—anybody who wants to access your network needs two or more things:

1. Something they know (such as a password or personal identification number).
2. Something they have in their possession (cryptographic identification device, token).
3. Something they are (biometric, fingerprint).

Users enter two of those (or three of them, to access especially sensitive resources), your server authenticates them, and they’re on your network. It’s more robust security than a simple username and password, and it makes bad actors work a lot harder to access your network.

That’s why multifactor authentication is such a commonly used approach in security for solving the problem of leaked or compromised credentials. But it’s not foolproof, and here’s why Recorded Future thinks you can do better.

SMS is vulnerable

Many multifactor authentication products, especially the ones suitable for consumer use, rely on SMS and send a code to the user’s phone in a text message. Unfortunately, SMS can be hacked or spoofed, with the result that the bad actor receives the code and is able to pass the authentication test.

Also, not all applications support multifactor authentication—that’s especially true of older systems—which leaves the door open to bad actors. There are passwordless authentication methods, but credentials are used to authenticate the system on the back end, so password security and the user’s identity can still be avenues for compromise.

Multifactor authentication isn’t enough

Threat actors can brute force their way into accounts, defeat multifactor authentication, and breach organizations. There are many ways, unfortunately, that threat actors can accomplish this.

One way is by hijacking session cookies. Another way involves exploiting default multifactor authentication protocols. For instance, the United States Cybersecurity and Infrastructure Security Agency recently released a report warning that Russian state-sponsored threat actors were able to gain network access by taking advantage of an account set to default multifactor authentication protocols. That allowed them to enroll a new device for multifactor authentication access in their victim’s network, and then take advantage of a critical Windows vulnerability to run any code they wanted on the hacked network—with system privileges. One small mistake with multifactor authentication enabled threat actors to gain not only access but also significant control over the network.

Beyond multifactor authentication: Identity Intelligence from Recorded Future

Of course, threat actors are trying to breach thousands of networks every day. Suppose you had up-to-date intelligence that told you about their attempts all over the globe. That would give you a lot more information about them than just their IP address. Wouldn’t that help you decide whether their visit to your site was legitimate or not?

That’s the identity management model Recorded Future uses with Identity Intelligence. It arms security teams with real-time information about identity compromises worldwide so they can respond confidently, without any manual research. Identity Intelligence automates the collection, analysis, and production of intelligence from open-source, dark-web, and technology entities, including unique sourcing of malware log information. It combines that intelligence with world-class research to deliver an unmatched source of truth for identity management and authentication at a massive scale.

Identity Intelligence covers the most prominent use cases that enterprises face in a landscape of employees, partners, supply chains, and customers in an era of account takeovers and identity fraud:

• Preventing business email compromise and account hijacking.
• Identifying and mitigating the risk of account takeover.
• Checking for risk automatically during critical events (such as password creation or reset).
• Monitoring employee and customer identities on an ongoing basis.

It represents an important tool for securing user identity, as remote work and digital interactions across multiple channels increase the responsibilities of security and IT teams.

Integration with Microsoft

Recorded Future has released an integration between Identity Intelligence and Microsoft Azure Active Directory. The integration monitors new, compromised credentials found by Recorded Future, and places at-risk users into one or more different security groups, based on the client’s security policies and the nature of the compromise.  For example, credentials from bulk data dumps that have been circulated before may pose a relatively low risk and warrant only an “informational” warning to the user. On the other hand, credentials stolen recently by info stealer software are at high risk and require immediate remediation by the affected users.

Microsoft Azure Active Directory (Azure AD) supports identity protection and can score user risk as low, medium, or high. The integration with Identity Intelligence complements that insight, layering more context and transparency into the risks associated with users’ identities. The easiest way to do this is by placing an at-risk user into one or more security groups based on the Identity Intelligence available from Recorded Future and pushing the details of Recorded Future’s Identity Intelligence into Microsoft Sentinel. That allows forensic teams to examine the compromised credentials and respond to any potential incidents.

A Microsoft Sentinel example

Imagine how your company’s attack surface is constantly growing and your security team is seeing more events with each passing day. The team has too little context on user activity, so it can’t connect the dots between the external risk of detected threats and other insights. Its responses grow slower, increasing the likelihood that threats will slip through the cracks.

Identity Intelligence integrates with Azure AD through Azure Logic Apps. It uses one playbook to connect to Azure AD and Microsoft Sentinel and mitigate security risk by automatically positioning threat data in your Microsoft Sentinel environment. By layering real-time evidence on top of internal activity in Microsoft Sentinel, Identity Intelligence gives your security analysts the evidence they need to deal with threats.

Recorded Future is a member of the Microsoft Intelligent Security Association (MISA). It joins the independent software vendors and managed security service providers who integrate their solutions with Microsoft products to better defend against threats. Recorded Future indicators are also available as Microsoft Graph Security API indicators for use in security products from Microsoft and other partners.

Take the next step

Strong identity authentication is a must-have as your company faces a growing threat landscape and higher attack volumes.

Identity Intelligence from Recorded Future uses a combination of public sources and proprietary methods to help security teams to focus on the highest-risk user activity. It enables companies to address threats automatically, with out-of-the-box integrations and real-time insights for Azure AD and Microsoft Sentinel.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit the website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Gain real-time identity protection with Microsoft and Recorded Future appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. HAFNIUM is now tracked as Silk Typhoon.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART) in collaboration with the Microsoft Threat Intelligence Center (MSTIC) identified a multi-stage attack targeting the Zoho Manage Engine Rest API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties detailed by the Unit42 team in a previous blog.

Microsoft observed HAFNIUM from August 2021 to February 2022, target those in the telecommunication, internet service provider and data services sector, expanding on targeted sectors observed from their earlier operations conducted in Spring 2021.

Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates “hidden” scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.

The blog outlines the simplicity of the malware technique Tarrask uses, while highlighting that scheduled task abuse is a very common method of persistence and defense evasion—and an enticing one, at that. In this post, we will demonstrate how threat actors create scheduled tasks, how they cover their tracks, how the malware’s evasion techniques are used to maintain and ensure persistence on systems, and how to protect against this tactic.

Right on schedule: Maintaining persistence via scheduled tasks

Windows Task Scheduler is a service that allows users to perform automated tasks (scheduled tasks) on a chosen computer for legitimate administrative purposes (e.g., scheduled updates for browsers and other applications).

Throughout the course of our research, we’ve found that threat actors commonly make use of this service to maintain persistence within a Windows environment.

We’ve noted that the Tarrask malware generates several artifacts upon the creation of a scheduled task, whether using the Task Scheduler GUI or the schtasks command line utility. Profiling the use of either of these tools can aid investigators in tracking this persistence mechanism.

The following registry keys are created upon creation of a new task:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

The first subkey, created within the Tree path, matches the name of the scheduled task. The values created within it (Id, Index, and SD) contain metadata for task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping to the Id value found in the Tree key. The values created within (Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate execution of the task.

To demonstrate the value in the artifacts generated, shown in the following figures, we have created “My Special Task” which is set to execute the binary “C:\Windows\System32\calc.exe” on a regular interval.

Similar information is also stored within an extensionless XML file created within C:\Windows\System32\Tasks, where the name of the file matches the name of the task. This is displayed in Figure 2, where we name the task “My Special Task” as an example.

Note that the “Actions” value stored within the Tasks\{GUID} key points to the command line associated with the task. In Figure 2, there is a reference to “C:\Windows\System32\calc.exe” within the “Edit Binary Value” dialog, and there is a path referenced within the “<Command>” section in the extensionless XML file in Figure 3. The fact that this value is stored within two different locations can prove useful in recovering information regarding the task’s purpose in the event the threat actor has taken steps to cover their tracks.

Finally, there are two Windows event logs that record actions related to the creation and operation of Scheduled Tasks – Event ID 4698 within the Security.evtx log, and the Microsoft-Windows-TaskScheduler/Operational.evtx log.

Neither of these are audited by default and must be explicitly turned on by an administrator. Microsoft-Windows-TaskScheduler/Maintenance.evtx will exist by default, but only contains maintenance-related information for the Task Scheduler engine.

Effectively hiding scheduled tasks

In this scenario, the threat actor created a scheduled task named “WinUpdate” via HackTool:Win64/Tarrask in order to re-establish any dropped connections to their command and control (C&C) infrastructure. This resulted in the creation of the registry keys and values described in the earlier section, however, the threat actor deleted the SD value within the Tree registry path.

In this context, SD refers to the Security Descriptor, which determines the users allowed to run the task. Interestingly, removal of this value results in the task “disappearing” from “schtasks /query” and Task Scheduler. The task is effectively hidden unless an examiner manually inspects the aforementioned registry paths.

Issuing a “reg delete” command to delete the SD value will result in an “Access Denied” error even when run from an elevated command prompt. Deletion must occur within the context of the SYSTEM user. It is for this reason that the Tarrask malware utilized token theft to obtain the security permissions associated with the lsass.exe process. Upon execution of the token theft, the malware could operate with the same privileges as LSASS, making the deletion possible.

It is also important to note that the threat actor could have chosen to completely remove the two registry keys within Tree and Tasks, and the XML file created within C:\Windows\System32\Tasks. This would effectively remove the on-disk artifacts associated with the scheduled task, but the task would continue to run according to the defined triggers until the system rebooted, or until the associated svchost.exe process responsible for executing the task was terminated.

It’s possible the threat actor wanted to ensure persistence across reboots and therefore chose not to perform those steps, instead deleting only the SD value; however, we also speculate that the threat actor was unaware that the task would continue to run even after these components were removed.

Recommendations and cyber resilience guidance

Job or task schedulers are services that have been present in the Windows operating system for many years. The attacks we described signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.

As such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique. We also want to bring attention to the fact that threat actors may utilize this method of evasion to maintain access to high value targets in a manner that will likely remain undetected. This could be especially problematic for systems that are infrequently rebooted (e.g., critical systems such as domain controllers, database servers, etc.).

The techniques used by the actor and described in this post can be mitigated or detected by adopting the following recommendations and security guidelines¹:

• Enumerate your Windows environment registry hives looking in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry hive and identify any scheduled tasks without SD (security descriptor) Value within the Task Key. Perform analysis on these tasks as needed.
• Modify your audit policy to identify Scheduled Tasks actions by enabling logging “TaskOperational” within Microsoft-Windows-TaskScheduler/Operational. Apply the recommended Microsoft audit policy settings suitable to your environment.
• Enable and centralize the following Task Scheduler logs. Even if the tasks are ‘hidden’, these logs track key events relating to them that could lead you to discovering a well-hidden persistence mechanism
  • Event ID 4698 within the Security.evtx log
  • Microsoft-Windows-TaskScheduler/Operational.evtx log
• The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure. Remain vigilant and monitor uncommon behavior of your outbound communications by ensuring that monitoring and alerting for these connections from these critical Tier 0 and Tier 1 assets is in place.

Indicators of compromise (IOCs)

The following list provides IOCs observed during our investigation. We encourage customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Microsoft 365 Defender Detections

How customers can identify this in Microsoft 365 Defender:

Microsoft Defender Antivirus

Microsoft Defender for Endpoint on detects implants and components as the following:

• HackTool:Win64/Tarrask!MSR
• HackTool:Win64/Ligolo!MSR

Microsoft Defender for Endpoint detects malicious behavior observed as the following:

• Behavior:Win32/ScheduledTaskHide.A

Microsoft Sentinel Detections

Microsoft Sentinel customers can use the following detection queries to look for this activity:

• Tarrask malware hash IOC: This query identifies a hash match related to Tarrask malware across various data sources.
• Scheduled Task Hide: This query uses Windows Security Events to detect attempts by malware to hide the scheduled task by deleting the SD (Security Descriptor) value. Removal of SD value results in the scheduled task “disappearing” from “schtasks /query” and Task Scheduler.
• Microsoft Defender AV Hits: This query looks for Microsoft Defender AV detections related to Tarrask malware using SecurityAlerts table. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as Device group, IP, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for the alerts.

¹ The technical information contained in this article is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any action based upon such information, we encourage you to consult with the appropriate professionals. We do not provide any kind of guarantee of a certain outcome or result based on the information provided. Therefore, the use or reliance of any information contained in this article is solely at your own risk.

The post Tarrask malware uses scheduled tasks for defense evasion appeared first on Microsoft Security Blog.